Autopsy  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CaseEventListener.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2017-2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
20 
21 import com.google.common.util.concurrent.ThreadFactoryBuilder;
22 import java.beans.PropertyChangeEvent;
23 import java.beans.PropertyChangeListener;
24 import java.util.Arrays;
25 import java.util.Collection;
26 import java.util.EnumSet;
27 import java.util.List;
28 import java.util.Optional;
29 import java.util.Set;
30 import java.util.concurrent.ExecutorService;
31 import java.util.concurrent.Executors;
32 import java.util.logging.Level;
33 import org.apache.commons.lang.StringUtils;
34 import org.openide.util.NbBundle;
35 import org.openide.util.NbBundle.Messages;
36 import org.sleuthkit.autopsy.casemodule.Case;
37 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
38 import org.sleuthkit.autopsy.casemodule.events.BlackBoardArtifactTagAddedEvent;
39 import org.sleuthkit.autopsy.casemodule.events.BlackBoardArtifactTagDeletedEvent;
40 import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent;
41 import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent;
42 import org.sleuthkit.autopsy.casemodule.events.DataSourceAddedEvent;
43 import org.sleuthkit.autopsy.casemodule.events.DataSourceNameChangedEvent;
44 import org.sleuthkit.autopsy.casemodule.events.OsAcctInstancesAddedEvent;
45 import org.sleuthkit.autopsy.casemodule.services.TagsManager;
46 import org.sleuthkit.autopsy.coreutils.Logger;
47 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
48 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil;
49 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;
50 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource;
51 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoException;
52 import org.sleuthkit.autopsy.coreutils.ThreadUtils;
53 import org.sleuthkit.datamodel.AbstractFile;
54 import org.sleuthkit.datamodel.BlackboardArtifact;
55 import org.sleuthkit.datamodel.BlackboardArtifactTag;
56 import org.sleuthkit.datamodel.Content;
57 import org.sleuthkit.datamodel.ContentTag;
58 import org.sleuthkit.datamodel.TagName;
59 import org.sleuthkit.datamodel.TskCoreException;
60 import org.sleuthkit.datamodel.TskData;
61 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
62 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
63 import org.sleuthkit.datamodel.Tag;
64 import org.sleuthkit.autopsy.events.AutopsyEvent;
65 import org.sleuthkit.autopsy.ingest.IngestManager;
66 import org.sleuthkit.datamodel.Blackboard;
67 import org.sleuthkit.datamodel.BlackboardAttribute;
68 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT;
69 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
70 import org.sleuthkit.datamodel.OsAccount;
71 import org.sleuthkit.datamodel.OsAccountInstance;
72 import org.sleuthkit.datamodel.Score;
73 import org.sleuthkit.datamodel.SleuthkitCase;
74 
79 @Messages({"caseeventlistener.evidencetag=Evidence"})
80 public final class CaseEventListener implements PropertyChangeListener {
81 
82  private static final Logger LOGGER = Logger.getLogger(CaseEventListener.class.getName());
83  private final ExecutorService jobProcessingExecutor;
84  private static final String CASE_EVENT_THREAD_NAME = "Case-Event-Listener-%d";
85 
86  private static final Set<Case.Events> CASE_EVENTS_OF_INTEREST = EnumSet.of(
87  Case.Events.CONTENT_TAG_ADDED, Case.Events.CONTENT_TAG_DELETED,
88  Case.Events.BLACKBOARD_ARTIFACT_TAG_DELETED, Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED,
89  Case.Events.CONTENT_TAG_ADDED, Case.Events.CONTENT_TAG_DELETED,
90  Case.Events.DATA_SOURCE_ADDED,
91  Case.Events.TAG_DEFINITION_CHANGED,
92  Case.Events.CURRENT_CASE,
93  Case.Events.DATA_SOURCE_NAME_CHANGED,
94  Case.Events.OS_ACCT_INSTANCES_ADDED);
95 
96  public CaseEventListener() {
97  jobProcessingExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat(CASE_EVENT_THREAD_NAME).build());
98  }
99 
100  public void shutdown() {
101  ThreadUtils.shutDownTaskExecutor(jobProcessingExecutor);
102  }
103 
104  @Override
105  public void propertyChange(PropertyChangeEvent evt) {
106  if (!(evt instanceof AutopsyEvent) || (((AutopsyEvent) evt).getSourceType() != AutopsyEvent.SourceType.LOCAL)) {
107  return;
108  }
109 
110  CentralRepository dbManager;
111  try {
112  dbManager = CentralRepository.getInstance();
113  } catch (CentralRepoException ex) {
114  LOGGER.log(Level.SEVERE, "Failed to get instance of db manager.", ex);
115  return;
116  }
117 
118  // If any changes are made to which event types are handled the change
119  // must also be made to CASE_EVENTS_OF_INTEREST.
120  switch (Case.Events.valueOf(evt.getPropertyName())) {
121  case CONTENT_TAG_ADDED:
122  case CONTENT_TAG_DELETED: {
123  jobProcessingExecutor.submit(new ContentTagTask(dbManager, evt));
124  }
125  break;
126 
127  case BLACKBOARD_ARTIFACT_TAG_DELETED:
128  case BLACKBOARD_ARTIFACT_TAG_ADDED: {
129  jobProcessingExecutor.submit(new BlackboardTagTask(dbManager, evt));
130  }
131  break;
132 
133  case DATA_SOURCE_ADDED: {
134  jobProcessingExecutor.submit(new DataSourceAddedTask(dbManager, evt));
135  }
136  break;
137  case TAG_DEFINITION_CHANGED: {
138  jobProcessingExecutor.submit(new TagDefinitionChangeTask(evt));
139  }
140  break;
141  case CURRENT_CASE: {
142  jobProcessingExecutor.submit(new CurrentCaseTask(dbManager, evt));
143  }
144  break;
145  case DATA_SOURCE_NAME_CHANGED: {
146  jobProcessingExecutor.submit(new DataSourceNameChangedTask(dbManager, evt));
147  }
148  break;
149  case OS_ACCT_INSTANCES_ADDED: {
150  if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) {
151  jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt));
152  }
153  }
154  break;
155  }
156  }
157 
158  /*
159  * Add all of our Case Event Listeners to the case.
160  */
161  public void installListeners() {
162  Case.addEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this);
163  }
164 
165  /*
166  * Remove all of our Case Event Listeners from the case.
167  */
168  public void uninstallListeners() {
169  Case.removeEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this);
170  }
171 
179  private static boolean isNotableTag(Tag t) {
180  return (t != null && isNotableTagName(t.getName()));
181  }
182 
190  private static boolean isNotableTagName(TagName t) {
191  return (t != null && TagsManager.getNotableTagDisplayNames().contains(t.getDisplayName()));
192  }
193 
201  private static boolean hasNotableTag(List<? extends Tag> tags) {
202  if (tags == null) {
203  return false;
204  }
205 
206  return tags.stream()
207  .filter(CaseEventListener::isNotableTag)
208  .findFirst()
209  .isPresent();
210  }
211 
212  private final class ContentTagTask implements Runnable {
213 
214  private final CentralRepository dbManager;
215  private final PropertyChangeEvent event;
216 
217  private ContentTagTask(CentralRepository db, PropertyChangeEvent evt) {
218  dbManager = db;
219  event = evt;
220  }
221 
222  @Override
223  public void run() {
224  if (!CentralRepository.isEnabled()) {
225  return;
226  }
227 
228  Case.Events curEventType = Case.Events.valueOf(event.getPropertyName());
229  if (curEventType == Case.Events.CONTENT_TAG_ADDED && event instanceof ContentTagAddedEvent) {
230  handleTagAdded((ContentTagAddedEvent) event);
231  } else if (curEventType == Case.Events.CONTENT_TAG_DELETED && event instanceof ContentTagDeletedEvent) {
232  handleTagDeleted((ContentTagDeletedEvent) event);
233  } else {
234  LOGGER.log(Level.SEVERE,
235  String.format("Received an event %s of type %s and was expecting either CONTENT_TAG_ADDED or CONTENT_TAG_DELETED.",
236  event, curEventType));
237  }
238  }
239 
240  private void handleTagDeleted(ContentTagDeletedEvent evt) {
241  // ensure tag deleted event has a valid content id
242  if (evt.getDeletedTagInfo() == null) {
243  LOGGER.log(Level.SEVERE, "ContentTagDeletedEvent did not have valid content to provide a content id.");
244  return;
245  }
246 
247  try {
248  // obtain content
249  Content content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(evt.getDeletedTagInfo().getContentID());
250  if (content == null) {
251  LOGGER.log(Level.WARNING,
252  String.format("Unable to get content for item with content id: %d.", evt.getDeletedTagInfo().getContentID()));
253  return;
254  }
255 
256  // then handle the event
257  handleTagChange(content);
258  } catch (NoCurrentCaseException | TskCoreException ex) {
259  LOGGER.log(Level.WARNING, "Error updating non-file object: " + evt.getDeletedTagInfo().getContentID(), ex);
260  }
261  }
262 
263  private void handleTagAdded(ContentTagAddedEvent evt) {
264  // ensure tag added event has a valid content id
265  if (evt.getAddedTag() == null || evt.getAddedTag().getContent() == null) {
266  LOGGER.log(Level.SEVERE, "ContentTagAddedEvent did not have valid content to provide a content id.");
267  return;
268  }
269 
270  // then handle the event
271  handleTagChange(evt.getAddedTag().getContent());
272  }
273 
281  private void handleTagChange(Content content) {
282  AbstractFile af = null;
283  try {
284  af = Case.getCurrentCaseThrows().getSleuthkitCase().getAbstractFileById(content.getId());
285  } catch (NoCurrentCaseException | TskCoreException ex) {
286  Long contentID = (content != null) ? content.getId() : null;
287  LOGGER.log(Level.WARNING, "Error updating non-file object: " + contentID, ex);
288  }
289 
290  if (af == null) {
291  return;
292  }
293 
294  try {
295  // Get the tags on the content object
296  TagsManager tagsManager = Case.getCurrentCaseThrows().getServices().getTagsManager();
297 
298  if (hasNotableTag(tagsManager.getContentTagsByContent(content))) {
299  // if there is a notable tag on the object, set content known status to bad
300  setContentKnownStatus(af, TskData.FileKnown.BAD);
301  } else {
302  // otherwise, set to unknown
303  setContentKnownStatus(af, TskData.FileKnown.UNKNOWN);
304  }
305  } catch (TskCoreException | NoCurrentCaseException ex) {
306  LOGGER.log(Level.SEVERE, "Failed to obtain tags manager for case.", ex);
307  }
308  }
309 
319  private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) {
320  final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af);
321 
322  if (eamArtifact != null) {
323  // send update to Central Repository db
324  try {
325  dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus);
326  } catch (CentralRepoException ex) {
327  LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS
328  }
329  }
330  }
331  }
332 
333  private final class BlackboardTagTask implements Runnable {
334 
335  private final CentralRepository dbManager;
336  private final PropertyChangeEvent event;
337 
338  private BlackboardTagTask(CentralRepository db, PropertyChangeEvent evt) {
339  dbManager = db;
340  event = evt;
341  }
342 
343  @Override
344  public void run() {
345  if (!CentralRepository.isEnabled()) {
346  return;
347  }
348 
349  Case.Events curEventType = Case.Events.valueOf(event.getPropertyName());
350  if (curEventType == Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED && event instanceof BlackBoardArtifactTagAddedEvent) {
351  handleTagAdded((BlackBoardArtifactTagAddedEvent) event);
352  } else if (curEventType == Case.Events.BLACKBOARD_ARTIFACT_TAG_DELETED && event instanceof BlackBoardArtifactTagDeletedEvent) {
353  handleTagDeleted((BlackBoardArtifactTagDeletedEvent) event);
354  } else {
355  LOGGER.log(Level.WARNING,
356  String.format("Received an event %s of type %s and was expecting either CONTENT_TAG_ADDED or CONTENT_TAG_DELETED.",
357  event, curEventType));
358  }
359  }
360 
361  private void handleTagDeleted(BlackBoardArtifactTagDeletedEvent evt) {
362  // ensure tag deleted event has a valid content id
363  if (evt.getDeletedTagInfo() == null) {
364  LOGGER.log(Level.SEVERE, "BlackBoardArtifactTagDeletedEvent did not have valid content to provide a content id.");
365  return;
366  }
367 
368  try {
369  Case openCase = Case.getCurrentCaseThrows();
370 
371  // obtain content
372  Content content = openCase.getSleuthkitCase().getContentById(evt.getDeletedTagInfo().getContentID());
373  if (content == null) {
374  LOGGER.log(Level.WARNING,
375  String.format("Unable to get content for item with content id: %d.", evt.getDeletedTagInfo().getContentID()));
376  return;
377  }
378 
379  // obtain blackboard artifact
380  BlackboardArtifact bbArtifact = openCase.getSleuthkitCase().getBlackboardArtifact(evt.getDeletedTagInfo().getArtifactID());
381  if (bbArtifact == null) {
382  LOGGER.log(Level.WARNING,
383  String.format("Unable to get blackboard artifact for item with artifact id: %d.", evt.getDeletedTagInfo().getArtifactID()));
384  return;
385  }
386 
387  // then handle the event
388  handleTagChange(content, bbArtifact);
389  } catch (NoCurrentCaseException | TskCoreException ex) {
390  LOGGER.log(Level.WARNING, "Error updating non-file object.", ex);
391  }
392  }
393 
394  private void handleTagAdded(BlackBoardArtifactTagAddedEvent evt) {
395  // ensure tag added event has a valid content id
396  if (evt.getAddedTag() == null || evt.getAddedTag().getContent() == null || evt.getAddedTag().getArtifact() == null) {
397  LOGGER.log(Level.SEVERE, "BlackBoardArtifactTagAddedEvent did not have valid content to provide a content id.");
398  return;
399  }
400 
401  // then handle the event
402  handleTagChange(evt.getAddedTag().getContent(), evt.getAddedTag().getArtifact());
403  }
404 
413  private void handleTagChange(Content content, BlackboardArtifact bbArtifact) {
414  Case openCase;
415  try {
416  openCase = Case.getCurrentCaseThrows();
417  } catch (NoCurrentCaseException ex) {
418  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex);
419  return;
420  }
421 
422  try {
423  if (isKnownFile(content)) {
424  return;
425  }
426 
427  TagsManager tagsManager = openCase.getServices().getTagsManager();
428  List<BlackboardArtifactTag> tags = tagsManager.getBlackboardArtifactTagsByArtifact(bbArtifact);
429  if (hasNotableTag(tags)) {
430  setArtifactKnownStatus(bbArtifact, TskData.FileKnown.BAD);
431  } else {
432  setArtifactKnownStatus(bbArtifact, TskData.FileKnown.UNKNOWN);
433  }
434  } catch (TskCoreException ex) {
435  LOGGER.log(Level.SEVERE, "Failed to obtain tags manager for case.", ex);
436  return;
437  }
438  }
439 
447  private boolean isKnownFile(Content content) {
448  return ((content instanceof AbstractFile) && (((AbstractFile) content).getKnown() == TskData.FileKnown.KNOWN));
449  }
450 
458  private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) {
459  List<CorrelationAttributeInstance> convertedArtifacts = CorrelationAttributeUtil.makeCorrAttrsForCorrelation(bbArtifact);
460  for (CorrelationAttributeInstance eamArtifact : convertedArtifacts) {
461  try {
462  dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus);
463  } catch (CentralRepoException ex) {
464  LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS
465  }
466  }
467  }
468 
469  }
470 
471  private final class TagDefinitionChangeTask implements Runnable {
472 
473  private final PropertyChangeEvent event;
474 
475  private TagDefinitionChangeTask(PropertyChangeEvent evt) {
476  event = evt;
477  }
478 
479  @Override
480  public void run() {
481  if (!CentralRepository.isEnabled()) {
482  return;
483  }
484  //get the display name of the tag that has had it's definition modified
485  String modifiedTagName = (String) event.getOldValue();
486 
487  /*
488  * Set knownBad status for all files/artifacts in the given case
489  * that are tagged with the given tag name.
490  */
491  try {
492  TagName tagName = Case.getCurrentCaseThrows().getServices().getTagsManager().getDisplayNamesToTagNamesMap().get(modifiedTagName);
493  //First update the artifacts
494  //Get all BlackboardArtifactTags with this tag name
495  List<BlackboardArtifactTag> artifactTags = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifactTagsByTagName(tagName);
496  for (BlackboardArtifactTag bbTag : artifactTags) {
497  //start with assumption that none of the other tags applied to this Correlation Attribute will prevent it's status from being changed
498  boolean hasTagWithConflictingKnownStatus = false;
499  // if the status of the tag has been changed to TskData.FileKnown.UNKNOWN
500  // we need to check the status of all other tags on this correlation attribute before changing
501  // the status of the correlation attribute in the central repository
502  if (tagName.getKnownStatus() == TskData.FileKnown.UNKNOWN) {
503  Content content = bbTag.getContent();
504  // If the content which this Blackboard Artifact Tag is linked to is an AbstractFile with KNOWN status then
505  // it's status in the central reporsitory should not be changed to UNKNOWN
506  if ((content instanceof AbstractFile) && (((AbstractFile) content).getKnown() == TskData.FileKnown.KNOWN)) {
507  continue;
508  }
509  //Get the BlackboardArtifact which this BlackboardArtifactTag has been applied to.
510  BlackboardArtifact bbArtifact = bbTag.getArtifact();
511  TagsManager tagsManager = Case.getCurrentCaseThrows().getServices().getTagsManager();
512  List<BlackboardArtifactTag> tags = tagsManager.getBlackboardArtifactTagsByArtifact(bbArtifact);
513  //get all tags which are on this blackboard artifact
514  for (BlackboardArtifactTag t : tags) {
515  //All instances of the modified tag name will be changed, they can not conflict with each other
516  if (t.getName().equals(tagName)) {
517  continue;
518  }
519  //if any other tags on this artifact are Notable in status then this artifact can not have its status changed
520  if (TskData.FileKnown.BAD == t.getName().getKnownStatus()) {
521  //a tag with a conflicting status has been found, the status of this correlation attribute can not be modified
522  hasTagWithConflictingKnownStatus = true;
523  break;
524  }
525  }
526  }
527  //if the Correlation Attribute will have no tags with a status which would prevent the current status from being changed
528  if (!hasTagWithConflictingKnownStatus) {
529  //Get the correlation atttributes that correspond to the current BlackboardArtifactTag if their status should be changed
530  //with the initial set of correlation attributes this should be a single correlation attribute
531  List<CorrelationAttributeInstance> convertedArtifacts = CorrelationAttributeUtil.makeCorrAttrsForCorrelation(bbTag.getArtifact());
532  for (CorrelationAttributeInstance eamArtifact : convertedArtifacts) {
533  CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact, tagName.getKnownStatus());
534  }
535  }
536  }
537  // Next update the files
538 
539  List<ContentTag> fileTags = Case.getCurrentCaseThrows().getSleuthkitCase().getContentTagsByTagName(tagName);
540  //Get all ContentTags with this tag name
541  for (ContentTag contentTag : fileTags) {
542  //start with assumption that none of the other tags applied to this ContentTag will prevent it's status from being changed
543  boolean hasTagWithConflictingKnownStatus = false;
544  // if the status of the tag has been changed to TskData.FileKnown.UNKNOWN
545  // we need to check the status of all other tags on this file before changing
546  // the status of the file in the central repository
547  if (tagName.getKnownStatus() == TskData.FileKnown.UNKNOWN) {
548  Content content = contentTag.getContent();
549  TagsManager tagsManager = Case.getCurrentCaseThrows().getServices().getTagsManager();
550  List<ContentTag> tags = tagsManager.getContentTagsByContent(content);
551  //get all tags which are on this file
552  for (ContentTag t : tags) {
553  //All instances of the modified tag name will be changed, they can not conflict with each other
554  if (t.getName().equals(tagName)) {
555  continue;
556  }
557  //if any other tags on this file are Notable in status then this file can not have its status changed
558  if (TskData.FileKnown.BAD == t.getName().getKnownStatus()) {
559  //a tag with a conflicting status has been found, the status of this file can not be modified
560  hasTagWithConflictingKnownStatus = true;
561  break;
562  }
563  }
564  }
565  //if the file will have no tags with a status which would prevent the current status from being changed
566  if (!hasTagWithConflictingKnownStatus) {
567  Content taggedContent = contentTag.getContent();
568  if (taggedContent instanceof AbstractFile) {
569  final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile((AbstractFile) taggedContent);
570  if (eamArtifact != null) {
571  CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact, tagName.getKnownStatus());
572  }
573  }
574  }
575  }
576  } catch (TskCoreException ex) {
577  LOGGER.log(Level.SEVERE, "Cannot update known status in central repository for tag: " + modifiedTagName, ex); //NON-NLS
578  } catch (CentralRepoException ex) {
579  LOGGER.log(Level.SEVERE, "Cannot get central repository for tag: " + modifiedTagName, ex); //NON-NLS
580  } catch (NoCurrentCaseException ex) {
581  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
582  }
583  } //TAG_STATUS_CHANGED
584  }
585 
586  private final class DataSourceAddedTask implements Runnable {
587 
588  private final CentralRepository dbManager;
589  private final PropertyChangeEvent event;
590 
591  private DataSourceAddedTask(CentralRepository db, PropertyChangeEvent evt) {
592  dbManager = db;
593  event = evt;
594  }
595 
596  @Override
597  public void run() {
598  if (!CentralRepository.isEnabled()) {
599  return;
600  }
601  Case openCase;
602  try {
603  openCase = Case.getCurrentCaseThrows();
604  } catch (NoCurrentCaseException ex) {
605  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex);
606  return;
607  }
608 
609  final DataSourceAddedEvent dataSourceAddedEvent = (DataSourceAddedEvent) event;
610  Content newDataSource = dataSourceAddedEvent.getDataSource();
611 
612  try {
613  CorrelationCase correlationCase = dbManager.getCase(openCase);
614  if (null == dbManager.getDataSource(correlationCase, newDataSource.getId())) {
615  CorrelationDataSource.fromTSKDataSource(correlationCase, newDataSource);
616  }
617  } catch (CentralRepoException ex) {
618  LOGGER.log(Level.SEVERE, "Error adding new data source to the central repository", ex); //NON-NLS
619  }
620  } // DATA_SOURCE_ADDED
621  }
622 
623  private final class CurrentCaseTask implements Runnable {
624 
625  private final CentralRepository dbManager;
626  private final PropertyChangeEvent event;
627 
628  private CurrentCaseTask(CentralRepository db, PropertyChangeEvent evt) {
629  dbManager = db;
630  event = evt;
631  }
632 
633  @Override
634  public void run() {
635  /*
636  * A case has been opened if evt.getOldValue() is null and
637  * evt.getNewValue() is a valid Case.
638  */
639  if ((null == event.getOldValue()) && (event.getNewValue() instanceof Case)) {
640  Case curCase = (Case) event.getNewValue();
641  IngestEventsListener.resetCeModuleInstanceCount();
642 
643  if (!CentralRepository.isEnabled()) {
644  return;
645  }
646 
647  try {
648  // NOTE: Cannot determine if the opened case is a new case or a reopened case,
649  // so check for existing name in DB and insert if missing.
650  if (dbManager.getCase(curCase) == null) {
651  dbManager.newCase(curCase);
652  }
653  } catch (CentralRepoException ex) {
654  LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database.", ex); //NON-NLS
655  }
656  }
657  } // CURRENT_CASE
658  }
659 
660  @NbBundle.Messages({"CaseEventsListener.module.name=Central Repository",
661  "CaseEventsListener.prevCaseComment.text=Users seen in previous cases",
662  "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"})
666  private final class OsAccountInstancesAddedTask implements Runnable {
667 
668  private final CentralRepository dbManager;
669  private final PropertyChangeEvent event;
670  private final String MODULE_NAME = Bundle.CaseEventsListener_module_name();
671 
672  private OsAccountInstancesAddedTask(CentralRepository db, PropertyChangeEvent evt) {
673  dbManager = db;
674  event = evt;
675  }
676 
677  @Override
678  public void run() {
679  //Nothing to do here if the central repo is not enabled or if ingest is running but is set to not save data/make artifacts
680  if (!CentralRepository.isEnabled()
681  || (IngestManager.getInstance().isIngestRunning() && !(IngestEventsListener.isFlagSeenDevices() || IngestEventsListener.shouldCreateCrProperties()))) {
682  return;
683  }
684 
685  final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event;
686  List<OsAccountInstance> addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances();
687  for (OsAccountInstance osAccountInstance : addedOsAccountNew) {
688  try {
689  OsAccount osAccount = osAccountInstance.getOsAccount();
690  Optional<String> accountAddr = osAccount.getAddr();
691  // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system
692  // and they are not unique
693  if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) {
694  return;
695  }
696  try {
697 
698  CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
699  CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
700  CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID),
701  accountAddr.get(),
702  correlationCase,
703  CorrelationDataSource.fromTSKDataSource(correlationCase, osAccountInstance.getDataSource()),
704  "",
705  "",
706  TskData.FileKnown.KNOWN,
707  osAccount.getId());
708 
709  // Save to the database if requested
710  if(IngestEventsListener.shouldCreateCrProperties()) {
711  dbManager.addArtifactInstance(correlationAttributeInstance);
712  }
713 
714  // Look up and create artifacts for previously seen accounts if requested
715  if (IngestEventsListener.isFlagSeenDevices()) {
716  List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue());
717  for (CorrelationAttributeInstance instance : previousOccurences) {
718  if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) {
719  SleuthkitCase tskCase = osAccount.getSleuthkitCase();
720  Blackboard blackboard = tskCase.getBlackboard();
721 
722  Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(
723  new BlackboardAttribute(
724  TSK_SET_NAME, MODULE_NAME,
725  Bundle.CaseEventsListener_prevExists_text()),
726  new BlackboardAttribute(
727  TSK_COMMENT, MODULE_NAME,
728  Bundle.CaseEventsListener_prevCaseComment_text()));
729  BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult(
730  BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE,
731  null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult();
732  try {
733  // index the artifact for keyword search
734  blackboard.postArtifact(newAnalysisResult, MODULE_NAME);
735  break;
736  } catch (Blackboard.BlackboardException ex) {
737  LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS
738  }
739  }
740  }
741  }
742 
743  } catch (CentralRepoException ex) {
744  LOGGER.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", accountAddr.get()), ex); //NON-NLS
745  } catch (NoCurrentCaseException ex) {
746  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
747  } catch (CorrelationAttributeNormalizationException ex) {
748  LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS
749  }
750 
751  } catch (TskCoreException ex) {
752  LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex);
753  }
754  }
755  }
756  }
757 
758  private final class DataSourceNameChangedTask implements Runnable {
759 
760  private final CentralRepository dbManager;
761  private final PropertyChangeEvent event;
762 
763  private DataSourceNameChangedTask(CentralRepository db, PropertyChangeEvent evt) {
764  dbManager = db;
765  event = evt;
766  }
767 
768  @Override
769  public void run() {
770 
771  final DataSourceNameChangedEvent dataSourceNameChangedEvent = (DataSourceNameChangedEvent) event;
772  Content dataSource = dataSourceNameChangedEvent.getDataSource();
773  String newName = (String) event.getNewValue();
774 
775  if (!StringUtils.isEmpty(newName)) {
776 
777  if (!CentralRepository.isEnabled()) {
778  return;
779  }
780 
781  try {
782  CorrelationCase correlationCase = dbManager.getCase(Case.getCurrentCaseThrows());
783  CorrelationDataSource existingEamDataSource = dbManager.getDataSource(correlationCase, dataSource.getId());
784  dbManager.updateDataSourceName(existingEamDataSource, newName);
785  } catch (CentralRepoException ex) {
786  LOGGER.log(Level.SEVERE, "Error updating data source with ID " + dataSource.getId() + " to " + newName, ex); //NON-NLS
787  } catch (NoCurrentCaseException ex) {
788  LOGGER.log(Level.SEVERE, "No open case", ex);
789  }
790  }
791  } // DATA_SOURCE_NAME_CHANGED
792  }
793 }
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.ContentTagTask
ContentTagTask(CentralRepository db, PropertyChangeEvent evt)
Definition: CaseEventListener.java:217
org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent.DeletedContentTagInfo.getContentID
long getContentID()
Definition: ContentTagDeletedEvent.java:70
org.sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition: IngestManager.java:157
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getArtifactInstancesByTypeValue
List< CorrelationAttributeInstance > getArtifactInstancesByTypeValue(CorrelationAttributeInstance.Type aType, String value)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
Definition: CorrelationDataSource.java:113
org.sleuthkit.autopsy.casemodule.services.TagsManager.getContentTagsByContent
List< ContentTag > getContentTagsByContent(Content content)
Definition: TagsManager.java:823
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromFile
static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file)
Definition: CorrelationAttributeUtil.java:552
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.setAttributeInstanceKnownStatus
void setAttributeInstanceKnownStatus(CorrelationAttributeInstance eamArtifact, TskData.FileKnown knownStatus)
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.addArtifactInstance
void addArtifactInstance(CorrelationAttributeInstance eamArtifact)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation
static List< CorrelationAttributeInstance > makeCorrAttrsForCorrelation(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:150
org.sleuthkit.autopsy.coreutils.ThreadUtils.shutDownTaskExecutor
static void shutDownTaskExecutor(ExecutorService executor)
Definition: ThreadUtils.java:43
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.dbManager
final CentralRepository dbManager
Definition: CaseEventListener.java:214
org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent
Definition: ContentTagAddedEvent.java:35
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.handleTagChange
void handleTagChange(Content content)
Definition: CaseEventListener.java:281
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.updateDataSourceName
void updateDataSourceName(CorrelationDataSource eamDataSource, String newName)
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.handleTagDeleted
void handleTagDeleted(ContentTagDeletedEvent evt)
Definition: CaseEventListener.java:240
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.BlackboardTagTask.setArtifactKnownStatus
void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus)
Definition: CaseEventListener.java:458
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.run
void run()
Definition: CaseEventListener.java:223
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getDataSource
CorrelationDataSource getDataSource(CorrelationCase correlationCase, Long caseDbDataSourceId)
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.setContentKnownStatus
void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus)
Definition: CaseEventListener.java:319
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
org.sleuthkit.autopsy.casemodule.Case.addEventTypeSubscriber
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:711
org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent.getDeletedTagInfo
DeletedContentTagInfo getDeletedTagInfo()
Definition: ContentTagDeletedEvent.java:44
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.handleTagAdded
void handleTagAdded(ContentTagAddedEvent evt)
Definition: CaseEventListener.java:263
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.event
final PropertyChangeEvent event
Definition: CaseEventListener.java:215
org.sleuthkit.autopsy.casemodule.Case.removeEventTypeSubscriber
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:756
org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent
Definition: ContentTagDeletedEvent.java:30
org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask
Definition: CaseEventListener.java:212
org.sleuthkit.autopsy.casemodule.services.TagsManager.getBlackboardArtifactTagsByArtifact
List< BlackboardArtifactTag > getBlackboardArtifactTagsByArtifact(BlackboardArtifact artifact)
Definition: TagsManager.java:1044

Copyright © 2012-2021 Basis Technology. Generated on: Fri Aug 6 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.