19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
21 import com.google.common.util.concurrent.ThreadFactoryBuilder;
22 import java.beans.PropertyChangeEvent;
23 import java.beans.PropertyChangeListener;
24 import static java.lang.Boolean.FALSE;
25 import java.util.ArrayList;
26 import java.util.Collection;
27 import java.util.LinkedHashSet;
28 import java.util.List;
29 import java.util.concurrent.ExecutorService;
30 import java.util.concurrent.Executors;
31 import java.util.logging.Level;
32 import java.util.stream.Collectors;
33 import org.openide.util.NbBundle;
// String forms of correlation attributes already handled. The visible code adds
// eamArtifact.toString() to this set (listing line 362) and empties it with clear() (listing line 322).
// NOTE(review): LinkedHashSet is not thread-safe. The add() appears to run inside DataAddedTask, which
// is submitted to jobProcessingExecutor, while the clear() follows the DATA_SOURCE_ANALYSIS_COMPLETED
// case of a listener. Confirm both run on the same thread or are otherwise guarded.
// NOTE(review): entries accumulate until that clear(), so the set grows with every distinct attribute
// seen during a long ingest. Confirm this is bounded in practice.
61 final Collection<String> recentlyAddedCeArtifacts =
new LinkedHashSet<>();
72 jobProcessingExecutor = Executors.newSingleThreadExecutor(
new ThreadFactoryBuilder().setNameFormat(INGEST_EVENT_THREAD_NAME).build());
100 correlationModuleInstanceCount++;
109 correlationModuleInstanceCount--;
117 synchronized static void resetCeModuleInstanceCount() {
118 correlationModuleInstanceCount = 0;
164 flagNotableItems = value;
173 flagSeenDevices = value;
182 createCrProperties = value;
185 @NbBundle.Messages({
"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
186 "IngestEventsListener.prevCaseComment.text=Previous Case: ",
187 "IngestEventsListener.ingestmodule.name=Correlation Engine"})
191 String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
// Attributes for the "Previously Tagged As Notable (Central Repository)" hit: the set name,
// a comment naming the earlier cases, and a reference to the artifact that matched.
193 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
194 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
195 Bundle.IngestEventsListener_prevTaggedSet_text()));
// Comment text is the IngestEventsListener.prevCaseComment.text message followed by the
// de-duplicated case display names joined with "," (empty prefix and suffix).
196 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
197 Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(
",",
"",
""))));
198 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID()));
200 SleuthkitCase tskCase = bbArtifact.getSleuthkitCase();
// NOTE(review): abstractFile is dereferenced at abstractFile.newArtifact(...) below and no null
// check is visible in this listing. Confirm getAbstractFileById cannot return null for this
// object ID, otherwise the hit is lost to an exception the visible catch clauses do not name.
201 AbstractFile abstractFile = tskCase.getAbstractFileById(bbArtifact.getObjectID());
202 org.
sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
// Create the TSK_INTERESTING_ARTIFACT_HIT only when artifactExists reports no artifact of that
// type with these attributes on the file, so the same hit is not posted twice.
204 if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT, attributes)) {
205 BlackboardArtifact tifArtifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
206 tifArtifact.addAttributes(attributes);
213 LOGGER.log(Level.SEVERE,
"Unable to index blackboard artifact " + tifArtifact.getArtifactID(), ex);
219 }
catch (TskCoreException ex) {
220 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardArtifact.", ex);
221 }
catch (IllegalStateException ex) {
222 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardAttribute.", ex);
232 @NbBundle.Messages({
"IngestEventsListener.prevExists.text=Previously Seen Devices (Central Repository)",
235 "IngestEventsListener.prevCount.text=Number of previous {0}: {1}"})
239 String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
241 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
242 BlackboardAttribute att =
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
243 Bundle.IngestEventsListener_prevExists_text());
245 attributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID()));
247 SleuthkitCase tskCase = bbArtifact.getSleuthkitCase();
// NOTE(review): the lookup below calls bbArtifact.getSleuthkitCase() again instead of reusing tskCase.
// NOTE(review): abstractFile is dereferenced at abstractFile.newArtifact(...) below and no null
// check is visible in this listing. Confirm getAbstractFileById cannot return null here.
248 AbstractFile abstractFile = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
249 org.
sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
// Create the TSK_INTERESTING_ARTIFACT_HIT only when artifactExists reports no artifact of that
// type with these attributes on the file, so the same hit is not posted twice.
251 if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT, attributes)) {
252 BlackboardArtifact tifArtifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
253 tifArtifact.addAttributes(attributes);
260 LOGGER.log(Level.SEVERE,
"Unable to index blackboard artifact " + tifArtifact.getArtifactID(), ex);
266 }
catch (TskCoreException ex) {
267 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardArtifact.", ex);
268 }
catch (IllegalStateException ex) {
269 LOGGER.log(Level.SEVERE,
"Failed to create BlackboardAttribute.", ex);
285 LOGGER.log(Level.SEVERE,
"Failed to connect to Central Repository database.", ex);
294 jobProcessingExecutor.submit(
new DataAddedTask(dbManager, evt, flagNotable, flagPrevious, createAttributes));
307 case DATA_SOURCE_ANALYSIS_COMPLETED: {
322 recentlyAddedCeArtifacts.clear();
331 private final PropertyChangeEvent
event;
336 private DataAddedTask(
EamDb db, PropertyChangeEvent evt,
boolean flagNotableItemsEnabled,
boolean flagPreviousItemsEnabled,
boolean createCorrelationAttributes) {
350 Collection<BlackboardArtifact> bbArtifacts = mde.
getArtifacts();
351 if (null == bbArtifacts) {
354 List<CorrelationAttributeInstance> eamArtifacts =
new ArrayList<>();
356 for (BlackboardArtifact bbArtifact : bbArtifacts) {
362 if (recentlyAddedCeArtifacts.add(eamArtifact.toString())) {
367 if (flagNotableItemsEnabled) {
368 List<String> caseDisplayNames;
371 if (!caseDisplayNames.isEmpty()) {
// NOTE(review): the message embeds eamArtifact.toString(). If that string includes the correlated
// value, case data is written to the application log at INFO with the stack trace. Confirm
// that is acceptable for where these logs are stored and shared.
376 LOGGER.log(Level.INFO, String.format(
"Unable to flag notable item: %s.", eamArtifact.toString()), ex);
379 if (flagPreviousItemsEnabled
387 if (countPreviousOccurences > 0) {
// NOTE(review): this is the same "Unable to flag notable item" text as the log call above, yet it
// follows the flagPreviousItemsEnabled / countPreviousOccurences checks. The two failures cannot
// be told apart in the log. Confirm whether the wording should name the previously-seen path.
391 LOGGER.log(Level.INFO, String.format(
"Unable to flag notable item: %s.", eamArtifact.toString()), ex);
394 if (createCorrelationAttributes) {
395 eamArtifacts.add(eamArtifact);
399 LOGGER.log(Level.SEVERE,
"Error counting notable artifacts.", ex);
403 if (FALSE == eamArtifacts.isEmpty()) {
408 LOGGER.log(Level.SEVERE,
"Error adding artifact to database.", ex);
Collection< BlackboardArtifact > getArtifacts()
void removeIngestModuleEventListener(final PropertyChangeListener listener)
static List< CorrelationAttributeInstance > makeInstancesFromBlackboardArtifact(BlackboardArtifact artifact, boolean checkEnabled)
static boolean flagSeenDevices
final ExecutorService jobProcessingExecutor
static final int USBID_TYPE_ID
static synchronized IngestManager getInstance()
static synchronized int getCeModuleInstanceCount()
static final Logger LOGGER
DataAddedTask(EamDb db, PropertyChangeEvent evt, boolean flagNotableItemsEnabled, boolean flagPreviousItemsEnabled, boolean createCorrelationAttributes)
static final int ICCID_TYPE_ID
static synchronized boolean isFlagSeenDevices()
List< String > getListCasesHavingArtifactInstancesKnownBad(CorrelationAttributeInstance.Type aType, String value)
static synchronized void setCreateCrProperties(boolean value)
Long getCountArtifactInstancesByTypeValue(CorrelationAttributeInstance.Type aType, String value)
boolean isIngestRunning()
final PropertyChangeListener pcl1
static final int IMEI_TYPE_ID
static boolean createCrProperties
static synchronized boolean isFlagNotableItems()
void removeIngestJobEventListener(final PropertyChangeListener listener)
final boolean createCorrelationAttributes
static void shutDownTaskExecutor(ExecutorService executor)
void uninstallListeners()
final PropertyChangeEvent event
static EamDb getInstance()
void addIngestJobEventListener(final PropertyChangeListener listener)
final boolean flagNotableItemsEnabled
static synchronized void setFlagSeenDevices(boolean value)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
void propertyChange(PropertyChangeEvent evt)
static boolean isEnabled()
static final String INGEST_EVENT_THREAD_NAME
void propertyChange(PropertyChangeEvent evt)
static int correlationModuleInstanceCount
static synchronized void setFlagNotableItems(boolean value)
static final int MAC_TYPE_ID
Blackboard getBlackboard()
static final int IMSI_TYPE_ID
void addIngestModuleEventListener(final PropertyChangeListener listener)
synchronized void indexArtifact(BlackboardArtifact artifact)
synchronized static Logger getLogger(String name)
static Case getCurrentCaseThrows()
static boolean flagNotableItems
static synchronized boolean shouldCreateCrProperties()
final boolean flagPreviousItemsEnabled
static void postCorrelatedBadArtifactToBlackboard(BlackboardArtifact bbArtifact, List< String > caseDisplayNames)
static synchronized void incrementCorrelationEngineModuleCount()
static synchronized void decrementCorrelationEngineModuleCount()
final PropertyChangeListener pcl2
void addArtifactInstance(CorrelationAttributeInstance eamArtifact)
static void postCorrelatedPreviousArtifactToBlackboard(BlackboardArtifact bbArtifact)
static synchronized IngestServices getInstance()