Autopsy  4.18.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CorrelationAttributeUtil.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2017-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.datamodel;
20 
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.HashSet;
24 import java.util.List;
25 import java.util.Optional;
26 import java.util.Set;
27 import java.util.logging.Level;
28 import org.openide.util.NbBundle.Messages;
29 import org.sleuthkit.autopsy.casemodule.Case;
30 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
31 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount.CentralRepoAccountType;
32 import org.sleuthkit.autopsy.coreutils.Logger;
33 import org.sleuthkit.datamodel.AbstractFile;
34 import org.sleuthkit.datamodel.Account;
35 import org.sleuthkit.datamodel.BlackboardArtifact;
36 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
37 import org.sleuthkit.datamodel.BlackboardAttribute;
38 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
39 import org.sleuthkit.datamodel.HashUtility;
40 import org.sleuthkit.datamodel.InvalidAccountIDException;
41 import org.sleuthkit.datamodel.TskCoreException;
42 import org.sleuthkit.datamodel.TskData;
43 
48 public class CorrelationAttributeUtil {
49 
50  private static final Logger logger = Logger.getLogger(CorrelationAttributeUtil.class.getName());
51  private static final List<String> domainsToSkip = Arrays.asList("localhost", "127.0.0.1");
52 
53  // artifact ids that specifically have a TSK_DOMAIN attribute that should be handled by CR
54  private static Set<Integer> DOMAIN_ARTIFACT_TYPE_IDS = new HashSet<>(Arrays.asList(
55  ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID(),
56  ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID(),
57  ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID(),
58  ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID(),
59  ARTIFACT_TYPE.TSK_WEB_CACHE.getTypeID()
60  ));
61 
72  @Messages({"CorrelationAttributeUtil.emailaddresses.text=Email Addresses"})
73  private static String getEmailAddressAttrDisplayName() {
74  return Bundle.CorrelationAttributeUtil_emailaddresses_text();
75  }
76 
77  // Defines which artifact types act as the sources for CR data.
78  // Most notably, does not include KEYWORD HIT, CALLLOGS, MESSAGES, CONTACTS
79  // TSK_INTERESTING_ARTIFACT_HIT (See JIRA-6129 for more details on the
80  // interesting artifact hit).
81  // IMPORTANT: This set should be updated for new artifacts types that need to
82  // be inserted into the CR.
83  private static final Set<Integer> SOURCE_TYPES_FOR_CR_INSERT = new HashSet<Integer>() {
84  {
85  addAll(DOMAIN_ARTIFACT_TYPE_IDS);
86 
87  add(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID());
88  add(ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID());
89  add(ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID());
90  add(ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID());
91  add(ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID());
92  add(ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID());
93  add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID());
94  add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID());
95  add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID());
96  add(ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID());
97  }
98  };
99 
113  public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(BlackboardArtifact artifact) {
114  if (SOURCE_TYPES_FOR_CR_INSERT.contains(artifact.getArtifactTypeID())) {
115  // Restrict the correlation attributes to use for saving.
116  // The artifacts which are suitable for saving are a subset of the
117  // artifacts that are suitable for correlating.
118  return makeCorrAttrsForCorrelation(artifact);
119  }
120  // Return an empty collection.
121  return new ArrayList<>();
122  }
123 
148  public static List<CorrelationAttributeInstance> makeCorrAttrsForCorrelation(BlackboardArtifact artifact) {
149  List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
150  try {
151  BlackboardArtifact sourceArtifact = getCorrAttrSourceArtifact(artifact);
152  if (sourceArtifact != null) {
153  int artifactTypeID = sourceArtifact.getArtifactTypeID();
154  if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
155  BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
156  if (setNameAttr != null && CorrelationAttributeUtil.getEmailAddressAttrDisplayName().equals(setNameAttr.getValueString())) {
157  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD, CorrelationAttributeInstance.EMAIL_TYPE_ID);
158  }
159  } else if (DOMAIN_ARTIFACT_TYPE_IDS.contains(artifactTypeID)) {
160  BlackboardAttribute domainAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
161  if ((domainAttr != null)
162  && !domainsToSkip.contains(domainAttr.getValueString())) {
163  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, CorrelationAttributeInstance.DOMAIN_TYPE_ID);
164  }
165  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
166  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID, CorrelationAttributeInstance.USBID_TYPE_ID);
167  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
168 
169  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
170  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SSID, CorrelationAttributeInstance.SSID_TYPE_ID);
171 
172  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
173  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
174  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
175  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
176 
177  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
178  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI, CorrelationAttributeInstance.IMEI_TYPE_ID);
179  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
180  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
181 
182  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
183  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
184  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
185 
186  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
187  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, CorrelationAttributeInstance.PHONE_TYPE_ID);
188  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, CorrelationAttributeInstance.EMAIL_TYPE_ID);
189 
190  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
191  makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact);
192 
193  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
194  BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
195  if (setNameAttr != null) {
196  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
197  } else {
198  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
199  }
200  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
201  || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
202  || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
203  makeCorrAttrsFromCommunicationArtifacts(correlationAttrs, sourceArtifact);
204  }
205  }
206  } catch (CorrelationAttributeNormalizationException ex) {
207  logger.log(Level.WARNING, String.format("Error normalizing correlation attribute (%s)", artifact), ex); // NON-NLS
208  return correlationAttrs;
209  } catch (InvalidAccountIDException ex) {
210  logger.log(Level.WARNING, String.format("Invalid account identifier (artifactID: %d)", artifact.getId())); // NON-NLS
211  return correlationAttrs;
212  } catch (CentralRepoException ex) {
213  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
214  return correlationAttrs;
215  } catch (TskCoreException ex) {
216  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
217  return correlationAttrs;
218  } catch (NoCurrentCaseException ex) {
219  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
220  return correlationAttrs;
221  }
222  return correlationAttrs;
223  }
224 
238  private static void makeCorrAttrsFromCommunicationArtifacts(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact) throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException {
239  CorrelationAttributeInstance corrAttr = null;
240 
241  /*
242  * Extract the phone number from the artifact attribute.
243  */
244  String value = null;
245  if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
246  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
247  } else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
248  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
249  } else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
250  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
251  }
252 
253  /*
254  * Normalize the phone number.
255  */
256  if (value != null
257  && CorrelationAttributeNormalizer.isValidPhoneNumber(value)) {
258 
259  value = CorrelationAttributeNormalizer.normalizePhone(value);
260  corrAttr = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.PHONE_TYPE_ID), value);
261  if (corrAttr != null) {
262  corrAttrInstances.add(corrAttr);
263  }
264  }
265  }
266 
280  private static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact) throws NoCurrentCaseException, TskCoreException {
281  BlackboardArtifact sourceArtifact = null;
282  if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifact.getArtifactTypeID()) {
283  BlackboardAttribute assocArtifactAttr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
284  if (assocArtifactAttr != null) {
285  sourceArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(assocArtifactAttr.getValueLong());
286  }
287  } else {
288  sourceArtifact = artifact;
289  }
290  return sourceArtifact;
291  }
292 
306  private static void makeCorrAttrFromAcctArtifact(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact acctArtifact) throws InvalidAccountIDException, TskCoreException, CentralRepoException {
307 
308  // Get the account type from the artifact
309  BlackboardAttribute accountTypeAttribute = acctArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE));
310  String accountTypeStr = accountTypeAttribute.getValueString();
311 
312  // @@TODO Vik-6136: CR currently does not know of custom account types.
313  // Ensure there is a predefined account type for this account.
314  Account.Type predefinedAccountType = Account.Type.PREDEFINED_ACCOUNT_TYPES.stream().filter(type -> type.getTypeName().equalsIgnoreCase(accountTypeStr)).findAny().orElse(null);
315 
316  // do not create any correlation attribute instance for a Device account
317  if (Account.Type.DEVICE.getTypeName().equalsIgnoreCase(accountTypeStr) == false && predefinedAccountType != null) {
318 
319  // Get the corresponding CentralRepoAccountType from the database.
320  Optional<CentralRepoAccountType> optCrAccountType = CentralRepository.getInstance().getAccountTypeByName(accountTypeStr);
321  if (!optCrAccountType.isPresent()) {
322  return;
323  }
324  CentralRepoAccountType crAccountType = optCrAccountType.get();
325 
326  int corrTypeId = crAccountType.getCorrelationTypeId();
327  CorrelationAttributeInstance.Type corrType = CentralRepository.getInstance().getCorrelationTypeById(corrTypeId);
328 
329  // Get the account identifier
330  BlackboardAttribute accountIdAttribute = acctArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ID));
331  String accountIdStr = accountIdAttribute.getValueString();
332 
333  // add/get the account and get its accountId.
334  CentralRepoAccount crAccount = CentralRepository.getInstance().getOrCreateAccount(crAccountType, accountIdStr);
335 
336  CorrelationAttributeInstance corrAttr = makeCorrAttr(acctArtifact, corrType, accountIdStr);
337  if (corrAttr != null) {
338  // set the account_id in correlation attribute
339  corrAttr.setAccountId(crAccount.getId());
340  corrAttrInstances.add(corrAttr);
341  }
342  }
343  }
344 
359  private static void makeCorrAttrFromArtifactAttr(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId) throws CentralRepoException, TskCoreException {
360  BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(artAttrType));
361  if (attribute != null) {
362  String value = attribute.getValueString();
363  if ((null != value) && (value.isEmpty() == false)) {
364  CorrelationAttributeInstance inst = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(typeId), value);
365  if (inst != null) {
366  corrAttrInstances.add(inst);
367  }
368  }
369  }
370  }
371 
389  private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) {
390  try {
391  Case currentCase = Case.getCurrentCaseThrows();
392  AbstractFile bbSourceFile = currentCase.getSleuthkitCase().getAbstractFileById(artifact.getObjectID());
393  if (null == bbSourceFile) {
394  logger.log(Level.SEVERE, "Error creating artifact instance. Abstract File was null."); // NON-NLS
395  return null;
396  }
397 
398  CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
399  if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
400  return new CorrelationAttributeInstance(
401  correlationType,
402  value,
403  correlationCase,
404  CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()),
405  "",
406  "",
407  TskData.FileKnown.UNKNOWN,
408  bbSourceFile.getId());
409  } else {
410  return new CorrelationAttributeInstance(
411  correlationType,
412  value,
413  correlationCase,
414  CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()),
415  bbSourceFile.getParentPath() + bbSourceFile.getName(),
416  "",
417  TskData.FileKnown.UNKNOWN,
418  bbSourceFile.getId());
419  }
420  } catch (TskCoreException ex) {
421  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
422  return null;
423  } catch (CentralRepoException ex) {
424  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
425  return null;
426  } catch (CorrelationAttributeNormalizationException ex) {
427  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", artifact), ex); // NON-NLS
428  return null;
429  } catch (NoCurrentCaseException ex) {
430  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
431  return null;
432  }
433  }
434 
451  public static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file) {
452 
453  if (!isSupportedAbstractFileType(file)) {
454  return null;
455  }
456 
457  CorrelationAttributeInstance.Type type;
458  CorrelationCase correlationCase;
459  CorrelationDataSource correlationDataSource;
460 
461  try {
462  type = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
463  correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
464  if (null == correlationCase) {
465  //if the correlationCase is not in the Central repo then attributes generated in relation to it will not be
466  return null;
467  }
468  correlationDataSource = CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource());
469  } catch (TskCoreException ex) {
470  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", file), ex); // NON-NLS
471  return null;
472  } catch (CentralRepoException ex) {
473  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
474  return null;
475  } catch (NoCurrentCaseException ex) {
476  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
477  return null;
478  }
479 
480  CorrelationAttributeInstance correlationAttributeInstance;
481  try {
482  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getId());
483  } catch (CentralRepoException ex) {
484  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
485  return null;
486  } catch (CorrelationAttributeNormalizationException ex) {
487  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
488  return null;
489  }
490 
491  /*
492  * If no correlation attribute instance was found when querying by file
493  * object ID, try searching by file path instead. This is necessary
494  * because file object IDs were not stored in the central repository in
495  * early versions of its schema.
496  */
497  if (correlationAttributeInstance == null && file.getMd5Hash() != null) {
498  String filePath = (file.getParentPath() + file.getName()).toLowerCase();
499  try {
500  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getMd5Hash(), filePath);
501  } catch (CentralRepoException ex) {
502  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
503  return null;
504  } catch (CorrelationAttributeNormalizationException ex) {
505  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
506  return null;
507  }
508  }
509 
510  return correlationAttributeInstance;
511  }
512 
531  public static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file) {
532 
533  if (!isSupportedAbstractFileType(file)) {
534  return null;
535  }
536 
537  // We need a hash to make the correlation artifact instance.
538  String md5 = file.getMd5Hash();
539  if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
540  return null;
541  }
542 
543  try {
544  CorrelationAttributeInstance.Type filesType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
545 
546  CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
547  return new CorrelationAttributeInstance(
548  filesType,
549  file.getMd5Hash(),
550  correlationCase,
551  CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource()),
552  file.getParentPath() + file.getName(),
553  "",
554  TskData.FileKnown.UNKNOWN,
555  file.getId());
556 
557  } catch (TskCoreException ex) {
558  logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS
559  return null;
560  } catch (CentralRepoException ex) {
561  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
562  return null;
563  } catch (CorrelationAttributeNormalizationException ex) {
564  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
565  return null;
566  } catch (NoCurrentCaseException ex) {
567  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
568  return null;
569  }
570  }
571 
580  public static boolean isSupportedAbstractFileType(AbstractFile file) {
581  if (file == null) {
582  return false;
583  }
584  switch (file.getType()) {
585  case UNALLOC_BLOCKS:
586  case UNUSED_BLOCKS:
587  case SLACK:
588  case VIRTUAL_DIR:
589  case LOCAL_DIR:
590  return false;
591  case CARVED:
592  case DERIVED:
593  case LOCAL:
594  case LAYOUT_FILE:
595  return true;
596  case FS:
597  return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
598  default:
599  logger.log(Level.WARNING, "Unexpected file type {0}", file.getType().getName());
600  return false;
601  }
602  }
603 
607  private CorrelationAttributeUtil() {
608  }
609 
610 }
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)
Definition: CorrelationAttributeUtil.java:389
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
Definition: CorrelationDataSource.java:113
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromFile
static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file)
Definition: CorrelationAttributeUtil.java:531
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getAccountTypeByName
Optional< CentralRepoAccountType > getAccountTypeByName(String accountTypeName)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation
static List< CorrelationAttributeInstance > makeCorrAttrsForCorrelation(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:148
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts
static void makeCorrAttrsFromCommunicationArtifacts(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:238
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile
static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file)
Definition: CorrelationAttributeUtil.java:451
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr
static void makeCorrAttrFromArtifactAttr(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId)
Definition: CorrelationAttributeUtil.java:359
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationAttributeInstance
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrSourceArtifact
static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:280
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:113
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact
static void makeCorrAttrFromAcctArtifact(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact)
Definition: CorrelationAttributeUtil.java:306
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getOrCreateAccount
CentralRepoAccount getOrCreateAccount(CentralRepoAccount.CentralRepoAccountType crAccountType, String accountUniqueID)

Copyright © 2012-2021 Basis Technology. Generated on: Thu Jul 8 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.