19 package org.sleuthkit.autopsy.centralrepository.ingestmodule;
21 import java.util.ArrayList;
22 import java.util.Collection;
25 import java.util.List;
26 import java.util.logging.Level;
27 import java.util.stream.Collectors;
28 import org.openide.util.NbBundle.Messages;
62 @Messages({
"CentralRepoIngestModule.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
63 "CentralRepoIngestModule.prevCaseComment.text=Previous Case: "})
66 static final boolean DEFAULT_FLAG_TAGGED_NOTABLE_ITEMS =
true;
67 static final boolean DEFAULT_FLAG_PREVIOUS_DEVICES =
true;
68 static final boolean DEFAULT_CREATE_CR_PROPERTIES =
true;
79 private final boolean flagTaggedNotableItems;
80 private final boolean flagPreviouslySeenDevices;
81 private final boolean createCorrelationProperties;
88 CentralRepoIngestModule(IngestSettings settings) {
89 flagTaggedNotableItems = settings.isFlagTaggedNotableItems();
90 flagPreviouslySeenDevices = settings.isFlagPreviousDevices();
91 createCorrelationProperties = settings.shouldCreateCorrelationProperties();
95 public ProcessResult process(AbstractFile abstractFile) {
103 return ProcessResult.OK;
109 logger.log(Level.SEVERE,
"Exception while getting open case.", ex);
110 return ProcessResult.ERROR;
114 return ProcessResult.OK;
117 if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) {
118 return ProcessResult.OK;
125 logger.log(Level.SEVERE,
"Error connecting to Central Repository database.", ex);
126 return ProcessResult.ERROR;
130 if (!filesType.isEnabled()) {
131 return ProcessResult.OK;
135 String md5 = abstractFile.getMd5Hash();
136 if ((md5 == null) || (HashUtility.isNoDataMd5(md5))) {
137 return ProcessResult.OK;
144 if (abstractFile.getKnown() != TskData.FileKnown.KNOWN && flagTaggedNotableItems) {
149 if (!caseDisplayNamesList.isEmpty()) {
150 postCorrelatedBadFileToBlackboard(abstractFile, caseDisplayNamesList);
153 logger.log(Level.SEVERE,
"Error searching database for artifact.", ex);
154 return ProcessResult.ERROR;
156 logger.log(Level.INFO,
"Error searching database for artifact.", ex);
157 return ProcessResult.ERROR;
162 if (createCorrelationProperties) {
169 abstractFile.getParentPath() + abstractFile.
getName(),
171 TskData.FileKnown.UNKNOWN
173 abstractFile.getId());
176 logger.log(Level.SEVERE,
"Error adding artifact to bulk artifacts.", ex);
177 return ProcessResult.ERROR;
179 logger.log(Level.INFO,
"Error adding artifact to bulk artifacts.", ex);
180 return ProcessResult.ERROR;
183 return ProcessResult.OK;
187 public void shutDown() {
190 if ((
EamDb.
isEnabled() ==
false) || (eamCase == null) || (eamDataSource == null)) {
197 logger.log(Level.SEVERE,
"Error connecting to Central Repository database.", ex);
203 logger.log(Level.SEVERE,
"Error doing bulk insert of artifacts.", ex);
207 logger.log(Level.INFO,
"{0} artifacts in db for case: {1} ds:{2}",
new Object[]{count, eamCase.getDisplayName(), eamDataSource.getName()});
209 logger.log(Level.SEVERE,
"Error counting artifacts.", ex);
218 "CentralRepoIngestModule.notfyBubble.title=Central Repository Not Initialized",
219 "CentralRepoIngestModule.errorMessage.isNotEnabled=Central repository settings are not initialized, cannot run Correlation Engine ingest module."
222 public void startUp(
IngestJobContext context)
throws IngestModuleException {
259 MessageNotifyUtil.
Notify.
warn(Bundle.CentralRepoIngestModule_notfyBubble_title(), Bundle.CentralRepoIngestModule_errorMessage_isNotEnabled());
268 logger.log(Level.SEVERE,
"Exception while getting open case.", ex);
269 throw new IngestModuleException(
"Exception while getting open case.", ex);
275 logger.log(Level.SEVERE,
"Cannot run correlation engine on a multi-user case with a SQLite central repository.");
276 throw new IngestModuleException(
"Cannot run on a multi-user case with a SQLite central repository.");
284 logger.log(Level.SEVERE,
"Error connecting to central repository database.", ex);
285 throw new IngestModuleException(
"Error connecting to central repository database.", ex);
291 logger.log(Level.SEVERE,
"Error getting correlation type FILES in ingest module start up.", ex);
292 throw new IngestModuleException(
"Error getting correlation type FILES in ingest module start up.", ex);
296 eamCase = centralRepoDb.
getCase(autopsyCase);
298 throw new IngestModuleException(
"Unable to get case from central repository database ", ex);
304 logger.log(Level.SEVERE,
"Error getting data source info.", ex);
305 throw new IngestModuleException(
"Error getting data source info.", ex);
318 logger.log(Level.SEVERE,
"Error adding data source to Central Repository.", ex);
319 throw new IngestModuleException(
"Error adding data source to Central Repository.", ex);
331 private void postCorrelatedBadFileToBlackboard(AbstractFile abstractFile, List<String> caseDisplayNames) {
336 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
337 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
338 Bundle.CentralRepoIngestModule_prevTaggedSet_text()));
339 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
340 Bundle.CentralRepoIngestModule_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(
",",
"",
""))));
343 org.
sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
345 if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, attributes)) {
346 BlackboardArtifact tifArtifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
347 tifArtifact.addAttributes(attributes);
353 logger.log(Level.SEVERE,
"Unable to index blackboard artifact " + tifArtifact.getArtifactID(), ex);
357 sendBadFileInboxMessage(tifArtifact, abstractFile.getName(), abstractFile.getMd5Hash());
362 }
catch (TskCoreException ex) {
363 logger.log(Level.SEVERE,
"Failed to create BlackboardArtifact.", ex);
364 }
catch (IllegalStateException ex) {
365 logger.log(Level.SEVERE,
"Failed to create BlackboardAttribute.", ex);
367 logger.log(Level.SEVERE,
"Exception while getting open case.", ex);
379 @Messages({
"CentralRepoIngestModule.postToBB.fileName=File Name",
380 "CentralRepoIngestModule.postToBB.md5Hash=MD5 Hash",
381 "CentralRepoIngestModule.postToBB.hashSetSource=Source of Hash",
382 "CentralRepoIngestModule.postToBB.eamHit=Central Repository",
383 "# {0} - Name of file that is Notable",
384 "CentralRepoIngestModule.postToBB.knownBadMsg=Notable: {0}"})
385 public void sendBadFileInboxMessage(BlackboardArtifact artifact, String name, String md5Hash) {
386 StringBuilder detailsSb =
new StringBuilder();
388 detailsSb.append(
"<table border='0' cellpadding='4' width='280'>");
390 detailsSb.append(
"<tr>");
391 detailsSb.append(
"<th>")
392 .append(Bundle.CentralRepoIngestModule_postToBB_fileName())
394 detailsSb.append(
"<td>")
397 detailsSb.append(
"</tr>");
399 detailsSb.append(
"<tr>");
400 detailsSb.append(
"<th>")
401 .append(Bundle.CentralRepoIngestModule_postToBB_md5Hash())
403 detailsSb.append(
"<td>").append(md5Hash).append(
"</td>");
404 detailsSb.append(
"</tr>");
406 detailsSb.append(
"<tr>");
407 detailsSb.append(
"<th>")
408 .append(Bundle.CentralRepoIngestModule_postToBB_hashSetSource())
410 detailsSb.append(
"<td>").append(Bundle.CentralRepoIngestModule_postToBB_eamHit()).append(
"</td>");
411 detailsSb.append(
"</tr>");
413 detailsSb.append(
"</table>");
416 Bundle.CentralRepoIngestModule_postToBB_knownBadMsg(name),
417 detailsSb.toString(),
synchronized long decrementAndGet(long jobId)
CorrelationDataSource newDataSource(CorrelationDataSource eamDataSource)
static synchronized int getCeModuleInstanceCount()
static IngestMessage createDataMessage(String source, String subject, String detailsHtml, String uniqueKey, BlackboardArtifact data)
static boolean runningWithGUI
static synchronized boolean isFlagSeenDevices()
List< String > getListCasesHavingArtifactInstancesKnownBad(CorrelationAttributeInstance.Type aType, String value)
static synchronized void setCreateCrProperties(boolean value)
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
static boolean isSupportedAbstractFileType(AbstractFile file)
synchronized long incrementAndGet(long jobId)
static TimingMetric getTimingMetric(String name)
static synchronized boolean isFlagNotableItems()
void addAttributeInstanceBulk(CorrelationAttributeInstance eamArtifact)
static EamDb getInstance()
CorrelationDataSource getDataSource(CorrelationCase correlationCase, Long caseDbDataSourceId)
void commitAttributeInstancesBulk()
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
static synchronized void setFlagSeenDevices(boolean value)
void postMessage(final IngestMessage message)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
static String getModuleName()
Long getCountArtifactInstancesByCaseDataSource(CorrelationDataSource correlationDataSource)
static boolean isEnabled()
SleuthkitCase getSleuthkitCase()
static synchronized void setFlagNotableItems(boolean value)
Long getDataSourceObjectID()
static void submitTimingMetric(TimingMetric metric)
Blackboard getBlackboard()
CorrelationCase getCase(Case autopsyCase)
synchronized void indexArtifact(BlackboardArtifact artifact)
synchronized static Logger getLogger(String name)
static Case getCurrentCaseThrows()
static synchronized boolean shouldCreateCrProperties()
static synchronized void incrementCorrelationEngineModuleCount()
static synchronized void decrementCorrelationEngineModuleCount()
static void warn(String title, String message)
static final int FILES_TYPE_ID
static synchronized IngestServices getInstance()