19 package org.sleuthkit.autopsy.centralrepository.ingestmodule;
21 import java.util.HashSet;
22 import java.util.LinkedHashSet;
23 import java.util.List;
25 import java.util.logging.Level;
26 import org.apache.commons.lang3.StringUtils;
27 import org.openide.util.NbBundle;
80 flagNotableItems = settings.isFlagTaggedNotableItems();
81 flagPrevSeenDevices = settings.isFlagPreviousDevices();
82 flagUniqueArtifacts = settings.isFlagUniqueArtifacts();
83 saveCorrAttrInstances = settings.shouldCreateCorrelationProperties();
84 corrAttrValuesAlreadyProcessed =
new LinkedHashSet<>();
88 "CentralRepoIngestModule_crNotEnabledErrMsg=Central repository required, but not enabled",
89 "CentralRepoIngestModule_crInaccessibleErrMsg=Error accessing central repository",
90 "CentralRepoIngestModule_noCurrentCaseErrMsg=Error getting current case",
91 "CentralRepoIngestModule_crDatabaseTypeMismatch=Mulit-user cases require a PostgreSQL central repository"
133 if (flagNotableItems || flagPrevSeenDevices || flagUniqueArtifacts || saveCorrAttrInstances) {
135 if (corrAttrValuesAlreadyProcessed.add(corrAttr.toString())) {
137 if (saveCorrAttrInstances) {
141 LOGGER.log(Level.SEVERE, String.format(
"Error adding correlation attribute '%s' to central repository for '%s' (job ID=%d)", corrAttr, artifact, context.
getJobId()), ex);
158 List<CorrelationAttributeInstance> previousOccurrences = null;
159 if (flagNotableItems) {
160 previousOccurrences = getOccurrencesInOtherCases(corrAttr, context.
getJobId());
161 if (!previousOccurrences.isEmpty()) {
162 Set<String> previousCases =
new HashSet<>();
164 if (occurrence.getKnownStatus() == TskData.FileKnown.BAD) {
165 previousCases.add(occurrence.getCorrelationCase().getDisplayName());
168 if (!previousCases.isEmpty()) {
174 if (flagPrevSeenDevices
182 if (previousOccurrences == null) {
183 previousOccurrences = getOccurrencesInOtherCases(corrAttr, context.
getJobId());
185 if (!previousOccurrences.isEmpty()) {
187 if (!previousCases.isEmpty()) {
193 if (flagUniqueArtifacts
196 if (previousOccurrences == null) {
197 previousOccurrences = getOccurrencesInOtherCases(corrAttr, context.
getJobId());
199 if (previousOccurrences.isEmpty()) {
213 private Set<String>
getPreviousCases(List<CorrelationAttributeInstance> previousOccurrences) {
214 Set<String> previousCases =
new HashSet<>();
216 previousCases.add(occurrence.getCorrelationCase().getDisplayName());
218 return previousCases;
224 if (saveCorrAttrInstances) {
228 LOGGER.log(Level.SEVERE, String.format(
"Error doing final bulk commit of correlation attributes (job ID=%d)", context.
getJobId()), ex);
242 "CentralRepoIngestModule_prevSeenOsAcctSetName=Users seen in previous cases",
243 "CentralRepoIngestModule_prevSeenOsAcctConfig=Previously Seen Users (Central Repository)"
246 if (saveCorrAttrInstances || flagPrevSeenDevices) {
249 List<OsAccount> osAccounts = osAccountMgr.getOsAccountsByDataSourceObjId(context.
getDataSource().getId());
250 for (OsAccount osAccount : osAccounts) {
252 if (flagPrevSeenDevices) {
255 if (saveCorrAttrInstances) {
259 LOGGER.log(Level.SEVERE, String.format(
"Error adding correlation attribute '%s' to central repository for '%s'(job ID=%d)", corrAttr, osAccount, context.
getJobId()), ex);
265 LOGGER.log(Level.SEVERE, String.format(
"Error getting OS accounts for data source '%s' (job ID=%d)", context.
getDataSource(), context.
getJobId()), ex);
278 if (flagPrevSeenDevices) {
279 List<CorrelationAttributeInstance> previousOccurrences = getOccurrencesInOtherCases(corrAttr, context.
getJobId());
280 if (!previousOccurrences.isEmpty()) {
282 if (!previousCases.isEmpty()) {
301 if (correlationCase == null) {
302 correlationCase = centralRepo.
newCase(currentCase);
306 if (correlationDataSource == null) {
311 String imageMd5Hash = image.getMd5();
312 if (imageMd5Hash == null) {
315 String crMd5Hash = correlationDataSource.
getMd5();
316 if (StringUtils.equals(imageMd5Hash, crMd5Hash) ==
false) {
317 correlationDataSource.
setMd5(imageMd5Hash);
320 String imageSha1Hash = image.getSha1();
321 if (imageSha1Hash == null) {
324 String crSha1Hash = correlationDataSource.
getSha1();
325 if (StringUtils.equals(imageSha1Hash, crSha1Hash) ==
false) {
326 correlationDataSource.
setSha1(imageSha1Hash);
329 String imageSha256Hash = image.getSha256();
330 if (imageSha256Hash == null) {
331 imageSha256Hash =
"";
333 String crSha256Hash = correlationDataSource.
getSha256();
334 if (StringUtils.equals(imageSha256Hash, crSha256Hash) ==
false) {
335 correlationDataSource.
setSha256(imageSha256Hash);
339 LOGGER.log(Level.SEVERE, String.format(
"Error fetching data from the central repository for data source '%s' (job ID=%d)", context.
getDataSource().getName(), context.
getJobId()), ex);
341 LOGGER.log(Level.SEVERE, String.format(
"Error fetching data from the case database for data source '%s' (job ID=%d)", context.
getDataSource().getName(), context.
getJobId()), ex);