Autopsy  4.6.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EamArtifactUtil.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2015-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.datamodel;
20 
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.logging.Level;
24 import org.openide.util.NbBundle.Messages;
25 import org.sleuthkit.autopsy.casemodule.Case;
26 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
27 import org.sleuthkit.autopsy.coreutils.Logger;
28 import org.sleuthkit.datamodel.AbstractFile;
29 import org.sleuthkit.datamodel.BlackboardArtifact;
30 import org.sleuthkit.datamodel.BlackboardAttribute;
31 import org.sleuthkit.datamodel.Content;
32 import org.sleuthkit.datamodel.HashUtility;
33 import org.sleuthkit.datamodel.TskCoreException;
34 import org.sleuthkit.datamodel.TskData;
35 
39 public class EamArtifactUtil {
40 
41  private static final long serialVersionUID = 1L;
42  private static final Logger LOGGER = Logger.getLogger(EamArtifactUtil.class.getName());
43 
44  public EamArtifactUtil() {
45  }
46 
47  @Messages({"EamArtifactUtil.emailaddresses.text=Email Addresses"})
48  public static String getEmailAddressAttrString() {
49  return Bundle.EamArtifactUtil_emailaddresses_text();
50  }
51 
66  public static List<CorrelationAttribute> getCorrelationAttributeFromBlackboardArtifact(BlackboardArtifact bbArtifact,
67  boolean addInstanceDetails, boolean checkEnabled) {
68 
69  List<CorrelationAttribute> eamArtifacts = new ArrayList<>();
70 
71  try {
72  // Cycle through the types and see if there is a correlation attribute that works
73  // for the given blackboard artifact
74  //
75  // @@@ This seems ineffecient. Instead of cycling based on correlation type, we should just
76  // have switch based on artifact type
77  for (CorrelationAttribute.Type aType : EamDb.getInstance().getDefinedCorrelationTypes()) {
78  if ((checkEnabled && aType.isEnabled()) || !checkEnabled) {
79  CorrelationAttribute eamArtifact = EamArtifactUtil.getCorrelationAttributeFromBlackboardArtifact(aType, bbArtifact);
80  if (eamArtifact != null) {
81  eamArtifacts.add(eamArtifact);
82  }
83  }
84  }
85  } catch (EamDbException ex) {
86  LOGGER.log(Level.SEVERE, "Error getting defined correlation types.", ex); // NON-NLS
87  return eamArtifacts;
88  }
89 
90  // if they asked for it, add the instance details associated with this occurance.
91  if (!eamArtifacts.isEmpty() && addInstanceDetails) {
92  try {
93  Case currentCase = Case.getOpenCase();
94  AbstractFile bbSourceFile = currentCase.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
95  if (null == bbSourceFile) {
96  //@@@ Log this
97  return eamArtifacts;
98  }
99 
100  // make an instance for the BB source file
101  CorrelationCase correlationCase = EamDb.getInstance().getCase(Case.getOpenCase());
102  if (null == correlationCase) {
103  correlationCase = EamDb.getInstance().newCase(Case.getOpenCase());
104  }
105  CorrelationAttributeInstance eamInstance = new CorrelationAttributeInstance(
106  correlationCase,
107  CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()),
108  bbSourceFile.getParentPath() + bbSourceFile.getName(),
109  "",
110  TskData.FileKnown.UNKNOWN
111  );
112 
113  // add the instance details
114  for (CorrelationAttribute eamArtifact : eamArtifacts) {
115  eamArtifact.addInstance(eamInstance);
116  }
117  } catch (TskCoreException | EamDbException ex) {
118  LOGGER.log(Level.SEVERE, "Error creating artifact instance.", ex); // NON-NLS
119  return eamArtifacts;
120  } catch (NoCurrentCaseException ex) {
121  LOGGER.log(Level.SEVERE, "Case is closed.", ex); // NON-NLS
122  return eamArtifacts;
123  }
124  }
125 
126  return eamArtifacts;
127  }
128 
139  private static CorrelationAttribute getCorrelationAttributeFromBlackboardArtifact(CorrelationAttribute.Type correlationType,
140  BlackboardArtifact bbArtifact) throws EamDbException {
141  String value = null;
142  int artifactTypeID = bbArtifact.getArtifactTypeID();
143 
144  try {
145  if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifactTypeID) {
146  // Get the associated artifact
147  BlackboardAttribute attribute = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
148  if (attribute != null) {
149  BlackboardArtifact associatedArtifact = Case.getOpenCase().getSleuthkitCase().getBlackboardArtifact(attribute.getValueLong());
150  return EamArtifactUtil.getCorrelationAttributeFromBlackboardArtifact(correlationType, associatedArtifact);
151  }
152 
153  } else if (correlationType.getId() == CorrelationAttribute.EMAIL_TYPE_ID
154  && BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() == artifactTypeID) {
155 
156  BlackboardAttribute setNameAttr = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
157  if (setNameAttr != null
158  && EamArtifactUtil.getEmailAddressAttrString().equals(setNameAttr.getValueString())) {
159  value = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD)).getValueString();
160  }
161  } else if (correlationType.getId() == CorrelationAttribute.DOMAIN_TYPE_ID
162  && (BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID() == artifactTypeID
163  || BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID() == artifactTypeID
164  || BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID() == artifactTypeID
165  || BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID() == artifactTypeID)) {
166 
167  // Lower-case this to normalize domains
168  value = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN)).getValueString();
169  } else if (correlationType.getId() == CorrelationAttribute.PHONE_TYPE_ID
170  && (BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT.getTypeID() == artifactTypeID
171  || BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG.getTypeID() == artifactTypeID
172  || BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE.getTypeID() == artifactTypeID)) {
173 
174  if (null != bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
175  value = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
176  } else if (null != bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
177  value = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
178  } else if (null != bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
179  value = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
180  }
181 
182  // Remove all non-numeric symbols to semi-normalize phone numbers, preserving leading "+" character
183  if (value != null) {
184  String newValue = value.replaceAll("\\D", "");
185  if (value.startsWith("+")) {
186  newValue = "+" + newValue;
187  }
188 
189  value = newValue;
190 
191  // If the resulting phone number is too small to be of use, return null
192  // (these 3-5 digit numbers can be valid, but are not useful for correlation)
193  if (value.length() <= 5) {
194  return null;
195  }
196  }
197 
198  } else if (correlationType.getId() == CorrelationAttribute.USBID_TYPE_ID
199  && BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID() == artifactTypeID) {
200 
201  value = bbArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID)).getValueString();
202  }
203 
204  } catch (TskCoreException ex) {
205  LOGGER.log(Level.SEVERE, "Error getting attribute while getting type from BlackboardArtifact.", ex); // NON-NLS
206  return null;
207  } catch (NoCurrentCaseException ex) {
208  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS
209  return null;
210  }
211 
212  if (null != value) {
213  return new CorrelationAttribute(correlationType, value);
214  } else {
215  return null;
216  }
217  }
218 
235  public static CorrelationAttribute getCorrelationAttributeFromContent(Content content, TskData.FileKnown knownStatus, String comment) {
236 
237  if (!(content instanceof AbstractFile)) {
238  return null;
239  }
240 
241  final AbstractFile af = (AbstractFile) content;
242 
243  if (!isValidCentralRepoFile(af)) {
244  return null;
245  }
246 
247  // We need a hash to make the artifact
248  String md5 = af.getMd5Hash();
249  if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
250  return null;
251  }
252 
253  CorrelationAttribute eamArtifact;
254  try {
255  CorrelationAttribute.Type filesType = EamDb.getInstance().getCorrelationTypeById(CorrelationAttribute.FILES_TYPE_ID);
256  eamArtifact = new CorrelationAttribute(filesType, af.getMd5Hash());
257  CorrelationCase correlationCase = EamDb.getInstance().getCase(Case.getOpenCase());
258  if (null == correlationCase) {
259  correlationCase = EamDb.getInstance().newCase(Case.getOpenCase());
260  }
261  CorrelationAttributeInstance cei = new CorrelationAttributeInstance(
262  correlationCase,
263  CorrelationDataSource.fromTSKDataSource(correlationCase, af.getDataSource()),
264  af.getParentPath() + af.getName(),
265  comment,
266  knownStatus
267  );
268  eamArtifact.addInstance(cei);
269  return eamArtifact;
270  } catch (TskCoreException | EamDbException | NoCurrentCaseException ex) {
271  LOGGER.log(Level.SEVERE, "Error making correlation attribute.", ex);
272  return null;
273  }
274  }
275 
285  public static boolean isValidCentralRepoFile(AbstractFile af) {
286  if (af == null) {
287  return false;
288  }
289 
290  if (af.getKnown() == TskData.FileKnown.KNOWN) {
291  return false;
292  }
293 
294  switch (af.getType()) {
295  case UNALLOC_BLOCKS:
296  case UNUSED_BLOCKS:
297  case SLACK:
298  case VIRTUAL_DIR:
299  case LOCAL_DIR:
300  return false;
301  case CARVED:
302  case DERIVED:
303  case LOCAL:
304  return true;
305  case FS:
306  return af.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
307  default:
308  LOGGER.log(Level.WARNING, "Unexpected file type {0}", af.getType().getName());
309  return false;
310  }
311  }
312 }
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getCorrelationTypeById
CorrelationAttribute.Type getCorrelationTypeById(int typeId)
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.getCorrelationAttributeFromContent
static CorrelationAttribute getCorrelationAttributeFromContent(Content content, TskData.FileKnown knownStatus, String comment)
Definition: EamArtifactUtil.java:235
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.getCorrelationAttributeFromBlackboardArtifact
static CorrelationAttribute getCorrelationAttributeFromBlackboardArtifact(CorrelationAttribute.Type correlationType, BlackboardArtifact bbArtifact)
Definition: EamArtifactUtil.java:139
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.newCase
CorrelationCase newCase(CorrelationCase eamCase)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
Definition: CorrelationDataSource.java:74
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttribute.addInstance
void addInstance(CorrelationAttributeInstance artifactInstance)
Definition: CorrelationAttribute.java:166
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getDefinedCorrelationTypes
List< CorrelationAttribute.Type > getDefinedCorrelationTypes()
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.getCorrelationAttributeFromBlackboardArtifact
static List< CorrelationAttribute > getCorrelationAttributeFromBlackboardArtifact(BlackboardArtifact bbArtifact, boolean addInstanceDetails, boolean checkEnabled)
Definition: EamArtifactUtil.java:66

Copyright © 2012-2016 Basis Technology. Generated on: Mon May 7 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.