Sleuth Kit Java Bindings (JNI)  4.11.1
Java bindings for using The Sleuth Kit
TimelineEventTypes.java
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2018-2019 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import com.google.common.net.InternetDomainName;
22 import java.net.URI;
23 import java.net.URISyntaxException;
24 import java.util.stream.Collectors;
25 import java.util.stream.Stream;
26 import org.apache.commons.lang3.StringUtils;
30 
35 class TimelineEventTypes {
36 
/**
 * Private constructor: nothing in this class constructs an instance. The
 * class only groups the nested event type implementations and the static
 * file-path helper.
 */
private TimelineEventTypes() {
    // Intentionally empty.
}
39 
/**
 * Extractor that ignores the artifact it is given and always yields the
 * empty string.
 */
static final class EmptyExtractor implements TimelineEventArtifactTypeImpl.TSKCoreCheckedFunction<BlackboardArtifact, String> {

    /**
     * @param ignored The artifact; never read.
     *
     * @return Always the empty string, never null.
     *
     * @throws TskCoreException Declared by the functional interface; this
     *                          implementation does not throw it.
     */
    @Override
    public String apply(BlackboardArtifact ignored) throws TskCoreException {
        final String noDescription = "";
        return noDescription;
    }
}
52 
/**
 * Event type for artifacts whose description attribute holds a URL. The
 * three description levels are derived from that one string: the full text,
 * a trimmed URL, and a host or domain name.
 *
 * The URL text is taken from the artifact as-is, so every level may contain
 * arbitrary content recovered from the data source. Consumers that render
 * these strings should treat them as untrusted.
 */
static class URLArtifactEventType extends TimelineEventArtifactTypeSingleDescription {

    URLArtifactEventType(int typeID, String displayName, TimelineEventType superType, BlackboardArtifact.Type artifactType, BlackboardAttribute.Type timeAttribute, BlackboardAttribute.Type descriptionAttribute) {
        super(typeID, displayName, superType, artifactType, timeAttribute, descriptionAttribute);
    }

    /**
     * Derives the medium and short descriptions from the full description,
     * which is parsed as a URI.
     *
     * Short description: the top private domain when the host is a valid
     * domain name under a public suffix, the whole domain when it is valid
     * but not under a public suffix, otherwise the host text unchanged.
     *
     * Medium description: the URI rebuilt from scheme, user-info, host, port
     * and path. The query and fragment are dropped. The user-info component
     * is kept, so credentials embedded in a URL ("user:password@host") also
     * appear at the medium level.
     *
     * NOTE(review): a null fullDescriptionRaw is not handled here; only
     * URISyntaxException is caught. Confirm callers never pass null.
     *
     * @param fullDescriptionRaw  The URL text; returned unchanged as the
     *                            full description.
     * @param medDescriptionRaw   Not used.
     * @param shortDescriptionRaw Not used.
     *
     * @return All three levels when the text parses as a URI, otherwise a
     *         description built from the full text only.
     */
    @Override
    TimelineEventDescription parseDescription(String fullDescriptionRaw, String medDescriptionRaw, String shortDescriptionRaw) {
        final String fullDescription = fullDescriptionRaw;
        try {
            final URI parsed = new URI(fullDescription);

            // Scheme-less or relative input has no host component; fall back
            // to the raw text with leading/trailing '.' and '/' removed.
            final String parsedHost = parsed.getHost();
            final String host = (parsedHost != null)
                    ? parsedHost
                    : StringUtils.strip(fullDescription, "./");

            // Default to the host text; refine it only when it is a
            // syntactically valid domain name.
            String shortDescription = host;
            if (InternetDomainName.isValid(host)) {
                final InternetDomainName domain = InternetDomainName.from(host);
                if (domain.isUnderPublicSuffix()) {
                    shortDescription = domain.topPrivateDomain().toString();
                } else {
                    shortDescription = domain.toString();
                }
            }

            // Query and fragment are passed as null, so they are omitted.
            final URI trimmed = new URI(parsed.getScheme(), parsed.getUserInfo(), host, parsed.getPort(), parsed.getPath(), null, null);

            return new TimelineEventDescription(fullDescription, trimmed.toString(), shortDescription);
        } catch (URISyntaxException ex) {
            // The text is not a parsable URI (or could not be rebuilt as
            // one): keep only the full description and skip the other levels.
            return new TimelineEventDescription(fullDescription);
        }
    }
}
95 
/**
 * Event type whose full description is a file path. The medium and short
 * levels are computed from that path by parseFilePathDescription.
 */
static class FilePathEventType extends TimelineEventTypeImpl {

    FilePathEventType(long typeID, String displayName, TimelineEventType.HierarchyLevel eventTypeZoomLevel, TimelineEventType superType) {
        super(typeID, displayName, eventTypeZoomLevel, superType);
    }

    /**
     * @param fullDescription  The file path.
     * @param medDescription   Not used; recomputed from the path.
     * @param shortDescription Not used; recomputed from the path.
     *
     * @return The description levels derived from the path.
     */
    @Override
    TimelineEventDescription parseDescription(String fullDescription, String medDescription, String shortDescription) {
        final TimelineEventDescription pathLevels = parseFilePathDescription(fullDescription);
        return pathLevels;
    }
}
108 
/**
 * Artifact-backed event type whose description attribute holds a file path.
 * The medium and short levels are computed from that path by
 * parseFilePathDescription.
 */
static class FilePathArtifactEventType extends TimelineEventArtifactTypeSingleDescription {

    FilePathArtifactEventType(int typeID, String displayName, TimelineEventType superType, BlackboardArtifact.Type artifactType, BlackboardAttribute.Type timeAttribute, BlackboardAttribute.Type descriptionAttribute) {
        super(typeID, displayName, superType, artifactType, timeAttribute, descriptionAttribute);
    }

    /**
     * @param fullDescriptionRaw  The file path taken from the artifact.
     * @param medDescriptionRaw   Not used; recomputed from the path.
     * @param shortDescriptionRaw Not used; recomputed from the path.
     *
     * @return The description levels derived from the path.
     */
    @Override
    TimelineEventDescription parseDescription(String fullDescriptionRaw, String medDescriptionRaw, String shortDescriptionRaw) {
        final TimelineEventDescription pathLevels = parseFilePathDescription(fullDescriptionRaw);
        return pathLevels;
    }
}
120 
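/**
 * Event type for GPS track artifacts. The event time is not read from a
 * dedicated time attribute: it is the start time reported by the track-point
 * list parsed from the artifact's TSK_GEO_TRACKPOINTS attribute.
 */
static class GPSTrackArtifactEventType extends TimelineEventArtifactTypeSingleDescription {

    GPSTrackArtifactEventType(int typeID, String displayName, TimelineEventType superType, BlackboardArtifact.Type artifactType, BlackboardAttribute.Type descriptionAttribute) {
        // TSK_GEO_TRACKPOINTS is passed as the "time attribute" only as a
        // placeholder, so that the superclass is never handed null.
        super(typeID, displayName, superType, artifactType, new BlackboardAttribute.Type(TSK_GEO_TRACKPOINTS), descriptionAttribute);
    }

    /**
     * Builds the timed description for a GPS track artifact.
     *
     * @param artifact The artifact to describe.
     *
     * @return The description stamped with the track's start time, or null
     *         when the artifact has no TSK_GEO_TRACKPOINTS attribute, the
     *         attribute yields no track-point list, or the list has no start
     *         time. No event should be created in those cases.
     *
     * @throws TskCoreException If the attribute value cannot be parsed as
     *                          track points.
     */
    @Override
    public TimelineEventDescriptionWithTime makeEventDescription(BlackboardArtifact artifact) throws TskCoreException {

        // If there is no list of track points, do not create an event.
        BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(TSK_GEO_TRACKPOINTS));
        if (attribute == null) {
            return null;
        }

        // Parse the track-point list; its "start time" becomes the event time.
        GeoTrackPoints pointsList;
        try {
            pointsList = BlackboardJsonAttrUtil.fromAttribute(attribute, GeoTrackPoints.class);
        } catch (BlackboardJsonAttrUtil.InvalidJsonException ex) {
            throw new TskCoreException("Unable to parse track points in TSK_GEO_TRACKPOINTS attribute", ex);
        }

        // The attribute value originates from parsed case data. How
        // fromAttribute treats an empty or JSON-null value is not visible
        // here, so guard against a null result instead of dereferencing it.
        if (pointsList == null) {
            return null;
        }

        // If we didn't find a start time, do not create an event.
        Long startTime = pointsList.getStartTime();
        if (startTime == null) {
            return null;
        }

        return new TimelineEventDescriptionWithTime(startTime, null, null, extractFullDescription(artifact));
    }
}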
159 
/**
 * Builds the three description levels for a '/'-separated file path.
 *
 * The short description is "/" followed by the first non-blank path
 * segment. The medium description is "/" followed by the leading non-blank
 * segments joined with "/". The number of segments kept is
 * max(1, split.length - 2), where split.length counts the raw result of
 * splitting on "/", blank segments included.
 *
 * Worked example (constructed): "/a/b/c.txt" gives medium "/a/b" and short
 * "/a". An empty path gives "/" for both.
 *
 * Only '/' is treated as a separator; a path that uses another separator is
 * handled as a single segment.
 *
 * @param fullDescription The file path; used unchanged as the full
 *                        description. Must not be null.
 *
 * @return The full, medium and short descriptions.
 */
static TimelineEventDescription parseFilePathDescription(String fullDescription) {
    final String[] segments = fullDescription.split("/");

    // The cap comes from the raw split length but is applied after blank
    // segments have been filtered out.
    final int mediumSegmentCap = Math.max(1, segments.length - 2);

    final String mediumDescription = joinLeadingSegments(segments, mediumSegmentCap);
    final String shortDescription = joinLeadingSegments(segments, 1);

    return new TimelineEventDescription(fullDescription, mediumDescription, shortDescription);
}

/**
 * Joins up to maxSegments leading non-blank segments into a path that starts
 * with "/", then collapses any "//" into "/".
 */
private static String joinLeadingSegments(String[] segments, long maxSegments) {
    final String joined = Stream.of(segments)
            .filter(segment -> StringUtils.isNotBlank(segment))
            .limit(maxSegments)
            .collect(Collectors.joining("/", "/", ""));
    return joined.replaceAll("//", "/");
}
185 
186 }

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.