Autopsy  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
InterestingHits.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datamodel;
20 
21 import java.beans.PropertyChangeEvent;
22 import java.beans.PropertyChangeListener;
23 import java.sql.ResultSet;
24 import java.sql.SQLException;
25 import java.util.ArrayList;
26 import java.util.Collections;
27 import java.util.EnumSet;
28 import java.util.HashMap;
29 import java.util.HashSet;
30 import java.util.LinkedHashMap;
31 import java.util.List;
32 import java.util.Map;
33 import java.util.Observable;
34 import java.util.Observer;
35 import java.util.Set;
36 import java.util.logging.Level;
37 import org.openide.nodes.ChildFactory;
38 import org.openide.nodes.Children;
39 import org.openide.nodes.Node;
40 import org.openide.nodes.Sheet;
41 import org.openide.util.NbBundle;
42 import org.openide.util.WeakListeners;
43 import org.openide.util.lookup.Lookups;
44 import org.sleuthkit.autopsy.casemodule.Case;
45 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
46 import org.sleuthkit.autopsy.coreutils.Logger;
47 import org.sleuthkit.autopsy.ingest.IngestManager;
48 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
49 import org.sleuthkit.datamodel.BlackboardArtifact;
50 import org.sleuthkit.datamodel.BlackboardAttribute;
51 import org.sleuthkit.datamodel.SleuthkitCase;
52 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;
53 import org.sleuthkit.datamodel.TskCoreException;
54 import org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode;
55 import org.sleuthkit.datamodel.AnalysisResult;
56 
57 public class InterestingHits implements AutopsyVisitableItem {
58 
59  private static final String INTERESTING_ITEMS = NbBundle
60  .getMessage(InterestingHits.class, "InterestingHits.interestingItems.text");
61  private static final String DISPLAY_NAME = NbBundle.getMessage(InterestingHits.class, "InterestingHits.displayName.text");
62  private static final Logger logger = Logger.getLogger(InterestingHits.class.getName());
63  private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
64  private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestModuleEvent.DATA_ADDED);
65  private SleuthkitCase skCase;
66  private final InterestingResults interestingResults = new InterestingResults();
67  private final long filteringDSObjId; // 0 if not filtering/grouping by data source
68 
75  public InterestingHits(SleuthkitCase skCase) {
76  this(skCase, 0);
77  }
78 
86  public InterestingHits(SleuthkitCase skCase, long objId) {
87  this.skCase = skCase;
88  this.filteringDSObjId = objId;
89  interestingResults.update();
90  }
91 
92  private class InterestingResults extends Observable {
93 
94  // NOTE: the map can be accessed by multiple worker threads and needs to be synchronized
95  private final Map<String, Map<String, Set<Long>>> interestingItemsMap = new LinkedHashMap<>();
96 
97  public List<String> getSetNames() {
98  List<String> setNames;
99  synchronized (interestingItemsMap) {
100  setNames = new ArrayList<>(interestingItemsMap.keySet());
101  }
102  Collections.sort(setNames);
103  return setNames;
104  }
105 
106  public Set<Long> getArtifactIds(String setName, String typeName) {
107  synchronized (interestingItemsMap) {
108  return interestingItemsMap.get(setName).get(typeName);
109  }
110  }
111 
112  public void update() {
113  synchronized (interestingItemsMap) {
114  interestingItemsMap.clear();
115  }
116  loadArtifacts(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT);
117  loadArtifacts(BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT);
118  setChanged();
119  notifyObservers();
120  }
121 
122  /*
123  * Reads the artifacts of specified type, grouped by Set, and loads into
124  * the interestingItemsMap
125  */
126  @SuppressWarnings("deprecation")
127  private void loadArtifacts(BlackboardArtifact.Type artType) {
128  if (skCase == null) {
129  return;
130  }
131 
132  int setNameId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID();
133  int artId = artType.getTypeID();
134  String query = "SELECT value_text,blackboard_artifacts.artifact_obj_id,attribute_type_id " //NON-NLS
135  + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS
136  + "attribute_type_id=" + setNameId //NON-NLS
137  + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS
138  + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS
139  if (filteringDSObjId > 0) {
140  query += " AND blackboard_artifacts.data_source_obj_id = " + filteringDSObjId;
141  }
142 
143  try (CaseDbQuery dbQuery = skCase.executeQuery(query)) {
144  synchronized (interestingItemsMap) {
145  ResultSet resultSet = dbQuery.getResultSet();
146  while (resultSet.next()) {
147  String value = resultSet.getString("value_text"); //NON-NLS
148  long artifactObjId = resultSet.getLong("artifact_obj_id"); //NON-NLS
149  if (!interestingItemsMap.containsKey(value)) {
150  interestingItemsMap.put(value, new LinkedHashMap<>());
151  interestingItemsMap.get(value).put(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT.getDisplayName(), new HashSet<>());
152  interestingItemsMap.get(value).put(BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.getDisplayName(), new HashSet<>());
153  }
154  interestingItemsMap.get(value).get(artType.getDisplayName()).add(artifactObjId);
155  }
156  }
157  } catch (TskCoreException | SQLException ex) {
158  logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS
159  }
160  }
161  }
162 
163  @Override
164  public <T> T accept(AutopsyItemVisitor<T> visitor) {
165  return visitor.visit(this);
166  }
167 
171  public class RootNode extends UpdatableCountTypeNode {
172 
173  public RootNode() {
174  super(Children.create(new SetNameFactory(), true),
175  Lookups.singleton(DISPLAY_NAME),
176  DISPLAY_NAME,
177  filteringDSObjId,
178  BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT,
179  BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT);
180  super.setName(INTERESTING_ITEMS);
181  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
182  }
183 
184  @Override
185  public boolean isLeafTypeNode() {
186  return false;
187  }
188 
189  @Override
190  public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {
191  return visitor.visit(this);
192  }
193 
194  @Override
195  protected Sheet createSheet() {
196  Sheet sheet = super.createSheet();
197  Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);
198  if (sheetSet == null) {
199  sheetSet = Sheet.createPropertiesSet();
200  sheet.put(sheetSet);
201  }
202 
203  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
204  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.displayName"),
205  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
206  getName()));
207 
208  return sheet;
209  }
210 
211  @Override
212  public String getItemType() {
213  return getClass().getName();
214  }
215  }
216 
217  private class SetNameFactory extends ChildFactory.Detachable<String> implements Observer {
218 
219  /*
220  * This should probably be in the top-level class, but the factory has
221  * nice methods for its startup and shutdown, so it seemed like a
222  * cleaner place to register the property change listener.
223  */
224  private final PropertyChangeListener pcl = (PropertyChangeEvent evt) -> {
225  String eventType = evt.getPropertyName();
226  if (eventType.equals(IngestManager.IngestModuleEvent.DATA_ADDED.toString())) {
233  try {
234  Case.getCurrentCaseThrows();
241  ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();
242  if (null != eventData && (eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()
243  || eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT.getTypeID())) {
244  interestingResults.update();
245  }
246  } catch (NoCurrentCaseException notUsed) {
250  }
251  } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())
252  || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())) {
259  try {
260  Case.getCurrentCaseThrows();
261  interestingResults.update();
262  } catch (NoCurrentCaseException notUsed) {
266  }
267  } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {
268  // case was closed. Remove listeners so that we don't get called with a stale case handle
269  if (evt.getNewValue() == null) {
270  removeNotify();
271  skCase = null;
272  }
273  }
274  };
275 
276  private final PropertyChangeListener weakPcl = WeakListeners.propertyChange(pcl, null);
277 
278  @Override
279  protected void addNotify() {
280  IngestManager.getInstance().addIngestJobEventListener(INGEST_JOB_EVENTS_OF_INTEREST, weakPcl);
281  IngestManager.getInstance().addIngestModuleEventListener(INGEST_MODULE_EVENTS_OF_INTEREST, weakPcl);
282  Case.addEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), weakPcl);
283  interestingResults.update();
284  interestingResults.addObserver(this);
285  }
286 
287  @Override
288  protected void finalize() throws Throwable {
289  super.finalize();
290  IngestManager.getInstance().removeIngestJobEventListener(weakPcl);
291  IngestManager.getInstance().removeIngestModuleEventListener(weakPcl);
292  Case.removeEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), weakPcl);
293  interestingResults.deleteObserver(this);
294  }
295 
296  @Override
297  protected boolean createKeys(List<String> list) {
298  list.addAll(interestingResults.getSetNames());
299  return true;
300  }
301 
302  @Override
303  protected Node createNodeForKey(String key) {
304  return new SetNameNode(key);
305  }
306 
307  @Override
308  public void update(Observable o, Object arg) {
309  refresh(true);
310  }
311  }
312 
313  public class SetNameNode extends DisplayableItemNode implements Observer {
314 
315  private final String setName;
316 
317  public SetNameNode(String setName) {//, Set<Long> children) {
318  super(Children.create(new HitTypeFactory(setName), true), Lookups.singleton(setName));
319  this.setName = setName;
320  super.setName(setName);
321  updateDisplayName();
322  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
323  interestingResults.addObserver(this);
324  }
325 
326  private void updateDisplayName() {
327  int sizeOfSet = interestingResults.getArtifactIds(setName, BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.getDisplayName()).size()
328  + interestingResults.getArtifactIds(setName, BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT.getDisplayName()).size();
329  super.setDisplayName(setName + " (" + sizeOfSet + ")");
330  }
331 
332  @Override
333  public boolean isLeafTypeNode() {
334  return false;
335  }
336 
337  @Override
338  protected Sheet createSheet() {
339  Sheet sheet = super.createSheet();
340  Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);
341  if (sheetSet == null) {
342  sheetSet = Sheet.createPropertiesSet();
343  sheet.put(sheetSet);
344  }
345 
346  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
347  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
348  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
349  getName()));
350 
351  return sheet;
352  }
353 
354  @Override
355  public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {
356  return visitor.visit(this);
357  }
358 
359  @Override
360  public void update(Observable o, Object arg) {
361  updateDisplayName();
362  }
363 
364  @Override
365  public String getItemType() {
370  return getClass().getName();
371  }
372  }
373 
374  private class HitTypeFactory extends ChildFactory<String> implements Observer {
375 
376  private final String setName;
377  private final Map<Long, BlackboardArtifact> artifactHits = new HashMap<>();
378 
379  private HitTypeFactory(String setName) {
380  super();
381  this.setName = setName;
382  interestingResults.addObserver(this);
383  }
384 
385  @Override
386  protected boolean createKeys(List<String> list) {
387  list.add(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT.getDisplayName());
388  list.add(BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.getDisplayName());
389  return true;
390  }
391 
392  @Override
393  protected Node createNodeForKey(String key) {
394  return new InterestingItemTypeNode(setName, key);
395  }
396 
397  @Override
398  public void update(Observable o, Object arg) {
399  refresh(true);
400  }
401  }
402 
403  public class InterestingItemTypeNode extends DisplayableItemNode implements Observer {
404 
405  private final String typeName;
406  private final String setName;
407 
408  private InterestingItemTypeNode(String setName, String typeName) {
409  super(Children.create(new HitFactory(setName, typeName), true), Lookups.singleton(setName));
410  this.typeName = typeName;
411  this.setName = setName;
417  super.setName(setName + "_" + typeName);
418  updateDisplayName();
419  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
420  interestingResults.addObserver(this);
421  }
422 
423  private void updateDisplayName() {
424  super.setDisplayName(typeName + " (" + interestingResults.getArtifactIds(setName, typeName).size() + ")");
425  }
426 
427  @Override
428  public boolean isLeafTypeNode() {
429  return true;
430  }
431 
432  @Override
433  protected Sheet createSheet() {
434  Sheet sheet = super.createSheet();
435  Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);
436  if (sheetSet == null) {
437  sheetSet = Sheet.createPropertiesSet();
438  sheet.put(sheetSet);
439  }
440  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
441  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
442  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
443  getName()));
444  return sheet;
445  }
446 
447  @Override
448  public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {
449  return visitor.visit(this);
450  }
451 
452  @Override
453  public void update(Observable o, Object arg) {
454  updateDisplayName();
455  }
456 
457  @Override
458  public String getItemType() {
463  return getClass().getName();
464  }
465  }
466 
467  private class HitFactory extends BaseChildFactory<AnalysisResult> implements Observer {
468 
469  private final String setName;
470  private final String typeName;
471  private final Map<Long, AnalysisResult> artifactHits = new HashMap<>();
472 
473  private HitFactory(String setName, String typeName) {
479  super(setName + "_" + typeName);
480  this.setName = setName;
481  this.typeName = typeName;
482  interestingResults.addObserver(this);
483  }
484 
485  @Override
486  protected List<AnalysisResult> makeKeys() {
487 
488  if (skCase != null) {
489  interestingResults.getArtifactIds(setName, typeName).forEach((id) -> {
490  try {
491  if (!artifactHits.containsKey(id)) {
492  AnalysisResult art = skCase.getBlackboard().getAnalysisResultById(id);
493  //Cache attributes while we are off the EDT.
494  //See JIRA-5969
495  art.getAttributes();
496  artifactHits.put(id, art);
497  }
498  } catch (TskCoreException ex) {
499  logger.log(Level.SEVERE, "TSK Exception occurred", ex); //NON-NLS
500  }
501  });
502 
503  return new ArrayList<>(artifactHits.values());
504  }
505  return Collections.emptyList();
506  }
507 
508  @Override
509  protected Node createNodeForKey(AnalysisResult art) {
510  return new BlackboardArtifactNode(art);
511  }
512 
513  @Override
514  public void update(Observable o, Object arg) {
515  refresh(true);
516  }
517 
518  @Override
519  protected void onAdd() {
520  // No-op
521  }
522 
523  @Override
524  protected void onRemove() {
525  // No-op
526  }
527  }
528 }
org.sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType
BlackboardArtifact.Type getBlackboardArtifactType()
Definition: ModuleDataEvent.java:104
org.sleuthkit.autopsy.ingest.IngestManager.removeIngestModuleEventListener
void removeIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:647
org.sleuthkit.autopsy.datamodel.InterestingHits.INGEST_MODULE_EVENTS_OF_INTEREST
static final Set< IngestManager.IngestModuleEvent > INGEST_MODULE_EVENTS_OF_INTEREST
Definition: InterestingHits.java:64
org.sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition: IngestManager.java:157
org.sleuthkit.autopsy.datamodel.InterestingHits.InterestingHits
InterestingHits(SleuthkitCase skCase, long objId)
Definition: InterestingHits.java:86
org.sleuthkit.autopsy.ingest.IngestManager.removeIngestJobEventListener
void removeIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:604
org.sleuthkit.autopsy.ingest.IngestManager.addIngestJobEventListener
void addIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:582
org.sleuthkit.autopsy.datamodel.InterestingHits.INGEST_JOB_EVENTS_OF_INTEREST
static final Set< IngestManager.IngestJobEvent > INGEST_JOB_EVENTS_OF_INTEREST
Definition: InterestingHits.java:63
org.sleuthkit.autopsy.datamodel.InterestingHits.InterestingResults.getArtifactIds
Set< Long > getArtifactIds(String setName, String typeName)
Definition: InterestingHits.java:106
org.sleuthkit.autopsy.ingest.IngestManager.addIngestModuleEventListener
void addIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:625
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.casemodule.Case.addEventTypeSubscriber
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:711
org.sleuthkit.autopsy.casemodule.Case.removeEventTypeSubscriber
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:756
org.sleuthkit.autopsy.datamodel.InterestingHits.InterestingResults.interestingItemsMap
final Map< String, Map< String, Set< Long > > > interestingItemsMap
Definition: InterestingHits.java:95

Copyright © 2012-2021 Basis Technology. Generated on: Fri Aug 6 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.