Autopsy  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
DataSourceInfoUtilities.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.casemodule.datasourcesummary;
20 
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.Map;
24 import java.util.logging.Level;
25 import org.sleuthkit.autopsy.coreutils.Logger;
26 import org.sleuthkit.datamodel.SleuthkitCase;
27 import org.sleuthkit.datamodel.TskCoreException;
28 import java.util.Collections;
29 import java.util.HashMap;
30 import java.util.Set;
31 import org.sleuthkit.autopsy.casemodule.Case;
32 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
33 import org.sleuthkit.datamodel.BlackboardArtifact;
34 import org.sleuthkit.datamodel.TskData;
35 import org.sleuthkit.datamodel.BlackboardAttribute;
36 import org.sleuthkit.datamodel.DataSource;
37 
42 final class DataSourceInfoUtilities {
43 
44  private static final Logger logger = Logger.getLogger(DataSourceInfoUtilities.class.getName());
45 
54  static Map<Long, String> getDataSourceTypes() {
55  try {
56  SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase();
57  List<BlackboardArtifact> listOfArtifacts = skCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE);
58  Map<Long, String> typeMap = new HashMap<>();
59  for (BlackboardArtifact typeArtifact : listOfArtifacts) {
60  BlackboardAttribute descriptionAttr = typeArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION));
61  if (typeArtifact.getDataSource() != null && descriptionAttr != null) {
62  long dsId = typeArtifact.getDataSource().getId();
63  String type = typeMap.get(typeArtifact.getDataSource().getId());
64  if (type == null) {
65  type = descriptionAttr.getValueString();
66  } else {
67  type = type + ", " + descriptionAttr.getValueString();
68  }
69  typeMap.put(dsId, type);
70  }
71  }
72  return typeMap;
73  } catch (TskCoreException | NoCurrentCaseException ex) {
74  logger.log(Level.WARNING, "Unable to get types of files for all datasources, providing empty results", ex);
75  return Collections.emptyMap();
76  }
77  }
78 
87  static Map<Long, Long> getCountsOfFiles() {
88  try {
89  final String countFilesQuery = "data_source_obj_id, COUNT(*) AS value"
90  + " FROM tsk_files WHERE type<>" + TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType()
91  + " AND dir_type<>" + TskData.TSK_FS_NAME_TYPE_ENUM.VIRT_DIR.getValue()
92  + " AND name<>'' GROUP BY data_source_obj_id"; //NON-NLS
93  return getValuesMap(countFilesQuery);
94  } catch (TskCoreException | NoCurrentCaseException ex) {
95  logger.log(Level.WARNING, "Unable to get counts of files for all datasources, providing empty results", ex);
96  return Collections.emptyMap();
97  }
98  }
99 
108  static Map<Long, Long> getCountsOfArtifacts() {
109  try {
110  final String countArtifactsQuery = "data_source_obj_id, COUNT(*) AS value"
111  + " FROM blackboard_artifacts WHERE review_status_id !=" + BlackboardArtifact.ReviewStatus.REJECTED.getID()
112  + " GROUP BY data_source_obj_id"; //NON-NLS
113  return getValuesMap(countArtifactsQuery);
114  } catch (TskCoreException | NoCurrentCaseException ex) {
115  logger.log(Level.WARNING, "Unable to get counts of artifacts for all datasources, providing empty results", ex);
116  return Collections.emptyMap();
117  }
118  }
119 
129  static Map<Long, Long> getCountsOfTags() {
130  try {
131  final String countFileTagsQuery = "data_source_obj_id, COUNT(*) AS value"
132  + " FROM content_tags as content_tags, tsk_files as tsk_files"
133  + " WHERE content_tags.obj_id = tsk_files.obj_id"
134  + " GROUP BY data_source_obj_id"; //NON-NLS
135  //new hashmap so it can be modifiable
136  Map<Long, Long> tagCountMap = new HashMap<>(getValuesMap(countFileTagsQuery));
137  final String countArtifactTagsQuery = "data_source_obj_id, COUNT(*) AS value"
138  + " FROM blackboard_artifact_tags as artifact_tags, blackboard_artifacts AS arts"
139  + " WHERE artifact_tags.artifact_id = arts.artifact_id"
140  + " GROUP BY data_source_obj_id"; //NON-NLS
141  //combine the results from the count artifact tags query into the copy of the mapped results from the count file tags query
142  getValuesMap(countArtifactTagsQuery).forEach((key, value) -> tagCountMap.merge(key, value, (value1, value2) -> value1 + value2));
143  return tagCountMap;
144  } catch (TskCoreException | NoCurrentCaseException ex) {
145  logger.log(Level.WARNING, "Unable to get counts of tags for all datasources, providing empty results", ex);
146  return Collections.emptyMap();
147  }
148  }
149 
160  static Map<Long, String> getOperatingSystems() {
161  Map<Long, String> osDetailMap = new HashMap<>();
162  try {
163  SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase();
164  ArrayList<BlackboardArtifact> osInfoArtifacts = skCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO);
165  for (BlackboardArtifact osInfo : osInfoArtifacts) {
166  BlackboardAttribute programName = osInfo.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME));
167  if (programName != null) {
168  String currentOsString = osDetailMap.get(osInfo.getDataSource().getId());
169  if (currentOsString == null || currentOsString.isEmpty()) {
170  currentOsString = programName.getValueString();
171  } else {
172  currentOsString = currentOsString + ", " + programName.getValueString();
173  }
174  osDetailMap.put(osInfo.getDataSource().getId(), currentOsString);
175  }
176  }
177  } catch (TskCoreException | NoCurrentCaseException ex) {
178  logger.log(Level.SEVERE, "Failed to load OS info artifacts.", ex);
179  }
180  return osDetailMap;
181  }
182 
197  static Long getCountOfFilesForMimeTypes(DataSource currentDataSource, Set<String> setOfMimeTypes) {
198  if (currentDataSource != null) {
199  try {
200  String inClause = String.join("', '", setOfMimeTypes);
201  SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase();
202  return skCase.countFilesWhere("data_source_obj_id=" + currentDataSource.getId()
203  + " AND type<>" + TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType()
204  + " AND dir_type<>" + TskData.TSK_FS_NAME_TYPE_ENUM.VIRT_DIR.getValue()
205  + " AND mime_type IN ('" + inClause + "')"
206  + " AND name<>''");
207  } catch (TskCoreException | NoCurrentCaseException ex) {
208  logger.log(Level.WARNING, "Unable to get count of files for specified mime types", ex);
209  //unable to get count of files for the specified mimetypes cell will be displayed as empty
210  }
211  }
212  return null;
213  }
214 
223  static Map<Long, Long> getCountsOfUnallocatedFiles() {
224  try {
225  final String countUnallocatedFilesQuery = "data_source_obj_id, COUNT(*) AS value"
226  + " FROM tsk_files WHERE type<>" + TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType()
227  + " AND dir_type<>" + TskData.TSK_FS_NAME_TYPE_ENUM.VIRT_DIR.getValue()
228  + " AND dir_flags=" + TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC.getValue()
229  + " AND name<>'' GROUP BY data_source_obj_id"; //NON-NLS
230  return getValuesMap(countUnallocatedFilesQuery);
231  } catch (TskCoreException | NoCurrentCaseException ex) {
232  logger.log(Level.WARNING, "Unable to get counts of unallocated files for all datasources, providing empty results", ex);
233  return Collections.emptyMap();
234  }
235  }
236 
245  static Map<Long, Long> getSizeOfUnallocatedFiles() {
246  try {
247  final String countUnallocatedFilesQuery = "data_source_obj_id, sum(size) AS value"
248  + " FROM tsk_files WHERE type<>" + TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType()
249  + " AND dir_type<>" + TskData.TSK_FS_NAME_TYPE_ENUM.VIRT_DIR.getValue()
250  + " AND dir_flags=" + TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC.getValue()
251  + " AND name<>'' GROUP BY data_source_obj_id"; //NON-NLS
252  return getValuesMap(countUnallocatedFilesQuery);
253  } catch (TskCoreException | NoCurrentCaseException ex) {
254  logger.log(Level.WARNING, "Unable to get size of unallocated files for all datasources, providing empty results", ex);
255  return Collections.emptyMap();
256  }
257  }
258 
267  static Map<Long, Long> getCountsOfDirectories() {
268  try {
269  final String countDirectoriesQuery = "data_source_obj_id, COUNT(*) AS value"
270  + " FROM tsk_files WHERE type<>" + TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType()
271  + " AND dir_type<>" + TskData.TSK_FS_NAME_TYPE_ENUM.VIRT_DIR.getValue()
272  + " AND meta_type=" + TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getValue()
273  + " AND name<>'' GROUP BY data_source_obj_id"; //NON-NLS
274  return getValuesMap(countDirectoriesQuery);
275  } catch (TskCoreException | NoCurrentCaseException ex) {
276  logger.log(Level.WARNING, "Unable to get counts of directories for all datasources, providing empty results", ex);
277  return Collections.emptyMap();
278  }
279  }
280 
289  static Map<Long, Long> getCountsOfSlackFiles() {
290  try {
291  final String countSlackFilesQuery = "data_source_obj_id, COUNT(*) AS value"
292  + " FROM tsk_files WHERE type=" + TskData.TSK_DB_FILES_TYPE_ENUM.SLACK.getFileType()
293  + " AND dir_type<>" + TskData.TSK_FS_NAME_TYPE_ENUM.VIRT_DIR.getValue()
294  + " AND name<>'' GROUP BY data_source_obj_id"; //NON-NLS
295  return getValuesMap(countSlackFilesQuery);
296  } catch (TskCoreException | NoCurrentCaseException ex) {
297  logger.log(Level.WARNING, "Unable to get counts of slack files for all datasources, providing empty results", ex);
298  return Collections.emptyMap();
299  }
300  }
301 
311  static Map<Long, Map<String, Long>> getCountsOfArtifactsByType() {
312  try {
313  final String countArtifactsQuery = "blackboard_artifacts.data_source_obj_id, blackboard_artifact_types.display_name AS label, COUNT(*) AS value"
314  + " FROM blackboard_artifacts, blackboard_artifact_types"
315  + " WHERE blackboard_artifacts.artifact_type_id = blackboard_artifact_types.artifact_type_id"
316  + " GROUP BY blackboard_artifacts.data_source_obj_id, blackboard_artifact_types.display_name";
317  return getLabeledValuesMap(countArtifactsQuery);
318  } catch (TskCoreException | NoCurrentCaseException ex) {
319  logger.log(Level.WARNING, "Unable to get counts of all artifact types for all datasources, providing empty results", ex);
320  return Collections.emptyMap();
321  }
322  }
323 
336  private static Map<Long, Map<String, Long>> getLabeledValuesMap(String query) throws TskCoreException, NoCurrentCaseException {
337  SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase();
338  DataSourceLabeledValueCallback callback = new DataSourceLabeledValueCallback();
339  skCase.getCaseDbAccessManager().select(query, callback);
340  return callback.getMapOfLabeledValues();
341  }
342 
354  private static Map<Long, Long> getValuesMap(String query) throws TskCoreException, NoCurrentCaseException {
355  SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase();
356  DataSourceSingleValueCallback callback = new DataSourceSingleValueCallback();
357  skCase.getCaseDbAccessManager().select(query, callback);
358  return callback.getMapOfValues();
359  }
360 
364  private DataSourceInfoUtilities() {
365  }
366 }

Copyright © 2012-2019 Basis Technology. Generated on: Tue Jan 7 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.