Autopsy  4.4
Graphical digital forensics platform for The Sleuth Kit and other tools.
InterestingHits.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2017 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datamodel;
20 
21 import java.beans.PropertyChangeEvent;
22 import java.beans.PropertyChangeListener;
23 import java.sql.ResultSet;
24 import java.sql.SQLException;
25 import java.util.ArrayList;
26 import java.util.Collections;
27 import java.util.HashMap;
28 import java.util.HashSet;
29 import java.util.LinkedHashMap;
30 import java.util.List;
31 import java.util.Map;
32 import java.util.Observable;
33 import java.util.Observer;
34 import java.util.Set;
35 import java.util.logging.Level;
36 import org.openide.nodes.ChildFactory;
37 import org.openide.nodes.Children;
38 import org.openide.nodes.Node;
39 import org.openide.nodes.Sheet;
40 import org.openide.util.NbBundle;
41 import org.openide.util.lookup.Lookups;
42 import org.sleuthkit.autopsy.casemodule.Case;
43 import org.sleuthkit.autopsy.coreutils.Logger;
44 import org.sleuthkit.autopsy.ingest.IngestManager;
45 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
46 import org.sleuthkit.datamodel.BlackboardArtifact;
47 import org.sleuthkit.datamodel.BlackboardAttribute;
48 import org.sleuthkit.datamodel.SleuthkitCase;
49 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;
50 import org.sleuthkit.datamodel.TskCoreException;
51 
52 public class InterestingHits implements AutopsyVisitableItem {
53 
54  private static final String INTERESTING_ITEMS = NbBundle
55  .getMessage(InterestingHits.class, "InterestingHits.interestingItems.text");
56  private static final String DISPLAY_NAME = NbBundle.getMessage(InterestingHits.class, "InterestingHits.displayName.text");
57  private static final Logger logger = Logger.getLogger(InterestingHits.class.getName());
58  private SleuthkitCase skCase;
59  private final InterestingResults interestingResults = new InterestingResults();
60 
61  public InterestingHits(SleuthkitCase skCase) {
62  this.skCase = skCase;
63  interestingResults.update();
64  }
65 
66  private class InterestingResults extends Observable {
67 
68  // NOTE: the map can be accessed by multiple worker threads and needs to be synchronized
69  private final Map<String, Map<String, Set<Long>>> interestingItemsMap = new LinkedHashMap<>();
70 
71  public List<String> getSetNames() {
72  List<String> setNames;
73  synchronized (interestingItemsMap) {
74  setNames = new ArrayList<>(interestingItemsMap.keySet());
75  }
76  Collections.sort(setNames);
77  return setNames;
78  }
79 
80  public Set<Long> getArtifactIds(String setName, String typeName) {
81  synchronized (interestingItemsMap) {
82  return interestingItemsMap.get(setName).get(typeName);
83  }
84  }
85 
86  public void update() {
87  synchronized (interestingItemsMap) {
88  interestingItemsMap.clear();
89  }
90  loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
91  loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
92  setChanged();
93  notifyObservers();
94  }
95 
96  /*
97  * Reads the artifacts of specified type, grouped by Set, and loads into
98  * the interestingItemsMap
99  */
100  @SuppressWarnings("deprecation")
101  private void loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE artType) {
102  if (skCase == null) {
103  return;
104  }
105 
106  int setNameId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID();
107  int artId = artType.getTypeID();
108  String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS
109  + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS
110  + "attribute_type_id=" + setNameId //NON-NLS
111  + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS
112  + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS
113 
114  try (CaseDbQuery dbQuery = skCase.executeQuery(query)) {
115  synchronized (interestingItemsMap) {
116  ResultSet resultSet = dbQuery.getResultSet();
117  while (resultSet.next()) {
118  String value = resultSet.getString("value_text"); //NON-NLS
119  long artifactId = resultSet.getLong("artifact_id"); //NON-NLS
120  if (!interestingItemsMap.containsKey(value)) {
121  interestingItemsMap.put(value, new LinkedHashMap<>());
122  interestingItemsMap.get(value).put(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getDisplayName(), new HashSet<>());
123  interestingItemsMap.get(value).put(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getDisplayName(), new HashSet<>());
124  }
125  interestingItemsMap.get(value).get(artType.getDisplayName()).add(artifactId);
126  }
127  }
128  } catch (TskCoreException | SQLException ex) {
129  logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS
130  }
131  }
132  }
133 
134  @Override
135  public <T> T accept(AutopsyItemVisitor<T> v) {
136  return v.visit(this);
137  }
138 
142  public class RootNode extends DisplayableItemNode {
143 
144  public RootNode() {
145  super(Children.create(new SetNameFactory(), true), Lookups.singleton(DISPLAY_NAME));
146  super.setName(INTERESTING_ITEMS);
147  super.setDisplayName(DISPLAY_NAME);
148  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
149  }
150 
151  @Override
152  public boolean isLeafTypeNode() {
153  return false;
154  }
155 
156  @Override
157  public <T> T accept(DisplayableItemNodeVisitor<T> v) {
158  return v.visit(this);
159  }
160 
161  @Override
162  protected Sheet createSheet() {
163  Sheet s = super.createSheet();
164  Sheet.Set ss = s.get(Sheet.PROPERTIES);
165  if (ss == null) {
166  ss = Sheet.createPropertiesSet();
167  s.put(ss);
168  }
169 
170  ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
171  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.displayName"),
172  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
173  getName()));
174 
175  return s;
176  }
177 
178  @Override
179  public String getItemType() {
180  return getClass().getName();
181  }
182  }
183 
184  private class SetNameFactory extends ChildFactory.Detachable<String> implements Observer {
185 
186  /*
187  * This should probably be in the top-level class, but the factory has
188  * nice methods for its startup and shutdown, so it seemed like a
189  * cleaner place to register the property change listener.
190  */
191  private final PropertyChangeListener pcl = new PropertyChangeListener() {
192  @Override
193  public void propertyChange(PropertyChangeEvent evt) {
194  String eventType = evt.getPropertyName();
195  if (eventType.equals(IngestManager.IngestModuleEvent.DATA_ADDED.toString())) {
202  try {
203  Case.getCurrentCase();
210  ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();
211  if (null != eventData && (eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()
212  || eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID())) {
213  interestingResults.update();
214  }
215  } catch (IllegalStateException notUsed) {
219  }
220  } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())
221  || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())) {
228  try {
229  Case.getCurrentCase();
230  interestingResults.update();
231  } catch (IllegalStateException notUsed) {
235  }
236  } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {
237  // case was closed. Remove listeners so that we don't get called with a stale case handle
238  if (evt.getNewValue() == null) {
239  removeNotify();
240  skCase = null;
241  }
242  }
243  }
244  };
245 
246  @Override
247  protected void addNotify() {
248  IngestManager.getInstance().addIngestJobEventListener(pcl);
249  IngestManager.getInstance().addIngestModuleEventListener(pcl);
250  Case.addPropertyChangeListener(pcl);
251  interestingResults.update();
252  interestingResults.addObserver(this);
253  }
254 
255  @Override
256  protected void removeNotify() {
257  IngestManager.getInstance().removeIngestJobEventListener(pcl);
258  IngestManager.getInstance().removeIngestModuleEventListener(pcl);
259  Case.removePropertyChangeListener(pcl);
260  interestingResults.deleteObserver(this);
261  }
262 
263  @Override
264  protected boolean createKeys(List<String> list) {
265  list.addAll(interestingResults.getSetNames());
266  return true;
267  }
268 
269  @Override
270  protected Node createNodeForKey(String key) {
271  return new SetNameNode(key);
272  }
273 
274  @Override
275  public void update(Observable o, Object arg) {
276  refresh(true);
277  }
278  }
279 
280  public class SetNameNode extends DisplayableItemNode implements Observer {
281 
282  private final String setName;
283 
284  public SetNameNode(String setName) {//, Set<Long> children) {
285  super(Children.create(new HitTypeFactory(setName), true), Lookups.singleton(setName));
286  this.setName = setName;
287  super.setName(setName);
288  updateDisplayName();
289  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
290  interestingResults.addObserver(this);
291  }
292 
293  private void updateDisplayName() {
294  int sizeOfSet = interestingResults.getArtifactIds(setName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getDisplayName()).size()
295  + interestingResults.getArtifactIds(setName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getDisplayName()).size();
296  super.setDisplayName(setName + " (" + sizeOfSet + ")");
297  }
298 
299  @Override
300  public boolean isLeafTypeNode() {
301  return false;
302  }
303 
304  @Override
305  protected Sheet createSheet() {
306  Sheet s = super.createSheet();
307  Sheet.Set ss = s.get(Sheet.PROPERTIES);
308  if (ss == null) {
309  ss = Sheet.createPropertiesSet();
310  s.put(ss);
311  }
312 
313  ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
314  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
315  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
316  getName()));
317 
318  return s;
319  }
320 
321  @Override
322  public <T> T accept(DisplayableItemNodeVisitor<T> v) {
323  return v.visit(this);
324  }
325 
326  @Override
327  public void update(Observable o, Object arg) {
328  updateDisplayName();
329  }
330 
331  @Override
332  public String getItemType() {
337  return getClass().getName();
338  }
339  }
340 
341  private class HitTypeFactory extends ChildFactory<String> implements Observer {
342 
343  private final String setName;
344  private final Map<Long, BlackboardArtifact> artifactHits = new HashMap<>();
345 
346  private HitTypeFactory(String setName) {
347  super();
348  this.setName = setName;
349  interestingResults.addObserver(this);
350  }
351 
352  @Override
353  protected boolean createKeys(List<String> list) {
354  list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getDisplayName());
355  list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getDisplayName());
356  return true;
357  }
358 
359  @Override
360  protected Node createNodeForKey(String key) {
361  return new InterestingItemTypeNode(setName, key);
362  }
363 
364  @Override
365  public void update(Observable o, Object arg) {
366  refresh(true);
367  }
368  }
369 
370  public class InterestingItemTypeNode extends DisplayableItemNode implements Observer {
371 
372  private final String typeName;
373  private final String setName;
374 
375  private InterestingItemTypeNode(String setName, String typeName) {
376  super(Children.create(new HitFactory(setName, typeName), true), Lookups.singleton(setName));
377  this.typeName = typeName;
378  this.setName = setName;
379  super.setName(typeName);
380  updateDisplayName();
381  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
382  interestingResults.addObserver(this);
383  }
384 
385  private void updateDisplayName() {
386  super.setDisplayName(typeName + " (" + interestingResults.getArtifactIds(setName, typeName).size() + ")");
387  }
388 
389  @Override
390  public boolean isLeafTypeNode() {
391  return true;
392  }
393 
394  @Override
395  protected Sheet createSheet() {
396  Sheet s = super.createSheet();
397  Sheet.Set ss = s.get(Sheet.PROPERTIES);
398  if (ss == null) {
399  ss = Sheet.createPropertiesSet();
400  s.put(ss);
401  }
402  ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
403  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
404  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
405  getName()));
406  return s;
407  }
408 
409  @Override
410  public <T> T accept(DisplayableItemNodeVisitor<T> v) {
411  return v.visit(this);
412  }
413 
414  @Override
415  public void update(Observable o, Object arg) {
416  updateDisplayName();
417  }
418 
419  @Override
420  public String getItemType() {
425  return getClass().getName();
426  }
427  }
428 
429  private class HitFactory extends ChildFactory<Long> implements Observer {
430 
431  private final String setName;
432  private final String typeName;
433  private final Map<Long, BlackboardArtifact> artifactHits = new HashMap<>();
434 
435  private HitFactory(String setName, String typeName) {
436  super();
437  this.setName = setName;
438  this.typeName = typeName;
439  interestingResults.addObserver(this);
440  }
441 
442  @Override
443  protected boolean createKeys(List<Long> list) {
444 
445  if (skCase == null) {
446  return true;
447  }
448 
449  interestingResults.getArtifactIds(setName, typeName).forEach((id) -> {
450  try {
451  if (!artifactHits.containsKey(id)) {
452  BlackboardArtifact art = skCase.getBlackboardArtifact(id);
453  artifactHits.put(id, art);
454  }
455  list.add(id);
456  } catch (TskCoreException ex) {
457  logger.log(Level.SEVERE, "TSK Exception occurred", ex); //NON-NLS
458  }
459  });
460  return true;
461  }
462 
463  @Override
464  protected Node createNodeForKey(Long l) {
465  BlackboardArtifact art = artifactHits.get(l);
466  return (null == art) ? null : new BlackboardArtifactNode(art);
467  }
468 
469  @Override
470  public void update(Observable o, Object arg) {
471  refresh(true);
472  }
473  }
474 }
org.sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType
BlackboardArtifact.Type getBlackboardArtifactType()
Definition: ModuleDataEvent.java:104
org.sleuthkit.autopsy.ingest.IngestManager.removeIngestModuleEventListener
void removeIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:481
org.sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition: IngestManager.java:142
org.sleuthkit.autopsy.casemodule.Case.removePropertyChangeListener
static void removePropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:369
org.sleuthkit.autopsy.datamodel.InterestingHits.InterestingResults.loadArtifacts
void loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE artType)
Definition: InterestingHits.java:101
org.sleuthkit.autopsy.ingest.IngestManager.removeIngestJobEventListener
void removeIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:463
org.sleuthkit.autopsy.ingest.IngestManager.addIngestJobEventListener
void addIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:454
org.sleuthkit.autopsy.datamodel.InterestingHits.InterestingResults.getArtifactIds
Set< Long > getArtifactIds(String setName, String typeName)
Definition: InterestingHits.java:80
org.sleuthkit.autopsy.casemodule.Case.addPropertyChangeListener
static void addPropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:357
org.sleuthkit.autopsy.ingest.IngestManager.addIngestModuleEventListener
void addIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:472
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:161
org.sleuthkit.autopsy.datamodel.InterestingHits.InterestingResults.interestingItemsMap
final Map< String, Map< String, Set< Long > > > interestingItemsMap
Definition: InterestingHits.java:69

Copyright © 2012-2016 Basis Technology. Generated on: Tue Jun 13 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.