Autopsy  4.10.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EnCaseKeywordSearchList.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.keywordsearch;
20 
21 import org.openide.util.NbBundle;
22 
23 import java.io.BufferedReader;
24 import java.io.FileInputStream;
25 import java.io.FileNotFoundException;
26 import java.io.IOException;
27 import java.io.InputStreamReader;
28 import java.util.ArrayList;
29 import java.util.Date;
30 import java.util.List;
31 import java.util.logging.Level;
32 
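/**
 * Reads keyword lists from an EnCase keyword file and exposes them through the
 * {@link KeywordSearchList} list map. The file is read as UTF-16, tab-separated
 * text in which every entry occupies two consecutive lines: a structure line
 * (column 1 holds the child count) and a meta line (type, name, value, then up
 * to one column per {@link EncaseFlag}).
 *
 * The file is supplied from outside the application, so every column access
 * and every declared child count is validated before use. Saving is not
 * supported.
 */
class EnCaseKeywordSearchList extends KeywordSearchList {

    /** Number of leading lines that are skipped before the entry records start. */
    private static final int HEADER_LINE_COUNT = 5;
    /** Index of the first flag column on a meta line (after type, name and value). */
    private static final int FIRST_FLAG_COLUMN = 3;

    // Entries in file order; entries consumed while building the tree are removed.
    ArrayList<EncaseFileEntry> entriesUnsorted;
    // First entry of the file; root of the folder/expression tree.
    EncaseFileEntry rootEntry;

    /**
     * @param encasePath path of the EnCase keyword file; passed to the superclass
     */
    public EnCaseKeywordSearchList(String encasePath) {
        super(encasePath);
    }

    /**
     * Creates one keyword list per folder entry that directly contains at least
     * one non-GREP expression, named after the folder's slash-separated path.
     * Sub-folders are processed before the list of the enclosing folder is
     * stored.
     *
     * NOTE(review): the recursion depth equals the folder nesting depth of the
     * imported file.
     *
     * @param entry      entry whose children are turned into keywords
     * @param parentPath path of the enclosing folders, empty for the root entry
     */
    private void doCreateListsFromEntries(EncaseFileEntry entry, String parentPath) {
        String name = parentPath.isEmpty() ? entry.name : parentPath + "/" + entry.name;

        List<Keyword> children = new ArrayList<>();
        for (EncaseFileEntry child : entry.children) {
            switch (child.type) {
                case Folder:
                    doCreateListsFromEntries(child, name);
                    break;
                case Expression:
                    if (child.flags.contains(EncaseFlag.pg)) { // Skip GREP keywords
                        break;
                    }
                    children.add(new Keyword(child.value, true, true));
                    break;
            }
        }
        // Give each list a unique name by appending "(2)", "(3)", ...
        if (theLists.containsKey(name)) {
            int i = 2;
            while (theLists.containsKey(name + "(" + i + ")")) {
                i += 1;
            }
            name = name + "(" + i + ")";
        }
        // Don't create lists if there are no keywords
        if (!children.isEmpty()) {
            KeywordList newList = new KeywordList(name, new Date(), new Date(),
                    true, true, children);
            theLists.put(name, newList);
        }
    }

    /**
     * Links the flat, file-ordered entries in {@link #entriesUnsorted} into a
     * tree below {@code parent}: each entry takes the following entries as its
     * children until its declared child count is reached, depth first.
     *
     * The walk is iterative and follows the parent links upwards, so neither
     * the number of entries nor the nesting depth of the file can exhaust the
     * call stack, and a file that declares more children than it contains ends
     * the walk instead of reading past the end of the list.
     *
     * @param parent root of the tree to fill
     *
     * @return true if every entry reached its declared child count, false if
     *         the entries ran out first
     */
    private boolean doCreateEntryStructure(EncaseFileEntry parent) {
        int consumed = 0;
        boolean complete = true;
        EncaseFileEntry current = parent;
        while (current != null) {
            if (current.isFull()) {
                // Subtree finished: continue with the enclosing entry, if any.
                current = current.hasParent ? current.parent : null;
                continue;
            }
            if (consumed == entriesUnsorted.size()) {
                complete = false;
                break;
            }
            EncaseFileEntry child = entriesUnsorted.get(consumed);
            consumed += 1;
            child.hasParent = true;
            child.parent = current;
            current.addChild(child);
            current = child;
        }
        // Drop the consumed prefix in one step; anything left was not part of the tree.
        entriesUnsorted.subList(0, consumed).clear();
        return complete;
    }

    /**
     * Parses one structure/meta line pair into an entry.
     *
     * @param structLine structure line; column 1 is the child count
     * @param metaLine   meta line; columns are type, name, value, flags
     *
     * @return the parsed entry, or null if a required column is missing or the
     *         child count is not a non-negative integer
     *
     * @throws IllegalArgumentException if the type column holds an unknown value
     */
    private EncaseFileEntry parseEntry(String structLine, String metaLine) {
        // Limit -1 keeps trailing empty columns; the default split drops them,
        // which made an entry with an empty value and no flags look too short.
        String[] structArr = structLine.split("\t", -1);
        String[] metaArr = metaLine.split("\t", -1);
        EncaseMetaType type = EncaseMetaType.getType(metaArr[0]);
        if (structArr.length < 2 || metaArr.length < FIRST_FLAG_COLUMN) {
            return null;
        }
        int childCount;
        try {
            childCount = Integer.parseInt(structArr[1]);
        } catch (NumberFormatException ex) {
            return null;
        }
        if (childCount < 0) {
            // A negative count can never be satisfied by isFull().
            return null;
        }
        String name = metaArr[1];
        String value = metaArr[2];
        ArrayList<EncaseFlag> flags = new ArrayList<>();
        int flagCount = EncaseFlag.values().length;
        for (int i = 0; i < flagCount && FIRST_FLAG_COLUMN + i < metaArr.length; i++) {
            // Any non-empty flag column means the flag is set.
            if (!metaArr[FIRST_FLAG_COLUMN + i].equals("")) {
                flags.add(EncaseFlag.getFlag(i));
            }
        }
        return new EncaseFileEntry(name, value, childCount, false, null, type, flags);
    }

    /**
     * Not supported for EnCase lists.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public boolean save() {
        throw new UnsupportedOperationException(
                NbBundle.getMessage(this.getClass(), "KeywordSearchListsEncase.save.exception.msg"));
    }

    /**
     * Not supported for EnCase lists.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public boolean save(boolean isExport) {
        throw new UnsupportedOperationException(
                NbBundle.getMessage(this.getClass(), "KeywordSearchListsEncase.save2.exception.msg"));
    }

    /**
     * Reads the file at {@code filePath}, builds the entry tree and fills the
     * list map from it.
     *
     * @return true if at least one entry was read and the tree was complete;
     *         false if the file is missing, unreadable, empty, has a record
     *         with missing columns or an invalid child count, or declares more
     *         children than it contains
     *
     * @throws IllegalArgumentException if an entry has an unknown type value
     */
    @Override
    public boolean load() {
        // try-with-resources closes the reader and its file handle on every exit path.
        try (BufferedReader readBuffer = new BufferedReader(new InputStreamReader(new FileInputStream(filePath), "utf-16"))) { //NON-NLS
            entriesUnsorted = new ArrayList<>();
            for (int line = 0; line < HEADER_LINE_COUNT; line++) {
                readBuffer.readLine();
            }
            String structLine;
            String metaLine;
            int recordNumber = 0;
            while ((structLine = readBuffer.readLine()) != null && (metaLine = readBuffer.readLine()) != null) {
                recordNumber += 1;
                EncaseFileEntry entry = parseEntry(structLine, metaLine);
                if (entry == null) {
                    // Only the position is logged, never the keyword text itself.
                    LOGGER.log(Level.WARNING, "Malformed entry " + recordNumber + " in file at " + filePath); //NON-NLS
                    return false;
                }
                entriesUnsorted.add(entry);
            }
            if (entriesUnsorted.isEmpty()) {
                return false;
            }

            this.rootEntry = entriesUnsorted.remove(0);
            if (!doCreateEntryStructure(this.rootEntry)) {
                LOGGER.log(Level.WARNING, "File at " + filePath + " declares more child entries than it contains"); //NON-NLS
                return false;
            }
            doCreateListsFromEntries(this.rootEntry, "");
            return true;

        } catch (FileNotFoundException ex) {
            LOGGER.log(Level.INFO, "File at " + filePath + " does not exist!", ex); //NON-NLS
        } catch (IOException ex) {
            LOGGER.log(Level.INFO, "Failed to read file at " + filePath, ex); //NON-NLS
        }
        return false;
    }

    /** Entry kind, decoded from the first column of a meta line. */
    private enum EncaseMetaType {

        Expression, Folder;

        /**
         * @param type raw type column: "5" for a folder, empty for an expression
         *
         * @return the matching type
         *
         * @throws IllegalArgumentException for any other value
         */
        static EncaseMetaType getType(String type) {
            if (type.equals("5")) {
                return Folder;
            } else if (type.equals("")) {
                return Expression;
            } else {
                throw new IllegalArgumentException(
                        NbBundle.getMessage(EnCaseKeywordSearchList.class,
                                "KeywordSearchListsEncase.encaseMetaType.exception.msg",
                                type));
            }
        }
    }

    /*
     * Flags for EncaseFileEntries. p8 = UTF-8 p7 = UTF-7 pg = GREP
     * The declaration order matches the order of the flag columns in the file.
     */
    private enum EncaseFlag {

        pc, pu, pb, p8, p7, pg, an, ph, or, di, um, st, ww, pr, lo, ta, cp;

        /**
         * @param i zero-based flag column index; must be below the number of flags
         *
         * @return the flag declared at that position
         */
        static EncaseFlag getFlag(int i) {
            return EncaseFlag.values()[i];
        }
    }

    /**
     * One entry of the file: a folder or an expression, with the child count
     * the file declares for it and the children linked so far.
     */
    private static final class EncaseFileEntry {

        String name;
        String value;
        int childCount;
        List<EncaseFileEntry> children;
        EncaseFileEntry parent;
        EncaseMetaType type;
        boolean hasParent;
        ArrayList<EncaseFlag> flags;

        EncaseFileEntry(String name, String value, int childCount, boolean hasParent, EncaseFileEntry parent, EncaseMetaType type, ArrayList<EncaseFlag> flags) {
            this.name = name;
            this.value = value;
            this.childCount = childCount;
            this.children = new ArrayList<>();
            this.hasParent = hasParent;
            this.parent = parent;
            this.type = type;
            this.flags = flags;
        }

        /** @return true once as many children are linked as the file declared */
        boolean isFull() {
            return children.size() == childCount;
        }

        void addChild(EncaseFileEntry child) {
            children.add(child);
        }
    }

}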

Copyright © 2012-2018 Basis Technology. Generated on: Fri Mar 22 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.