Autopsy
4.21.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing Class Reference

Classes
class | FileRecord
class | IngestJobState

Private Member Functions
AnalysisResult | createAnalysisResult (IngestJobState ingestJobState, SleuthkitCase.CaseDbTransaction trans, CTCloudBean cloudBean, Long objId) throws Blackboard.BlackboardException
void | createAnalysisResults (IngestJobState ingestJobState, List< CTCloudBean > repResult, Map< String, List< Long >> md5ToObjId) throws Blackboard.BlackboardException, TskCoreException
List< CTCloudBean > | getHashLookupResults (IngestJobState ingestJobState, List< String > md5Hashes) throws CTCloudException
IngestJobState | getNewJobState (IngestJobContext context, boolean uploadFiles) throws Exception
void | handleBatch (IngestJobState ingestJobState, List< FileRecord > fileRecords)
void | handleLookupResults (IngestJobState ingestJobState, Map< String, List< Long >> md5ToObjId, List< CTCloudBean > repResult) throws Blackboard.BlackboardException, TskCoreException, TskCoreException, CTCloudException, NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException
void | handleNonFoundResults (IngestJobState ingestJobState, Map< String, List< Long >> md5ToObjId, List< CTCloudBean > results, boolean performFileUpload) throws CTCloudException, TskCoreException, NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException
void | longPollForNotFound (IngestJobState ingestJobState) throws InterruptedException, CTCloudException, Blackboard.BlackboardException, TskCoreException
boolean | uploadFile (IngestJobState ingestJobState, String md5, long objId) throws CTCloudException, TskCoreException, NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException

Static Private Member Functions
static String | getOrCalcHash (AbstractFile af, HashType hashType)
static String | getOrCalcMd5 (AbstractFile af)
static String | getOrCalcSha1 (AbstractFile af) throws NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException
static String | getOrCalcSha256 (AbstractFile af)
static boolean | isUploadable (AbstractFile af)
static String | normalizedMd5 (String orig)
static void | notifyWarning (String title, String message, Exception ex)
static long | remaining (Long limit, Long used)

Private Attributes
final BatchProcessor< FileRecord > | batchProcessor
final CTApiDAO | ctApiDAO = CTApiDAO.getInstance()
final CTLicensePersistence | ctSettingsPersistence = CTLicensePersistence.getInstance()
IngestJobState | ingestJobState = null

Static Private Attributes
static final int | BATCH_SIZE = 200
static final Set< String > | EXECUTABLE_MIME_TYPES
static final long | FILE_UPLOAD_RETRY_SLEEP_MILLIS = 60 * 1000
static final long | FLUSH_SECS_TIMEOUT = 24 * 60 * 60
static final Logger | logger = Logger.getLogger(MalwareScanIngestModule.class.getName())
static final long | LOW_LOOKUPS_REMAINING = 250
static final long | LOW_UPLOADS_REMAINING = 25
static final String | MALWARE_CONFIG = ""
static final long | MAX_UPLOAD_SIZE = 100_000_000
static final long | MIN_UPLOAD_SIZE = 1
static final int | NUM_FILE_UPLOAD_RETRIES = 7

Detailed Description
Does the bulk of processing for the ingest module and handles concurrent ingest modules adding files simultaneously.
Definition at line 103 of file MalwareScanIngestModule.java.

AnalysisResult createAnalysisResult (IngestJobState ingestJobState, SleuthkitCase.CaseDbTransaction trans, CTCloudBean cloudBean, Long objId) throws Blackboard.BlackboardException [private]
Creates an analysis result for the given information.
Parameters
ingestJobState | The state of the ingest job.
trans | The case database transaction to use.
cloudBean | The bean indicating the malware result.
objId | The object id of the corresponding file that will receive the analysis result.
Exceptions
org.sleuthkit.datamodel.Blackboard.BlackboardException
Definition at line 835 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.Status.FOUND, com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.getCTScore(), com.basistech.df.cybertriage.autopsy.ctapi.json.CTCloudBean.getMalwareResult(), com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.getStatus(), com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.getStatusDescription(), com.basistech.df.cybertriage.autopsy.ctapi.json.CTScore.getTskCore(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.MALWARE_CONFIG.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.createAnalysisResults().

void createAnalysisResults (IngestJobState ingestJobState, List< CTCloudBean > repResult, Map< String, List< Long >> md5ToObjId) throws Blackboard.BlackboardException, TskCoreException [private]
Creates TSK_MALWARE analysis results based on a list of cloud beans received from the CT cloud api.
Parameters
ingestJobState | The ingest job state.
repResult | The list of cloud beans. Only cloud beans with a malware status
md5ToObjId | The mapping of md5
Exceptions
org.sleuthkit.datamodel.Blackboard.BlackboardException
TskCoreException
Definition at line 772 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.createAnalysisResult(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.normalizedMd5().
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleLookupResults(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.longPollForNotFound().

List< CTCloudBean > getHashLookupResults (IngestJobState ingestJobState, List< String > md5Hashes) throws CTCloudException [private]
Makes a CT Cloud REST API query for results regarding the status of a list of md5 hashes of executables.
Parameters
ingestJobState | The current state of operations of the ingest module.
md5Hashes | The md5 hashes to check.
Exceptions
CTCloudException
Definition at line 544 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.ctapi.CTApiDAO.getAuthToken(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getFileUploadCount(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getFileUploadLimit(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getHashLookupCount(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getHashLookupLimit(), com.basistech.df.cybertriage.autopsy.ctapi.CTApiDAO.getReputationResults(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.notifyWarning(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.remaining().
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleBatch(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.longPollForNotFound().

IngestJobState getNewJobState (IngestJobContext context, boolean uploadFiles) throws Exception [private]
Sets up the state necessary for a new ingest job.
Parameters
context | The ingest job context.
Exceptions
Exception
Definition at line 187 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.ctapi.CTApiDAO.getAuthToken(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getFileUploadCount(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getFileUploadLimit(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getHashLookupCount(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getHashLookupLimit(), org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase(), com.basistech.df.cybertriage.autopsy.ctoptions.ctcloud.CTLicensePersistence.loadLicenseInfo(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.notifyWarning(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.remaining().

static String getOrCalcHash (AbstractFile af, HashType hashType) [static, private]
Gets the md5 hash from the abstract file or calculates it.
Parameters
af | The abstract file.
Definition at line 268 of file MalwareScanIngestModule.java.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getOrCalcMd5(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getOrCalcSha256().

static String getOrCalcMd5 (AbstractFile af) [static, private]
Gets or calculates the md5 for a file.
Parameters
af | The file.
Definition at line 308 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getOrCalcHash().

static String getOrCalcSha1 (AbstractFile af) throws NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException [static, private]
Gets or calculates the sha1 for a file.
Parameters
af | The file.
Definition at line 328 of file MalwareScanIngestModule.java.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.uploadFile().

static String getOrCalcSha256 (AbstractFile af) [static, private]
Gets or calculates the sha256 for a file.
Parameters
af | The file.
Definition at line 318 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getOrCalcHash().
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.uploadFile().

void handleBatch (IngestJobState ingestJobState, List< FileRecord > fileRecords) [private]
Handles a batch of files to be sent to CT file lookup for results.
Parameters
ingestJobState | The current state of operation for the ingest job.
fileRecords | The file records to be uploaded.
Definition at line 409 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getHashLookupResults(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleLookupResults(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.normalizedMd5(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.notifyWarning().

void handleLookupResults (IngestJobState ingestJobState, Map< String, List< Long >> md5ToObjId, List< CTCloudBean > repResult) throws Blackboard.BlackboardException, TskCoreException, TskCoreException, CTCloudException, NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException [private]
Handles results received from CT Cloud.
Parameters
ingestJobState | The current state of operations of the ingest module.
md5ToObjId | The mapping of md5 to a list of object ids.
repResult | The CT Cloud results.
Exceptions
org.sleuthkit.datamodel.Blackboard.BlackboardException
TskCoreException
Definition at line 462 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.Status.BEING_SCANNED, com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.createAnalysisResults(), com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.Status.ERROR, com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.Status.FOUND, com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleNonFoundResults(), com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.Status.LIMITS_EXCEEDED, com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.Status.NOT_FOUND, and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.notifyWarning().
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleBatch().

void handleNonFoundResults (IngestJobState ingestJobState, Map< String, List< Long >> md5ToObjId, List< CTCloudBean > results, boolean performFileUpload) throws CTCloudException, TskCoreException, NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException [private]
Handles CT Cloud response objects whose status isn't FOUND but which are still queryable (i.e. NOT_FOUND, BEING_SCANNED).
Parameters
ingestJobState | The current state of operations of the ingest module.
md5ToObjId | The mapping of md5 to a list of object ids.
results | The CT Cloud results.
performFileUpload | True if the class of results warrants file upload (i.e. NOT_FOUND).
Definition at line 509 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.normalizedMd5(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.uploadFile().
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleLookupResults().

static boolean isUploadable (AbstractFile af) [static, private]
Whether or not an abstract file meets the requirements to be uploaded.
Parameters
af | The abstract file.
Definition at line 601 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.MAX_UPLOAD_SIZE.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.uploadFile().

void longPollForNotFound (IngestJobState ingestJobState) throws InterruptedException, CTCloudException, Blackboard.BlackboardException, TskCoreException [private]
Does long polling for any pending results.
Parameters
ingestJobState | The state of the ingest job.
Exceptions
InterruptedException
CTCloudException
org.sleuthkit.datamodel.Blackboard.BlackboardException
TskCoreException
Definition at line 694 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.createAnalysisResults(), com.basistech.df.cybertriage.autopsy.ctapi.json.MalwareResultBean.Status.FOUND, com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getHashLookupResults(), org.sleuthkit.autopsy.coreutils.MessageNotifyUtil.Notify.info(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.normalizedMd5(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.notifyWarning(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.NUM_FILE_UPLOAD_RETRIES, and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.remaining().

static String normalizedMd5 (String orig) [static, private]
Normalizes an md5 string for the purposes of lookup in a map.
Parameters
orig | The original value.
Definition at line 590 of file MalwareScanIngestModule.java.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.createAnalysisResults(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleBatch(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleNonFoundResults(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.longPollForNotFound().

static void notifyWarning (String title, String message, Exception ex) [static, private]
Creates a warning notification to display in the lower right corner and a corresponding log message.
Parameters
title | The title of the warning.
message | The message of the warning.
ex | The corresponding exception (or null if none).
Definition at line 911 of file MalwareScanIngestModule.java.
References org.sleuthkit.autopsy.coreutils.MessageNotifyUtil.Notify.warn().
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getHashLookupResults(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getNewJobState(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleBatch(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleLookupResults(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.longPollForNotFound(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.uploadFile().

static long remaining (Long limit, Long used) [static, private]
Determines the remaining count given a possibly null limit and a possibly null used count.
Parameters
limit | The limit (can be null).
used | The number used (can be null).
Definition at line 256 of file MalwareScanIngestModule.java.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getHashLookupResults(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getNewJobState(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.longPollForNotFound(), and com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.uploadFile().

boolean uploadFile (IngestJobState ingestJobState, String md5, long objId) throws CTCloudException, TskCoreException, NoSuchAlgorithmException, ReadContentInputStream.ReadContentInputStreamException [private]
Uploads a file to CT Cloud if the file is valid for upload.
Parameters
ingestJobState | The current state of the ingest job.
objId | The object id of the file to upload to CT Cloud.
Exceptions
CTCloudException
TskCoreException
Definition at line 621 of file MalwareScanIngestModule.java.
References com.basistech.df.cybertriage.autopsy.ctapi.CTApiDAO.getAuthToken(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getFileUploadCount(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getFileUploadLimit(), com.basistech.df.cybertriage.autopsy.ctapi.json.AuthTokenResponse.getFileUploadUrl(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getOrCalcSha1(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.getOrCalcSha256(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.isUploadable(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.notifyWarning(), com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.remaining(), com.basistech.df.cybertriage.autopsy.ctapi.json.MetadataUploadRequest.setCreatedDate(), com.basistech.df.cybertriage.autopsy.ctapi.json.FileUploadRequest.setFileName(), com.basistech.df.cybertriage.autopsy.ctapi.json.MetadataUploadRequest.setFileSizeBytes(), com.basistech.df.cybertriage.autopsy.ctapi.json.MetadataUploadRequest.setSha1(), com.basistech.df.cybertriage.autopsy.ctapi.json.MetadataUploadRequest.setSha256(), com.basistech.df.cybertriage.autopsy.ctapi.CTApiDAO.uploadFile(), and com.basistech.df.cybertriage.autopsy.ctapi.CTApiDAO.uploadMeta().
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.handleNonFoundResults().

Member Data Documentation

static final int BATCH_SIZE = 200 [static, private]
Definition at line 106 of file MalwareScanIngestModule.java.

final BatchProcessor< FileRecord > batchProcessor [private]
Definition at line 141 of file MalwareScanIngestModule.java.

final CTApiDAO ctApiDAO = CTApiDAO.getInstance() [private]
Definition at line 147 of file MalwareScanIngestModule.java.

final CTLicensePersistence ctSettingsPersistence = CTLicensePersistence.getInstance() [private]
Definition at line 146 of file MalwareScanIngestModule.java.

static final Set< String > EXECUTABLE_MIME_TYPES [static, private]
Definition at line 123 of file MalwareScanIngestModule.java.

static final long FILE_UPLOAD_RETRY_SLEEP_MILLIS = 60 * 1000 [static, private]
Definition at line 121 of file MalwareScanIngestModule.java.

static final long FLUSH_SECS_TIMEOUT = 24 * 60 * 60 [static, private]
Definition at line 108 of file MalwareScanIngestModule.java.

IngestJobState ingestJobState = null [private]
Definition at line 149 of file MalwareScanIngestModule.java.

static final Logger logger = Logger.getLogger(MalwareScanIngestModule.class.getName()) [static, private]
Definition at line 139 of file MalwareScanIngestModule.java.

static final long LOW_LOOKUPS_REMAINING = 250 [static, private]
Definition at line 111 of file MalwareScanIngestModule.java.

static final long LOW_UPLOADS_REMAINING = 25 [static, private]
Definition at line 114 of file MalwareScanIngestModule.java.

static final String MALWARE_CONFIG = "" [static, private]
Definition at line 137 of file MalwareScanIngestModule.java.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.createAnalysisResult().

static final long MAX_UPLOAD_SIZE = 100_000_000 [static, private]
Definition at line 118 of file MalwareScanIngestModule.java.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.isUploadable().

static final long MIN_UPLOAD_SIZE = 1 [static, private]
Definition at line 117 of file MalwareScanIngestModule.java.

static final int NUM_FILE_UPLOAD_RETRIES = 7 [static, private]
Definition at line 120 of file MalwareScanIngestModule.java.
Referenced by com.basistech.df.cybertriage.autopsy.malwarescan.MalwareScanIngestModule.SharedProcessing.longPollForNotFound().
Copyright © 2012-2022 Basis Technology. Generated on: Tue Feb 6 2024
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.