19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
21 import com.google.common.util.concurrent.ThreadFactoryBuilder;
22 import java.beans.PropertyChangeEvent;
23 import java.beans.PropertyChangeListener;
24 import java.util.ArrayList;
25 import java.util.EnumSet;
26 import java.util.List;
28 import java.util.concurrent.ExecutorService;
29 import java.util.concurrent.Executors;
30 import java.util.logging.Level;
31 import org.apache.commons.lang.StringUtils;
32 import org.openide.util.NbBundle.Messages;
67 @Messages({
"caseeventlistener.evidencetag=Evidence"})
71 private static final String CASE_EVENT_THREAD_NAME =
"CR-Case-Event-Listener-%d";
72 private static final Set<
Case.
Events> CASE_EVENTS_OF_INTEREST = EnumSet.of(
87 jobProcessingExecutor = Executors.newSingleThreadExecutor(
new ThreadFactoryBuilder().setNameFormat(CASE_EVENT_THREAD_NAME).build());
107 if (!(evt instanceof
AutopsyEvent) || (((AutopsyEvent) evt).getSourceType() != AutopsyEvent.SourceType.LOCAL)) {
119 LOGGER.log(Level.SEVERE,
"Failed to access central repository", ex);
128 switch (
Case.
Events.valueOf(evt.getPropertyName())) {
129 case CONTENT_TAG_ADDED:
130 case CONTENT_TAG_DELETED:
131 jobProcessingExecutor.submit(
new ContentTagTask(centralRepo, evt));
133 case BLACKBOARD_ARTIFACT_TAG_DELETED:
134 case BLACKBOARD_ARTIFACT_TAG_ADDED:
137 case DATA_SOURCE_ADDED:
140 case TAG_DEFINITION_CHANGED:
146 case DATA_SOURCE_NAME_CHANGED:
162 return (tag != null && isNotableTagDefinition(tag.getName()));
202 List<CorrelationAttributeInstance> corrAttrInstances =
new ArrayList<>();
203 if (artifact instanceof DataArtifact) {
205 }
else if (artifact instanceof AnalysisResult) {
212 LOGGER.log(Level.SEVERE, String.format(
"Error setting correlation attribute instance known status", corrAttrInstance), ex);
220 private final PropertyChangeEvent
event;
235 handleTagAdded((ContentTagAddedEvent) event);
237 handleTagDeleted((ContentTagDeletedEvent) event);
239 LOGGER.log(Level.SEVERE,
240 String.format(
"Received an event %s of type %s and was expecting either CONTENT_TAG_ADDED or CONTENT_TAG_DELETED.",
241 event, curEventType));
248 LOGGER.log(Level.SEVERE,
"ContentTagDeletedEvent did not have valid content to provide a content id.");
255 if (content == null) {
256 LOGGER.log(Level.WARNING,
262 handleTagChange(content);
270 if (evt.getAddedTag() == null || evt.getAddedTag().getContent() == null) {
271 LOGGER.log(Level.SEVERE,
"ContentTagAddedEvent did not have valid content to provide a content id.");
276 handleTagChange(evt.getAddedTag().getContent());
287 AbstractFile af = null;
291 Long contentID = (content != null) ? content.getId() : null;
292 LOGGER.log(Level.WARNING,
"Error updating non-file object: " + contentID, ex);
305 setContentKnownStatus(af, TskData.FileKnown.BAD);
308 setContentKnownStatus(af, TskData.FileKnown.UNKNOWN);
311 LOGGER.log(Level.SEVERE,
"Failed to obtain tags manager for case.", ex);
326 if (!md5CorrelationAttr.isEmpty()) {
332 LOGGER.log(Level.SEVERE,
"Error connecting to Central Repository database while setting artifact known status.", ex);
341 private final PropertyChangeEvent
event;
356 handleTagAdded((BlackBoardArtifactTagAddedEvent) event);
358 handleTagDeleted((BlackBoardArtifactTagDeletedEvent) event);
360 LOGGER.log(Level.WARNING,
361 String.format(
"Received an event %s of type %s and was expecting either CONTENT_TAG_ADDED or CONTENT_TAG_DELETED.",
362 event, curEventType));
369 LOGGER.log(Level.SEVERE,
"BlackBoardArtifactTagDeletedEvent did not have valid content to provide a content id.");
378 if (content == null) {
379 LOGGER.log(Level.WARNING,
386 if (bbArtifact == null) {
387 LOGGER.log(Level.WARNING,
393 handleTagChange(content, bbArtifact);
395 LOGGER.log(Level.WARNING,
"Error updating non-file object.", ex);
401 if (evt.getAddedTag() == null || evt.getAddedTag().getContent() == null || evt.getAddedTag().getArtifact() == null) {
402 LOGGER.log(Level.SEVERE,
"BlackBoardArtifactTagAddedEvent did not have valid content to provide a content id.");
407 handleTagChange(evt.getAddedTag().getContent(), evt.getAddedTag().getArtifact());
423 LOGGER.log(Level.SEVERE,
"Exception while getting open case.", ex);
428 if (isKnownFile(content)) {
434 if (hasNotableTag(tags)) {
435 setArtifactKnownStatus(dbManager, bbArtifact, TskData.FileKnown.BAD);
437 setArtifactKnownStatus(dbManager, bbArtifact, TskData.FileKnown.UNKNOWN);
439 }
catch (TskCoreException ex) {
440 LOGGER.log(Level.SEVERE,
"Failed to obtain tags manager for case.", ex);
452 return ((content instanceof AbstractFile) && (((AbstractFile) content).getKnown() == TskData.FileKnown.KNOWN));
459 private final PropertyChangeEvent
event;
471 String modifiedTagName = (String) event.getOldValue();
482 for (BlackboardArtifactTag bbTag : artifactTags) {
484 boolean hasTagWithConflictingKnownStatus =
false;
488 if (tagName.getKnownStatus() == TskData.FileKnown.UNKNOWN) {
489 Content content = bbTag.getContent();
492 if ((content instanceof AbstractFile) && (((AbstractFile) content).getKnown() == TskData.FileKnown.KNOWN)) {
496 BlackboardArtifact bbArtifact = bbTag.getArtifact();
500 for (BlackboardArtifactTag t : tags) {
502 if (t.getName().equals(tagName)) {
506 if (TskData.FileKnown.BAD == t.getName().getKnownStatus()) {
508 hasTagWithConflictingKnownStatus =
true;
514 if (!hasTagWithConflictingKnownStatus) {
522 for (ContentTag contentTag : fileTags) {
524 boolean hasTagWithConflictingKnownStatus =
false;
528 if (tagName.getKnownStatus() == TskData.FileKnown.UNKNOWN) {
529 Content content = contentTag.getContent();
533 for (ContentTag t : tags) {
535 if (t.getName().equals(tagName)) {
539 if (TskData.FileKnown.BAD == t.getName().getKnownStatus()) {
541 hasTagWithConflictingKnownStatus =
true;
547 if (!hasTagWithConflictingKnownStatus) {
548 Content taggedContent = contentTag.getContent();
549 if (taggedContent instanceof AbstractFile) {
551 if (!eamArtifact.isEmpty()) {
558 }
catch (TskCoreException ex) {
559 LOGGER.log(Level.SEVERE,
"Cannot update known status in central repository for tag: " + modifiedTagName, ex);
561 LOGGER.log(Level.SEVERE,
"Cannot get central repository for tag: " + modifiedTagName, ex);
563 LOGGER.log(Level.SEVERE,
"Exception while getting open case.", ex);
571 private final PropertyChangeEvent
event;
587 LOGGER.log(Level.SEVERE,
"Exception while getting open case.", ex);
592 Content newDataSource = dataSourceAddedEvent.
getDataSource();
596 if (null == dbManager.
getDataSource(correlationCase, newDataSource.getId())) {
600 LOGGER.log(Level.SEVERE,
"Error adding new data source to the central repository", ex);
608 private final PropertyChangeEvent
event;
621 if ((null == event.getOldValue()) && (event.getNewValue() instanceof
Case)) {
622 Case curCase = (
Case) event.getNewValue();
631 if (dbManager.
getCase(curCase) == null) {
635 LOGGER.log(Level.SEVERE,
"Error connecting to Central Repository database.", ex);
644 private final PropertyChangeEvent
event;
655 Content dataSource = dataSourceNameChangedEvent.
getDataSource();
656 String newName = (String) event.getNewValue();
658 if (!StringUtils.isEmpty(newName)) {
669 LOGGER.log(Level.SEVERE,
"Error updating data source with ID " + dataSource.getId() +
" to " + newName, ex);
671 LOGGER.log(Level.SEVERE,
"No open case", ex);