19 package org.sleuthkit.autopsy.centralrepository.datamodel;
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.HashSet;
24 import java.util.List;
25 import java.util.Optional;
27 import java.util.logging.Level;
28 import org.openide.util.NbBundle.Messages;
36 import org.
sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
38 import org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
40 import org.
sleuthkit.datamodel.InvalidAccountIDException;
/**
 * Domain values that are excluded when domain artifacts are examined for
 * correlation: the visible check is
 * {@code !domainsToSkip.contains(domainAttr.getValueString())}.
 *
 * The lookup is List.contains(), i.e. an exact, case-sensitive
 * String.equals() against these two literals. Other loopback spellings
 * ("LOCALHOST", "::1", other 127.0.0.0/8 addresses, or a value with a
 * port or trailing dot) are not matched by this list and would pass the
 * check. NOTE(review): confirm whether the domain value is normalized
 * (lower-cased, trimmed) before it reaches this comparison.
 *
 * Arrays.asList() returns a fixed-size list whose elements can still be
 * replaced with set(); the list is not immutable.
 */
51 private static final List<String>
domainsToSkip = Arrays.asList(
"localhost",
"127.0.0.1");
55 ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID(),
56 ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID(),
57 ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID(),
58 ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID(),
59 ARTIFACT_TYPE.TSK_WEB_CACHE.getTypeID()
72 @Messages({
"CorrelationAttributeUtil.emailaddresses.text=Email Addresses"})
74 return Bundle.CorrelationAttributeUtil_emailaddresses_text();
85 addAll(DOMAIN_ARTIFACT_TYPE_IDS);
87 add(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID());
88 add(ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID());
89 add(ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID());
90 add(ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID());
91 add(ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID());
92 add(ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID());
93 add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID());
94 add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID());
95 add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID());
96 add(ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID());
114 if (SOURCE_TYPES_FOR_CR_INSERT.contains(artifact.getArtifactTypeID())) {
121 return new ArrayList<>();
149 List<CorrelationAttributeInstance> correlationAttrs =
new ArrayList<>();
152 if (sourceArtifact != null) {
153 int artifactTypeID = sourceArtifact.getArtifactTypeID();
154 if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
155 BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
159 }
else if (DOMAIN_ARTIFACT_TYPE_IDS.contains(artifactTypeID)) {
160 BlackboardAttribute domainAttr = sourceArtifact.getAttribute(
new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
161 if ((domainAttr != null)
162 && !domainsToSkip.contains(domainAttr.getValueString())) {
165 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
169 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
172 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
173 || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
174 || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
177 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
182 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
186 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
190 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
193 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
194 BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
195 if (setNameAttr != null) {
200 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
201 || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
202 || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
207 logger.log(Level.WARNING, String.format(
"Error normalizing correlation attribute (%s)", artifact), ex);
208 return correlationAttrs;
209 }
catch (InvalidAccountIDException ex) {
210 logger.log(Level.WARNING, String.format(
"Invalid account identifier (artifactID: %d)", artifact.getId()));
211 return correlationAttrs;
213 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", artifact), ex);
214 return correlationAttrs;
215 }
catch (TskCoreException ex) {
216 logger.log(Level.SEVERE, String.format(
"Error getting querying case database (%s)", artifact), ex);
217 return correlationAttrs;
219 logger.log(Level.SEVERE,
"Error getting current case", ex);
220 return correlationAttrs;
222 return correlationAttrs;
245 if (null != artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
246 value = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
247 }
else if (null != artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
248 value = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
249 }
else if (null != artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
250 value = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
261 if (corrAttr != null) {
262 corrAttrInstances.add(corrAttr);
281 BlackboardArtifact sourceArtifact = null;
282 if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifact.getArtifactTypeID()) {
283 BlackboardAttribute assocArtifactAttr = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
284 if (assocArtifactAttr != null) {
288 sourceArtifact = artifact;
290 return sourceArtifact;
306 private static void makeCorrAttrFromAcctArtifact(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact acctArtifact)
throws InvalidAccountIDException, TskCoreException, CentralRepoException {
309 BlackboardAttribute accountTypeAttribute = acctArtifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE));
310 String accountTypeStr = accountTypeAttribute.getValueString();
314 Account.Type predefinedAccountType = Account.Type.PREDEFINED_ACCOUNT_TYPES.stream().filter(type -> type.getTypeName().equalsIgnoreCase(accountTypeStr)).findAny().orElse(null);
317 if (Account.Type.DEVICE.getTypeName().equalsIgnoreCase(accountTypeStr) ==
false && predefinedAccountType != null) {
321 if (!optCrAccountType.isPresent()) {
330 BlackboardAttribute accountIdAttribute = acctArtifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ID));
331 String accountIdStr = accountIdAttribute.getValueString();
337 if (corrAttr != null) {
339 corrAttr.setAccountId(crAccount.
getId());
340 corrAttrInstances.add(corrAttr);
359 private static void makeCorrAttrFromArtifactAttr(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType,
int typeId)
throws CentralRepoException, TskCoreException {
360 BlackboardAttribute attribute = artifact.getAttribute(
new BlackboardAttribute.Type(artAttrType));
361 if (attribute != null) {
362 String value = attribute.getValueString();
363 if ((null != value) && (value.isEmpty() ==
false)) {
366 corrAttrInstances.add(inst);
392 AbstractFile bbSourceFile = currentCase.
getSleuthkitCase().getAbstractFileById(artifact.getObjectID());
393 if (null == bbSourceFile) {
394 logger.log(Level.SEVERE,
"Error creating artifact instance. Abstract File was null.");
399 if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
407 TskData.FileKnown.UNKNOWN,
408 bbSourceFile.getId());
415 bbSourceFile.getParentPath() + bbSourceFile.
getName(),
417 TskData.FileKnown.UNKNOWN,
418 bbSourceFile.getId());
420 }
catch (TskCoreException ex) {
421 logger.log(Level.SEVERE, String.format(
"Error getting querying case database (%s)", artifact), ex);
423 }
catch (CentralRepoException ex) {
424 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", artifact), ex);
427 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s)", artifact), ex);
429 }
catch (NoCurrentCaseException ex) {
430 logger.log(Level.SEVERE,
"Error getting current case", ex);
464 if (null == correlationCase) {
469 }
catch (TskCoreException ex) {
470 logger.log(Level.SEVERE, String.format(
"Error getting querying case database (%s)", file), ex);
472 }
catch (CentralRepoException ex) {
473 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
475 }
catch (NoCurrentCaseException ex) {
476 logger.log(Level.SEVERE,
"Error getting current case", ex);
483 }
catch (CentralRepoException ex) {
484 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
487 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s)", file), ex);
497 if (correlationAttributeInstance == null && file.getMd5Hash() != null) {
498 String filePath = (file.getParentPath() + file.getName()).toLowerCase();
501 }
catch (CentralRepoException ex) {
502 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
505 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s)", file), ex);
510 return correlationAttributeInstance;
538 String md5 = file.getMd5Hash();
539 if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
552 file.getParentPath() + file.
getName(),
554 TskData.FileKnown.UNKNOWN,
557 }
catch (TskCoreException ex) {
558 logger.log(Level.SEVERE, String.format(
"Error querying case database (%s)", file), ex);
560 }
catch (CentralRepoException ex) {
561 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
564 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s)", file), ex);
566 }
catch (NoCurrentCaseException ex) {
567 logger.log(Level.SEVERE,
"Error getting current case", ex);
584 switch (file.getType()) {
597 return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
599 logger.log(Level.WARNING,
"Unexpected file type {0}", file.getType().getName());
static final int EMAIL_TYPE_ID
static final int USBID_TYPE_ID
static String getEmailAddressAttrDisplayName()
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)
static final int ICCID_TYPE_ID
CorrelationAttributeUtil()
static Set< Integer > DOMAIN_ARTIFACT_TYPE_IDS
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file)
CorrelationCase getCase(Case autopsyCase)
static final int IMEI_TYPE_ID
static final Logger logger
Optional< CentralRepoAccountType > getAccountTypeByName(String accountTypeName)
static List< CorrelationAttributeInstance > makeCorrAttrsForCorrelation(BlackboardArtifact artifact)
static boolean isSupportedAbstractFileType(AbstractFile file)
static void makeCorrAttrsFromCommunicationArtifacts(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact)
static final int DOMAIN_TYPE_ID
static final int PHONE_TYPE_ID
static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file)
static final int INSTALLED_PROGS_TYPE_ID
SleuthkitCase getSleuthkitCase()
static void makeCorrAttrFromArtifactAttr(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId)
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
static final List< String > domainsToSkip
static final int MAC_TYPE_ID
int getCorrelationTypeId()
static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact)
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(BlackboardArtifact artifact)
static final int IMSI_TYPE_ID
synchronized static Logger getLogger(String name)
static void makeCorrAttrFromAcctArtifact(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact)
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
static Case getCurrentCaseThrows()
static final int SSID_TYPE_ID
static CentralRepository getInstance()
static final Set< Integer > SOURCE_TYPES_FOR_CR_INSERT
static final int FILES_TYPE_ID
CentralRepoAccount getOrCreateAccount(CentralRepoAccount.CentralRepoAccountType crAccountType, String accountUniqueID)