Autopsy  3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector Class Reference

Classes

class  FileTypeDetectorInitException
 

Public Member Functions

 FileTypeDetector () throws FileTypeDetectorInitException
 
boolean isDetectable (String mimeType)
 
String getFileType (AbstractFile file) throws TskCoreException
 
String detectAndPostToBlackboard (AbstractFile file) throws TskCoreException
 
String detect (AbstractFile file) throws TskCoreException
 

Private Member Functions

boolean isDetectableAsUserDefinedType (String mimeType)
 
boolean isDetectableByTika (String mimeType)
 
String detectUserDefinedType (AbstractFile file) throws TskCoreException
 

Private Attributes

final byte buffer [] = new byte[BUFFER_SIZE]
 
final Map< String, FileType > userDefinedFileTypes
 

Static Private Attributes

static final Tika tika = new Tika()
 
static final int BUFFER_SIZE = 64 * 1024
 

Detailed Description

Detects the type of a file by an inspection of its contents.

Definition at line 36 of file FileTypeDetector.java.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.FileTypeDetector ( ) throws FileTypeDetectorInitException

Constructs an object that detects the type of a file by an inspection of its contents.

Exceptions
FileTypeDetector.FileTypeDetectorInitException: if an initialization error occurs.

Definition at line 50 of file FileTypeDetector.java.

Member Function Documentation

String org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detect ( AbstractFile  file) throws TskCoreException

Detect the MIME type of a file.

Parameters
file: The file to test.
Returns
The MIME type name if detection was successful, null otherwise.
Exceptions
TskCoreException

Strip out any Tika enhancements to the MIME type name.

This exception is swallowed rather than propagated because files in images are not always consistent with their file system metadata, which causes read errors, and Tika can be a bit flaky at times, making this a best-effort endeavor.

Definition at line 154 of file FileTypeDetector.java.

References org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.buffer, org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detectUserDefinedType(), org::sleuthkit::datamodel::TskData::TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS, and org::sleuthkit::datamodel::TskData::TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS.

Referenced by org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detectAndPostToBlackboard().

String org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detectAndPostToBlackboard ( AbstractFile  file) throws TskCoreException

Detect the MIME type of a file, posting it to the blackboard if detection succeeds. Note that this method should currently be called at most once per file.

Parameters
file: The file to test.
Returns
The MIME type name if detection was successful, null otherwise.
Exceptions
TskCoreException

Add the file type attribute to the general info artifact. Note that no property change is fired for this blackboard posting because general info artifacts are different from other artifacts, e.g., they are not displayed in the results tree.

Definition at line 131 of file FileTypeDetector.java.

References org::sleuthkit::datamodel::BlackboardArtifact.addAttribute(), org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detect(), and org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG.

Referenced by org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.getFileType().

String org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detectUserDefinedType ( AbstractFile  file) throws TskCoreException
private

Determines whether or not a file matches a user-defined or Autopsy predefined file type. If a match is found and the file type definition calls for an alert on a match, an interesting file hit artifact is posted to the blackboard.

Parameters
file: The file to test.
Returns
The file type name string or null, if no match is detected.
Exceptions
TskCoreException

Use the MIME type as the category, i.e., the rule that determined this file belongs to the interesting files set.

Definition at line 205 of file FileTypeDetector.java.

References org::sleuthkit::datamodel::BlackboardArtifact.addAttribute(), org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE.TSK_CATEGORY, org::sleuthkit::datamodel::BlackboardArtifact::ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, and org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE.TSK_SET_NAME.

Referenced by org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detect().

String org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.getFileType ( AbstractFile  file) throws TskCoreException

Look up the MIME type of a file using the blackboard. If it is not already posted, detect the type of the file, posting it to the blackboard if detection succeeds.

Parameters
file: The file to test.
Returns
The MIME type name if detection was successful, null otherwise.
Exceptions
TskCoreException

Get the first TSK_FILE_TYPE_SIG attribute.

Definition at line 107 of file FileTypeDetector.java.

References org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.detectAndPostToBlackboard(), and org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG.

Referenced by org.sleuthkit.autopsy.keywordsearch.KeywordSearchIngestModule.Indexer.indexFile(), org.sleuthkit.autopsy.modules.exif.ExifParserFileIngestModule.parsableFormat(), and org.sleuthkit.autopsy.modules.filetypeid.FileTypeIdIngestModule.process().

boolean org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.isDetectable ( String  mimeType)

Determines whether or not a given MIME type is detectable by this detector.

Parameters
mimeType: The MIME type name, e.g. "text/html", to look up.
Returns
True if MIME type is detectable.

Definition at line 65 of file FileTypeDetector.java.

References org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.isDetectableAsUserDefinedType(), and org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.isDetectableByTika().

Referenced by org.sleuthkit.autopsy.modules.filetypeid.FileTypeIdIngestModule.isMimeTypeDetectable().
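
An added usage example for the public methods documented above (isDetectable() and getFileType()); it is not code from Autopsy. The class MimeTypeFilter and its select() method are hypothetical names, and AbstractFile and TskCoreException are assumed to be imported from org.sleuthkit.datamodel.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.TskCoreException;

/** Hypothetical helper (not part of Autopsy): picks files by detected MIME type. */
public class MimeTypeFilter {

    private final FileTypeDetector detector;
    private final Set<String> wanted = new HashSet<>();

    public MimeTypeFilter(Collection<String> mimeTypes)
            throws FileTypeDetector.FileTypeDetectorInitException {
        detector = new FileTypeDetector();
        for (String mimeType : mimeTypes) {
            // Fail early on a type the detector cannot report, so that a
            // misspelled filter does not silently match nothing.
            if (!detector.isDetectable(mimeType)) {
                throw new IllegalArgumentException("Not detectable: " + mimeType);
            }
            wanted.add(mimeType);
        }
    }

    /** Returns the matching files; files with no usable result go to 'undetermined'. */
    public List<AbstractFile> select(Collection<AbstractFile> files,
                                     List<AbstractFile> undetermined) {
        List<AbstractFile> hits = new ArrayList<>();
        for (AbstractFile file : files) {
            try {
                // getFileType() looks the type up on the blackboard first and only
                // detects and posts when nothing is there, which respects the
                // once-per-file note on detectAndPostToBlackboard().
                String mimeType = detector.getFileType(file);
                if (mimeType == null) {
                    undetermined.add(file); // detection did not succeed
                } else if (wanted.contains(mimeType)) {
                    hits.add(file);
                }
            } catch (TskCoreException ex) {
                undetermined.add(file); // keep the file visible for manual review
            }
        }
        return hits;
    }
}
```

Keeping the undetermined files in a separate list means a null result or a TskCoreException is never read as "not of the wanted type".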

boolean org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.isDetectableAsUserDefinedType ( String  mimeType)
private

Determines whether or not a given MIME type is detectable as a user-defined file type.

Parameters
mimeType: The MIME type name, e.g. "text/html", to look up.
Returns
True if MIME type is detectable.

Definition at line 76 of file FileTypeDetector.java.

Referenced by org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.isDetectable().

boolean org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.isDetectableByTika ( String  mimeType)
private

Determines whether or not a given MIME type is detectable by Tika.

Parameters
mimeType: The MIME type name, e.g. "text/html", to look up.
Returns
True if MIME type is detectable.

Definition at line 86 of file FileTypeDetector.java.

Referenced by org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.isDetectable().

Member Data Documentation

final byte org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.buffer[] = new byte[BUFFER_SIZE]
private
final int org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.BUFFER_SIZE = 64 * 1024
static private

Definition at line 39 of file FileTypeDetector.java.

final Tika org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.tika = new Tika()
static private

Definition at line 38 of file FileTypeDetector.java.

final Map<String, FileType> org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.userDefinedFileTypes
private

Definition at line 41 of file FileTypeDetector.java.


The documentation for this class was generated from the following file:

Copyright © 2012-2015 Basis Technology. Generated on: Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.