19 package org.sleuthkit.autopsy.keywordsearch;
21 import com.google.common.base.CharMatcher;
22 import java.util.ArrayList;
23 import java.util.Collection;
24 import java.util.HashMap;
25 import java.util.HashSet;
26 import java.util.List;
29 import java.util.logging.Level;
30 import java.util.regex.Matcher;
31 import java.util.regex.Pattern;
32 import org.apache.commons.lang.StringUtils;
33 import org.apache.commons.validator.routines.checkdigit.LuhnCheckDigit;
34 import org.apache.solr.client.solrj.SolrQuery;
35 import org.apache.solr.client.solrj.response.TermsResponse.Term;
42 import org.
sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
44 import org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
54 final class TermsComponentQuery
implements KeywordSearchQuery {
56 private static final Logger LOGGER = Logger.getLogger(TermsComponentQuery.class.getName());
57 private static final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
58 private static final String SEARCH_HANDLER =
"/terms";
59 private static final String SEARCH_FIELD = Server.Schema.CONTENT_WS.toString();
60 private static final int TERMS_SEARCH_TIMEOUT = 90 * 1000;
61 private static final String CASE_INSENSITIVE =
"case_insensitive";
62 private static final boolean DEBUG_FLAG = Version.Type.DEVELOPMENT.equals(Version.getBuildType());
63 private static final int MAX_TERMS_QUERY_RESULTS = 20000;
64 private final KeywordList keywordList;
65 private final Keyword keyword;
66 private String searchTerm;
67 private boolean searchTermIsEscaped;
68 private final List<KeywordQueryFilter> filters =
new ArrayList<>();
75 private static final Pattern CREDIT_CARD_NUM_PATTERN = Pattern.compile(
"(?<ccn>[3456]([ -]?\\d){11,18})");
76 private static final LuhnCheckDigit CREDIT_CARD_NUM_LUHN_CHECK =
new LuhnCheckDigit();
77 private static final Pattern CREDIT_CARD_TRACK1_PATTERN = Pattern.compile(
89 +
"(?<accountNumber>[3456]([ -]?\\d){11,18})"
91 +
"(?<name>[^^]{2,26})"
93 +
"(?:(?:\\^|(?<expiration>\\d{4}))"
94 +
"(?:(?:\\^|(?<serviceCode>\\d{3}))"
95 +
"(?:(?<discretionary>[^?]*)"
99 private static final Pattern CREDIT_CARD_TRACK2_PATTERN = Pattern.compile(
110 +
"(?<accountNumber>[3456]([ -]?\\d){11,18})"
112 +
"(?:(?<expiration>\\d{4})"
113 +
"(?:(?<serviceCode>\\d{3})"
114 +
"(?:(?<discretionary>[^:;<=>?]*)"
118 private static final BlackboardAttribute.Type KEYWORD_SEARCH_DOCUMENT_ID =
new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_DOCUMENT_ID);
136 TermsComponentQuery(KeywordList keywordList, Keyword keyword) {
137 this.keywordList = keywordList;
138 this.keyword = keyword;
139 this.searchTerm = keyword.getSearchTerm();
149 public KeywordList getKeywordList() {
160 public String getQueryString() {
161 return keyword.getSearchTerm();
172 public boolean isLiteral() {
181 public void setSubstringQuery() {
182 searchTerm =
".*" + searchTerm +
".*";
189 public void escape() {
190 searchTerm = Pattern.quote(keyword.getSearchTerm());
191 searchTermIsEscaped =
true;
200 public boolean isEscaped() {
201 return searchTermIsEscaped;
211 public String getEscapedQueryString() {
212 return this.searchTerm;
221 public boolean validate() {
222 if (searchTerm.isEmpty()) {
226 Pattern.compile(searchTerm);
228 }
catch (IllegalArgumentException ex) {
240 public void setField(String field) {
250 public void addFilter(KeywordQueryFilter filter) {
251 this.filters.add(filter);
265 public QueryResults performQuery() throws KeywordSearchModuleException, NoOpenCoreException {
270 final SolrQuery termsQuery =
new SolrQuery();
271 termsQuery.setRequestHandler(SEARCH_HANDLER);
272 termsQuery.setTerms(
true);
273 termsQuery.setTermsRegexFlag(CASE_INSENSITIVE);
274 termsQuery.setTermsRegex(searchTerm);
275 termsQuery.addTermsField(SEARCH_FIELD);
276 termsQuery.setTimeAllowed(TERMS_SEARCH_TIMEOUT);
277 termsQuery.setShowDebugInfo(DEBUG_FLAG);
278 termsQuery.setTermsLimit(MAX_TERMS_QUERY_RESULTS);
279 List<Term> terms = KeywordSearch.getServer().queryTerms(termsQuery).getTerms(SEARCH_FIELD);
283 QueryResults results =
new QueryResults(
this, keywordList);
284 for (Term term : terms) {
289 if (keyword.getArtifactAttributeType() == ATTRIBUTE_TYPE.TSK_CARD_NUMBER) {
290 Matcher matcher = CREDIT_CARD_NUM_PATTERN.matcher(term.getTerm());
292 final String ccn = CharMatcher.anyOf(
" -").removeFrom(matcher.group(
"ccn"));
293 if (
false == CREDIT_CARD_NUM_LUHN_CHECK.isValid(ccn)) {
308 String escapedTerm = KeywordSearchUtil.escapeLuceneQuery(term.getTerm());
309 LuceneQuery termQuery =
new LuceneQuery(keywordList,
new Keyword(escapedTerm,
true));
310 filters.forEach(termQuery::addFilter);
311 QueryResults termQueryResult = termQuery.performQuery();
312 Set<KeywordHit> termHits =
new HashSet<>();
313 for (Keyword word : termQueryResult.getKeywords()) {
314 termHits.addAll(termQueryResult.getResults(word));
316 results.addResult(
new Keyword(term.getTerm(),
false),
new ArrayList<>(termHits));
338 public KeywordCachedArtifact writeSingleFileHitsToBlackBoard(String searchTerm, KeywordHit hit, String snippet, String listName) {
345 BlackboardArtifact newArtifact;
346 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
347 if (keyword.getArtifactAttributeType() != ATTRIBUTE_TYPE.TSK_CARD_NUMBER) {
348 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD, MODULE_NAME, searchTerm));
349 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP, MODULE_NAME, keyword.getSearchTerm()));
351 newArtifact = hit.getContent().newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT);
353 }
catch (TskCoreException ex) {
354 LOGGER.log(Level.SEVERE,
"Error adding artifact for keyword hit to blackboard", ex);
362 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE, MODULE_NAME, Account.Type.CREDIT_CARD.name()));
363 Map<BlackboardAttribute.Type, BlackboardAttribute> parsedTrackAttributeMap =
new HashMap<>();
364 Matcher matcher = CREDIT_CARD_TRACK1_PATTERN.matcher(hit.getSnippet());
365 if (matcher.find()) {
366 parseTrack1Data(parsedTrackAttributeMap, matcher);
368 matcher = CREDIT_CARD_TRACK2_PATTERN.matcher(hit.getSnippet());
369 if (matcher.find()) {
370 parseTrack2Data(parsedTrackAttributeMap, matcher);
372 final BlackboardAttribute ccnAttribute = parsedTrackAttributeMap.get(
new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_CARD_NUMBER));
373 if (ccnAttribute == null || StringUtils.isBlank(ccnAttribute.getValueString())) {
374 if (hit.isArtifactHit()) {
375 LOGGER.log(Level.SEVERE, String.format(
"Failed to parse credit card account number for artifact keyword hit: term = %s, snippet = '%s', artifact id = %d", searchTerm, hit.getSnippet(), hit.getArtifact().getArtifactID()));
377 LOGGER.log(Level.SEVERE, String.format(
"Failed to parse credit card account number for content keyword hit: term = %s, snippet = '%s', object id = %d", searchTerm, hit.getSnippet(), hit.getContent().getId()));
381 attributes.addAll(parsedTrackAttributeMap.values());
387 final int bin = Integer.parseInt(ccnAttribute.getValueString().substring(0, 8));
388 CreditCards.BankIdentificationNumber binInfo = CreditCards.getBINInfo(bin);
389 if (binInfo != null) {
390 binInfo.getScheme().ifPresent(scheme
391 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_CARD_SCHEME, MODULE_NAME, scheme)));
392 binInfo.getCardType().ifPresent(cardType
393 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_CARD_TYPE, MODULE_NAME, cardType)));
394 binInfo.getBrand().ifPresent(brand
395 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_BRAND_NAME, MODULE_NAME, brand)));
396 binInfo.getBankName().ifPresent(bankName
397 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_BANK_NAME, MODULE_NAME, bankName)));
398 binInfo.getBankPhoneNumber().ifPresent(phoneNumber
399 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, MODULE_NAME, phoneNumber)));
400 binInfo.getBankURL().ifPresent(url
401 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, MODULE_NAME, url)));
402 binInfo.getCountry().ifPresent(country
403 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COUNTRY, MODULE_NAME, country)));
404 binInfo.getBankCity().ifPresent(city
405 -> attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_CITY, MODULE_NAME, city)));
413 if (hit.getContent() instanceof AbstractFile) {
414 AbstractFile file = (AbstractFile) hit.getContent();
415 if (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS
416 || file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) {
417 attributes.add(
new BlackboardAttribute(KEYWORD_SEARCH_DOCUMENT_ID, MODULE_NAME, hit.getSolrDocumentId()));
425 newArtifact = hit.getContent().newArtifact(ARTIFACT_TYPE.TSK_ACCOUNT);
426 }
catch (TskCoreException ex) {
427 LOGGER.log(Level.SEVERE,
"Error adding artifact for account to blackboard", ex);
432 if (StringUtils.isNotBlank(listName)) {
433 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, listName));
435 if (snippet != null) {
436 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW, MODULE_NAME, snippet));
438 if (hit.isArtifactHit()) {
439 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, hit.getArtifact().getArtifactID()));
443 newArtifact.addAttributes(attributes);
444 KeywordCachedArtifact writeResult =
new KeywordCachedArtifact(newArtifact);
445 writeResult.add(attributes);
447 }
catch (TskCoreException e) {
448 LOGGER.log(Level.SEVERE,
"Error adding bb attributes for terms search artifact", e);
461 static private void parseTrack2Data(Map<BlackboardAttribute.Type, BlackboardAttribute> attributesMap, Matcher matcher) {
462 addAttributeIfNotAlreadyCaptured(attributesMap, ATTRIBUTE_TYPE.TSK_CARD_NUMBER,
"accountNumber", matcher);
463 addAttributeIfNotAlreadyCaptured(attributesMap, ATTRIBUTE_TYPE.TSK_CARD_EXPIRATION,
"expiration", matcher);
464 addAttributeIfNotAlreadyCaptured(attributesMap, ATTRIBUTE_TYPE.TSK_CARD_SERVICE_CODE,
"serviceCode", matcher);
465 addAttributeIfNotAlreadyCaptured(attributesMap, ATTRIBUTE_TYPE.TSK_CARD_DISCRETIONARY,
"discretionary", matcher);
466 addAttributeIfNotAlreadyCaptured(attributesMap, ATTRIBUTE_TYPE.TSK_CARD_LRC,
"LRC", matcher);
478 static private void parseTrack1Data(Map<BlackboardAttribute.Type, BlackboardAttribute> attributeMap, Matcher matcher) {
479 parseTrack2Data(attributeMap, matcher);
480 addAttributeIfNotAlreadyCaptured(attributeMap, ATTRIBUTE_TYPE.TSK_NAME_PERSON,
"name", matcher);
494 static private void addAttributeIfNotAlreadyCaptured(Map<BlackboardAttribute.Type, BlackboardAttribute> attributeMap, ATTRIBUTE_TYPE attrType, String groupName, Matcher matcher) {
495 BlackboardAttribute.Type type =
new BlackboardAttribute.Type(attrType);
496 attributeMap.computeIfAbsent(type, (BlackboardAttribute.Type t) -> {
497 String value = matcher.group(groupName);
498 if (attrType.equals(ATTRIBUTE_TYPE.TSK_CARD_NUMBER)) {
499 value = CharMatcher.anyOf(
" -").removeFrom(value);
501 if (StringUtils.isNotBlank(value)) {
502 return new BlackboardAttribute(attrType, MODULE_NAME, value);