Sleuth Kit Java Bindings (JNI)  4.11.1
Java bindings for using The Sleuth Kit
OSUtility.java
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import java.util.List;
22 import java.util.ArrayList;
23 
25 
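/**
 * Static helpers that collect the TSK_OS_INFO blackboard artifacts of a case
 * and fold them into a list of {@link OSInfo} objects.
 *
 * Artifacts are merged using {@code OSInfo.matches} and {@code OSInfo.combine},
 * whose exact semantics are defined in OSInfo and are not visible in this file.
 *
 * NOTE(review): an artifact is treated as a "backup" when the parent path of
 * its source file contains the literal text "RegBack". This is a plain,
 * case-sensitive substring test: any path that merely contains that text is
 * classified as a backup (and therefore left out by the getOSInfo variants),
 * and a differently-cased directory name is not recognised. Examiners who need
 * complete coverage should use {@link #getAllOSInfo(SleuthkitCase)} and check
 * the backup flag on each result.
 */
public class OSUtility {

    /** Path fragment used to recognise artifacts that come from a registry backup directory. */
    private static final String BACKUP_DIR_MARKER = "RegBack";

    private OSUtility() {
        // Utility class; not instantiable.
    }

    /**
     * Gets the OS information for a case, leaving out artifacts found in backup
     * directories.
     *
     * @param skCase the case to query
     *
     * @return merged OSInfo objects; empty if no artifact qualifies
     *
     * @throws TskCoreException if the case database query fails
     */
    public static List<OSInfo> getOSInfo(SleuthkitCase skCase) throws TskCoreException {
        return getOSInfoInternal(skCase, false, false, 0);
    }

    /**
     * Gets the OS information for the file system that holds the given content,
     * leaving out artifacts found in backup directories. Artifacts whose source
     * file is not an FsContent have no file system ID and are never returned by
     * this variant.
     *
     * @param skCase the case to query
     * @param fsc    content whose file system ID restricts the results; must not
     *               be null (a null value causes a NullPointerException)
     *
     * @return merged OSInfo objects for that file system; empty if none qualify
     *
     * @throws TskCoreException if the case database query fails
     */
    public static List<OSInfo> getOSInfo(SleuthkitCase skCase, FsContent fsc) throws TskCoreException {
        return getOSInfoInternal(skCase, false, true, fsc.getFileSystemId());
    }

    /**
     * Gets the OS information for a case, including artifacts found in backup
     * directories.
     *
     * @param skCase the case to query
     *
     * @return merged OSInfo objects; empty if the case has no OS info artifacts
     *
     * @throws TskCoreException if the case database query fails
     */
    public static List<OSInfo> getAllOSInfo(SleuthkitCase skCase) throws TskCoreException {
        return getOSInfoInternal(skCase, true, false, 0);
    }

    /**
     * Shared implementation behind the public getters.
     *
     * @param skCase         the case to query
     * @param includeBackups if false, artifacts from backup directories are skipped
     * @param restrictFs     if true, only artifacts on file system {@code fsId}
     *                       are returned
     * @param fsId           file system ID to match; ignored unless
     *                       {@code restrictFs} is true
     *
     * @return merged OSInfo objects, in order of first appearance
     *
     * @throws TskCoreException if the case database query fails
     */
    private static List<OSInfo> getOSInfoInternal(SleuthkitCase skCase, boolean includeBackups,
            boolean restrictFs, long fsId) throws TskCoreException {

        List<OSInfo> infoList = new ArrayList<OSInfo>();

        // Get all OS_INFO artifacts for this case
        List<BlackboardArtifact> results = skCase.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO);

        for (BlackboardArtifact art : results) {

            // Artifacts whose source file cannot be resolved are dropped silently.
            AbstractFile file = skCase.getAbstractFileById(art.getObjectID());
            if (file == null) {
                continue;
            }

            // Check if we're in a backup directory. If so and we're not including
            // backups, skip this artifact. A missing parent path is treated as
            // "not a backup" rather than aborting the whole query.
            String parentPath = file.getParentPath();
            boolean isBackup = (parentPath != null) && parentPath.contains(BACKUP_DIR_MARKER);
            if (isBackup && (!includeBackups)) {
                continue;
            }

            // FsContent allows us to get the file system ID.
            if (file instanceof FsContent) {
                FsContent fsc = (FsContent) file;

                // If we're restricting the file system, skip any that don't match
                if (restrictFs && (fsId != fsc.getFileSystemId())) {
                    continue;
                }

                mergeOrAdd(infoList, new OSInfo(art, isBackup, fsc.getFileSystemId(), file.getParent()));
            } else if (!restrictFs) {
                // No file system ID is available in this case.
                mergeOrAdd(infoList, new OSInfo(art, isBackup, file.getParent()));
            }
            // Otherwise the search is limited to one FS: don't include any data
            // we can't find the FS for.
        }

        return infoList;
    }

    /**
     * Combines newInfo into the first list entry it matches, or appends it when
     * nothing matches. Because only the first match is used, the result depends
     * on the order in which artifacts are processed.
     */
    private static void mergeOrAdd(List<OSInfo> infoList, OSInfo newInfo) {
        for (OSInfo info : infoList) {
            if (info.matches(newInfo)) {
                info.combine(newInfo);
                return;
            }
        }
        infoList.add(newInfo);
    }

}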

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.