19 package org.sleuthkit.autopsy.centralrepository.datamodel;
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.Collections;
24 import java.util.HashSet;
25 import java.util.List;
26 import java.util.Optional;
28 import java.util.logging.Level;
29 import org.openide.util.NbBundle.Messages;
38 import org.
sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
40 import org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
44 import org.
sleuthkit.datamodel.InvalidAccountIDException;
// Domain values that are excluded from domain correlation.
// The check that consults this list, domainsToSkip.contains(domainAttr.getValueString()),
// is an exact, case-sensitive string match. Other spellings of a loopback host
// (constructed examples: "LOCALHOST", "::1") are therefore not skipped unless the
// value has been normalized before the check.
// NOTE(review): confirm whether TSK_DOMAIN values are normalized before they reach it.
57 private static final List<String>
domainsToSkip = Arrays.asList(
"localhost",
"127.0.0.1");
61 ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID(),
62 ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID(),
63 ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID(),
64 ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID(),
65 ARTIFACT_TYPE.TSK_WEB_CACHE.getTypeID()
78 @Messages({
"CorrelationAttributeUtil.emailaddresses.text=Email Addresses"})
80 return Bundle.CorrelationAttributeUtil_emailaddresses_text();
84 int artifactTypeID = artifact.getArtifactTypeID();
86 if (artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
87 || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()
88 || artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()) {
89 return Collections.emptyList();
113 return Collections.emptyList();
125 public static List<CorrelationAttributeInstance>
makeCorrAttrsToSave(OsAccount account, Content dataSource) {
126 List<CorrelationAttributeInstance> correlationAttrs =
new ArrayList<>();
128 Optional<String> accountAddr = account.getAddr();
139 TskData.FileKnown.KNOWN,
141 correlationAttrs.add(correlationAttributeInstance);
143 logger.log(Level.SEVERE, String.format(
"Error querying central repository for OS account '%s'", accountAddr.get()), ex);
145 logger.log(Level.SEVERE, String.format(
"Error getting current case for OS account '%s'", accountAddr.get()), ex);
147 logger.log(Level.WARNING, String.format(
"Error normalizing correlation attribute for OS account '%s': %s", accountAddr.get(), ex.getMessage()));
151 return correlationAttrs;
// Exact, case-sensitive comparison against three Windows well-known SIDs:
// S-1-5-18 (Local System), S-1-5-19 (Local Service) and S-1-5-20 (Network Service).
// Only these three values yield true; any other address yields false.
// accountAddr is dereferenced directly, so a null argument throws NullPointerException.
163 return accountAddr.equals(
"S-1-5-18") || accountAddr.equals(
"S-1-5-19") || accountAddr.equals(
"S-1-5-20");
187 @SuppressWarnings(
"deprecation")
189 List<CorrelationAttributeInstance> correlationAttrs =
new ArrayList<>();
193 int artifactTypeID = analysisResult.getArtifactTypeID();
194 if (artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID()) {
197 BlackboardAttribute assocArtifactAttr = analysisResult.getAttribute(BlackboardAttribute.Type.TSK_ASSOCIATED_ARTIFACT);
198 if (assocArtifactAttr != null) {
200 if (sourceArtifact instanceof DataArtifact) {
202 }
else if (sourceArtifact instanceof AnalysisResult) {
205 String sourceName = sourceArtifact != null ?
"SourceArtifact display name: " + sourceArtifact.getDisplayName() :
"SourceArtifact was null";
206 logger.log(Level.SEVERE,
"Source artifact found through TSK_ASSOCIATED_ARTIFACT attribute was not a DataArtifact or "
207 +
"an Analysis Result. AssociateArtifactAttr Value: {0} {1}",
208 new Object[]{assocArtifactAttr.getValueString(), sourceName});
212 if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
215 BlackboardAttribute setNameAttr = analysisResult.getAttribute(BlackboardAttribute.Type.TSK_SET_NAME);
232 Content parent = analysisResult.getParent();
233 if (parent instanceof AbstractFile) {
235 }
else if (parent instanceof AnalysisResult) {
237 }
else if (parent instanceof DataArtifact) {
239 }
else if (parent instanceof OsAccount) {
240 for (OsAccountInstance osAccountInst : ((OsAccount) parent).getOsAccountInstances()) {
241 if (osAccountInst.getDataSource().equals(analysisResult.getDataSource())) {
261 }
catch (TskCoreException ex) {
262 logger.log(Level.SEVERE,
"Failed to get information regarding correlation attributes in regards to either the provided AnalysisResult, it's associated artifact, or it's parent.", ex);
264 logger.log(Level.WARNING,
"Attempted to retrieve correlation attributes for search with no currently open case.", ex);
266 logger.log(Level.SEVERE,
"Failed to get correlation type from central repository.", ex);
269 return correlationAttrs;
291 List<CorrelationAttributeInstance> correlationAttrs =
new ArrayList<>();
295 List<BlackboardAttribute> attributes = artifact.getAttributes();
297 int artifactTypeID = artifact.getArtifactTypeID();
298 if (DOMAIN_ARTIFACT_TYPE_IDS.contains(artifactTypeID)) {
299 BlackboardAttribute domainAttr =
getAttribute(attributes,
new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
300 if ((domainAttr != null)
301 && !domainsToSkip.contains(domainAttr.getValueString())) {
304 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
307 Content dataSource = sourceContent.getDataSource();
309 attributes, sourceContent, dataSource));
311 attributes, sourceContent, dataSource));
312 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
314 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
315 || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
316 || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
318 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
321 Content dataSource = sourceContent.getDataSource();
323 attributes, sourceContent, dataSource));
325 attributes, sourceContent, dataSource));
327 attributes, sourceContent, dataSource));
329 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
332 Content dataSource = sourceContent.getDataSource();
334 attributes, sourceContent, dataSource));
336 attributes, sourceContent, dataSource));
338 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
341 Content dataSource = sourceContent.getDataSource();
343 attributes, sourceContent, dataSource));
345 attributes, sourceContent, dataSource));
347 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
350 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
351 BlackboardAttribute setNameAttr =
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
352 String pathAttrString = null;
353 if (setNameAttr != null) {
354 pathAttrString = setNameAttr.getValueString();
356 if (pathAttrString != null && !pathAttrString.isEmpty()) {
361 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
362 || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
363 || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
367 logger.log(Level.WARNING, String.format(
"Error normalizing correlation attribute (%s): %s", artifact, ex.getMessage()));
368 return correlationAttrs;
369 }
catch (InvalidAccountIDException ex) {
370 logger.log(Level.WARNING, String.format(
"Invalid account identifier (artifactID: %d): %s", artifact.getId(), ex.getMessage()));
371 return correlationAttrs;
373 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", artifact), ex);
374 return correlationAttrs;
375 }
catch (TskCoreException ex) {
376 logger.log(Level.SEVERE, String.format(
"Error getting querying case database (%s)", artifact), ex);
377 return correlationAttrs;
379 logger.log(Level.WARNING,
"Error getting current case", ex);
380 return correlationAttrs;
383 return correlationAttrs;
396 private static BlackboardAttribute
getAttribute(List<BlackboardAttribute> attributes, BlackboardAttribute.Type attributeType) throws TskCoreException {
397 for (BlackboardAttribute attribute : attributes) {
398 if (attribute.getAttributeType().equals(attributeType)) {
429 if (null !=
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
430 value =
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
431 }
else if (null !=
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
432 value =
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
433 }
else if (null !=
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
434 value =
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
439 List<CorrelationAttributeInstance> corrAttrInstances =
new ArrayList<>();
444 if (corrAttr != null) {
445 corrAttrInstances.add(corrAttr);
448 return corrAttrInstances;
465 private static void makeCorrAttrFromAcctArtifact(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact acctArtifact, List<BlackboardAttribute> attributes)
throws InvalidAccountIDException, TskCoreException, CentralRepoException {
// Reads the account type name from the artifact's TSK_ACCOUNT_TYPE attribute.
// NOTE(review): other call sites in this file null-check the result of getAttribute()
// before using it. Here it is dereferenced on the very next line, so an account artifact
// that carries no TSK_ACCOUNT_TYPE attribute would raise NullPointerException instead of
// one of the declared InvalidAccountIDException / TskCoreException / CentralRepoException.
// Artifact attributes come from parsed evidence, so a missing attribute should be handled
// explicitly (skip the artifact and log it) - confirm against the callers' catch blocks.
468 BlackboardAttribute accountTypeAttribute =
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE));
469 String accountTypeStr = accountTypeAttribute.getValueString();
473 Account.Type predefinedAccountType = Account.Type.PREDEFINED_ACCOUNT_TYPES.stream().filter(type -> type.getTypeName().equalsIgnoreCase(accountTypeStr)).findAny().orElse(null);
476 if (Account.Type.DEVICE.getTypeName().equalsIgnoreCase(accountTypeStr) ==
false && predefinedAccountType != null) {
480 if (!optCrAccountType.isPresent()) {
// Reads the account identifier from the artifact's TSK_ID attribute.
// NOTE(review): getAttribute() is treated as nullable elsewhere in this file, but its
// result is dereferenced here without a check. An artifact with no TSK_ID attribute would
// raise NullPointerException, which is not in this method's throws clause. A null guard
// that skips the artifact would keep malformed evidence from aborting the caller.
489 BlackboardAttribute accountIdAttribute =
getAttribute(attributes,
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ID));
490 String accountIdStr = accountIdAttribute.getValueString();
496 if (corrAttr != null) {
498 corrAttr.setAccountId(crAccount.
getId());
499 corrAttrInstances.add(corrAttr);
523 List<BlackboardAttribute> attributes, Content sourceContent, Content dataSource)
throws CentralRepoException, TskCoreException {
524 List<CorrelationAttributeInstance> corrAttrInstances =
new ArrayList<>();
525 BlackboardAttribute attribute =
getAttribute(attributes,
new BlackboardAttribute.Type(artAttrType));
526 if (attribute != null) {
527 String value = attribute.getValueString();
528 if ((null != value) && (value.isEmpty() ==
false)) {
531 corrAttrInstances.add(inst);
535 return corrAttrInstances;
555 List<BlackboardAttribute> attributes)
throws CentralRepoException, TskCoreException {
578 return makeCorrAttr(artifact, correlationType, value, null, null);
601 Content sourceContent, Content dataSource) {
602 Content srcContent = sourceContent;
603 Content dataSrc = dataSource;
605 if (srcContent == null) {
608 if (null == srcContent) {
609 logger.log(Level.SEVERE,
"Error creating artifact instance of type {0}. Failed to load content with ID: {1} associated with artifact with ID: {2}",
610 new Object[]{correlationType.getDisplayName(), artifact.getObjectID(), artifact.getId()});
613 if (dataSrc == null) {
614 dataSrc = srcContent.getDataSource();
616 if (dataSrc == null) {
617 logger.log(Level.SEVERE,
"Error creating artifact instance of type {0}. Failed to load data source for content with ID: {1}",
618 new Object[]{correlationType.getDisplayName(), artifact.getObjectID()});
623 if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()
624 || !(srcContent instanceof AbstractFile)) {
632 TskData.FileKnown.UNKNOWN,
635 AbstractFile bbSourceFile = (AbstractFile) srcContent;
642 bbSourceFile.getParentPath() + bbSourceFile.
getName(),
644 TskData.FileKnown.UNKNOWN,
645 bbSourceFile.getId());
647 }
catch (TskCoreException ex) {
648 logger.log(Level.SEVERE, String.format(
"Error getting querying case database (%s)", artifact), ex);
650 }
catch (CentralRepoException ex) {
651 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", artifact), ex);
654 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s): %s", artifact, ex.getMessage()));
657 logger.log(Level.WARNING,
"Error getting current case", ex);
695 if (null == correlationCase) {
700 }
catch (TskCoreException ex) {
701 logger.log(Level.SEVERE, String.format(
"Error getting querying case database (%s)", file), ex);
703 }
catch (CentralRepoException ex) {
704 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
707 logger.log(Level.WARNING,
"Error getting current case", ex);
714 }
catch (CentralRepoException ex) {
715 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
718 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s): %s", file, ex.getMessage()));
728 if (correlationAttributeInstance == null && file.getMd5Hash() != null) {
// Builds the lower-cased full path (parent path + file name) for this file.
// NOTE(review): toLowerCase() with no argument uses the JVM default locale, so the same
// path can lower-case differently on machines with different locales (for example the
// dotted/dotless "i" under a Turkish locale). If this string is used as a lookup key in
// the central repository, toLowerCase(Locale.ROOT) would keep it stable across examiner
// workstations - confirm how the stored path is cased before changing it.
729 String filePath = (file.getParentPath() + file.getName()).toLowerCase();
732 }
catch (CentralRepoException ex) {
733 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
736 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s): %s", file, ex.getMessage()));
741 return correlationAttributeInstance;
765 List<CorrelationAttributeInstance> fileTypeList =
new ArrayList<>();
771 String md5 = file.getMd5Hash();
772 if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
785 file.getParentPath() + file.
getName(),
787 TskData.FileKnown.UNKNOWN,
789 }
catch (TskCoreException ex) {
790 logger.log(Level.SEVERE, String.format(
"Error querying case database (%s)", file), ex);
791 }
catch (CentralRepoException ex) {
792 logger.log(Level.SEVERE, String.format(
"Error querying central repository (%s)", file), ex);
794 logger.log(Level.WARNING, String.format(
"Error creating correlation attribute instance (%s): %s", file, ex.getMessage()));
796 logger.log(Level.WARNING,
"Error getting current case", ex);
813 switch (file.getType()) {
826 return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
828 logger.log(Level.WARNING,
"Unexpected file type {0}", file.getType().getName());
834 List<CorrelationAttributeInstance> correlationAttrs =
new ArrayList<>();
837 correlationAttrs.addAll(
makeCorrAttrsToSave(osAccountInst.getOsAccount(), osAccountInst.getDataSource()));
838 }
catch (TskCoreException ex) {
839 logger.log(Level.SEVERE, String.format(
"Error getting OS account from OS account instance '%s'", osAccountInst), ex);
842 return correlationAttrs;
static final int EMAIL_TYPE_ID
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value, Content sourceContent, Content dataSource)
static final int USBID_TYPE_ID
static List< CorrelationAttributeInstance > makeCorrAttrsFromCommunicationArtifact(BlackboardArtifact artifact, List< BlackboardAttribute > attributes)
static String getEmailAddressAttrDisplayName()
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(OsAccountInstance osAccountInst)
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)
static final int ICCID_TYPE_ID
CorrelationAttributeUtil()
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(AbstractFile file)
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
CorrelationCase getCase(Case autopsyCase)
static List< CorrelationAttributeInstance > makeCorrAttrFromArtifactAttr(BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes, Content sourceContent, Content dataSource)
static final int IMEI_TYPE_ID
static final Logger logger
Optional< CentralRepoAccountType > getAccountTypeByName(String accountTypeName)
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(DataArtifact artifact)
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(AbstractFile file)
static boolean isSupportedAbstractFileType(AbstractFile file)
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(AnalysisResult analysisResult)
static BlackboardAttribute getAttribute(List< BlackboardAttribute > attributes, BlackboardAttribute.Type attributeType)
static final int DOMAIN_TYPE_ID
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(OsAccount account, Content dataSource)
static boolean isSystemOsAccount(String accountAddr)
static final int PHONE_TYPE_ID
static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file)
static final int INSTALLED_PROGS_TYPE_ID
SleuthkitCase getSleuthkitCase()
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(AnalysisResult file)
static List< CorrelationAttributeInstance > makeCorrAttrFromArtifactAttr(BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes)
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
static final List< String > domainsToSkip
static final int MAC_TYPE_ID
int getCorrelationTypeId()
static final int IMSI_TYPE_ID
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(DataArtifact artifact)
synchronized static Logger getLogger(String name)
static final int OSACCOUNT_TYPE_ID
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
static Case getCurrentCaseThrows()
static final int SSID_TYPE_ID
static CentralRepository getInstance()
static void makeCorrAttrFromAcctArtifact(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact, List< BlackboardAttribute > attributes)
static final int FILES_TYPE_ID
CentralRepoAccount getOrCreateAccount(CentralRepoAccount.CentralRepoAccountType crAccountType, String accountUniqueID)
static boolean isEnabled()
static final Set< Integer > DOMAIN_ARTIFACT_TYPE_IDS