Autopsy  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
org.sleuthkit.autopsy.timeline.db.EventDB Class Reference

Classes

class  EventTransaction
 

Public Member Functions

void finalize () throws Throwable
 
Interval getSpanningInterval (Collection< Long > eventIDs)
 

Static Public Member Functions

static EventDB getEventDB (Case autoCase)
 

Private Member Functions

 EventDB (Case autoCase) throws SQLException, Exception
 
void closeStatements () throws SQLException
 
void configureDB () throws SQLException
 
SingleEvent constructTimeLineEvent (ResultSet rs) throws SQLException
 
Map< EventType, Long > countEventsByType (Long startTime, Long endTime, RootFilter filter, EventTypeZoomLevel zoomLevel)
 
void createIndex (final String tableName, final List< String > columnList)
 
EventCluster eventClusterHelper (ResultSet rs, boolean useSubTypes, DescriptionLoD descriptionLOD, TagsFilter filter) throws SQLException
 
boolean hasDataSourceIDColumn ()
 
boolean hasDBColumn (@Nonnull final String dbColumn)
 
boolean hasHashHitColumn ()
 
boolean hasTaggedColumn ()
 
void initializeTagsTable ()
 
void insertTag (Tag tag, long eventID) throws SQLException
 
Set< Long > markEventsTagged (long objectID,@Nullable Long artifactID, boolean tagged) throws SQLException
 
PreparedStatement prepareStatement (String queryString) throws SQLException
 

Static Private Member Functions

static List< EventStripe > mergeClustersToStripes (Period timeUnitLength, List< EventCluster > preMergedEvents)
 
static String typeColumnHelper (final boolean useSubTypes)
 

Private Attributes

volatile Connection con
 
PreparedStatement countAllEventsStmt
 
final Lock DBLock = new ReentrantReadWriteLock(true).writeLock()
 
final String dbPath
 
PreparedStatement deleteTagStmt
 
PreparedStatement dropDBInfoTableStmt
 
PreparedStatement dropEventsTableStmt
 
PreparedStatement dropHashSetHitsTableStmt
 
PreparedStatement dropHashSetsTableStmt
 
PreparedStatement dropTagsTableStmt
 
PreparedStatement getDataSourceIDsStmt
 
PreparedStatement getEventByIDStmt
 
PreparedStatement getHashSetNamesStmt
 
PreparedStatement getMaxTimeStmt
 
PreparedStatement getMinTimeStmt
 
PreparedStatement insertHashHitStmt
 
PreparedStatement insertHashSetStmt
 
PreparedStatement insertRowStmt
 
PreparedStatement insertTagStmt
 
final Set< PreparedStatement > preparedStatements = new HashSet<>()
 
PreparedStatement selectEventIDsBYObjectAndArtifactIDStmt
 
PreparedStatement selectHashSetStmt
 
PreparedStatement selectNonArtifactEventIDsByObjectIDStmt
 

Static Private Attributes

static final org.sleuthkit.autopsy.coreutils.Logger LOGGER = Logger.getLogger(EventDB.class.getName())
 

Detailed Description

Provides access to the Timeline SQLite database.

This class borrows a lot of ideas and techniques from SleuthkitCase. Creating an abstract base class for SQLite databases, or using a higher-level persistence API, may make sense in the future.

Definition at line 88 of file EventDB.java.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.timeline.db.EventDB.EventDB ( Case  autoCase) throws SQLException, Exception
private

Definition at line 150 of file EventDB.java.

Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.getEventDB().

Member Function Documentation

void org.sleuthkit.autopsy.timeline.db.EventDB.closeStatements ( ) throws SQLException
private

Definition at line 1040 of file EventDB.java.

void org.sleuthkit.autopsy.timeline.db.EventDB.configureDB ( ) throws SQLException
private

Definition at line 1046 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

SingleEvent org.sleuthkit.autopsy.timeline.db.EventDB.constructTimeLineEvent ( ResultSet  rs) throws SQLException
private

Map<EventType, Long> org.sleuthkit.autopsy.timeline.db.EventDB.countEventsByType ( Long  startTime,
Long  endTime,
RootFilter  filter,
EventTypeZoomLevel  zoomLevel 
)
private

Count all the events with the given options and return a map organizing the counts in a hierarchy from date > eventtype > count.

Parameters
startTime: events before this time will be excluded (seconds from unix epoch)
endTime: events at or after this time will be excluded (seconds from unix epoch)
filter: only events that pass this filter will be counted
zoomLevel: only events of this type or a subtype will be counted and the counts will be organized into bins for each of the subtypes of the given event type
Returns
a map organizing the counts in a hierarchy from date > eventtype > count

Definition at line 1105 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes, org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER, org.sleuthkit.autopsy.timeline.zooming.EventTypeZoomLevel.SUB_TYPE, and org.sleuthkit.autopsy.timeline.db.EventDB.typeColumnHelper().

void org.sleuthkit.autopsy.timeline.db.EventDB.createIndex ( final String  tableName,
final List< String >  columnList 
)
private
Parameters
tableName: the value of tableName
columnList: the value of columnList

Definition at line 758 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

EventCluster org.sleuthkit.autopsy.timeline.db.EventDB.eventClusterHelper ( ResultSet  rs,
boolean  useSubTypes,
DescriptionLoD  descriptionLOD,
TagsFilter  filter 
) throws SQLException
private

map a single row in a ResultSet to an EventCluster

Parameters
rs: the result set whose current row should be mapped
useSubTypes: use the sub_type column if true, else use the base_type column
descriptionLOD: the description level of detail for this event
filter
Returns
an AggregateEvent corresponding to the current row in the given result set
Exceptions
SQLException

Definition at line 1224 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes, and org.sleuthkit.autopsy.timeline.TimeLineController.getJodaTimeZone().

void org.sleuthkit.autopsy.timeline.db.EventDB.finalize ( ) throws Throwable

Definition at line 157 of file EventDB.java.

static EventDB org.sleuthkit.autopsy.timeline.db.EventDB.getEventDB ( Case  autoCase)
static

public factory method. Creates and opens a connection to a database at the given path. If a database does not already exist at that path, one is created.

Parameters
autoCase: the Autopsy Case this events database is for.
Returns
a new EventDB or null if there was an error.

Definition at line 110 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.db.EventDB.EventDB(), and org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

Referenced by org.sleuthkit.autopsy.timeline.db.EventsRepository.EventsRepository().

Interval org.sleuthkit.autopsy.timeline.db.EventDB.getSpanningInterval ( Collection< Long >  eventIDs)

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasDataSourceIDColumn ( )
private

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn ( @Nonnull final String  dbColumn)
private

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasHashHitColumn ( )
private

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasTaggedColumn ( )
private

void org.sleuthkit.autopsy.timeline.db.EventDB.initializeTagsTable ( )
private

create the tags table if it doesn't already exist. This is broken out as a separate method so it can be used by reInitializeTags()

Definition at line 739 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

void org.sleuthkit.autopsy.timeline.db.EventDB.insertTag ( Tag  tag,
long  eventID 
) throws SQLException
private

insert this tag into the db

NOTE: does not lock the db, must be called from inside a DBLock.lock/unlock pair

Parameters
tag: the tag to insert
eventID: the event id that this tag is applied to.
Exceptions
SQLException: if there was a problem executing insert

Definition at line 941 of file EventDB.java.

Set<Long> org.sleuthkit.autopsy.timeline.db.EventDB.markEventsTagged ( long  objectID,
@Nullable Long  artifactID,
boolean  tagged 
) throws SQLException
private

mark any events with the given object and artifact ids as tagged, and record the tag itself.

NOTE: does not lock the db, must be called from inside a DBLock.lock/unlock pair

Parameters
objectID: the obj_id that this tag applies to, the id of the content that the artifact is derived from for artifact tags
artifactID: the artifact_id that this tag applies to, or null if this is a content tag
tagged: true to mark the matching events tagged, false to mark them as untagged
Returns
the event ids that match the object/artifact pair
Exceptions
SQLException: if there is an error marking the events as (un)tagged

Definition at line 1004 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.db.EventDB.selectEventIDsBYObjectAndArtifactIDStmt, and org.sleuthkit.autopsy.timeline.db.EventDB.selectNonArtifactEventIDsByObjectIDStmt.

static List<EventStripe> org.sleuthkit.autopsy.timeline.db.EventDB.mergeClustersToStripes ( Period  timeUnitLength,
List< EventCluster >  preMergedEvents 
)
static private

merge the events in the given list if they are within the same period. General algorithm is as follows:

1) sort them into a map from (type, description) -> List<aggevent>
2) for each key in map, merge the events and accumulate them in a list to return

Parameters
timeUnitLength
preMergedEvents
Returns

Definition at line 1250 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.datamodel.EventCluster.getSpan(), org.sleuthkit.autopsy.timeline.datamodel.EventStripe.getStartMillis(), org.sleuthkit.autopsy.timeline.datamodel.EventStripe.merge(), and org.sleuthkit.autopsy.timeline.datamodel.EventCluster.merge().

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.prepareStatement ( String  queryString) throws SQLException
private

Definition at line 1305 of file EventDB.java.

static String org.sleuthkit.autopsy.timeline.db.EventDB.typeColumnHelper ( final boolean  useSubTypes)
static private

Member Data Documentation

volatile Connection org.sleuthkit.autopsy.timeline.db.EventDB.con
private

Definition at line 122 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.countAllEventsStmt
private

Definition at line 137 of file EventDB.java.

final Lock org.sleuthkit.autopsy.timeline.db.EventDB.DBLock = new ReentrantReadWriteLock(true).writeLock()
private

Definition at line 148 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.db.EventDB.dbPath
private

Definition at line 124 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.deleteTagStmt
private

Definition at line 135 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropDBInfoTableStmt
private

Definition at line 142 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropEventsTableStmt
private

Definition at line 138 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropHashSetHitsTableStmt
private

Definition at line 139 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropHashSetsTableStmt
private

Definition at line 140 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropTagsTableStmt
private

Definition at line 141 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getDataSourceIDsStmt
private

Definition at line 129 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getEventByIDStmt
private

Definition at line 126 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getHashSetNamesStmt
private

Definition at line 130 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getMaxTimeStmt
private

Definition at line 127 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getMinTimeStmt
private

Definition at line 128 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertHashHitStmt
private

Definition at line 133 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertHashSetStmt
private

Definition at line 132 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertRowStmt
private

Definition at line 131 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertTagStmt
private

Definition at line 134 of file EventDB.java.

final org.sleuthkit.autopsy.coreutils.Logger org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER = Logger.getLogger(EventDB.class.getName())
static private

final Set<PreparedStatement> org.sleuthkit.autopsy.timeline.db.EventDB.preparedStatements = new HashSet<>()
private

Definition at line 146 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.selectEventIDsBYObjectAndArtifactIDStmt
private

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.selectHashSetStmt
private

Definition at line 136 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.selectNonArtifactEventIDsByObjectIDStmt
private

The documentation for this class was generated from the following file:

Copyright © 2012-2018 Basis Technology. Generated on: Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.