Autopsy  4.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
DeletedContent.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2015 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datamodel;
20 
21 import java.beans.PropertyChangeEvent;
22 import java.beans.PropertyChangeListener;
23 import java.util.ArrayList;
24 import java.util.Arrays;
25 import java.util.List;
26 import java.util.Observable;
27 import java.util.Observer;
28 import java.util.logging.Level;
29 import javax.swing.JOptionPane;
30 import javax.swing.SwingUtilities;
31 import org.openide.nodes.AbstractNode;
32 import org.openide.nodes.ChildFactory;
33 import org.openide.nodes.Children;
34 import org.openide.nodes.Node;
35 import org.openide.nodes.Sheet;
36 import org.openide.util.NbBundle;
37 import org.openide.util.lookup.Lookups;
38 import org.openide.windows.WindowManager;
42 import org.sleuthkit.datamodel.AbstractFile;
43 import org.sleuthkit.datamodel.Content;
44 import org.sleuthkit.datamodel.ContentVisitor;
45 import org.sleuthkit.datamodel.Directory;
46 import org.sleuthkit.datamodel.File;
47 import org.sleuthkit.datamodel.FsContent;
48 import org.sleuthkit.datamodel.LayoutFile;
49 import org.sleuthkit.datamodel.SleuthkitCase;
50 import org.sleuthkit.datamodel.TskCoreException;
51 import org.sleuthkit.datamodel.TskData;
52 
56 public class DeletedContent implements AutopsyVisitableItem {
57 
58  private SleuthkitCase skCase;
59 
60  public enum DeletedContentFilter implements AutopsyVisitableItem {
61 
62  FS_DELETED_FILTER(0,
63  "FS_DELETED_FILTER", //NON-NLS
64  NbBundle.getMessage(DeletedContent.class, "DeletedContent.fsDelFilter.text")),
65  ALL_DELETED_FILTER(1,
66  "ALL_DELETED_FILTER", //NON-NLS
67  NbBundle.getMessage(DeletedContent.class, "DeletedContent.allDelFilter.text"));
68  private int id;
69  private String name;
70  private String displayName;
71 
72  private DeletedContentFilter(int id, String name, String displayName) {
73  this.id = id;
74  this.name = name;
75  this.displayName = displayName;
76 
77  }
78 
79  public String getName() {
80  return this.name;
81  }
82 
83  public int getId() {
84  return this.id;
85  }
86 
87  public String getDisplayName() {
88  return this.displayName;
89  }
90 
91  @Override
92  public <T> T accept(AutopsyItemVisitor<T> v) {
93  return v.visit(this);
94  }
95  }
96 
97  public DeletedContent(SleuthkitCase skCase) {
98  this.skCase = skCase;
99  }
100 
101  @Override
102  public <T> T accept(AutopsyItemVisitor<T> v) {
103  return v.visit(this);
104  }
105 
106  public SleuthkitCase getSleuthkitCase() {
107  return this.skCase;
108  }
109 
110  public static class DeletedContentsNode extends DisplayableItemNode {
111 
112  private static final String NAME = NbBundle.getMessage(DeletedContent.class,
113  "DeletedContent.deletedContentsNode.name");
114  private SleuthkitCase skCase;
115 
116  DeletedContentsNode(SleuthkitCase skCase) {
117  super(Children.create(new DeletedContentsChildren(skCase), true), Lookups.singleton(NAME));
118  super.setName(NAME);
119  super.setDisplayName(NAME);
120  this.skCase = skCase;
121  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/file-icon-deleted.png"); //NON-NLS
122  }
123 
124  @Override
125  public boolean isLeafTypeNode() {
126  return false;
127  }
128 
129  @Override
130  public <T> T accept(DisplayableItemNodeVisitor<T> v) {
131  return v.visit(this);
132  }
133 
134  @Override
135  protected Sheet createSheet() {
136  Sheet s = super.createSheet();
137  Sheet.Set ss = s.get(Sheet.PROPERTIES);
138  if (ss == null) {
139  ss = Sheet.createPropertiesSet();
140  s.put(ss);
141  }
142 
143  ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "DeletedContent.createSheet.name.name"),
144  NbBundle.getMessage(this.getClass(), "DeletedContent.createSheet.name.displayName"),
145  NbBundle.getMessage(this.getClass(), "DeletedContent.createSheet.name.desc"),
146  NAME));
147  return s;
148  }
149 
150  /*
151  * TODO (AUT-1849): Correct or remove peristent column reordering code
152  *
153  * Added to support this feature.
154  */
155 // @Override
156 // public String getItemType() {
157 // return "DeletedContent"; //NON-NLS
158 // }
159  }
160 
161  public static class DeletedContentsChildren extends ChildFactory<DeletedContent.DeletedContentFilter> {
162 
163  private SleuthkitCase skCase;
164  private Observable notifier;
165  // true if we have already told user that not all files will be shown
166  private static boolean maxFilesDialogShown = false;
167 
168  public DeletedContentsChildren(SleuthkitCase skCase) {
169  this.skCase = skCase;
170  this.notifier = new DeletedContentsChildrenObservable();
171  }
172 
177  private final class DeletedContentsChildrenObservable extends Observable {
178 
183  }
184 
185  private void removeListeners() {
186  deleteObservers();
190  }
191 
192  private final PropertyChangeListener pcl = new PropertyChangeListener() {
193  @Override
194  public void propertyChange(PropertyChangeEvent evt) {
195  String eventType = evt.getPropertyName();
196  if (eventType.equals(IngestManager.IngestModuleEvent.CONTENT_CHANGED.toString())) {
205  try {
207  // new file was added
208  // @@@ COULD CHECK If the new file is deleted before notifying...
209  update();
210  } catch (IllegalStateException notUsed) {
214  }
215  } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())
216  || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())
217  || eventType.equals(Case.Events.DATA_SOURCE_ADDED.toString())) {
224  try {
226  update();
227  } catch (IllegalStateException notUsed) {
231  }
232  } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {
233  // case was closed. Remove listeners so that we don't get called with a stale case handle
234  if (evt.getNewValue() == null) {
235  removeListeners();
236  }
237  maxFilesDialogShown = false;
238  }
239  }
240  };
241 
242  private void update() {
243  setChanged();
244  notifyObservers();
245  }
246  }
247 
248  @Override
249 
250  protected boolean createKeys(List<DeletedContent.DeletedContentFilter> list) {
251  list.addAll(Arrays.asList(DeletedContent.DeletedContentFilter.values()));
252  return true;
253  }
254 
255  @Override
257  return new DeletedContentNode(skCase, key, notifier);
258  }
259 
261 
263 
264  // Use version that has observer for updates
265  @Deprecated
267  super(Children.create(new DeletedContentChildren(filter, skCase, null), true), Lookups.singleton(filter.getDisplayName()));
268  this.filter = filter;
269  init();
270  }
271 
272  DeletedContentNode(SleuthkitCase skCase, DeletedContent.DeletedContentFilter filter, Observable o) {
273  super(Children.create(new DeletedContentChildren(filter, skCase, o), true), Lookups.singleton(filter.getDisplayName()));
274  this.filter = filter;
275  init();
276  o.addObserver(new DeletedContentNodeObserver());
277  }
278 
279  private void init() {
280  super.setName(filter.getName());
281 
282  String tooltip = filter.getDisplayName();
283  this.setShortDescription(tooltip);
284  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/file-icon-deleted.png"); //NON-NLS
286  }
287 
288  /*
289  * TODO (AUT-1849): Correct or remove peristent column reordering
290  * code
291  *
292  * Added to support this feature.
293  */
294 // @Override
295 // public String getItemType() {
296 // return "DeletedContentChildren"; //NON-NLS
297 // }
298  // update the display name when new events are fired
299  private class DeletedContentNodeObserver implements Observer {
300 
301  @Override
302  public void update(Observable o, Object arg) {
304  }
305  }
306 
307  private void updateDisplayName() {
308  //get count of children without preloading all children nodes
309  final long count = DeletedContentChildren.calculateItems(skCase, filter);
310  //final long count = getChildren().getNodesCount(true);
311  super.setDisplayName(filter.getDisplayName() + " (" + count + ")");
312  }
313 
314  @Override
315  public <T> T accept(DisplayableItemNodeVisitor<T> v) {
316  return v.visit(this);
317  }
318 
319  @Override
320  protected Sheet createSheet() {
321  Sheet s = super.createSheet();
322  Sheet.Set ss = s.get(Sheet.PROPERTIES);
323  if (ss == null) {
324  ss = Sheet.createPropertiesSet();
325  s.put(ss);
326  }
327 
328  ss.put(new NodeProperty<>(
329  NbBundle.getMessage(this.getClass(), "DeletedContent.createSheet.filterType.name"),
330  NbBundle.getMessage(this.getClass(), "DeletedContent.createSheet.filterType.displayName"),
331  NbBundle.getMessage(this.getClass(), "DeletedContent.createSheet.filterType.desc"),
332  filter.getDisplayName()));
333 
334  return s;
335  }
336 
337  @Override
338  public boolean isLeafTypeNode() {
339  return true;
340  }
341  }
342 
343  static class DeletedContentChildren extends ChildFactory.Detachable<AbstractFile> {
344 
345  private final SleuthkitCase skCase;
346  private final DeletedContent.DeletedContentFilter filter;
347  private static final Logger logger = Logger.getLogger(DeletedContentChildren.class.getName());
348  private static final int MAX_OBJECTS = 10001;
349  private final Observable notifier;
350 
351  DeletedContentChildren(DeletedContent.DeletedContentFilter filter, SleuthkitCase skCase, Observable o) {
352  this.skCase = skCase;
353  this.filter = filter;
354  this.notifier = o;
355  }
356 
357  private final Observer observer = new DeletedContentChildrenObserver();
358 
359  // Cause refresh of children if there are changes
360  private class DeletedContentChildrenObserver implements Observer {
361 
362  @Override
363  public void update(Observable o, Object arg) {
364  refresh(true);
365  }
366  }
367 
368  @Override
369  protected void addNotify() {
370  if (notifier != null) {
371  notifier.addObserver(observer);
372  }
373  }
374 
375  @Override
376  protected void removeNotify() {
377  if (notifier != null) {
378  notifier.deleteObserver(observer);
379  }
380  }
381 
382  @Override
383  protected boolean createKeys(List<AbstractFile> list) {
384  List<AbstractFile> queryList = runFsQuery();
385  if (queryList.size() == MAX_OBJECTS) {
386  queryList.remove(queryList.size() - 1);
387  // only show the dialog once - not each time we refresh
388  if (maxFilesDialogShown == false) {
389  maxFilesDialogShown = true;
390  SwingUtilities.invokeLater(new Runnable() {
391  @Override
392  public void run() {
393  JOptionPane.showMessageDialog(WindowManager.getDefault().getMainWindow(), NbBundle.getMessage(this.getClass(),
394  "DeletedContent.createKeys.maxObjects.msg",
395  MAX_OBJECTS - 1));
396  }
397  });
398  }
399  }
400  list.addAll(queryList);
401  return true;
402  }
403 
404  static private String makeQuery(DeletedContent.DeletedContentFilter filter) {
405  String query = "";
406  switch (filter) {
407  case FS_DELETED_FILTER:
408  query = "dir_flags = " + TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC.getValue() //NON-NLS
409  + " AND meta_flags != " + TskData.TSK_FS_META_FLAG_ENUM.ORPHAN.getValue() //NON-NLS
410  + " AND type = " + TskData.TSK_DB_FILES_TYPE_ENUM.FS.getFileType(); //NON-NLS
411 
412  break;
413  case ALL_DELETED_FILTER:
414  query = " ( "
415  + "( "
416  + "(dir_flags = " + TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC.getValue() //NON-NLS
417  + " OR " //NON-NLS
418  + "meta_flags = " + TskData.TSK_FS_META_FLAG_ENUM.ORPHAN.getValue() //NON-NLS
419  + ")"
420  + " AND type = " + TskData.TSK_DB_FILES_TYPE_ENUM.FS.getFileType() //NON-NLS
421  + " )"
422  + " OR type = " + TskData.TSK_DB_FILES_TYPE_ENUM.CARVED.getFileType() //NON-NLS
423  + " )";
424  //+ " AND type != " + TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS.getFileType()
425  //+ " AND type != " + TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS.getFileType()
426  //+ " AND type != " + TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS.getFileType()
427  //+ " AND type != " + TskData.TSK_DB_FILES_TYPE_ENUM.DERIVED.getFileType()
428  //+ " AND type != " + TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL.getFileType()
429  //+ " AND type != " + TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType();
430  break;
431 
432  default:
433  logger.log(Level.SEVERE, "Unsupported filter type to get deleted content: {0}", filter); //NON-NLS
434 
435  }
436 
437  query += " LIMIT " + MAX_OBJECTS; //NON-NLS
438  return query;
439  }
440 
441  private List<AbstractFile> runFsQuery() {
442  List<AbstractFile> ret = new ArrayList<>();
443 
444  String query = makeQuery(filter);
445  try {
446  ret = skCase.findAllFilesWhere(query);
447  } catch (TskCoreException e) {
448  logger.log(Level.SEVERE, "Error getting files for the deleted content view using: " + query, e); //NON-NLS
449  }
450 
451  return ret;
452 
453  }
454 
460  static long calculateItems(SleuthkitCase sleuthkitCase, DeletedContent.DeletedContentFilter filter) {
461  try {
462  return sleuthkitCase.countFilesWhere(makeQuery(filter));
463  } catch (TskCoreException ex) {
464  logger.log(Level.SEVERE, "Error getting deleted files search view count", ex); //NON-NLS
465  return 0;
466  }
467  }
468 
469  @Override
470  protected Node createNodeForKey(AbstractFile key) {
471  return key.accept(new ContentVisitor.Default<AbstractNode>() {
472  public FileNode visit(AbstractFile f) {
473  return new FileNode(f, false);
474  }
475 
476  public FileNode visit(FsContent f) {
477  return new FileNode(f, false);
478  }
479 
480  @Override
481  public FileNode visit(LayoutFile f) {
482  return new FileNode(f, false);
483  }
484 
485  @Override
486  public FileNode visit(File f) {
487  return new FileNode(f, false);
488  }
489 
490  @Override
491  public FileNode visit(Directory f) {
492  return new FileNode(f, false);
493  }
494 
495  @Override
496  protected AbstractNode defaultVisit(Content di) {
497  throw new UnsupportedOperationException(NbBundle.getMessage(this.getClass(),
498  "DeletedContent.createNodeForKey.typeNotSupported.msg",
499  di.toString()));
500  }
501  });
502  }
503  }
504  }
505 }
void removeIngestModuleEventListener(final PropertyChangeListener listener)
static synchronized IngestManager getInstance()
void removeIngestJobEventListener(final PropertyChangeListener listener)
boolean createKeys(List< DeletedContent.DeletedContentFilter > list)
void addIngestJobEventListener(final PropertyChangeListener listener)
static synchronized void removePropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:1305
void addIngestModuleEventListener(final PropertyChangeListener listener)
static synchronized void addPropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:1292
synchronized static Logger getLogger(String name)
Definition: Logger.java:166
Node createNodeForKey(DeletedContent.DeletedContentFilter key)

Copyright © 2012-2015 Basis Technology. Generated on: Wed Apr 6 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.