Autopsy
4.15.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
Static Public Member Functions | |
static CorrelationAttributeInstance | getCorrAttrForFile (AbstractFile file) |
static boolean | isSupportedAbstractFileType (AbstractFile file) |
static CorrelationAttributeInstance | makeCorrAttrFromFile (AbstractFile file) |
static List< CorrelationAttributeInstance > | makeCorrAttrsForCorrelation (BlackboardArtifact artifact) |
static List< CorrelationAttributeInstance > | makeCorrAttrsToSave (BlackboardArtifact artifact) |
Private Member Functions | |
CorrelationAttributeUtil () | |
Static Private Member Functions | |
static BlackboardArtifact | getCorrAttrSourceArtifact (BlackboardArtifact artifact) throws NoCurrentCaseException, TskCoreException |
static String | getEmailAddressAttrDisplayName () |
static CorrelationAttributeInstance | makeCorrAttr (BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) |
static void | makeCorrAttrFromAcctArtifact (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact) throws TskCoreException, CentralRepoException |
static void | makeCorrAttrFromArtifactAttr (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId) throws CentralRepoException, TskCoreException |
static void | makeCorrAttrsFromCommunicationArtifacts (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact) throws TskCoreException, CentralRepoException |
Static Private Attributes | |
static final Logger | logger = Logger.getLogger(CorrelationAttributeUtil.class.getName()) |
static final Set< Integer > | SOURCE_TYPES_FOR_CR_INSERT |
Utility class for working with correlation attributes in the central repository.
Definition at line 46 of file CorrelationAttributeUtil.java.
|
private |
Prevent instantiation of this utility class.
Definition at line 569 of file CorrelationAttributeUtil.java.
|
static |
Gets the correlation attribute instance for a file.
file | The file. |
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
Definition at line 413 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.FILES_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationAttributeInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType().
Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction(), org.sleuthkit.autopsy.datamodel.AbstractAbstractFileNode< SpecialDirectory >.getCorrelationAttributeInstance(), and org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.getCorrelationAttributeInstance().
|
static private |
Gets the associated artifact of a "meta-artifact" such as an interesting artifact hit artifact.
artifact | An artifact. |
NoCurrentCaseException | If there is no open case. |
TskCoreException | If there is an error querying the case database. |
Definition at line 254 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), and org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase().
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().
|
static private |
Gets a string that is expected to be the same string that is stored in the correlation_types table in the central repository as the display name for the email address correlation attribute type. This string is duplicated in the CorrelationAttributeInstance class.
TODO (Jira-6088): We should not have multiple definitions of this string.
Definition at line 61 of file CorrelationAttributeUtil.java.
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().
|
static |
Checks whether or not a file is of a type that can be added to the central repository as a correlation attribute instance.
file | A file. |
Definition at line 542 of file CorrelationAttributeUtil.java.
Referenced by org.sleuthkit.autopsy.centralrepository.CentralRepoContextMenuActionsProvider.getActions(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromFile().
|
static private |
Makes a correlation attribute instance of a given type from an artifact.
artifact | The artifact. |
correlationType | The correlation attribute type. |
value | The correlation attribute value. |
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
Definition at line 362 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.getName(), and org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase().
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts().
|
static private |
Makes a correlation attribute instance for an account artifact.
Also creates an account in the CR DB if it doesn't exist.
IMPORTANT: The correlation attribute instance is NOT added to the central repository by this method.
corrAttrInstances | A list of correlation attribute instances. |
acctArtifact | An account artifact. |
Definition at line 280 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getAccountTypeByName(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount.CentralRepoAccountType.getCorrelationTypeId(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount.getId(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getOrCreateAccount(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr().
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().
|
static private |
Makes a correlation attribute instance from a specified attribute of an artifact. The correlation attribute instance is added to an input list.
corrAttrInstances | A list of correlation attribute instances. |
artifact | An artifact. |
artAttrType | The type of the attribute of the artifact that is to be made into a correlation attribute instance. |
typeId | The type ID for the desired correlation attribute instance. |
CentralRepoException | If there is an error querying the central repository. |
TskCoreException | If there is an error querying the case database. |
Definition at line 332 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr().
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().
|
static |
Makes a correlation attribute instance for a file.
IMPORTANT: The correlation attribute instance is NOT added to the central repository by this method.
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
file | The file. |
Definition at line 493 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.FILES_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.getName(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType().
Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.TagDefinitionChangeTask.run(), and org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.setContentKnownStatus().
|
static |
Makes zero to many correlation attribute instances from the attributes of artifacts that have correlatable data. The intention of this method is to use the results to correlate with, not to save. If you want to save, please use makeCorrAttrsToSave. An artifact that can have correlatable data is not necessarily an artifact that should be the source of data in the CR, so results may be too lenient.
IMPORTANT: The correlation attribute instances are NOT added to the central repository by this method.
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
artifact | An artifact. |
Definition at line 136 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.DOMAIN_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.EMAIL_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrSourceArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getEmailAddressAttrDisplayName(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.ICCID_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.IMEI_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.IMSI_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.MAC_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.PHONE_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.SSID_TYPE_ID, and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.USBID_TYPE_ID.
Referenced by org.sleuthkit.autopsy.contentviewers.AnnotationsContentViewer.getCentralRepositoryData(), org.sleuthkit.autopsy.centralrepository.contentviewer.DataContentViewerOtherCases.getCorrelationAttributesFromNode(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.TagDefinitionChangeTask.run(), and org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.BlackboardTagTask.setArtifactKnownStatus().
|
static private |
Makes a correlation attribute instance from a phone number attribute of an artifact.
corrAttrInstances | Correlation attributes will be added to this. |
artifact | An artifact with a phone number attribute. |
TskCoreException | If there is an error querying the case database. |
CentralRepoException | If there is an error querying the central repository. |
Definition at line 212 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.PHONE_TYPE_ID.
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().
|
static |
Makes zero to many correlation attribute instances from the attributes of artifacts that have correlatable data. The intention of this method is to use the results to save to the CR, not to correlate with them. If you want to correlate, please use makeCorrAttrsForCorrelation. An artifact that can have correlatable data is not necessarily an artifact that should be the source of data in the CR, so results may be unnecessarily incomplete.
artifact | An artifact. |
Definition at line 101 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().
Referenced by org.sleuthkit.autopsy.centralrepository.eventlisteners.IngestEventsListener.DataAddedTask.run().
|
static private |
Definition at line 48 of file CorrelationAttributeUtil.java.
|
static private |
Definition at line 72 of file CorrelationAttributeUtil.java.
Copyright © 2012-2020 Basis Technology. Generated on: Mon Jul 6 2020
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.