Autopsy  4.21.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
OtherOccurrences.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.application;
20 
21 import java.io.BufferedWriter;
22 import java.io.File;
23 import java.io.IOException;
24 import java.nio.file.Files;
25 import java.text.DateFormat;
26 import java.text.ParseException;
27 import java.text.SimpleDateFormat;
28 import java.util.Collection;
29 import java.util.Collections;
30 import java.util.HashMap;
31 import java.util.List;
32 import java.util.Locale;
33 import java.util.Map;
34 import java.util.Optional;
35 import java.util.logging.Level;
36 import org.apache.commons.lang3.StringUtils;
37 import org.joda.time.DateTimeZone;
38 import org.joda.time.LocalDateTime;
39 import org.openide.nodes.Node;
40 import org.openide.util.NbBundle;
50 import org.sleuthkit.datamodel.AbstractFile;
51 import org.sleuthkit.datamodel.ContentTag;
52 import org.sleuthkit.datamodel.OsAccount;
53 import org.sleuthkit.datamodel.OsAccountInstance;
54 import org.sleuthkit.datamodel.TskCoreException;
55 import org.sleuthkit.datamodel.TskData;
56 
61 public final class OtherOccurrences {
62 
63  private static final Logger logger = Logger.getLogger(OtherOccurrences.class.getName());
64 
65  private static final String UUID_PLACEHOLDER_STRING = "NoCorrelationAttributeInstance";
66 
67  private OtherOccurrences() {
68  }
69 
78  public static Collection<CorrelationAttributeInstance> getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount) {
79  Optional<String> osAccountAddr = osAccount.getAddr();
80  if (osAccountAddr.isPresent()) {
81  try {
82  for (OsAccountInstance instance : osAccount.getOsAccountInstances()) {
83  List<CorrelationAttributeInstance> correlationAttributeInstances = CorrelationAttributeUtil.makeCorrAttrsForSearch(instance);
84  if (!correlationAttributeInstances.isEmpty()) {
85  return correlationAttributeInstances;
86  }
87  }
88  } catch (TskCoreException ex) {
89  logger.log(Level.INFO, String.format("Unable to check create CorrelationAttribtueInstance for osAccount %s.", osAccountAddr.get()), ex);
90  }
91  }
92  return Collections.emptyList();
93  }
94 
106  public static Map<UniquePathKey, NodeData> getCorrelatedInstances(String deviceId, String dataSourceName, CorrelationAttributeInstance corAttr) {
107  // @@@ Check exception
108  try {
109  final Case openCase = Case.getCurrentCaseThrows();
110  String caseUUID = openCase.getName();
111  HashMap<UniquePathKey, NodeData> nodeDataMap = new HashMap<>();
112 
114  List<CorrelationAttributeInstance> instances = CentralRepository.getInstance().getArtifactInstancesByTypeValue(corAttr.getCorrelationType(), corAttr.getCorrelationValue());
115 
116  for (CorrelationAttributeInstance artifactInstance : instances) {
117 
118  // Only add the attribute if it isn't the object the user selected.
119  // We consider it to be a different object if at least one of the following is true:
120  // - the case UUID is different
121  // - the data source name is different
122  // - the data source device ID is different
123  // - the object id for the underlying file is different
124  if (artifactInstance.getCorrelationCase().getCaseUUID().equals(caseUUID)
125  && (!StringUtils.isBlank(dataSourceName) && artifactInstance.getCorrelationDataSource().getName().equals(dataSourceName))
126  && (!StringUtils.isBlank(deviceId) && artifactInstance.getCorrelationDataSource().getDeviceID().equals(deviceId))) {
127  Long foundObjectId = artifactInstance.getFileObjectId();
128  Long currentObjectId = corAttr.getFileObjectId();
129  if (foundObjectId != null && currentObjectId != null && foundObjectId.equals(currentObjectId)) {
130  continue;
131  }
132  }
133  NodeData newNode = new NodeData(artifactInstance, corAttr.getCorrelationType(), corAttr.getCorrelationValue());
134  UniquePathKey uniquePathKey = new UniquePathKey(newNode);
135  nodeDataMap.put(uniquePathKey, newNode);
136  }
137  }
138  return nodeDataMap;
139  } catch (CentralRepoException ex) {
140  logger.log(Level.SEVERE, "Error getting artifact instances from database.", ex); // NON-NLS
142  logger.log(Level.INFO, "Error getting artifact instances from database.", ex); // NON-NLS
143  } catch (NoCurrentCaseException ex) {
144  logger.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS
145  }
146 
147  return new HashMap<>(
148  0);
149  }
150 
161  public static void addOrUpdateNodeData(final Case autopsyCase, Map<UniquePathKey, NodeData> nodeDataMap, AbstractFile newFile) throws TskCoreException, CentralRepoException {
162 
163  NodeData newNode = new NodeData(newFile, autopsyCase);
164 
165  // If the caseDB object has a notable tag associated with it, update
166  // the known status to BAD
167  if (newNode.getKnown() != TskData.FileKnown.BAD) {
168  List<ContentTag> fileMatchTags = autopsyCase.getServices().getTagsManager().getContentTagsByContent(newFile);
169  for (ContentTag tag : fileMatchTags) {
170  TskData.FileKnown tagKnownStatus = tag.getName().getKnownStatus();
171  if (tagKnownStatus.equals(TskData.FileKnown.BAD)) {
172  newNode.updateKnown(TskData.FileKnown.BAD);
173  break;
174  }
175  }
176  }
177 
178  // Make a key to see if the file is already in the map
179  UniquePathKey uniquePathKey = new UniquePathKey(newNode);
180 
181  // If this node is already in the list, the only thing we need to do is
182  // update the known status to BAD if the caseDB version had known status BAD.
183  // Otherwise this is a new node so add the new node to the map.
184  if (nodeDataMap.containsKey(uniquePathKey)) {
185  if (newNode.getKnown() == TskData.FileKnown.BAD) {
186  NodeData prevInstance = nodeDataMap.get(uniquePathKey);
187  prevInstance.updateKnown(newNode.getKnown());
188  }
189  } else {
190  nodeDataMap.put(uniquePathKey, newNode);
191  }
192  }
193 
198  public static String makeDataSourceString(String caseUUID, String deviceId, String dataSourceName) {
199  return caseUUID + deviceId + dataSourceName;
200  }
201 
206  public static String getEarliestCaseDate() throws CentralRepoException {
207  String dateStringDisplay = "";
208 
210  LocalDateTime earliestDate = LocalDateTime.now(DateTimeZone.UTC);
211  DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss", Locale.US);
213  List<CorrelationCase> cases = dbManager.getCases();
214  for (CorrelationCase aCase : cases) {
215  LocalDateTime caseDate;
216  try {
217  caseDate = LocalDateTime.fromDateFields(datetimeFormat.parse(aCase.getCreationDate()));
218 
219  if (caseDate.isBefore(earliestDate)) {
220  earliestDate = caseDate;
221  dateStringDisplay = aCase.getCreationDate();
222  }
223  } catch (ParseException ex) {
224  throw new CentralRepoException("Failed to format case creation date " + aCase.getCreationDate(), ex);
225  }
226  }
227  }
228 
229  return dateStringDisplay;
230  }
231 
232  @NbBundle.Messages({
233  "OtherOccurrences.csvHeader.case=Case",
234  "OtherOccurrences.csvHeader.device=Device",
235  "OtherOccurrences.csvHeader.dataSource=Data Source",
236  "OtherOccurrences.csvHeader.attribute=Matched Attribute",
237  "OtherOccurrences.csvHeader.value=Attribute Value",
238  "OtherOccurrences.csvHeader.known=Known",
239  "OtherOccurrences.csvHeader.path=Path",
240  "OtherOccurrences.csvHeader.comment=Comment"
241  })
242 
254  public static void writeOtherOccurrencesToFileAsCSV(File destFile, Collection<CorrelationAttributeInstance> correlationAttList, String dataSourceName, String deviceId) throws IOException {
255  try (BufferedWriter writer = Files.newBufferedWriter(destFile.toPath())) {
256  //write headers
257  StringBuilder headers = new StringBuilder("\"");
258  headers.append(Bundle.OtherOccurrences_csvHeader_case())
259  .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_dataSource())
260  .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_attribute())
261  .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_value())
262  .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_known())
263  .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_path())
264  .append(NodeData.getCsvItemSeparator()).append(Bundle.OtherOccurrences_csvHeader_comment())
265  .append('"').append(System.getProperty("line.separator"));
266  writer.write(headers.toString());
267  //write content
268  for (CorrelationAttributeInstance corAttr : correlationAttList) {
269  Map<UniquePathKey, NodeData> correlatedNodeDataMap = new HashMap<>(0);
270  // get correlation and reference set instances from DB
271  correlatedNodeDataMap.putAll(getCorrelatedInstances(deviceId, dataSourceName, corAttr));
272  for (NodeData nodeData : correlatedNodeDataMap.values()) {
273  writer.write(nodeData.toCsvString());
274  }
275  }
276  }
277  }
278 
285  public static String getPlaceholderUUID() {
287  }
288 }
static void writeOtherOccurrencesToFileAsCSV(File destFile, Collection< CorrelationAttributeInstance > correlationAttList, String dataSourceName, String deviceId)
static Map< UniquePathKey, NodeData > getCorrelatedInstances(String deviceId, String dataSourceName, CorrelationAttributeInstance corAttr)
static Collection< CorrelationAttributeInstance > getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount)
static List< CorrelationAttributeInstance > makeCorrAttrsForSearch(AnalysisResult analysisResult)
List< CorrelationAttributeInstance > getArtifactInstancesByTypeValue(CorrelationAttributeInstance.Type type, String value)
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
static void addOrUpdateNodeData(final Case autopsyCase, Map< UniquePathKey, NodeData > nodeDataMap, AbstractFile newFile)
static String makeDataSourceString(String caseUUID, String deviceId, String dataSourceName)

Copyright © 2012-2022 Basis Technology. Generated on: Tue Feb 6 2024
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.