19 package org.sleuthkit.autopsy.datamodel;
21 import java.beans.PropertyChangeEvent;
22 import java.beans.PropertyChangeListener;
23 import java.util.ArrayList;
24 import java.util.Arrays;
25 import java.util.EnumSet;
26 import java.util.List;
27 import java.util.Objects;
28 import java.util.Observable;
29 import java.util.Observer;
31 import java.util.logging.Level;
32 import javax.swing.JOptionPane;
33 import javax.swing.SwingUtilities;
34 import org.openide.nodes.AbstractNode;
35 import org.openide.nodes.ChildFactory;
36 import org.openide.nodes.Children;
37 import org.openide.nodes.Node;
38 import org.openide.nodes.Sheet;
39 import org.openide.util.NbBundle;
40 import org.openide.util.lookup.Lookups;
41 import org.openide.windows.WindowManager;
68 @NbBundle.Messages({
"DeletedContent.fsDelFilter.text=File System",
69 "DeletedContent.allDelFilter.text=All"})
72 FS_DELETED_FILTER(0,
"FS_DELETED_FILTER",
73 Bundle.DeletedContent_fsDelFilter_text()),
74 ALL_DELETED_FILTER(1,
"ALL_DELETED_FILTER",
75 Bundle.DeletedContent_allDelFilter_text());
84 this.displayName = displayName;
97 return this.displayName;
102 return visitor.
visit(
this);
112 this.datasourceObjId = dsObjId;
115 long filteringDataSourceObjId() {
120 public <T> T accept(AutopsyItemVisitor<T> visitor) {
121 return visitor.visit(
this);
130 @NbBundle.Messages(
"DeletedContent.deletedContentsNode.name=Deleted Files")
131 private static final String
NAME = Bundle.DeletedContent_deletedContentsNode_name();
136 super.setDisplayName(NAME);
137 this.setIconBaseWithExtension(
"org/sleuthkit/autopsy/images/file-icon-deleted.png");
147 return visitor.
visit(
this);
152 "DeletedContent.createSheet.name.displayName=Name",
153 "DeletedContent.createSheet.name.desc=no description"})
155 Sheet sheet = super.createSheet();
156 Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);
157 if (sheetSet == null) {
158 sheetSet = Sheet.createPropertiesSet();
163 Bundle.DeletedContent_createSheet_name_displayName(),
164 Bundle.DeletedContent_createSheet_name_desc(),
171 return getClass().getName();
185 this.datasourceObjId = dsObjId;
212 private final PropertyChangeListener
pcl = (PropertyChangeEvent evt) -> {
213 String eventType = evt.getPropertyName();
252 if (evt.getNewValue() == null) {
255 maxFilesDialogShown =
false;
267 protected boolean createKeys(List<DeletedContent.DeletedContentFilter> list) {
285 super(Children.create(
new DeletedContentChildren(
filter, skCase, null, dsObjId ),
true), Lookups.singleton(
filter.getDisplayName()));
287 this.datasourceObjId = dsObjId;
292 super(Children.create(
new DeletedContentChildren(
filter, skCase, o, dsObjId),
true), Lookups.singleton(
filter.getDisplayName()));
294 this.datasourceObjId = dsObjId;
296 o.addObserver(
new DeletedContentNodeObserver());
300 super.setName(
filter.getName());
302 String tooltip =
filter.getDisplayName();
303 this.setShortDescription(tooltip);
304 this.setIconBaseWithExtension(
"org/sleuthkit/autopsy/images/file-icon-deleted.png");
312 public void update(Observable o, Object arg) {
319 final long count = DeletedContentChildren.calculateItems(skCase,
filter, datasourceObjId);
321 super.setDisplayName(
filter.getDisplayName() +
" (" + count +
")");
326 return visitor.
visit(
this);
331 "DeletedContent.createSheet.filterType.displayName=Type",
332 "DeletedContent.createSheet.filterType.desc=no description"})
334 Sheet sheet = super.createSheet();
335 Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);
336 if (sheetSet == null) {
337 sheetSet = Sheet.createPropertiesSet();
342 Bundle.DeletedContent_createSheet_filterType_displayName(),
343 Bundle.DeletedContent_createSheet_filterType_desc(),
344 filter.getDisplayName()));
364 static class DeletedContentChildren
extends ChildFactory.Detachable<AbstractFile> {
366 private final SleuthkitCase
skCase;
369 private static final int MAX_OBJECTS = 10001;
375 this.filter = filter;
380 private final Observer observer =
new DeletedContentChildrenObserver();
386 public void update(Observable o, Object arg) {
392 protected void addNotify() {
393 if (notifier != null) {
394 notifier.addObserver(observer);
399 protected void removeNotify() {
400 if (notifier != null) {
401 notifier.deleteObserver(observer);
406 @NbBundle.Messages({
"# {0} - The deleted files threshold",
407 "DeletedContent.createKeys.maxObjects.msg="
408 +
"There are more Deleted Files than can be displayed."
409 +
" Only the first {0} Deleted Files will be shown."})
410 protected boolean createKeys(List<AbstractFile> list) {
411 List<AbstractFile> queryList = runFsQuery();
412 if (queryList.size() == MAX_OBJECTS) {
413 queryList.remove(queryList.size() - 1);
415 if (maxFilesDialogShown ==
false) {
416 maxFilesDialogShown =
true;
417 SwingUtilities.invokeLater(()
418 -> JOptionPane.showMessageDialog(WindowManager.getDefault().getMainWindow(),
419 DeletedContent_createKeys_maxObjects_msg(MAX_OBJECTS - 1))
423 list.addAll(queryList);
427 static private String makeQuery(
DeletedContent.DeletedContentFilter filter,
long filteringDSObjId) {
430 case FS_DELETED_FILTER:
431 query =
"dir_flags = " + TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC.getValue()
432 +
" AND meta_flags != " + TskData.TSK_FS_META_FLAG_ENUM.ORPHAN.getValue()
433 +
" AND type = " + TskData.TSK_DB_FILES_TYPE_ENUM.FS.getFileType();
436 case ALL_DELETED_FILTER:
439 +
"(dir_flags = " + TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC.getValue()
441 +
"meta_flags = " + TskData.TSK_FS_META_FLAG_ENUM.ORPHAN.getValue()
443 +
" AND type = " + TskData.TSK_DB_FILES_TYPE_ENUM.FS.getFileType()
445 +
" OR type = " + TskData.TSK_DB_FILES_TYPE_ENUM.CARVED.getFileType()
456 logger.log(Level.SEVERE,
"Unsupported filter type to get deleted content: {0}", filter);
460 if (UserPreferences.hideKnownFilesInViewsTree()) {
461 query +=
" AND (known != " + TskData.FileKnown.KNOWN.getFileKnownValue()
462 +
" OR known IS NULL)";
465 if (Objects.equals(CasePreferences.getGroupItemsInTreeByDataSource(),
true)) {
466 query +=
" AND data_source_obj_id = " + filteringDSObjId;
469 query +=
" LIMIT " + MAX_OBJECTS;
473 private List<AbstractFile> runFsQuery() {
474 List<AbstractFile> ret =
new ArrayList<>();
476 String query = makeQuery(filter, datasourceObjId);
478 ret = skCase.findAllFilesWhere(query);
479 }
catch (TskCoreException e) {
480 logger.log(Level.SEVERE,
"Error getting files for the deleted content view using: " + query, e);
495 static long calculateItems(SleuthkitCase sleuthkitCase,
DeletedContent.DeletedContentFilter filter,
long datasourceObjId) {
497 return sleuthkitCase.countFilesWhere(makeQuery(filter, datasourceObjId));
498 }
catch (TskCoreException ex) {
499 logger.log(Level.SEVERE,
"Error getting deleted files search view count", ex);
506 return key.accept(
new ContentVisitor.Default<AbstractNode>() {
507 public FileNode visit(AbstractFile f) {
508 return new FileNode(f, false);
511 public FileNode visit(FsContent f) {
512 return new FileNode(f,
false);
516 public FileNode visit(LayoutFile f) {
517 return new FileNode(f,
false);
521 public FileNode visit(File f) {
522 return new FileNode(f,
false);
526 public FileNode visit(Directory f) {
527 return new FileNode(f,
false);
531 protected AbstractNode defaultVisit(Content di) {
532 throw new UnsupportedOperationException(
"Not supported for this type of Displayable Item: " + di.toString());
void removeIngestModuleEventListener(final PropertyChangeListener listener)
static synchronized IngestManager getInstance()
public< T > T accept(AutopsyItemVisitor< T > visitor)
void update(Observable o, Object arg)
static volatile boolean maxFilesDialogShown
static final Set< Case.Events > CASE_EVENTS_OF_INTEREST
final long datasourceObjId
T visit(DataSourcesNode in)
final DeletedContent.DeletedContentFilter filter
void removeIngestJobEventListener(final PropertyChangeListener listener)
DeletedContentFilter(int id, String name, String displayName)
boolean createKeys(List< DeletedContent.DeletedContentFilter > list)
SleuthkitCase getSleuthkitCase()
void addIngestJobEventListener(final PropertyChangeListener listener)
final PropertyChangeListener pcl
final long datasourceObjId
void addIngestModuleEventListener(final PropertyChangeListener listener)
synchronized static Logger getLogger(String name)
static Case getCurrentCaseThrows()
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Node createNodeForKey(DeletedContent.DeletedContentFilter key)
DeletedContent(SleuthkitCase skCase)
DeletedContentsChildren(SleuthkitCase skCase, long dsObjId)
final long datasourceObjId
void update(Observable o, Object arg)
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
DeletedContent(SleuthkitCase skCase, long dsObjId)