Autopsy  4.19.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
IngestEventsListener.java
1 /*
2  * Central Repository
3  *
4  * Copyright 2017-2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
20 
21 import com.google.common.util.concurrent.ThreadFactoryBuilder;
22 import java.beans.PropertyChangeEvent;
23 import java.beans.PropertyChangeListener;
24 import static java.lang.Boolean.FALSE;
25 import java.util.ArrayList;
26 import java.util.Arrays;
27 import java.util.Collection;
28 import java.util.EnumSet;
29 import java.util.Iterator;
30 import java.util.LinkedHashSet;
31 import java.util.List;
32 import java.util.Set;
33 import java.util.concurrent.ExecutorService;
34 import java.util.concurrent.Executors;
35 import java.util.logging.Level;
36 import java.util.stream.Collectors;
37 import org.apache.commons.lang3.StringUtils;
38 import org.openide.util.NbBundle;
50 import org.sleuthkit.datamodel.Blackboard;
51 import org.sleuthkit.datamodel.BlackboardArtifact;
52 import org.sleuthkit.datamodel.BlackboardAttribute;
55 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
56 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CORRELATION_TYPE;
57 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CORRELATION_VALUE;
58 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_OTHER_CASES;
60 import org.sleuthkit.datamodel.Content;
61 import org.sleuthkit.datamodel.Image;
62 import org.sleuthkit.datamodel.SleuthkitCase;
63 import org.sleuthkit.datamodel.TskCoreException;
65 import org.sleuthkit.datamodel.DataArtifact;
66 import org.sleuthkit.datamodel.Score;
67 import org.sleuthkit.datamodel.TskData;
68 
73 @NbBundle.Messages({"IngestEventsListener.ingestmodule.name=Central Repository"})
74 public class IngestEventsListener {
75 
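// Named after this class so that log records are attributed to the listener that wrote them
// (the original passed CorrelationAttributeInstance.class here, which misattributes every record).
private static final Logger LOGGER = Logger.getLogger(IngestEventsListener.class.getName());
// Ingest job events this listener subscribes to.
private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.DATA_SOURCE_ANALYSIS_COMPLETED);
// Ingest module events this listener subscribes to.
private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(DATA_ADDED);
// Module name recorded on every attribute and artifact this listener posts.
private static final String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
// Count of running Central Repository ingest module instances; guarded by the synchronized static accessors.
private static int correlationModuleInstanceCount;
// Ingest-module settings, read and written through the synchronized static accessors.
private static boolean flagNotableItems;
private static boolean flagSeenDevices;
private static boolean createCrProperties;
private static boolean flagUniqueArtifacts;
private static final String INGEST_EVENT_THREAD_NAME = "Ingest-Event-Listener-%d";
// Executor onto which both listeners submit their tasks.
private final ExecutorService jobProcessingExecutor;
private final PropertyChangeListener pcl1 = new IngestModuleEventListener();
private final PropertyChangeListener pcl2 = new IngestJobEventListener();
// String forms of correlation attributes already handled; in the code shown it is touched
// only from tasks submitted to jobProcessingExecutor. LinkedHashSet itself is not thread-safe.
final Collection<String> recentlyAddedCeArtifacts = new LinkedHashSet<>();

// At or below this many previous cases a "previously seen" result is scored likely notable.
static final int MAX_NUM_PREVIOUS_CASES_FOR_LIKELY_NOTABLE_SCORE = 10;
// Above this many previous cases no "previously seen" result is created at all.
static final int MAX_NUM_PREVIOUS_CASES_FOR_PREV_SEEN_ARTIFACT_CREATION = 20;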
93 
95  jobProcessingExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat(INGEST_EVENT_THREAD_NAME).build());
96  }
97 
/**
 * Shuts down the executor that runs this listener's event-processing tasks.
 */
public void shutdown() {
    final ExecutorService executor = jobProcessingExecutor;
    ThreadUtils.shutDownTaskExecutor(executor);
}
101 
/**
 * Registers the module-event and job-event listeners of this object with
 * the IngestManager, each limited to its set of events of interest.
 */
public void installListeners() {
    final IngestManager ingestManager = IngestManager.getInstance();
    ingestManager.addIngestModuleEventListener(INGEST_MODULE_EVENTS_OF_INTEREST, pcl1);
    ingestManager.addIngestJobEventListener(INGEST_JOB_EVENTS_OF_INTEREST, pcl2);
}
109 
/*
 * Remove all of our Ingest Event Listeners from the IngestManager Instance.
 */
public void uninstallListeners() {
    // NOTE(review): this listing skips source lines 114-115, so the statements that
    // presumably unregister pcl1 and pcl2 are not visible here - confirm against the source file.
}
117 
/**
 * Records that one more Central Repository ingest module instance is
 * running. Meant to be called once from that module's startup method.
 */
public static synchronized void incrementCorrelationEngineModuleCount() {
    correlationModuleInstanceCount += 1;
}
125 
/**
 * Records that one Central Repository ingest module instance has stopped.
 * Meant to be called once from that module's shutdown method.
 */
public static synchronized void decrementCorrelationEngineModuleCount() {
    if (getCeModuleInstanceCount() <= 0) {
        // Already at zero: never let the counter go negative.
        return;
    }
    correlationModuleInstanceCount -= 1;
}
135 
/**
 * Forces the module instance counter back to zero. Called when a case is
 * opened, in case the counter was not reset earlier for some reason.
 */
static synchronized void resetCeModuleInstanceCount() {
    correlationModuleInstanceCount = 0;
}
143 
/**
 * Returns the current value of the Central Repository module instance counter.
 *
 * @return the number of module instances counted as running
 */
public static synchronized int getCeModuleInstanceCount() {
    final int count = correlationModuleInstanceCount;
    return count;
}
153 
/**
 * Reports the ingest setting that controls flagging of items marked
 * notable in other cases.
 *
 * @return the stored setting
 */
public static synchronized boolean isFlagNotableItems() {
    final boolean enabled = flagNotableItems;
    return enabled;
}
162 
/**
 * Reports the ingest setting that controls flagging of previously seen
 * devices and accounts.
 *
 * @return the stored setting
 */
public static synchronized boolean isFlagSeenDevices() {
    final boolean enabled = flagSeenDevices;
    return enabled;
}
171 
/**
 * Reports the ingest setting that controls whether correlation attributes
 * are saved to the Central Repository.
 *
 * @return the stored setting
 */
public static synchronized boolean shouldCreateCrProperties() {
    final boolean enabled = createCrProperties;
    return enabled;
}
180 
/**
 * Stores the ingest setting for flagging items marked notable in other cases.
 *
 * @param value the new setting
 */
public static synchronized void setFlagNotableItems(boolean value) {
    flagNotableItems = value;
}
189 
/**
 * Stores the ingest setting for flagging previously seen devices and accounts.
 *
 * @param value the new setting
 */
public static synchronized void setFlagSeenDevices(boolean value) {
    flagSeenDevices = value;
}
198 
/**
 * Stores the ingest setting for flagging previously unseen applications and domains.
 *
 * @param value the new setting
 */
public static synchronized void setFlagUniqueArtifacts(boolean value) {
    flagUniqueArtifacts = value;
}
207 
/**
 * Reports the ingest setting that controls flagging of previously unseen
 * applications and domains.
 *
 * @return the stored setting
 */
public static synchronized boolean isFlagUniqueArtifacts() {
    final boolean enabled = flagUniqueArtifacts;
    return enabled;
}
216 
/**
 * Stores the ingest setting for saving correlation attributes to the
 * Central Repository.
 *
 * @param value the new setting
 */
public static synchronized void setCreateCrProperties(boolean value) {
    createCrProperties = value;
}
225 
/**
 * Builds and posts a TSK_PREVIOUSLY_NOTABLE analysis result, scored
 * SCORE_NOTABLE, on the given artifact.
 *
 * @param originalArtifact the artifact the result is attached to
 * @param caseDisplayNames display names of the other cases; duplicates are
 *                         collapsed before they are recorded
 * @param aType            correlation type of the matching value
 * @param value            the correlation value that matched
 */
@NbBundle.Messages({"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
    "IngestEventsListener.prevCaseComment.text=Previous Case: "})
private static void makeAndPostPreviousNotableArtifact(BlackboardArtifact originalArtifact, List<String> caseDisplayNames,
        CorrelationAttributeInstance.Type aType, String value) {
    final String otherCases = caseDisplayNames.stream().distinct().collect(Collectors.joining(","));
    final String why = "Previously marked as notable in cases " + otherCases;

    final BlackboardAttribute setNameAttr = new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, Bundle.IngestEventsListener_prevTaggedSet_text());
    final BlackboardAttribute typeAttr = new BlackboardAttribute(TSK_CORRELATION_TYPE, MODULE_NAME, aType.getDisplayName());
    final BlackboardAttribute valueAttr = new BlackboardAttribute(TSK_CORRELATION_VALUE, MODULE_NAME, value);
    final BlackboardAttribute otherCasesAttr = new BlackboardAttribute(TSK_OTHER_CASES, MODULE_NAME, otherCases);
    final Collection<BlackboardAttribute> newAttributes = Arrays.asList(setNameAttr, typeAttr, valueAttr, otherCasesAttr);

    makeAndPostArtifact(BlackboardArtifact.Type.TSK_PREVIOUSLY_NOTABLE, originalArtifact, newAttributes,
            Bundle.IngestEventsListener_prevTaggedSet_text(), Score.SCORE_NOTABLE, why);
}
257 
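/**
 * Builds and posts a TSK_PREVIOUSLY_SEEN analysis result on the given
 * artifact, scored by how many distinct previous cases contain the value.
 *
 * The case count is taken after removing duplicate display names. The list
 * passed in holds one entry per previous occurrence, so counting it directly
 * lets a value that occurs many times in a single earlier case pass the
 * "too common" threshold and be dropped without any result.
 *
 * @param originalArtifact the artifact the result is attached to
 * @param caseDisplayNames display names of the previous cases, one entry
 *                         per occurrence
 * @param aType            correlation type of the matching value
 * @param value            the correlation value that matched
 */
@NbBundle.Messages({"IngestEventsListener.prevExists.text=Previously Seen Devices (Central Repository)",
    "# {0} - typeName",
    "# {1} - count",
    "IngestEventsListener.prevCount.text=Number of previous {0}: {1}"})
private static void makeAndPostPreviousSeenArtifact(BlackboardArtifact originalArtifact, List<String> caseDisplayNames,
        CorrelationAttributeInstance.Type aType, String value) {

    // Score on distinct cases, the same set that is reported in the result.
    final List<String> distinctCases = caseDisplayNames.stream().distinct().collect(Collectors.toList());
    final int numCases = distinctCases.size();

    final Score score;
    if (numCases <= MAX_NUM_PREVIOUS_CASES_FOR_LIKELY_NOTABLE_SCORE) {
        score = Score.SCORE_LIKELY_NOTABLE;
    } else if (numCases <= MAX_NUM_PREVIOUS_CASES_FOR_PREV_SEEN_ARTIFACT_CREATION) {
        score = Score.SCORE_NONE;
    } else {
        // don't make an Analysis Result, the artifact is too common.
        return;
    }

    final String prevCases = String.join(",", distinctCases);
    final String justification = "Previously seen in cases " + prevCases;
    final Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(
            new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, Bundle.IngestEventsListener_prevExists_text()),
            new BlackboardAttribute(TSK_CORRELATION_TYPE, MODULE_NAME, aType.getDisplayName()),
            new BlackboardAttribute(TSK_CORRELATION_VALUE, MODULE_NAME, value),
            new BlackboardAttribute(TSK_OTHER_CASES, MODULE_NAME, prevCases));
    makeAndPostArtifact(BlackboardArtifact.Type.TSK_PREVIOUSLY_SEEN, originalArtifact, attributesForNewArtifact,
            Bundle.IngestEventsListener_prevExists_text(), score, justification);
}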
304 
/**
 * Builds and posts a TSK_PREVIOUSLY_UNSEEN analysis result, scored
 * SCORE_LIKELY_NOTABLE, on the given artifact.
 *
 * The justification text names an application, although the visible caller
 * uses this method for domain values as well.
 *
 * @param originalArtifact the artifact the result is attached to
 * @param aType            correlation type of the value
 * @param value            the correlation value with no previous occurrences
 */
private static void makeAndPostPreviouslyUnseenArtifact(BlackboardArtifact originalArtifact, CorrelationAttributeInstance.Type aType, String value) {
    final BlackboardAttribute typeAttr = new BlackboardAttribute(TSK_CORRELATION_TYPE, MODULE_NAME, aType.getDisplayName());
    final BlackboardAttribute valueAttr = new BlackboardAttribute(TSK_CORRELATION_VALUE, MODULE_NAME, value);
    final Collection<BlackboardAttribute> newAttributes = Arrays.asList(typeAttr, valueAttr);

    makeAndPostArtifact(BlackboardArtifact.Type.TSK_PREVIOUSLY_UNSEEN, originalArtifact, newAttributes, "",
            Score.SCORE_LIKELY_NOTABLE, "This application has not been previously seen before");
}
325 
/**
 * Creates an analysis result of the given type on the original artifact and
 * posts it to the blackboard, unless an artifact with the same type and
 * attributes already exists there. Failures are logged, never rethrown.
 *
 * @param newArtifactType         type of the analysis result to create
 * @param originalArtifact        artifact the result is attached to
 * @param attributesForNewArtifact attributes to set on the result
 * @param configuration           configuration string stored with the result
 * @param score                   score stored with the result
 * @param justification           justification stored with the result
 */
private static void makeAndPostArtifact(BlackboardArtifact.Type newArtifactType, BlackboardArtifact originalArtifact, Collection<BlackboardAttribute> attributesForNewArtifact, String configuration,
        Score score, String justification) {
    try {
        final Blackboard blackboard = originalArtifact.getSleuthkitCase().getBlackboard();
        final BlackboardArtifact.ARTIFACT_TYPE existingType = BlackboardArtifact.ARTIFACT_TYPE.fromID(newArtifactType.getTypeID());

        // Nothing to do when an identical artifact is already on the blackboard.
        if (blackboard.artifactExists(originalArtifact, existingType, attributesForNewArtifact)) {
            return;
        }

        final BlackboardArtifact created = originalArtifact
                .newAnalysisResult(newArtifactType, score, null, configuration, justification, attributesForNewArtifact)
                .getAnalysisResult();

        try {
            // index the artifact for keyword search
            blackboard.postArtifact(created, MODULE_NAME);
        } catch (Blackboard.BlackboardException ex) {
            // The result has been created at this point; only the post step failed.
            LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + created.getArtifactID(), ex); //NON-NLS
        }
    } catch (TskCoreException ex) {
        LOGGER.log(Level.SEVERE, "Failed to create BlackboardArtifact.", ex); // NON-NLS
    } catch (IllegalStateException ex) {
        LOGGER.log(Level.SEVERE, "Failed to create BlackboardAttribute.", ex); // NON-NLS
    }
}
362 
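/**
 * Receives ingest module events and queues a DataAddedTask for each
 * DATA_ADDED event.
 */
private class IngestModuleEventListener implements PropertyChangeListener {

    /**
     * Handles one ingest module event.
     *
     * The ingest-running state is read once and reused for the gate and for
     * all four task flags. Reading it separately for each flag lets the
     * state change between reads, so one task could run with flags taken
     * from different states.
     *
     * @param evt the event; its property name must be the name of an
     *            IngestManager.IngestModuleEvent constant
     */
    @Override
    public void propertyChange(PropertyChangeEvent evt) {
        final boolean ingestIdle = !IngestManager.getInstance().isIngestRunning();

        // While ingest is running, act only if a Central Repository module is running.
        // Artifacts are sometimes generated by DSPs or other sources while ingest is not
        // running; correlation attributes are still wanted for those.
        if (!ingestIdle && getCeModuleInstanceCount() <= 0) {
            return;
        }

        final CentralRepository dbManager;
        try {
            dbManager = CentralRepository.getInstance();
        } catch (CentralRepoException ex) {
            LOGGER.log(Level.SEVERE, "Failed to connect to Central Repository database.", ex);
            return;
        }

        switch (IngestManager.IngestModuleEvent.valueOf(evt.getPropertyName())) {
            case DATA_ADDED: {
                // If ingest isn't running every kind of processing is enabled,
                // otherwise the ingest module settings decide.
                boolean flagNotable = ingestIdle || isFlagNotableItems();
                boolean flagPrevious = ingestIdle || isFlagSeenDevices();
                boolean createAttributes = ingestIdle || shouldCreateCrProperties();
                boolean flagUnique = ingestIdle || isFlagUniqueArtifacts();
                jobProcessingExecutor.submit(new DataAddedTask(dbManager, evt, flagNotable, flagPrevious, createAttributes, flagUnique));
                break;
            }
            default:
                break;
        }
    }
}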
395 
/**
 * Receives ingest job events and queues an AnalysisCompleteTask for each
 * DATA_SOURCE_ANALYSIS_COMPLETED event.
 */
private class IngestJobEventListener implements PropertyChangeListener {

    /**
     * Handles one ingest job event. Nothing is queued when the Central
     * Repository instance cannot be obtained; that failure is logged.
     *
     * @param evt the event; its property name must be the name of an
     *            IngestManager.IngestJobEvent constant
     */
    @Override
    public void propertyChange(PropertyChangeEvent evt) {
        final CentralRepository repository;
        try {
            repository = CentralRepository.getInstance();
        } catch (CentralRepoException ex) {
            LOGGER.log(Level.SEVERE, "Failed to connect to Central Repository database.", ex);
            return;
        }

        final IngestManager.IngestJobEvent jobEvent = IngestManager.IngestJobEvent.valueOf(evt.getPropertyName());
        if (jobEvent == IngestManager.IngestJobEvent.DATA_SOURCE_ANALYSIS_COMPLETED) {
            jobProcessingExecutor.submit(new AnalysisCompleteTask(repository, evt));
        }
    }

}
419 
420  private final class AnalysisCompleteTask implements Runnable {
421 
423  private final PropertyChangeEvent event;
424 
/**
 * Creates a task for one data-source-analysis-completed event.
 *
 * @param db  the Central Repository instance the task works against
 * @param evt the ingest job event being handled
 */
private AnalysisCompleteTask(CentralRepository db, PropertyChangeEvent evt) {
    this.event = evt;
    this.dbManager = db;
}
429 
/**
 * Runs after analysis of a data source completes. Clears the per-job
 * de-duplication set when no Central Repository module instance remains,
 * then, for Image data sources only, makes the MD5, SHA-1 and SHA-256
 * values stored in the Central Repository equal to those in the case
 * database.
 *
 * A hash that the image does not have is treated as the empty string, so
 * an empty value replaces a non-empty one already stored in the Central
 * Repository. All failures are logged and not rethrown.
 */
@Override
public void run() {
    // clear the tracker to reduce memory usage; with a non-zero count another
    // instance of the Central Repository Module is still being run.
    if (getCeModuleInstanceCount() == 0) {
        recentlyAddedCeArtifacts.clear();
    }

    if (!CentralRepository.isEnabled()) {
        return;
    }

    String dataSourceName = "";
    long dataSourceObjectId = -1;
    try {
        final Content dataSource = ((DataSourceAnalysisEvent) event).getDataSource();

        // Only Images matter for the purpose of updating hash values.
        if (!(dataSource instanceof Image)) {
            return;
        }
        final Image image = (Image) dataSource;

        dataSourceName = dataSource.getName();
        dataSourceObjectId = dataSource.getId();

        final Case openCase = Case.getCurrentCaseThrows();

        CorrelationCase correlationCase = dbManager.getCase(openCase);
        if (correlationCase == null) {
            correlationCase = dbManager.newCase(openCase);
        }

        final CorrelationDataSource correlationDataSource = dbManager.getDataSource(correlationCase, dataSource.getId());
        if (correlationDataSource == null) {
            // Add the data source.
            CorrelationDataSource.fromTSKDataSource(correlationCase, dataSource);
            return;
        }

        // Sync the data source hash values if necessary, one algorithm at a time.
        final String caseMd5 = image.getMd5();
        final String imageMd5Hash = (caseMd5 == null) ? "" : caseMd5;
        if (!StringUtils.equals(imageMd5Hash, correlationDataSource.getMd5())) {
            correlationDataSource.setMd5(imageMd5Hash);
        }

        final String caseSha1 = image.getSha1();
        final String imageSha1Hash = (caseSha1 == null) ? "" : caseSha1;
        if (!StringUtils.equals(imageSha1Hash, correlationDataSource.getSha1())) {
            correlationDataSource.setSha1(imageSha1Hash);
        }

        final String caseSha256 = image.getSha256();
        final String imageSha256Hash = (caseSha256 == null) ? "" : caseSha256;
        if (!StringUtils.equals(imageSha256Hash, correlationDataSource.getSha256())) {
            correlationDataSource.setSha256(imageSha256Hash);
        }
    } catch (CentralRepoException ex) {
        LOGGER.log(Level.SEVERE, String.format(
                "Unable to fetch data from the Central Repository for data source '%s' (obj_id=%d)",
                dataSourceName, dataSourceObjectId), ex);
    } catch (NoCurrentCaseException ex) {
        LOGGER.log(Level.SEVERE, "No current case opened.", ex);
    } catch (TskCoreException ex) {
        LOGGER.log(Level.SEVERE, String.format(
                "Unable to fetch data from the case database for data source '%s' (obj_id=%d)",
                dataSourceName, dataSourceObjectId), ex);
    }
} // DATA_SOURCE_ANALYSIS_COMPLETED
517  }
518 
519  private final class DataAddedTask implements Runnable {
520 
522  private final PropertyChangeEvent event;
523  private final boolean flagNotableItemsEnabled;
524  private final boolean flagPreviousItemsEnabled;
525  private final boolean createCorrelationAttributes;
526  private final boolean flagUniqueItemsEnabled;
527 
/**
 * Creates a task for one DATA_ADDED event with the flags that were in
 * effect when the event was received.
 *
 * @param db                          the Central Repository instance
 * @param evt                         the ingest module event being handled
 * @param flagNotableItemsEnabled     whether to flag values marked notable in other cases
 * @param flagPreviousItemsEnabled    whether to flag previously seen devices and accounts
 * @param createCorrelationAttributes whether to save correlation attributes
 * @param flagUnique                  whether to flag previously unseen applications and domains
 */
private DataAddedTask(CentralRepository db, PropertyChangeEvent evt, boolean flagNotableItemsEnabled, boolean flagPreviousItemsEnabled, boolean createCorrelationAttributes, boolean flagUnique) {
    this.event = evt;
    this.dbManager = db;
    this.createCorrelationAttributes = createCorrelationAttributes;
    this.flagNotableItemsEnabled = flagNotableItemsEnabled;
    this.flagPreviousItemsEnabled = flagPreviousItemsEnabled;
    this.flagUniqueItemsEnabled = flagUnique;
}
536 
/**
 * Processes the artifacts carried by one DATA_ADDED event: converts each
 * DataArtifact into correlation attribute instances, looks up earlier
 * occurrences in the Central Repository, posts "previously notable",
 * "previously seen" or "previously unseen" results according to the task
 * flags, and finally saves the collected instances to the repository.
 *
 * Does nothing when the Central Repository is disabled or the event has no
 * artifact collection. Repository errors are logged and not rethrown.
 */
@Override
public void run() {
    if (!CentralRepository.isEnabled()) {
        return;
    }
    final ModuleDataEvent mde = (ModuleDataEvent) event.getOldValue();
    Collection<BlackboardArtifact> bbArtifacts = mde.getArtifacts();
    if (null == bbArtifacts) { //the ModuleDataEvents don't always have a collection of artifacts set
        return;
    }
    // Instances to be written to the Central Repository after all artifacts are examined.
    List<CorrelationAttributeInstance> eamArtifacts = new ArrayList<>();

    for (BlackboardArtifact bbArtifact : bbArtifacts) {
        // makeCorrAttrsToSave will filter out artifacts which should not be sources of CR data.
        // Artifacts that are not DataArtifacts yield no instances here.
        List<CorrelationAttributeInstance> convertedArtifacts = new ArrayList<>();
        if (bbArtifact instanceof DataArtifact){
            convertedArtifacts.addAll(CorrelationAttributeUtil.makeCorrAttrsToSave((DataArtifact)bbArtifact));
        }
        for (CorrelationAttributeInstance eamArtifact : convertedArtifacts) {
            try {
                // Only do something with this artifact if it's unique within the job.
                // The de-duplication key is the instance's toString() value.
                if (recentlyAddedCeArtifacts.add(eamArtifact.toString())) {

                    // Get a list of instances for a given value (hash, email, etc.)
                    List<CorrelationAttributeInstance> previousOccurrences = new ArrayList<>();
                    // check if we are flagging things
                    if (flagNotableItemsEnabled || flagPreviousItemsEnabled || flagUniqueItemsEnabled) {
                        try {
                            previousOccurrences = dbManager.getArtifactInstancesByTypeValue(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());

                            // make sure the previous instances do not contain current case
                            for (Iterator<CorrelationAttributeInstance> iterator = previousOccurrences.iterator(); iterator.hasNext();) {
                                CorrelationAttributeInstance instance = iterator.next();
                                if (instance.getCorrelationCase().getCaseUUID().equals(eamArtifact.getCorrelationCase().getCaseUUID())) {
                                    // this is the current case - remove the instance from the previousOccurrences list
                                    iterator.remove();
                                }
                            }
                            // NOTE(review): this listing skips source line 575, presumably the catch clause
                            // that declares 'ex' for the log call below - confirm against the source file.
                            // NOTE(review): if that handler covers a failed lookup, previousOccurrences stays
                            // empty, and the "previously unseen" check further down would then treat a failed
                            // lookup the same as "never seen". The failure is logged at INFO only.
                            LOGGER.log(Level.INFO, String.format("Unable to flag previously seen device: %s.", eamArtifact.toString()), ex);
                        }
                    }

                    // Was it previously marked as bad?
                    // getCaseDisplayNamesForNotable keeps only the occurrences whose known status is BAD.
                    // If any exist, a TSK_PREVIOUSLY_NOTABLE result is posted on the blackboard.
                    if (flagNotableItemsEnabled) {
                        List<String> caseDisplayNames = getCaseDisplayNamesForNotable(previousOccurrences);
                        if (!caseDisplayNames.isEmpty()) {
                            makeAndPostPreviousNotableArtifact(bbArtifact,
                                    caseDisplayNames, eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());

                            // if we have marked this artifact as notable, then skip the analysis of whether it was previously seen
                            // NOTE(review): this continue also skips the createCorrelationAttributes step below,
                            // so an instance flagged as notable is not queued for saving - confirm that is intended.
                            continue;
                        }
                    }

                    // flag previously seen devices and communication accounts (emails, phones, etc)
                    if (flagPreviousItemsEnabled && !previousOccurrences.isEmpty()
                            && (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID
                            || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID
                            || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID
                            || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID
                            || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID
                            || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.EMAIL_TYPE_ID
                            || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.PHONE_TYPE_ID)) {

                        // One display name per occurrence, so the list can hold the same case more than once.
                        List<String> caseDisplayNames = getCaseDisplayNames(previousOccurrences);
                        makeAndPostPreviousSeenArtifact(bbArtifact, caseDisplayNames, eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());
                    }

                    // flag previously unseen apps and domains
                    if (flagUniqueItemsEnabled
                            && (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID
                            || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.DOMAIN_TYPE_ID)) {

                        if (previousOccurrences.isEmpty()) {
                            makeAndPostPreviouslyUnseenArtifact(bbArtifact, eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());
                        }
                    }
                    if (createCorrelationAttributes) {
                        eamArtifacts.add(eamArtifact);
                    }
                }
            } catch (CentralRepoException ex) {
                LOGGER.log(Level.SEVERE, "Error counting notable artifacts.", ex);
            }
        }
    }
    // Save the collected instances; a failure on one instance does not stop the rest.
    if (FALSE == eamArtifacts.isEmpty()) {
        for (CorrelationAttributeInstance eamArtifact : eamArtifacts) {
            try {
                dbManager.addArtifactInstance(eamArtifact);
            } catch (CentralRepoException ex) {
                LOGGER.log(Level.SEVERE, "Error adding artifact to database.", ex); //NON-NLS
            }
        }
    } // DATA_ADDED
}
637  }
638 
/**
 * Collects the display name of the case of every occurrence, in order and
 * without removing duplicates.
 *
 * @param occurrences the correlation attribute instances to read
 * @return a new list with one display name per occurrence
 */
private List<String> getCaseDisplayNames(List<CorrelationAttributeInstance> occurrences) {
    return occurrences.stream()
            .map(occurrence -> occurrence.getCorrelationCase().getDisplayName())
            .collect(Collectors.toCollection(ArrayList::new));
}
653 
/**
 * Collects the case display names of the occurrences whose known status is
 * TskData.FileKnown.BAD, in order and without removing duplicates.
 *
 * @param occurrences the correlation attribute instances to read
 * @return a new list with one display name per notable occurrence
 */
private List<String> getCaseDisplayNamesForNotable(List<CorrelationAttributeInstance> occurrences) {
    return occurrences.stream()
            .filter(occurrence -> occurrence.getKnownStatus() == TskData.FileKnown.BAD)
            .map(occurrence -> occurrence.getCorrelationCase().getDisplayName())
            .collect(Collectors.toCollection(ArrayList::new));
}
670 }

Copyright © 2012-2021 Basis Technology. Generated on: Thu Sep 30 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.