1 /*
2  * Central Repository
3  *
4  * Copyright 2015-2017 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
20 
21 import java.beans.PropertyChangeEvent;
22 import java.beans.PropertyChangeListener;
23 import static java.lang.Boolean.FALSE;
24 import java.util.ArrayList;
25 import java.util.Collection;
26 import java.util.LinkedHashSet;
27 import java.util.List;
28 import java.util.logging.Level;
29 import java.util.stream.Collectors;
30 import org.openide.util.NbBundle;
40 import org.sleuthkit.datamodel.AbstractFile;
41 import org.sleuthkit.datamodel.BlackboardArtifact;
42 import org.sleuthkit.datamodel.BlackboardAttribute;
43 import org.sleuthkit.datamodel.TskCoreException;
45 
50 public class IngestEventsListener {
51 
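/** Logger for this listener, named after this class so log entries are attributed to it (not to CorrelationAttribute). */
private static final Logger LOGGER = Logger.getLogger(IngestEventsListener.class.getName());

/**
 * String forms of the correlation attributes already processed during the current
 * analysis; used to skip duplicate Central Repository lookups and inserts.
 * NOTE(review): LinkedHashSet is not thread-safe and this set is mutated from the
 * event listeners; if ingest events can be delivered on more than one thread the
 * add()/clear() calls need external synchronization - confirm with IngestManager.
 */
final Collection<String> addedCeArtifactTrackerSet = new LinkedHashSet<>();
/** Number of running Correlation Engine module instances; only touched through the synchronized static accessors. */
private static int ceModuleInstanceCount = 0;
/** Listener for ingest module events (DATA_ADDED). */
private final PropertyChangeListener pcl1 = new IngestModuleEventListener();
/** Listener for ingest job events (DATA_SOURCE_ANALYSIS_COMPLETED). */
private final PropertyChangeListener pcl2 = new IngestJobEventListener();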
58 
/**
 * Adds all of this class's ingest event listeners to the IngestManager instance.
 * (The registration statements themselves are not shown in this rendering of the file.)
 */
public void installListeners() {
    // body lines omitted in this rendering
}
66 
/**
 * Removes all of this class's ingest event listeners from the IngestManager instance.
 * (The de-registration statements themselves are not shown in this rendering of the file.)
 */
public void uninstallListeners() {
    // body lines omitted in this rendering
}
74 
/**
 * Records that a Correlation Engine module instance has started.
 * Expected to be called exactly once from the module's startup method.
 */
public synchronized static void incrementCorrelationEngineModuleCount() {
    ceModuleInstanceCount += 1;
}
83 
/**
 * Records that a Correlation Engine module instance has shut down.
 * Expected to be called exactly once from the module's shutdown method;
 * the count is never allowed to drop below zero.
 */
public synchronized static void decrementCorrelationEngineModuleCount() {
    final int running = getCeModuleInstanceCount();
    if (running > 0) {
        ceModuleInstanceCount = running - 1;
    }
}
93 
/**
 * Forces the module instance count back to zero.
 * Called when a case is opened, in case a previous session left the counter out of sync.
 */
synchronized static void resetCeModuleInstanceCount() {
    final int cleared = 0;
    ceModuleInstanceCount = cleared;
}
101 
/**
 * Returns the number of currently running Correlation Engine module instances.
 *
 * @return the instance count, read under the class monitor
 */
private synchronized static int getCeModuleInstanceCount() {
    final int count = ceModuleInstanceCount;
    return count;
}
111 
112  private class IngestModuleEventListener implements PropertyChangeListener {
113 
/**
 * Handles ingest module events. Only DATA_ADDED is acted on: each new blackboard
 * artifact is converted to correlation attributes, each attribute not seen before in
 * this job is looked up in the Central Repository for instances marked known-bad in
 * earlier cases, and the new attributes are handed to a NewArtifactsRunner thread.
 *
 * @param evt the ingest module event; its property name must be an
 *            IngestManager.IngestModuleEvent constant (valueOf throws
 *            IllegalArgumentException for any other name), and for DATA_ADDED its
 *            old value is cast to ModuleDataEvent
 */
@Override
public void propertyChange(PropertyChangeEvent evt) {
    // Nothing to do unless at least one Correlation Engine module instance is running.
    if (getCeModuleInstanceCount() > 0) {
        EamDb dbManager;
        try {
            dbManager = EamDb.getInstance();
        } catch (EamDbException ex) {
            LOGGER.log(Level.SEVERE, "Failed to connect to Central Repository database.", ex);
            return;
        }
        switch (IngestManager.IngestModuleEvent.valueOf(evt.getPropertyName())) {
            case DATA_ADDED: {
                if (!EamDb.isEnabled()) {
                    return;
                }
                final ModuleDataEvent mde = (ModuleDataEvent) evt.getOldValue();
                Collection<BlackboardArtifact> bbArtifacts = mde.getArtifacts();
                if (null == bbArtifacts) { // the ModuleDataEvents don't always have a collection of artifacts set
                    return;
                }
                List<CorrelationAttribute> eamArtifacts = new ArrayList<>();

                for (BlackboardArtifact bbArtifact : bbArtifacts) {
                    // One blackboard artifact is converted into a list of correlation attributes (possibly empty).
                    List<CorrelationAttribute> convertedArtifacts = EamArtifactUtil.getCorrelationAttributeFromBlackboardArtifact(bbArtifact, true, true);
                    for (CorrelationAttribute eamArtifact : convertedArtifacts) {
                        try {
                            // Only do something with this attribute if it's unique within the job.
                            // NOTE(review): addedCeArtifactTrackerSet is a LinkedHashSet (not thread-safe);
                            // if events are delivered on more than one thread this add() needs synchronization - confirm.
                            if (addedCeArtifactTrackerSet.add(eamArtifact.toString())) {
                                // Was it previously marked as bad?
                                // Query the Central Repository for instances having this TYPE/VALUE and knownStatus = "Bad".
                                // If this attribute instance was marked bad in a previous case,
                                // create a TSK_INTERESTING_ARTIFACT_HIT artifact on the blackboard.
                                List<String> caseDisplayNames = dbManager.getListCasesHavingArtifactInstancesKnownBad(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());
                                if (!caseDisplayNames.isEmpty()) {
                                    // (the first line of the postCorrelatedBadArtifactToBlackboard call is not shown in this rendering)
                                    caseDisplayNames);
                                }
                                eamArtifacts.add(eamArtifact);
                            }
                        } catch (EamDbException ex) {
                            // A lookup failure skips this attribute only; the rest of the event is still processed.
                            LOGGER.log(Level.SEVERE, "Error counting notable artifacts.", ex);
                        }
                    }
                }

                if (FALSE == eamArtifacts.isEmpty()) {
                    // Send the new attributes to the Central Repository database on a separate thread.
                    Runnable r = new NewArtifactsRunner(eamArtifacts);
                    // TODO: send r into a thread pool instead - currently one new Thread is started per DATA_ADDED event.
                    Thread t = new Thread(r);
                    t.start();
                } // DATA_ADDED
                break;
            }
        }
    }
}
172  }
173 
private class IngestJobEventListener implements PropertyChangeListener {

    /**
     * Clears the per-job attribute tracker once a data source's analysis completes;
     * every other job event is ignored.
     *
     * @param evt the ingest job event; its property name must be an
     *            IngestManager.IngestJobEvent constant
     */
    @Override
    public void propertyChange(PropertyChangeEvent evt) {
        final IngestManager.IngestJobEvent jobEvent = IngestManager.IngestJobEvent.valueOf(evt.getPropertyName());
        if (jobEvent != IngestManager.IngestJobEvent.DATA_SOURCE_ANALYSIS_COMPLETED) {
            return;
        }
        // Drop the tracker contents to reduce memory usage.
        // @@@ This isn't entirely accurate to do here: multiple ingest jobs may run
        // at the same time, and finishing one clears the entries of the others too.
        addedCeArtifactTrackerSet.clear();
    }
}
190 
/**
 * Posts a TSK_INTERESTING_ARTIFACT_HIT artifact for a blackboard artifact whose
 * correlation attribute was marked notable in previous cases, indexes it for
 * keyword search, and fires a module data event so the UI picks it up.
 *
 * @param bbArtifact       the artifact that matched a known-bad Central Repository entry
 * @param caseDisplayNames display names of the previous cases; written (deduplicated,
 *                         comma-separated) into the TSK_COMMENT attribute
 */
@NbBundle.Messages({"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
    "IngestEventsListener.prevCaseComment.text=Previous Case: ",
    "IngestEventsListener.ingestmodule.name=Correlation Engine"})
private void postCorrelatedBadArtifactToBlackboard(BlackboardArtifact bbArtifact, List<String> caseDisplayNames) {

    try {
        AbstractFile af = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
        // NOTE(review): af is dereferenced below without a null check; confirm getAbstractFileById cannot return null here.

        String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
        BlackboardArtifact tifArtifact = af.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
        BlackboardAttribute att = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
                Bundle.IngestEventsListener_prevTaggedSet_text());
        // Previous-case display names are copied into the comment as-is (distinct, joined with commas).
        BlackboardAttribute att2 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
                Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(",", "", "")));
        tifArtifact.addAttribute(att);
        tifArtifact.addAttribute(att2);
        // Link the hit back to the artifact that triggered it.
        tifArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID()));

        try {
            // index the artifact for keyword search
            // (the line obtaining the Blackboard instance is not shown in this rendering)
            blackboard.indexArtifact(tifArtifact);
        } catch (Blackboard.BlackboardException ex) {
            // Indexing failure is not fatal: the artifact and its attributes were already created above.
            LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + tifArtifact.getArtifactID(), ex); //NON-NLS
        }

        // fire event to notify UI of this new artifact
        IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT));
    } catch (TskCoreException ex) {
        LOGGER.log(Level.SEVERE, "Failed to create BlackboardArtifact.", ex); // NON-NLS
    } catch (IllegalStateException ex) {
        LOGGER.log(Level.SEVERE, "Failed to create BlackboardAttribute.", ex); // NON-NLS
    }
}
225 }
