Inherits org.sleuthkit.autopsy.ingest.DataArtifactIngestModule.

Public Member Functions
ProcessResult	process (DataArtifact artifact)

void	shutDown ()

void	startUp (IngestJobContext context) throws IngestModuleException

Private Member Functions
void	analyzeOsAccounts ()

Set< String >	getPreviousCases (List< CorrelationAttributeInstance > previousOccurrences)

void	makeAnalysisResults (DataArtifact artifact, CorrelationAttributeInstance corrAttr)

void	makeAnalysisResults (OsAccount osAccount, CorrelationAttributeInstance corrAttr)

void	syncDataSourceHashes ()

Private Attributes
CentralRepository	centralRepo

IngestJobContext	context

final Set< String >	corrAttrValuesAlreadyProcessed

final boolean	flagNotableItems

final boolean	flagPrevSeenDevices

final boolean	flagUniqueArtifacts

final boolean	saveCorrAttrInstances

Static Private Attributes
static final Logger	LOGGER = Logger.getLogger(CentralRepoDataArtifactIngestModule.class.getName())

Detailed Description

A data artifact ingest module that adds correlation attributes for data artifacts and OS accounts to the central repository and makes analysis results based on previous occurences. When the ingest job is completed, ensures the data source in the central repository has hash values that match those in the case database.

Definition at line 59 of file CentralRepoDataArtifactIngestModule.java.

Member Function Documentation

void org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.analyzeOsAccounts ( )

private

Queries the case database for any OS accounts assoicated with the data source for the ingest job. The attributes of any OS account returned by the query are translated into central repository correlation attributes and used them to create analysis results and new central repository correlation attribute instances, depending on ingest job settings.

Definition at line 245 of file CentralRepoDataArtifactIngestModule.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.addAttributeInstanceBulk(), org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(), org.sleuthkit.autopsy.ingest.IngestJobContext.getDataSource(), org.sleuthkit.autopsy.ingest.IngestJobContext.getJobId(), org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase(), org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.makeAnalysisResults(), and org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave().

Referenced by org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.shutDown().

Set<String> org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.getPreviousCases ( List< CorrelationAttributeInstance > previousOccurrences )

private

Gets a unique set of previous cases, represented by their names, from a list of previous occurrences of correlation attributes.

Parameters

previousOccurrences The correlations attributes.

Returns: The names of the previous cases.

Definition at line 213 of file CentralRepoDataArtifactIngestModule.java.

Referenced by org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.makeAnalysisResults().

void org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.makeAnalysisResults	(	DataArtifact	artifact,
		CorrelationAttributeInstance	corrAttr
	)

private

Makes analysis results for a data artifact based on previous occurrences, if any, of a correlation attribute.

Parameters

artifact	The data artifact.
corrAttr	A correlation attribute for the data artifact.

Definition at line 157 of file CentralRepoDataArtifactIngestModule.java.

Referenced by org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.analyzeOsAccounts(), and org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.process().

void org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.makeAnalysisResults	(	OsAccount	osAccount,
		CorrelationAttributeInstance	corrAttr
	)

private

Makes analysis results for an OS Account based on previous occurrences, if any, of a correlation attribute.

Parameters

artifact	The data artifact.
corrAttr	A correlation attribute for the data artifact.

Definition at line 277 of file CentralRepoDataArtifactIngestModule.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.getCorrelationType(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.getCorrelationValue(), org.sleuthkit.autopsy.ingest.IngestJobContext.getDataSource(), org.sleuthkit.autopsy.ingest.IngestJobContext.getJobId(), and org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.getPreviousCases().

ProcessResult org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.process ( DataArtifact artifact )

Translates the attributes of a data artifact into central repository correlation attributes and uses them to create analysis results and new central repository correlation attribute instances, depending on ingest job settings.

Parameters

artifact The data artifact.

Returns: An ingest module process result.

Implements org.sleuthkit.autopsy.ingest.DataArtifactIngestModule.

Definition at line 132 of file CentralRepoDataArtifactIngestModule.java.

References org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.addAttributeInstanceBulk(), org.sleuthkit.autopsy.ingest.IngestJobContext.getJobId(), org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.makeAnalysisResults(), org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave(), and org.sleuthkit.autopsy.ingest.IngestModule.ProcessResult.OK.

void org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.shutDown ( )

Invoked by Autopsy when an ingest job is completed (either because the data has been analyzed or because the job was cancelled), before the ingest module instance is discarded. The module should respond by doing things like releasing private resources, submitting final results, and posting a final ingest message.

IMPORTANT: If the module instances must share resources, the modules are responsible for synchronizing access to the shared resources and doing reference counting as required to release those resources correctly. Also, more than one ingest job may be in progress at any given time. This must also be taken into consideration when sharing resources between module instances. See IngestModuleReferenceCounter.

Implements org.sleuthkit.autopsy.ingest.IngestModule.

Definition at line 222 of file CentralRepoDataArtifactIngestModule.java.

References org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.analyzeOsAccounts(), org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.commitAttributeInstancesBulk(), org.sleuthkit.autopsy.ingest.IngestJobContext.getJobId(), and org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.syncDataSourceHashes().

void org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.startUp ( IngestJobContext context ) throws IngestModuleException

Invoked by Autopsy to allow an ingest module instance to set up any internal data structures and acquire any private resources it will need during an ingest job. If the module depends on loading any resources, it should do so in this method so that it can throw an exception in the case of an error and alert the user. Exceptions that are thrown from startUp() are logged and stop processing of the data source.

IMPORTANT: If the module instances must share resources, the modules are responsible for synchronizing access to the shared resources and doing reference counting as required to release those resources correctly. Also, more than one ingest job may be in progress at any given time. This must also be taken into consideration when sharing resources between module instances. See IngestModuleReferenceCounter.

IMPORTANT: Start up IngestModuleException messages are displayed to the user, if a user is present. Therefore, an exception to the policy that exception messages are not localized is appropriate in this method. Also, the exception messages should be user-friendly.

Parameters

context Provides data and services specific to the ingest job and the ingest pipeline of which the module is a part.

Exceptions

org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException

Implements org.sleuthkit.autopsy.ingest.IngestModule.

Definition at line 94 of file CentralRepoDataArtifactIngestModule.java.

void org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.syncDataSourceHashes ( )

private

Ensures the data source in the central repository has hash values that match those in the case database.

Definition at line 293 of file CentralRepoDataArtifactIngestModule.java.

Referenced by org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.shutDown().

Member Data Documentation

CentralRepository org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.centralRepo

private

Definition at line 67 of file CentralRepoDataArtifactIngestModule.java.

IngestJobContext org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.context

private

Definition at line 68 of file CentralRepoDataArtifactIngestModule.java.

Referenced by org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.startUp().

final Set<String> org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.corrAttrValuesAlreadyProcessed

private

Definition at line 66 of file CentralRepoDataArtifactIngestModule.java.

final boolean org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.flagNotableItems

private

Definition at line 62 of file CentralRepoDataArtifactIngestModule.java.

final boolean org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.flagPrevSeenDevices

private

Definition at line 63 of file CentralRepoDataArtifactIngestModule.java.

final boolean org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.flagUniqueArtifacts

private

Definition at line 64 of file CentralRepoDataArtifactIngestModule.java.

final Logger org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.LOGGER = Logger.getLogger(CentralRepoDataArtifactIngestModule.class.getName())

staticprivate

Definition at line 61 of file CentralRepoDataArtifactIngestModule.java.

final boolean org.sleuthkit.autopsy.centralrepository.ingestmodule.CentralRepoDataArtifactIngestModule.saveCorrAttrInstances

private

Definition at line 65 of file CentralRepoDataArtifactIngestModule.java.

The documentation for this class was generated from the following file:

/home/carriersleuth/repos/autopsy/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoDataArtifactIngestModule.java

Public Member Functions

Private Member Functions

Private Attributes

Static Private Attributes

Detailed Description

Member Function Documentation

Member Data Documentation