Sleuth Kit Java Bindings (JNI) 4.11.1
Java bindings for using The Sleuth Kit
org.sleuthkit.datamodel.Score Class Reference

Inherits Comparable<Score>.


enum Priority
enum Significance

Public Member Functions

Score (Significance significance, Priority priority)
int compareTo (Score other)
Priority getPriority ()
Significance getSignificance ()

Static Public Member Functions

static final Comparator<Score> getScoreComparator ()

Static Public Attributes

static final Score SCORE_LIKELY_NONE = new Score(Significance.LIKELY_NONE, Priority.NORMAL)
static final Score SCORE_LIKELY_NOTABLE = new Score(Significance.LIKELY_NOTABLE, Priority.NORMAL)
static final Score SCORE_NONE = new Score(Significance.NONE, Priority.NORMAL)
static final Score SCORE_NOTABLE = new Score(Significance.NOTABLE, Priority.NORMAL)
static final Score SCORE_UNKNOWN = new Score(Significance.UNKNOWN, Priority.NORMAL)

Detailed Description

Encapsulates either an analysis result score or the aggregate score of Content. A score measures how likely the Content object is to be relevant to an investigation. Relevance is determined by a series of analysis techniques, each of which has a score. The aggregate score for an item is then determined based on its analysis results.

A score has two primary fields: Significance and Priority.

There are two priorities: Normal and Override. Nearly everything should have a "Normal" priority. "Override" is used when a user wants to change the score because of a false positive. An "Override" score takes priority over the combined "Normal" scores. An item should have only one "Override" score at a time, but that is not currently enforced.

The significance is a range of how Notable (i.e. "Bad") the item is. The range runs from NONE (i.e. "Good") to NOTABLE, with values in the middle such as LIKELY_NOTABLE for suspicious items. The LIKELY_ values are used when there is less confidence in the result. The significance reflects how confidently the technique detects notable or benign items, i.e. its false positive rate.

For example, if a file is found in an MD5 hash set of notable files, a module would assign a significance of NOTABLE, because an MD5 match is exact and every file in the hash set is notable.

For a keyword hit, the significance would be LIKELY_NOTABLE, because keywords often appear in both benign and malicious contexts. A user will need to review the file to determine whether it is a true or false positive.

If a file is found on a known-good list (via MD5), it could be given a significance of NONE, and other modules could then ignore it.

An aggregate score combines the individual analysis results: USER_RESULTS overrules NORMAL, NOTABLE overrules NONE, and both of those overrule the LIKELY_* results.
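As an added illustration (not code from The Sleuth Kit itself), the following Java snippet applies the aggregation rules above to a list of per-module Score objects, using only the constructor, accessors and constants documented on this page. It assumes Priority.OVERRIDE is the enum value for the "Override" priority and, where the text is silent, that LIKELY_NOTABLE outranks LIKELY_NONE and that UNKNOWN ranks lowest.

```java
import java.util.Arrays;
import java.util.List;
import org.sleuthkit.datamodel.Score;
import org.sleuthkit.datamodel.Score.Priority;
import org.sleuthkit.datamodel.Score.Significance;

public class ScoreAggregationExample {
    // Rank significances as the description orders them: NOTABLE and NONE outrank the
    // LIKELY_* values, NOTABLE outranks NONE. Placing LIKELY_NOTABLE above LIKELY_NONE
    // and UNKNOWN at the bottom is an assumption the page does not state.
    static int rank(Significance s) {
        switch (s) {
            case NOTABLE:        return 4;
            case NONE:           return 3;
            case LIKELY_NOTABLE: return 2;
            case LIKELY_NONE:    return 1;
            default:             return 0; // UNKNOWN
        }
    }

    // Any Override-priority score beats every Normal-priority score; within the same
    // priority the higher-ranked significance wins. Empty input yields SCORE_UNKNOWN.
    static Score aggregate(List<Score> results) {
        Score best = Score.SCORE_UNKNOWN;
        for (Score s : results) {
            boolean bestOverride = best.getPriority() == Priority.OVERRIDE;
            boolean sOverride = s.getPriority() == Priority.OVERRIDE;
            if (sOverride != bestOverride) {
                if (sOverride) best = s; // override always wins, whatever its significance
                continue;
            }
            if (rank(s.getSignificance()) > rank(best.getSignificance())) best = s;
        }
        return best;
    }

    public static void main(String[] args) {
        // Constructed sample: a hash-set hit (NOTABLE) beside a keyword hit
        // (LIKELY_NOTABLE); the exact hash match should dominate the aggregate.
        List<Score> modules = Arrays.asList(Score.SCORE_LIKELY_NOTABLE, Score.SCORE_NOTABLE);
        System.out.println("module results only: " + aggregate(modules).getSignificance());
        // The examiner reviews the file, judges it a false positive and records an
        // Override-priority NONE, which must beat the Normal-priority NOTABLE.
        Score examiner = new Score(Significance.NONE, Priority.OVERRIDE);
        List<Score> reviewed = Arrays.asList(Score.SCORE_NOTABLE, Score.SCORE_LIKELY_NOTABLE, examiner);
        System.out.println("after examiner override: " + aggregate(reviewed).getSignificance());
    }
}
```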


Definition at line 64 of file

Constructor & Destructor Documentation

org.sleuthkit.datamodel.Score.Score ( Significance significance, Priority priority )

Definition at line 219 of file

Member Function Documentation

int org.sleuthkit.datamodel.Score.compareTo ( Score other )

Priority org.sleuthkit.datamodel.Score.getPriority ( )

Definition at line 228 of file

Referenced by org.sleuthkit.datamodel.Score.compareTo().

static final Comparator<Score> org.sleuthkit.datamodel.Score.getScoreComparator ( )

Definition at line 244 of file

References org.sleuthkit.datamodel.Score.compareTo().

Significance org.sleuthkit.datamodel.Score.getSignificance ( )

Definition at line 224 of file

Referenced by org.sleuthkit.datamodel.Score.compareTo().

Member Data Documentation

final Score org.sleuthkit.datamodel.Score.SCORE_LIKELY_NONE = new Score(Significance.LIKELY_NONE, Priority.NORMAL)

Definition at line 210 of file

final Score org.sleuthkit.datamodel.Score.SCORE_LIKELY_NOTABLE = new Score(Significance.LIKELY_NOTABLE, Priority.NORMAL)

Definition at line 209 of file

final Score org.sleuthkit.datamodel.Score.SCORE_NONE = new Score(Significance.NONE, Priority.NORMAL)

Definition at line 211 of file

final Score org.sleuthkit.datamodel.Score.SCORE_NOTABLE = new Score(Significance.NOTABLE, Priority.NORMAL)

Definition at line 208 of file

The documentation for this class was generated from the following file:

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.