api-docs/4.20.0/_other_occurrences_8java_source.html

 /*

  * Central Repository

  *

  * Copyright 2021 Basis Technology Corp.

  * Contact: carrier <at> sleuthkit <dot> org

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.sleuthkit.autopsy.centralrepository.application;


 import java.io.BufferedWriter;

 import java.io.File;

 import java.io.IOException;

 import java.nio.file.Files;

 import java.text.DateFormat;

 import java.text.ParseException;

 import java.text.SimpleDateFormat;

 import java.util.Collection;

 import java.util.Collections;

 import java.util.HashMap;

 import java.util.List;

 import java.util.Locale;

 import java.util.Map;

 import java.util.Optional;

 import java.util.logging.Level;

 import org.apache.commons.lang3.StringUtils;

 import org.joda.time.DateTimeZone;

 import org.joda.time.LocalDateTime;

 import org.openide.nodes.Node;

 import org.openide.util.NbBundle;

 import org.sleuthkit.autopsy.casemodule.Case;

 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoException;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;

 import org.sleuthkit.autopsy.coreutils.Logger;

 import org.sleuthkit.datamodel.AbstractFile;

 import org.sleuthkit.datamodel.ContentTag;

 import org.sleuthkit.datamodel.OsAccount;

 import org.sleuthkit.datamodel.OsAccountInstance;

 import org.sleuthkit.datamodel.TskCoreException;

 import org.sleuthkit.datamodel.TskData;


 public final class OtherOccurrences {


     private static final Logger logger = Logger.getLogger(OtherOccurrences.class.getName());


     private static final String UUID_PLACEHOLDER_STRING = "NoCorrelationAttributeInstance";


     private OtherOccurrences() {

     }


     public static Collection<CorrelationAttributeInstance> getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount) {

         Optional<String> osAccountAddr = osAccount.getAddr();

         if (osAccountAddr.isPresent()) {

             try {

                 for (OsAccountInstance instance : osAccount.getOsAccountInstances()) {

                     List<CorrelationAttributeInstance> correlationAttributeInstances = CorrelationAttributeUtil.makeCorrAttrsForSearch(instance);

                     if (!correlationAttributeInstances.isEmpty()) {

                         return correlationAttributeInstances;

                     }

                 }

             } catch (TskCoreException ex) {

                 logger.log(Level.INFO, String.format("Unable to check create CorrelationAttribtueInstance for osAccount %s.", osAccountAddr.get()), ex);

             }

         }

         return Collections.emptyList();

     }


     public static Map<UniquePathKey, NodeData> getCorrelatedInstances(String deviceId, String dataSourceName, CorrelationAttributeInstance corAttr) {

         // @@@ Check exception

         try {

             final Case openCase = Case.getCurrentCaseThrows();

             String caseUUID = openCase.getName();

             HashMap<UniquePathKey, NodeData> nodeDataMap = new HashMap<>();


             if (CentralRepository.isEnabled()) {

                 List<CorrelationAttributeInstance> instances = CentralRepository.getInstance().getArtifactInstancesByTypeValue(corAttr.getCorrelationType(), corAttr.getCorrelationValue());


                 for (CorrelationAttributeInstance artifactInstance : instances) {


                     // Only add the attribute if it isn't the object the user selected.

                     // We consider it to be a different object if at least one of the following is true:

                     // - the case UUID is different

                     // - the data source name is different

                     // - the data source device ID is different

                     // - the object id for the underlying file is different

                     if (artifactInstance.getCorrelationCase().getCaseUUID().equals(caseUUID)

                             && (!StringUtils.isBlank(dataSourceName) && artifactInstance.getCorrelationDataSource().getName().equals(dataSourceName))

                             && (!StringUtils.isBlank(deviceId) && artifactInstance.getCorrelationDataSource().getDeviceID().equals(deviceId))) {

                         Long foundObjectId = artifactInstance.getFileObjectId();

                         Long currentObjectId = corAttr.getFileObjectId();

                         if (foundObjectId != null && currentObjectId != null && foundObjectId.equals(currentObjectId)) {

                             continue;

                         }

                     }

                     NodeData newNode = new NodeData(artifactInstance, corAttr.getCorrelationType(), corAttr.getCorrelationValue());

                     UniquePathKey uniquePathKey = new UniquePathKey(newNode);

                     nodeDataMap.put(uniquePathKey, newNode);

                 }

             }

             return nodeDataMap;

         } catch (CentralRepoException ex) {

             logger.log(Level.SEVERE, "Error getting artifact instances from database.", ex); // NON-NLS

         } catch (CorrelationAttributeNormalizationException ex) {

             logger.log(Level.INFO, "Error getting artifact instances from database.", ex); // NON-NLS

         } catch (NoCurrentCaseException ex) {

             logger.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS

         }


         return new HashMap<>(

                 0);

     }


     public static void addOrUpdateNodeData(final Case autopsyCase, Map<UniquePathKey, NodeData> nodeDataMap, AbstractFile newFile) throws TskCoreException, CentralRepoException {


         NodeData newNode = new NodeData(newFile, autopsyCase);


         // If the caseDB object has a notable tag associated with it, update

         // the known status to BAD

         if (newNode.getKnown() != TskData.FileKnown.BAD) {

             List<ContentTag> fileMatchTags = autopsyCase.getServices().getTagsManager().getContentTagsByContent(newFile);

             for (ContentTag tag : fileMatchTags) {

                 TskData.FileKnown tagKnownStatus = tag.getName().getKnownStatus();

                 if (tagKnownStatus.equals(TskData.FileKnown.BAD)) {

                     newNode.updateKnown(TskData.FileKnown.BAD);

                     break;

                 }

             }

         }


         // Make a key to see if the file is already in the map

         UniquePathKey uniquePathKey = new UniquePathKey(newNode);


         // If this node is already in the list, the only thing we need to do is

         // update the known status to BAD if the caseDB version had known status BAD.

         // Otherwise this is a new node so add the new node to the map.

         if (nodeDataMap.containsKey(uniquePathKey)) {

             if (newNode.getKnown() == TskData.FileKnown.BAD) {

                 NodeData prevInstance = nodeDataMap.get(uniquePathKey);

                 prevInstance.updateKnown(newNode.getKnown());

             }

         } else {

             nodeDataMap.put(uniquePathKey, newNode);

         }

     }


     public static String makeDataSourceString(String caseUUID, String deviceId, String dataSourceName) {

         return caseUUID + deviceId + dataSourceName;

     }


     public static String getEarliestCaseDate() throws CentralRepoException {

         String dateStringDisplay = "";


         if (CentralRepository.isEnabled()) {

             LocalDateTime earliestDate = LocalDateTime.now(DateTimeZone.UTC);

             DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss", Locale.US);

             CentralRepository dbManager = CentralRepository.getInstance();

             List<CorrelationCase> cases = dbManager.getCases();

             for (CorrelationCase aCase : cases) {

                 LocalDateTime caseDate;

                 try {

                     caseDate = LocalDateTime.fromDateFields(datetimeFormat.parse(aCase.getCreationDate()));


                     if (caseDate.isBefore(earliestDate)) {

                         earliestDate = caseDate;

                         dateStringDisplay = aCase.getCreationDate();

                     }

                 } catch (ParseException ex) {

                     throw new CentralRepoException("Failed to format case creation date " + aCase.getCreationDate(), ex);

                 }

             }

         }


         return dateStringDisplay;

     }


     @NbBundle.Messages({

         "OtherOccurrences.csvHeader.case=Case",

         "OtherOccurrences.csvHeader.device=Device",

         "OtherOccurrences.csvHeader.dataSource=Data Source",

         "OtherOccurrences.csvHeader.attribute=Matched Attribute",

         "OtherOccurrences.csvHeader.value=Attribute Value",

         "OtherOccurrences.csvHeader.known=Known",

         "OtherOccurrences.csvHeader.path=Path",

         "OtherOccurrences.csvHeader.comment=Comment"

     })


     public static void writeOtherOccurrencesToFileAsCSV(File destFile, Collection<CorrelationAttributeInstance> correlationAttList, String dataSourceName, String deviceId) throws IOException {

         try (BufferedWriter writer = Files.newBufferedWriter(destFile.toPath())) {

             //write headers

             StringBuilder headers = new StringBuilder("\"");

             headers.append(Bundle.OtherOccurrences_csvHeader_case())

                     .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_dataSource())

                     .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_attribute())

                     .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_value())

                     .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_known())

                     .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_path())

                     .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_comment())

                     .append('"').append(System.getProperty("line.separator"));

             writer.write(headers.toString());

             //write content

             for (CorrelationAttributeInstance corAttr : correlationAttList) {

                 Map<UniquePathKey, NodeData> correlatedNodeDataMap = new HashMap<>(0);

                 // get correlation and reference set instances from DB

                 correlatedNodeDataMap.putAll(getCorrelatedInstances(deviceId, dataSourceName, corAttr));

                 for (NodeData nodeData : correlatedNodeDataMap.values()) {

                     writer.write(nodeData.toCsvString());

                 }

             }

         }

     }


     public static String getPlaceholderUUID() {

         return UUID_PLACEHOLDER_STRING;

     }

 }

org.sleuthkit

org.sleuthkit.autopsy.casemodule.Case
Definition: Case.java:163

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.writeOtherOccurrencesToFileAsCSV
static void writeOtherOccurrencesToFileAsCSV(File destFile, Collection< CorrelationAttributeInstance > correlationAttList, String dataSourceName, String deviceId)
Definition: OtherOccurrences.java:254

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCases
List< CorrelationCase > getCases()

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.getEarliestCaseDate
static String getEarliestCaseDate()
Definition: OtherOccurrences.java:206

org.sleuthkit.autopsy.centralrepository.datamodel
Definition: CentralRepoAccount.java:19

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.getCorrelatedInstances
static Map< UniquePathKey, NodeData > getCorrelatedInstances(String deviceId, String dataSourceName, CorrelationAttributeInstance corAttr)
Definition: OtherOccurrences.java:106

org

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.logger
static final Logger logger
Definition: OtherOccurrences.java:63

org.sleuthkit.autopsy.casemodule
Definition: AddImageAction.java:19

org.sleuthkit.autopsy.centralrepository
Definition: AddEditCentralRepoCommentAction.java:19

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.getCorrelationAttributeFromOsAccount
static Collection< CorrelationAttributeInstance > getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount)
Definition: OtherOccurrences.java:78

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.getCorrelationValue
String getCorrelationValue()
Definition: CorrelationAttributeInstance.java:137

org.sleuthkit.autopsy.centralrepository.application.UniquePathKey
Definition: UniquePathKey.java:32

org.sleuthkit.autopsy.coreutils
Definition: AppSQLiteDB.java:19

org.sleuthkit.autopsy.centralrepository.application.NodeData.getKnown
TskData.FileKnown getKnown()
Definition: NodeData.java:185

org.sleuthkit.autopsy.coreutils.Logger
Definition: Logger.java:36

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.OtherOccurrences
OtherOccurrences()
Definition: OtherOccurrences.java:67

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.getCorrelationType
Type getCorrelationType()
Definition: CorrelationAttributeInstance.java:144

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForSearch
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(AnalysisResult analysisResult)
Definition: CorrelationAttributeUtil.java:188

org.sleuthkit.autopsy.centralrepository.application.NodeData.getCsvItemSeparator
static String getCsvItemSeparator()
Definition: NodeData.java:232

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoException
Definition: CentralRepoException.java:26

org.sleuthkit.autopsy.casemodule.Case.getName
String getName()
Definition: Case.java:1467

org.sleuthkit.autopsy.centralrepository.application.NodeData
Definition: NodeData.java:33

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository
Definition: CentralRepository.java:36

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.UUID_PLACEHOLDER_STRING
static final String UUID_PLACEHOLDER_STRING
Definition: OtherOccurrences.java:65

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.getFileObjectId
Long getFileObjectId()
Definition: CorrelationAttributeInstance.java:227

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getArtifactInstancesByTypeValue
List< CorrelationAttributeInstance > getArtifactInstancesByTypeValue(CorrelationAttributeInstance.Type type, String value)

org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.addOrUpdateNodeData
static void addOrUpdateNodeData(final Case autopsyCase, Map< UniquePathKey, NodeData > nodeDataMap, AbstractFile newFile)
Definition: OtherOccurrences.java:161

org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows
static Case getCurrentCaseThrows()
Definition: Case.java:902

org.sleuthkit.autopsy

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.makeDataSourceString
static String makeDataSourceString(String caseUUID, String deviceId, String dataSourceName)
Definition: OtherOccurrences.java:198

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences.getPlaceholderUUID
static String getPlaceholderUUID()
Definition: OtherOccurrences.java:285

org.sleuthkit.autopsy.casemodule.NoCurrentCaseException
Definition: NoCurrentCaseException.java:26

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getInstance
static CentralRepository getInstance()
Definition: CentralRepository.java:45

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil
Definition: CorrelationAttributeUtil.java:54

org.sleuthkit.autopsy.centralrepository.application.OtherOccurrences
Definition: OtherOccurrences.java:61

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase
Definition: CorrelationCase.java:32

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance
Definition: CorrelationAttributeInstance.java:40

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException
Definition: CorrelationAttributeNormalizationException.java:25

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.isEnabled
static boolean isEnabled()
Definition: CentralRepository.java:99