Autopsy  4.7.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
org.sleuthkit.autopsy.timeline.db.EventsRepository Class Reference

Classes

enum  DBPopulationMode
 
class  DBPopulationWorker
 

Public Member Functions

 EventsRepository (Case autoCase, ReadOnlyObjectProperty< ZoomParams > currentStateProperty)
 
synchronized Set< Long > addTag (long objID, Long artifactID, Tag tag, EventDB.EventTransaction trans)
 
boolean areFiltersEquivalent (RootFilter f1, RootFilter f2)
 
synchronized int countAllEvents ()
 
synchronized Map< EventType, Long > countEvents (ZoomParams params)
 
synchronized Set< Long > deleteTag (long objID, Long artifactID, long tagID, boolean tagged)
 
Case getAutoCase ()
 
Interval getBoundingEventsInterval (Interval timeRange, RootFilter filter)
 
List< CombinedEvent > getCombinedEvents (Interval timeRange, RootFilter filter)
 
synchronized ObservableMap< Long, String > getDatasourcesMap ()
 
SingleEvent getEventById (Long eventID)
 
List< Long > getEventIDs (Interval timeRange, RootFilter filter)
 
List< Long > getEventIDsForArtifact (BlackboardArtifact artifact)
 
List< Long > getEventIDsForFile (AbstractFile file, boolean includeDerivedArtifacts)
 
synchronized Set< SingleEvent > getEventsById (Collection< Long > eventIDs)
 
FilteredEventsModel getEventsModel ()
 
synchronized List< EventStripe > getEventStripes (ZoomParams params)
 
synchronized ObservableMap< Long, String > getHashSetMap ()
 
Long getMaxTime ()
 
Long getMinTime ()
 
Interval getSpanningInterval (Collection< Long > eventIDs)
 
Map< String, Long > getTagCountsByTagName (Set< Long > eventIDsWithTags)
 
ObservableList< TagName > getTagNames ()
 
boolean hasNewColumns ()
 
CancellationProgressTask< Void > rebuildRepository (Consumer< Worker.State > onStateChange)
 
CancellationProgressTask< Void > rebuildTags (Consumer< Worker.State > onStateChange)
 
void syncTagsFilter (TagsFilter tagsFilter)
 

Private Member Functions

void invalidateCaches ()
 
synchronized void invalidateCaches (Set< Long > updatedEventIDs)
 
synchronized void populateFilterData (SleuthkitCase skCase)
 
CancellationProgressTask< Void > rebuildRepository (final DBPopulationMode mode, Consumer< Worker.State > onStateChange)
 

Private Attributes

final Case autoCase
 
final ObservableMap< Long, String > datasourcesMap = FXCollections.observableHashMap()
 
DBPopulationWorker dbWorker
 
final LoadingCache< ZoomParams, Map< EventType, Long > > eventCountsCache
 
final EventDB eventDB
 
final LoadingCache< ZoomParams, List< EventStripe > > eventStripeCache
 
final ObservableMap< Long, String > hashSetMap = FXCollections.observableHashMap()
 
final LoadingCache< Long, SingleEvent > idToEventCache
 
final LoadingCache< Object, Long > maxCache
 
final LoadingCache< Object, Long > minCache
 
final FilteredEventsModel modelInstance
 
final ObservableList< TagName > tagNames = FXCollections.observableArrayList()
 
final Executor workerExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("eventrepository-worker-%d").build())
 

Static Private Attributes

static final Logger logger = Logger.getLogger(EventsRepository.class.getName())
 

Detailed Description

Provides a higher-level public API (over EventDB) to access events. In theory this insulates the rest of the timeline module from the details of the db implementation. Since there are no other implementations of the database or clients of this class, and no Java Interface defined yet, in practice this just delegates everything to the eventDB. Some results are also cached by this layer.

Concurrency Policy:

Since almost everything just delegates to the EventDB, which is internally synchronized, we only have to worry about rebuildRepository() which we synchronize on our intrinsic lock.

Definition at line 97 of file EventsRepository.java.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.timeline.db.EventsRepository.EventsRepository ( Case  autoCase,
ReadOnlyObjectProperty< ZoomParams >  currentStateProperty 
)

Member Function Documentation

synchronized Set<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.addTag ( long  objID,
Long  artifactID,
Tag  tag,
EventDB.EventTransaction  trans 
)
boolean org.sleuthkit.autopsy.timeline.db.EventsRepository.areFiltersEquivalent ( RootFilter  f1,
RootFilter  f2 
)

Definition at line 362 of file EventsRepository.java.

synchronized int org.sleuthkit.autopsy.timeline.db.EventsRepository.countAllEvents ( )

Definition at line 207 of file EventsRepository.java.

synchronized Map<EventType, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.countEvents ( ZoomParams  params)
synchronized Set<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.deleteTag ( long  objID,
Long  artifactID,
long  tagID,
boolean  tagged 
)
Case org.sleuthkit.autopsy.timeline.db.EventsRepository.getAutoCase ( )
Interval org.sleuthkit.autopsy.timeline.db.EventsRepository.getBoundingEventsInterval ( Interval  timeRange,
RootFilter  filter 
)
List<CombinedEvent> org.sleuthkit.autopsy.timeline.db.EventsRepository.getCombinedEvents ( Interval  timeRange,
RootFilter  filter 
)

Get a representation of all the events, within the given time range, that pass the given filter, grouped by time and description such that file system events for the same file, with the same timestamp, are combined together.

Parameters
timeRange: The Interval that all returned events must be within.
filter: The Filter that all returned events must pass.
Returns
A List of combined events, sorted by timestamp.

Definition at line 266 of file EventsRepository.java.

Referenced by org.sleuthkit.autopsy.timeline.datamodel.FilteredEventsModel.getCombinedEvents().

synchronized ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.getDatasourcesMap ( )
SingleEvent org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventById ( Long  eventID)
List<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventIDs ( Interval  timeRange,
RootFilter  filter 
)
List<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventIDsForArtifact ( BlackboardArtifact  artifact)

Get a List of event IDs for the events that are derived from the given artifact.

Parameters
artifact: The BlackboardArtifact to get derived event IDs for.
Returns
A List of event IDs for the events that are derived from the given artifact.

Definition at line 239 of file EventsRepository.java.

Referenced by org.sleuthkit.autopsy.timeline.datamodel.FilteredEventsModel.getEventIDsForArtifact().

List<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventIDsForFile ( AbstractFile  file,
boolean  includeDerivedArtifacts 
)

Get a List of event IDs for the events that are derived from the given file.

Parameters
file: The AbstractFile to get derived event IDs for.
includeDerivedArtifacts: If true, also get event IDs for events derived from artifacts derived from this file. If false, only gets events derived directly from this file (file system timestamps).
Returns
A List of event IDs for the events that are derived from the given file.

Definition at line 226 of file EventsRepository.java.

Referenced by org.sleuthkit.autopsy.timeline.datamodel.FilteredEventsModel.getEventIDsForFile().

synchronized Set<SingleEvent> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventsById ( Collection< Long >  eventIDs)
FilteredEventsModel org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventsModel ( )
Returns
a FilteredEventsModel object with this repository as the underlying source of events

Definition at line 141 of file EventsRepository.java.

References org.sleuthkit.autopsy.timeline.db.EventsRepository.modelInstance.

Referenced by org.sleuthkit.autopsy.timeline.TimeLineController.TimeLineController().

synchronized List<EventStripe> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventStripes ( ZoomParams  params)
synchronized ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.getHashSetMap ( )
Long org.sleuthkit.autopsy.timeline.db.EventsRepository.getMaxTime ( )
Returns
min time (in seconds from unix epoch)

Definition at line 170 of file EventsRepository.java.

Referenced by org.sleuthkit.autopsy.timeline.datamodel.FilteredEventsModel.getMaxTime().

Long org.sleuthkit.autopsy.timeline.db.EventsRepository.getMinTime ( )
Returns
max time (in seconds from unix epoch)

Definition at line 178 of file EventsRepository.java.

Referenced by org.sleuthkit.autopsy.timeline.datamodel.FilteredEventsModel.getMinTime().

Interval org.sleuthkit.autopsy.timeline.db.EventsRepository.getSpanningInterval ( Collection< Long >  eventIDs)
Map<String, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.getTagCountsByTagName ( Set< Long >  eventIDsWithTags)

get a count of tagnames applied to the given event ids as a map from tagname displayname to count of tag applications

Parameters
eventIDsWithTags: the event ids to get the tag counts map for
Returns
a map from tagname displayname to count of applications

Definition at line 286 of file EventsRepository.java.

Referenced by org.sleuthkit.autopsy.timeline.datamodel.FilteredEventsModel.getTagCountsByTagName().

ObservableList<TagName> org.sleuthkit.autopsy.timeline.db.EventsRepository.getTagNames ( )
boolean org.sleuthkit.autopsy.timeline.db.EventsRepository.hasNewColumns ( )

Definition at line 274 of file EventsRepository.java.

void org.sleuthkit.autopsy.timeline.db.EventsRepository.invalidateCaches ( )
private
synchronized void org.sleuthkit.autopsy.timeline.db.EventsRepository.invalidateCaches ( Set< Long >  updatedEventIDs)
private
synchronized void org.sleuthkit.autopsy.timeline.db.EventsRepository.populateFilterData ( SleuthkitCase  skCase)
private

use the given SleuthkitCase to update the data used to determine the available filters.

Parameters
skCase

Definition at line 296 of file EventsRepository.java.

Referenced by org.sleuthkit.autopsy.timeline.db.EventsRepository.DBPopulationWorker.call(), and org.sleuthkit.autopsy.timeline.db.EventsRepository.EventsRepository().

CancellationProgressTask<Void> org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildRepository ( Consumer< Worker.State >  onStateChange)

rebuild the entire repo.

Parameters
onStateChange: called when the background task changes state. Clients can use this to handle failure, or cleanup operations for example.
Returns
the task that will rebuild the repo in a background thread. The task has already been started.

Definition at line 378 of file EventsRepository.java.

References org.sleuthkit.autopsy.timeline.db.EventsRepository.DBPopulationMode.FULL.

Referenced by org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildTags().

CancellationProgressTask<Void> org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildRepository ( final DBPopulationMode  mode,
Consumer< Worker.State >  onStateChange 
)
private

rebuild the repo.

Parameters
mode: the rebuild mode to use.
onStateChange: called when the background task changes state. Clients can use this to handle failure, or cleanup operations for example.
Returns
the task that will rebuild the repo in a background thread. The task has already been started.

Definition at line 410 of file EventsRepository.java.

References org.sleuthkit.autopsy.timeline.db.EventsRepository.dbWorker.

CancellationProgressTask<Void> org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildTags ( Consumer< Worker.State >  onStateChange)

drop and rebuild the tags in the repo.

Parameters
onStateChange: called when the background task changes state. Clients can use this to handle failure, or cleanup operations for example.
Returns
the task that will rebuild the repo in a background thread. The task has already been started.

Definition at line 394 of file EventsRepository.java.

References org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildRepository(), and org.sleuthkit.autopsy.timeline.db.EventsRepository.DBPopulationMode.TAGS_ONLY.

void org.sleuthkit.autopsy.timeline.db.EventsRepository.syncTagsFilter ( TagsFilter  tagsFilter)

"sync" the given tags filter with the tagnames in use: Disable filters for tags that are not in use in the case, and add new filters for tags that don't have them. New filters are selected by default.

Parameters
tagsFilter: the tags filter to modify so it is consistent with the tags in use in the case

Definition at line 353 of file EventsRepository.java.

References org.sleuthkit.autopsy.timeline.filters.UnionFilter< SubFilterType extends Filter >.addSubFilter().

Member Data Documentation

final Case org.sleuthkit.autopsy.timeline.db.EventsRepository.autoCase
private
final ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.datasourcesMap = FXCollections.observableHashMap()
private
DBPopulationWorker org.sleuthkit.autopsy.timeline.db.EventsRepository.dbWorker
private
final LoadingCache<ZoomParams, Map<EventType, Long> > org.sleuthkit.autopsy.timeline.db.EventsRepository.eventCountsCache
private

Definition at line 110 of file EventsRepository.java.

final EventDB org.sleuthkit.autopsy.timeline.db.EventsRepository.eventDB
private

Definition at line 103 of file EventsRepository.java.

final LoadingCache<ZoomParams, List<EventStripe> > org.sleuthkit.autopsy.timeline.db.EventsRepository.eventStripeCache
private

Definition at line 111 of file EventsRepository.java.

final ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.hashSetMap = FXCollections.observableHashMap()
private
final LoadingCache<Long, SingleEvent> org.sleuthkit.autopsy.timeline.db.EventsRepository.idToEventCache
private

Definition at line 109 of file EventsRepository.java.

final Logger org.sleuthkit.autopsy.timeline.db.EventsRepository.logger = Logger.getLogger(EventsRepository.class.getName())
static private

Definition at line 99 of file EventsRepository.java.

final LoadingCache<Object, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.maxCache
private

Definition at line 107 of file EventsRepository.java.

final LoadingCache<Object, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.minCache
private

Definition at line 108 of file EventsRepository.java.

final FilteredEventsModel org.sleuthkit.autopsy.timeline.db.EventsRepository.modelInstance
private
final ObservableList<TagName> org.sleuthkit.autopsy.timeline.db.EventsRepository.tagNames = FXCollections.observableArrayList()
private
final Executor org.sleuthkit.autopsy.timeline.db.EventsRepository.workerExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("eventrepository-worker-%d").build())
private

Definition at line 101 of file EventsRepository.java.


The documentation for this class was generated from the following file:

Copyright © 2012-2016 Basis Technology. Generated on: Mon Jun 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.