19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
21 import com.google.common.util.concurrent.ThreadFactoryBuilder;
22 import java.beans.PropertyChangeEvent;
23 import java.beans.PropertyChangeListener;
24 import static java.lang.Boolean.FALSE;
25 import java.util.ArrayList;
26 import java.util.Collection;
27 import java.util.LinkedHashSet;
28 import java.util.List;
29 import java.util.concurrent.ExecutorService;
30 import java.util.concurrent.Executors;
31 import java.util.logging.Level;
32 import java.util.stream.Collectors;
33 import org.openide.util.NbBundle;
// Set of keys already handed to the Central Repository path. The data-added task calls
// recentlyAddedCeArtifacts.add(eamArtifact.toString()) and enters its guarded block only when
// add() returns true, i.e. when that key has not been seen before. The set is emptied by a
// recentlyAddedCeArtifacts.clear() call elsewhere in this class.
// NOTE(review): LinkedHashSet is not thread-safe and no synchronization around it is visible in
// this listing; presumably every access runs on the single-threaded jobProcessingExecutor.
// Confirm, because a concurrent add()/clear() could corrupt the set or let duplicates through.
60 final Collection<String> recentlyAddedCeArtifacts =
new LinkedHashSet<>();
// Single worker thread whose name comes from INGEST_EVENT_THREAD_NAME. A single-thread executor
// runs submitted tasks one at a time, in submission order, so tasks queued here never overlap
// with each other.
69 jobProcessingExecutor = Executors.newSingleThreadExecutor(
new ThreadFactoryBuilder().setNameFormat(INGEST_EVENT_THREAD_NAME).build());
97 correlationModuleInstanceCount++;
106 correlationModuleInstanceCount--;
/**
 * Sets correlationModuleInstanceCount back to zero.
 *
 * Declared static synchronized, so the write happens while holding the class monitor.
 */
114 synchronized static void resetCeModuleInstanceCount() {
115 correlationModuleInstanceCount = 0;
143 flagNotableItems = value;
146 @NbBundle.Messages({
"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
147 "IngestEventsListener.prevCaseComment.text=Previous Case: ",
148 "IngestEventsListener.ingestmodule.name=Correlation Engine"})
// Creates a TSK_INTERESTING_ARTIFACT_HIT artifact on the AbstractFile looked up from
// bbArtifact.getObjectID(), and attaches attributes describing the earlier notable hit.
// NOTE(review): no null check on af is visible between this lookup and af.newArtifact(...) below.
// Confirm getAbstractFileById cannot return null for this object ID; a NullPointerException would
// not be handled by either catch clause visible further down (TskCoreException,
// IllegalStateException).
152 AbstractFile af = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
153 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
// Localized module name from the IngestEventsListener.ingestmodule.name bundle key; passed as the
// source-module argument of every attribute created below.
154 String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
155 BlackboardArtifact tifArtifact = af.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
// Set-name attribute carrying the IngestEventsListener.prevTaggedSet.text bundle message.
156 BlackboardAttribute att =
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
157 Bundle.IngestEventsListener_prevTaggedSet_text());
// Comment attribute: the prevCaseComment prefix followed by the distinct case display names,
// comma-separated. The empty prefix and suffix passed to joining(...) add nothing to the result.
158 BlackboardAttribute att2 =
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
159 Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(
",",
"",
"")));
// NOTE(review): source line 160 is not part of this listing; att is presumably added to
// attributes there. Confirm against the full file.
161 attributes.add(att2);
// Links the new artifact back to the artifact that triggered it, by artifact ID.
162 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID()));
164 tifArtifact.addAttributes(attributes);
170 LOGGER.log(Level.SEVERE,
"Unable to index blackboard artifact " + tifArtifact.getArtifactID(), ex);
175 }
catch (TskCoreException ex) {
176 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardArtifact.", ex);
177 }
catch (IllegalStateException ex) {
178 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardAttribute.", ex);
191 LOGGER.log(Level.SEVERE,
"Failed to connect to Central Repository database.", ex);
209 case DATA_SOURCE_ANALYSIS_COMPLETED: {
224 recentlyAddedCeArtifacts.clear();
233 private final PropertyChangeEvent
event;
248 Collection<BlackboardArtifact> bbArtifacts = mde.
getArtifacts();
249 if (null == bbArtifacts) {
252 List<CorrelationAttributeInstance> eamArtifacts =
new ArrayList<>();
254 for (BlackboardArtifact bbArtifact : bbArtifacts) {
260 if (recentlyAddedCeArtifacts.add(eamArtifact.toString())) {
265 if (flagNotableItemsEnabled) {
266 List<String> caseDisplayNames;
269 if (!caseDisplayNames.isEmpty()) {
// Logged at INFO together with the exception, so the stack trace is recorded as well.
// NOTE(review): the whole eamArtifact.toString() goes into the application log. What that string
// contains is not visible in this listing; if it includes the correlation value, evidence-derived
// data ends up in log files. Confirm that is acceptable, or log an identifier instead.
274 LOGGER.log(Level.INFO, String.format(
"Unable to flag notable item: %s.", eamArtifact.toString()), ex);
277 eamArtifacts.add(eamArtifact);
280 LOGGER.log(Level.SEVERE,
"Error counting notable artifacts.", ex);
284 if (FALSE == eamArtifacts.isEmpty()) {
289 LOGGER.log(Level.SEVERE,
"Error adding artifact to database.", ex);
Collection< BlackboardArtifact > getArtifacts()
void removeIngestModuleEventListener(final PropertyChangeListener listener)
final ExecutorService jobProcessingExecutor
static synchronized IngestManager getInstance()
static synchronized int getCeModuleInstanceCount()
static final Logger LOGGER
List< String > getListCasesHavingArtifactInstancesKnownBad(CorrelationAttributeInstance.Type aType, String value)
final PropertyChangeListener pcl1
static synchronized boolean isFlagNotableItems()
void removeIngestJobEventListener(final PropertyChangeListener listener)
static List< CorrelationAttributeInstance > makeInstancesFromBlackboardArtifact(BlackboardArtifact bbArtifact, boolean checkEnabled)
static void shutDownTaskExecutor(ExecutorService executor)
void uninstallListeners()
final PropertyChangeEvent event
static EamDb getInstance()
void addIngestJobEventListener(final PropertyChangeListener listener)
final boolean flagNotableItemsEnabled
DataAddedTask(EamDb db, PropertyChangeEvent evt, boolean flagNotableItemsEnabled)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
void propertyChange(PropertyChangeEvent evt)
static boolean isEnabled()
static final String INGEST_EVENT_THREAD_NAME
void propertyChange(PropertyChangeEvent evt)
static int correlationModuleInstanceCount
static synchronized void setFlagNotableItems(boolean value)
Blackboard getBlackboard()
void addIngestModuleEventListener(final PropertyChangeListener listener)
synchronized void indexArtifact(BlackboardArtifact artifact)
synchronized static Logger getLogger(String name)
static Case getCurrentCaseThrows()
static boolean flagNotableItems
static void postCorrelatedBadArtifactToBlackboard(BlackboardArtifact bbArtifact, List< String > caseDisplayNames)
static synchronized void incrementCorrelationEngineModuleCount()
static synchronized void decrementCorrelationEngineModuleCount()
final PropertyChangeListener pcl2
void addArtifactInstance(CorrelationAttributeInstance eamArtifact)
static synchronized IngestServices getInstance()