19 package org.sleuthkit.autopsy.centralrepository.application;
21 import java.io.BufferedWriter;
23 import java.io.IOException;
24 import java.nio.file.Files;
25 import java.text.DateFormat;
26 import java.text.ParseException;
27 import java.text.SimpleDateFormat;
28 import java.util.ArrayList;
29 import java.util.Collection;
30 import java.util.HashMap;
31 import java.util.List;
32 import java.util.Locale;
34 import java.util.Optional;
35 import java.util.logging.Level;
36 import org.apache.commons.lang3.StringUtils;
37 import org.joda.time.DateTimeZone;
38 import org.joda.time.LocalDateTime;
39 import org.openide.nodes.Node;
40 import org.openide.util.NbBundle;
85 Collection<CorrelationAttributeInstance> ret =
new ArrayList<>();
86 Optional<String> osAccountAddr = osAccount.getAddr();
88 if (osAccountAddr.isPresent()) {
90 for (OsAccountInstance instance : osAccount.getOsAccountInstances()) {
91 DataSource osAccountDataSource = instance.getDataSource();
101 TskData.FileKnown.KNOWN,
104 ret.add(correlationAttributeInstance);
106 logger.log(Level.SEVERE, String.format(
"Cannot get central repository for OsAccount: %s.", osAccountAddr.get()), ex);
108 logger.log(Level.WARNING, String.format(
"Exception while getting open case looking up osAccount %s.", osAccountAddr.get()), ex);
110 logger.log(Level.SEVERE, String.format(
"Exception with Correlation Attribute Normalization for osAccount %s.", osAccountAddr.get()), ex);
113 }
catch (TskCoreException ex) {
114 logger.log(Level.INFO, String.format(
"Unable to check create CorrelationAttribtueInstance for osAccount %s.", osAccountAddr.get()), ex);
131 Collection<CorrelationAttributeInstance> ret =
new ArrayList<>();
144 String md5 = file.getMd5Hash();
145 if (md5 != null && !md5.isEmpty() && null != artifactTypes && !artifactTypes.isEmpty()) {
155 file.getParentPath() + file.
getName(),
160 logger.log(Level.INFO, String.format(
"Unable to check create CorrelationAttribtueInstance for value %s and type %s.", md5, aType.toString()), ex);
167 logger.log(Level.SEVERE,
"Error connecting to DB", ex);
170 }
else if (file != null && file.getSize() > 0) {
171 String md5 = file.getMd5Hash();
172 if (md5 != null && !md5.isEmpty()) {
183 logger.log(Level.SEVERE,
"Error connecting to DB", ex);
185 logger.log(Level.INFO, String.format(
"Unable to create CorrelationAttributeInstance for value %s", md5), ex);
200 BlackboardArtifactTag nodeBbArtifactTag = node.getLookup().lookup(BlackboardArtifactTag.class);
201 BlackboardArtifact nodeBbArtifact = node.getLookup().lookup(BlackboardArtifact.class);
203 if (nodeBbArtifactTag != null) {
204 return nodeBbArtifactTag.getArtifact();
205 }
else if (nodeBbArtifact != null) {
206 return nodeBbArtifact;
221 BlackboardArtifactTag nodeBbArtifactTag = node.getLookup().lookup(BlackboardArtifactTag.class);
222 ContentTag nodeContentTag = node.getLookup().lookup(ContentTag.class);
223 AbstractFile nodeAbstractFile = node.getLookup().lookup(AbstractFile.class);
225 if (nodeBbArtifactTag != null) {
226 Content content = nodeBbArtifactTag.getContent();
227 if (content instanceof AbstractFile) {
228 return (AbstractFile) content;
230 }
else if (nodeContentTag != null) {
231 Content content = nodeContentTag.getContent();
232 if (content instanceof AbstractFile) {
233 return (AbstractFile) content;
235 }
else if (nodeAbstractFile != null) {
236 return nodeAbstractFile;
259 String caseUUID = openCase.
getName();
260 HashMap<UniquePathKey, NodeData> nodeDataMap =
new HashMap<>();
273 if (artifactInstance.getCorrelationCase().getCaseUUID().equals(caseUUID)
274 && (!StringUtils.isBlank(dataSourceName) && artifactInstance.getCorrelationDataSource().getName().equals(dataSourceName))
275 && (!StringUtils.isBlank(deviceId) && artifactInstance.getCorrelationDataSource().getDeviceID().equals(deviceId))
276 && (file != null && artifactInstance.getFilePath().equalsIgnoreCase(file.getParentPath() + file.getName()))) {
281 nodeDataMap.put(uniquePathKey, newNode);
286 for (AbstractFile caseDbFile : caseDbFiles) {
293 logger.log(Level.SEVERE,
"Error getting artifact instances from database.", ex);
295 logger.log(Level.INFO,
"Error getting artifact instances from database.", ex);
297 logger.log(Level.SEVERE,
"Exception while getting open case.", ex);
298 }
catch (TskCoreException ex) {
301 logger.log(Level.SEVERE,
"Exception while querying open case.", ex);
304 return new HashMap<>(
323 List<AbstractFile> caseDbArtifactInstances =
new ArrayList<>();
325 String md5 = corAttr.getCorrelationValue();
326 SleuthkitCase tsk = openCase.getSleuthkitCase();
327 List<AbstractFile> matches = tsk.findAllFilesWhere(String.format(
"md5 = '%s'",
new Object[]{md5}));
329 for (AbstractFile fileMatch : matches) {
330 if (file.equals(fileMatch)) {
333 caseDbArtifactInstances.add(fileMatch);
336 return caseDbArtifactInstances;
356 if (newNode.
getKnown() != TskData.FileKnown.BAD) {
357 List<ContentTag> fileMatchTags = autopsyCase.getServices().getTagsManager().getContentTagsByContent(newFile);
358 for (ContentTag tag : fileMatchTags) {
359 TskData.FileKnown tagKnownStatus = tag.getName().getKnownStatus();
360 if (tagKnownStatus.equals(TskData.FileKnown.BAD)) {
361 newNode.updateKnown(TskData.FileKnown.BAD);
373 if (nodeDataMap.containsKey(uniquePathKey)) {
374 if (newNode.
getKnown() == TskData.FileKnown.BAD) {
375 NodeData prevInstance = nodeDataMap.get(uniquePathKey);
376 prevInstance.updateKnown(newNode.
getKnown());
379 nodeDataMap.put(uniquePathKey, newNode);
388 return caseUUID + deviceId + dataSourceName;
396 String dateStringDisplay =
"";
399 LocalDateTime earliestDate = LocalDateTime.now(DateTimeZone.UTC);
400 DateFormat datetimeFormat =
new SimpleDateFormat(
"yyyy/MM/dd HH:mm:ss", Locale.US);
402 List<CorrelationCase> cases = dbManager.
getCases();
404 LocalDateTime caseDate;
406 caseDate = LocalDateTime.fromDateFields(datetimeFormat.parse(aCase.getCreationDate()));
408 if (caseDate.isBefore(earliestDate)) {
409 earliestDate = caseDate;
410 dateStringDisplay = aCase.getCreationDate();
412 }
catch (ParseException ex) {
413 throw new CentralRepoException(
"Failed to format case creation date " + aCase.getCreationDate(), ex);
418 return dateStringDisplay;
422 "OtherOccurrences.csvHeader.case=Case",
423 "OtherOccurrences.csvHeader.device=Device",
424 "OtherOccurrences.csvHeader.dataSource=Data Source",
425 "OtherOccurrences.csvHeader.attribute=Matched Attribute",
426 "OtherOccurrences.csvHeader.value=Attribute Value",
427 "OtherOccurrences.csvHeader.known=Known",
428 "OtherOccurrences.csvHeader.path=Path",
429 "OtherOccurrences.csvHeader.comment=Comment"
444 public static void writeOtherOccurrencesToFileAsCSV(File destFile, AbstractFile abstractFile, Collection<CorrelationAttributeInstance> correlationAttList, String dataSourceName, String deviceId)
throws IOException {
445 try (BufferedWriter writer = Files.newBufferedWriter(destFile.toPath())) {
447 StringBuilder headers =
new StringBuilder(
"\"");
448 headers.append(Bundle.OtherOccurrences_csvHeader_case())
455 .append(
'"').append(System.getProperty(
"line.separator"));
456 writer.write(headers.toString());
459 Map<UniquePathKey, NodeData> correlatedNodeDataMap =
new HashMap<>(0);
462 for (
NodeData nodeData : correlatedNodeDataMap.values()) {
463 writer.write(nodeData.toCsvString());