Autopsy  4.8.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
QueryResults.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.keywordsearch;
20 
21 import java.util.ArrayList;
22 import java.util.Collection;
23 import java.util.HashMap;
24 import java.util.List;
25 import java.util.Map;
26 import java.util.Set;
27 import java.util.logging.Level;
28 import java.util.stream.Collectors;
29 import javax.swing.SwingWorker;
30 import org.apache.commons.lang.StringUtils;
31 import org.netbeans.api.progress.ProgressHandle;
32 import org.netbeans.api.progress.aggregate.ProgressContributor;
33 import org.openide.util.NbBundle;
34 import org.sleuthkit.autopsy.casemodule.Case;
35 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
36 import org.sleuthkit.autopsy.coreutils.EscapeUtil;
37 import org.sleuthkit.autopsy.coreutils.Logger;
38 import org.sleuthkit.autopsy.ingest.IngestMessage;
39 import org.sleuthkit.autopsy.ingest.IngestServices;
40 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
41 import org.sleuthkit.datamodel.AbstractFile;
42 import org.sleuthkit.datamodel.BlackboardArtifact;
43 import org.sleuthkit.datamodel.BlackboardAttribute;
44 import org.sleuthkit.datamodel.Content;
45 import org.sleuthkit.datamodel.SleuthkitCase;
46 import org.sleuthkit.datamodel.TskCoreException;
47 
54 class QueryResults {
55 
56  private static final Logger logger = Logger.getLogger(QueryResults.class.getName());
57  private static final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
58  private final KeywordSearchQuery query;
59  private final Map<Keyword, List<KeywordHit>> results = new HashMap<>();
60 
71  QueryResults(KeywordSearchQuery query) {
72  this.query = query;
73  }
74 
81  KeywordSearchQuery getQuery() {
82  return query;
83  }
84 
93  void addResult(Keyword keyword, List<KeywordHit> hits) {
94  results.put(keyword, hits);
95  }
96 
104  List<KeywordHit> getResults(Keyword keyword) {
105  return results.get(keyword);
106  }
107 
114  Set<Keyword> getKeywords() {
115  return results.keySet();
116  }
117 
147  void process(ProgressHandle progress, ProgressContributor subProgress, SwingWorker<?, ?> worker, boolean notifyInbox, boolean saveResults) {
148  /*
149  * Initialize the progress indicator to the number of keywords that will
150  * be processed.
151  */
152  if (null != progress) {
153  progress.start(getKeywords().size());
154  }
155 
156  /*
157  * Process the keyword hits for each keyword.
158  */
159  int keywordsProcessed = 0;
160  final Collection<BlackboardArtifact> hitArtifacts = new ArrayList<>();
161  for (final Keyword keyword : getKeywords()) {
162  /*
163  * Cancellation check.
164  */
165  if (worker.isCancelled()) {
166  logger.log(Level.INFO, "Processing cancelled, exiting before processing search term {0}", keyword.getSearchTerm()); //NON-NLS
167  break;
168  }
169 
170  /*
171  * Update the progress indicator and the show the current keyword
172  * via the progress contributor.
173  */
174  if (progress != null) {
175  progress.progress(keyword.toString(), keywordsProcessed);
176  }
177  if (subProgress != null) {
178  String hitDisplayStr = keyword.getSearchTerm();
179  if (hitDisplayStr.length() > 50) {
180  hitDisplayStr = hitDisplayStr.substring(0, 49) + "...";
181  }
182  subProgress.progress(query.getKeywordList().getName() + ": " + hitDisplayStr, keywordsProcessed);
183  }
184 
185  /*
186  * Reduce the hits for this keyword to one hit per text source
187  * object so that only one hit artifact is generated per text source
188  * object, no matter how many times the keyword was actually found.
189  */
190  for (KeywordHit hit : getOneHitPerTextSourceObject(keyword)) {
191  /*
192  * Get a snippet (preview) for the hit. Regex queries always
193  * have snippets made from the content_str pulled back from Solr
194  * for executing the search. Other types of queries may or may
195  * not have snippets yet.
196  */
197  String snippet = hit.getSnippet();
198  if (StringUtils.isBlank(snippet)) {
199  final String snippetQuery = KeywordSearchUtil.escapeLuceneQuery(keyword.getSearchTerm());
200  try {
201  snippet = LuceneQuery.querySnippet(snippetQuery, hit.getSolrObjectId(), hit.getChunkId(), !query.isLiteral(), true);
202  } catch (NoOpenCoreException e) {
203  logger.log(Level.SEVERE, "Solr core closed while executing snippet query " + snippetQuery, e); //NON-NLS
204  break; // Stop processing.
205  } catch (Exception e) {
206  logger.log(Level.SEVERE, "Error executing snippet query " + snippetQuery, e); //NON-NLS
207  continue; // Try processing the next hit.
208  }
209  }
210 
211  /*
212  * Get the content (file or artifact) that is the text source
213  * for the hit.
214  */
215  Content content = null;
216  try {
217  SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
218  content = tskCase.getContentById(hit.getContentID());
219  } catch (TskCoreException | NoCurrentCaseException tskCoreException) {
220  logger.log(Level.SEVERE, "Failed to get text source object for ", tskCoreException); //NON-NLS
221  }
222 
223  if (saveResults) {
224  /*
225  * Post an artifact for the hit to the blackboard.
226  */
227  BlackboardArtifact artifact = query.postKeywordHitToBlackboard(content, keyword, hit, snippet, query.getKeywordList().getName());
228 
229  /*
230  * Send an ingest inbox message for the hit.
231  */
232  if (null != artifact) {
233  hitArtifacts.add(artifact);
234  if (notifyInbox) {
235  try {
236  writeSingleFileInboxMessage(artifact, content);
237  } catch (TskCoreException ex) {
238  logger.log(Level.SEVERE, "Error sending message to ingest messages inbox", ex); //NON-NLS
239  }
240  }
241  }
242  }
243  }
244 
245  ++keywordsProcessed;
246  }
247 
248  /*
249  * Publish an event to notify subscribers of the blackboard posts. The
250  * artifacts are grouped by type, since they may contain both
251  * TSK_KEYWORD_HIT artifacts and TSK_ACCOUNT artifacts (for credit card
252  * account number hits).
253  */
254  if (!hitArtifacts.isEmpty()) {
255  hitArtifacts.stream()
256  // Group artifacts by type
257  .collect(Collectors.groupingBy(BlackboardArtifact::getArtifactTypeID))
258  // For each type send an event
259  .forEach((typeID, artifacts)
260  -> IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.fromID(typeID), artifacts)));
261 
262  }
263  }
264 
274  private Collection<KeywordHit> getOneHitPerTextSourceObject(Keyword keyword) {
275  /*
276  * For each Solr document (chunk) for a text source object, return only
277  * a single keyword hit from the first chunk of text (the one with the
278  * lowest chunk id).
279  */
280  HashMap< Long, KeywordHit> hits = new HashMap<>();
281  getResults(keyword).forEach((hit) -> {
282  if (!hits.containsKey(hit.getSolrObjectId())) {
283  hits.put(hit.getSolrObjectId(), hit);
284  } else if (hit.getChunkId() < hits.get(hit.getSolrObjectId()).getChunkId()) {
285  hits.put(hit.getSolrObjectId(), hit);
286  }
287  });
288  return hits.values();
289  }
290 
301  private void writeSingleFileInboxMessage(BlackboardArtifact artifact, Content hitContent) throws TskCoreException {
302  StringBuilder subjectSb = new StringBuilder(1024);
303  if (!query.isLiteral()) {
304  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExpHitLbl"));
305  } else {
306  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitLbl"));
307  }
308 
309  StringBuilder detailsSb = new StringBuilder(1024);
310  String uniqueKey = null;
311  BlackboardAttribute attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD));
312  if (attr != null) {
313  final String keyword = attr.getValueString();
314  subjectSb.append(keyword);
315  uniqueKey = keyword.toLowerCase();
316  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
317  detailsSb.append("<tr>"); //NON-NLS
318  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitThLbl"));
319  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(keyword)).append("</td>"); //NON-NLS
320  detailsSb.append("</tr>"); //NON-NLS
321  }
322 
323  //preview
324  attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW));
325  if (attr != null) {
326  detailsSb.append("<tr>"); //NON-NLS
327  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.previewThLbl"));
328  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append("</td>"); //NON-NLS
329  detailsSb.append("</tr>"); //NON-NLS
330  }
331 
332  //file
333  detailsSb.append("<tr>"); //NON-NLS
334  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.fileThLbl"));
335  if (hitContent instanceof AbstractFile) {
336  AbstractFile hitFile = (AbstractFile) hitContent;
337  detailsSb.append("<td>").append(hitFile.getParentPath()).append(hitFile.getName()).append("</td>"); //NON-NLS
338  } else {
339  detailsSb.append("<td>").append(hitContent.getName()).append("</td>"); //NON-NLS
340  }
341  detailsSb.append("</tr>"); //NON-NLS
342 
343  //list
344  attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
345  if (attr != null) {
346  detailsSb.append("<tr>"); //NON-NLS
347  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.listThLbl"));
348  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
349  detailsSb.append("</tr>"); //NON-NLS
350  }
351 
352  //regex
353  if (!query.isLiteral()) {
354  attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP));
355  if (attr != null) {
356  detailsSb.append("<tr>"); //NON-NLS
357  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExThLbl"));
358  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
359  detailsSb.append("</tr>"); //NON-NLS
360  }
361  }
362  detailsSb.append("</table>"); //NON-NLS
363 
364  IngestServices.getInstance().postMessage(IngestMessage.createDataMessage(MODULE_NAME, subjectSb.toString(), detailsSb.toString(), uniqueKey, artifact));
365  }
366 }

Copyright © 2012-2018 Basis Technology. Generated on: Thu Oct 4 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.