Sleuth Kit Java Bindings (JNI)  4.11.0
Java bindings for using The Sleuth Kit
Classes | Public Member Functions | Static Public Member Functions | Static Public Attributes | List of all members
org.sleuthkit.datamodel.Score Class Reference

Inherits Comparable< Score >.

Classes

enum  Priority
 
enum  Significance
 

Public Member Functions

 Score (Significance significance, Priority priority)
 
int compareTo (Score other)
 
Priority getPriority ()
 
Significance getSignificance ()
 

Static Public Member Functions

static final Comparator< ScoregetScoreComparator ()
 

Static Public Attributes

static final Score SCORE_LIKELY_NONE = new Score(Significance.LIKELY_NONE, Priority.NORMAL)
 
static final Score SCORE_LIKELY_NOTABLE = new Score(Significance.LIKELY_NOTABLE, Priority.NORMAL)
 
static final Score SCORE_NONE = new Score(Significance.NONE, Priority.NORMAL)
 
static final Score SCORE_NOTABLE = new Score(Significance.NOTABLE, Priority.NORMAL)
 
static final Score SCORE_UNKNOWN = new Score(Significance.UNKNOWN, Priority.NORMAL)
 

Detailed Description

Encapsulates either an analysis result score or the aggregate score of Content. A score measures how likely the Content object is to be relevant to an investigation. Relevance is determined by a series of analysis techniques, each of which has a score. The aggregate score for an item is then determined based on its analysis results.

A score has two primary fields: Significance and Priority.

There are two priorities : Normal and Override. Nearly everything should have a "Normal" priority. "Override" is used when a user wants to change the score because of a false positive. An "Override" score will take priority over the combined "Normal" scores. An item should have only one "Override" score at a time, but that is not currently enforced.

The significance is a range of how Notable (i.e. "Bad") the item is. The range is from NONE (i.e. "Good") to NOTABLE with values in the middle, such as LIKELY_NOTABLE for suspicious items. The LIKELY_ values are used when there is less confidence in the result. The significance has to do with the false positive rate at actually detecting notable or benign things.

For an example, if a file is found in a MD5 hashset of notable files, then a module would use a significance of NOTABLE. This is because the MD5 is exact match and the hash set is all notable files.

For a keyword hit, the significance would be LIKELY_NOTABLE because keywords often can be used in both good and bad ways. A user will need to review the file to determine if it is a true or false positive.

If a file is found to be on a good list (via MD5), then it could have a significance of NONE and then other modules could ignore it.

An aggregate score is the combination of the specific analysis results. USER_RESULTS will overrule NORMAL. NOTABLE overrules NONE. Both of those overrule the LIKELY_* results.

NOTABLE > NONE > LIKELY_NOTABLE > LIKELY_NONE > UNKNOWN

Definition at line 64 of file Score.java.

Constructor & Destructor Documentation

org.sleuthkit.datamodel.Score.Score ( Significance  significance,
Priority  priority 
)

Definition at line 219 of file Score.java.

Member Function Documentation

int org.sleuthkit.datamodel.Score.compareTo ( Score  other)

Definition at line 233 of file Score.java.

References org.sleuthkit.datamodel.Score.getPriority(), and org.sleuthkit.datamodel.Score.getSignificance().

Referenced by org.sleuthkit.datamodel.Score.getScoreComparator().

Priority org.sleuthkit.datamodel.Score.getPriority ( )

Definition at line 228 of file Score.java.

Referenced by org.sleuthkit.datamodel.Score.compareTo().

static final Comparator<Score> org.sleuthkit.datamodel.Score.getScoreComparator ( )
static

Definition at line 244 of file Score.java.

References org.sleuthkit.datamodel.Score.compareTo().

Significance org.sleuthkit.datamodel.Score.getSignificance ( )

Definition at line 224 of file Score.java.

Referenced by org.sleuthkit.datamodel.Score.compareTo().

Member Data Documentation

final Score org.sleuthkit.datamodel.Score.SCORE_LIKELY_NONE = new Score(Significance.LIKELY_NONE, Priority.NORMAL)
static

Definition at line 210 of file Score.java.

final Score org.sleuthkit.datamodel.Score.SCORE_LIKELY_NOTABLE = new Score(Significance.LIKELY_NOTABLE, Priority.NORMAL)
static

Definition at line 209 of file Score.java.

final Score org.sleuthkit.datamodel.Score.SCORE_NONE = new Score(Significance.NONE, Priority.NORMAL)
static

Definition at line 211 of file Score.java.

final Score org.sleuthkit.datamodel.Score.SCORE_NOTABLE = new Score(Significance.NOTABLE, Priority.NORMAL)
static

Definition at line 208 of file Score.java.

final Score org.sleuthkit.datamodel.Score.SCORE_UNKNOWN = new Score(Significance.UNKNOWN, Priority.NORMAL)
static

Definition at line 213 of file Score.java.

Referenced by org.sleuthkit.datamodel.ScoringManager.getAggregateScores(), org.sleuthkit.datamodel.Report.newArtifact(), org.sleuthkit.datamodel.AbstractContent.newArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

The documentation for this class was generated from the following file:

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.