19 package org.sleuthkit.datamodel;
21 import java.io.BufferedInputStream;
22 import java.io.BufferedOutputStream;
24 import java.io.FileInputStream;
25 import java.io.FileOutputStream;
26 import java.io.IOException;
27 import java.io.InputStream;
28 import java.io.OutputStream;
29 import java.nio.file.Paths;
30 import java.sql.Connection;
31 import java.sql.DriverManager;
32 import java.sql.PreparedStatement;
33 import java.sql.ResultSet;
34 import java.sql.SQLException;
35 import java.sql.Statement;
36 import java.text.MessageFormat;
37 import java.util.ArrayList;
38 import java.util.Collection;
39 import java.util.Collections;
40 import java.util.EnumMap;
41 import java.util.HashMap;
42 import java.util.HashSet;
43 import java.util.LinkedHashMap;
44 import java.util.List;
46 import java.util.ResourceBundle;
47 import java.util.concurrent.locks.ReentrantReadWriteLock;
48 import java.util.logging.Level;
49 import java.util.logging.Logger;
60 import org.sqlite.SQLiteConfig;
61 import org.sqlite.SQLiteJDBCLoader;
74 private static final ResourceBundle
bundle = ResourceBundle.getBundle(
"org.sleuthkit.datamodel.Bundle");
76 private final ResultSetHelper
rsHelper =
new ResultSetHelper(
this);
78 private final Map<Long, FileSystem>
fileSystemIdMap =
new HashMap<Long, FileSystem>();
79 private final ArrayList<ErrorObserver>
errorObservers =
new ArrayList<ErrorObserver>();
91 private final ReentrantReadWriteLock
rwLock =
new ReentrantReadWriteLock(
true);
103 Class.forName(
"org.sqlite.JDBC");
105 this.dbDirPath =
new java.io.File(dbPath).getParentFile().getAbsolutePath();
121 Statement statement = null;
122 ResultSet resultSet = null;
124 statement = connection.createStatement();
126 resultSet = connection.
executeQuery(statement,
"SELECT COUNT(*) from blackboard_artifact_types WHERE artifact_type_id = '" + type.getTypeID() +
"'");
127 if (resultSet.getLong(1) == 0) {
128 connection.executeUpdate(statement,
"INSERT INTO blackboard_artifact_types (artifact_type_id, type_name, display_name) VALUES (" + type.getTypeID() +
" , '" + type.getLabel() +
"', '" + type.getDisplayName() +
"')");
147 Statement statement = null;
148 ResultSet resultSet = null;
150 statement = connection.createStatement();
152 resultSet = connection.
executeQuery(statement,
"SELECT COUNT(*) from blackboard_attribute_types WHERE attribute_type_id = '" + type.getTypeID() +
"'");
153 if (resultSet.getLong(1) == 0) {
154 connection.executeUpdate(statement,
"INSERT INTO blackboard_attribute_types (attribute_type_id, type_name, display_name) VALUES (" + type.getTypeID() +
", '" + type.getLabel() +
"', '" + type.getDisplayName() +
"')");
176 Statement statement = null;
177 ResultSet resultSet = null;
179 statement = connection.createStatement();
180 resultSet = connection.
executeQuery(statement,
"SELECT MAX(artifact_id) FROM blackboard_artifacts");
181 this.nextArtifactId = resultSet.getLong(1) + 1;
182 if (this.nextArtifactId == 1) {
199 ResultSet resultSet = null;
200 Statement statement = null;
202 connection.beginTransaction();
206 statement = connection.createStatement();
207 resultSet = connection.
executeQuery(statement,
"SELECT schema_ver FROM tsk_db_info");
208 if (resultSet.next()) {
209 schemaVersionNumber = resultSet.getInt(
"schema_ver");
215 if (SCHEMA_VERSION_NUMBER != schemaVersionNumber) {
218 String backupFilePath = dbPath +
".schemaVer" + schemaVersionNumber +
".backup";
220 dbBackupPath = backupFilePath;
229 connection.executeUpdate(statement,
"UPDATE tsk_db_info SET schema_ver = " + schemaVersionNumber);
231 versionNumber = schemaVersionNumber;
233 connection.commitTransaction();
234 }
catch (Exception ex) {
235 connection.rollbackTransaction();
251 public void copyCaseDB(String newDBPath)
throws IOException {
252 InputStream in = null;
253 OutputStream out = null;
256 InputStream inFile =
new FileInputStream(dbPath);
257 in =
new BufferedInputStream(inFile);
258 OutputStream outFile =
new FileOutputStream(newDBPath);
259 out =
new BufferedOutputStream(outFile);
261 while ((bytesRead = in.read()) != -1) {
262 out.write(bytesRead);
273 }
catch (IOException e) {
274 logger.log(Level.WARNING,
"Could not close streams after db copy", e);
286 SQLiteJDBCLoader.getVersion(), SQLiteJDBCLoader.isNativeMode()
287 ?
"native" :
"pure-java"));
288 }
catch (Exception ex) {
301 @SuppressWarnings(
"deprecation")
303 if (schemaVersionNumber != 2) {
304 return schemaVersionNumber;
308 Statement statement = null;
309 Statement updateStatement = null;
310 ResultSet resultSet = null;
312 statement = connection.createStatement();
315 statement.execute(
"CREATE TABLE tag_names (tag_name_id INTEGER PRIMARY KEY, display_name TEXT UNIQUE, description TEXT NOT NULL, color TEXT NOT NULL)");
316 statement.execute(
"CREATE TABLE content_tags (tag_id INTEGER PRIMARY KEY, obj_id INTEGER NOT NULL, tag_name_id INTEGER NOT NULL, comment TEXT NOT NULL, begin_byte_offset INTEGER NOT NULL, end_byte_offset INTEGER NOT NULL)");
317 statement.execute(
"CREATE TABLE blackboard_artifact_tags (tag_id INTEGER PRIMARY KEY, artifact_id INTEGER NOT NULL, tag_name_id INTEGER NOT NULL, comment TEXT NOT NULL)");
320 statement.execute(
"CREATE TABLE reports (report_id INTEGER PRIMARY KEY, path TEXT NOT NULL, crtime INTEGER NOT NULL, src_module_name TEXT NOT NULL, report_name TEXT NOT NULL)");
323 statement.execute(
"ALTER TABLE tsk_image_info ADD COLUMN size INTEGER;");
324 statement.execute(
"ALTER TABLE tsk_image_info ADD COLUMN md5 TEXT;");
325 statement.execute(
"ALTER TABLE tsk_image_info ADD COLUMN display_name TEXT;");
328 statement.execute(
"ALTER TABLE tsk_fs_info ADD COLUMN display_name TEXT;");
331 statement.execute(
"ALTER TABLE tsk_files ADD COLUMN meta_seq INTEGER;");
336 statement.execute(
"ALTER TABLE blackboard_attributes ADD COLUMN artifact_type_id INTEGER NULL NOT NULL DEFAULT -1;");
337 statement.execute(
"CREATE INDEX attribute_artifactTypeId ON blackboard_attributes(artifact_type_id);");
338 statement.execute(
"CREATE INDEX attribute_valueText ON blackboard_attributes(value_text);");
339 statement.execute(
"CREATE INDEX attribute_valueInt32 ON blackboard_attributes(value_int32);");
340 statement.execute(
"CREATE INDEX attribute_valueInt64 ON blackboard_attributes(value_int64);");
341 statement.execute(
"CREATE INDEX attribute_valueDouble ON blackboard_attributes(value_double);");
342 resultSet = statement.executeQuery(
343 "SELECT attrs.artifact_id, arts.artifact_type_id " +
344 "FROM blackboard_attributes AS attrs " +
345 "INNER JOIN blackboard_artifacts AS arts " +
346 "WHERE attrs.artifact_id = arts.artifact_id;");
347 updateStatement = connection.createStatement();
348 while (resultSet.next()) {
349 long artifactId = resultSet.getLong(1);
350 int artifactTypeId = resultSet.getInt(2);
351 updateStatement.executeUpdate(
352 "UPDATE blackboard_attributes " +
353 "SET artifact_type_id = " + artifactTypeId +
" " +
354 "WHERE blackboard_attributes.artifact_id = " + artifactId +
";");
363 HashMap<String, TagName> tagNames =
new HashMap<String, TagName>();
371 name = attribute.getValueString();
373 comment = attribute.getValueString();
376 if (!name.isEmpty()) {
378 if (tagNames.containsKey(name)) {
379 tagName = tagNames.get(name);
382 tagNames.put(name, tagName);
388 long taggedArtifactId = -1;
394 name = attribute.getValueString();
396 comment = attribute.getValueString();
398 taggedArtifactId = attribute.getValueLong();
401 if (taggedArtifactId != -1 && !name.isEmpty()) {
403 if (tagNames.containsKey(name)) {
404 tagName = tagNames.get(name);
407 tagNames.put(name, tagName);
413 "DELETE FROM blackboard_attributes WHERE artifact_id IN " +
417 "DELETE FROM blackboard_artifacts WHERE " +
476 rwLock.writeLock().lock();
485 rwLock.writeLock().unlock();
494 rwLock.readLock().lock();
503 rwLock.readLock().unlock();
517 }
catch (Exception ex) {
518 throw new TskCoreException(
"Failed to open case database at " + dbPath, ex);
533 }
catch (Exception ex) {
534 throw new TskCoreException(
"Failed to create case database at " + dbPath, ex);
551 return this.
caseHandle.initAddImageProcess(timezone, processUnallocSpace, noFatFsOrphans);
567 s = connection.createStatement();
568 rs = connection.
executeQuery(s,
"SELECT obj_id, type from tsk_objects "
569 +
"WHERE par_obj_id IS NULL");
570 Collection<ObjectInfo> infos =
new ArrayList<ObjectInfo>();
572 infos.add(
new ObjectInfo(rs.getLong(
"obj_id"),
ObjectType.
valueOf(rs.getShort(
"type"))));
575 List<Content> rootObjs =
new ArrayList<Content>();
576 for (ObjectInfo i : infos) {
585 throw new TskCoreException(
"Parentless object has wrong type to be a root (ABSTRACTFILE, but not VIRTUAL_DIRECTORY: " + i.type);
588 throw new TskCoreException(
"Parentless object has wrong type to be a root: " + i.type);
592 }
catch (SQLException ex) {
593 throw new TskCoreException(
"Error getting root objects", ex);
613 String artifactTypeName = getArtifactTypeString(artifactTypeID);
615 statement.clearParameters();
616 statement.setInt(1, artifactTypeID);
618 ArrayList<BlackboardArtifact> artifacts =
new ArrayList<BlackboardArtifact>();
624 }
catch (SQLException ex) {
625 throw new TskCoreException(
"Error getting or creating a blackboard artifact", ex);
645 statement.clearParameters();
646 statement.setLong(1, objId);
650 count = rs.getLong(1);
653 }
catch (SQLException ex) {
654 throw new TskCoreException(
"Error getting number of blackboard artifacts by content", ex);
674 statement.clearParameters();
675 statement.setInt(1, artifactTypeID);
679 count = rs.getLong(1);
682 }
catch (SQLException ex) {
683 throw new TskCoreException(
"Error getting number of blackboard artifacts by type", ex);
700 ArrayList<BlackboardArtifact> artifacts =
new ArrayList<BlackboardArtifact>();
702 final int artifactTypeID = rs.getInt(3);
727 s = connection.createStatement();
728 rs = connection.
executeQuery(s,
"SELECT DISTINCT blackboard_artifacts.artifact_id, "
729 +
"blackboard_artifacts.obj_id, blackboard_artifacts.artifact_type_id "
730 +
"FROM blackboard_artifacts, blackboard_attributes "
731 +
"WHERE blackboard_artifacts.artifact_id = blackboard_attributes.artifact_id "
732 +
"AND blackboard_attributes.attribute_type_id IS " + attrType.getTypeID()
733 +
" AND blackboard_attributes.value_text IS '" + value +
"'");
735 }
catch (SQLException ex) {
736 throw new TskCoreException(
"Error getting blackboard artifacts by attribute", ex);
759 subString =
"%" + subString;
760 if (startsWith ==
false) {
761 subString = subString +
"%";
768 s = connection.createStatement();
769 rs = connection.
executeQuery(s,
"SELECT DISTINCT blackboard_artifacts.artifact_id, "
770 +
"blackboard_artifacts.obj_id, blackboard_artifacts.artifact_type_id "
771 +
"FROM blackboard_artifacts, blackboard_attributes "
772 +
"WHERE blackboard_artifacts.artifact_id = blackboard_attributes.artifact_id "
773 +
"AND blackboard_attributes.attribute_type_id IS " + attrType.getTypeID()
774 +
" AND blackboard_attributes.value_text LIKE '" + subString +
"'");
776 }
catch (SQLException ex) {
777 throw new TskCoreException(
"Error getting blackboard artifacts by attribute. " + ex.getMessage(), ex);
802 s = connection.createStatement();
803 rs = connection.
executeQuery(s,
"SELECT DISTINCT blackboard_artifacts.artifact_id, "
804 +
"blackboard_artifacts.obj_id, blackboard_artifacts.artifact_type_id "
805 +
"FROM blackboard_artifacts, blackboard_attributes "
806 +
"WHERE blackboard_artifacts.artifact_id = blackboard_attributes.artifact_id "
807 +
"AND blackboard_attributes.attribute_type_id IS " + attrType.getTypeID()
808 +
" AND blackboard_attributes.value_int32 IS " + value);
810 }
catch (SQLException ex) {
811 throw new TskCoreException(
"Error getting blackboard artifacts by attribute", ex);
836 s = connection.createStatement();
837 rs = connection.
executeQuery(s,
"SELECT DISTINCT blackboard_artifacts.artifact_id, "
838 +
"blackboard_artifacts.obj_id, blackboard_artifacts.artifact_type_id "
839 +
"FROM blackboard_artifacts, blackboard_attributes "
840 +
"WHERE blackboard_artifacts.artifact_id = blackboard_attributes.artifact_id "
841 +
"AND blackboard_attributes.attribute_type_id IS " + attrType.getTypeID()
842 +
" AND blackboard_attributes.value_int64 IS " + value);
844 }
catch (SQLException ex) {
845 throw new TskCoreException(
"Error getting blackboard artifacts by attribute. " + ex.getMessage(), ex);
870 s = connection.createStatement();
871 rs = connection.
executeQuery(s,
"SELECT DISTINCT blackboard_artifacts.artifact_id, "
872 +
"blackboard_artifacts.obj_id, blackboard_artifacts.artifact_type_id "
873 +
"FROM blackboard_artifacts, blackboard_attributes "
874 +
"WHERE blackboard_artifacts.artifact_id = blackboard_attributes.artifact_id "
875 +
"AND blackboard_attributes.attribute_type_id IS " + attrType.getTypeID()
876 +
" AND blackboard_attributes.value_double IS " + value);
878 }
catch (SQLException ex) {
879 throw new TskCoreException(
"Error getting blackboard artifacts by attribute", ex);
904 s = connection.createStatement();
905 rs = connection.
executeQuery(s,
"SELECT DISTINCT blackboard_artifacts.artifact_id, "
906 +
"blackboard_artifacts.obj_id, blackboard_artifacts.artifact_type_id "
907 +
"FROM blackboard_artifacts, blackboard_attributes "
908 +
"WHERE blackboard_artifacts.artifact_id = blackboard_attributes.artifact_id "
909 +
"AND blackboard_attributes.attribute_type_id IS " + attrType.getTypeID()
910 +
" AND blackboard_attributes.value_byte IS " + value);
912 }
catch (SQLException ex) {
913 throw new TskCoreException(
"Error getting blackboard artifacts by attribute", ex);
935 s = connection.createStatement();
936 rs = connection.
executeQuery(s,
"SELECT artifact_type_id FROM blackboard_artifact_types");
944 if (artType.getTypeID() == rs.getInt(1)) {
945 artifact_types.add(artType);
949 return artifact_types;
950 }
catch (SQLException ex) {
951 throw new TskCoreException(
"Error getting artifact types", ex);
994 s = connection.createStatement();
995 rs = connection.
executeQuery(s,
"SELECT type_name FROM blackboard_attribute_types");
1000 return attribute_types;
1001 }
catch (SQLException ex) {
1002 throw new TskCoreException(
"Error getting attribute types", ex);
1024 ResultSet rs = null;
1026 s = connection.createStatement();
1027 rs = connection.
executeQuery(s,
"SELECT COUNT(*) FROM blackboard_attribute_types");
1030 count = rs.getInt(1);
1033 }
catch (SQLException ex) {
1034 throw new TskCoreException(
"Error getting number of blackboard artifacts by type", ex);
1056 ResultSet rs = null;
1059 statement.clearParameters();
1060 statement.setLong(1, obj_id);
1061 statement.setInt(2, artifactTypeID);
1063 ArrayList<BlackboardArtifact> artifacts =
new ArrayList<BlackboardArtifact>();
1065 artifacts.add(
new BlackboardArtifact(
this, rs.getLong(1), obj_id, artifactTypeID, artifactTypeName, this.getArtifactTypeDisplayName(artifactTypeID)));
1068 }
catch (SQLException ex) {
1069 throw new TskCoreException(
"Error getting or creating a blackboard artifact", ex);
1089 ResultSet rs = null;
1092 statement.clearParameters();
1093 statement.setLong(1, obj_id);
1094 statement.setInt(2, artifactTypeID);
1098 count = rs.getLong(1);
1101 }
catch (SQLException ex) {
1121 ResultSet rs = null;
1124 statement.clearParameters();
1125 statement.setInt(1, artifactTypeID);
1127 ArrayList<BlackboardArtifact> artifacts =
new ArrayList<BlackboardArtifact>();
1129 artifacts.add(
new BlackboardArtifact(
this, rs.getLong(1), rs.getLong(2), artifactTypeID, artifactTypeName, this.getArtifactTypeDisplayName(artifactTypeID)));
1132 }
catch (SQLException ex) {
1133 throw new TskCoreException(
"Error getting or creating a blackboard artifact", ex);
1151 if (artifactTypeID == -1) {
1152 return new ArrayList<BlackboardArtifact>();
1167 String artifactTypeName = this.getArtifactTypeString(artifactTypeID);
1181 return getArtifactsHelper(artifactType.getTypeID(), artifactType.getLabel(), obj_id);
1196 if (artifactTypeID == -1) {
1240 if (artifactTypeID == -1) {
1241 return new ArrayList<BlackboardArtifact>();
1273 ResultSet rs = null;
1275 s = connection.createStatement();
1276 rs = connection.
executeQuery(s,
"SELECT DISTINCT blackboard_artifacts.artifact_id, "
1277 +
"blackboard_artifacts.obj_id, blackboard_artifacts.artifact_type_id "
1278 +
"FROM blackboard_artifacts, blackboard_attributes "
1279 +
"WHERE blackboard_artifacts.artifact_id = blackboard_attributes.artifact_id "
1280 +
"AND blackboard_attributes.attribute_type_id IS " + attrType.getTypeID()
1281 +
" AND blackboard_artifacts.artifact_type_id = " + artifactType.getTypeID()
1282 +
" AND blackboard_attributes.value_text IS '" + value +
"'");
1284 }
catch (SQLException ex) {
1285 throw new TskCoreException(
"Error getting blackboard artifacts by artifact type and attribute. " + ex.getMessage(), ex);
1304 ResultSet rs = null;
1307 statement.clearParameters();
1308 statement.setLong(1, artifactID);
1311 if (artifacts.size() > 0) {
1312 return artifacts.get(0);
1317 throw new TskCoreException(
"No blackboard artifact with id " + artifactID);
1319 }
catch (SQLException ex) {
1320 throw new TskCoreException(
"Error getting a blackboard artifact. " + ex.getMessage(), ex);
1339 }
catch (SQLException ex) {
1340 throw new TskCoreException(
"Error adding blackboard attribute " + attr.toString(), ex);
1358 connection.beginTransaction();
1362 connection.commitTransaction();
1363 }
catch (SQLException ex) {
1364 connection.rollbackTransaction();
1372 PreparedStatement statement;
1373 switch (attr.getValueType()) {
1376 statement.clearParameters();
1381 statement.clearParameters();
1382 statement.setBytes(7, attr.getValueBytes());
1386 statement.clearParameters();
1387 statement.setInt(7, attr.getValueInt());
1391 statement.clearParameters();
1392 statement.setLong(7, attr.getValueLong());
1396 statement.clearParameters();
1397 statement.setDouble(7, attr.getValueDouble());
1402 statement.setLong(1, attr.getArtifactID());
1403 statement.setInt(2, artifactTypeId);
1404 statement.setString(3, attr.getModuleName());
1405 statement.setString(4, attr.getContext());
1406 statement.setInt(5, attr.getAttributeTypeID());
1407 statement.setLong(6, attr.getValueType().getType());
1408 connection.executeUpdate(statement);
1424 ResultSet rs = null;
1426 connection.beginTransaction();
1427 s = connection.createStatement();
1428 rs = connection.
executeQuery(s,
"SELECT attribute_type_id FROM blackboard_attribute_types WHERE type_name = '" + attrTypeString +
"'");
1431 connection.executeUpdate(s,
"INSERT INTO blackboard_artifact_types (type_name, display_name) VALUES ('" + attrTypeString +
"', '" + displayName +
"')");
1432 rs = s.getGeneratedKeys();
1434 int type = rs.getInt(1);
1435 connection.commitTransaction();
1437 }
catch (SQLException ex) {
1438 connection.rollbackTransaction();
1459 ResultSet rs = null;
1461 s = connection.createStatement();
1462 rs = connection.
executeQuery(s,
"SELECT attribute_type_id FROM blackboard_attribute_types WHERE type_name = '" + attrTypeName +
"'");
1465 typeId = rs.getInt(1);
1468 }
catch (SQLException ex) {
1490 ResultSet rs = null;
1492 s = connection.createStatement();
1493 rs = connection.
executeQuery(s,
"SELECT type_name FROM blackboard_attribute_types WHERE attribute_type_id = " + attrTypeID);
1495 return rs.getString(1);
1499 }
catch (SQLException ex) {
1500 throw new TskCoreException(
"Error getting or creating a attribute type name", ex);
1521 ResultSet rs = null;
1523 s = connection.createStatement();
1524 rs = connection.
executeQuery(s,
"SELECT display_name FROM blackboard_attribute_types WHERE attribute_type_id = " + attrTypeID);
1526 return rs.getString(1);
1530 }
catch (SQLException ex) {
1531 throw new TskCoreException(
"Error getting or creating a attribute type name", ex);
1551 ResultSet rs = null;
1553 s = connection.createStatement();
1554 rs = connection.
executeQuery(s,
"SELECT artifact_type_id FROM blackboard_artifact_types WHERE type_name = '" + artifactTypeName +
"'");
1557 typeId = rs.getInt(1);
1560 }
catch (SQLException ex) {
1580 CaseDbConnection connection = connections.getConnection();
1583 ResultSet rs = null;
1585 s = connection.createStatement();
1586 rs = connection.executeQuery(s,
"SELECT type_name FROM blackboard_artifact_types WHERE artifact_type_id = " + artifactTypeID);
1588 return rs.getString(1);
1590 throw new TskCoreException(
"Error getting artifact type name, artifact type id = " + artifactTypeID +
" not found");
1592 }
catch (SQLException ex) {
1593 throw new TskCoreException(
"Error getting artifact type name, artifact type id = " + artifactTypeID, ex);
1611 String getArtifactTypeDisplayName(
int artifactTypeID)
throws TskCoreException {
1613 CaseDbConnection connection = connections.getConnection();
1616 ResultSet rs = null;
1618 s = connection.createStatement();
1619 rs = connection.executeQuery(s,
"SELECT display_name FROM blackboard_artifact_types WHERE artifact_type_id = " + artifactTypeID);
1621 return rs.getString(1);
1623 throw new TskCoreException(
"Error getting artifact type display name, artifact type id = " + artifactTypeID +
" not found");
1625 }
catch (SQLException ex) {
1626 throw new TskCoreException(
"Error getting artifact type display name, artifact type id = " + artifactTypeID, ex);
1648 ResultSet rs = null;
1650 connection.beginTransaction();
1651 s = connection.createStatement();
1652 rs = connection.
executeQuery(s,
"SELECT artifact_type_id FROM blackboard_artifact_types WHERE type_name = '" + artifactTypeName +
"'");
1655 connection.executeUpdate(s,
"INSERT INTO blackboard_artifact_types (type_name, display_name) VALUES ('" + artifactTypeName +
"', '" + displayName +
"')");
1656 rs = s.getGeneratedKeys();
1658 int id = rs.getInt(1);
1659 connection.commitTransaction();
1661 }
catch (SQLException ex) {
1662 connection.rollbackTransaction();
1674 ResultSet rs = null;
1677 statement.clearParameters();
1678 statement.setLong(1, artifact.getArtifactID());
1680 ArrayList<BlackboardAttribute> attributes =
new ArrayList<BlackboardAttribute>();
1692 rs.getBytes(6),
this);
1693 attributes.add(attr);
1696 }
catch (SQLException ex) {
1697 throw new TskCoreException(
"Error getting attributes for artifact, artifact id = " + artifact.getArtifactID(), ex);
1718 ResultSet rs = null;
1720 s = connection.createStatement();
1721 rs = connection.
executeQuery(s,
"Select artifact_id, source, context, attribute_type_id, value_type, "
1722 +
"value_byte, value_text, value_int32, value_int64, value_double FROM blackboard_attributes " + whereClause);
1723 ArrayList<BlackboardAttribute> matches =
new ArrayList<BlackboardAttribute>();
1727 rs.getString(
"value_text"), rs.getBytes(
"value_byte"),
this);
1731 }
catch (SQLException ex) {
1732 throw new TskCoreException(
"Error getting attributes using this where clause: " + whereClause, ex);
1752 ResultSet rs = null;
1755 s = connection.createStatement();
1756 rs = connection.
executeQuery(s,
"SELECT artifact_id, obj_id, artifact_type_id FROM blackboard_artifacts " + whereClause);
1757 ArrayList<BlackboardArtifact> matches =
new ArrayList<BlackboardArtifact>();
1759 BlackboardArtifact artifact =
new BlackboardArtifact(
this, rs.getLong(1), rs.getLong(2), rs.getInt(3), this.getArtifactTypeString(rs.getInt(3)), this.getArtifactTypeDisplayName(rs.getInt(3)));
1760 matches.add(artifact);
1763 }
catch (SQLException ex) {
1764 throw new TskCoreException(
"Error getting attributes using this where clause: " + whereClause, ex);
1784 return newBlackboardArtifact(artifactTypeID, obj_id, getArtifactTypeString(artifactTypeID), getArtifactTypeDisplayName(artifactTypeID));
1797 return newBlackboardArtifact(artifactType.getTypeID(), obj_id, artifactType.getLabel(), artifactType.getDisplayName());
1803 ResultSet rs = null;
1806 statement.clearParameters();
1807 statement.setLong(1, this.nextArtifactId++);
1808 statement.setLong(2, obj_id);
1809 statement.setInt(3, artifact_type_id);
1810 connection.executeUpdate(statement);
1811 rs = statement.getGeneratedKeys();
1812 return new BlackboardArtifact(
this, rs.getLong(1), obj_id, artifact_type_id, artifactTypeName, artifactDisplayName,
true);
1813 }
catch (SQLException ex) {
1832 CaseDbConnection connection = connections.getConnection();
1834 ResultSet rs = null;
1836 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.COUNT_CHILD_OBJECTS_BY_PARENT);
1837 statement.clearParameters();
1838 statement.setLong(1, content.getId());
1839 rs = connection.executeQuery(statement);
1840 boolean hasChildren =
false;
1842 hasChildren = rs.getInt(1) > 0;
1845 }
catch (SQLException e) {
1846 throw new TskCoreException(
"Error checking for children of parent " + content, e);
1863 int getContentChildrenCount(Content content)
throws TskCoreException {
1864 CaseDbConnection connection = connections.getConnection();
1866 ResultSet rs = null;
1868 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.COUNT_CHILD_OBJECTS_BY_PARENT);
1869 statement.clearParameters();
1870 statement.setLong(1, content.getId());
1871 rs = connection.executeQuery(statement);
1872 int countChildren = -1;
1874 countChildren = rs.getInt(1);
1876 return countChildren;
1877 }
catch (SQLException e) {
1878 throw new TskCoreException(
"Error checking for children of parent " + content, e);
1894 List<Content> getAbstractFileChildren(Content parent, TSK_DB_FILES_TYPE_ENUM type)
throws TskCoreException {
1895 CaseDbConnection connection = connections.getConnection();
1897 ResultSet rs = null;
1899 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_FILES_BY_PARENT_AND_TYPE);
1900 statement.clearParameters();
1901 long parentId = parent.getId();
1902 statement.setLong(1, parentId);
1903 statement.setShort(2, type.getFileType());
1904 rs = connection.executeQuery(statement);
1905 return rsHelper.fileChildren(rs, parentId);
1906 }
catch (SQLException ex) {
1907 throw new TskCoreException(
"Error getting AbstractFile children for Content", ex);
1923 List<Content> getAbstractFileChildren(Content parent)
throws TskCoreException {
1924 CaseDbConnection connection = connections.getConnection();
1926 ResultSet rs = null;
1928 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_FILES_BY_PARENT);
1929 statement.clearParameters();
1930 long parentId = parent.getId();
1931 statement.setLong(1, parentId);
1932 rs = connection.executeQuery(statement);
1933 return rsHelper.fileChildren(rs, parentId);
1934 }
catch (SQLException ex) {
1935 throw new TskCoreException(
"Error getting AbstractFile children for Content", ex);
1951 List<Long> getAbstractFileChildrenIds(Content parent, TSK_DB_FILES_TYPE_ENUM type)
throws TskCoreException {
1952 CaseDbConnection connection = connections.getConnection();
1954 ResultSet rs = null;
1956 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_FILE_IDS_BY_PARENT_AND_TYPE);
1957 statement.clearParameters();
1958 statement.setLong(1, parent.getId());
1959 statement.setShort(2, type.getFileType());
1960 rs = connection.executeQuery(statement);
1961 List<Long> children =
new ArrayList<Long>();
1963 children.add(rs.getLong(1));
1966 }
catch (SQLException ex) {
1967 throw new TskCoreException(
"Error getting AbstractFile children for Content", ex);
1981 List<Long> getAbstractFileChildrenIds(Content parent)
throws TskCoreException {
1982 CaseDbConnection connection = connections.getConnection();
1984 ResultSet rs = null;
1986 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_FILE_IDS_BY_PARENT);
1987 statement.clearParameters();
1988 statement.setLong(1, parent.getId());
1989 rs = connection.executeQuery(statement);
1990 List<Long> children =
new ArrayList<Long>();
1992 children.add(rs.getLong(1));
1995 }
catch (SQLException ex) {
1996 throw new TskCoreException(
"Error getting AbstractFile children for Content", ex);
2006 static class ObjectInfo {
2009 TskData.ObjectType type;
2011 ObjectInfo(
long id, ObjectType type) {
2025 Collection<ObjectInfo> getChildrenInfo(Content c)
throws TskCoreException {
2026 CaseDbConnection connection = connections.getConnection();
2029 ResultSet rs = null;
2031 s = connection.createStatement();
2032 rs = connection.executeQuery(s,
"SELECT tsk_objects.obj_id, tsk_objects.type "
2033 +
"FROM tsk_objects left join tsk_files "
2034 +
"ON tsk_objects.obj_id=tsk_files.obj_id "
2035 +
"WHERE tsk_objects.par_obj_id = " + c.getId());
2036 Collection<ObjectInfo> infos =
new ArrayList<ObjectInfo>();
2038 infos.add(
new ObjectInfo(rs.getLong(
"obj_id"), ObjectType.valueOf(rs.getShort(
"type"))));
2041 }
catch (SQLException ex) {
2042 throw new TskCoreException(
"Error getting Children Info for Content", ex);
2058 ObjectInfo getParentInfo(Content c)
throws TskCoreException {
2061 CaseDbConnection connection = connections.getConnection();
2064 ResultSet rs = null;
2066 s = connection.createStatement();
2067 rs = connection.executeQuery(s,
"SELECT parent.obj_id, parent.type "
2068 +
"FROM tsk_objects AS parent INNER JOIN tsk_objects AS child "
2069 +
"ON child.par_obj_id = parent.obj_id "
2070 +
"WHERE child.obj_id = " + c.getId());
2072 return new ObjectInfo(rs.getLong(1), ObjectType.valueOf(rs.getShort(2)));
2074 throw new TskCoreException(
"Given content (id: " + c.getId() +
") has no parent");
2076 }
catch (SQLException ex) {
2077 throw new TskCoreException(
"Error getting Parent Info for Content", ex);
2093 ObjectInfo getParentInfo(
long contentId)
throws TskCoreException {
2096 CaseDbConnection connection = connections.getConnection();
2099 ResultSet rs = null;
2101 s = connection.createStatement();
2102 rs = connection.executeQuery(s,
"SELECT parent.obj_id, parent.type "
2103 +
"FROM tsk_objects AS parent INNER JOIN tsk_objects AS child "
2104 +
"ON child.par_obj_id = parent.obj_id "
2105 +
"WHERE child.obj_id = " + contentId);
2107 return new ObjectInfo(rs.getLong(1), ObjectType.valueOf(rs.getShort(2)));
2109 throw new TskCoreException(
"Given content (id: " + contentId +
") has no parent.");
2111 }
catch (SQLException ex) {
2112 throw new TskCoreException(
"Error getting Parent Info for Content: " + contentId, ex);
2128 Directory getParentDirectory(FsContent fsc)
throws TskCoreException {
2132 throw new TskCoreException(
"Given FsContent (id: " + fsc.getId() +
") is a root object (can't have parent directory).");
2134 ObjectInfo parentInfo = getParentInfo(fsc);
2135 Directory parent = null;
2136 if (parentInfo.type == ObjectType.ABSTRACTFILE) {
2137 parent = getDirectoryById(parentInfo.id, fsc.getFileSystem());
2139 throw new TskCoreException(
"Parent of FsContent (id: " + fsc.getId() +
") has wrong type to be directory: " + parentInfo.type);
2158 ResultSet rs = null;
2160 s = connection.createStatement();
2161 rs = connection.
executeQuery(s,
"SELECT * FROM tsk_objects WHERE obj_id = " +
id +
" LIMIT 1");
2167 long parentId = rs.getLong(
"par_obj_id");
2174 content = getVolumeSystemById(
id, parentId);
2177 content = getVolumeById(
id, parentId);
2180 content = getFileSystemById(
id, parentId);
2186 throw new TskCoreException(
"Could not obtain Content object with ID: " +
id);
2189 }
catch (SQLException ex) {
2204 String getFilePath(
long id) {
2205 CaseDbConnection connection;
2207 connection = connections.getConnection();
2208 }
catch (TskCoreException ex) {
2209 logger.log(Level.SEVERE,
"Error getting file path for file " +
id, ex);
2212 String filePath = null;
2214 ResultSet rs = null;
2216 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_LOCAL_PATH_FOR_FILE);
2217 statement.clearParameters();
2218 statement.setLong(1,
id);
2219 rs = connection.executeQuery(statement);
2221 filePath = rs.getString(1);
2223 }
catch (SQLException ex) {
2224 logger.log(Level.SEVERE,
"Error getting file path for file " +
id, ex);
2238 String getFileParentPath(
long id) {
2239 CaseDbConnection connection;
2241 connection = connections.getConnection();
2242 }
catch (TskCoreException ex) {
2243 logger.log(Level.SEVERE,
"Error getting parent file path for file " +
id, ex);
2246 String parentPath = null;
2248 ResultSet rs = null;
2250 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_PATH_FOR_FILE);
2251 statement.clearParameters();
2252 statement.setLong(1,
id);
2253 rs = connection.executeQuery(statement);
2255 parentPath = rs.getString(1);
2257 }
catch (SQLException ex) {
2258 logger.log(Level.SEVERE,
"Error getting file parent_path for file " +
id, ex);
2272 String getFileName(
long id) {
2273 CaseDbConnection connection;
2275 connection = connections.getConnection();
2276 }
catch (TskCoreException ex) {
2277 logger.log(Level.SEVERE,
"Error getting file name for file " +
id, ex);
2280 String fileName = null;
2282 ResultSet rs = null;
2284 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_FILE_NAME);
2285 statement.clearParameters();
2286 statement.setLong(1,
id);
2287 rs = connection.executeQuery(statement);
2289 fileName = rs.getString(1);
2291 }
catch (SQLException ex) {
2292 logger.log(Level.SEVERE,
"Error getting file parent_path for file " +
id, ex);
2308 DerivedFile.DerivedMethod getDerivedMethod(
long id)
throws TskCoreException {
2309 CaseDbConnection connection = connections.getConnection();
2310 DerivedFile.DerivedMethod method = null;
2312 ResultSet rs1 = null;
2313 ResultSet rs2 = null;
2315 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_DERIVED_FILE);
2316 statement.clearParameters();
2317 statement.setLong(1,
id);
2318 rs1 = connection.executeQuery(statement);
2320 int method_id = rs1.getInt(1);
2321 String rederive = rs1.getString(1);
2322 method =
new DerivedFile.DerivedMethod(method_id, rederive);
2323 statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.SELECT_FILE_DERIVATION_METHOD);
2324 statement.clearParameters();
2325 statement.setInt(1, method_id);
2326 rs2 = connection.executeQuery(statement);
2328 method.setToolName(rs2.getString(1));
2329 method.setToolVersion(rs2.getString(2));
2330 method.setOther(rs2.getString(3));
2333 }
catch (SQLException e) {
2334 logger.log(Level.SEVERE,
"Error getting derived method for file: " +
id, e);
2354 ResultSet rs = null;
2357 statement.clearParameters();
2358 statement.setLong(1,
id);
2360 List<AbstractFile> results;
2362 return results.get(0);
2366 }
catch (SQLException ex) {
2387 connection = connections.getConnection();
2389 logger.log(Level.SEVERE,
"Error getting file system id for file " + fileId, ex);
2393 ResultSet rs = null;
2397 statement.clearParameters();
2398 statement.setLong(1, fileId);
2401 ret = rs.getLong(1);
2406 }
catch (SQLException e) {
2407 logger.log(Level.SEVERE,
"Error checking file system id of a file, id = " + fileId, e);
2425 if (dataSource.getParent() != null) {
2426 final String msg = MessageFormat.format(bundle.getString(
"SleuthkitCase.isFileFromSource.exception.msg.text"), dataSource);
2427 logger.log(Level.SEVERE, msg);
2428 throw new IllegalArgumentException(msg);
2438 if (dataSource instanceof
Image) {
2441 if (fs.getId() == fsId) {
2451 return dataSource.getId() == fsId;
2453 final String msg = MessageFormat.format(bundle.getString(
"SleuthkitCase.isFileFromSource.exception.msg2.text"), dataSource);
2454 logger.log(Level.SEVERE, msg);
2455 throw new IllegalArgumentException(msg);
2469 if (dataSource.getParent() != null) {
2470 final String msg = MessageFormat.format(bundle.getString(
"SleuthkitCase.isFileFromSource.exception.msg1.text"), dataSource);
2471 logger.log(Level.SEVERE, msg);
2472 throw new IllegalArgumentException(msg);
2475 List<AbstractFile> files =
new ArrayList<AbstractFile>();
2478 ResultSet rs = null;
2480 if (dataSource instanceof
Image) {
2484 statement.clearParameters();
2485 statement.setString(1, fileName.toLowerCase());
2486 statement.setLong(2, fileSystem.getId());
2487 rs = connection.executeQuery(statement);
2494 Statement s = connection.createStatement();
2495 rs = connection.executeQuery(s,
"SELECT * FROM tsk_files WHERE LOWER(name) LIKE '" + fileName.toLowerCase() +
"' and LOWER(name) NOT LIKE '%journal%' AND parent_path LIKE '/" + dataSource.getName() +
"/%'");
2498 final String msg = MessageFormat.format(bundle.getString(
"SleuthkitCase.findFiles.exception.msg2.text"), dataSource);
2499 logger.log(Level.SEVERE, msg);
2500 throw new IllegalArgumentException(msg);
2502 }
catch (SQLException e) {
2503 throw new TskCoreException(bundle.getString(
"SleuthkitCase.findFiles.exception.msg3.text"), e);
2523 if (dataSource.getParent() != null) {
2524 final String msg = MessageFormat.format(bundle.getString(
"SleuthkitCase.findFiles3.exception.msg1.text"), dataSource);
2525 logger.log(Level.SEVERE, msg);
2526 throw new IllegalArgumentException(msg);
2529 List<AbstractFile> files =
new ArrayList<AbstractFile>();
2532 ResultSet rs = null;
2534 if (dataSource instanceof
Image) {
2538 statement.clearParameters();
2539 statement.setString(1, fileName.toLowerCase());
2540 statement.setString(2,
"%" + dirName.toLowerCase() +
"%");
2541 statement.setLong(3, fileSystem.getId());
2542 rs = connection.executeQuery(statement);
2549 Statement s = connection.createStatement();
2550 rs = connection.executeQuery(s,
"SELECT * FROM tsk_files WHERE LOWER(name) LIKE '" + fileName.toLowerCase() +
"' and LOWER(name) NOT LIKE '%journal%' AND parent_path LIKE '/" + dataSource.getName() +
"/%' AND lower(parent_path) LIKE '%" + dirName.toLowerCase() +
"%'");
2553 final String msg = MessageFormat.format(bundle.getString(
"SleuthkitCase.findFiles3.exception.msg2.text"), dataSource);
2554 logger.log(Level.SEVERE, msg);
2555 throw new IllegalArgumentException(msg);
2557 }
catch (SQLException e) {
2558 throw new TskCoreException(bundle.getString(
"SleuthkitCase.findFiles3.exception.msg3.text"), e);
2563 }
catch (SQLException ex) {
2564 logger.log(Level.WARNING,
"Error closing result set after finding files", ex);
2609 if (trans == null) {
2614 ResultSet resultSet = null;
2617 String parentPath = getFileParentPath(parentId);
2618 if (parentPath == null) {
2621 String parentName = getFileName(parentId);
2622 if (parentName != null) {
2623 parentPath = parentPath + parentName +
"/";
2630 statement.clearParameters();
2631 if (parentId != 0) {
2632 statement.setLong(1, parentId);
2635 connection.executeUpdate(statement);
2636 resultSet = statement.getGeneratedKeys();
2637 long newObjId = resultSet.getLong(1);
2644 statement.clearParameters();
2645 statement.setLong(1, newObjId);
2649 if (parentFs != -1) {
2650 statement.setLong(2, parentFs);
2652 statement.setString(3, directoryName);
2656 statement.setBoolean(5,
true);
2660 statement.setShort(6, dirType.
getValue());
2662 statement.setShort(7, metaType.
getValue());
2666 statement.setShort(8, dirFlag.
getValue());
2669 statement.setShort(9, metaFlags);
2673 statement.setLong(10, size);
2676 statement.setString(15, parentPath);
2678 connection.executeUpdate(statement);
2683 }
catch (SQLException e) {
2684 throw new TskCoreException(
"Error creating virtual directory '" + directoryName +
"'", e);
2702 ResultSet rs = null;
2704 s = connection.createStatement();
2705 rs = connection.
executeQuery(s,
"SELECT tsk_files.* FROM tsk_objects, tsk_files WHERE "
2706 +
"tsk_objects.par_obj_id IS NULL AND "
2708 +
"tsk_objects.obj_id = tsk_files.obj_id AND "
2710 +
" ORDER BY tsk_files.dir_type, tsk_files.name COLLATE NOCASE");
2711 List<VirtualDirectory> virtDirRootIds =
new ArrayList<VirtualDirectory>();
2713 virtDirRootIds.add(rsHelper.virtualDirectory(rs));
2715 return virtDirRootIds;
2716 }
catch (SQLException ex) {
2717 throw new TskCoreException(
"Error getting local files virtual folder id", ex);
2740 List<CarvedFileContainer> carvedFileContainer =
new ArrayList<CarvedFileContainer>();
2741 carvedFileContainer.add(
new CarvedFileContainer(carvedFileName, carvedFileSize, containerId, data));
2743 List<LayoutFile> layoutCarvedFiles =
addCarvedFiles(carvedFileContainer);
2744 if (layoutCarvedFiles != null) {
2745 return layoutCarvedFiles.get(0);
2763 if (filesToAdd != null && filesToAdd.isEmpty() ==
false) {
2764 List<LayoutFile> addedFiles =
new ArrayList<LayoutFile>();
2767 ResultSet rs = null;
2774 long firstItemId = filesToAdd.get(0).getId();
2777 Long carvedDirId = carvedFileContainersCache.get(firstItemId);
2778 if (carvedDirId != null) {
2784 if (parent == null) {
2785 throw new TskCoreException(
"No Content object found with this ID (" + firstItemId +
").");
2788 List<Content> children = Collections.<
Content>emptyList();
2790 FileSystem fs = (FileSystem) parent;
2792 }
else if (parent instanceof
Volume
2793 || parent instanceof
Image) {
2796 throw new TskCoreException(
"The given ID (" + firstItemId +
") was not an image, volume or file system.");
2800 Content carvedFilesDir = null;
2801 for (
Content child : children) {
2803 carvedFilesDir = child;
2809 if (carvedFilesDir != null) {
2811 carvedFileContainersCache.put(firstItemId, carvedFilesDir.
getId());
2812 id = carvedFilesDir.
getId();
2818 carvedFileContainersCache.put(firstItemId,
id);
2823 String parentPath = getFileParentPath(
id);
2824 if (parentPath == null) {
2827 String parentName = getFileName(
id);
2828 if (parentName != null) {
2829 parentPath = parentPath + parentName +
"/";
2833 boolean isContainerAFs =
false;
2834 s = connection.createStatement();
2835 rs = connection.
executeQuery(s,
"select * from tsk_fs_info "
2836 +
"where obj_id = " + firstItemId);
2838 isContainerAFs =
true;
2848 statement.clearParameters();
2849 statement.setLong(1,
id);
2851 connection.executeUpdate(statement);
2852 rs = statement.getGeneratedKeys();
2853 long newObjId = rs.getLong(1);
2860 statement.clearParameters();
2861 statement.setLong(1, newObjId);
2864 if (isContainerAFs) {
2865 statement.setLong(2, itemToAdd.getId());
2867 statement.setString(3, itemToAdd.getName());
2874 statement.setBoolean(5,
true);
2878 statement.setShort(6, dirType.
getValue());
2882 statement.setShort(7, metaType.
getValue());
2886 statement.setShort(8, dirFlag.
getValue());
2890 statement.setShort(9, metaFlags);
2893 statement.setLong(10, itemToAdd.getSize());
2896 statement.setString(15, parentPath);
2898 connection.executeUpdate(statement);
2904 for (
TskFileRange tskFileRange : itemToAdd.getRanges()) {
2905 statement.clearParameters();
2908 statement.setLong(1, newObjId);
2911 statement.setLong(2, tskFileRange.getByteStart());
2914 statement.setLong(3, tskFileRange.getByteLen());
2917 statement.setLong(4, tskFileRange.getSequence());
2920 connection.executeUpdate(statement);
2923 addedFiles.add(
new LayoutFile(
this, newObjId, itemToAdd.getName(),
2924 type, dirType, metaType, dirFlag, metaFlags,
2927 localTrans.commit();
2929 }
catch (SQLException ex) {
2930 if (null != localTrans) {
2931 localTrans.rollback();
2933 throw new TskCoreException(
"Failed to add carved file to case database", ex);
2940 return Collections.emptyList();
2969 long size,
long ctime,
long crtime,
long atime,
long mtime,
2971 String rederiveDetails, String toolName, String toolVersion, String otherDetails)
throws TskCoreException {
2974 ResultSet rs = null;
2976 connection.beginTransaction();
2978 final long parentId = parentFile.getId();
2979 final String parentPath = parentFile.getParentPath() + parentFile.getName() +
'/';
2984 statement.clearParameters();
2985 statement.setLong(1, parentId);
2987 connection.executeUpdate(statement);
2988 rs = statement.getGeneratedKeys();
2989 long newObjId = rs.getLong(1);
2998 statement.clearParameters();
2999 statement.setLong(1, newObjId);
3003 if (fsObjId != -1) {
3004 statement.setLong(2, fsObjId);
3006 statement.setString(3, fileName);
3010 statement.setBoolean(5,
true);
3014 statement.setShort(6, dirType.
getValue());
3016 statement.setShort(7, metaType.
getValue());
3020 statement.setShort(8, dirFlag.
getValue());
3023 statement.setShort(9, metaFlags);
3026 statement.setLong(10, size);
3030 statement.setLong(11, ctime);
3031 statement.setLong(12, crtime);
3032 statement.setLong(13, atime);
3033 statement.setLong(14, mtime);
3036 statement.setString(15, parentPath);
3038 connection.executeUpdate(statement);
3043 connection.commitTransaction();
3046 return new DerivedFile(
this, newObjId, fileName, dirType, metaType, dirFlag, metaFlags,
3047 size, ctime, crtime, atime, mtime, null, null, parentPath, localPath, parentId);
3048 }
catch (SQLException ex) {
3049 connection.rollbackTransaction();
3050 throw new TskCoreException(
"Failed to add derived file to case database", ex);
3075 long size,
long ctime,
long crtime,
long atime,
long mtime,
3080 LocalFile created =
addLocalFile(fileName, localPath, size, ctime, crtime, atime, mtime, isFile, parent, localTrans);
3117 long size,
long ctime,
long crtime,
long atime,
long mtime,
3119 if (trans == null) {
3124 ResultSet resultSet = null;
3128 if (parent == null) {
3129 throw new TskCoreException(MessageFormat.format(bundle.getString(
"SleuthkitCase.addLocalFile.exception.msg1.text"), fileName));
3131 parentId = parent.getId();
3132 parentPath = parent.getParentPath() + parent.getName() +
"/";
3139 statement.clearParameters();
3140 statement.setLong(1, parentId);
3142 connection.executeUpdate(statement);
3143 resultSet = statement.getGeneratedKeys();
3144 long newObjId = resultSet.getLong(1);
3153 statement.clearParameters();
3154 statement.setLong(1, newObjId);
3157 statement.setString(3, fileName);
3161 statement.setBoolean(5,
true);
3165 statement.setShort(6, dirType.
getValue());
3167 statement.setShort(7, metaType.
getValue());
3171 statement.setShort(8, dirFlag.
getValue());
3174 statement.setShort(9, metaFlags);
3177 statement.setLong(10, size);
3181 statement.setLong(11, ctime);
3182 statement.setLong(12, crtime);
3183 statement.setLong(13, atime);
3184 statement.setLong(14, mtime);
3187 statement.setString(15, parentPath);
3189 connection.executeUpdate(statement);
3194 return new LocalFile(
this, newObjId, fileName, dirType, metaType, dirFlag, metaFlags,
3195 size, ctime, crtime, atime, mtime, null, null, parentPath, localPath, parentId);
3196 }
catch (SQLException e) {
3197 throw new TskCoreException(
"Error adding local file directory " + fileName +
" with local path " + localPath, e);
3214 statement.clearParameters();
3215 statement.setLong(1, objId);
3216 statement.setString(2, path);
3217 connection.executeUpdate(statement);
3232 return findFiles(dataSource, fileName, parentFile.getName());
3247 ResultSet rs = null;
3249 s = connection.createStatement();
3250 rs = connection.
executeQuery(s,
"SELECT COUNT (*) FROM tsk_files WHERE " + sqlWhereClause);
3251 return rs.getLong(1);
3252 }
catch (SQLException e) {
3253 throw new TskCoreException(
"SQLException thrown when calling 'SleuthkitCase.findFilesWhere().", e);
3276 ResultSet rs = null;
3278 s = connection.createStatement();
3279 rs = connection.
executeQuery(s,
"SELECT * FROM tsk_files WHERE " + sqlWhereClause);
3281 }
catch (SQLException e) {
3282 throw new TskCoreException(
"SQLException thrown when calling 'SleuthkitCase.findAllFilesWhere(): " + sqlWhereClause, e);
3303 ResultSet rs = null;
3305 s = connection.createStatement();
3306 rs = connection.
executeQuery(s,
"SELECT obj_id FROM tsk_files WHERE " + sqlWhereClause);
3307 List<Long> ret =
new ArrayList<Long>();
3309 ret.add(rs.getLong(1));
3312 }
catch (SQLException e) {
3313 throw new TskCoreException(
"SQLException thrown when calling 'SleuthkitCase.findAllFileIdsWhere(): " + sqlWhereClause, e);
3336 ResultSet rs = null;
3338 s = connection.createStatement();
3339 rs = connection.
executeQuery(s,
"SELECT * FROM tsk_files WHERE " + sqlWhereClause);
3341 }
catch (SQLException e) {
3342 throw new TskCoreException(
"SQLException thrown when calling 'SleuthkitCase.findFilesWhere().", e);
3365 int lastSlash = path.lastIndexOf(
"/");
3368 if (lastSlash == path.length()) {
3369 path = path.substring(0, lastSlash - 1);
3370 lastSlash = path.lastIndexOf(
"/");
3373 String parentPath = path.substring(0, lastSlash);
3374 String fileName = path.substring(lastSlash);
3376 return findFiles(dataSource, fileName, parentPath);
3391 ResultSet rs = null;
3393 s = connection.createStatement();
3394 rs = connection.
executeQuery(s,
"select * from tsk_file_layout where obj_id = " +
id +
" order by sequence");
3395 List<TskFileRange> ranges =
new ArrayList<TskFileRange>();
3397 ranges.add(rsHelper.tskFileRange(rs));
3400 }
catch (SQLException ex) {
3401 throw new TskCoreException(
"Error getting TskFileLayoutRanges by id, id = " +
id, ex);
3420 Statement s1 = null;
3421 ResultSet rs1 = null;
3422 Statement s2 = null;
3423 ResultSet rs2 = null;
3425 s1 = connection.createStatement();
3426 rs1 = connection.
executeQuery(s1,
"SELECT * FROM tsk_image_info WHERE obj_id = " +
id);
3428 s2 = connection.createStatement();
3429 rs2 = connection.
executeQuery(s2,
"select * from tsk_image_names where obj_id = " + rs1.getLong(
"obj_id"));
3430 List<String> imagePaths =
new ArrayList<String>();
3431 while (rs2.next()) {
3432 imagePaths.add(rsHelper.imagePath(rs2));
3434 return rsHelper.image(rs1, imagePaths.toArray(
new String[imagePaths.size()]));
3438 }
catch (SQLException ex) {
3459 CaseDbConnection connection = connections.getConnection();
3462 ResultSet rs = null;
3464 s = connection.createStatement();
3465 rs = connection.executeQuery(s,
"select * from tsk_vs_info "
3466 +
"where obj_id = " +
id);
3468 return rsHelper.volumeSystem(rs, parent);
3470 throw new TskCoreException(
"No volume system found for id:" +
id);
3472 }
catch (SQLException ex) {
3473 throw new TskCoreException(
"Error getting Volume System by ID.", ex);
3487 VolumeSystem getVolumeSystemById(
long id,
long parentId)
throws TskCoreException {
3488 VolumeSystem vs = getVolumeSystemById(
id, null);
3489 vs.setParentId(parentId);
3502 FileSystem getFileSystemById(
long id, Image parent)
throws TskCoreException {
3512 FileSystem getFileSystemById(
long id,
long parentId)
throws TskCoreException {
3514 FileSystem fs = getFileSystemById(
id, vol);
3515 fs.setParentId(parentId);
3528 FileSystem getFileSystemById(
long id, Volume parent)
throws TskCoreException {
3546 if (fileSystemIdMap.containsKey(
id)) {
3547 return fileSystemIdMap.get(
id);
3553 ResultSet rs = null;
3555 s = connection.createStatement();
3556 rs = connection.
executeQuery(s,
"select * from tsk_fs_info "
3557 +
"where obj_id = " +
id);
3559 FileSystem fs = rsHelper.fileSystem(rs, parent);
3562 fileSystemIdMap.put(
id, fs);
3568 }
catch (SQLException ex) {
3587 CaseDbConnection connection = connections.getConnection();
3590 ResultSet rs = null;
3592 s = connection.createStatement();
3593 rs = connection.executeQuery(s,
"select * from tsk_vs_parts "
3594 +
"where obj_id = " +
id);
3596 return rsHelper.volume(rs, parent);
3598 throw new TskCoreException(
"No volume found for id:" +
id);
3600 }
catch (SQLException ex) {
3601 throw new TskCoreException(
"Error getting Volume by ID", ex);
3615 Volume getVolumeById(
long id,
long parentId)
throws TskCoreException {
3616 Volume vol = getVolumeById(
id, null);
3617 vol.setParentId(parentId);
3630 Directory getDirectoryById(
long id, FileSystem parentFs)
throws TskCoreException {
3631 CaseDbConnection connection = connections.getConnection();
3634 ResultSet rs = null;
3636 s = connection.createStatement();
3637 rs = connection.executeQuery(s,
"SELECT * FROM tsk_files "
3638 +
"WHERE obj_id = " +
id);
3639 Directory temp = null;
3641 final short type = rs.getShort(
"type");
3642 if (type == TSK_DB_FILES_TYPE_ENUM.FS.getFileType()) {
3643 if (rs.getShort(
"meta_type") == TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getValue()) {
3644 temp = rsHelper.directory(rs, parentFs);
3646 }
else if (type == TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType()) {
3647 throw new TskCoreException(
"Expecting an FS-type directory, got virtual, id: " +
id);
3650 throw new TskCoreException(
"No Directory found for id:" +
id);
3653 }
catch (SQLException ex) {
3654 throw new TskCoreException(
"Error getting Directory by ID", ex);
3669 List<FileSystem> fileSystems =
new ArrayList<FileSystem>();
3672 connection = connections.getConnection();
3674 logger.log(Level.SEVERE,
"Error getting file systems for image " + image.
getId(), ex);
3679 ResultSet rs = null;
3681 s = connection.createStatement();
3684 List<FileSystem> allFileSystems =
new ArrayList<FileSystem>();
3686 rs = connection.executeQuery(s,
"SELECT * FROM tsk_fs_info");
3688 allFileSystems.add(rsHelper.fileSystem(rs, null));
3690 }
catch (SQLException ex) {
3691 logger.log(Level.SEVERE,
"There was a problem while trying to obtain all file systems", ex);
3701 Long imageID = null;
3702 Long currentObjID = fs.getId();
3703 while (imageID == null) {
3705 rs = connection.executeQuery(s,
"SELECT * FROM tsk_objects WHERE tsk_objects.obj_id = " + currentObjID);
3706 currentObjID = rs.getLong(
"par_obj_id");
3708 imageID = rs.getLong(
"obj_id");
3710 }
catch (SQLException ex) {
3711 logger.log(Level.SEVERE,
"There was a problem while trying to obtain this image's file systems", ex);
3719 if (imageID == image.
getId()) {
3720 fileSystems.add(fs);
3723 }
catch (SQLException ex) {
3724 logger.log(Level.SEVERE,
"Error getting case database connection", ex);
3742 Collection<ObjectInfo> childInfos = getChildrenInfo(img);
3743 List<Content> children =
new ArrayList<Content>();
3744 for (ObjectInfo info : childInfos) {
3746 children.add(getVolumeSystemById(info.id, img));
3747 }
else if (info.type == ObjectType.FS) {
3748 children.add(getFileSystemById(info.id, img));
3749 }
else if (info.type == ObjectType.ABSTRACTFILE) {
3755 throw new TskCoreException(
"Image has child of invalid type: " + info.type);
3769 List<Long> getImageChildrenIds(Image img)
throws TskCoreException {
3770 Collection<ObjectInfo> childInfos = getChildrenInfo(img);
3771 List<Long> children =
new ArrayList<Long>();
3772 for (ObjectInfo info : childInfos) {
3773 if (info.type == ObjectType.VS
3774 || info.type == ObjectType.FS
3775 || info.type == ObjectType.ABSTRACTFILE) {
3776 children.add(info.id);
3778 throw new TskCoreException(
"Image has child of invalid type: " + info.type);
3792 List<Content> getVolumeSystemChildren(VolumeSystem vs)
throws TskCoreException {
3793 Collection<ObjectInfo> childInfos = getChildrenInfo(vs);
3794 List<Content> children =
new ArrayList<Content>();
3795 for (ObjectInfo info : childInfos) {
3796 if (info.type == ObjectType.VOL) {
3797 children.add(getVolumeById(info.id, vs));
3798 }
else if (info.type == ObjectType.ABSTRACTFILE) {
3804 throw new TskCoreException(
"VolumeSystem has child of invalid type: " + info.type);
3818 List<Long> getVolumeSystemChildrenIds(VolumeSystem vs)
throws TskCoreException {
3819 Collection<ObjectInfo> childInfos = getChildrenInfo(vs);
3820 List<Long> children =
new ArrayList<Long>();
3821 for (ObjectInfo info : childInfos) {
3822 if (info.type == ObjectType.VOL || info.type == ObjectType.ABSTRACTFILE) {
3823 children.add(info.id);
3825 throw new TskCoreException(
"VolumeSystem has child of invalid type: " + info.type);
3839 List<Content> getVolumeChildren(Volume vol)
throws TskCoreException {
3840 Collection<ObjectInfo> childInfos = getChildrenInfo(vol);
3841 List<Content> children =
new ArrayList<Content>();
3842 for (ObjectInfo info : childInfos) {
3843 if (info.type == ObjectType.FS) {
3844 children.add(getFileSystemById(info.id, vol));
3845 }
else if (info.type == ObjectType.ABSTRACTFILE) {
3851 throw new TskCoreException(
"Volume has child of invalid type: " + info.type);
3865 List<Long> getVolumeChildrenIds(Volume vol)
throws TskCoreException {
3866 final Collection<ObjectInfo> childInfos = getChildrenInfo(vol);
3867 final List<Long> children =
new ArrayList<Long>();
3868 for (ObjectInfo info : childInfos) {
3869 if (info.type == ObjectType.FS || info.type == ObjectType.ABSTRACTFILE) {
3870 children.add(info.id);
3872 throw new TskCoreException(
"Volume has child of invalid type: " + info.type);
3889 Statement s1 = null;
3890 Statement s2 = null;
3891 ResultSet rs1 = null;
3892 ResultSet rs2 = null;
3894 s1 = connection.createStatement();
3895 rs1 = connection.
executeQuery(s1,
"select obj_id from tsk_image_info");
3896 s2 = connection.createStatement();
3897 Map<Long, List<String>> imgPaths =
new LinkedHashMap<Long, List<String>>();
3898 while (rs1.next()) {
3899 long obj_id = rs1.getLong(
"obj_id");
3900 rs2 = connection.
executeQuery(s2,
"select * from tsk_image_names where obj_id = " + obj_id);
3901 List<String> paths =
new ArrayList<String>();
3902 while (rs2.next()) {
3903 paths.add(rsHelper.imagePath(rs2));
3907 imgPaths.put(obj_id, paths);
3910 }
catch (SQLException ex) {
3911 throw new TskCoreException(
"Error getting image paths.", ex);
3930 ResultSet rs = null;
3932 s = connection.createStatement();
3933 rs = connection.
executeQuery(s,
"SELECT obj_id FROM tsk_image_info");
3934 Collection<Long> imageIDs =
new ArrayList<Long>();
3936 imageIDs.add(rs.getLong(
"obj_id"));
3938 List<Image> images =
new ArrayList<Image>();
3939 for (
long id : imageIDs) {
3943 }
catch (SQLException ex) {
3944 throw new TskCoreException(
"Error retrieving images.", ex);
3962 ResultSet rs = null;
3971 }
catch (SQLException e) {
3972 throw new TskCoreException(
"Error getting last object id", e);
3990 Statement statement = null;
3992 connection.beginTransaction();
3993 statement = connection.createStatement();
3994 connection.executeUpdate(statement,
"DELETE FROM tsk_image_names WHERE obj_id = " + obj_id);
3995 for (
int i = 0; i < paths.size(); i++) {
3996 connection.executeUpdate(statement,
"INSERT INTO tsk_image_names VALUES (" + obj_id +
", \"" + paths.get(i) +
"\", " + i +
")");
3998 connection.commitTransaction();
3999 }
catch (SQLException ex) {
4000 connection.rollbackTransaction();
4019 ArrayList<AbstractFile> results =
new ArrayList<AbstractFile>();
4022 final short type = rs.getShort(
"type");
4026 result = rsHelper.directory(rs, null);
4028 result = rsHelper.file(rs, null);
4030 results.add(result);
4033 results.add(virtDir);
4038 String parentPath = rs.getString(
"parent_path");
4039 if (parentPath == null) {
4043 rs.getString(
"name"),
4061 }
catch (SQLException e) {
4062 logger.log(Level.SEVERE,
"Error getting abstract files from result set", e);
4076 List<FsContent> results =
new ArrayList<FsContent>();
4101 public ResultSet
runQuery(String query)
throws SQLException {
4104 connection = connections.getConnection();
4106 throw new SQLException(
"Error getting connection for ad hoc query", ex);
4110 return connection.
executeQuery(connection.createStatement(), query);
4127 final Statement statement = resultSet.getStatement();
4129 if (statement != null) {
4163 System.err.println(this.hashCode() +
" closed");
4166 connections.
close();
4167 fileSystemIdMap.clear();
4176 logger.log(Level.WARNING,
4177 "Error freeing case handle.", ex);
4194 long id = file.getId();
4195 FileKnown currentKnown = file.getKnown();
4196 if (currentKnown.compareTo(fileKnown) > 0) {
4201 Statement statement = null;
4203 statement = connection.createStatement();
4204 connection.executeUpdate(statement,
"UPDATE tsk_files "
4205 +
"SET known='" + fileKnown.getFileKnownValue() +
"' "
4206 +
"WHERE obj_id=" + id);
4207 file.setKnown(fileKnown);
4208 }
catch (SQLException ex) {
4226 if (md5Hash == null) {
4229 long id = file.getId();
4230 CaseDbConnection connection = connections.getConnection();
4233 PreparedStatement statement = connection.getPreparedStatement(CaseDbConnection.PREPARED_STATEMENT.UPDATE_FILE_MD5);
4234 statement.clearParameters();
4235 statement.setString(1, md5Hash.toLowerCase());
4236 statement.setLong(2,
id);
4237 connection.executeUpdate(statement);
4238 file.setMd5Hash(md5Hash.toLowerCase());
4239 }
catch (SQLException ex) {
4240 throw new TskCoreException(
"Error setting MD5 hash", ex);
4258 ResultSet rs = null;
4260 s = connection.createStatement();
4261 Short contentShort = contentType.getValue();
4262 rs = connection.
executeQuery(s,
"SELECT COUNT(*) FROM tsk_files WHERE meta_type = '" + contentShort.toString() +
"'");
4265 count = rs.getInt(1);
4268 }
catch (SQLException ex) {
4269 throw new TskCoreException(
"Error getting number of objects.", ex);
4286 text = text.replaceAll(
"'",
"''");
4298 if (md5Hash == null) {
4303 connection = connections.getConnection();
4305 logger.log(Level.SEVERE,
"Error finding files by md5 hash " + md5Hash, ex);
4310 ResultSet rs = null;
4312 s = connection.createStatement();
4313 rs = connection.
executeQuery(s,
"SELECT * FROM tsk_files WHERE "
4314 +
" md5 = '" + md5Hash.toLowerCase() +
"' "
4317 }
catch (SQLException ex) {
4318 logger.log(Level.WARNING,
"Error querying database.", ex);
4336 connection = connections.getConnection();
4338 logger.log(Level.SEVERE,
"Error checking md5 hashing status", ex);
4341 boolean allFilesAreHashed =
false;
4344 ResultSet rs = null;
4346 s = connection.createStatement();
4347 rs = connection.
executeQuery(s,
"SELECT COUNT(*) FROM tsk_files "
4349 +
"AND md5 IS NULL "
4350 +
"AND size > '0'");
4351 if (rs.next() && rs.getInt(1) == 0) {
4352 allFilesAreHashed =
true;
4354 }
catch (SQLException ex) {
4355 logger.log(Level.WARNING,
"Failed to query whether all files have MD5 hashes", ex);
4361 return allFilesAreHashed;
4372 connection = connections.getConnection();
4374 logger.log(Level.SEVERE,
"Error getting database connection for hashed files count", ex);
4380 ResultSet rs = null;
4382 s = connection.createStatement();
4383 rs = connection.
executeQuery(s,
"SELECT COUNT(*) FROM tsk_files "
4384 +
"WHERE md5 IS NOT NULL "
4385 +
"AND size > '0'");
4387 count = rs.getInt(1);
4389 }
catch (SQLException ex) {
4390 logger.log(Level.WARNING,
"Failed to query for all the files.", ex);
4407 void receiveError(String context, String errorMessage);
4418 errorObservers.add(observer);
4429 int i = errorObservers.indexOf(observer);
4431 errorObservers.remove(i);
4445 observer.receiveError(context, errorMessage);
4459 ResultSet resultSet = null;
4464 ArrayList<TagName> tagNames =
new ArrayList<TagName>();
4465 while (resultSet.next()) {
4466 tagNames.add(
new TagName(resultSet.getLong(
"tag_name_id"), resultSet.getString(
"display_name"), resultSet.getString(
"description"),
TagName.
HTML_COLOR.
getColorByName(resultSet.getString(
"color"))));
4469 }
catch (SQLException ex) {
4470 throw new TskCoreException(
"Error selecting rows from tag_names table", ex);
4489 ResultSet resultSet = null;
4494 ArrayList<TagName> tagNames =
new ArrayList<TagName>();
4495 while (resultSet.next()) {
4496 tagNames.add(
new TagName(resultSet.getLong(
"tag_name_id"), resultSet.getString(
"display_name"), resultSet.getString(
"description"),
TagName.
HTML_COLOR.
getColorByName(resultSet.getString(
"color"))));
4499 }
catch (SQLException ex) {
4500 throw new TskCoreException(
"Error selecting rows from tag_names table", ex);
4519 ResultSet resultSet = null;
4523 statement.clearParameters();
4524 statement.setString(1, displayName);
4525 statement.setString(2, description);
4526 statement.setString(3, color.getName());
4527 connection.executeUpdate(statement);
4528 resultSet = statement.getGeneratedKeys();
4529 return new TagName(resultSet.getLong(1), displayName, description, color);
4530 }
catch (SQLException ex) {
4531 throw new TskCoreException(
"Error adding row for " + displayName +
" tag name to tag_names table", ex);
4552 ResultSet resultSet = null;
4556 statement.clearParameters();
4557 statement.setLong(1, content.getId());
4558 statement.setLong(2, tagName.getId());
4559 statement.setString(3, comment);
4560 statement.setLong(4, beginByteOffset);
4561 statement.setLong(5, endByteOffset);
4562 connection.executeUpdate(statement);
4563 resultSet = statement.getGeneratedKeys();
4564 return new ContentTag(resultSet.getLong(1), content, tagName, comment, beginByteOffset, endByteOffset);
4565 }
catch (SQLException ex) {
4566 throw new TskCoreException(
"Error adding row to content_tags table (obj_id = " + content.getId() +
", tag_name_id = " + tagName.getId() +
")", ex);
4584 statement.clearParameters();
4585 statement.setLong(1, tag.getId());
4586 connection.executeUpdate(statement);
4587 }
catch (SQLException ex) {
4588 throw new TskCoreException(
"Error deleting row from content_tags table (id = " + tag.getId() +
")", ex);
4604 ResultSet resultSet = null;
4609 ArrayList<ContentTag> tags =
new ArrayList<ContentTag>();
4610 while (resultSet.next()) {
4613 tags.add(
new ContentTag(resultSet.getLong(
"tag_id"), content, tagName, resultSet.getString(
"comment"), resultSet.getLong(
"begin_byte_offset"), resultSet.getLong(
"end_byte_offset")));
4616 }
catch (SQLException ex) {
4617 throw new TskCoreException(
"Error selecting rows from content_tags table", ex);
4633 if (tagName.getId() ==
Tag.ID_NOT_SET) {
4638 ResultSet resultSet = null;
4642 statement.clearParameters();
4643 statement.setLong(1, tagName.getId());
4645 if (resultSet.next()) {
4646 return resultSet.getLong(1);
4648 throw new TskCoreException(
"Error getting content_tags row count for tag name (tag_name_id = " + tagName.getId() +
")");
4650 }
catch (SQLException ex) {
4651 throw new TskCoreException(
"Error getting content_tags row count for tag name (tag_name_id = " + tagName.getId() +
")", ex);
4668 if (tagName.getId() ==
Tag.ID_NOT_SET) {
4673 ResultSet resultSet = null;
4677 statement.clearParameters();
4678 statement.setLong(1, tagName.getId());
4680 ArrayList<ContentTag> tags =
new ArrayList<ContentTag>();
4681 while (resultSet.next()) {
4682 ContentTag tag =
new ContentTag(resultSet.getLong(
"tag_id"),
getContentById(resultSet.getLong(
"obj_id")), tagName, resultSet.getString(
"comment"), resultSet.getLong(
"begin_byte_offset"), resultSet.getLong(
"end_byte_offset"));
4687 }
catch (SQLException ex) {
4688 throw new TskCoreException(
"Error getting content_tags rows (tag_name_id = " + tagName.getId() +
")", ex);
4707 ResultSet resultSet = null;
4711 statement.clearParameters();
4712 statement.setLong(1, content.getId());
4714 ArrayList<ContentTag> tags =
new ArrayList<ContentTag>();
4715 while (resultSet.next()) {
4717 ContentTag tag =
new ContentTag(resultSet.getLong(
"tag_id"), content, tagName, resultSet.getString(
"comment"), resultSet.getLong(
"begin_byte_offset"), resultSet.getLong(
"end_byte_offset"));
4721 }
catch (SQLException ex) {
4722 throw new TskCoreException(
"Error getting content tags data for content (obj_id = " + content.getId() +
")", ex);
4743 ResultSet resultSet = null;
4747 statement.clearParameters();
4748 statement.setLong(1, artifact.getArtifactID());
4749 statement.setLong(2, tagName.getId());
4750 statement.setString(3, comment);
4751 connection.executeUpdate(statement);
4752 resultSet = statement.getGeneratedKeys();
4754 }
catch (SQLException ex) {
4755 throw new TskCoreException(
"Error adding row to blackboard_artifact_tags table (obj_id = " + artifact.getArtifactID() +
", tag_name_id = " + tagName.getId() +
")", ex);
4773 statement.clearParameters();
4774 statement.setLong(1, tag.getId());
4775 connection.executeUpdate(statement);
4776 }
catch (SQLException ex) {
4777 throw new TskCoreException(
"Error deleting row from blackboard_artifact_tags table (id = " + tag.getId() +
")", ex);
4794 ResultSet resultSet = null;
4799 ArrayList<BlackboardArtifactTag> tags =
new ArrayList<BlackboardArtifactTag>();
4800 while (resultSet.next()) {
4808 }
catch (SQLException ex) {
4809 throw new TskCoreException(
"Error selecting rows from blackboard_artifact_tags table", ex);
4825 if (tagName.getId() ==
Tag.ID_NOT_SET) {
4830 ResultSet resultSet = null;
4834 statement.clearParameters();
4835 statement.setLong(1, tagName.getId());
4837 if (resultSet.next()) {
4838 return resultSet.getLong(1);
4840 throw new TskCoreException(
"Error getting blackboard_artifact_tags row count for tag name (tag_name_id = " + tagName.getId() +
")");
4842 }
catch (SQLException ex) {
4843 throw new TskCoreException(
"Error getting blackboard artifact_content_tags row count for tag name (tag_name_id = " + tagName.getId() +
")", ex);
4860 if (tagName.getId() ==
Tag.ID_NOT_SET) {
4865 ResultSet resultSet = null;
4869 statement.clearParameters();
4870 statement.setLong(1, tagName.getId());
4872 ArrayList<BlackboardArtifactTag> tags =
new ArrayList<BlackboardArtifactTag>();
4873 while (resultSet.next()) {
4880 }
catch (SQLException ex) {
4881 throw new TskCoreException(
"Error getting blackboard artifact tags data (tag_name_id = " + tagName.getId() +
")", ex);
4901 ResultSet resultSet = null;
4905 statement.clearParameters();
4906 statement.setLong(1, artifact.getArtifactID());
4908 ArrayList<BlackboardArtifactTag> tags =
new ArrayList<BlackboardArtifactTag>();
4909 while (resultSet.next()) {
4916 }
catch (SQLException ex) {
4917 throw new TskCoreException(
"Error getting blackboard artifact tags data (artifact_id = " + artifact.getArtifactID() +
")", ex);
4937 String relativePath =
"";
4939 relativePath =
new File(
getDbDirPath()).toURI().relativize(
new File(localPath).toURI()).getPath();
4940 }
catch (IllegalArgumentException ex) {
4941 String errorMessage = String.format(
"Local path %s not in the database directory or one of its subdirectories", localPath);
4946 long createTime = 0;
4948 java.io.File tempFile =
new java.io.File(localPath);
4950 createTime = tempFile.lastModified() / 1000;
4951 }
catch (Exception ex) {
4952 throw new TskCoreException(
"Could not get create time for report at " + localPath, ex);
4958 ResultSet resultSet = null;
4962 statement.clearParameters();
4963 statement.setString(1, relativePath);
4964 statement.setLong(2, createTime);
4965 statement.setString(3, sourceModuleName);
4966 statement.setString(4, reportName);
4967 connection.executeUpdate(statement);
4968 resultSet = statement.getGeneratedKeys();
4969 return new Report(resultSet.getLong(1), localPath, createTime, sourceModuleName, reportName);
4970 }
catch (SQLException ex) {
4971 throw new TskCoreException(
"Error adding report " + localPath +
" to reports table", ex);
4988 ResultSet resultSet = null;
4992 ArrayList<Report> reports =
new ArrayList<Report>();
4993 while (resultSet.next()) {
4994 reports.add(
new Report(resultSet.getLong(
"report_id"),
4995 Paths.get(
getDbDirPath(), resultSet.getString(
"path")).normalize().toString(),
4996 resultSet.getLong(
"crtime"),
4997 resultSet.getString(
"src_module_name"),
4998 resultSet.getString(
"report_name")));
5001 }
catch (SQLException ex) {
5002 throw new TskCoreException(
"Error querying reports table", ex);
5020 statement.setString(1, String.valueOf(report.getId()));
5021 connection.executeUpdate(statement);
5022 }
catch (SQLException ex) {
5030 if (resultSet != null) {
5033 }
catch (SQLException ex) {
5034 logger.log(Level.SEVERE,
"Error closing ResultSet", ex);
5040 if (statement != null) {
5043 }
catch (SQLException ex) {
5044 logger.log(Level.SEVERE,
"Error closing Statement", ex);
5056 throw new TskCoreException(
"Error getting case database connection - case is closed");
5060 if (!connection.isOpen()) {
5061 throw new TskCoreException(
"Case database connection for current thread is not open");
5063 databaseConnections.add(connection);
5076 databaseConnections.clear();
5092 enum PREPARED_STATEMENT {
5094 SELECT_ATTRIBUTES_OF_ARTIFACT(
"SELECT artifact_id, source, context, attribute_type_id, value_type, "
5095 +
"value_byte, value_text, value_int32, value_int64, value_double "
5096 +
"FROM blackboard_attributes WHERE artifact_id = ?"),
5097 SELECT_ARTIFACT_BY_ID(
"SELECT artifact_id ,obj_id, artifact_type_id FROM blackboard_artifacts WHERE artifact_id = ?"),
5098 SELECT_ARTIFACTS_BY_TYPE(
"SELECT artifact_id, obj_id FROM blackboard_artifacts "
5099 +
"WHERE artifact_type_id = ?"),
5100 COUNT_ARTIFACTS_OF_TYPE(
"SELECT COUNT(*) FROM blackboard_artifacts WHERE artifact_type_id = ?"),
5101 COUNT_ARTIFACTS_FROM_SOURCE(
"SELECT COUNT(*) FROM blackboard_artifacts WHERE obj_id = ?"),
5102 SELECT_ARTIFACTS_BY_SOURCE_AND_TYPE(
"SELECT artifact_id FROM blackboard_artifacts WHERE obj_id = ? AND artifact_type_id = ?"),
5103 COUNT_ARTIFACTS_BY_SOURCE_AND_TYPE(
"SELECT COUNT(*) FROM blackboard_artifacts WHERE obj_id = ? AND artifact_type_id = ?"),
5104 SELECT_FILES_BY_PARENT(
"SELECT tsk_files.* "
5105 +
"FROM tsk_objects INNER JOIN tsk_files "
5106 +
"ON tsk_objects.obj_id=tsk_files.obj_id "
5107 +
"WHERE (tsk_objects.par_obj_id = ? ) "
5108 +
"ORDER BY tsk_files.dir_type, tsk_files.name COLLATE NOCASE"),
5109 SELECT_FILES_BY_PARENT_AND_TYPE(
"SELECT tsk_files.* "
5110 +
"FROM tsk_objects INNER JOIN tsk_files "
5111 +
"ON tsk_objects.obj_id=tsk_files.obj_id "
5112 +
"WHERE (tsk_objects.par_obj_id = ? AND tsk_files.type = ? ) "
5113 +
"ORDER BY tsk_files.dir_type, tsk_files.name COLLATE NOCASE"),
5114 SELECT_FILE_IDS_BY_PARENT(
"SELECT tsk_files.obj_id FROM tsk_objects INNER JOIN tsk_files "
5115 +
"ON tsk_objects.obj_id=tsk_files.obj_id WHERE (tsk_objects.par_obj_id = ?)"),
5116 SELECT_FILE_IDS_BY_PARENT_AND_TYPE(
"SELECT tsk_files.obj_id "
5117 +
"FROM tsk_objects INNER JOIN tsk_files "
5118 +
"ON tsk_objects.obj_id=tsk_files.obj_id "
5119 +
"WHERE (tsk_objects.par_obj_id = ? "
5120 +
"AND tsk_files.type = ? )"),
5121 SELECT_FILE_BY_ID(
"SELECT * FROM tsk_files WHERE obj_id = ? LIMIT 1"),
5122 INSERT_ARTIFACT(
"INSERT INTO blackboard_artifacts (artifact_id, obj_id, artifact_type_id) "
5123 +
"VALUES (?, ?, ?)"),
5124 INSERT_STRING_ATTRIBUTE(
"INSERT INTO blackboard_attributes (artifact_id, artifact_type_id, source, context, attribute_type_id, value_type, value_text) "
5125 +
"VALUES (?,?,?,?,?,?,?)"),
5126 INSERT_BYTE_ATTRIBUTE(
"INSERT INTO blackboard_attributes (artifact_id, artifact_type_id, source, context, attribute_type_id, value_type, value_byte) "
5127 +
"VALUES (?,?,?,?,?,?,?)"),
5128 INSERT_INT_ATTRIBUTE(
"INSERT INTO blackboard_attributes (artifact_id, artifact_type_id, source, context, attribute_type_id, value_type, value_int32) "
5129 +
"VALUES (?,?,?,?,?,?,?)"),
5130 INSERT_LONG_ATTRIBUTE(
"INSERT INTO blackboard_attributes (artifact_id, artifact_type_id, source, context, attribute_type_id, value_type, value_int64) "
5131 +
"VALUES (?,?,?,?,?,?,?)"),
5132 INSERT_DOUBLE_ATTRIBUTE(
"INSERT INTO blackboard_attributes (artifact_id, artifact_type_id, source, context, attribute_type_id, value_type, value_double) "
5133 +
"VALUES (?,?,?,?,?,?,?)"),
5134 SELECT_FILES_BY_FILE_SYSTEM_AND_NAME(
"SELECT * FROM tsk_files WHERE LOWER(name) LIKE ? and LOWER(name) NOT LIKE '%journal%' AND fs_obj_id = ?"),
5135 SELECT_FILES_BY_FILE_SYSTEM_AND_PATH(
"SELECT * FROM tsk_files WHERE LOWER(name) LIKE ? AND LOWER(name) NOT LIKE '%journal%' AND LOWER(parent_path) LIKE ? AND fs_obj_id = ?"),
5136 UPDATE_FILE_MD5(
"UPDATE tsk_files SET md5 = ? WHERE obj_id = ?"),
5137 SELECT_LOCAL_PATH_FOR_FILE(
"SELECT path FROM tsk_files_path WHERE obj_id = ?"),
5138 SELECT_PATH_FOR_FILE(
"SELECT parent_path FROM tsk_files WHERE obj_id = ?"),
5139 SELECT_FILE_NAME(
"SELECT name FROM tsk_files WHERE obj_id = ?"),
5140 SELECT_DERIVED_FILE(
"SELECT derived_id, rederive FROM tsk_files_derived WHERE obj_id = ?"),
5141 SELECT_FILE_DERIVATION_METHOD(
"SELECT tool_name, tool_version, other FROM tsk_files_derived_method WHERE derived_id = ?"),
5142 SELECT_MAX_OBJECT_ID(
"SELECT MAX(obj_id) from tsk_objects"),
5143 INSERT_OBJECT(
"INSERT INTO tsk_objects (par_obj_id, type) VALUES (?, ?)"),
5144 INSERT_FILE(
"INSERT INTO tsk_files (obj_id, fs_obj_id, name, type, has_path, dir_type, meta_type, dir_flags, meta_flags, size, ctime, crtime, atime, mtime, parent_path) "
5145 +
"VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"),
5146 INSERT_LAYOUT_FILE(
"INSERT INTO tsk_file_layout (obj_id, byte_start, byte_len, sequence) "
5147 +
"VALUES (?, ?, ?, ?)"),
5148 INSERT_LOCAL_PATH(
"INSERT INTO tsk_files_path (obj_id, path) VALUES (?, ?)"),
5149 COUNT_CHILD_OBJECTS_BY_PARENT(
"SELECT COUNT(obj_id) FROM tsk_objects WHERE par_obj_id = ?"),
5150 SELECT_FILE_SYSTEM_BY_OBJECT(
"SELECT fs_obj_id from tsk_files WHERE obj_id=?"),
5151 SELECT_TAG_NAMES(
"SELECT * FROM tag_names"),
5152 SELECT_TAG_NAMES_IN_USE(
"SELECT * FROM tag_names "
5153 +
"WHERE tag_name_id IN "
5154 +
"(SELECT tag_name_id from content_tags UNION SELECT tag_name_id FROM blackboard_artifact_tags)"),
5155 INSERT_TAG_NAME(
"INSERT INTO tag_names (display_name, description, color) VALUES (?, ?, ?)"),
5156 INSERT_CONTENT_TAG(
"INSERT INTO content_tags (obj_id, tag_name_id, comment, begin_byte_offset, end_byte_offset) VALUES (?, ?, ?, ?, ?)"),
5157 DELETE_CONTENT_TAG(
"DELETE FROM content_tags WHERE tag_id = ?"),
5158 COUNT_CONTENT_TAGS_BY_TAG_NAME(
"SELECT COUNT(*) FROM content_tags WHERE tag_name_id = ?"),
5159 SELECT_CONTENT_TAGS(
"SELECT * FROM content_tags INNER JOIN tag_names ON content_tags.tag_name_id = tag_names.tag_name_id"),
5160 SELECT_CONTENT_TAGS_BY_TAG_NAME(
"SELECT * FROM content_tags WHERE tag_name_id = ?"),
5161 SELECT_CONTENT_TAGS_BY_CONTENT(
"SELECT * FROM content_tags INNER JOIN tag_names ON content_tags.tag_name_id = tag_names.tag_name_id WHERE content_tags.obj_id = ?"),
5162 INSERT_ARTIFACT_TAG(
"INSERT INTO blackboard_artifact_tags (artifact_id, tag_name_id, comment) VALUES (?, ?, ?)"),
5163 DELETE_ARTIFACT_TAG(
"DELETE FROM blackboard_artifact_tags WHERE tag_id = ?"),
5164 SELECT_ARTIFACT_TAGS(
"SELECT * FROM blackboard_artifact_tags INNER JOIN tag_names ON blackboard_artifact_tags.tag_name_id = tag_names.tag_name_id"),
5165 COUNT_ARTIFACTS_BY_TAG_NAME(
"SELECT COUNT(*) FROM blackboard_artifact_tags WHERE tag_name_id = ?"),
5166 SELECT_ARTIFACT_TAGS_BY_TAG_NAME(
"SELECT * FROM blackboard_artifact_tags WHERE tag_name_id = ?"),
5167 SELECT_ARTIFACT_TAGS_BY_ARTIFACT(
"SELECT * FROM blackboard_artifact_tags INNER JOIN tag_names ON blackboard_artifact_tags.tag_name_id = tag_names.tag_name_id WHERE blackboard_artifact_tags.artifact_id = ?"),
5168 SELECT_REPORTS(
"SELECT * FROM reports"),
5169 INSERT_REPORT(
"INSERT INTO reports (path, crtime, src_module_name, report_name) VALUES (?, ?, ?, ?)"),
5170 DELETE_REPORT(
"DELETE FROM reports WHERE reports.report_id = ?");
5172 private final String sql;
5174 private PREPARED_STATEMENT(String sql) {
5186 this.preparedStatements =
new EnumMap<PREPARED_STATEMENT, PreparedStatement>(PREPARED_STATEMENT.class);
5187 Statement statement = null;
5189 SQLiteConfig config =
new SQLiteConfig();
5192 config.setSynchronous(SQLiteConfig.SynchronousMode.OFF);
5199 config.setReadUncommited(
true);
5202 config.enforceForeignKeys(
true);
5204 this.connection = DriverManager.getConnection(
"jdbc:sqlite:" + dbPath, config.toProperties());
5205 }
catch (SQLException ex) {
5212 SleuthkitCase.
logger.log(Level.SEVERE,
"Error setting up case database connection for thread", ex);
5213 if (this.connection != null) {
5215 this.connection.close();
5216 }
catch (SQLException e) {
5219 this.connection = null;
5225 return this.connection != null;
5228 PreparedStatement getPreparedStatement(PREPARED_STATEMENT statementKey)
throws SQLException {
5230 PreparedStatement statement;
5231 if (this.preparedStatements.containsKey(statementKey)) {
5232 statement = this.preparedStatements.get(statementKey);
5235 this.preparedStatements.put(statementKey, statement);
5241 PreparedStatement statement = null;
5242 boolean locked =
true;
5245 statement = this.connection.prepareStatement(sqlStatement);
5247 }
catch (SQLException ex) {
5256 Statement createStatement() throws SQLException {
5257 Statement statement = null;
5258 boolean locked =
true;
5261 statement = this.connection.createStatement();
5263 }
catch (SQLException ex) {
5272 void beginTransaction() throws SQLException {
5273 boolean locked =
true;
5276 connection.setAutoCommit(
false);
5278 }
catch (SQLException ex) {
5286 void commitTransaction() throws SQLException {
5287 boolean locked =
true;
5293 connection.commit();
5295 }
catch (SQLException ex) {
5296 logger.log(Level.SEVERE, String.format(
"Exception commiting transaction: Error code: %d SQLState: %s", ex.getErrorCode(), ex.getSQLState()), ex);
5302 connection.setAutoCommit(
true);
5303 }
catch (SQLException ex) {
5304 logger.log(Level.SEVERE, String.format(
"Exception resetting auto commit: Error code: %d SQLState: %s", ex.getErrorCode(), ex.getSQLState()), ex);
5313 void rollbackTransaction() {
5315 connection.rollback();
5316 }
catch (SQLException e) {
5317 logger.log(Level.SEVERE,
"Error rolling back transaction", e);
5320 connection.setAutoCommit(
true);
5321 }
catch (SQLException e) {
5322 logger.log(Level.SEVERE,
"Error restoring auto-commit", e);
5333 void rollbackTransactionWithThrow() throws SQLException {
5335 connection.rollback();
5337 connection.setAutoCommit(
true);
5341 private ResultSet
executeQuery(Statement statement, String query)
throws SQLException {
5342 ResultSet resultSet = null;
5343 boolean locked =
true;
5346 resultSet = statement.executeQuery(query);
5348 }
catch (SQLException ex) {
5357 private ResultSet
executeQuery(PreparedStatement statement)
throws SQLException {
5358 ResultSet resultSet = null;
5359 boolean locked =
true;
5362 resultSet = statement.executeQuery();
5364 }
catch (SQLException ex) {
5373 void executeUpdate(Statement statement, String update)
throws SQLException {
5374 boolean locked =
true;
5377 statement.executeUpdate(update);
5379 }
catch (SQLException ex) {
5387 void executeUpdate(PreparedStatement statement)
throws SQLException {
5388 boolean locked =
true;
5391 statement.executeUpdate();
5393 }
catch (SQLException ex) {
5409 }
catch (SQLException ex) {
5410 logger.log(Level.SEVERE,
"Unable to close handle to autopsy.db", ex);
5430 this.connection.beginTransaction();
5431 }
catch (SQLException ex) {
5432 throw new TskCoreException(
"Failed to create transaction on case database", ex);
5455 this.connection.commitTransaction();
5456 }
catch (SQLException ex) {
5457 throw new TskCoreException(
"Failed to commit transaction on case database", ex);
5469 this.connection.rollbackTransactionWithThrow();
5470 }
catch (SQLException ex) {
5471 throw new TskCoreException(
"Case database transaction rollback failed", ex);
5491 if (!query.regionMatches(
true, 0,
"SELECT", 0,
"SELECT".length())) {
5492 throw new TskCoreException(
"Unsupported query: Only SELECT queries are supported.");
5498 connection = connections.getConnection();
5505 resultSet = connection.
executeQuery(connection.createStatement(), query);
5506 }
catch (SQLException ex) {
5524 if (resultSet != null) {
5525 final Statement statement = resultSet.getStatement();
5526 if (statement != null) {
5533 }
catch (SQLException ex) {
5534 throw new TskCoreException(
"Error closing query: ", ex);
List< BlackboardArtifact > getBlackboardArtifacts(BlackboardAttribute.ATTRIBUTE_TYPE attrType, long value)
FS
File that can be found in file system tree.
static FileKnown valueOf(byte known)
static final int SCHEMA_VERSION_NUMBER
ArrayList< BlackboardArtifact > getArtifactsHelper(int artifactTypeID, String artifactTypeName)
List< Report > getAllReports()
static ATTRIBUTE_TYPE fromLabel(String label)
ArrayList< BlackboardAttribute > getBlackboardAttributes(final BlackboardArtifact artifact)
long getBlackboardArtifactsCount(long objId)
int getArtifactTypeID(String artifactTypeName)
long getBlackboardArtifactTagsCountByTagName(TagName tagName)
ArrayList< BlackboardArtifact > getBlackboardArtifacts(ARTIFACT_TYPE artifactType)
ArrayList< BlackboardArtifact > getBlackboardArtifacts(String artifactTypeName)
List< BlackboardArtifact > getBlackboardArtifacts(BlackboardAttribute.ATTRIBUTE_TYPE attrType, int value)
void addBlackboardAttributes(Collection< BlackboardAttribute > attributes, int artifactTypeId)
CaseDbConnection initialValue()
void logSQLiteJDBCDriverInfo()
final ConnectionPerThreadDispenser connections
AddImageProcess makeAddImageProcess(String timezone, boolean processUnallocSpace, boolean noFatFsOrphans)
ArrayList< BlackboardArtifact > getBlackboardArtifacts(int artifactTypeID, long obj_id)
DerivedFile addDerivedFile(String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parentFile, String rederiveDetails, String toolName, String toolVersion, String otherDetails)
CaseDbTransaction beginTransaction()
LocalFile addLocalFile(String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parent)
FileSystem getFileSystemByIdHelper(long id, Content parent)
final Map< Long, FileSystem > fileSystemIdMap
ALLOC
Metadata structure is currently in an allocated state.
int countFilesMd5Hashed()
CaseDbTransaction(CaseDbConnection connection)
ArrayList< BlackboardArtifact > getBlackboardArtifacts(int artifactTypeID)
void addErrorObserver(ErrorObserver observer)
static final int DATABASE_LOCKED_ERROR
TSK_FS_META_TYPE_DIR
Directory file NON-NLS.
VirtualDirectory addVirtualDirectory(long parentId, String directoryName, CaseDbTransaction trans)
List< AbstractFile > findFiles(Content dataSource, String fileName, AbstractFile parentFile)
UNALLOC
Metadata structure is currently in an unallocated state.
void addBlackboardAttribute(BlackboardAttribute attr, int artifactTypeId)
static ARTIFACT_TYPE fromID(int ID)
final HashSet< CaseDbConnection > databaseConnections
int addArtifactType(String artifactTypeName, String displayName)
ResultSet executeQuery(Statement statement, String query)
static TSK_FS_META_TYPE_ENUM valueOf(short metaType)
int updateFromSchema2toSchema3(int schemaVersionNumber)
List< FsContent > resultSetToFsContents(ResultSet rs)
List< BlackboardArtifact > getBlackboardArtifacts(BlackboardAttribute.ATTRIBUTE_TYPE attrType, double value)
List< AbstractFile > openFiles(Content dataSource, String filePath)
Directory getRootDirectory()
List< BlackboardArtifactTag > getBlackboardArtifactTagsByArtifact(BlackboardArtifact artifact)
synchronized void close()
long getBlackboardArtifactsCount(String artifactTypeName, long obj_id)
Content getContentById(long id)
List< TagName > getTagNamesInUse()
List< BlackboardArtifact > getBlackboardArtifacts(BlackboardAttribute.ATTRIBUTE_TYPE attrType, byte value)
static final String NAME_CARVED
List< ContentTag > getAllContentTags()
List< VirtualDirectory > getVirtualDirectoryRoots()
ArrayList< BlackboardArtifact.ARTIFACT_TYPE > getBlackboardArtifactTypes()
LOCAL
Local file that was added (not from a disk image)
static TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE fromType(long type)
Map< Long, List< String > > getImagePaths()
List< Long > findAllFileIdsWhere(String sqlWhereClause)
List< Content > getChildren()
BlackboardArtifact getBlackboardArtifact(long artifactID)
static void closeResultSet(ResultSet resultSet)
AbstractFile getAbstractFileById(long id)
CARVED
Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS ra...
static TSK_FS_NAME_FLAG_ENUM valueOf(int dirFlag)
BlackboardArtifactTag addBlackboardArtifactTag(BlackboardArtifact artifact, TagName tagName, String comment)
long countFilesWhere(String sqlWhereClause)
long getBlackboardArtifactsCount(ARTIFACT_TYPE artifactType, long obj_id)
final CaseDbConnection connection
CaseDbQuery(String query)
boolean isFileFromSource(Content dataSource, long fileId)
ArrayList< BlackboardArtifact > getMatchingArtifacts(String whereClause)
ArrayList< BlackboardArtifact.ARTIFACT_TYPE > getBlackboardArtifactTypesInUse()
final ResultSetHelper rsHelper
void deleteReport(Report report)
List< Image > getImages()
List< AbstractFile > resultSetToAbstractFiles(ResultSet rs)
int getAttrTypeID(String attrTypeName)
Image getImageById(long id)
List< Content > getChildren()
USED
Metadata structure has been allocated at least once.
final Map< Long, Long > carvedFileContainersCache
final ArrayList< ErrorObserver > errorObservers
static final int SQLITE_BUSY_ERROR
void closeRunQuery(ResultSet resultSet)
int addAttrType(String attrTypeString, String displayName)
void deleteBlackboardArtifactTag(BlackboardArtifactTag tag)
List< ContentTag > getContentTagsByTagName(TagName tagName)
BlackboardArtifact newBlackboardArtifact(int artifactTypeID, long obj_id)
String getAttrTypeDisplayName(int attrTypeID)
List< BlackboardArtifact > getBlackboardArtifacts(ARTIFACT_TYPE artifactType, BlackboardAttribute.ATTRIBUTE_TYPE attrType, String value)
List< AbstractFile > findFiles(Content dataSource, String fileName)
List< TagName > getAllTagNames()
static TSK_FS_NAME_TYPE_ENUM valueOf(short dir_type)
long getArtifactsCountHelper(int artifactTypeID, long obj_id)
void initNextArtifactId()
static HTML_COLOR getColorByName(String colorName)
final ReentrantReadWriteLock rwLock
TSK_TAG_ARTIFACT
tagged results/artifacts
List< AbstractFile > findFilesByMd5(String md5Hash)
BlackboardArtifact newBlackboardArtifact(ARTIFACT_TYPE artifactType, long obj_id)
List< BlackboardArtifact > getArtifactsHelper(ResultSet rs)
LocalFile addLocalFile(String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parent, CaseDbTransaction trans)
DERIVED
File derived from a parent file (i.e. from ZIP)
List< LayoutFile > addCarvedFiles(List< CarvedFileContainer > filesToAdd)
List< BlackboardArtifactTag > getBlackboardArtifactTagsByTagName(TagName tagName)
Report addReport(String localPath, String sourceModuleName, String reportName)
void releaseExclusiveLock()
List< BlackboardArtifactTag > getAllBlackboardArtifactTags()
ArrayList< BlackboardArtifact > getBlackboardArtifacts(String artifactTypeName, long obj_id)
static TSK_DB_FILES_TYPE_ENUM valueOf(short fileType)
List< Content > getRootObjects()
void initBlackboardArtifactTypes()
void acquireExclusiveLock()
boolean allFilesMd5Hashed()
String getAttrTypeString(int attrTypeID)
int getBlackboardAttributeTypesCount()
List< AbstractFile > findFiles(Content dataSource, String fileName, String dirName)
LayoutFile addCarvedFile(String carvedFileName, long carvedFileSize, long containerId, List< TskFileRange > data)
ArrayList< BlackboardAttribute.ATTRIBUTE_TYPE > getBlackboardAttributeTypes()
UNALLOC_BLOCKS
Set of blocks not allocated by file system. Parent should be image, volume, or file system...
ArrayList< BlackboardAttribute > getMatchingAttributes(String whereClause)
List< BlackboardArtifact > getBlackboardArtifacts(BlackboardAttribute.ATTRIBUTE_TYPE attrType, String value)
long getBlackboardArtifactsTypeCount(int artifactTypeID)
ArrayList< BlackboardArtifact > getArtifactsHelper(int artifactTypeID, String artifactTypeName, long obj_id)
void deleteContentTag(ContentTag tag)
static ObjectType valueOf(short objectType)
long getContentTagsCountByTagName(TagName tagName)
UNKNOWN
File marked as unknown by hash db.
List< AbstractFile > findAllFilesWhere(String sqlWhereClause)
boolean setKnown(AbstractFile file, FileKnown fileKnown)
static void closeStatement(Statement statement)
static final ResourceBundle bundle
long getFileSystemId(long fileId)
void receiveError(String context, String errorMessage)
static SleuthkitCase openCase(String dbPath)
static String createNonUniquePath(String uniquePath)
long getBlackboardArtifactsCount(int artifactTypeID, long obj_id)
void submitError(String context, String errorMessage)
ResultSet executeQuery(PreparedStatement statement)
ALLOC
Name is in an allocated state.
VIRTUAL_DIR
Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other ...
void initBlackboardAttributeTypes()
static SleuthkitCase newCase(String dbPath)
String getBackupDatabasePath()
VirtualDirectory addVirtualDirectory(long parentId, String directoryName)
BlackboardArtifact newBlackboardArtifact(int artifact_type_id, long obj_id, String artifactTypeName, String artifactDisplayName)
List< ContentTag > getContentTagsByContent(Content content)
ArrayList< BlackboardArtifact > getBlackboardArtifacts(ARTIFACT_TYPE artifactType, long obj_id)
int countFsContentType(TskData.TSK_FS_META_TYPE_ENUM contentType)
TagName addTagName(String displayName, String description, TagName.HTML_COLOR color)
ABSTRACTFILE
File - see tsk_files for more details.
ContentTag addContentTag(Content content, TagName tagName, String comment, long beginByteOffset, long endByteOffset)
SleuthkitCase(String dbPath, SleuthkitJNI.CaseDbHandle caseHandle)
List< BlackboardArtifact > getBlackboardArtifacts(BlackboardAttribute.ATTRIBUTE_TYPE attrType, String subString, boolean startsWith)
void addFilePath(CaseDbConnection connection, long objId, String path)
static final long UNKNOWN_ID
static final long BASE_ARTIFACT_ID
TSK_FS_META_TYPE_REG
Regular file NON-NLS.
void removerErrorObserver(ErrorObserver observer)
final Map< PREPARED_STATEMENT, PreparedStatement > preparedStatements
List< FsContent > findFilesWhere(String sqlWhereClause)
static final Logger logger
CaseDbConnection getConnection()
void copyCaseDB(String newDBPath)
PreparedStatement prepareStatement(String sqlStatement)
void addBlackBoardAttribute(BlackboardAttribute attr, int artifactTypeId, CaseDbConnection connection)
ResultSet runQuery(String query)
List< TskFileRange > getFileRanges(long id)
UNUSED_BLOCKS
Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNAL...
static String escapeForBlackboard(String text)
CaseDbQuery executeQuery(String query)
void updateDatabaseSchema()
void setImagePaths(long obj_id, List< String > paths)
VS
Volume System - see tsk_vs_info for more details.
IMG
Disk Image - see tsk_image_info for more details.
SleuthkitJNI.CaseDbHandle caseHandle
UNALLOC
Name is in an unallocated state.
Collection< FileSystem > getFileSystems(Image image)
