|
Autopsy
4.19.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
Static Public Member Functions | |
| static CorrelationAttributeInstance | getCorrAttrForFile (AbstractFile file) |
| static boolean | isSupportedAbstractFileType (AbstractFile file) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsForSearch (AnalysisResult analysisResult) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsForSearch (DataArtifact artifact) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsForSearch (AbstractFile file) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsForSearch (OsAccountInstance osAccountInst) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsToSave (DataArtifact artifact) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsToSave (AbstractFile file) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsToSave (AnalysisResult file) |
| static List< CorrelationAttributeInstance > | makeCorrAttrsToSave (OsAccountInstance osAccountInstance) |
Private Member Functions | |
| CorrelationAttributeUtil () | |
Static Private Member Functions | |
| static BlackboardAttribute | getAttribute (List< BlackboardAttribute > attributes, BlackboardAttribute.Type attributeType) throws TskCoreException |
| static String | getEmailAddressAttrDisplayName () |
| static CorrelationAttributeInstance | makeCorrAttr (BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) |
| static CorrelationAttributeInstance | makeCorrAttr (BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value, Content sourceContent, Content dataSource) |
| static void | makeCorrAttrFromAcctArtifact (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact) throws InvalidAccountIDException, TskCoreException, CentralRepoException |
| static List< CorrelationAttributeInstance > | makeCorrAttrFromArtifactAttr (BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes, Content sourceContent, Content dataSource) throws CentralRepoException, TskCoreException |
| static List< CorrelationAttributeInstance > | makeCorrAttrFromArtifactAttr (BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes) throws CentralRepoException, TskCoreException |
| static List< CorrelationAttributeInstance > | makeCorrAttrsFromCommunicationArtifact (BlackboardArtifact artifact, List< BlackboardAttribute > attributes) throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException |
Static Private Attributes | |
| static final Set< Integer > | DOMAIN_ARTIFACT_TYPE_IDS |
| static final List< String > | domainsToSkip = Arrays.asList("localhost", "127.0.0.1") |
| static final Logger | logger = Logger.getLogger(CorrelationAttributeUtil.class.getName()) |
Utility class for working with correlation attributes in the central repository.
Definition at line 55 of file CorrelationAttributeUtil.java.
|
private |
Prevent instantiation of this utility class.
Definition at line 797 of file CorrelationAttributeUtil.java.
|
staticprivate |
Gets a specific attribute from a list of attributes.
| attributes | List of attributes |
| attributeType | Attribute type of interest |
| TskCoreException |
Definition at line 314 of file CorrelationAttributeUtil.java.
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifact().
|
static |
Gets the correlation attribute instance for a file. This method goes to the CR to get an actual instance. It does not simply package the data from file into a generic instance object.
| file | The file. |
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
Definition at line 601 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.FILES_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationAttributeInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.isEnabled(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType().
Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction().
|
staticprivate |
Gets a string that is expected to be the same string that is stored in the correlation_types table in the central repository as the display name for the email address correlation attribute type. This string is duplicated in the CorrelationAttributeInstance class.
TODO (Jira-6088): We should not have multiple definitions of this string.
Definition at line 80 of file CorrelationAttributeUtil.java.
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
|
static |
Checks whether or not a file is of a type that can be added to the central repository as a correlation attribute instance.
| file | A file. |
Definition at line 728 of file CorrelationAttributeUtil.java.
Referenced by org.sleuthkit.autopsy.centralrepository.CentralRepoContextMenuActionsProvider.getActions(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
|
staticprivate |
Makes a correlation attribute instance of a given type from an artifact.
| artifact | The artifact. |
| correlationType | the correlation attribute type. |
| value | The correlation attribute value. |
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
Definition at line 496 of file CorrelationAttributeUtil.java.
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifact().
|
staticprivate |
Makes a correlation attribute instance of a given type from an artifact.
| artifact | The artifact. |
| correlationType | the correlation attribute type. |
| value | The correlation attribute value. |
| sourceContent | The source content object. |
| dataSource | The data source content object. |
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
Definition at line 519 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.getName(), and org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase().
|
staticprivate |
Makes a correlation attribute instance for an account artifact.
Also creates an account in the CR DB if it doesn't exist.
IMPORTANT: The correlation attribute instance is NOT added to the central repository by this method.
| corrAttrInstances | A list of correlation attribute instances. |
| acctArtifact | An account artifact. |
Definition at line 382 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getAccountTypeByName(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount.CentralRepoAccountType.getCorrelationTypeId(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount.getId(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getOrCreateAccount(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr().
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
|
staticprivate |
Makes a correlation attribute instance from a specified attribute of an artifact. The correlation attribute instance is added to an input list.
| artifact | An artifact. |
| artAttrType | The type of the attribute of the artifact that is to be made into a correlation attribute instance. |
| typeId | The type ID for the desired correlation attribute instance. |
| attributes | List of attributes. |
| sourceContent | The source content object. |
| dataSource | The data source content object. |
| CentralRepoException | If there is an error querying the central repository. |
| TskCoreException | If there is an error querying the case database. |
Definition at line 440 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getAttribute(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr().
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
|
staticprivate |
Makes a correlation attribute instance from a specified attribute of an artifact. The correlation attribute instance is added to an input list.
| artifact | An artifact. |
| artAttrType | The type of the attribute of the artifact that is to be made into a correlation attribute instance. |
| typeId | The type ID for the desired correlation attribute instance. |
| attributes | List of attributes. |
| CentralRepoException | If there is an error querying the central repository. |
| TskCoreException | If there is an error querying the case database. |
Definition at line 473 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr().
|
static |
Makes zero to many correlation attribute instances from the attributes of AnalysisResult that have correlatable data. The intention of this method is to use the results to correlate with, not to save. If you want to save, please use makeCorrAttrsToSave. An artifact that can have data to search for != An artifact that should be the source of data in the CR, so results may be too lenient.
IMPORTANT: The correlation attribute instances are NOT added to the central repository by this method.
JIRA-TODO (Jira-6088)
| analysisResult | An AnalysisResult object. |
Definition at line 138 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.EMAIL_TYPE_ID, org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getEmailAddressAttrDisplayName(), org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction(), org.sleuthkit.autopsy.contentviewers.annotations.AnnotationUtils.getCentralRepositoryData(), org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.getCorrelationAttributeFromOsAccount(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.TagDefinitionChangeTask.run(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.OsAccountInstancesAddedTask.run(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.setArtifactKnownStatus(), and org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.setContentKnownStatus().
|
static |
Makes zero to many correlation attribute instances from the attributes of a DataArtifact that have correlatable data. The intention of this method is to use the results to correlate with, not to save. If you want to save, please use makeCorrAttrsToSave. An artifact that can have data to search for != An artifact that should be the source of data in the CR, so results may be too lenient.
IMPORTANT: The correlation attribute instances are NOT added to the central repository by this method.
JIRA-TODO (Jira-6088)
| artifact | A DataArtifact object. |
Definition at line 210 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.DOMAIN_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.EMAIL_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getAttribute(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.ICCID_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.IMEI_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.IMSI_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.MAC_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.PHONE_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.SSID_TYPE_ID, and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.USBID_TYPE_ID.
|
static |
Makes a correlation attribute instance for a file. Will include the specific object ID.
IMPORTANT: The correlation attribute instance is NOT added to the central repository by this method.
TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.
| file | The file. |
Definition at line 683 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.FILES_TYPE_ID, org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.getName(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType().
|
static |
Definition at line 752 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.OSACCOUNT_TYPE_ID.
|
staticprivate |
Makes a correlation attribute instance from a phone number attribute of an artifact.
| artifact | An artifact with a phone number attribute. |
| attributes | List of attributes. |
| TskCoreException | If there is an error querying the case database. |
| CentralRepoException | If there is an error querying the central repository. |
| CorrelationAttributeNormalizationException | If there is an error in normalizing the attribute. |
Definition at line 340 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getAttribute(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.PHONE_TYPE_ID.
Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
|
static |
Definition at line 84 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
Referenced by org.sleuthkit.autopsy.centralrepository.eventlisteners.IngestEventsListener.DataAddedTask.run().
|
static |
Makes zero to many correlation attribute instances from the attributes of abstract file objects that have correlatable data. The intention of this method is to use the results to save to the CR, not to correlate with them. If you want to correlate, please use makeCorrAttrsForSearch. An artifact that can have correlatable data != An artifact that should be the source of data in the CR, so results may be un-necessarily incomplete.
| file | A AbstractFile object. |
Definition at line 108 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
|
static |
Definition at line 112 of file CorrelationAttributeUtil.java.
|
static |
Definition at line 116 of file CorrelationAttributeUtil.java.
References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().
|
staticprivate |
Definition at line 61 of file CorrelationAttributeUtil.java.
|
staticprivate |
Definition at line 58 of file CorrelationAttributeUtil.java.
|
staticprivate |
Definition at line 57 of file CorrelationAttributeUtil.java.
Copyright © 2012-2021 Basis Technology. Generated on: Thu Sep 30 2021
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.