Static Public Member Functions
static CorrelationAttributeInstance	getCorrAttrForFile (AbstractFile file)

static boolean	isSupportedAbstractFileType (AbstractFile file)

static List< CorrelationAttributeInstance >	makeCorrAttrsForSearch (AnalysisResult analysisResult)

static List< CorrelationAttributeInstance >	makeCorrAttrsForSearch (DataArtifact artifact)

static List< CorrelationAttributeInstance >	makeCorrAttrsForSearch (AbstractFile file)

static List< CorrelationAttributeInstance >	makeCorrAttrsForSearch (OsAccountInstance osAccountInst)

static List< CorrelationAttributeInstance >	makeCorrAttrsToSave (DataArtifact artifact)

static List< CorrelationAttributeInstance >	makeCorrAttrsToSave (AbstractFile file)

static List< CorrelationAttributeInstance >	makeCorrAttrsToSave (AnalysisResult file)

static List< CorrelationAttributeInstance >	makeCorrAttrsToSave (OsAccount account, Content dataSource)

Private Member Functions
	CorrelationAttributeUtil ()

Static Private Member Functions
static BlackboardAttribute	getAttribute (List< BlackboardAttribute > attributes, BlackboardAttribute.Type attributeType) throws TskCoreException

static String	getEmailAddressAttrDisplayName ()

static boolean	isSystemOsAccount (String accountAddr)

static CorrelationAttributeInstance	makeCorrAttr (BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)

static CorrelationAttributeInstance	makeCorrAttr (BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value, Content sourceContent, Content dataSource)

static void	makeCorrAttrFromAcctArtifact (List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact, List< BlackboardAttribute > attributes) throws InvalidAccountIDException, TskCoreException, CentralRepoException

static List< CorrelationAttributeInstance >	makeCorrAttrFromArtifactAttr (BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes, Content sourceContent, Content dataSource) throws CentralRepoException, TskCoreException

static List< CorrelationAttributeInstance >	makeCorrAttrFromArtifactAttr (BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes) throws CentralRepoException, TskCoreException

static List< CorrelationAttributeInstance >	makeCorrAttrsFromCommunicationArtifact (BlackboardArtifact artifact, List< BlackboardAttribute > attributes) throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException

Static Private Attributes
static final Set< Integer >	DOMAIN_ARTIFACT_TYPE_IDS

static final List< String >	domainsToSkip = Arrays.asList("localhost", "127.0.0.1")

static final Logger	logger = Logger.getLogger(CorrelationAttributeUtil.class.getName())

Detailed Description

Utility class for working with correlation attributes in the central repository.

Definition at line 54 of file CorrelationAttributeUtil.java.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.CorrelationAttributeUtil ( )

private

Prevent instantiation of this utility class.

Definition at line 848 of file CorrelationAttributeUtil.java.

Member Function Documentation

static BlackboardAttribute org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getAttribute	(	List< BlackboardAttribute >	attributes,
		BlackboardAttribute.Type	attributeType
	)		throws TskCoreException

staticprivate

Gets a specific attribute from a list of attributes.

Parameters

attributes	List of attributes
attributeType	Attribute type of interest

Returns: Attribute of interest, null if not found.

Exceptions

TskCoreException

Definition at line 396 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifact().

static CorrelationAttributeInstance org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile ( AbstractFile file )

static

Gets the correlation attribute instance for a file. This method goes to the CR to get an actual instance. It does not simply package the data from file into a generic instance object.

Parameters

file The file.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Returns: The correlation attribute instance or null, if no such correlation attribute instance was found or an error occurred.

Definition at line 682 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction().

static String org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getEmailAddressAttrDisplayName ( )

staticprivate

Gets a string that is expected to be the same string that is stored in the correlation_types table in the central repository as the display name for the email address correlation attribute type. This string is duplicated in the CorrelationAttributeInstance class.

TODO (Jira-6088): We should not have multiple definitions of this string.

Returns: The display name of the email address correlation attribute type.

Definition at line 79 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

static boolean org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSupportedAbstractFileType ( AbstractFile file )

static

Checks whether or not a file is of a type that can be added to the central repository as a correlation attribute instance.

Parameters

file A file.

Returns: True or false.

Definition at line 809 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.CentralRepoContextMenuActionsProvider.getActions(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

static boolean org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.isSystemOsAccount ( String accountAddr )

staticprivate

Determines whether or not a given OS account address is a system account address.

Parameters

accountAddr The OS account address.

Returns: True or false.

Definition at line 162 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave().

static CorrelationAttributeInstance org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr	(	BlackboardArtifact	artifact,
		CorrelationAttributeInstance.Type	correlationType,
		String	value
	)

staticprivate

Makes a correlation attribute instance of a given type from an artifact.

Parameters

artifact	The artifact.
correlationType	the correlation attribute type.
value	The correlation attribute value.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Returns: The correlation attribute instance or null, if an error occurred.

Definition at line 577 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifact().

static CorrelationAttributeInstance org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr	(	BlackboardArtifact	artifact,
		CorrelationAttributeInstance.Type	correlationType,
		String	value,
		Content	sourceContent,
		Content	dataSource
	)

staticprivate

Makes a correlation attribute instance of a given type from an artifact.

Parameters

artifact	The artifact.
correlationType	the correlation attribute type.
value	The correlation attribute value.
sourceContent	The source content object.
dataSource	The data source content object.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Returns: The correlation attribute instance or null, if an error occurred.

Definition at line 600 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCase(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.getName(), and org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase().

static void org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact	(	List< CorrelationAttributeInstance >	corrAttrInstances,
		BlackboardArtifact	acctArtifact,
		List< BlackboardAttribute >	attributes
	)		throws InvalidAccountIDException, TskCoreException, CentralRepoException

staticprivate

Makes a correlation attribute instance for an account artifact.

Also creates an account in the CR DB if it doesn't exist.

IMPORTANT: The correlation attribute instance is NOT added to the central repository by this method.

Parameters

corrAttrInstances	A list of correlation attribute instances.
acctArtifact	An account artifact.
attributes	List of attributes.

Returns: The correlation attribute instance.

Definition at line 465 of file CorrelationAttributeUtil.java.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr	(	BlackboardArtifact	artifact,
		ATTRIBUTE_TYPE	artAttrType,
		int	typeId,
		List< BlackboardAttribute >	attributes,
		Content	sourceContent,
		Content	dataSource
	)		throws CentralRepoException, TskCoreException

staticprivate

Makes a correlation attribute instance from a specified attribute of an artifact. The correlation attribute instance is added to an input list.

Parameters

artifact	An artifact.
artAttrType	The type of the attribute of the artifact that is to be made into a correlation attribute instance.
typeId	The type ID for the desired correlation attribute instance.
attributes	List of attributes.
sourceContent	The source content object.
dataSource	The data source content object.

Exceptions

CentralRepoException	If there is an error querying the central repository.
TskCoreException	If there is an error querying the case database.

Definition at line 522 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getAttribute(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr().

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr	(	BlackboardArtifact	artifact,
		ATTRIBUTE_TYPE	artAttrType,
		int	typeId,
		List< BlackboardAttribute >	attributes
	)		throws CentralRepoException, TskCoreException

staticprivate

Makes a correlation attribute instance from a specified attribute of an artifact. The correlation attribute instance is added to an input list.

Parameters

artifact	An artifact.
artAttrType	The type of the attribute of the artifact that is to be made into a correlation attribute instance.
typeId	The type ID for the desired correlation attribute instance.
attributes	List of attributes.

Exceptions

CentralRepoException	If there is an error querying the central repository.
TskCoreException	If there is an error querying the case database.

Definition at line 554 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch ( AnalysisResult analysisResult )

static

Makes zero to many correlation attribute instances from the attributes of AnalysisResult that have correlatable data. The intention of this method is to use the results to correlate with, not to save. If you want to save, please use makeCorrAttrsToSave. An artifact that can have data to search for != An artifact that should be the source of data in the CR, so results may be too lenient.

IMPORTANT: The correlation attribute instances are NOT added to the central repository by this method.

JIRA-TODO (Jira-6088)

Parameters

analysisResult An AnalysisResult object.

Returns: A list, possibly empty, of correlation attribute instances for the AnalysisResult.

("deprecation") - we need to support already existing interesting file and artifact hits.

We only need to add correlation attributes for a single OsAccountInstance. because we are generally searching based on type and value.

However data source can also be used, so we would like to choose an OsAccountInstance which is associated with the same data source as the provided AnalysisResult for those use cases. For example to get the count of cases with other instances.

Definition at line 188 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.EMAIL_TYPE_ID, org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getEmailAddressAttrDisplayName(), org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.isEnabled(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

Referenced by org.sleuthkit.autopsy.centralrepository.AddEditCentralRepoCommentAction.AddEditCentralRepoCommentAction(), org.sleuthkit.autopsy.contentviewers.annotations.AnnotationUtils.getCentralRepositoryData(), org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.getCorrelationAttributeFromOsAccount(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.TagDefinitionChangeTask.run(), org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.setArtifactKnownStatus(), and org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener.ContentTagTask.setContentKnownStatus().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch ( DataArtifact artifact )

static

Makes zero to many correlation attribute instances from the attributes of a DataArtifact that have correlatable data. The intention of this method is to use the results to correlate with, not to save. If you want to save, please use makeCorrAttrsToSave. An artifact that can have data to search for != An artifact that should be the source of data in the CR, so results may be too lenient.

IMPORTANT: The correlation attribute instances are NOT added to the central repository by this method.

JIRA-TODO (Jira-6088)

Parameters

artifact A DataArtifact object.

Returns: A list, possibly empty, of correlation attribute instances for the DataArtifact.

Definition at line 290 of file CorrelationAttributeUtil.java.

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch ( AbstractFile file )

static

Makes a correlation attribute instance for a file. Will include the specific object ID.

IMPORTANT: The correlation attribute instance is NOT added to the central repository by this method.

TODO (Jira-6088): The methods in this low-level, utility class should throw exceptions instead of logging them. The reason for this is that the clients of the utility class, not the utility class itself, should be in charge of error handling policy, per the Autopsy Coding Standard. Note that clients of several of these methods currently cannot determine whether receiving a null return value is an error or not, plus null checking is easy to forget, while catching exceptions is enforced.

Parameters

file The file.

Returns: The correlation attribute instance in a list, or an empty list if an error occurred.

Definition at line 764 of file CorrelationAttributeUtil.java.

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch ( OsAccountInstance osAccountInst )

static

Definition at line 833 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.isEnabled(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifact	(	BlackboardArtifact	artifact,
		List< BlackboardAttribute >	attributes
	)		throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException

staticprivate

Makes a correlation attribute instance from a phone number attribute of an artifact.

Parameters

artifact	An artifact with a phone number attribute.
attributes	List of attributes.

Exceptions

TskCoreException	If there is an error querying the case database.
CentralRepoException	If there is an error querying the central repository.
CorrelationAttributeNormalizationException	If there is an error in normalizing the attribute.

Definition at line 422 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getAttribute(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.PHONE_TYPE_ID.

Referenced by org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave ( DataArtifact artifact )

static

Definition at line 83 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

Referenced by org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.analyzeOsAccounts(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch(), and org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.process().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave ( AbstractFile file )

static

Makes zero to many correlation attribute instances from the attributes of abstract file objects that have correlatable data. The intention of this method is to use the results to save to the CR, not to correlate with them. If you want to correlate, please use makeCorrAttrsForSearch. An artifact that can have correlatable data != An artifact that should be the source of data in the CR, so results may be un-necessarily incomplete.

Parameters

file	A AbstractFile object.

Returns: A list, possibly empty, of correlation attribute instances for the content.

Definition at line 108 of file CorrelationAttributeUtil.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch().

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave ( AnalysisResult file )

static

Definition at line 112 of file CorrelationAttributeUtil.java.

static List<CorrelationAttributeInstance> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave	(	OsAccount	account,
		Content	dataSource
	)

static

Gets the correlation attributes for an OS account instance represented as an OS account plus a data source.

Parameters

account	The OS account.
dataSource	The data source.

Returns: The correlation attributes.

Definition at line 125 of file CorrelationAttributeUtil.java.

Member Data Documentation

final Set<Integer> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.DOMAIN_ARTIFACT_TYPE_IDS

staticprivate

Initial value:

= new HashSet<>(Arrays.asList(
            ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID(),
            ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID(),
            ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID(),
            ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID(),
            ARTIFACT_TYPE.TSK_WEB_CACHE.getTypeID()
    ))

Definition at line 60 of file CorrelationAttributeUtil.java.

final List<String> org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.domainsToSkip = Arrays.asList("localhost", "127.0.0.1")

staticprivate

Definition at line 57 of file CorrelationAttributeUtil.java.

final Logger org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.logger = Logger.getLogger(CorrelationAttributeUtil.class.getName())

staticprivate

Definition at line 56 of file CorrelationAttributeUtil.java.

The documentation for this class was generated from the following file:

/home/carriersleuth/repos/autopsy/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java

Static Public Member Functions

Private Member Functions

Static Private Member Functions

Static Private Attributes

Detailed Description

Constructor & Destructor Documentation

Member Function Documentation

Member Data Documentation