19 package org.sleuthkit.autopsy.keywordsearch;
21 import java.util.ArrayList;
22 import java.util.Collection;
23 import java.util.HashMap;
24 import java.util.List;
27 import java.util.logging.Level;
28 import javax.swing.SwingWorker;
29 import org.apache.commons.lang.StringUtils;
30 import org.netbeans.api.progress.ProgressHandle;
31 import org.netbeans.api.progress.aggregate.ProgressContributor;
32 import org.openide.util.NbBundle;
55 private static final Logger logger = Logger.getLogger(QueryResults.class.getName());
56 private static final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
57 private final KeywordSearchQuery query;
58 private final Map<Keyword, List<KeywordHit>> results =
new HashMap<>();
70 QueryResults(KeywordSearchQuery query) {
80 KeywordSearchQuery getQuery() {
92 void addResult(Keyword keyword, List<KeywordHit> hits) {
93 results.put(keyword, hits);
103 List<KeywordHit> getResults(Keyword keyword) {
104 return results.get(keyword);
113 Set<Keyword> getKeywords() {
114 return results.keySet();
146 void process(ProgressHandle progress, ProgressContributor subProgress, SwingWorker<?, ?> worker,
boolean notifyInbox,
boolean saveResults) {
151 if (null != progress) {
152 progress.start(getKeywords().size());
158 int keywordsProcessed = 0;
159 final Collection<BlackboardArtifact> hitArtifacts =
new ArrayList<>();
160 for (
final Keyword keyword : getKeywords()) {
164 if (worker.isCancelled()) {
165 logger.log(Level.INFO,
"Processing cancelled, exiting before processing search term {0}", keyword.getSearchTerm());
173 if (progress != null) {
174 progress.progress(keyword.toString(), keywordsProcessed);
176 if (subProgress != null) {
177 String hitDisplayStr = keyword.getSearchTerm();
178 if (hitDisplayStr.length() > 50) {
179 hitDisplayStr = hitDisplayStr.substring(0, 49) +
"...";
181 subProgress.progress(query.getKeywordList().getName() +
": " + hitDisplayStr, keywordsProcessed);
189 for (KeywordHit hit : getOneHitPerTextSourceObject(keyword)) {
196 String snippet = hit.getSnippet();
197 if (StringUtils.isBlank(snippet)) {
198 final String snippetQuery = KeywordSearchUtil.escapeLuceneQuery(keyword.getSearchTerm());
200 snippet = LuceneQuery.querySnippet(snippetQuery, hit.getSolrObjectId(), hit.getChunkId(), !query.isLiteral(),
true);
201 }
catch (NoOpenCoreException e) {
202 logger.log(Level.SEVERE,
"Solr core closed while executing snippet query " + snippetQuery, e);
204 }
catch (Exception e) {
205 logger.log(Level.SEVERE,
"Error executing snippet query " + snippetQuery, e);
214 Content content = null;
216 SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
217 content = tskCase.getContentById(hit.getContentID());
218 }
catch (TskCoreException | NoCurrentCaseException tskCoreException) {
219 logger.log(Level.SEVERE,
"Failed to get text source object for keyword hit", tskCoreException);
222 if ((content != null) && saveResults) {
226 BlackboardArtifact artifact = query.createKeywordHitArtifact(content, keyword, hit, snippet, query.getKeywordList().getName());
231 if (null != artifact) {
232 hitArtifacts.add(artifact);
235 writeSingleFileInboxMessage(artifact, content);
236 }
catch (TskCoreException ex) {
237 logger.log(Level.SEVERE,
"Error sending message to ingest messages inbox", ex);
251 if (!hitArtifacts.isEmpty()) {
253 SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
254 Blackboard blackboard = tskCase.getBlackboard();
256 blackboard.postArtifacts(hitArtifacts, MODULE_NAME);
257 }
catch (NoCurrentCaseException | Blackboard.BlackboardException ex) {
258 logger.log(Level.SEVERE,
"Failed to post KWH artifact to blackboard.", ex);
272 private Collection<KeywordHit> getOneHitPerTextSourceObject(Keyword keyword) {
278 HashMap< Long, KeywordHit> hits =
new HashMap<>();
279 getResults(keyword).forEach((hit) -> {
280 if (!hits.containsKey(hit.getSolrObjectId())) {
281 hits.put(hit.getSolrObjectId(), hit);
282 }
else if (hit.getChunkId() < hits.get(hit.getSolrObjectId()).getChunkId()) {
283 hits.put(hit.getSolrObjectId(), hit);
286 return hits.values();
299 private void writeSingleFileInboxMessage(BlackboardArtifact artifact, Content hitContent)
throws TskCoreException {
300 StringBuilder subjectSb =
new StringBuilder(1024);
301 if (!query.isLiteral()) {
302 subjectSb.append(NbBundle.getMessage(
this.getClass(),
"KeywordSearchIngestModule.regExpHitLbl"));
304 subjectSb.append(NbBundle.getMessage(
this.getClass(),
"KeywordSearchIngestModule.kwHitLbl"));
307 StringBuilder detailsSb =
new StringBuilder(1024);
308 String uniqueKey = null;
309 BlackboardAttribute attr = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD));
311 final String keyword = attr.getValueString();
312 subjectSb.append(keyword);
313 uniqueKey = keyword.toLowerCase();
314 detailsSb.append(
"<table border='0' cellpadding='4' width='280'>");
315 detailsSb.append(
"<tr>");
316 detailsSb.append(NbBundle.getMessage(
this.getClass(),
"KeywordSearchIngestModule.kwHitThLbl"));
317 detailsSb.append(
"<td>").append(EscapeUtil.escapeHtml(keyword)).append(
"</td>");
318 detailsSb.append(
"</tr>");
322 attr = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW));
324 detailsSb.append(
"<tr>");
325 detailsSb.append(NbBundle.getMessage(
this.getClass(),
"KeywordSearchIngestModule.previewThLbl"));
326 detailsSb.append(
"<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append(
"</td>");
327 detailsSb.append(
"</tr>");
331 detailsSb.append(
"<tr>");
332 detailsSb.append(NbBundle.getMessage(
this.getClass(),
"KeywordSearchIngestModule.fileThLbl"));
333 if (hitContent instanceof AbstractFile) {
334 AbstractFile hitFile = (AbstractFile) hitContent;
335 detailsSb.append(
"<td>").append(hitFile.getParentPath()).append(hitFile.getName()).append(
"</td>");
337 detailsSb.append(
"<td>").append(hitContent.getName()).append(
"</td>");
339 detailsSb.append(
"</tr>");
342 attr = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
344 detailsSb.append(
"<tr>");
345 detailsSb.append(NbBundle.getMessage(
this.getClass(),
"KeywordSearchIngestModule.listThLbl"));
346 detailsSb.append(
"<td>").append(attr.getValueString()).append(
"</td>");
347 detailsSb.append(
"</tr>");
351 if (!query.isLiteral()) {
352 attr = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP));
354 detailsSb.append(
"<tr>");
355 detailsSb.append(NbBundle.getMessage(
this.getClass(),
"KeywordSearchIngestModule.regExThLbl"));
356 detailsSb.append(
"<td>").append(attr.getValueString()).append(
"</td>");
357 detailsSb.append(
"</tr>");
360 detailsSb.append(
"</table>");
362 IngestServices.getInstance().postMessage(IngestMessage.createDataMessage(MODULE_NAME, subjectSb.toString(), detailsSb.toString(), uniqueKey, artifact));