Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
QueryResults.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2017 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.keywordsearch;
20 
21 import java.util.ArrayList;
22 import java.util.Collection;
23 import java.util.HashMap;
24 import java.util.List;
25 import java.util.Map;
26 import java.util.Set;
27 import java.util.logging.Level;
28 import java.util.stream.Collectors;
29 import javax.swing.SwingWorker;
30 import org.apache.commons.lang.StringUtils;
31 import org.netbeans.api.progress.ProgressHandle;
32 import org.netbeans.api.progress.aggregate.ProgressContributor;
33 import org.openide.util.NbBundle;
43 
49 class QueryResults {
50 
51  private static final Logger logger = Logger.getLogger(QueryResults.class.getName());
52  private static final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
56  private final KeywordSearchQuery keywordSearchQuery;
57 
61  private final Map<Keyword, List<KeywordHit>> results = new HashMap<>();
62 
63 
64 
65  QueryResults(KeywordSearchQuery query) {
66  this.keywordSearchQuery = query;
67  }
68 
69  void addResult(Keyword keyword, List<KeywordHit> hits) {
70  results.put(keyword, hits);
71  }
72 
73 
74 
75  KeywordSearchQuery getQuery() {
76  return keywordSearchQuery;
77  }
78 
79  List<KeywordHit> getResults(Keyword keyword) {
80  return results.get(keyword);
81  }
82 
83  Set<Keyword> getKeywords() {
84  return results.keySet();
85  }
86 
102  Collection<BlackboardArtifact> writeAllHitsToBlackBoard(ProgressHandle progress, ProgressContributor subProgress, SwingWorker<Object, Void> worker, boolean notifyInbox) {
103  final Collection<BlackboardArtifact> newArtifacts = new ArrayList<>();
104  if (progress != null) {
105  progress.start(getKeywords().size());
106  }
107  int unitProgress = 0;
108 
109  for (final Keyword keyword : getKeywords()) {
110  if (worker.isCancelled()) {
111  logger.log(Level.INFO, "Cancel detected, bailing before new keyword processed: {0}", keyword.getSearchTerm()); //NON-NLS
112  break;
113  }
114 
115  // Update progress object(s), if any
116  if (progress != null) {
117  progress.progress(keyword.toString(), unitProgress);
118  }
119  if (subProgress != null) {
120  String hitDisplayStr = keyword.getSearchTerm();
121  if (hitDisplayStr.length() > 50) {
122  hitDisplayStr = hitDisplayStr.substring(0, 49) + "...";
123  }
124  subProgress.progress(keywordSearchQuery.getKeywordList().getName() + ": " + hitDisplayStr, unitProgress);
125  }
126 
127  for (KeywordHit hit : getOneHitPerObject(keyword)) {
128  String termString = keyword.getSearchTerm();
129  String snippet = hit.getSnippet();
130  if (StringUtils.isBlank(snippet)) {
131  final String snippetQuery = KeywordSearchUtil.escapeLuceneQuery(termString);
132  try {
133  /*
134  * this doesn't work for regex queries... But that is
135  * okay because regex queries always have snippets made
136  * from the content_str field we pull back from Solr
137  */
138  snippet = LuceneQuery.querySnippet(snippetQuery, hit.getSolrObjectId(), hit.getChunkId(), !keywordSearchQuery.isLiteral(), true);
139  } catch (NoOpenCoreException e) {
140  logger.log(Level.WARNING, "Error querying snippet: " + snippetQuery, e); //NON-NLS
141  //no reason to continue
142  break;
143  } catch (Exception e) {
144  logger.log(Level.WARNING, "Error querying snippet: " + snippetQuery, e); //NON-NLS
145  continue;
146  }
147  }
148  KeywordCachedArtifact writeResult = keywordSearchQuery.writeSingleFileHitsToBlackBoard(keyword, hit, snippet, keywordSearchQuery.getKeywordList().getName());
149  if (writeResult != null) {
150  newArtifacts.add(writeResult.getArtifact());
151  if (notifyInbox) {
152  writeSingleFileInboxMessage(writeResult, hit.getContent());
153  }
154  } else {
155  logger.log(Level.WARNING, "BB artifact for keyword hit not written, file: {0}, hit: {1}", new Object[]{hit.getContent(), keyword.toString()}); //NON-NLS
156  }
157  }
158  ++unitProgress;
159  }
160 
161  // Update artifact browser
162  if (!newArtifacts.isEmpty()) {
163  newArtifacts.stream()
164  //group artifacts by type
165  .collect(Collectors.groupingBy(BlackboardArtifact::getArtifactTypeID))
166  //for each type send an event
167  .forEach((typeID, artifacts)
168  -> IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.fromID(typeID), artifacts)));
169 
170  }
171 
172  return newArtifacts;
173  }
174 
183  private Collection<KeywordHit> getOneHitPerObject(Keyword keyword) {
184 
185  HashMap<Long, KeywordHit> hits = new HashMap<>();
186 
187  // create a list of KeywordHits. KeywordHits with lowest chunkID is added the the list.
188  for (KeywordHit hit : getResults(keyword)) {
189  if (!hits.containsKey(hit.getSolrObjectId())) {
190  hits.put(hit.getSolrObjectId(), hit);
191  } else if (hit.getChunkId() < hits.get(hit.getSolrObjectId()).getChunkId()) {
192  hits.put(hit.getSolrObjectId(), hit);
193  }
194  }
195  return hits.values();
196  }
197 
204  private void writeSingleFileInboxMessage(KeywordCachedArtifact written, Content hitContent) {
205  StringBuilder subjectSb = new StringBuilder();
206  StringBuilder detailsSb = new StringBuilder();
207 
208  if (!keywordSearchQuery.isLiteral()) {
209  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExpHitLbl"));
210  } else {
211  subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitLbl"));
212  }
213  String uniqueKey = null;
214  BlackboardAttribute attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID());
215  if (attr != null) {
216  final String keyword = attr.getValueString();
217  subjectSb.append(keyword);
218  uniqueKey = keyword.toLowerCase();
219  }
220 
221  //details
222  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
223  //hit
224  detailsSb.append("<tr>"); //NON-NLS
225  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitThLbl"));
226  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append("</td>"); //NON-NLS
227  detailsSb.append("</tr>"); //NON-NLS
228 
229  //preview
230  attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID());
231  if (attr != null) {
232  detailsSb.append("<tr>"); //NON-NLS
233  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.previewThLbl"));
234  detailsSb.append("<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append("</td>"); //NON-NLS
235  detailsSb.append("</tr>"); //NON-NLS
236  }
237 
238  //file
239  detailsSb.append("<tr>"); //NON-NLS
240  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.fileThLbl"));
241  if (hitContent instanceof AbstractFile) {
242  AbstractFile hitFile = (AbstractFile) hitContent;
243  detailsSb.append("<td>").append(hitFile.getParentPath()).append(hitFile.getName()).append("</td>"); //NON-NLS
244  } else {
245  detailsSb.append("<td>").append(hitContent.getName()).append("</td>"); //NON-NLS
246  }
247  detailsSb.append("</tr>"); //NON-NLS
248 
249  //list
250  attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID());
251  if (attr != null) {
252  detailsSb.append("<tr>"); //NON-NLS
253  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.listThLbl"));
254  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
255  detailsSb.append("</tr>"); //NON-NLS
256  }
257  //regex
258  if (!keywordSearchQuery.isLiteral()) {
259  attr = written.getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID());
260  if (attr != null) {
261  detailsSb.append("<tr>"); //NON-NLS
262  detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExThLbl"));
263  detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
264  detailsSb.append("</tr>"); //NON-NLS
265  }
266  }
267  detailsSb.append("</table>"); //NON-NLS
268 
269  IngestServices.getInstance().postMessage(IngestMessage.createDataMessage(MODULE_NAME, subjectSb.toString(), detailsSb.toString(), uniqueKey, written.getArtifact()));
270  }
271 
272 }

Copyright © 2012-2016 Basis Technology. Generated on: Mon Apr 24 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.