19 package org.sleuthkit.datamodel;
21 import com.google.common.annotations.Beta;
22 import com.google.common.base.MoreObjects;
23 import com.google.common.collect.ImmutableSortedSet;
24 import com.google.common.collect.ImmutableSet;
25 import java.util.Arrays;
26 import java.util.Comparator;
27 import java.util.List;
28 import java.util.Optional;
30 import java.util.SortedSet;
85 SortedSet<? extends TimelineEventType>
getChildren();
95 Optional<? extends TimelineEventType>
getChild(String displayName);
153 ROOT(getBundle().getString(
"EventTypeHierarchyLevel.root")),
159 CATEGORY(getBundle().getString(
"EventTypeHierarchyLevel.category")),
165 EVENT(getBundle().getString(
"EventTypeHierarchyLevel.event"));
167 private final String displayName;
186 this.displayName = displayName;
196 getBundle().getString(
"RootEventType.eventTypes.name"),
200 public SortedSet< TimelineEventType>
getChildren() {
201 ImmutableSortedSet.Builder<
TimelineEventType> builder = ImmutableSortedSet.orderedBy(
new Comparator<TimelineEventType>() {
209 return builder.build();
214 getBundle().getString(
"BaseTypes.fileSystem.name"),
217 public SortedSet< TimelineEventType>
getChildren() {
224 getBundle().getString(
"BaseTypes.webActivity.name"),
227 public SortedSet< TimelineEventType>
getChildren() {
239 getBundle().getString(
"BaseTypes.miscTypes.name"),
242 public SortedSet<TimelineEventType>
getChildren() {
258 getBundle().getString(
"FileSystemTypes.fileModified.name"),
262 getBundle().getString(
"FileSystemTypes.fileAccessed.name"),
266 getBundle().getString(
"FileSystemTypes.fileCreated.name"),
270 getBundle().getString(
"FileSystemTypes.fileChanged.name"),
274 getBundle().getString(
"WebTypes.webDownloads.name"),
277 new Type(TSK_DATETIME_ACCESSED),
281 getBundle().getString(
"WebTypes.webCookies.name"),
284 new Type(TSK_DATETIME_CREATED),
288 getBundle().getString(
"WebTypes.webBookmarks.name"),
291 new Type(TSK_DATETIME_CREATED),
295 getBundle().getString(
"WebTypes.webHistory.name"),
298 new Type(TSK_DATETIME_ACCESSED),
302 getBundle().getString(
"WebTypes.webSearch.name"),
305 new Type(TSK_DATETIME_ACCESSED),
306 new Type(TSK_DOMAIN));
309 getBundle().getString(
"MiscTypes.message.name"),
312 new Type(TSK_DATETIME),
313 new TimelineEventArtifactTypeImpl.AttributeExtractor(
new Type(TSK_MESSAGE_TYPE)),
// Fallback chain for the phone number: phoneNumber is first assigned outside
// this excerpt; only while it is still null are TSK_PHONE_NUMBER_TO and then
// TSK_PHONE_NUMBER_FROM tried.
321 if (phoneNumber == null) {
322 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_TO));
325 if (phoneNumber == null) {
326 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_FROM));
329 List<String> asList = Arrays.asList(
// The direction label is emitted only when there is a name or a number to
// attach it to; otherwise an empty string takes its place.
332 name == null && phoneNumber == null ?
"" :
toFrom(dir),
// MoreObjects.firstNonNull throws when both arguments are null. The condition
// on this line is the only thing keeping that case out, so the guard and the
// call must stay in sync.
333 name != null || phoneNumber != null ?
stringValueOf(MoreObjects.firstNonNull(name, phoneNumber)) :
"",
// String.join keeps empty elements, so a "" entry above still contributes a
// separator and the description can carry leading or doubled spaces.
336 return String.join(
" ", asList);
341 getBundle().getString(
"MiscTypes.GPSRoutes.name"),
344 new Type(TSK_DATETIME),
345 new AttributeExtractor(
new Type(TSK_PROG_NAME)),
346 new AttributeExtractor(
new Type(TSK_LOCATION)),
355 @SuppressWarnings(
"deprecation")
357 getBundle().getString("MiscTypes.GPSTrackpoint.name"),
360 new
Type(TSK_DATETIME),
361 new AttributeExtractor(new
Type(TSK_PROG_NAME)),
367 new EmptyExtractor());
370 getBundle().getString(
"MiscTypes.Calls.name"),
373 new Type(TSK_DATETIME_START),
374 new AttributeExtractor(
new Type(TSK_NAME)),
377 if (phoneNumber == null) {
378 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_TO));
380 if (phoneNumber == null) {
381 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_FROM));
386 new AttributeExtractor(
new Type(TSK_DIRECTION)));
389 getBundle().getString(
"MiscTypes.Email.name"),
392 new Type(TSK_DATETIME_SENT),
// Builds the description for a sent e-mail from artifact attributes. The
// values are presumably parsed from the data source under examination, so
// treat them as untrusted text wherever the description is later rendered.
394 String emailFrom =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_EMAIL_FROM)));
// Cap the sender at EMAIL_TO_FROM_LENGTH_MAX. substring counts UTF-16 code
// units, so the cut can land inside a surrogate pair.
395 if (emailFrom.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
396 emailFrom = emailFrom.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// Same cap for the recipient; emailTo is assigned outside this excerpt.
399 if (emailTo.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
400 emailTo = emailTo.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// NOTE(review): there is no separator between emailFrom and "Sent to: ", so
// the result reads "Sent from: <from>Sent to: <to>". The received-mail
// description in this file uses " To: " with a leading space. Confirm that
// nothing downstream matches on the current text before changing it.
402 return "Sent from: " + emailFrom +
"Sent to: " + emailTo;
404 new AttributeExtractor(
new Type(TSK_SUBJECT)),
// msg (its source attribute is not shown here) is capped separately at
// EMAIL_FULL_DESCRIPTION_LENGTH_MAX, with the same code-unit caveat as above.
408 if (msg.length() > TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX) {
409 msg = msg.substring(0, TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX);
415 getBundle().getString(
"MiscTypes.recentDocuments.name"),
418 new Type(TSK_DATETIME_ACCESSED),
422 getBundle().getString(
"MiscTypes.installedPrograms.name"),
425 new Type(TSK_DATETIME),
426 new AttributeExtractor(
new Type(TSK_PROG_NAME)),
427 new EmptyExtractor(),
428 new EmptyExtractor());
431 getBundle().getString(
"MiscTypes.exif.name"),
434 new Type(TSK_DATETIME_CREATED),
435 new AttributeExtractor(
new Type(TSK_DEVICE_MAKE)),
436 new AttributeExtractor(
new Type(TSK_DEVICE_MODEL)),
// Uses the name of the file the artifact is attached to (looked up by the
// artifact's object ID) as this description level.
// NOTE(review): chained dereference. If getAbstractFileById returns null for
// this object ID (its contract is not visible here), getName() throws a
// NullPointerException while the description is being built; confirm or guard.
437 artf -> artf.getSleuthkitCase().getAbstractFileById(artf.getObjectID()).getName()
441 getBundle().getString(
"MiscTypes.devicesAttached.name"),
444 new Type(TSK_DATETIME),
445 new AttributeExtractor(
new Type(TSK_DEVICE_MAKE)),
446 new AttributeExtractor(
new Type(TSK_DEVICE_MODEL)),
447 new AttributeExtractor(
new Type(TSK_DEVICE_ID)));
459 getBundle().getString(
"CustomTypes.other.name"),
467 getBundle().getString(
"MiscTypes.LogEntry.name"),
474 getBundle().getString(
"MiscTypes.Registry.name"),
484 getBundle().getString(
"CustomTypes.customArtifact.name"),
491 getBundle().getString(
"WebTypes.webFormAutoFill.name"),
494 new Type(TSK_DATETIME_CREATED),
500 },
new EmptyExtractor(),
new EmptyExtractor());
503 getBundle().getString(
"WebTypes.webFormAddress.name"),
506 new Type(TSK_DATETIME_ACCESSED),
507 new Type(TSK_EMAIL));
510 getBundle().getString(
"MiscTypes.GPSBookmark.name"),
513 new Type(TSK_DATETIME),
514 new AttributeExtractor(
new Type(TSK_NAME)),
520 new EmptyExtractor());
523 getBundle().getString(
"MiscTypes.GPSLastknown.name"),
526 new Type(TSK_DATETIME),
527 new AttributeExtractor(
new Type(TSK_NAME)),
533 new EmptyExtractor());
536 getBundle().getString(
"MiscTypes.GPSearch.name"),
539 new Type(TSK_DATETIME),
540 new AttributeExtractor(
new Type(TSK_NAME)),
546 new EmptyExtractor());
549 getBundle().getString(
"MiscTypes.GPSTrack.name"),
555 getBundle().getString(
"MiscTypes.metadataLastPrinted.name"),
560 return getBundle().getString(
"MiscTypes.metadataLastPrinted.name");
562 new EmptyExtractor(),
563 new EmptyExtractor());
566 getBundle().getString(
"MiscTypes.metadataLastSaved.name"),
571 return getBundle().getString(
"MiscTypes.metadataLastSaved.name");
573 new EmptyExtractor(),
574 new EmptyExtractor());
577 getBundle().getString(
"MiscTypes.metadataCreated.name"),
582 return getBundle().getString(
"MiscTypes.metadataCreated.name");
584 new EmptyExtractor(),
585 new EmptyExtractor());
588 getBundle().getString(
"MiscTypes.programexecuted.name"),
591 new Type(TSK_DATETIME),
592 new AttributeExtractor(
new Type(TSK_PROG_NAME)),
// Reads the user name attribute of the artifact as a display string.
594 String userName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_USER_NAME)));
// NOTE(review): stringValueOf appears to wrap its argument with
// Optional.ofNullable (listing line 859). If it maps a missing attribute to a
// non-null default, this null check always passes; confirm whether an
// emptiness check was intended.
595 if (userName != null) {
600 new AttributeExtractor(
new Type(TSK_COMMENT)));
603 getBundle().getString(
"WebTypes.webFormAutofillAccessed.name"),
606 new Type(TSK_DATETIME_ACCESSED),
612 },
new EmptyExtractor(),
new EmptyExtractor());
615 getBundle().getString(
"MiscTypes.CallsEnd.name"),
618 new Type(TSK_DATETIME_END),
619 new AttributeExtractor(
new Type(TSK_NAME)),
622 if (phoneNumber == null) {
623 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_TO));
625 if (phoneNumber == null) {
626 phoneNumber = getAttributeSafe(artf,
new Type(TSK_PHONE_NUMBER_FROM));
631 new AttributeExtractor(
new Type(TSK_DIRECTION)));
634 getBundle().getString(
"MiscTypes.EmailRcvd.name"),
637 new Type(TSK_DATETIME_RCVD),
// Builds the description for a received e-mail from artifact attributes. The
// values are presumably parsed from the data source under examination, so
// treat them as untrusted text wherever the description is later rendered.
639 String emailFrom =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_EMAIL_FROM)));
// Cap the sender at EMAIL_TO_FROM_LENGTH_MAX. substring counts UTF-16 code
// units, so the cut can land inside a surrogate pair.
640 if (emailFrom.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
641 emailFrom = emailFrom.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// Same cap for the recipient; emailTo is assigned outside this excerpt.
644 if (emailTo.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
645 emailTo = emailTo.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
// Unlike the sent-mail description in this file, the second label here starts
// with a space, so the two addresses stay visually separated.
647 return "Message from: " + emailFrom +
" To: " + emailTo;
649 new AttributeExtractor(
new Type(TSK_SUBJECT)),
// msg (its source attribute is not shown here) is capped separately at
// EMAIL_FULL_DESCRIPTION_LENGTH_MAX, with the same code-unit caveat as above.
653 if (msg.length() > TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX) {
654 msg = msg.substring(0, TimelineEventArtifactTypeImpl.EMAIL_FULL_DESCRIPTION_LENGTH_MAX);
660 getBundle().getString(
"WebTypes.webFormAddressModified.name"),
663 new Type(TSK_DATETIME_MODIFIED),
664 new Type(TSK_EMAIL));
667 getBundle().getString(
"WebTypes.webCookiesAccessed.name"),
670 new Type(TSK_DATETIME_ACCESSED),
674 getBundle().getString(
"WebTypes.webCookiesEnd.name"),
677 new Type(TSK_DATETIME_END),
687 getBundle().getString(
"TimelineEventType.BackupEventStart.txt"),
692 return getBundle().getString(
"TimelineEventType.BackupEvent.description.start");
694 new EmptyExtractor(),
695 new EmptyExtractor());
698 getBundle().getString(
"TimelineEventType.BackupEventEnd.txt"),
703 return getBundle().getString(
"TimelineEventType.BackupEvent.description.end");
705 new EmptyExtractor(),
706 new EmptyExtractor());
709 getBundle().getString(
"TimelineEventType.BluetoothPairing.txt"),
716 getBundle().getString(
"TimelineEventType.CalendarEntryStart.txt"),
723 getBundle().getString(
"TimelineEventType.CalendarEntryEnd.txt"),
730 getBundle().getString(
"TimelineEventType.DeletedProgram.txt"),
737 getBundle().getString(
"TimelineEventType.OSInfo.txt"),
744 getBundle().getString(
"TimelineEventType.ProgramNotification.txt"),
751 getBundle().getString(
"TimelineEventType.ScreenShot.txt"),
758 getBundle().getString(
"TimelineEventType.ServiceAccount.txt"),
// Reads the program name attribute of the artifact as a display string.
763 String progName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_PROG_NAME)));
// Attribute values are passed as format arguments, never as the format string,
// so '%' sequences in artifact data cannot change the formatting.
// userId is assigned outside this excerpt.
765 return String.format(
"Program Name: %s User ID: %s", progName, userId);
767 new EmptyExtractor(),
768 new EmptyExtractor());
771 getBundle().getString(
"TimelineEventType.UserDeviceEventStart.txt"),
// Collects three artifact attributes as display strings for the description.
776 String progName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_PROG_NAME)));
777 String activityType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_ACTIVITY_TYPE)));
// The "Connection Type" label below is filled from the generic TSK_VALUE attribute.
778 String connectionType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_VALUE)));
// Attribute values are passed as format arguments, never as the format string,
// so '%' sequences in artifact data cannot change the formatting.
779 return String.format(
"Program Name: %s Activity Type: %s Connection Type: %s", progName, activityType, connectionType);
781 new EmptyExtractor(),
782 new EmptyExtractor());
785 getBundle().getString(
"TimelineEventType.UserDeviceEventEnd.txt"),
// Collects three artifact attributes as display strings for the description.
790 String progName =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_PROG_NAME)));
791 String activityType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_ACTIVITY_TYPE)));
// The "Connection Type" label below is filled from the generic TSK_VALUE attribute.
792 String connectionType =
stringValueOf(getAttributeSafe(artf,
new Type(TSK_VALUE)));
// Attribute values are passed as format arguments, never as the format string,
// so '%' sequences in artifact data cannot change the formatting.
793 return String.format(
"Program Name: %s Activity Type: %s Connection Type: %s", progName, activityType, connectionType);
795 new EmptyExtractor(),
796 new EmptyExtractor());
799 getBundle().getString(
"TimelineEventType.WebCache.text"),
802 new Type(TSK_DATETIME_CREATED),
806 getBundle().getString(
"TimelineEventType.WIFINetwork.txt"),
813 getBundle().getString(
"WebTypes.webHistoryCreated.name"),
816 new Type(TSK_DATETIME_CREATED),
820 getBundle().getString(
"TimelineEventType.BluetoothAdapter.txt"),
827 getBundle().getString(
"TimelineEventType.BluetoothPairingLastConnection.txt"),
836 getBundle().getString(
"CustomTypes.userCreated.name"),
859 return Optional.ofNullable(attr)
TimelineEventType EMAIL_RCVD
TimelineEventType BLUETOOTH_ADAPTER
TimelineEventType BACKUP_EVENT_START
TimelineEventType REGISTRY
default int compareTo(TimelineEventType otherType)
static String stringValueOf(BlackboardAttribute attr)
TimelineEventType PROGRAM_DELETED
TimelineEventType FILE_ACCESSED
TimelineEventType PROGRAM_NOTIFICATION
TimelineEventType CALENDAR_ENTRY_START
TimelineEventType WEB_FORM_ADDRESSES_MODIFIED
TimelineEventType SERVICE_ACCOUNT
TimelineEventType LOG_ENTRY
SortedSet<?extends TimelineEventType > getChildren()
TimelineEventType RECENT_DOCUMENTS
TimelineEventType WEB_COOKIE_END
TimelineEventType MESSAGE
default SortedSet<?extends TimelineEventType > getSiblings()
TimelineEventType GPS_ROUTE
static String toFrom(BlackboardAttribute dir)
TimelineEventType BLUETOOTH_PAIRING_ACCESSED
TimelineEventType BLUETOOTH_PAIRING
TimelineEventType USER_DEVICE_EVENT_END
TimelineEventType CALL_LOG_END
TimelineEventType WEB_HISTORY_CREATED
TimelineEventType.HierarchyLevel getTypeHierarchyLevel()
TimelineEventType WEB_COOKIE
TimelineEventType WEB_ACTIVITY
TimelineEventType USER_CREATED
TimelineEventType FILE_MODIFIED
TimelineEventType WEB_CACHE
Optional<?extends TimelineEventType > getChild(String displayName)
TimelineEventType USER_DEVICE_EVENT_START
String getDisplayString()
TimelineEventType CUSTOM_ARTIFACT_CATCH_ALL
TimelineEventType MISC_TYPES
TimelineEventType WEB_SEARCH
TimelineEventType WEB_BOOKMARK
TimelineEventType SCREEN_SHOT
TimelineEventType WEB_FORM_AUTOFILL_ACCESSED
default TimelineEventType getCategory()
int DEPRECATED_OTHER_EVENT_ID
TimelineEventType OS_INFO
TimelineEventType FILE_CREATED
TimelineEventType GPS_BOOKMARK
TimelineEventType INSTALLED_PROGRAM
TimelineEventType CALL_LOG
TimelineEventType WEB_HISTORY
TimelineEventType getParent()
TimelineEventType FILE_SYSTEM
TimelineEventType DEVICES_ATTACHED
TimelineEventType STANDARD_ARTIFACT_CATCH_ALL
TimelineEventType WEB_FORM_ADDRESSES
TimelineEventType WEB_DOWNLOADS
TimelineEventType ROOT_EVENT_TYPE
default boolean isDeprecated()
TimelineEventType GPS_TRACK
static SortedSet<?extends TimelineEventType > getWebActivityTypes()
static SortedSet<?extends TimelineEventType > getMiscTypes()
TimelineEventType WEB_FORM_AUTOFILL
TimelineEventType PROGRAM_EXECUTION
TimelineEventType GPS_LAST_KNOWN_LOCATION
TimelineEventType WEB_COOKIE_ACCESSED
static SortedSet<?extends TimelineEventType > getFileSystemTypes()
static SortedSet<?extends TimelineEventType > getCategoryTypes()
TimelineEventType CALENDAR_ENTRY_END
TimelineEventType GPS_SEARCH
TimelineEventType METADATA_CREATED
TimelineEventType GPS_TRACKPOINT
TimelineEventType METADATA_LAST_PRINTED
TimelineEventType FILE_CHANGED
TimelineEventType BACKUP_EVENT_END
TimelineEventType METADATA_LAST_SAVED
TimelineEventType WIFI_NETWORK