Autopsy  4.21.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CorrelationAttributeUtil.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2017-2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.datamodel;
20 
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.Collections;
24 import java.util.HashSet;
25 import java.util.List;
26 import java.util.Optional;
27 import java.util.Set;
28 import java.util.logging.Level;
29 import org.openide.util.NbBundle.Messages;
34 import org.sleuthkit.datamodel.AbstractFile;
35 import org.sleuthkit.datamodel.Account;
36 import org.sleuthkit.datamodel.AnalysisResult;
37 import org.sleuthkit.datamodel.BlackboardArtifact;
38 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
39 import org.sleuthkit.datamodel.BlackboardAttribute;
40 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
41 import org.sleuthkit.datamodel.Content;
42 import org.sleuthkit.datamodel.DataArtifact;
43 import org.sleuthkit.datamodel.HashUtility;
44 import org.sleuthkit.datamodel.InvalidAccountIDException;
45 import org.sleuthkit.datamodel.OsAccount;
46 import org.sleuthkit.datamodel.OsAccountInstance;
47 import org.sleuthkit.datamodel.TskCoreException;
48 import org.sleuthkit.datamodel.TskData;
49 
55 
56  private static final Logger logger = Logger.getLogger(CorrelationAttributeUtil.class.getName());
57  private static final List<String> domainsToSkip = Arrays.asList("localhost", "127.0.0.1");
58 
59  // artifact ids that specifically have a TSK_DOMAIN attribute that should be handled by CR
60  private static final Set<Integer> DOMAIN_ARTIFACT_TYPE_IDS = new HashSet<>(Arrays.asList(
61  ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID(),
62  ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID(),
63  ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID(),
64  ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID(),
65  ARTIFACT_TYPE.TSK_WEB_CACHE.getTypeID()
66  ));
67 
78  @Messages({"CorrelationAttributeUtil.emailaddresses.text=Email Addresses"})
79  private static String getEmailAddressAttrDisplayName() {
80  return Bundle.CorrelationAttributeUtil_emailaddresses_text();
81  }
82 
83  public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(DataArtifact artifact) {
84  int artifactTypeID = artifact.getArtifactTypeID();
85  //The account fields in these types are expected to be saved in a TSK_ACCOUNT artifact, which will be processed
86  if (artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
87  || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()
88  || artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()) {
89  return Collections.emptyList();
90  }
92  }
93 
108  public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(AbstractFile file) {
109  return makeCorrAttrsForSearch(file);
110  }
111 
112  public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(AnalysisResult file) {
113  return Collections.emptyList();
114  }
115 
125  public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(OsAccount account, Content dataSource) {
126  List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
128  Optional<String> accountAddr = account.getAddr();
129  if (accountAddr.isPresent() && !isSystemOsAccount(accountAddr.get())) {
130  try {
132  CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
134  accountAddr.get(),
135  correlationCase,
136  CorrelationDataSource.fromTSKDataSource(correlationCase, dataSource),
137  dataSource.getName(),
138  "",
139  TskData.FileKnown.KNOWN,
140  account.getId());
141  correlationAttrs.add(correlationAttributeInstance);
142  } catch (CentralRepoException ex) {
143  logger.log(Level.SEVERE, String.format("Error querying central repository for OS account '%s'", accountAddr.get()), ex); //NON-NLS
144  } catch (NoCurrentCaseException ex) {
145  logger.log(Level.SEVERE, String.format("Error getting current case for OS account '%s'", accountAddr.get()), ex); //NON-NLS
147  logger.log(Level.WARNING, String.format("Error normalizing correlation attribute for OS account '%s': %s", accountAddr.get(), ex.getMessage())); //NON-NLS
148  }
149  }
150  }
151  return correlationAttrs;
152  }
153 
162  private static boolean isSystemOsAccount(String accountAddr) {
163  return accountAddr.equals("S-1-5-18") || accountAddr.equals("S-1-5-19") || accountAddr.equals("S-1-5-20");
164  }
165 
187  @SuppressWarnings("deprecation")
188  public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AnalysisResult analysisResult) {
189  List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
190 
192  try {
193  int artifactTypeID = analysisResult.getArtifactTypeID();
194  if (artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID()) {
195  //because this attribute retrieval is only occuring when the analysis result is an interesting artifact hit
196  //and only one attribute is being retrieved the analysis result's own get attribute method can be used efficently
197  BlackboardAttribute assocArtifactAttr = analysisResult.getAttribute(BlackboardAttribute.Type.TSK_ASSOCIATED_ARTIFACT);
198  if (assocArtifactAttr != null) {
199  BlackboardArtifact sourceArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(assocArtifactAttr.getValueLong());
200  if (sourceArtifact instanceof DataArtifact) {
201  correlationAttrs.addAll((CorrelationAttributeUtil.makeCorrAttrsForSearch((DataArtifact) sourceArtifact)));
202  } else if (sourceArtifact instanceof AnalysisResult) {
203  correlationAttrs.addAll((CorrelationAttributeUtil.makeCorrAttrsForSearch((AnalysisResult) sourceArtifact)));
204  } else {
205  String sourceName = sourceArtifact != null ? "SourceArtifact display name: " + sourceArtifact.getDisplayName() : "SourceArtifact was null";
206  logger.log(Level.SEVERE, "Source artifact found through TSK_ASSOCIATED_ARTIFACT attribute was not a DataArtifact or "
207  + "an Analysis Result. AssociateArtifactAttr Value: {0} {1}",
208  new Object[]{assocArtifactAttr.getValueString(), sourceName});
209  }
210  }
211  } else {
212  if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
213  //because this attribute retrieval is only occuring when the analysis result is a keyword hit
214  //and only one attribute is being retrieved the analysis result's own get attribute method can be used efficently
215  BlackboardAttribute setNameAttr = analysisResult.getAttribute(BlackboardAttribute.Type.TSK_SET_NAME);
216  if (setNameAttr != null && CorrelationAttributeUtil.getEmailAddressAttrDisplayName().equals(setNameAttr.getValueString())) {
217  /*
218  * We no longer save email instances from keyword
219  * search hits in the central repository, but we
220  * still want to be able to search for email address
221  * instances in the CR when we are presenting email
222  * address keyword hits. Also note that we may want
223  * to correlate on the source Content (parent) of
224  * the keyword hit as well, so we do not return at
225  * this point.
226  */
227  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(analysisResult, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD, CorrelationAttributeInstance.EMAIL_TYPE_ID, analysisResult.getAttributes()));
228  }
229 
230  }
231 
232  Content parent = analysisResult.getParent();
233  if (parent instanceof AbstractFile) {
234  correlationAttrs.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((AbstractFile) parent));
235  } else if (parent instanceof AnalysisResult) {
236  correlationAttrs.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((AnalysisResult) parent));
237  } else if (parent instanceof DataArtifact) {
238  correlationAttrs.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((DataArtifact) parent));
239  } else if (parent instanceof OsAccount) {
240  for (OsAccountInstance osAccountInst : ((OsAccount) parent).getOsAccountInstances()) {
241  if (osAccountInst.getDataSource().equals(analysisResult.getDataSource())) {
255  correlationAttrs.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch(osAccountInst));
256  break;
257  }
258  }
259  }
260  }
261  } catch (TskCoreException ex) {
262  logger.log(Level.SEVERE, "Failed to get information regarding correlation attributes in regards to either the provided AnalysisResult, it's associated artifact, or it's parent.", ex);
263  } catch (NoCurrentCaseException ex) {
264  logger.log(Level.WARNING, "Attempted to retrieve correlation attributes for search with no currently open case.", ex);
265  } catch (CentralRepoException ex) {
266  logger.log(Level.SEVERE, "Failed to get correlation type from central repository.", ex);
267  }
268  }
269  return correlationAttrs;
270  }
271 
290  public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(DataArtifact artifact) {
291  List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
292 
294  try {
295  List<BlackboardAttribute> attributes = artifact.getAttributes();
296 
297  int artifactTypeID = artifact.getArtifactTypeID();
298  if (DOMAIN_ARTIFACT_TYPE_IDS.contains(artifactTypeID)) {
299  BlackboardAttribute domainAttr = getAttribute(attributes, new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
300  if ((domainAttr != null)
301  && !domainsToSkip.contains(domainAttr.getValueString())) {
302  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, CorrelationAttributeInstance.DOMAIN_TYPE_ID, attributes));
303  }
304  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
305  // prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
306  Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
307  Content dataSource = sourceContent.getDataSource();
308  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID, CorrelationAttributeInstance.USBID_TYPE_ID,
309  attributes, sourceContent, dataSource));
310  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID,
311  attributes, sourceContent, dataSource));
312  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
313  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SSID, CorrelationAttributeInstance.SSID_TYPE_ID, attributes));
314  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
315  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
316  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
317  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID, attributes));
318  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
319  // prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
320  Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
321  Content dataSource = sourceContent.getDataSource();
322  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI, CorrelationAttributeInstance.IMEI_TYPE_ID,
323  attributes, sourceContent, dataSource));
324  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID,
325  attributes, sourceContent, dataSource));
326  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID,
327  attributes, sourceContent, dataSource));
328 
329  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
330  // prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
331  Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
332  Content dataSource = sourceContent.getDataSource();
333  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID,
334  attributes, sourceContent, dataSource));
335  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID,
336  attributes, sourceContent, dataSource));
337 
338  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
339  // prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
340  Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
341  Content dataSource = sourceContent.getDataSource();
342  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, CorrelationAttributeInstance.PHONE_TYPE_ID,
343  attributes, sourceContent, dataSource));
344  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, CorrelationAttributeInstance.EMAIL_TYPE_ID,
345  attributes, sourceContent, dataSource));
346 
347  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
348  makeCorrAttrFromAcctArtifact(correlationAttrs, artifact, attributes);
349 
350  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
351  BlackboardAttribute setNameAttr = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
352  String pathAttrString = null;
353  if (setNameAttr != null) {
354  pathAttrString = setNameAttr.getValueString();
355  }
356  if (pathAttrString != null && !pathAttrString.isEmpty()) {
357  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID, attributes));
358  } else {
359  correlationAttrs.addAll(makeCorrAttrFromArtifactAttr(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID, attributes));
360  }
361  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
362  || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
363  || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
364  correlationAttrs.addAll(makeCorrAttrsFromCommunicationArtifact(artifact, attributes));
365  }
367  logger.log(Level.WARNING, String.format("Error normalizing correlation attribute (%s): %s", artifact, ex.getMessage())); // NON-NLS
368  return correlationAttrs;
369  } catch (InvalidAccountIDException ex) {
370  logger.log(Level.WARNING, String.format("Invalid account identifier (artifactID: %d): %s", artifact.getId(), ex.getMessage())); // NON-NLS
371  return correlationAttrs;
372  } catch (CentralRepoException ex) {
373  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
374  return correlationAttrs;
375  } catch (TskCoreException ex) {
376  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
377  return correlationAttrs;
378  } catch (NoCurrentCaseException ex) {
379  logger.log(Level.WARNING, "Error getting current case", ex); // NON-NLS
380  return correlationAttrs;
381  }
382  }
383  return correlationAttrs;
384  }
385 
396  private static BlackboardAttribute getAttribute(List<BlackboardAttribute> attributes, BlackboardAttribute.Type attributeType) throws TskCoreException {
397  for (BlackboardAttribute attribute : attributes) {
398  if (attribute.getAttributeType().equals(attributeType)) {
399  return attribute;
400  }
401  }
402  return null;
403  }
404 
422  private static List<CorrelationAttributeInstance> makeCorrAttrsFromCommunicationArtifact(BlackboardArtifact artifact,
423  List<BlackboardAttribute> attributes) throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException {
424 
425  /*
426  * Extract the phone number from the artifact attribute.
427  */
428  String value = null;
429  if (null != getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
430  value = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
431  } else if (null != getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
432  value = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
433  } else if (null != getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
434  value = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
435  }
436  /*
437  * Normalize the phone number.
438  */
439  List<CorrelationAttributeInstance> corrAttrInstances = new ArrayList<>();
440  if (value != null
441  && CorrelationAttributeNormalizer.isValidPhoneNumber(value)) {
442  value = CorrelationAttributeNormalizer.normalizePhone(value);
444  if (corrAttr != null) {
445  corrAttrInstances.add(corrAttr);
446  }
447  }
448  return corrAttrInstances;
449  }
450 
465  private static void makeCorrAttrFromAcctArtifact(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact acctArtifact, List<BlackboardAttribute> attributes) throws InvalidAccountIDException, TskCoreException, CentralRepoException {
466 
467  // Get the account type from the artifact
468  BlackboardAttribute accountTypeAttribute = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE));
469  String accountTypeStr = accountTypeAttribute.getValueString();
470 
471  // @@TODO Vik-6136: CR currently does not know of custom account types.
472  // Ensure there is a predefined account type for this account.
473  Account.Type predefinedAccountType = Account.Type.PREDEFINED_ACCOUNT_TYPES.stream().filter(type -> type.getTypeName().equalsIgnoreCase(accountTypeStr)).findAny().orElse(null);
474 
475  // do not create any correlation attribute instance for a Device account
476  if (Account.Type.DEVICE.getTypeName().equalsIgnoreCase(accountTypeStr) == false && predefinedAccountType != null) {
477 
478  // Get the corresponding CentralRepoAccountType from the database.
479  Optional<CentralRepoAccountType> optCrAccountType = CentralRepository.getInstance().getAccountTypeByName(accountTypeStr);
480  if (!optCrAccountType.isPresent()) {
481  return;
482  }
483  CentralRepoAccountType crAccountType = optCrAccountType.get();
484 
485  int corrTypeId = crAccountType.getCorrelationTypeId();
487 
488  // Get the account identifier
489  BlackboardAttribute accountIdAttribute = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ID));
490  String accountIdStr = accountIdAttribute.getValueString();
491 
492  // add/get the account and get its accountId.
493  CentralRepoAccount crAccount = CentralRepository.getInstance().getOrCreateAccount(crAccountType, accountIdStr);
494 
495  CorrelationAttributeInstance corrAttr = makeCorrAttr(acctArtifact, corrType, accountIdStr);
496  if (corrAttr != null) {
497  // set the account_id in correlation attribute
498  corrAttr.setAccountId(crAccount.getId());
499  corrAttrInstances.add(corrAttr);
500  }
501  }
502  }
503 
522  private static List<CorrelationAttributeInstance> makeCorrAttrFromArtifactAttr(BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId,
523  List<BlackboardAttribute> attributes, Content sourceContent, Content dataSource) throws CentralRepoException, TskCoreException {
524  List<CorrelationAttributeInstance> corrAttrInstances = new ArrayList<>();
525  BlackboardAttribute attribute = getAttribute(attributes, new BlackboardAttribute.Type(artAttrType));
526  if (attribute != null) {
527  String value = attribute.getValueString();
528  if ((null != value) && (value.isEmpty() == false)) {
529  CorrelationAttributeInstance inst = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(typeId), value, sourceContent, dataSource);
530  if (inst != null) {
531  corrAttrInstances.add(inst);
532  }
533  }
534  }
535  return corrAttrInstances;
536  }
537 
554  private static List<CorrelationAttributeInstance> makeCorrAttrFromArtifactAttr(BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId,
555  List<BlackboardAttribute> attributes) throws CentralRepoException, TskCoreException {
556 
557  return makeCorrAttrFromArtifactAttr(artifact, artAttrType, typeId, attributes, null, null);
558  }
559 
577  private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) {
578  return makeCorrAttr(artifact, correlationType, value, null, null);
579  }
580 
600  private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value,
601  Content sourceContent, Content dataSource) {
602  Content srcContent = sourceContent;
603  Content dataSrc = dataSource;
604  try {
605  if (srcContent == null) {
606  srcContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
607  }
608  if (null == srcContent) {
609  logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load content with ID: {1} associated with artifact with ID: {2}",
610  new Object[]{correlationType.getDisplayName(), artifact.getObjectID(), artifact.getId()}); // NON-NLS
611  return null;
612  }
613  if (dataSrc == null) {
614  dataSrc = srcContent.getDataSource();
615  }
616  if (dataSrc == null) {
617  logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load data source for content with ID: {1}",
618  new Object[]{correlationType.getDisplayName(), artifact.getObjectID()}); // NON-NLS
619  return null;
620  }
621 
623  if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()
624  || !(srcContent instanceof AbstractFile)) {
625  return new CorrelationAttributeInstance(
626  correlationType,
627  value,
628  correlationCase,
629  CorrelationDataSource.fromTSKDataSource(correlationCase, dataSrc),
630  srcContent.getName(),
631  "",
632  TskData.FileKnown.UNKNOWN,
633  srcContent.getId());
634  } else {
635  AbstractFile bbSourceFile = (AbstractFile) srcContent;
636 
637  return new CorrelationAttributeInstance(
638  correlationType,
639  value,
640  correlationCase,
641  CorrelationDataSource.fromTSKDataSource(correlationCase, dataSrc),
642  bbSourceFile.getParentPath() + bbSourceFile.getName(),
643  "",
644  TskData.FileKnown.UNKNOWN,
645  bbSourceFile.getId());
646  }
647  } catch (TskCoreException ex) {
648  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
649  return null;
650  } catch (CentralRepoException ex) {
651  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
652  return null;
654  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s): %s", artifact, ex.getMessage())); // NON-NLS
655  return null;
656  } catch (NoCurrentCaseException ex) {
657  logger.log(Level.WARNING, "Error getting current case", ex); // NON-NLS
658  return null;
659  }
660  }
661 
662  // @@@ BC: This seems like it should go into a DB-specific class because it is
663  // much different from the other methods in this class. It is going to the DB for data.
682  public static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file) {
683 
685  return null;
686  }
687 
689  CorrelationCase correlationCase;
690  CorrelationDataSource correlationDataSource;
691 
692  try {
695  if (null == correlationCase) {
696  //if the correlationCase is not in the Central repo then attributes generated in relation to it will not be
697  return null;
698  }
699  correlationDataSource = CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource());
700  } catch (TskCoreException ex) {
701  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", file), ex); // NON-NLS
702  return null;
703  } catch (CentralRepoException ex) {
704  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
705  return null;
706  } catch (NoCurrentCaseException ex) {
707  logger.log(Level.WARNING, "Error getting current case", ex); // NON-NLS
708  return null;
709  }
710 
711  CorrelationAttributeInstance correlationAttributeInstance;
712  try {
713  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getId());
714  } catch (CentralRepoException ex) {
715  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
716  return null;
718  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s): %s", file, ex.getMessage())); // NON-NLS
719  return null;
720  }
721 
722  /*
723  * If no correlation attribute instance was found when querying by file
724  * object ID, try searching by file path instead. This is necessary
725  * because file object IDs were not stored in the central repository in
726  * early versions of its schema.
727  */
728  if (correlationAttributeInstance == null && file.getMd5Hash() != null) {
729  String filePath = (file.getParentPath() + file.getName()).toLowerCase();
730  try {
731  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getMd5Hash(), filePath);
732  } catch (CentralRepoException ex) {
733  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
734  return null;
736  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s): %s", file, ex.getMessage())); // NON-NLS
737  return null;
738  }
739  }
740 
741  return correlationAttributeInstance;
742  }
743 
764  public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AbstractFile file) {
765  List<CorrelationAttributeInstance> fileTypeList = new ArrayList<>(); // will be an empty or single element list as was decided in 7852
767  return fileTypeList;
768  }
769 
770  // We need a hash to make the correlation artifact instance.
771  String md5 = file.getMd5Hash();
772  if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
773  return fileTypeList;
774  }
775 
776  try {
778 
780  fileTypeList.add(new CorrelationAttributeInstance(
781  filesType,
782  file.getMd5Hash(),
783  correlationCase,
784  CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource()),
785  file.getParentPath() + file.getName(),
786  "",
787  TskData.FileKnown.UNKNOWN,
788  file.getId()));
789  } catch (TskCoreException ex) {
790  logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS
791  } catch (CentralRepoException ex) {
792  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
794  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s): %s", file, ex.getMessage())); // NON-NLS
795  } catch (NoCurrentCaseException ex) {
796  logger.log(Level.WARNING, "Error getting current case", ex); // NON-NLS
797  }
798  return fileTypeList;
799  }
800 
809  public static boolean isSupportedAbstractFileType(AbstractFile file) {
810  if (file == null) {
811  return false;
812  }
813  switch (file.getType()) {
814  case UNALLOC_BLOCKS:
815  case UNUSED_BLOCKS:
816  case SLACK:
817  case VIRTUAL_DIR:
818  case LOCAL_DIR:
819  return false;
820  case CARVED:
821  case DERIVED:
822  case LOCAL:
823  case LAYOUT_FILE:
824  return true;
825  case FS:
826  return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
827  default:
828  logger.log(Level.WARNING, "Unexpected file type {0}", file.getType().getName());
829  return false;
830  }
831  }
832 
833  public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(OsAccountInstance osAccountInst) {
834  List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
835  if (CentralRepository.isEnabled() && osAccountInst != null) {
836  try {
837  correlationAttrs.addAll(makeCorrAttrsToSave(osAccountInst.getOsAccount(), osAccountInst.getDataSource()));
838  } catch (TskCoreException ex) {
839  logger.log(Level.SEVERE, String.format("Error getting OS account from OS account instance '%s'", osAccountInst), ex);
840  }
841  }
842  return correlationAttrs;
843  }
844 
849  }
850 
851 }
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value, Content sourceContent, Content dataSource)
static List< CorrelationAttributeInstance > makeCorrAttrsFromCommunicationArtifact(BlackboardArtifact artifact, List< BlackboardAttribute > attributes)
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(OsAccountInstance osAccountInst)
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(AbstractFile file)
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
static List< CorrelationAttributeInstance > makeCorrAttrFromArtifactAttr(BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes, Content sourceContent, Content dataSource)
Optional< CentralRepoAccountType > getAccountTypeByName(String accountTypeName)
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(DataArtifact artifact)
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(AbstractFile file)
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(AnalysisResult analysisResult)
static BlackboardAttribute getAttribute(List< BlackboardAttribute > attributes, BlackboardAttribute.Type attributeType)
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(OsAccount account, Content dataSource)
static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file)
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(AnalysisResult file)
static List< CorrelationAttributeInstance > makeCorrAttrFromArtifactAttr(BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId, List< BlackboardAttribute > attributes)
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(DataArtifact artifact)
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
static void makeCorrAttrFromAcctArtifact(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact, List< BlackboardAttribute > attributes)
CentralRepoAccount getOrCreateAccount(CentralRepoAccount.CentralRepoAccountType crAccountType, String accountUniqueID)

Copyright © 2012-2022 Basis Technology. Generated on: Tue Feb 6 2024
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.