19 package org.sleuthkit.datamodel;
21 import com.google.common.annotations.Beta;
22 import com.google.common.base.MoreObjects;
23 import com.google.common.collect.ImmutableSortedSet;
24 import java.util.Arrays;
25 import java.util.Comparator;
26 import java.util.List;
27 import java.util.Optional;
28 import java.util.SortedSet;
83 SortedSet<? extends TimelineEventType>
getChildren();
93 Optional<? extends TimelineEventType>
getChild(String displayName);
139 ROOT(getBundle().getString(
"EventTypeHierarchyLevel.root")),
145 CATEGORY(getBundle().getString(
"EventTypeHierarchyLevel.category")),
151 EVENT(getBundle().getString(
"EventTypeHierarchyLevel.event"));
153 private final String displayName;
172 this.displayName = displayName;
182 getBundle().getString(
"RootEventType.eventTypes.name"),
186 public SortedSet< TimelineEventType>
getChildren() {
187 ImmutableSortedSet.Builder<
TimelineEventType> builder = ImmutableSortedSet.orderedBy(
new Comparator<TimelineEventType>() {
195 return builder.build();
200 getBundle().getString(
"BaseTypes.fileSystem.name"),
203 public SortedSet< TimelineEventType>
getChildren() {
210 getBundle().getString(
"BaseTypes.webActivity.name"),
213 public SortedSet< TimelineEventType>
getChildren() {
226 getBundle().getString(
"BaseTypes.miscTypes.name"),
229 public SortedSet<TimelineEventType>
getChildren() {
245 getBundle().getString(
"FileSystemTypes.fileModified.name"),
249 getBundle().getString(
"FileSystemTypes.fileAccessed.name"),
253 getBundle().getString(
"FileSystemTypes.fileCreated.name"),
257 getBundle().getString(
"FileSystemTypes.fileChanged.name"),
261 getBundle().getString(
"WebTypes.webDownloads.name"),
264 new Type(TSK_DATETIME_ACCESSED),
268 getBundle().getString(
"WebTypes.webCookies.name"),
271 new Type(TSK_DATETIME_CREATED),
275 getBundle().getString(
"WebTypes.webBookmarks.name"),
278 new Type(TSK_DATETIME_CREATED),
282 getBundle().getString(
"WebTypes.webHistory.name"),
285 new Type(TSK_DATETIME_ACCESSED),
289 getBundle().getString(
"WebTypes.webSearch.name"),
292 new Type(TSK_DATETIME_ACCESSED),
293 new Type(TSK_DOMAIN));
296 getBundle().getString(
"MiscTypes.message.name"),
299 new Type(TSK_DATETIME),
300 new TimelineEventArtifactTypeImpl.AttributeExtractor(
new Type(TSK_MESSAGE_TYPE)),
// Fallback chain for the contact number: while phoneNumber is still null,
// try TSK_PHONE_NUMBER_TO and then TSK_PHONE_NUMBER_FROM. The initial lookup
// and the closing braces are not shown in this listing.
308 if (phoneNumber == null) {
309 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_TO));
312 if (phoneNumber == null) {
313 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_FROM));
// Pieces of the message description; they are joined below with single spaces.
316 List<String> asList = Arrays.asList(
// The direction label from toFrom(dir) is included only when a contact (name or
// phone number) is available; otherwise an empty string takes its place.
319 name == null && phoneNumber == null ?
"" :
toFrom(dir),
// The contact shown is the name when present, otherwise the phone number.
320 name != null || phoneNumber != null ?
stringValueOf(MoreObjects.firstNonNull(name, phoneNumber)) :
"",
// String.join does not skip empty elements, so the "" placeholders above still
// contribute a separator to the joined description.
323 return String.join(
" ", asList);
328 getBundle().getString(
"MiscTypes.GPSRoutes.name"),
331 new Type(TSK_DATETIME),
332 new AttributeExtractor(
new Type(TSK_PROG_NAME)),
333 new AttributeExtractor(
new Type(TSK_LOCATION)),
342 @SuppressWarnings(
"deprecation")
344 getBundle().getString("MiscTypes.GPSTrackpoint.name"),
347 new
Type(TSK_DATETIME),
348 new AttributeExtractor(new
Type(TSK_PROG_NAME)),
354 new EmptyExtractor());
357 getBundle().getString(
"MiscTypes.Calls.name"),
360 new Type(TSK_DATETIME_START),
361 new AttributeExtractor(
new Type(TSK_NAME)),
364 if (phoneNumber == null) {
365 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_TO));
367 if (phoneNumber == null) {
368 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_FROM));
373 new AttributeExtractor(
new Type(TSK_DIRECTION)));
376 getBundle().getString(
"MiscTypes.Email.name"),
379 new Type(TSK_DATETIME_SENT),
// Sender value from TSK_EMAIL_FROM, cut to at most EMAIL_TO_FROM_LENGTH_MAX
// characters, so the description may hold only a prefix of the stored value.
381 String emailFrom =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_EMAIL_FROM)));
382 if (emailFrom.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
383 emailFrom = emailFrom.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// Same cap for emailTo; its declaration is not shown in this listing.
386 if (emailTo.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
387 emailTo = emailTo.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// NOTE(review): there is no separator between emailFrom and "Sent to: ", so the
// sender runs straight into the label in the description. The received-mail
// description later in this file puts a space in front of its " To: " label.
389 return "Sent from: " + emailFrom +
"Sent to: " + emailTo;
391 new AttributeExtractor(
new Type(TSK_SUBJECT)),
// msg is cut to at most EMAIL_FULL_DESCRIPTION_LENGTH_MAX characters; where msg
// comes from is not shown in this listing.
395 if (msg.length() > TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX) {
396 msg = msg.substring(0, TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX);
402 getBundle().getString(
"MiscTypes.recentDocuments.name"),
405 new Type(TSK_DATETIME_ACCESSED),
409 getBundle().getString(
"MiscTypes.installedPrograms.name"),
412 new Type(TSK_DATETIME),
413 new AttributeExtractor(
new Type(TSK_PROG_NAME)),
414 new EmptyExtractor(),
415 new EmptyExtractor());
418 getBundle().getString(
"MiscTypes.exif.name"),
421 new Type(TSK_DATETIME_CREATED),
422 new AttributeExtractor(
new Type(TSK_DEVICE_MAKE)),
423 new AttributeExtractor(
new Type(TSK_DEVICE_MODEL)),
// Looks up the abstract file whose ID is the artifact's object ID and uses its name.
// NOTE(review): the lookup result is dereferenced without a visible null check;
// confirm getAbstractFileById cannot return null here, or that the caller handles the failure.
424 artf -> artf.getSleuthkitCase().getAbstractFileById(artf.getObjectID()).getName()
428 getBundle().getString(
"MiscTypes.devicesAttached.name"),
431 new Type(TSK_DATETIME),
432 new AttributeExtractor(
new Type(TSK_DEVICE_MAKE)),
433 new AttributeExtractor(
new Type(TSK_DEVICE_MODEL)),
434 new AttributeExtractor(
new Type(TSK_DEVICE_ID)));
446 getBundle().getString(
"CustomTypes.other.name"),
454 getBundle().getString(
"MiscTypes.LogEntry.name"),
461 getBundle().getString(
"MiscTypes.Registry.name"),
471 getBundle().getString(
"CustomTypes.customArtifact.name"),
478 getBundle().getString(
"WebTypes.webFormAutoFill.name"),
481 new Type(TSK_DATETIME_CREATED),
487 },
new EmptyExtractor(),
new EmptyExtractor());
490 getBundle().getString(
"WebTypes.webFormAddress.name"),
493 new Type(TSK_DATETIME_ACCESSED),
494 new Type(TSK_EMAIL));
497 getBundle().getString(
"MiscTypes.GPSBookmark.name"),
500 new Type(TSK_DATETIME),
501 new AttributeExtractor(
new Type(TSK_NAME)),
507 new EmptyExtractor());
510 getBundle().getString(
"MiscTypes.GPSLastknown.name"),
513 new Type(TSK_DATETIME),
514 new AttributeExtractor(
new Type(TSK_NAME)),
520 new EmptyExtractor());
523 getBundle().getString(
"MiscTypes.GPSearch.name"),
526 new Type(TSK_DATETIME),
527 new AttributeExtractor(
new Type(TSK_NAME)),
533 new EmptyExtractor());
536 getBundle().getString(
"MiscTypes.GPSTrack.name"),
542 getBundle().getString(
"MiscTypes.metadataLastPrinted.name"),
547 return getBundle().getString(
"MiscTypes.metadataLastPrinted.name");
549 new EmptyExtractor(),
550 new EmptyExtractor());
553 getBundle().getString(
"MiscTypes.metadataLastSaved.name"),
558 return getBundle().getString(
"MiscTypes.metadataLastSaved.name");
560 new EmptyExtractor(),
561 new EmptyExtractor());
564 getBundle().getString(
"MiscTypes.metadataCreated.name"),
569 return getBundle().getString(
"MiscTypes.metadataCreated.name");
571 new EmptyExtractor(),
572 new EmptyExtractor());
575 getBundle().getString(
"MiscTypes.programexecuted.name"),
578 new Type(TSK_DATETIME),
579 new AttributeExtractor(
new Type(TSK_PROG_NAME)),
// User name from TSK_USER_NAME, converted with stringValueOf.
// NOTE(review): elsewhere in this file the result of stringValueOf is used without a
// null check (emailFrom.length()), which suggests it does not return null. If so, the
// test below is always true and a missing TSK_USER_NAME would need an emptiness check
// instead; confirm against stringValueOf.
581 String userName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_USER_NAME)));
582 if (userName != null) {
587 new AttributeExtractor(
new Type(TSK_COMMENT)));
590 getBundle().getString(
"WebTypes.webFormAutofillAccessed.name"),
593 new Type(TSK_DATETIME_ACCESSED),
599 },
new EmptyExtractor(),
new EmptyExtractor());
602 getBundle().getString(
"MiscTypes.CallsEnd.name"),
605 new Type(TSK_DATETIME_END),
606 new AttributeExtractor(
new Type(TSK_NAME)),
609 if (phoneNumber == null) {
610 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_TO));
612 if (phoneNumber == null) {
613 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_FROM));
618 new AttributeExtractor(
new Type(TSK_DIRECTION)));
621 getBundle().getString(
"MiscTypes.EmailRcvd.name"),
624 new Type(TSK_DATETIME_RCVD),
// Sender value from TSK_EMAIL_FROM, cut to at most EMAIL_TO_FROM_LENGTH_MAX
// characters, so the description may hold only a prefix of the stored value.
626 String emailFrom =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_EMAIL_FROM)));
627 if (emailFrom.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
628 emailFrom = emailFrom.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// Same cap for emailTo; its declaration is not shown in this listing.
631 if (emailTo.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
632 emailTo = emailTo.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// Short description for a received message: sender, then recipient.
634 return "Message from: " + emailFrom +
" To: " + emailTo;
636 new AttributeExtractor(
new Type(TSK_SUBJECT)),
// msg is cut to at most EMAIL_FULL_DESCRIPTION_LENGTH_MAX characters; where msg
// comes from is not shown in this listing.
640 if (msg.length() > TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX) {
641 msg = msg.substring(0, TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX);
647 getBundle().getString(
"WebTypes.webFormAddressModified.name"),
650 new Type(TSK_DATETIME_MODIFIED),
651 new Type(TSK_EMAIL));
654 getBundle().getString(
"WebTypes.webCookiesAccessed.name"),
657 new Type(TSK_DATETIME_ACCESSED),
661 getBundle().getString(
"WebTypes.webCookiesEnd.name"),
664 new Type(TSK_DATETIME_END),
668 getBundle().getString(
"TimelineEventType.BackupEventStart.txt"),
673 return getBundle().getString(
"TimelineEventType.BackupEvent.description.start");
675 new EmptyExtractor(),
676 new EmptyExtractor());
679 getBundle().getString(
"TimelineEventType.BackupEventEnd.txt"),
684 return getBundle().getString(
"TimelineEventType.BackupEvent.description.end");
686 new EmptyExtractor(),
687 new EmptyExtractor());
690 getBundle().getString(
"TimelineEventType.BluetoothPairing.txt"),
697 getBundle().getString(
"TimelineEventType.CalendarEntryStart.txt"),
704 getBundle().getString(
"TimelineEventType.CalendarEntryEnd.txt"),
711 getBundle().getString(
"TimelineEventType.DeletedProgram.txt"),
718 getBundle().getString(
"TimelineEventType.OSInfo.txt"),
725 getBundle().getString(
"TimelineEventType.ProgramNotification.txt"),
732 getBundle().getString(
"TimelineEventType.ScreenShot.txt"),
739 getBundle().getString(
"TimelineEventType.ServiceAccount.txt"),
744 String progName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_PROG_NAME)));
746 return String.format(
"Program Name: %s User ID: %s", progName, userId);
748 new EmptyExtractor(),
749 new EmptyExtractor());
752 getBundle().getString(
"TimelineEventType.UserDeviceEventStart.txt"),
757 String progName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_PROG_NAME)));
758 String activityType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_ACTIVITY_TYPE)));
759 String connectionType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_VALUE)));
760 return String.format(
"Program Name: %s Activity Type: %s Connection Type: %s", progName, activityType, connectionType);
762 new EmptyExtractor(),
763 new EmptyExtractor());
766 getBundle().getString(
"TimelineEventType.UserDeviceEventEnd.txt"),
771 String progName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_PROG_NAME)));
772 String activityType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_ACTIVITY_TYPE)));
773 String connectionType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_VALUE)));
774 return String.format(
"Program Name: %s Activity Type: %s Connection Type: %s", progName, activityType, connectionType);
776 new EmptyExtractor(),
777 new EmptyExtractor());
780 getBundle().getString(
"TimelineEventType.WebCache.text"),
783 new Type(TSK_DATETIME_CREATED),
787 getBundle().getString(
"TimelineEventType.WIFINetwork.txt"),
794 getBundle().getString(
"WebTypes.webHistoryCreated.name"),
797 new Type(TSK_DATETIME_CREATED),
801 getBundle().getString(
"TimelineEventType.BluetoothAdapter.txt"),
808 getBundle().getString(
"TimelineEventType.BluetoothPairingLastConnection.txt"),
817 getBundle().getString(
"CustomTypes.userCreated.name"),
840 return Optional.ofNullable(attr)
TimelineEventType EMAIL_RCVD
TimelineEventType BLUETOOTH_ADAPTER
TimelineEventType BACKUP_EVENT_START
TimelineEventType REGISTRY
default int compareTo(TimelineEventType otherType)
static String stringValueOf(BlackboardAttribute attr)
TimelineEventType PROGRAM_DELETED
TimelineEventType FILE_ACCESSED
TimelineEventType PROGRAM_NOTIFICATION
TimelineEventType CALENDAR_ENTRY_START
TimelineEventType WEB_FORM_ADDRESSES_MODIFIED
TimelineEventType SERVICE_ACCOUNT
TimelineEventType LOG_ENTRY
SortedSet<?extends TimelineEventType > getChildren()
TimelineEventType RECENT_DOCUMENTS
TimelineEventType WEB_COOKIE_END
TimelineEventType MESSAGE
default SortedSet<?extends TimelineEventType > getSiblings()
TimelineEventType GPS_ROUTE
static String toFrom(BlackboardAttribute dir)
TimelineEventType BLUETOOTH_PAIRING_ACCESSED
TimelineEventType BLUETOOTH_PAIRING
TimelineEventType USER_DEVICE_EVENT_END
TimelineEventType CALL_LOG_END
TimelineEventType WEB_HISTORY_CREATED
TimelineEventType.HierarchyLevel getTypeHierarchyLevel()
TimelineEventType WEB_COOKIE
TimelineEventType WEB_ACTIVITY
TimelineEventType USER_CREATED
TimelineEventType FILE_MODIFIED
TimelineEventType WEB_CACHE
Optional<?extends TimelineEventType > getChild(String displayName)
TimelineEventType USER_DEVICE_EVENT_START
String getDisplayString()
TimelineEventType CUSTOM_ARTIFACT_CATCH_ALL
TimelineEventType MISC_TYPES
TimelineEventType WEB_SEARCH
TimelineEventType WEB_BOOKMARK
TimelineEventType SCREEN_SHOT
TimelineEventType WEB_FORM_AUTOFILL_ACCESSED
default TimelineEventType getCategory()
int DEPRECATED_OTHER_EVENT_ID
TimelineEventType OS_INFO
TimelineEventType FILE_CREATED
TimelineEventType GPS_BOOKMARK
TimelineEventType INSTALLED_PROGRAM
TimelineEventType CALL_LOG
TimelineEventType WEB_HISTORY
TimelineEventType getParent()
TimelineEventType FILE_SYSTEM
TimelineEventType DEVICES_ATTACHED
TimelineEventType STANDARD_ARTIFACT_CATCH_ALL
TimelineEventType WEB_FORM_ADDRESSES
TimelineEventType WEB_DOWNLOADS
TimelineEventType ROOT_EVENT_TYPE
TimelineEventType GPS_TRACK
static SortedSet<?extends TimelineEventType > getWebActivityTypes()
static SortedSet<?extends TimelineEventType > getMiscTypes()
TimelineEventType WEB_FORM_AUTOFILL
TimelineEventType PROGRAM_EXECUTION
TimelineEventType GPS_LAST_KNOWN_LOCATION
TimelineEventType WEB_COOKIE_ACCESSED
static SortedSet<?extends TimelineEventType > getFileSystemTypes()
static SortedSet<?extends TimelineEventType > getCategoryTypes()
TimelineEventType CALENDAR_ENTRY_END
TimelineEventType GPS_SEARCH
TimelineEventType METADATA_CREATED
TimelineEventType GPS_TRACKPOINT
TimelineEventType METADATA_LAST_PRINTED
TimelineEventType FILE_CHANGED
TimelineEventType BACKUP_EVENT_END
TimelineEventType METADATA_LAST_SAVED
TimelineEventType WIFI_NETWORK