Autopsy  4.17.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary Class Reference

Inherits org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultArtifactUpdateGovernor.

Classes

class  PastCasesResult
 

Public Member Functions

 PastCasesSummary ()
 
 PastCasesSummary (SleuthkitCaseProvider provider, java.util.logging.Logger logger)
 
Set< Integer > getArtifactTypeIdsForRefresh ()
 
default Set< Case.Events > getCaseEventUpdates ()
 
default Set< IngestJobEvent > getIngestJobEventUpdates ()
 
PastCasesResult getPastCasesData (DataSource dataSource) throws SleuthkitCaseProvider.SleuthkitCaseProviderException, TskCoreException
 
default boolean isRefreshRequired (ModuleDataEvent evt)
 
default boolean isRefreshRequired (ModuleContentEvent evt)
 
default boolean isRefreshRequired (IngestManager.IngestJobEvent evt)
 
default boolean isRefreshRequired (AbstractFile evt)
 
boolean isRefreshRequired (IngestJobEvent evt)
 
default boolean isRefreshRequiredForCaseEvent (PropertyChangeEvent evt)
 

Public Attributes

Set< IngestJobEvent > INGEST_JOB_EVENTS
 

Private Member Functions

List< Pair< String, Long > > getCaseCounts (Stream< String > cases)
 
BlackboardArtifact getParentArtifact (BlackboardArtifact artifact) throws SleuthkitCaseProviderException
 
boolean hasDeviceAssociatedArtifact (BlackboardArtifact artifact) throws SleuthkitCaseProviderException
 

Static Private Member Functions

static List< String > getCasesFromArtifact (BlackboardArtifact artifact)
 
static boolean isCentralRepoGenerated (List< String > sources)
 

Private Attributes

final SleuthkitCaseProvider caseProvider
 
final java.util.logging.Logger logger
 

Static Private Attributes

static final Set< Integer > ARTIFACT_UPDATE_TYPE_IDS
 
static final String CASE_SEPARATOR = ","
 
static final String CENTRAL_REPO_INGEST_NAME = CentralRepoIngestModuleFactory.getModuleName().toUpperCase().trim()
 
static final Set< Integer > CR_DEVICE_TYPE_IDS
 
static final String PREFIX_END = ":"
 
static final BlackboardAttribute.Type TYPE_ASSOCIATED_ARTIFACT = new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT)
 
static final BlackboardAttribute.Type TYPE_COMMENT = new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_COMMENT)
 

Detailed Description

Provides information about how a data source relates to a previous case. NOTE: This code is fragile and has certain expectations about how the central repository handles creating artifacts. If the central repository changes its ingest process, this code could break. This code expects that the central repository ingest module:

a) Creates a TSK_INTERESTING_FILE_HIT artifact for a file whose hash is in the central repository as a notable file.

b) Creates a TSK_INTERESTING_ARTIFACT_HIT artifact for a matching id in the central repository.

c) Attaches a TSK_COMMENT attribute to the created artifact, where one of the sources for the attribute matches CentralRepoIngestModuleFactory.getModuleName(). The module display name at time of ingest will match CentralRepoIngestModuleFactory.getModuleName() as well.

d) Writes the content of that TSK_COMMENT attribute in the form "Previous Case: case1,case2...caseN".

Definition at line 65 of file PastCasesSummary.java.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.PastCasesSummary ( )
org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.PastCasesSummary ( SleuthkitCaseProvider  provider,
java.util.logging.Logger  logger 
)

Main constructor with external dependencies specified. This constructor is designed with unit testing in mind since mocked dependencies can be utilized.

Parameters
provider: The object providing the current SleuthkitCase.
logger: The logger to use.

Definition at line 142 of file PastCasesSummary.java.

References org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.logger.

Member Function Documentation

Set<Integer> org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getArtifactTypeIdsForRefresh ( )
List<Pair<String, Long> > org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getCaseCounts ( Stream< String >  cases)
private

Given a stream of case ids, groups the strings in a case-insensitive manner, and then provides a list of cases and the occurrence count sorted from max to min.

Parameters
cases: A stream of cases.
Returns
The list of unique cases and their occurrences sorted from max to min.

Definition at line 227 of file PastCasesSummary.java.

Referenced by org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getPastCasesData().

default Set<Case.Events> org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultUpdateGovernor.getCaseEventUpdates ( )
inherited
Returns
The set of Case Events for which data should be updated.

Implements org.sleuthkit.autopsy.datasourcesummary.uiutils.UpdateGovernor.

Definition at line 57 of file DefaultUpdateGovernor.java.

static List<String> org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getCasesFromArtifact ( BlackboardArtifact  artifact)
static private

Gets a list of cases from the TSK_COMMENT of an artifact. The cases string is expected to be of the form "Previous Case: case1,case2...caseN".

Parameters
artifact: The artifact.
Returns
The list of cases if found or empty list if not.

Definition at line 183 of file PastCasesSummary.java.

References org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.isCentralRepoGenerated(), and org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.TYPE_COMMENT.

Referenced by org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getPastCasesData().
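
The comment contract described for getCasesFromArtifact() and the grouping described for getCaseCounts() can be sketched as follows. This is an added example, not Autopsy's own code: the class and method names are hypothetical, MODULE_NAME is a placeholder for the value of CentralRepoIngestModuleFactory.getModuleName(), and the sample comments are constructed. It assumes Java 9 or later.

```java
import java.util.*;
import java.util.stream.*;

public class PastCasesCommentSketch {
    static final String CASE_SEPARATOR = ","; // value documented on this page
    static final String PREFIX_END = ":";     // value documented on this page
    // Placeholder: the real name comes from CentralRepoIngestModuleFactory.getModuleName().
    static final String MODULE_NAME = "EXAMPLE CR MODULE";

    // True if any attribute source matches the module name, ignoring case and padding.
    static boolean fromCentralRepo(List<String> sources) {
        return sources != null && sources.stream().anyMatch(
                s -> s != null && MODULE_NAME.equals(s.toUpperCase(Locale.ROOT).trim()));
    }

    // Extracts case names from "Previous Case: case1,case2"; empty if not module-generated.
    static List<String> casesFromComment(String comment, List<String> sources) {
        if (comment == null || !fromCentralRepo(sources)) return Collections.emptyList();
        int idx = comment.indexOf(PREFIX_END);
        String body = idx >= 0 ? comment.substring(idx + 1) : comment;
        return Arrays.stream(body.split(CASE_SEPARATOR))
                .map(String::trim).filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    // Groups names case-insensitively and sorts by occurrence count, max to min.
    static List<Map.Entry<String, Long>> caseCounts(Stream<String> cases) {
        Map<String, List<String>> groups = cases.collect(Collectors.groupingBy(
                c -> c.toUpperCase(Locale.ROOT), LinkedHashMap::new, Collectors.toList()));
        return groups.values().stream()
                .map(g -> Map.entry(g.get(0), (long) g.size()))
                .sorted((a, b) -> Long.compare(b.getValue(), a.getValue()))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        List<String> cr = List.of(" example cr module ");
        List<String> all = new ArrayList<>();
        // Constructed sample comments, not taken from a real case database.
        all.addAll(casesFromComment("Previous Case: Case-A,case-b", cr));
        // A comma inside a case name is indistinguishable from the separator,
        // so "Smith, John" is counted as two separate cases.
        all.addAll(casesFromComment("Previous Case: CASE-A,Smith, John", cr));
        // Comment whose sources do not include the module: ignored entirely.
        all.addAll(casesFromComment("Previous Case: Case-A", List.of("Other Module")));
        System.out.println(caseCounts(all.stream()));
    }
}
```

The split on "," shows why the class is documented as fragile: any change to the comment text, the separator, or the module display name silently changes or empties the past-case counts an examiner sees.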

default Set<IngestJobEvent> org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultArtifactUpdateGovernor.getIngestJobEventUpdates ( )
inherited
BlackboardArtifact org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getParentArtifact ( BlackboardArtifact  artifact) throws SleuthkitCaseProviderException
private

Given an artifact with a TYPE_ASSOCIATED_ARTIFACT attribute, retrieves the related artifact.

Parameters
artifact: The artifact with the TYPE_ASSOCIATED_ARTIFACT attribute.
Returns
The artifact if found or null if not.
Exceptions
SleuthkitCaseProviderException

Definition at line 254 of file PastCasesSummary.java.

References org.sleuthkit.autopsy.datasourcesummary.datamodel.SleuthkitCaseProvider.get(), org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.logger, and org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.TYPE_ASSOCIATED_ARTIFACT.

Referenced by org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.hasDeviceAssociatedArtifact().

PastCasesResult org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getPastCasesData ( DataSource  dataSource) throws SleuthkitCaseProvider.SleuthkitCaseProviderException, TskCoreException
boolean org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.hasDeviceAssociatedArtifact ( BlackboardArtifact  artifact) throws SleuthkitCaseProviderException
private

Returns true if the artifact has an associated artifact of a device type.

Parameters
artifact: The artifact.
Returns
True if there is a device associated artifact.
Exceptions
SleuthkitCaseProviderException

Definition at line 280 of file PastCasesSummary.java.

References org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getParentArtifact().

Referenced by org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getPastCasesData().

static boolean org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.isCentralRepoGenerated ( List< String >  sources)
static private

Given the provided sources for an attribute, aims to determine if one of those sources is the Central Repository Ingest Module.

Parameters
sources: The list of sources found on an attribute.
Returns
Whether or not this attribute (and subsequently the parent artifact) is created by the Central Repository Ingest Module.

Definition at line 164 of file PastCasesSummary.java.

Referenced by org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getCasesFromArtifact().

default boolean org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultArtifactUpdateGovernor.isRefreshRequired ( ModuleDataEvent  evt)
inherited

Given a module data event, whether or not an update should occur.

Parameters
evt: The ModuleDataEvent that is occurring.
Returns
Whether or not this event should trigger an update.

Implements org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultUpdateGovernor.

Definition at line 38 of file DefaultArtifactUpdateGovernor.java.

References org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultArtifactUpdateGovernor.getArtifactTypeIdsForRefresh(), and org.sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType().

default boolean org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultUpdateGovernor.isRefreshRequired ( ModuleContentEvent  evt)
inherited

Given a module content event, whether or not an update should occur.

Parameters
evt: The ModuleContentEvent.
Returns
Whether or not this event should trigger an update.

Implements org.sleuthkit.autopsy.datasourcesummary.uiutils.UpdateGovernor.

Implemented in org.sleuthkit.autopsy.datasourcesummary.datamodel.TimelineSummary, org.sleuthkit.autopsy.datasourcesummary.datamodel.ContainerSummary, org.sleuthkit.autopsy.datasourcesummary.datamodel.MimeTypeSummary, and org.sleuthkit.autopsy.datasourcesummary.datamodel.TypesSummary.

Definition at line 42 of file DefaultUpdateGovernor.java.

default boolean org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultArtifactUpdateGovernor.isRefreshRequired ( IngestManager.IngestJobEvent  evt)
inherited
default boolean org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultUpdateGovernor.isRefreshRequired ( AbstractFile  evt)
inherited
boolean org.sleuthkit.autopsy.datasourcesummary.uiutils.UpdateGovernor.isRefreshRequired ( IngestJobEvent  evt)
inherited

Given an ingest job event, determines whether or not an update should occur.

Parameters
evt: The event.
Returns
Whether or not this event should trigger an update.

Implemented in org.sleuthkit.autopsy.datasourcesummary.datamodel.TimelineSummary, org.sleuthkit.autopsy.datasourcesummary.datamodel.MimeTypeSummary, and org.sleuthkit.autopsy.datasourcesummary.datamodel.TypesSummary.

default boolean org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultUpdateGovernor.isRefreshRequiredForCaseEvent ( PropertyChangeEvent  evt)
inherited

Given a case event, whether or not an update should occur.

Parameters
evt: The event.
Returns
Whether or not this event should trigger an update.

Implements org.sleuthkit.autopsy.datasourcesummary.uiutils.UpdateGovernor.

Definition at line 37 of file DefaultUpdateGovernor.java.

Member Data Documentation

final Set<Integer> org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.ARTIFACT_UPDATE_TYPE_IDS
static private
Initial value:
= new HashSet<>(Arrays.asList(
        ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID(),
        ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()
))

Definition at line 101 of file PastCasesSummary.java.

Referenced by org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.getArtifactTypeIdsForRefresh().

final String org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.CASE_SEPARATOR = ","
static private

Definition at line 117 of file PastCasesSummary.java.

final SleuthkitCaseProvider org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.caseProvider
private

Definition at line 120 of file PastCasesSummary.java.

final String org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.CENTRAL_REPO_INGEST_NAME = CentralRepoIngestModuleFactory.getModuleName().toUpperCase().trim()
static private

Definition at line 106 of file PastCasesSummary.java.

final Set<Integer> org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.CR_DEVICE_TYPE_IDS
static private
Initial value:
= new HashSet<>(Arrays.asList(
        ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID(),
        ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID(),
        ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID(),
        ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
))

Definition at line 110 of file PastCasesSummary.java.

Set<IngestJobEvent> org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultArtifactUpdateGovernor.INGEST_JOB_EVENTS
inherited
Initial value:
= new HashSet<>(
        Arrays.asList(IngestJobEvent.COMPLETED, IngestJobEvent.CANCELLED))

Definition at line 34 of file DefaultArtifactUpdateGovernor.java.

Referenced by org.sleuthkit.autopsy.datasourcesummary.uiutils.DefaultArtifactUpdateGovernor.getIngestJobEventUpdates().

final java.util.logging.Logger org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.logger
private
final String org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.PREFIX_END = ":"
static private

Definition at line 118 of file PastCasesSummary.java.

final BlackboardAttribute.Type org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.TYPE_ASSOCIATED_ARTIFACT = new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT)
static private
final BlackboardAttribute.Type org.sleuthkit.autopsy.datasourcesummary.datamodel.PastCasesSummary.TYPE_COMMENT = new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_COMMENT)
static private

The documentation for this class was generated from the following file:

Copyright © 2012-2021 Basis Technology. Generated on: Tue Jan 19 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.