Sleuth Kit Java Bindings (JNI)  4.2
Java bindings for using The Sleuth Kit
OSUtility.java
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import java.util.List;
22 import java.util.ArrayList;
23 
25 
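/**
 * Static helpers that collect the TSK_OS_INFO blackboard artifacts of a case
 * into {@link OSInfo} objects, merging artifacts that describe the same
 * operating system.
 */
public class OSUtility {

	/** Not instantiable; every member of this class is static. */
	private OSUtility() {
	}

	/**
	 * Gets OS information for the whole case, leaving out artifacts whose
	 * source file sits in a backup directory.
	 *
	 * @param skCase the case to query
	 *
	 * @return the merged OSInfo objects; empty if nothing qualified
	 *
	 * @throws TskCoreException if a case database lookup fails
	 */
	public static List<OSInfo> getOSInfo(SleuthkitCase skCase) throws TskCoreException {
		return getOSInfoInternal(skCase, false, false, 0);
	}

	/**
	 * Gets OS information only for artifacts whose source file is on the same
	 * file system as the given file, leaving out backup directories.
	 *
	 * @param skCase the case to query
	 * @param fsc    file whose file system ID selects the file system to
	 *               report on; must not be null, it is dereferenced here
	 *
	 * @return the merged OSInfo objects; empty if nothing qualified
	 *
	 * @throws TskCoreException if a case database lookup fails
	 */
	public static List<OSInfo> getOSInfo(SleuthkitCase skCase, FsContent fsc) throws TskCoreException {
		return getOSInfoInternal(skCase, false, true, fsc.getFileSystemId());
	}

	/**
	 * Gets OS information for the whole case, including artifacts whose
	 * source file sits in a backup directory.
	 *
	 * @param skCase the case to query
	 *
	 * @return the merged OSInfo objects; empty if nothing qualified
	 *
	 * @throws TskCoreException if a case database lookup fails
	 */
	public static List<OSInfo> getAllOSInfo(SleuthkitCase skCase) throws TskCoreException {
		return getOSInfoInternal(skCase, true, false, 0);
	}

	/**
	 * Walks every TSK_OS_INFO artifact in the case, filters it by backup
	 * status and (optionally) file system, and folds it into the result list.
	 *
	 * @param skCase         the case to query
	 * @param includeBackups true to keep artifacts found under a backup
	 *                       directory
	 * @param restrictFs     true to keep only artifacts on file system
	 *                       {@code fsId}
	 * @param fsId           file system ID to match; only read when
	 *                       {@code restrictFs} is true
	 *
	 * @return the merged OSInfo objects; empty if nothing qualified
	 *
	 * @throws TskCoreException if a case database lookup fails
	 */
	private static List<OSInfo> getOSInfoInternal(SleuthkitCase skCase, boolean includeBackups,
			boolean restrictFs, long fsId) throws TskCoreException {

		List<OSInfo> infoList = new ArrayList<OSInfo>();

		// Get all OS_INFO artifacts for this case
		List<BlackboardArtifact> results = skCase.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO);

		for (BlackboardArtifact art : results) {

			// Artifacts whose object ID does not resolve to a file are
			// dropped without any record; they never reach the result list.
			AbstractFile file = skCase.getAbstractFileById(art.getObjectID());
			if (file == null) {
				continue;
			}

			// NOTE(review): backup detection is a case-sensitive substring
			// test on the parent path. A directory stored with different
			// casing is not flagged as a backup, and any parent path that
			// merely contains this text is. Confirm the path before relying
			// on the backup flag in a report.
			boolean isBackup = file.getParentPath().contains("RegBack");
			if (isBackup && !includeBackups) {
				continue;
			}

			// Build the candidate once; both kinds of file share the merge
			// step below instead of each carrying a copy of it.
			OSInfo newInfo;
			if (file instanceof FsContent) {
				// FsContent allows us to get the file system ID.
				FsContent fsc = (FsContent) file;

				// If we're restricting the file system, skip any that don't match
				if (restrictFs && (fsId != fsc.getFileSystemId())) {
					continue;
				}
				newInfo = new OSInfo(art, isBackup, fsc.getFileSystemId(), file.getParent());
			} else if (!restrictFs) {
				// No file system ID is available for this kind of file
				newInfo = new OSInfo(art, isBackup, file.getParent());
			} else {
				// Limited to one file system: leave out data whose file
				// system cannot be determined.
				continue;
			}

			// Attempt to merge it with an existing object
			boolean mergedInfo = false;
			for (OSInfo info : infoList) {
				if (info.matches(newInfo)) {
					info.combine(newInfo);
					mergedInfo = true;
					break;
				}
			}

			// If nothing matched, add the new object to the list
			if (!mergedInfo) {
				infoList.add(newInfo);
			}
		}

		return infoList;
	}

}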
TSK_OS_INFO
Information pertaining to an operating system.
static List< OSInfo > getAllOSInfo(SleuthkitCase skCase)
Definition: OSUtility.java:71
static List< OSInfo > getOSInfo(SleuthkitCase skCase)
Definition: OSUtility.java:43
void combine(OSInfo a_osInfo)
Definition: OSInfo.java:142
static List< OSInfo > getOSInfo(SleuthkitCase skCase, FsContent fsc)
Definition: OSUtility.java:58
static List< OSInfo > getOSInfoInternal(SleuthkitCase skCase, boolean includeBackups, boolean restrictFs, long fsId)
Definition: OSUtility.java:89

Copyright © 2011-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.