19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
21 import com.google.common.util.concurrent.ThreadFactoryBuilder;
22 import java.beans.PropertyChangeEvent;
23 import java.beans.PropertyChangeListener;
24 import static java.lang.Boolean.FALSE;
25 import java.util.ArrayList;
26 import java.util.Collection;
27 import java.util.LinkedHashSet;
28 import java.util.List;
29 import java.util.concurrent.ExecutorService;
30 import java.util.concurrent.Executors;
31 import java.util.logging.Level;
32 import java.util.stream.Collectors;
33 import org.apache.commons.lang3.StringUtils;
34 import org.openide.util.NbBundle;
67 final Collection<String> recentlyAddedCeArtifacts =
new LinkedHashSet<>();
78 jobProcessingExecutor = Executors.newSingleThreadExecutor(
new ThreadFactoryBuilder().setNameFormat(INGEST_EVENT_THREAD_NAME).build());
106 correlationModuleInstanceCount++;
115 correlationModuleInstanceCount--;
123 synchronized static void resetCeModuleInstanceCount() {
124 correlationModuleInstanceCount = 0;
170 flagNotableItems = value;
179 flagSeenDevices = value;
188 createCrProperties = value;
191 @NbBundle.Messages({
"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
192 "IngestEventsListener.prevCaseComment.text=Previous Case: ",
193 "IngestEventsListener.ingestmodule.name=Correlation Engine"})
197 String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
199 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
200 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
201 Bundle.IngestEventsListener_prevTaggedSet_text()));
202 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
203 Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(
",",
"",
""))));
204 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID()));
206 SleuthkitCase tskCase = bbArtifact.getSleuthkitCase();
207 AbstractFile abstractFile = tskCase.getAbstractFileById(bbArtifact.getObjectID());
208 org.
sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
210 if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT, attributes)) {
211 BlackboardArtifact tifArtifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
212 tifArtifact.addAttributes(attributes);
219 LOGGER.log(Level.SEVERE,
"Unable to index blackboard artifact " + tifArtifact.getArtifactID(), ex);
225 }
catch (TskCoreException ex) {
226 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardArtifact.", ex);
227 }
catch (IllegalStateException ex) {
228 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardAttribute.", ex);
238 @NbBundle.Messages({
"IngestEventsListener.prevExists.text=Previously Seen Devices (Central Repository)",
241 "IngestEventsListener.prevCount.text=Number of previous {0}: {1}"})
245 String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
247 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
248 BlackboardAttribute att =
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
249 Bundle.IngestEventsListener_prevExists_text());
251 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID()));
253 SleuthkitCase tskCase = bbArtifact.getSleuthkitCase();
254 AbstractFile abstractFile = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
255 org.
sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
257 if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT, attributes)) {
258 BlackboardArtifact tifArtifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
259 tifArtifact.addAttributes(attributes);
266 LOGGER.log(Level.SEVERE,
"Unable to index blackboard artifact " + tifArtifact.getArtifactID(), ex);
272 }
catch (TskCoreException ex) {
273 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardArtifact.", ex);
274 }
catch (IllegalStateException ex) {
275 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardAttribute.", ex);
291 LOGGER.log(Level.SEVERE,
"Failed to connect to Central Repository database.", ex);
300 jobProcessingExecutor.submit(
new DataAddedTask(dbManager, evt, flagNotable, flagPrevious, createAttributes));
318 LOGGER.log(Level.SEVERE,
"Failed to connect to Central Repository database.", ex);
323 case DATA_SOURCE_ANALYSIS_COMPLETED: {
337 private final PropertyChangeEvent
event;
348 recentlyAddedCeArtifacts.clear();
360 String dataSourceName =
"";
361 long dataSourceObjectId = -1;
369 if (!(dataSource instanceof Image)) {
373 dataSourceName = dataSource.getName();
374 dataSourceObjectId = dataSource.getId();
379 if (null == correlationCase) {
380 correlationCase = dbManager.
newCase(openCase);
384 if (correlationDataSource == null) {
389 if (dataSource instanceof Image) {
390 Image image = (Image) dataSource;
392 String imageMd5Hash = image.
getMd5();
393 if (imageMd5Hash == null) {
396 String crMd5Hash = correlationDataSource.
getMd5();
397 if (StringUtils.equals(imageMd5Hash, crMd5Hash) ==
false) {
398 correlationDataSource.
setMd5(imageMd5Hash);
401 String imageSha1Hash = image.getSha1();
402 if (imageSha1Hash == null) {
405 String crSha1Hash = correlationDataSource.
getSha1();
406 if (StringUtils.equals(imageSha1Hash, crSha1Hash) ==
false) {
407 correlationDataSource.
setSha1(imageSha1Hash);
410 String imageSha256Hash = image.getSha256();
411 if (imageSha256Hash == null) {
412 imageSha256Hash =
"";
414 String crSha256Hash = correlationDataSource.
getSha256();
415 if (StringUtils.equals(imageSha256Hash, crSha256Hash) ==
false) {
416 correlationDataSource.
setSha256(imageSha256Hash);
421 LOGGER.log(Level.SEVERE, String.format(
422 "Unable to fetch data from the Central Repository for data source '%s' (obj_id=%d)",
423 dataSourceName, dataSourceObjectId), ex);
425 LOGGER.log(Level.SEVERE,
"No current case opened.", ex);
426 }
catch (TskCoreException ex) {
427 LOGGER.log(Level.SEVERE, String.format(
428 "Unable to fetch data from the case database for data source '%s' (obj_id=%d)",
429 dataSourceName, dataSourceObjectId), ex);
437 private final PropertyChangeEvent
event;
442 private DataAddedTask(
EamDb db, PropertyChangeEvent evt,
boolean flagNotableItemsEnabled,
boolean flagPreviousItemsEnabled,
boolean createCorrelationAttributes) {
456 Collection<BlackboardArtifact> bbArtifacts = mde.
getArtifacts();
457 if (null == bbArtifacts) {
460 List<CorrelationAttributeInstance> eamArtifacts =
new ArrayList<>();
462 for (BlackboardArtifact bbArtifact : bbArtifacts) {
468 if (recentlyAddedCeArtifacts.add(eamArtifact.toString())) {
473 if (flagNotableItemsEnabled) {
474 List<String> caseDisplayNames;
477 if (!caseDisplayNames.isEmpty()) {
482 LOGGER.log(Level.INFO, String.format(
"Unable to flag notable item: %s.", eamArtifact.toString()), ex);
485 if (flagPreviousItemsEnabled
493 if (countPreviousOccurences > 0) {
497 LOGGER.log(Level.INFO, String.format(
"Unable to flag notable item: %s.", eamArtifact.toString()), ex);
500 if (createCorrelationAttributes) {
501 eamArtifacts.add(eamArtifact);
505 LOGGER.log(Level.SEVERE,
"Error counting notable artifacts.", ex);
509 if (FALSE == eamArtifacts.isEmpty()) {
514 LOGGER.log(Level.SEVERE,
"Error adding artifact to database.", ex);
Collection< BlackboardArtifact > getArtifacts()
void removeIngestModuleEventListener(final PropertyChangeListener listener)
static List< CorrelationAttributeInstance > makeInstancesFromBlackboardArtifact(BlackboardArtifact artifact, boolean checkEnabled)
static boolean flagSeenDevices
final ExecutorService jobProcessingExecutor
static final int USBID_TYPE_ID
void setMd5(String md5Hash)
static synchronized IngestManager getInstance()
static synchronized int getCeModuleInstanceCount()
static final Logger LOGGER
DataAddedTask(EamDb db, PropertyChangeEvent evt, boolean flagNotableItemsEnabled, boolean flagPreviousItemsEnabled, boolean createCorrelationAttributes)
static final int ICCID_TYPE_ID
static synchronized boolean isFlagSeenDevices()
List< String > getListCasesHavingArtifactInstancesKnownBad(CorrelationAttributeInstance.Type aType, String value)
static synchronized void setCreateCrProperties(boolean value)
Long getCountArtifactInstancesByTypeValue(CorrelationAttributeInstance.Type aType, String value)
CorrelationCase newCase(CorrelationCase eamCase)
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
boolean isIngestRunning()
final PropertyChangeListener pcl1
static final int IMEI_TYPE_ID
static boolean createCrProperties
static synchronized boolean isFlagNotableItems()
void removeIngestJobEventListener(final PropertyChangeListener listener)
final boolean createCorrelationAttributes
static void shutDownTaskExecutor(ExecutorService executor)
void uninstallListeners()
AnalysisCompleteTask(EamDb db, PropertyChangeEvent evt)
final PropertyChangeEvent event
static EamDb getInstance()
CorrelationDataSource getDataSource(CorrelationCase correlationCase, Long caseDbDataSourceId)
void addIngestJobEventListener(final PropertyChangeListener listener)
final boolean flagNotableItemsEnabled
void setSha256(String sha256Hash)
static synchronized void setFlagSeenDevices(boolean value)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
void propertyChange(PropertyChangeEvent evt)
static boolean isEnabled()
void setSha1(String sha1Hash)
static final String INGEST_EVENT_THREAD_NAME
void propertyChange(PropertyChangeEvent evt)
static int correlationModuleInstanceCount
static synchronized void setFlagNotableItems(boolean value)
static final int MAC_TYPE_ID
Blackboard getBlackboard()
static final int IMSI_TYPE_ID
CorrelationCase getCase(Case autopsyCase)
void addIngestModuleEventListener(final PropertyChangeListener listener)
synchronized void indexArtifact(BlackboardArtifact artifact)
synchronized static Logger getLogger(String name)
static Case getCurrentCaseThrows()
static boolean flagNotableItems
static synchronized boolean shouldCreateCrProperties()
final boolean flagPreviousItemsEnabled
static void postCorrelatedBadArtifactToBlackboard(BlackboardArtifact bbArtifact, List< String > caseDisplayNames)
final PropertyChangeEvent event
static synchronized void incrementCorrelationEngineModuleCount()
static synchronized void decrementCorrelationEngineModuleCount()
final PropertyChangeListener pcl2
void addArtifactInstance(CorrelationAttributeInstance eamArtifact)
static void postCorrelatedPreviousArtifactToBlackboard(BlackboardArtifact bbArtifact)
static synchronized IngestServices getInstance()