Autopsy  4.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
QueryResults.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014-2015 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.keywordsearch;
20 
21 import java.util.ArrayList;
22 import java.util.Collection;
23 import java.util.HashMap;
24 import java.util.List;
25 import java.util.Map;
26 import java.util.Set;
27 import java.util.logging.Level;
28 import javax.swing.SwingWorker;
29 import org.netbeans.api.progress.ProgressHandle;
30 import org.netbeans.api.progress.aggregate.ProgressContributor;
31 import org.openide.util.NbBundle;
37 import org.sleuthkit.datamodel.AbstractFile;
38 import org.sleuthkit.datamodel.BlackboardArtifact;
39 import org.sleuthkit.datamodel.BlackboardAttribute;
40 import org.sleuthkit.datamodel.Content;
41 
47 class QueryResults {
48 
49  private static final Logger logger = Logger.getLogger(QueryResults.class.getName());
50 
54  private final KeywordSearchQuery keywordSearchQuery;
55 
59  private final Map<Keyword, List<KeywordHit>> results = new HashMap<>();
60 
64  // TODO: This is redundant. The keyword list is in the query.
65  private final KeywordList keywordList;
66 
67  QueryResults(KeywordSearchQuery query, KeywordList keywordList) {
68  this.keywordSearchQuery = query;
69  this.keywordList = keywordList;
70  }
71 
72  void addResult(Keyword keyword, List<KeywordHit> hits) {
73  results.put(keyword, hits);
74  }
75 
76  // TODO: This is redundant. The keyword list is in the query.
77  KeywordList getKeywordList() {
78  return keywordList;
79  }
80 
81  KeywordSearchQuery getQuery() {
82  return keywordSearchQuery;
83  }
84 
85  List<KeywordHit> getResults(Keyword keyword) {
86  return results.get(keyword);
87  }
88 
89  Set<Keyword> getKeywords() {
90  return results.keySet();
91  }
92 
108  Collection<BlackboardArtifact> writeAllHitsToBlackBoard(ProgressHandle progress, ProgressContributor subProgress, SwingWorker<Object, Void> worker, boolean notifyInbox) {
109  final Collection<BlackboardArtifact> newArtifacts = new ArrayList<>();
110  if (progress != null) {
111  progress.start(getKeywords().size());
112  }
113  int unitProgress = 0;
114 
115  for (final Keyword keyword : getKeywords()) {
116  if (worker.isCancelled()) {
117  logger.log(Level.INFO, "Cancel detected, bailing before new keyword processed: {0}", keyword.getQuery()); //NON-NLS
118  break;
119  }
120 
121  // Update progress object(s), if any
122  if (progress != null) {
123  progress.progress(keyword.toString(), unitProgress);
124  }
125  if (subProgress != null) {
126  String hitDisplayStr = keyword.getQuery();
127  if (hitDisplayStr.length() > 50) {
128  hitDisplayStr = hitDisplayStr.substring(0, 49) + "...";
129  }
130  subProgress.progress(keywordList.getName() + ": " + hitDisplayStr, unitProgress);
131  }
132 
133  for (KeywordHit hit : getOneHitPerObject(keyword)) {
134  String termString = keyword.getQuery();
135  final String snippetQuery = KeywordSearchUtil.escapeLuceneQuery(termString);
136  String snippet;
137  try {
138  snippet = LuceneQuery.querySnippet(snippetQuery, hit.getSolrObjectId(), hit.getChunkId(), !keywordSearchQuery.isLiteral(), true);
139  } catch (NoOpenCoreException e) {
140  logger.log(Level.WARNING, "Error querying snippet: " + snippetQuery, e); //NON-NLS
141  //no reason to continue
142  break;
143  } catch (Exception e) {
144  logger.log(Level.WARNING, "Error querying snippet: " + snippetQuery, e); //NON-NLS
145  continue;
146  }
147  if (snippet != null) {
148  KeywordCachedArtifact writeResult = keywordSearchQuery.writeSingleFileHitsToBlackBoard(termString, hit, snippet, keywordList.getName());
149  if (writeResult != null) {
150  newArtifacts.add(writeResult.getArtifact());
151  if (notifyInbox) {
152  writeSingleFileInboxMessage(writeResult, hit.getContent());
153  }
154  } else {
155  logger.log(Level.WARNING, "BB artifact for keyword hit not written, file: {0}, hit: {1}", new Object[]{hit.getContent(), keyword.toString()}); //NON-NLS
156  }
157  }
158  }
159  ++unitProgress;
160  }
161 
162  // Update artifact browser
163  if (!newArtifacts.isEmpty()) {
164  IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(KeywordSearchModuleFactory.getModuleName(), BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT, newArtifacts));
165  }
166 
167  return newArtifacts;
168  }
169 
178  private Collection<KeywordHit> getOneHitPerObject(Keyword keyword) {
179 
180  HashMap<Long, KeywordHit> hits = new HashMap<Long, KeywordHit>();
181 
182  // create a list of KeywordHits. KeywordHits with lowest chunkID is added the the list.
183  for (KeywordHit hit : getResults(keyword)) {
184  if (!hits.containsKey(hit.getSolrObjectId())) {
185  hits.put(hit.getSolrObjectId(), hit);
186  } else {
187  if (hit.getChunkId() < hits.get(hit.getSolrObjectId()).getChunkId()) {
188  hits.put(hit.getSolrObjectId(), hit);
189  }
190  }
191  }
192  return hits.values();
193  }
194 
201  private void writeSingleFileInboxMessage(KeywordCachedArtifact written, Content hitContent) {
202  StringBuilder subjectSb = new StringBuilder();
203  StringBuilder detailsSb = new StringBuilder();
204 
205  if (!keywordSearchQuery.isLiteral()) {
206  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExpHitLbl"));
207  } else {
208  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitLbl"));
209  }
210  String uniqueKey = null;
211  BlackboardAttribute attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID());
212  if (attr != null) {
213  final String keyword = attr.getValueString();
214  subjectSb.append(keyword);
215  uniqueKey = keyword.toLowerCase();
216  }
217 
218  //details
219  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
220  //hit
221  detailsSb.append("<tr>"); //NON-NLS
222  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitThLbl"));
223  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append("</td>"); //NON-NLS
224  detailsSb.append("</tr>"); //NON-NLS
225 
226  //preview
227  attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID());
228  if (attr != null) {
229  detailsSb.append("<tr>"); //NON-NLS
230  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.previewThLbl"));
231  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append("</td>"); //NON-NLS
232  detailsSb.append("</tr>"); //NON-NLS
233  }
234 
235  //file
236  detailsSb.append("<tr>"); //NON-NLS
237  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.fileThLbl"));
238  if (hitContent instanceof AbstractFile) {
239  AbstractFile hitFile = (AbstractFile) hitContent;
240  detailsSb.append("<td>").append(hitFile.getParentPath()).append(hitFile.getName()).append("</td>"); //NON-NLS
241  } else {
242  detailsSb.append("<td>").append(hitContent.getName()).append("</td>"); //NON-NLS
243  }
244  detailsSb.append("</tr>"); //NON-NLS
245 
246  //list
247  attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID());
248  detailsSb.append("<tr>"); //NON-NLS
249  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.listThLbl"));
250  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
251  detailsSb.append("</tr>"); //NON-NLS
252 
253  //regex
254  if (!keywordSearchQuery.isLiteral()) {
255  attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID());
256  if (attr != null) {
257  detailsSb.append("<tr>"); //NON-NLS
258  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExThLbl"));
259  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
260  detailsSb.append("</tr>"); //NON-NLS
261  }
262  }
263  detailsSb.append("</table>"); //NON-NLS
264 
265  IngestServices.getInstance().postMessage(IngestMessage.createDataMessage(KeywordSearchModuleFactory.getModuleName(), subjectSb.toString(), detailsSb.toString(), uniqueKey, written.getArtifact()));
266  }
267 
268 }

Copyright © 2012-2015 Basis Technology. Generated on: Wed Apr 6 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.