Autopsy  4.15.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil Class Reference

Static Public Member Functions

static CorrelationAttributeInstance getCorrAttrForFile (AbstractFile file)
 
static boolean isSupportedAbstractFileType (AbstractFile file)
 
static CorrelationAttributeInstance makeCorrAttrFromFile (AbstractFile file)
 
static List< CorrelationAttributeInstance > makeCorrAttrsForCorrelation (BlackboardArtifact artifact)
 
static List< CorrelationAttributeInstance > makeCorrAttrsToSave (BlackboardArtifact artifact)
 

Private Member Functions

 CorrelationAttributeUtil ()
 

Static Private Member Functions

static BlackboardArtifact getCorrAttrSourceArtifact (BlackboardArtifact artifact) throws NoCurrentCaseException, TskCoreException
 
static String getEmailAddressAttrDisplayName ()
 
static CorrelationAttributeInstance makeCorrAttr (BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)
 
static void makeCorrAttrFromAcctArtifact (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact) throws TskCoreException, CentralRepoException
 
static void makeCorrAttrFromArtifactAttr (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId) throws CentralRepoException, TskCoreException
 
static void makeCorrAttrsFromCommunicationArtifacts (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact) throws TskCoreException, CentralRepoException
 

Static Private Attributes

static final Logger logger = Logger.getLogger(CorrelationAttributeUtil.class.getName())
 
static final Set< Integer > SOURCE_TYPES_FOR_CR_INSERT
 

Detailed Description

Utility class for working with correlation attributes in the central repository.

Definition at line 46 of file CorrelationAttributeUtil.java.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.CorrelationAttributeUtil ( )
private

Prevent instantiation of this utility class.

Definition at line 569 of file CorrelationAttributeUtil.java.

Member Function Documentation

static CorrelationAttributeInstance org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile ( AbstractFile  file)
static

Gets the correlation attribute instance for a file.

Parameters
file: The file.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Returns
The correlation attribute instance or null, if no such correlation attribute instance was found or an error occurred.

Definition at line 413 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.FILES_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationAttributeInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType().

Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction(), org.sleuthkit.autopsy.datamodel.AbstractAbstractFileNode< SpecialDirectory >.getCorrelationAttributeInstance(), and org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.getCorrelationAttributeInstance().

static BlackboardArtifact org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrSourceArtifact ( BlackboardArtifact  artifact) throws NoCurrentCaseException, TskCoreException
static private

Gets the associated artifact of a "meta-artifact" such as an interesting artifact hit artifact.

Parameters
artifact: An artifact.
Returns
The associated artifact if the input artifact is a "meta-artifact", otherwise the input artifact.
Exceptions
NoCurrentCaseException: If there is no open case.
TskCoreException: If there is an error querying the case database.

Definition at line 254 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), and org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase().

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().

static String org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getEmailAddressAttrDisplayName ( )
static private

Gets a string that is expected to be the same string that is stored in the correlation_types table in the central repository as the display name for the email address correlation attribute type. This string is duplicated in the CorrelationAttributeInstance class.

TODO (Jira-6088): We should not have multiple definitions of this string.

Returns
The display name of the email address correlation attribute type.

Definition at line 61 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().

static boolean org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType ( AbstractFile  file)
static

Checks whether or not a file is of a type that can be added to the central repository as a correlation attribute instance.

Parameters
file: A file.
Returns
True or false.

Definition at line 542 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.CentralRepoContextMenuActionsProvider.getActions(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromFile().

static CorrelationAttributeInstance org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr ( BlackboardArtifact  artifact,
CorrelationAttributeInstance.Type  correlationType,
String  value 
)
static private

Makes a correlation attribute instance of a given type from an artifact.

Parameters
artifact: The artifact.
correlationType: The correlation attribute type.
value: The correlation attribute value.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Returns
The correlation attribute instance or null, if an error occurred.

Definition at line 362 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.getName(), and org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase().

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts().

static void org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact ( List< CorrelationAttributeInstance > corrAttrInstances,
BlackboardArtifact  acctArtifact 
) throws TskCoreException, CentralRepoException
static private

static void org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr ( List< CorrelationAttributeInstance > corrAttrInstances,
BlackboardArtifact  artifact,
ATTRIBUTE_TYPE  artAttrType,
int  typeId 
) throws CentralRepoException, TskCoreException
static private

Makes a correlation attribute instance from a specified attribute of an artifact. The correlation attribute instance is added to an input list.

Parameters
corrAttrInstances: A list of correlation attribute instances.
artifact: An artifact.
artAttrType: The type of the attribute of the artifact that is to be made into a correlation attribute instance.
typeId: The type ID for the desired correlation attribute instance.
Exceptions
CentralRepoException: If there is an error querying the central repository.
TskCoreException: If there is an error querying the case database.

Definition at line 332 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr().

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().

static CorrelationAttributeInstance org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromFile ( AbstractFile  file)
static

Makes a correlation attribute instance for a file.

IMPORTANT: The correlation attribute instance is NOT added to the central repository by this method.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Parameters
file: The file.
Returns
The correlation attribute instance or null, if an error occurred.

Definition at line 493 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.FILES_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.getName(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType().

Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.TagDefinitionChangeTask.run(), and org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.setContentKnownStatus().
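
A caller-side way to cope with the null ambiguity described in the TODO notes for getCorrAttrForFile and makeCorrAttrFromFile, given here as an added example that is not part of the Autopsy code base. The class FileCorrelationLookup, its Outcome enum and its Result type are hypothetical; only the three CorrelationAttributeUtil calls come from this page, and the example assumes the two lookup methods decline unsupported file types, since both reference isSupportedAbstractFileType.

```java
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil;
import org.sleuthkit.datamodel.AbstractFile;

/** Hypothetical client-side helper; not part of Autopsy. */
public final class FileCorrelationLookup {

    private static final Logger LOGGER = Logger.getLogger(FileCorrelationLookup.class.getName());

    /** What the caller learned, so a bare null is never passed further up. */
    public enum Outcome { FOUND_IN_REPOSITORY, CREATED_NOT_SAVED, UNSUPPORTED_FILE_TYPE, NOT_AVAILABLE }

    public static final class Result {
        public final Outcome outcome;
        public final Optional<CorrelationAttributeInstance> instance;

        Result(Outcome outcome, CorrelationAttributeInstance instance) {
            this.outcome = outcome;
            this.instance = Optional.ofNullable(instance);
        }
    }

    private FileCorrelationLookup() {
    }

    public static Result lookupOrMake(AbstractFile file) {
        // Rule out the one cause of null that a caller can test for up front
        // (assumption: the lookup methods decline unsupported file types).
        if (!CorrelationAttributeUtil.isSupportedAbstractFileType(file)) {
            return new Result(Outcome.UNSUPPORTED_FILE_TYPE, null);
        }

        // null here means "not found" OR "error"; the utility only logs errors.
        CorrelationAttributeInstance existing = CorrelationAttributeUtil.getCorrAttrForFile(file);
        if (existing != null) {
            return new Result(Outcome.FOUND_IN_REPOSITORY, existing);
        }

        // Build a fresh instance. It is NOT added to the central repository.
        CorrelationAttributeInstance made = CorrelationAttributeUtil.makeCorrAttrFromFile(file);
        if (made != null) {
            return new Result(Outcome.CREATED_NOT_SAVED, made);
        }

        // Both calls returned null: the cause is recorded only in the utility's log.
        LOGGER.log(Level.WARNING,
                "No correlation attribute for file {0}; check the application log", file.getName());
        return new Result(Outcome.NOT_AVAILABLE, null);
    }
}
```

Callers switch on the Outcome value instead of null-checking, so an unexplained failure stays visible as NOT_AVAILABLE rather than being read as "no match in the repository".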

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation ( BlackboardArtifact  artifact)
static

Makes zero to many correlation attribute instances from the attributes of artifacts that have correlatable data. The results of this method are intended for correlation, not for saving; to save, use makeCorrAttrsToSave. An artifact that can have correlatable data is not necessarily an artifact that should be the source of data in the central repository (CR), so the results may be too lenient.

IMPORTANT: The correlation attribute instances are NOT added to the central repository by this method.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Parameters
artifact: An artifact.
Returns
A list, possibly empty, of correlation attribute instances for the artifact.

Definition at line 136 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.DOMAIN_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.EMAIL_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrSourceArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getEmailAddressAttrDisplayName(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.ICCID_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.IMEI_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.IMSI_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.MAC_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.PHONE_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.SSID_TYPE_ID, and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.USBID_TYPE_ID.

Referenced by org.sleuthkit.autopsy.contentviewers.AnnotationsContentViewer.getCentralRepositoryData(), org.sleuthkit.autopsy.centralrepository.contentviewer.DataContentViewerOtherCases.getCorrelationAttributesFromNode(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.TagDefinitionChangeTask.run(), and org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.BlackboardTagTask.setArtifactKnownStatus().

static void org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts ( List< CorrelationAttributeInstance > corrAttrInstances,
BlackboardArtifact  artifact 
) throws TskCoreException, CentralRepoException
static private

Makes a correlation attribute instance from a phone number attribute of an artifact.

Parameters
corrAttrInstances: Correlation attributes will be added to this.
artifact: An artifact with a phone number attribute.
Exceptions
TskCoreException: If there is an error querying the case database.
CentralRepoException: If there is an error querying the central repository.

Definition at line 212 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.PHONE_TYPE_ID.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave ( BlackboardArtifact  artifact)
static

Makes zero to many correlation attribute instances from the attributes of artifacts that have correlatable data. The results of this method are intended for saving to the central repository (CR), not for correlation; to correlate, use makeCorrAttrsForCorrelation. An artifact that can have correlatable data is not necessarily an artifact that should be the source of data in the CR, so the results may be unnecessarily incomplete.

Parameters
artifact: An artifact.
Returns
A list, possibly empty, of correlation attribute instances for the artifact.

Definition at line 101 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation().

Referenced by org.sleuthkit.autopsy.centralrepository.eventlisteners.IngestEventsListener.DataAddedTask.run().

Member Data Documentation

final Logger org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.logger = Logger.getLogger(CorrelationAttributeUtil.class.getName())
static private

Definition at line 48 of file CorrelationAttributeUtil.java.

final Set<Integer> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.SOURCE_TYPES_FOR_CR_INSERT
static private
Initial value:
= new HashSet<Integer>() {{
    add(ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID());
    add(ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID());
    add(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID());
    add(ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID());
    add(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID());
    add(ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID());
    add(ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID());
    add(ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID());
    add(ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID());
    add(ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID());
    add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID());
    add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID());
    add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID());
}}

Definition at line 72 of file CorrelationAttributeUtil.java.


The documentation for this class was generated from the following file:

Copyright © 2012-2020 Basis Technology. Generated on: Mon Jul 6 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.