Autopsy  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
FilesIdentifierIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.interestingitems;
20 
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.Collection;
24 import java.util.List;
25 import java.util.Map;
26 import java.util.concurrent.ConcurrentHashMap;
27 import java.util.logging.Level;
28 import org.openide.util.NbBundle;
29 import org.openide.util.NbBundle.Messages;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.Blackboard;
41 import org.sleuthkit.datamodel.BlackboardArtifact;
42 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT;
43 import org.sleuthkit.datamodel.BlackboardAttribute;
44 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY;
45 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
46 import org.sleuthkit.datamodel.Score;
47 import org.sleuthkit.datamodel.TskCoreException;
48 import org.sleuthkit.datamodel.TskData;
49 
54 @NbBundle.Messages({"FilesIdentifierIngestModule.getFilesError=Error getting interesting files sets from file."})
55 final class FilesIdentifierIngestModule implements FileIngestModule {
56 
57  private static final Object sharedResourcesLock = new Object();
58  private static final Logger logger = Logger.getLogger(FilesIdentifierIngestModule.class.getName());
59  private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();
60  private static final Map<Long, List<FilesSet>> interestingFileSetsByJob = new ConcurrentHashMap<>();
61  private static final String MODULE_NAME = InterestingItemsIngestModuleFactory.getModuleName();
62 
63  private final FilesIdentifierIngestJobSettings settings;
64  private final IngestServices services = IngestServices.getInstance();
65  private IngestJobContext context;
66  private Blackboard blackboard;
67 
74  FilesIdentifierIngestModule(FilesIdentifierIngestJobSettings settings) {
75  this.settings = settings;
76  }
77 
78  @Override
79  public void startUp(IngestJobContext context) throws IngestModuleException {
80  this.context = context;
81  synchronized (FilesIdentifierIngestModule.sharedResourcesLock) {
82  if (FilesIdentifierIngestModule.refCounter.incrementAndGet(context.getJobId()) == 1) {
83  // Starting up the first instance of this module for this ingest
84  // job, so get the interesting file sets definitions snapshot
85  // for the job. Note that getting this snapshot atomically via a
86  // synchronized definitions manager method eliminates the need
87  // to disable the interesting files set definition UI during ingest.
88  List<FilesSet> filesSets = new ArrayList<>();
89  try {
90  for (FilesSet set : FilesSetsManager.getInstance().getInterestingFilesSets().values()) {
91  if (settings.interestingFilesSetIsEnabled(set.getName())) {
92  filesSets.add(set);
93  }
94  }
95  } catch (FilesSetsManager.FilesSetsManagerException ex) {
96  throw new IngestModuleException(Bundle.FilesIdentifierIngestModule_getFilesError(), ex);
97  }
98  FilesIdentifierIngestModule.interestingFileSetsByJob.put(context.getJobId(), filesSets);
99  }
100  }
101  }
102 
103  @Override
104  @Messages({"FilesIdentifierIngestModule.indexError.message=Failed to index interesting file hit artifact for keyword search."})
105  public ProcessResult process(AbstractFile file) {
106  try {
107  blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard();
108  } catch (NoCurrentCaseException ex) {
109  logger.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
110  return ProcessResult.ERROR;
111  }
112 
113  // Skip slack space files.
114  if (file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK)) {
115  return ProcessResult.OK;
116  }
117 
118  // See if the file belongs to any defined interesting files set.
119  List<FilesSet> filesSets = FilesIdentifierIngestModule.interestingFileSetsByJob.get(this.context.getJobId());
120  for (FilesSet filesSet : filesSets) {
121  String ruleSatisfied = filesSet.fileIsMemberOf(file);
122  if (ruleSatisfied != null) {
123  try {
124 
125  Collection<BlackboardAttribute> attributes = Arrays.asList(
126  /*
127  * Add a set name attribute to the artifact. This
128  * adds a fair amount of redundant data to the
129  * attributes table (i.e., rows that differ only in
130  * artifact id), but doing otherwise would requires
131  * reworking the interesting files set hit artifact. */
132  new BlackboardAttribute(
133  TSK_SET_NAME, MODULE_NAME,
134  filesSet.getName()),
135  /*
136  * Add a category attribute to the artifact to
137  * record the interesting files set membership rule
138  * that was satisfied. */
139  new BlackboardAttribute(
140  TSK_CATEGORY, MODULE_NAME,
141  ruleSatisfied)
142  );
143 
144  // Create artifact if it doesn't already exist.
145  if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
146  BlackboardArtifact artifact = file.newAnalysisResult(
147  BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE,
148  null, filesSet.getName(), null,
149  attributes)
150  .getAnalysisResult();
151  try {
152 
153  // Post thet artifact to the blackboard.
154  blackboard.postArtifact(artifact, MODULE_NAME);
155  } catch (Blackboard.BlackboardException ex) {
156  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
157  MessageNotifyUtil.Notify.error(Bundle.FilesIdentifierIngestModule_indexError_message(), artifact.getDisplayName());
158  }
159 
160  // make an ingest inbox message
161  StringBuilder detailsSb = new StringBuilder();
162  detailsSb.append("File: ").append(file.getParentPath()).append(file.getName()).append("<br/>\n");
163  detailsSb.append("Rule Set: ").append(filesSet.getName());
164 
165  services.postMessage(IngestMessage.createDataMessage(InterestingItemsIngestModuleFactory.getModuleName(),
166  "Interesting File Match: " + filesSet.getName() + "(" + file.getName() + ")",
167  detailsSb.toString(),
168  file.getName(),
169  artifact));
170  }
171  } catch (TskCoreException ex) {
172  FilesIdentifierIngestModule.logger.log(Level.SEVERE, "Error posting to the blackboard", ex); //NOI18N NON-NLS
173  }
174  }
175  }
176  return ProcessResult.OK;
177  }
178 
179  @Override
180  public void shutDown() {
181  if (context != null) {
182  if (refCounter.decrementAndGet(this.context.getJobId()) == 0) {
183  // Shutting down the last instance of this module for this ingest
184  // job, so discard the interesting file sets definitions snapshot
185  // for the job.
186  FilesIdentifierIngestModule.interestingFileSetsByJob.remove(this.context.getJobId());
187  }
188  }
189  }
190 }

Copyright © 2012-2021 Basis Technology. Generated on: Fri Aug 6 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.