FileTypeDetector.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2011-2016 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.modules.filetypeid;

import java.util.ArrayList;
import java.util.List;
import java.util.SortedSet;
import java.util.logging.Level;
import org.apache.tika.Tika;
import org.apache.tika.mime.MediaType;
import org.apache.tika.mime.MimeTypes;
import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.services.Blackboard;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData;

public class FileTypeDetector {

    private static final Tika tika = new Tika();
    private static final int BUFFER_SIZE = 64 * 1024;
    private final byte buffer[] = new byte[BUFFER_SIZE];
    private final List<FileType> userDefinedFileTypes;
    private static final Logger logger = Logger.getLogger(FileTypeDetector.class.getName());

    public FileTypeDetector() throws FileTypeDetectorInitException {
        try {
            userDefinedFileTypes = UserDefinedFileTypesManager.getInstance().getFileTypes();
        } catch (UserDefinedFileTypesManager.UserDefinedFileTypesException ex) {
            throw new FileTypeDetectorInitException("Error loading user-defined file types", ex); //NON-NLS
        }
    }

    public List<String> getUserDefinedTypes() {
        List<String> list = new ArrayList<>();
        if (userDefinedFileTypes != null) {
            for (FileType fileType : userDefinedFileTypes) {
                list.add(fileType.getMimeType());
            }
        }
        return list;
    }

    public boolean isDetectable(String mimeType) {
        return isDetectableAsUserDefinedType(mimeType) || isDetectableByTika(mimeType);
    }

    private boolean isDetectableAsUserDefinedType(String mimeType) {
        for (FileType fileType : userDefinedFileTypes) {
            if (fileType.getMimeType().equals(mimeType)) {
                return true;
            }
        }
        return false;
    }

    private boolean isDetectableByTika(String mimeType) {
        String[] split = mimeType.split("/");
        if (split.length == 2) {
            String type = split[0];
            String subtype = split[1];
            MediaType mediaType = new MediaType(type, subtype);
            SortedSet<MediaType> m = MimeTypes.getDefaultMimeTypes().getMediaTypeRegistry().getTypes();
            return m.contains(mediaType);
        }
        return false;
    }

    public String getFileType(AbstractFile file) throws TskCoreException {
        return detect(file, true);
    }

    public String detect(AbstractFile file) throws TskCoreException {
        return detect(file, false);
    }

    private String detect(AbstractFile file, boolean addToCaseDb) throws TskCoreException {
        /*
         * Check to see if the file has already been typed. This is the "check"
         * part of a check-then-act race condition (see note below).
         */
        String mimeType = file.getMIMEType();
        if (null != mimeType) {
            return mimeType;
        }

        /*
         * Mark non-regular files (refer to TskData.TSK_FS_META_TYPE_ENUM),
         * zero-sized files, unallocated space, and unused blocks (refer to
         * TskData.TSK_DB_FILES_TYPE_ENUM) as octet-stream.
         */
        if (!file.isFile() || file.getSize() <= 0
                || (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
                || (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
                || (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR)) {
            mimeType = MimeTypes.OCTET_STREAM;
        }

        /*
         * If the file is a regular file, give precedence to user-defined types.
         */
        if (null == mimeType) {
            mimeType = detectUserDefinedType(file, addToCaseDb);
        }

        /*
         * If the file does not match a user-defined type, send the initial
         * bytes to Tika.
         */
        if (null == mimeType) {
            try {
                byte buf[];
                int len = file.read(buffer, 0, BUFFER_SIZE);
                if (len < BUFFER_SIZE) {
                    buf = new byte[len];
                    System.arraycopy(buffer, 0, buf, 0, len);
                } else {
                    buf = buffer;
                }
                String tikaType = tika.detect(buf, file.getName());

                /*
                 * Remove the Tika suffix from the MIME type name.
                 */
                mimeType = tikaType.replace("tika-", ""); //NON-NLS

            } catch (Exception ignored) {
                /*
                 * This exception is swallowed and not logged rather than
                 * propagated because files in data sources are not always
                 * consistent with their file system metadata, making for read
                 * errors. Also, Tika can be a bit flaky at times, making this a
                 * best effort endeavor. Default to octet-stream.
                 */
                mimeType = MimeTypes.OCTET_STREAM;
            }
        }

        /*
         * If adding the result to the case database, do so now.
         *
         * NOTE: This condtional is a way to deal with the check-then-act race
         * condition created by the gap between querying the MIME type and
         * recording it. It is not really a problem for the mime_type column of
         * the tsk_files table, but it can lead to duplicate blackboard posts,
         * and the posts are required to maintain backward compatibility.
         * Various mitigation strategies were considered. It was decided to go
         * with the policy that only ingest modules are allowed to add file
         * types to the case database, at least until such time as file types
         * are no longer posted to the blackboard. Of course, this is not a
         * perfect solution. It's not really enforceable for community
         * contributed plug ins and it does not handle the unlikely but possible
         * scenario of multiple processes typing the same file for a multi-user
         * case.
         */
        if (addToCaseDb) {
            /*
             * Add the MIME type to the files table in the case database.
             */
            Case.getCurrentCase().getSleuthkitCase().setFileMIMEType(file, mimeType);

            /*
             * Post to the blackboard, adding the file type attribute to the
             * general info artifact. A property change is not fired for this
             * posting because general info artifacts are different from other
             * artifacts, e.g., they are not displayed in the results tree.
             */
            BlackboardArtifact getInfoArt = file.getGenInfoArtifact();
            @SuppressWarnings("deprecation")
            BlackboardAttribute batt = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG, FileTypeIdModuleFactory.getModuleName(), mimeType);
            getInfoArt.addAttribute(batt);
        }

        return mimeType;
    }

    private String detectUserDefinedType(AbstractFile file, boolean postToBlackBoard) throws TskCoreException {
        for (FileType fileType : userDefinedFileTypes) {
            if (fileType.matches(file)) {
                if (postToBlackBoard && fileType.alertOnMatch()) {
                    /*
                     * Create an interesting file hit artifact.
                     */
                    BlackboardArtifact artifact;
                    artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
                    BlackboardAttribute setNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, FileTypeIdModuleFactory.getModuleName(), fileType.getFilesSetName());
                    artifact.addAttribute(setNameAttribute);

                    /*
                     * Use the MIME type as the category attribute, i.e., the
                     * rule that determined this file belongs to the interesting
                     * files set.
                     */
                    BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, FileTypeIdModuleFactory.getModuleName(), fileType.getMimeType());
                    artifact.addAttribute(ruleNameAttribute);

                    /*
                     * Index the artifact for keyword search.
                     */
                    try {
                        Case.getCurrentCase().getServices().getBlackboard().indexArtifact(artifact);
                    } catch (Blackboard.BlackboardException | IllegalStateException ex) {
                        logger.log(Level.SEVERE, String.format("Unable to index blackboard artifact %d", artifact.getArtifactID()), ex); //NON-NLS
                        MessageNotifyUtil.Notify.error(
                                NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.exception.msg"), artifact.getDisplayName());
                    }
                }
                return fileType.getMimeType();
            }
        }
        return null;
    }

    /*
     * Exception thrown when a file type detector experiences an error
     * condition.
     */
    public static class FileTypeDetectorInitException extends Exception {

        private static final long serialVersionUID = 1L;

        FileTypeDetectorInitException(String message) {
            super(message);
        }

        FileTypeDetectorInitException(String message, Throwable throwable) {
            super(message, throwable);
        }

    }

    @Deprecated
    @SuppressWarnings("deprecation")
    public String detectAndPostToBlackboard(AbstractFile file) throws TskCoreException {
        return getFileType(file);
    }

}