Autopsy  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
QueryResults.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.keywordsearch;
20 
21 import java.util.ArrayList;
22 import java.util.Collection;
23 import java.util.HashMap;
24 import java.util.List;
25 import java.util.Map;
26 import java.util.Set;
27 import java.util.logging.Level;
28 import javax.swing.SwingWorker;
29 import org.apache.commons.lang.StringUtils;
30 import org.netbeans.api.progress.ProgressHandle;
31 import org.netbeans.api.progress.aggregate.ProgressContributor;
32 import org.openide.util.NbBundle;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.Blackboard;
41 import org.sleuthkit.datamodel.BlackboardArtifact;
42 import org.sleuthkit.datamodel.BlackboardAttribute;
43 import org.sleuthkit.datamodel.Content;
44 import org.sleuthkit.datamodel.SleuthkitCase;
45 import org.sleuthkit.datamodel.TskCoreException;
46 
53 class QueryResults {
54 
55  private static final Logger logger = Logger.getLogger(QueryResults.class.getName());
56  private static final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
57  private final KeywordSearchQuery query;
58  private final Map<Keyword, List<KeywordHit>> results = new HashMap<>();
59 
70  QueryResults(KeywordSearchQuery query) {
71  this.query = query;
72  }
73 
80  KeywordSearchQuery getQuery() {
81  return query;
82  }
83 
92  void addResult(Keyword keyword, List<KeywordHit> hits) {
93  results.put(keyword, hits);
94  }
95 
103  List<KeywordHit> getResults(Keyword keyword) {
104  return results.get(keyword);
105  }
106 
113  Set<Keyword> getKeywords() {
114  return results.keySet();
115  }
116 
146  void process(ProgressHandle progress, ProgressContributor subProgress, SwingWorker<?, ?> worker, boolean notifyInbox, boolean saveResults) {
147  /*
148  * Initialize the progress indicator to the number of keywords that will
149  * be processed.
150  */
151  if (null != progress) {
152  progress.start(getKeywords().size());
153  }
154 
155  /*
156  * Process the keyword hits for each keyword.
157  */
158  int keywordsProcessed = 0;
159  final Collection<BlackboardArtifact> hitArtifacts = new ArrayList<>();
160  for (final Keyword keyword : getKeywords()) {
161  /*
162  * Cancellation check.
163  */
164  if (worker.isCancelled()) {
165  logger.log(Level.INFO, "Processing cancelled, exiting before processing search term {0}", keyword.getSearchTerm()); //NON-NLS
166  break;
167  }
168 
169  /*
170  * Update the progress indicator and the show the current keyword
171  * via the progress contributor.
172  */
173  if (progress != null) {
174  progress.progress(keyword.toString(), keywordsProcessed);
175  }
176  if (subProgress != null) {
177  String hitDisplayStr = keyword.getSearchTerm();
178  if (hitDisplayStr.length() > 50) {
179  hitDisplayStr = hitDisplayStr.substring(0, 49) + "...";
180  }
181  subProgress.progress(query.getKeywordList().getName() + ": " + hitDisplayStr, keywordsProcessed);
182  }
183 
184  /*
185  * Reduce the hits for this keyword to one hit per text source
186  * object so that only one hit artifact is generated per text source
187  * object, no matter how many times the keyword was actually found.
188  */
189  for (KeywordHit hit : getOneHitPerTextSourceObject(keyword)) {
190  /*
191  * Get a snippet (preview) for the hit. Regex queries always
192  * have snippets made from the content_str pulled back from Solr
193  * for executing the search. Other types of queries may or may
194  * not have snippets yet.
195  */
196  String snippet = hit.getSnippet();
197  if (StringUtils.isBlank(snippet)) {
198  final String snippetQuery = KeywordSearchUtil.escapeLuceneQuery(keyword.getSearchTerm());
199  try {
200  snippet = LuceneQuery.querySnippet(snippetQuery, hit.getSolrObjectId(), hit.getChunkId(), !query.isLiteral(), true);
201  } catch (NoOpenCoreException e) {
202  logger.log(Level.SEVERE, "Solr core closed while executing snippet query " + snippetQuery, e); //NON-NLS
203  break; // Stop processing.
204  } catch (Exception e) {
205  logger.log(Level.SEVERE, "Error executing snippet query " + snippetQuery, e); //NON-NLS
206  continue; // Try processing the next hit.
207  }
208  }
209 
210  /*
211  * Get the content (file or artifact) that is the text source
212  * for the hit.
213  */
214  Content content = null;
215  try {
216  SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
217  content = tskCase.getContentById(hit.getContentID());
218  } catch (TskCoreException | NoCurrentCaseException tskCoreException) {
219  logger.log(Level.SEVERE, "Failed to get text source object for keyword hit", tskCoreException); //NON-NLS
220  }
221 
222  if ((content != null) && saveResults) {
223  /*
224  * Post an artifact for the hit to the blackboard.
225  */
226  BlackboardArtifact artifact = query.createKeywordHitArtifact(content, keyword, hit, snippet, query.getKeywordList().getName());
227 
228  /*
229  * Send an ingest inbox message for the hit.
230  */
231  if (null != artifact) {
232  hitArtifacts.add(artifact);
233  if (notifyInbox) {
234  try {
235  writeSingleFileInboxMessage(artifact, content);
236  } catch (TskCoreException ex) {
237  logger.log(Level.SEVERE, "Error sending message to ingest messages inbox", ex); //NON-NLS
238  }
239  }
240  }
241  }
242  }
243 
244  ++keywordsProcessed;
245  }
246 
247  /*
248  * Post the artifacts to the blackboard which will publish an event to
249  * notify subscribers of the new artifacts.
250  */
251  if (!hitArtifacts.isEmpty()) {
252  try {
253  SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
254  Blackboard blackboard = tskCase.getBlackboard();
255 
256  blackboard.postArtifacts(hitArtifacts, MODULE_NAME);
257  } catch (NoCurrentCaseException | Blackboard.BlackboardException ex) {
258  logger.log(Level.SEVERE, "Failed to post KWH artifact to blackboard.", ex); //NON-NLS
259  }
260  }
261  }
262 
272  private Collection<KeywordHit> getOneHitPerTextSourceObject(Keyword keyword) {
273  /*
274  * For each Solr document (chunk) for a text source object, return only
275  * a single keyword hit from the first chunk of text (the one with the
276  * lowest chunk id).
277  */
278  HashMap< Long, KeywordHit> hits = new HashMap<>();
279  getResults(keyword).forEach((hit) -> {
280  if (!hits.containsKey(hit.getSolrObjectId())) {
281  hits.put(hit.getSolrObjectId(), hit);
282  } else if (hit.getChunkId() < hits.get(hit.getSolrObjectId()).getChunkId()) {
283  hits.put(hit.getSolrObjectId(), hit);
284  }
285  });
286  return hits.values();
287  }
288 
299  private void writeSingleFileInboxMessage(BlackboardArtifact artifact, Content hitContent) throws TskCoreException {
300  StringBuilder subjectSb = new StringBuilder(1024);
301  if (!query.isLiteral()) {
302  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExpHitLbl"));
303  } else {
304  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitLbl"));
305  }
306 
307  StringBuilder detailsSb = new StringBuilder(1024);
308  String uniqueKey = null;
309  BlackboardAttribute attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD));
310  if (attr != null) {
311  final String keyword = attr.getValueString();
312  subjectSb.append(keyword);
313  uniqueKey = keyword.toLowerCase();
314  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
315  detailsSb.append("<tr>"); //NON-NLS
316  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitThLbl"));
317  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(keyword)).append("</td>"); //NON-NLS
318  detailsSb.append("</tr>"); //NON-NLS
319  }
320 
321  //preview
322  attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW));
323  if (attr != null) {
324  detailsSb.append("<tr>"); //NON-NLS
325  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.previewThLbl"));
326  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append("</td>"); //NON-NLS
327  detailsSb.append("</tr>"); //NON-NLS
328  }
329 
330  //file
331  detailsSb.append("<tr>"); //NON-NLS
332  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.fileThLbl"));
333  if (hitContent instanceof AbstractFile) {
334  AbstractFile hitFile = (AbstractFile) hitContent;
335  detailsSb.append("<td>").append(hitFile.getParentPath()).append(hitFile.getName()).append("</td>"); //NON-NLS
336  } else {
337  detailsSb.append("<td>").append(hitContent.getName()).append("</td>"); //NON-NLS
338  }
339  detailsSb.append("</tr>"); //NON-NLS
340 
341  //list
342  attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
343  if (attr != null) {
344  detailsSb.append("<tr>"); //NON-NLS
345  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.listThLbl"));
346  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
347  detailsSb.append("</tr>"); //NON-NLS
348  }
349 
350  //regex
351  if (!query.isLiteral()) {
352  attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP));
353  if (attr != null) {
354  detailsSb.append("<tr>"); //NON-NLS
355  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExThLbl"));
356  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
357  detailsSb.append("</tr>"); //NON-NLS
358  }
359  }
360  detailsSb.append("</table>"); //NON-NLS
361 
362  IngestServices.getInstance().postMessage(IngestMessage.createDataMessage(MODULE_NAME, subjectSb.toString(), detailsSb.toString(), uniqueKey, artifact));
363  }
364 }

Copyright © 2012-2019 Basis Technology. Generated on: Tue Jan 7 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.