Autopsy
4.4
Graphical digital forensics platform for The Sleuth Kit and other tools.
Classes
  class EventTransaction

Public Member Functions
  void finalize() throws Throwable
  Interval getSpanningInterval(Collection<Long> eventIDs)

Static Public Member Functions
  static EventDB getEventDB(Case autoCase)

Private Member Functions
  EventDB(Case autoCase) throws SQLException, Exception
  void closeStatements() throws SQLException
  void configureDB() throws SQLException
  SingleEvent constructTimeLineEvent(ResultSet rs) throws SQLException
  Map<EventType, Long> countEventsByType(Long startTime, Long endTime, RootFilter filter, EventTypeZoomLevel zoomLevel)
  void createIndex(final String tableName, final List<String> columnList)
  EventCluster eventClusterHelper(ResultSet rs, boolean useSubTypes, DescriptionLoD descriptionLOD, TagsFilter filter) throws SQLException
  boolean hasDataSourceIDColumn()
  boolean hasDBColumn(@Nonnull final String dbColumn)
  boolean hasHashHitColumn()
  boolean hasTaggedColumn()
  void initializeTagsTable()
  void insertTag(Tag tag, long eventID) throws SQLException
  Set<Long> markEventsTagged(long objectID, @Nullable Long artifactID, boolean tagged) throws SQLException
  PreparedStatement prepareStatement(String queryString) throws SQLException

Static Private Member Functions
  static List<EventStripe> mergeClustersToStripes(Period timeUnitLength, List<EventCluster> preMergedEvents)
  static String typeColumnHelper(final boolean useSubTypes)

Private Attributes
  volatile Connection con
  PreparedStatement countAllEventsStmt
  final Lock DBLock = new ReentrantReadWriteLock(true).writeLock()
  final String dbPath
  PreparedStatement deleteTagStmt
  PreparedStatement dropDBInfoTableStmt
  PreparedStatement dropEventsTableStmt
  PreparedStatement dropHashSetHitsTableStmt
  PreparedStatement dropHashSetsTableStmt
  PreparedStatement dropTagsTableStmt
  PreparedStatement getDataSourceIDsStmt
  PreparedStatement getEventByIDStmt
  PreparedStatement getHashSetNamesStmt
  PreparedStatement getMaxTimeStmt
  PreparedStatement getMinTimeStmt
  PreparedStatement insertHashHitStmt
  PreparedStatement insertHashSetStmt
  PreparedStatement insertRowStmt
  PreparedStatement insertTagStmt
  final Set<PreparedStatement> preparedStatements = new HashSet<>()
  PreparedStatement selectEventIDsBYObjectAndArtifactIDStmt
  PreparedStatement selectHashSetStmt
  PreparedStatement selectNonArtifactEventIDsByObjectIDStmt

Static Private Attributes
  static final org.sleuthkit.autopsy.coreutils.Logger LOGGER = Logger.getLogger(EventDB.class.getName())
Provides access to the Timeline SQLite database.
This class borrows a lot of ideas and techniques from SleuthkitCase. Creating an abstract base class for SQLite databases, or using a higher-level persistence API, may make sense in the future.
Definition at line 88 of file EventDB.java.
private
Definition at line 150 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.getEventDB().

private
Definition at line 1040 of file EventDB.java.

private
Definition at line 1046 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

private
Definition at line 1075 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes.

private
Count all the events with the given options and return a map organizing the counts in a hierarchy from date > event type > count.
  startTime: events before this time will be excluded (seconds from the Unix epoch)
  endTime: events at or after this time will be excluded (seconds from the Unix epoch)
  filter: only events that pass this filter will be counted
  zoomLevel: only events of this type or a subtype will be counted, and the counts will be organized into bins for each of the subtypes of the given event type
Definition at line 1105 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes, org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER, org.sleuthkit.autopsy.timeline.zooming.EventTypeZoomLevel.SUB_TYPE, and org.sleuthkit.autopsy.timeline.db.EventDB.typeColumnHelper().

private
  tableName: the value of tableName
  columnList: the value of columnList
Definition at line 758 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

private
Map a single row in a ResultSet to an EventCluster.
  rs: the result set whose current row should be mapped
  useSubTypes: use the sub_type column if true, else use the base_type column
  descriptionLOD: the description level of detail for this event
  filter
Throws: SQLException
Definition at line 1224 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes, and org.sleuthkit.autopsy.timeline.TimeLineController.getJodaTimeZone().
void org.sleuthkit.autopsy.timeline.db.EventDB.finalize() throws Throwable
Definition at line 157 of file EventDB.java.

Public factory method. Creates and opens a connection to a database at the given path. If a database does not already exist at that path, one is created.
  autoCase: the Autopsy Case this events database is for.
Definition at line 110 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.EventDB(), and org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.
Referenced by org.sleuthkit.autopsy.timeline.db.EventsRepository.EventsRepository().

Interval org.sleuthkit.autopsy.timeline.db.EventDB.getSpanningInterval(Collection<Long> eventIDs)
Definition at line 177 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.
Referenced by org.sleuthkit.autopsy.timeline.db.EventsRepository.getSpanningInterval().
private
Definition at line 790 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn().

private
  dbColumn: the value of dbColumn
Definition at line 775 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.hasDataSourceIDColumn(), org.sleuthkit.autopsy.timeline.db.EventDB.hasHashHitColumn(), and org.sleuthkit.autopsy.timeline.db.EventDB.hasTaggedColumn().

private
Definition at line 798 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn().

private
Definition at line 794 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn().

private
Create the tags table if it doesn't already exist. This is broken out as a separate method so it can be used by reInitializeTags().
Definition at line 739 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

private
Insert this tag into the db.
NOTE: does not lock the db; must be called from inside a DBLock.lock/unlock pair.
  tag: the tag to insert
  eventID: the event id that this tag is applied to
Throws: SQLException if there was a problem executing the insert
Definition at line 941 of file EventDB.java.

private
Mark any events with the given object and artifact ids as tagged, and record the tag itself.
NOTE: does not lock the db; must be called from inside a DBLock.lock/unlock pair.
  objectID: the obj_id that this tag applies to; for artifact tags, the id of the content that the artifact is derived from
  artifactID: the artifact_id that this tag applies to, or null if this is a content tag
  tagged: true to mark the matching events tagged, false to mark them as untagged
Throws: SQLException if there is an error marking the events as (un)tagged
Definition at line 1004 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.selectEventIDsBYObjectAndArtifactIDStmt, and org.sleuthkit.autopsy.timeline.db.EventDB.selectNonArtifactEventIDsByObjectIDStmt.

static private
Merge the events in the given list if they are within the same period. The general algorithm is as follows:
  1) sort them into a map from (type, description) -> List<aggevent>
  2) for each key in the map, merge the events and accumulate them in a list to return
  timeUnitLength
  preMergedEvents
Definition at line 1250 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.EventCluster.getSpan(), org.sleuthkit.autopsy.timeline.datamodel.EventStripe.getStartMillis(), org.sleuthkit.autopsy.timeline.datamodel.EventStripe.merge(), and org.sleuthkit.autopsy.timeline.datamodel.EventCluster.merge().
private
Definition at line 1305 of file EventDB.java.

static private
Definition at line 1301 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.countEventsByType().

private
Definition at line 122 of file EventDB.java.

private
Definition at line 137 of file EventDB.java.

private
Definition at line 148 of file EventDB.java.

private
Definition at line 124 of file EventDB.java.

private
Definition at line 135 of file EventDB.java.

private
Definition at line 142 of file EventDB.java.

private
Definition at line 138 of file EventDB.java.

private
Definition at line 139 of file EventDB.java.

private
Definition at line 140 of file EventDB.java.

private
Definition at line 141 of file EventDB.java.

private
Definition at line 129 of file EventDB.java.

private
Definition at line 126 of file EventDB.java.

private
Definition at line 130 of file EventDB.java.

private
Definition at line 127 of file EventDB.java.

private
Definition at line 128 of file EventDB.java.

private
Definition at line 133 of file EventDB.java.

private
Definition at line 132 of file EventDB.java.

private
Definition at line 131 of file EventDB.java.

private
Definition at line 134 of file EventDB.java.

static private
Definition at line 90 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.close(), org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.commit(), org.sleuthkit.autopsy.timeline.db.EventDB.configureDB(), org.sleuthkit.autopsy.timeline.db.EventDB.countEventsByType(), org.sleuthkit.autopsy.timeline.db.EventDB.createIndex(), org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.EventTransaction(), org.sleuthkit.autopsy.timeline.db.EventDB.getEventDB(), org.sleuthkit.autopsy.timeline.db.EventDB.getSpanningInterval(), org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn(), org.sleuthkit.autopsy.timeline.db.EventDB.initializeTagsTable(), and org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.rollback().

private
Definition at line 146 of file EventDB.java.

private
Definition at line 144 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.markEventsTagged().

private
Definition at line 136 of file EventDB.java.

private
Definition at line 143 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.markEventsTagged().
Copyright © 2012-2016 Basis Technology. Generated on: Tue Jun 13 2017
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.