Sleuth Kit Java Bindings (JNI): org.sleuthkit.datamodel.SleuthkitCase Class Reference

Deprecated:: User TaggingManager.addArtifactTag instead.

Definition at line 12086 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TaggingManager.addArtifactTag(), and org.sleuthkit.datamodel.TaggingManager.BlackboardArtifactTagChange.getAddedTag().

BlackboardArtifact.Type org.sleuthkit.datamodel.SleuthkitCase.addBlackboardArtifactType	(	String	artifactTypeName,
		String	displayName
	)		throws TskCoreException, TskDataException

Add an artifact type with the given name. Will return an artifact Type.

This assumes that the artifact type being added has the category DATA_ARTIFACT.

Parameters

artifactTypeName	System (unique) name of artifact
displayName	Display (non-unique) name of artifact

Returns: Type of the artifact added

Exceptions

TskCoreException	exception thrown if a critical error occurs
TskDataException	exception thrown if given data is already in db within tsk core

Deprecated:: Use Blackboard.getOrAddArtifactType() instead.

Definition at line 4944 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addArtifactType().

void org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttribute	(	BlackboardAttribute	attr,
		int	artifactTypeId
	)		throws TskCoreException

Add a blackboard attribute.

Parameters

attr	A blackboard attribute.
artifactTypeId	The type of artifact associated with the attribute.

Exceptions

TskCoreException thrown if a critical error occurs.

Definition at line 4616 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.addAttribute().

void org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttributes	(	Collection< BlackboardAttribute >	attributes,
		int	artifactTypeId
	)		throws TskCoreException

Add a set blackboard attributes.

Parameters

attributes	A set of blackboard attribute.
artifactTypeId	The type of artifact associated with the attributes.

Exceptions

TskCoreException thrown if a critical error occurs.

Definition at line 4636 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.addAttributes().

LayoutFile org.sleuthkit.datamodel.SleuthkitCase.addCarvedFile	(	String	carvedFileName,
		long	carvedFileSize,
		long	containerId,
		List< TskFileRange >	data
	)		throws TskCoreException

Adds a carved file to the VirtualDirectory '$CarvedFiles' in the volume or image given by systemId. Creates $CarvedFiles virtual directory if it does not exist already.

Parameters

carvedFileName	the name of the carved file to add
carvedFileSize	the size of the carved file to add
containerId	the ID of the parent volume, file system, or image
data	the layout information - a list of offsets that make up this carved file.

Returns: A LayoutFile object representing the carved file.

Exceptions

Deprecated:: Use addCarvedFile(CarvingResult) instead

Definition at line 14709 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles(), and org.sleuthkit.datamodel.SleuthkitCase.getContentById().

final List<LayoutFile> org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles ( CarvingResult carvingResult ) throws TskCoreException

Adds a carving result to the case database.

Parameters

carvingResult The carving result (a set of carved files and their parent) to be added.

Returns: A list of LayoutFile representations of the carved files.

Exceptions

TskCoreException If there is a problem completing a case database operation.

Definition at line 7699 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addCarvedFile(), and org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles().

List<LayoutFile> org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles ( List< CarvedFileContainer > filesToAdd ) throws TskCoreException

Adds a collection of carved files to the VirtualDirectory '$CarvedFiles' in the volume or image given by systemId. Creates $CarvedFiles virtual directory if it does not exist already.

Parameters

filesToAdd A list of CarvedFileContainer files to add as carved files.

Returns: A list of the files added to the database.

Exceptions

Deprecated:: Use addCarvedFile(CarvingResult) instead

Definition at line 14739 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.Content.getId().

ContentTag org.sleuthkit.datamodel.SleuthkitCase.addContentTag	(	Content	content,
		TagName	tagName,
		String	comment,
		long	beginByteOffset,
		long	endByteOffset
	)		throws TskCoreException

Inserts a row into the content_tags table in the case database.

Parameters

content	The content to tag.
tagName	The name to use for the tag.
comment	A comment to store with the tag.
beginByteOffset	Designates the beginning of a tagged section.
endByteOffset	Designates the end of a tagged section.

Returns: A ContentTag data transfer object (DTO) for the new row.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Deprecated:: Use TaggingManager.addContentTag

Definition at line 11717 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TaggingManager.addContentTag(), and org.sleuthkit.datamodel.TaggingManager.ContentTagChange.getAddedTag().

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		Content	parentObj,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails,
		TskData.EncodingType	encodingType
	)		throws TskCoreException

Creates a new derived file object, adds it to database and returns it.

TODO add support for adding derived method

Parameters

fileName	file name the derived file
localPath	local path of the derived file, including the file name. The path is relative to the database path.
size	size of the derived file in bytes
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	whether a file or directory, true if a file
parentObj	parent content object
rederiveDetails	details needed to re-derive file (will be specific to the derivation method), currently unused
toolName	name of derivation method/tool, currently unused
toolVersion	version of derivation method/tool, currently unused
otherDetails	details of derivation method/tool, currently unused
encodingType	Type of encoding used on the file (or NONE if no encoding)

Returns: newly created derived file object

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Definition at line 7979 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile().

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		Content	parentObj,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails,
		TskData.EncodingType	encodingType,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Definition at line 7999 of file SleuthkitCase.java.

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parentFile,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails
	)		throws TskCoreException

Creates a new derived file object, adds it to database and returns it.

TODO add support for adding derived method

Parameters

fileName	file name the derived file
localPath	local path of the derived file, including the file name. The path is relative to the database path.
size	size of the derived file in bytes
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	whether a file or directory, true if a file
parentFile	parent file object (derived or local file)
rederiveDetails	details needed to re-derive file (will be specific to the derivation method), currently unused
toolName	name of derivation method/tool, currently unused
toolVersion	version of derivation method/tool, currently unused
otherDetails	details of derivation method/tool, currently unused

Returns: newly created derived file object

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Deprecated:: Use the newer version with explicit encoding type parameter

Definition at line 14787 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile(), and org.sleuthkit.datamodel.TskData.EncodingType.NONE.

void org.sleuthkit.datamodel.SleuthkitCase.addErrorObserver ( ErrorObserver observer )

Add an observer for SleuthkitCase errors.

Parameters

observer The observer to add.

Deprecated:: Catch exceptions instead.

Definition at line 14244 of file SleuthkitCase.java.

FileSystem org.sleuthkit.datamodel.SleuthkitCase.addFileSystem	(	long	parentObjId,
		long	imgOffset,
		TskData.TSK_FS_TYPE_ENUM	type,
		long	blockSize,
		long	blockCount,
		long	rootInum,
		long	firstInum,
		long	lastInum,
		String	displayName,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a FileSystem to the database.

Parameters

parentObjId	Object ID of the file system's parent
imgOffset	Offset in the image
type	Type of file system
blockSize	Block size
blockCount	Block count
rootInum	root inum
firstInum	first inum
lastInum	last inum
displayName	display name
transaction	Case DB transaction

Returns: the newly created FileSystem

Exceptions

Definition at line 7022 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.ObjectType.FS.

FsContent org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile	(	long	dataSourceObjId,
		long	fsObjId,
		String	fileName,
		long	metaAddr,
		int	metaSeq,
		TSK_FS_ATTR_TYPE_ENUM	attrType,
		int	attrId,
		TSK_FS_NAME_FLAG_ENUM	dirFlag,
		short	metaFlags,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		Content	parent
	)		throws TskCoreException

Add a file system file.

Parameters

dataSourceObjId	The object id of the root data source of this file.
fsObjId	The file system object id.
fileName	The name of the file.
metaAddr	The meta address of the file.
metaSeq	The meta address sequence of the file.
attrType	The attributed type of the file.
attrId	The attribute id
dirFlag	The allocated status from the name structure
metaFlags
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	True, unless the file is a directory.
parent	The parent of the file (e.g., a virtual directory)

Returns: Newly created file

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Definition at line 7083 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile().

FsContent org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile	(	long	dataSourceObjId,
		long	fsObjId,
		String	fileName,
		long	metaAddr,
		int	metaSeq,
		TSK_FS_ATTR_TYPE_ENUM	attrType,
		int	attrId,
		TSK_FS_NAME_FLAG_ENUM	dirFlag,
		short	metaFlags,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5Hash,
		String	sha256Hash,
		String	mimeType,
		boolean	isFile,
		Content	parent,
		String	ownerUid,
		OsAccount	osAccount,
		List< Attribute >	fileAttributes,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a file system file.

Parameters

dataSourceObjId	The object id of the root data source of this file.
fsObjId	The file system object id.
fileName	The name of the file.
metaAddr	The meta address of the file.
metaSeq	The meta address sequence of the file.
attrType	The attributed type of the file.
attrId	The attribute id.
dirFlag	The allocated status from the name structure
metaFlags	The allocated status of the file, usually as reported in the metadata structure of the file system.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5Hash	The MD5 hash of the file
sha256Hash	The SHA256 hash of the file
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
parent	The parent of the file (e.g., a virtual directory).
ownerUid	UID of the file owner as found in the file system, can be null.
osAccount	OS account of owner, may be null.
fileAttributes	A list of file attributes. May be empty.
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: Newly created file

Exceptions

Definition at line 7151 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile().

FsContent org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile	(	long	dataSourceObjId,
		long	fsObjId,
		String	fileName,
		long	metaAddr,
		int	metaSeq,
		TSK_FS_ATTR_TYPE_ENUM	attrType,
		int	attrId,
		TSK_FS_NAME_FLAG_ENUM	dirFlag,
		short	metaFlags,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5Hash,
		String	sha256Hash,
		String	sha1Hash,
		String	mimeType,
		boolean	isFile,
		Content	parent,
		String	ownerUid,
		OsAccount	osAccount,
		List< Attribute >	fileAttributes,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a file system file.

Parameters

dataSourceObjId	The object id of the root data source of this file.
fsObjId	The file system object id.
fileName	The name of the file.
metaAddr	The meta address of the file.
metaSeq	The meta address sequence of the file.
attrType	The attributed type of the file.
attrId	The attribute id.
dirFlag	The allocated status from the name structure
metaFlags	The allocated status of the file, usually as reported in the metadata structure of the file system.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5Hash	The MD5 hash of the file
sha256Hash	The SHA256 hash of the file
sha1Hash	SHA1 Hash of the file. May be null.
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
parent	The parent of the file (e.g., a virtual directory).
ownerUid	UID of the file owner as found in the file system, can be null.
osAccount	OS account of owner, may be null.
fileAttributes	A list of file attributes. May be empty.
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: Newly created file

Exceptions

Definition at line 7214 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile(), and org.sleuthkit.datamodel.TskData.CollectedStatus.UNKNOWN.

FsContent org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile	(	long	dataSourceObjId,
		long	fsObjId,
		String	fileName,
		long	metaAddr,
		int	metaSeq,
		TSK_FS_ATTR_TYPE_ENUM	attrType,
		int	attrId,
		TSK_FS_NAME_FLAG_ENUM	dirFlag,
		short	metaFlags,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5Hash,
		String	sha256Hash,
		String	sha1Hash,
		String	mimeType,
		boolean	isFile,
		Content	parent,
		String	ownerUid,
		OsAccount	osAccount,
		TskData.CollectedStatus	collected,
		List< Attribute >	fileAttributes,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a file system file.

Parameters

dataSourceObjId	The object id of the root data source of this file.
fsObjId	The file system object id.
fileName	The name of the file.
metaAddr	The meta address of the file.
metaSeq	The meta address sequence of the file.
attrType	The attributed type of the file.
attrId	The attribute id.
dirFlag	The allocated status from the name structure
metaFlags	The allocated status of the file, usually as reported in the metadata structure of the file system.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5Hash	The MD5 hash of the file
sha256Hash	The SHA256 hash of the file
sha1Hash	SHA1 Hash of the file. May be null.
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
parent	The parent of the file (e.g., a virtual directory).
ownerUid	UID of the file owner as found in the file system, can be null.
osAccount	OS account of owner, may be null.
collected	Collected status for file content, may be null
fileAttributes	A list of file attributes. May be empty.
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: Newly created file

Exceptions

Definition at line 7278 of file SleuthkitCase.java.

Image org.sleuthkit.datamodel.SleuthkitCase.addImage	(	TskData.TSK_IMG_TYPE_ENUM	type,
		long	sectorSize,
		long	size,
		String	displayName,
		List< String >	imagePaths,
		String	timezone,
		String	md5,
		String	sha1,
		String	sha256,
		String	deviceId,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add an image to the database.

Parameters

type	Type of image
sectorSize	Sector size
size	Image size
displayName	Display name for the image
imagePaths	Image path(s)
timezone	Time zone
md5	MD5 hash
sha1	SHA1 hash
sha256	SHA256 hash
deviceId	Device ID
transaction	Case DB transaction

Returns: the newly added Image

Exceptions

Definition at line 6780 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitJNI.addImageToDatabase().

Image org.sleuthkit.datamodel.SleuthkitCase.addImage	(	TskData.TSK_IMG_TYPE_ENUM	type,
		long	sectorSize,
		long	size,
		String	displayName,
		List< String >	imagePaths,
		String	timezone,
		String	md5,
		String	sha1,
		String	sha256,
		String	deviceId,
		Host	host,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add an image to the database.

Parameters

type	Type of image
sectorSize	Sector size
size	Image size
displayName	Display name for the image
imagePaths	Image path(s)
timezone	Time zone
md5	MD5 hash
sha1	SHA1 hash
sha256	SHA256 hash
deviceId	Device ID
host	Host
transaction	Case DB transaction

Returns: the newly added Image

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.IngestModuleInfo.getIngestModuleId(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Definition at line 6807 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getHostManager(), org.sleuthkit.datamodel.TskData.ObjectType.IMG, and org.sleuthkit.datamodel.HostManager.newHost().

Image org.sleuthkit.datamodel.SleuthkitCase.addImageInfo	(	long	deviceObjId,
		List< String >	imageFilePaths,
		String	timeZone
	)		throws TskCoreException

Adds an image to the case database.

Parameters

deviceObjId	The object id of the device associated with the image.
imageFilePaths	The image file paths.
timeZone	The time zone for the image.

Returns: An Image object.

Exceptions

TskCoreException if there is an error adding the image to case database.

Definition at line 9921 of file SleuthkitCase.java.

Image org.sleuthkit.datamodel.SleuthkitCase.addImageInfo	(	long	deviceObjId,
		List< String >	imageFilePaths,
		String	timeZone,
		Host	host
	)		throws TskCoreException

Adds an image to the case database.

Parameters

deviceObjId	The object id of the device associated with the image.
imageFilePaths	The image file paths.
timeZone	The time zone for the image.
host	The host for this image.

Returns: An Image object.

Exceptions

TskCoreException if there is an error adding the image to case database.

Definition at line 9939 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getImageById().

final IngestJobInfo org.sleuthkit.datamodel.SleuthkitCase.addIngestJob	(	Content	dataSource,
		String	hostName,
		List< IngestModuleInfo >	ingestModules,
		Date	jobStart,
		Date	jobEnd,
		IngestJobStatusType	status,
		String	settingsDir
	)		throws TskCoreException

Parameters

dataSource	The datasource the ingest job is being run on
hostName	The name of the host
ingestModules	The ingest modules being run during the ingest job. Should be in pipeline order.
jobStart	The time the job started
jobEnd	The time the job ended
status	The ingest job status
settingsDir	The directory of the job's settings

Returns: An information object representing the ingest job added to the database.

Exceptions

TskCoreException If adding the job to the database fails.

Definition at line 12805 of file SleuthkitCase.java.

final IngestModuleInfo org.sleuthkit.datamodel.SleuthkitCase.addIngestModule	(	String	displayName,
		String	factoryClassName,
		IngestModuleType	type,
		String	version
	)		throws TskCoreException

Adds the given ingest module to the database.

Parameters

displayName	The display name of the module
factoryClassName	The factory class name of the module.
type	The type of the module.
version	The version of the module.

Returns: An ingest module info object representing the module added to the db.

Exceptions

TskCoreException When the ingest module cannot be added.

Definition at line 12857 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.IngestModuleInfo.IngestModuleType.fromID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

LayoutFile org.sleuthkit.datamodel.SleuthkitCase.addLayoutFile	(	String	fileName,
		long	size,
		TSK_FS_NAME_FLAG_ENUM	dirFlag,
		TSK_FS_META_FLAG_ENUM	metaFlag,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		List< TskFileRange >	fileRanges,
		Content	parent
	)		throws TskCoreException

Add a new layout file to the database.

Parameters

fileName	The name of the file.
size	The size of the file in bytes.
dirFlag	The allocated status from the name structure
metaFlag	The allocated status from the metadata structure
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
fileRanges	The byte ranges that belong to this file (relative to start of image)
parent	The parent of the file

Returns: The new LayoutFile

Exceptions

Definition at line 8695 of file SleuthkitCase.java.

final List<LayoutFile> org.sleuthkit.datamodel.SleuthkitCase.addLayoutFiles	(	Content	parent,
		List< TskFileRange >	fileRanges
	)		throws TskCoreException

Adds one or more layout files for a parent Content object to the case database.

Parameters

parent	The parent Content.
fileRanges	File range objects for the file(s).

Returns: A list of LayoutFile objects.

Exceptions

TskCoreException If there is a problem completing a case database operation.

Definition at line 7431 of file SleuthkitCase.java.

LocalDirectory org.sleuthkit.datamodel.SleuthkitCase.addLocalDirectory	(	long	parentId,
		String	directoryName
	)		throws TskCoreException

Adds a local directory to the database and returns a LocalDirectory object representing it.

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the local directory to create

Returns: a LocalDirectory object representing the one added to the database.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Definition at line 6518 of file SleuthkitCase.java.

LocalDirectory org.sleuthkit.datamodel.SleuthkitCase.addLocalDirectory	(	long	parentId,
		String	directoryName,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local directory to the database and returns a LocalDirectory object representing it.

Make sure the connection in transaction is used for all database interactions called by this method

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the local directory to create
transaction	the transaction in the scope of which the operation is to be performed, managed by the caller

Returns: a LocalDirectory object representing the one added to the database.

Exceptions

Definition at line 6551 of file SleuthkitCase.java.

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		AbstractFile	parent
	)		throws TskCoreException

Wraps the version of addLocalFile that takes a Transaction in a transaction local to this method.

Parameters

fileName
localPath
size
ctime
crtime
atime
mtime
isFile
encodingType
parent

Returns

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Definition at line 8257 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		Content	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	True, unless the file is a directory.
encodingType	Type of encoding used on the file
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Definition at line 8303 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5,
		String	sha256,
		FileKnown	known,
		String	mimeType,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		Content	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5	The MD5 hash of the file
sha256	the SHA-256 hash of the file.
known	The known status of the file (can be null)
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
encodingType	Type of encoding used on the file
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Definition at line 8343 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5,
		String	sha256,
		FileKnown	known,
		String	mimeType,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		Long	osAccountId,
		String	ownerAccount,
		Content	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5	The MD5 hash of the file
sha256	the SHA-256 hash of the file.
known	The known status of the file (can be null)
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
encodingType	Type of encoding used on the file
osAccountId	OS account id (can be null)
ownerAccount	Owner account (can be null)
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Definition at line 8385 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5,
		String	sha256,
		String	sha1Hash,
		FileKnown	known,
		String	mimeType,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		Long	osAccountId,
		String	ownerAccount,
		Content	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5	The MD5 hash of the file
sha256	the SHA-256 hash of the file.
sha1Hash	SHA-1 Hash of the file, may be null.
known	The known status of the file (can be null)
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
encodingType	Type of encoding used on the file
osAccountId	OS account id (can be null)
ownerAccount	Owner account (can be null)
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Definition at line 8431 of file SleuthkitCase.java.

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5,
		FileKnown	known,
		String	mimeType,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		Content	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5	The MD5 hash of the file
known	The known status of the file (can be null)
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
encodingType	Type of encoding used on the file
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Deprecated:: Use the newer version with explicit sha256 parameter

Definition at line 14826 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	True, unless the file is a directory.
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Deprecated:: Use the newer version with explicit encoding type parameter

Definition at line 14862 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile(), and org.sleuthkit.datamodel.TskData.EncodingType.NONE.

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parent
	)		throws TskCoreException

Wraps the version of addLocalFile that takes a Transaction in a transaction local to this method.

Parameters

fileName
localPath
size
ctime
crtime
atime
mtime
isFile
parent

Returns

Exceptions

Deprecated:: Use the newer version with explicit encoding type parameter

Definition at line 14890 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile(), and org.sleuthkit.datamodel.TskData.EncodingType.NONE.

LocalFilesDataSource org.sleuthkit.datamodel.SleuthkitCase.addLocalFilesDataSource	(	String	deviceId,
		String	rootDirectoryName,
		String	timeZone,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical files and/or directories data source.

Parameters

deviceId	An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
rootDirectoryName	The name for the root virtual directory for the data source.
timeZone	The time zone used to process the data source, may be the empty string.
transaction	A transaction in the scope of which the operation is to be performed, managed by the caller.

Returns: The new local files data source.

Exceptions

TskCoreException if there is an error adding the data source.

Definition at line 6663 of file SleuthkitCase.java.

LocalFilesDataSource org.sleuthkit.datamodel.SleuthkitCase.addLocalFilesDataSource	(	String	deviceId,
		String	rootDirectoryName,
		String	timeZone,
		Host	host,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical files and/or directories data source.

Parameters

deviceId	An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
rootDirectoryName	The name for the root virtual directory for the data source.
timeZone	The time zone used to process the data source, may be the empty string.
host	The host for the data source (may be null)
transaction	A transaction in the scope of which the operation is to be performed, managed by the caller.

Returns: The new local files data source.

Exceptions

TskCoreException if there is an error adding the data source.

Definition at line 6687 of file SleuthkitCase.java.

TagName org.sleuthkit.datamodel.SleuthkitCase.addOrUpdateTagName	(	String	displayName,
		String	description,
		TagName.HTML_COLOR	color,
		TskData.FileKnown	knownStatus
	)		throws TskCoreException

Inserts row into the tags_names table, or updates the existing row if the displayName already exists in the tag_names table in the case database.

Parameters

displayName	The display name for the new tag name.
description	The description for the new tag name.
color	The HTML color to associate with the new tag name.
knownStatus	The TskData.FileKnown value to associate with the new tag name.

Returns: A TagName data transfer object (DTO) for the new row.

Exceptions

Deprecated:: This method has been replaced by TaggingManager.addOrUpdateTagName.

Definition at line 11698 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TaggingManager.addOrUpdateTagName(), and org.sleuthkit.datamodel.SleuthkitCase.getTaggingManager().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addTagName().

Pool org.sleuthkit.datamodel.SleuthkitCase.addPool	(	long	parentObjId,
		TskData.TSK_POOL_TYPE_ENUM	type,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a pool to the database.

Parameters

parentObjId	Object ID of the pool's parent
type	Type of pool
transaction	Case DB transaction

Returns: the newly created Pool

Exceptions

Definition at line 6983 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.ObjectType.POOL.

Report org.sleuthkit.datamodel.SleuthkitCase.addReport	(	String	localPath,
		String	sourceModuleName,
		String	reportName
	)		throws TskCoreException

Inserts a row into the reports table in the case database.

Parameters

localPath	The path of the report file, must be in the database directory (case directory in Autopsy) or one of its subdirectories.
sourceModuleName	The name of the module that created the report.
reportName	The report name.

Returns: A Report object for the new row.

Exceptions

Definition at line 12492 of file SleuthkitCase.java.

Report org.sleuthkit.datamodel.SleuthkitCase.addReport	(	String	localPath,
		String	sourceModuleName,
		String	reportName,
		Content	parent
	)		throws TskCoreException

Inserts a row into the reports table in the case database.

Parameters

localPath	The path of the report file, must be in the database directory (case directory in Autopsy) or one of its subdirectories.
sourceModuleName	The name of the module that created the report.
reportName	The report name.
parent	The Content from which the report was created, if available.

Returns: A Report object for the new row.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.TskData.ObjectType.REPORT.

Definition at line 12511 of file SleuthkitCase.java.

TagName org.sleuthkit.datamodel.SleuthkitCase.addTagName	(	String	displayName,
		String	description,
		TagName.HTML_COLOR	color
	)		throws TskCoreException

Inserts row into the tags_names table in the case database.

Parameters

displayName	The display name for the new tag name.
description	The description for the new tag name.
color	The HTML color to associate with the new tag name.

Returns: A TagName data transfer object (DTO) for the new row.

Exceptions

Deprecated:: TaggingManager.addOrUpdateTagName should be used instead with the default knowStatus of TskData.FileKnown.UNKNOWN

Definition at line 11677 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addOrUpdateTagName(), and org.sleuthkit.datamodel.TskData.FileKnown.UNKNOWN.

VirtualDirectory org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory	(	long	parentId,
		String	directoryName
	)		throws TskCoreException

Adds a virtual directory to the database and returns a VirtualDirectory object representing it.

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the virtual directory to create

Returns

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Definition at line 6310 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles().

VirtualDirectory org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory	(	long	parentId,
		String	directoryName,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a virtual directory to the database and returns a VirtualDirectory object representing it.

Make sure the connection in transaction is used for all database interactions called by this method

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the virtual directory to create
transaction	the transaction in the scope of which the operation is to be performed, managed by the caller

Returns: a VirtualDirectory object representing the one added to the database.

Exceptions

Definition at line 6387 of file SleuthkitCase.java.

Volume org.sleuthkit.datamodel.SleuthkitCase.addVolume	(	long	parentObjId,
		long	addr,
		long	start,
		long	length,
		String	desc,
		long	flags,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a volume to the database

Parameters

parentObjId	Object ID of the volume's parent
addr	Address of the volume
start	Start of the volume
length	Length of the volume
desc	Description of the volume
flags	Flags
transaction	Case DB transaction

Returns: the newly created Volume

Exceptions

Definition at line 6941 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.POSTGRESQL, and org.sleuthkit.datamodel.TskData.ObjectType.VOL.

VolumeSystem org.sleuthkit.datamodel.SleuthkitCase.addVolumeSystem	(	long	parentObjId,
		TskData.TSK_VS_TYPE_ENUM	type,
		long	imgOffset,
		long	blockSize,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a volume system to the database.

Parameters

parentObjId	Object ID of the volume system's parent
type	Type of volume system
imgOffset	Image offset
blockSize	Block size
transaction	Case DB transaction

Returns: the newly added VolumeSystem

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_FS_NAME_TYPE_ENUM.REG, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Definition at line 6901 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.ObjectType.VS.

boolean org.sleuthkit.datamodel.SleuthkitCase.allFilesMd5Hashed ( )

Query all the files to verify if they have an MD5 hash associated with them.

Returns: true if all files have an MD5 hash

Definition at line 11486 of file SleuthkitCase.java.

CaseDbTransaction org.sleuthkit.datamodel.SleuthkitCase.beginTransaction ( ) throws TskCoreException

Create a new transaction on the case database. The transaction object that is returned can be passed to methods that take a CaseDbTransaction. The caller is responsible for calling either commit() or rollback() on the transaction object.

Note that this beginning the transaction also acquires the single user case write lock, which will be automatically released when the transaction is closed.

Returns: A CaseDbTransaction object.

Exceptions

Definition at line 2914 of file SleuthkitCase.java.

synchronized void org.sleuthkit.datamodel.SleuthkitCase.close ( )

Call to free resources when done with instance.

Definition at line 10769 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), org.sleuthkit.datamodel.SleuthkitCase.finalize(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

void org.sleuthkit.datamodel.SleuthkitCase.closeRunQuery ( ResultSet resultSet ) throws SQLException

Closes ResultSet and its Statement previously retrieved from runQuery()

Parameters

resultSet with its Statement to close

Exceptions

SQLException of closing the query files failed

Deprecated:: Do not use runQuery() and closeRunQuery(), use executeQuery() instead. Query the Database

Definition at line 14684 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.copyCaseDB ( String newDBPath ) throws IOException

Make a duplicate / backup copy of the current case database. Makes a new copy only, and continues to use the current connection.

Parameters

newDBPath Path to the copy to be created. File will be overwritten if it exists.

Exceptions

IOException if copying fails.

Definition at line 1064 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

int org.sleuthkit.datamodel.SleuthkitCase.countFilesMd5Hashed ( )

Query all the files and counts how many have an MD5 hash.

Returns: the number of files with an MD5 hash

Definition at line 11519 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.countFilesWhere ( String sqlWhereClause ) throws TskCoreException

Count files matching the specific Where clause

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: count of files each of which satisfy the given WHERE clause

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), org.sleuthkit.datamodel.SleuthkitCase.getScoringManager(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Definition at line 9005 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

int org.sleuthkit.datamodel.SleuthkitCase.countFsContentType ( TskData.TSK_FS_META_TYPE_ENUM contentType ) throws TskCoreException

Return the number of objects in the database of a given file type.

Parameters

contentType Type of file to count

Returns: Number of objects with that type.

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 11405 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

void org.sleuthkit.datamodel.SleuthkitCase.deleteBlackboardArtifactTag ( BlackboardArtifactTag tag ) throws TskCoreException

Definition at line 12095 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.deleteContentTag ( ContentTag tag ) throws TskCoreException

Definition at line 11726 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), org.sleuthkit.datamodel.SleuthkitCase.getScoringManager(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

void org.sleuthkit.datamodel.SleuthkitCase.deleteReport ( Report report ) throws TskCoreException

Deletes a row from the reports table in the case database.

Parameters

report A Report data transfer object (DTO) for the row to delete.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.TskData.ObjectType.REPORT.

Definition at line 12705 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.disableTimelineEventCreation ( )

Disable the creation of timeline events for new files.

This setting is not saved to the case database.

Definition at line 3246 of file SleuthkitCase.java.

static String org.sleuthkit.datamodel.SleuthkitCase.escapeSingleQuotes ( String text )

static

Escape the single quotes in the given string so they can be added to the SQL caseDbConnection

Parameters

text

Returns: text the escaped version

Definition at line 11438 of file SleuthkitCase.java.

CaseDbQuery org.sleuthkit.datamodel.SleuthkitCase.executeInsertOrUpdate ( String query ) throws TskCoreException

This method allows developers to run arbitrary SQL queries, including INSERT and UPDATE. The CaseDbQuery object will take care of acquiring the necessary database lock and when used in a try-with-resources block will automatically take care of releasing the lock. If you do not use a try-with-resources block you must call CaseDbQuery.close() once you are done processing the files of the query.

Also note that if you use it within a transaction to insert something into the database, and then within that same transaction query the inserted item from the database, you will likely not see your inserted item, as the method uses new connections for each execution. With this method, you must close your transaction before successfully querying for newly-inserted items.

Parameters

query The query string to execute.

Returns: A CaseDbQuery instance.

Exceptions

Definition at line 10730 of file SleuthkitCase.java.

CaseDbQuery org.sleuthkit.datamodel.SleuthkitCase.executeQuery ( String query ) throws TskCoreException

This method allows developers to run arbitrary SQL "SELECT" queries. The CaseDbQuery object will take care of acquiring the necessary database lock and when used in a try-with-resources block will automatically take care of releasing the lock. If you do not use a try-with-resources block you must call CaseDbQuery.close() once you are done processing the files of the query.

Also note that if you use it within a transaction to insert something into the database, and then within that same transaction query the inserted item from the database, you will likely not see your inserted item, as the method uses new connections for each execution. With this method, you must close your transaction before successfully querying for newly-inserted items.

Parameters

query The query string to execute.

Returns: A CaseDbQuery instance.

Exceptions

Definition at line 10705 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.finalize ( ) throws Throwable

protected

Definition at line 10758 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.close().

List<Long> org.sleuthkit.datamodel.SleuthkitCase.findAllFileIdsWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of all (abstract) ids of files matching the specific Where clause

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of file ids each of which satisfy the given WHERE clause

Exceptions

Definition at line 9108 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findAllFilesInFolderWhere	(	long	parentId,
		String	sqlWhereClause
	)		throws TskCoreException

Find and return list of all (abstract) files matching the specific Where clause with the give parentId. You need to know the database schema to use this, which is outlined on the wiki. You should use enums from org.sleuthkit.datamodel.TskData to make the queries easier to maintain and understand.

Parameters

parentId	The parentId
sqlWhereClause	a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of AbstractFile each of which satisfy the given WHERE clause

Exceptions

Definition at line 9081 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findAllFilesWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of all (abstract) files matching the specific Where clause. You need to know the database schema to use this, which is outlined on the wiki. You should use enums from org.sleuthkit.datamodel.TskData to make the queries easier to maintain and understand.

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of AbstractFile each of which satisfy the given WHERE clause

Exceptions

Definition at line 9043 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName
	)		throws TskCoreException

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).

Returns: a list of AbstractFile for files/directories whose name matches the given fileName

Exceptions

TskCoreException thrown if check failed

Definition at line 6207 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.openFiles().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName,
		String	dirSubString
	)		throws TskCoreException

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).
dirSubString	Substring that must exist in parent path. Will be surrounded by % in LIKE query

Returns: a list of AbstractFile for files/directories whose name matches fileName and whose parent directory contains dirName.

Exceptions

Definition at line 6259 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName,
		AbstractFile	parentFile
	)		throws TskCoreException

Find all files in the data source, by name and parent

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).
parentFile	Object for parent file/directory to find children in

Returns: a list of AbstractFile for files/directories whose name matches fileName and that were inside a directory described by parentFile.

Exceptions

Deprecated:: Use findFilesInFolder()

Definition at line 14957 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.findFilesInFolder().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFilesByMd5 ( String md5Hash )

Find all the files with the given MD5 hash.

Parameters

md5Hash hash value to match files with

Returns: List of AbstractFile with the given hash

Definition at line 11453 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFilesInFolder	(	String	fileName,
		AbstractFile	parentFile
	)		throws TskCoreException

Find all files by name and parent

Parameters

fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).
parentFile	Object for parent file/directory to find children in

Returns: a list of AbstractFile for files/directories whose name matches fileName and that were inside a directory described by parentFile.

Exceptions

Definition at line 8955 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.findFiles().

List<FsContent> org.sleuthkit.datamodel.SleuthkitCase.findFilesWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of files matching the specific Where clause. Use findAllFilesWhere instead. It returns a more generic data type

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of FsContent each of which satisfy the given WHERE clause

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM.FS, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Deprecated:: use SleuthkitCase.findAllFilesWhere() instead

Definition at line 14397 of file SleuthkitCase.java.

AbstractFile org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById ( long id ) throws TskCoreException

Get abstract file object from tsk_files table by its id

Parameters

id	id of the file object in tsk_files table

Returns: AbstractFile object populated, or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core and file could not be queried

Definition at line 5979 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.addAttachments(), org.sleuthkit.datamodel.SleuthkitCase.addLocalDirectory(), org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.getRootObjects().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getAllBlackboardArtifactTags ( ) throws TskCoreException

Selects all of the rows from the blackboard_artifacts_tags table in the case database.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 12132 of file SleuthkitCase.java.

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getAllContentTags ( ) throws TskCoreException

Selects all of the rows from the content_tags table in the case database.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 11762 of file SleuthkitCase.java.

List<Report> org.sleuthkit.datamodel.SleuthkitCase.getAllReports ( ) throws TskCoreException

Selects all of the rows from the reports table in the case database.

Returns: A list, possibly empty, of Report data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Definition at line 12583 of file SleuthkitCase.java.

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getAllTagNames ( ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database.

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 11555 of file SleuthkitCase.java.

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.getArtifactByArtifactId ( long id ) throws TskCoreException

Get artifact from blackboard_artifacts table by its artifact_id

Parameters

id	Artifact ID of the artifact in blackboard_artifacts table

Returns: Artifact object populated, or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core and file could not be queried

Deprecated:: Use the type specific methods in Blackboard getAnalysisResultsById and getDataArtifactById

Definition at line 6085 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.Blackboard.getAnalysisResultById(), org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.Blackboard.getDataArtifactById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.getArtifactById ( long id ) throws TskCoreException

Get artifact from blackboard_artifacts table by its artifact_obj_id

Parameters

id	id of the artifact in blackboard_artifacts table (artifact_obj_id column)

Returns: Artifact object populated, or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core and file could not be queried

Definition at line 6033 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.Blackboard.getAnalysisResultById(), org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.Blackboard.getDataArtifactById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getContentById().

BlackboardArtifact.Type org.sleuthkit.datamodel.SleuthkitCase.getArtifactType ( String artTypeName ) throws TskCoreException

Get the artifact type associated with an artifact type name.

Parameters

artTypeName An artifact type name.

Returns: An artifact type or null if the artifact type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Deprecated:: Use Blackboard.getArtifactType instead

Definition at line 4923 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getArtifactType().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts(), and org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount().

int org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypeID ( String artifactTypeName ) throws TskCoreException

Get the artifact type id associated with an artifact type name.

Parameters

artifactTypeName An artifact type name.

Returns: An artifact id or -1 if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Deprecated:: Use getArtifactType instead

Definition at line 14437 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Iterable<BlackboardArtifact.Type> org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypes ( ) throws TskCoreException

Gets a list of all the artifact types for this case

Returns: a list of artifact types

Exceptions

TskCoreException when there is an error getting the types

Definition at line 4150 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.fromID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifact.Type> org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypesInUse ( ) throws TskCoreException

Gets the list of all unique artifact IDs in use.

Gets both static and dynamic IDs.

Returns: The list of unique IDs

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core

Definition at line 4227 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.fromID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

BlackboardAttribute.Type org.sleuthkit.datamodel.SleuthkitCase.getAttributeType ( String attrTypeName ) throws TskCoreException

Get the attribute type associated with an attribute type name.

Parameters

attrTypeName An attribute type name.

Returns: An attribute type or null if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Deprecated:: Use Blackboard.getAttributeType instead

Definition at line 4907 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getAttributeType().

List<BlackboardAttribute.Type> org.sleuthkit.datamodel.SleuthkitCase.getAttributeTypes ( ) throws TskCoreException

Gets a list of all the attribute types for this case

Returns: a list of attribute types

Exceptions

TskCoreException when there is an error getting the types

Definition at line 4267 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

String org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeDisplayName ( int attrTypeID ) throws TskCoreException

Get the display name for the attribute with the given id. Will throw an error if that id does not exist

Parameters

attrTypeID attribute id

Returns: string associated with the given id

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Deprecated:: Use getAttributeType instead

Definition at line 14604 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

int org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeID ( String attrTypeName ) throws TskCoreException

Gets the attribute type id associated with an attribute type name.

Parameters

attrTypeName An attribute type name.

Returns: An attribute id or -1 if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Deprecated:: Use SleuthkitCase.getAttributeType() instead.

Definition at line 14530 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

String org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeString ( int attrTypeID ) throws TskCoreException

Get the string associated with the given id. Will throw an error if that id does not exist

Parameters

attrTypeID attribute id

Returns: string associated with the given id

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Deprecated:: Use getAttributeType instead

Definition at line 14567 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

String org.sleuthkit.datamodel.SleuthkitCase.getBackupDatabasePath ( )

Returns the path of a backup copy of the database made when a schema version upgrade has occurred.

Returns: The path of the backup file or null if no backup was made.

Definition at line 2896 of file SleuthkitCase.java.

Blackboard org.sleuthkit.datamodel.SleuthkitCase.getBlackboard ( )

Gets the artifacts blackboard for this case.

Returns: The per case Blackboard object.

Definition at line 503 of file SleuthkitCase.java.

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact ( long artifactID ) throws TskCoreException

Get the blackboard artifact with the given artifact id (artifact_id in blackboard_artifacts)

Parameters

artifactID artifact ID (artifact_id column)

Returns: blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4594 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getAnalysisResultsWhere(), and org.sleuthkit.datamodel.Blackboard.getDataArtifactsWhere().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getAllBlackboardArtifactTags(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagByID(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName(), and org.sleuthkit.datamodel.BlackboardAttribute.getParentArtifact().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( int artifactTypeID ) throws TskCoreException

Get all blackboard artifacts of a given type. Does not included rejected artifacts.

Parameters

artifactTypeID artifact type id (must exist in database)

Returns: list of blackboard artifacts.

Exceptions

Referenced by org.sleuthkit.datamodel.CommunicationsManager.getAccountFileInstances(), org.sleuthkit.datamodel.Report.getArtifacts(), org.sleuthkit.datamodel.AbstractContent.getArtifacts(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts(), and org.sleuthkit.datamodel.AbstractContent.getGenInfoArtifact().

Deprecated:: Use Blackboard.getArtifacts with the desired type(s) and data source(s) as arguments instead.

Definition at line 3677 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getArtifactType().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and String value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Deprecated:: Do not use.

Definition at line 3810 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.ANALYSIS_RESULT, org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT, org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	subString,
		boolean	startsWith
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and String value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
subString	value substring of the string attribute of the attrType type to look for
startsWith	if true, the artifact attribute string should start with the substring, if false, it should just contain it

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Deprecated:: Do not use.

Definition at line 3870 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.ANALYSIS_RESULT, org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT, org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		int	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and integer value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Deprecated:: Do not use.

Definition at line 3931 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.ANALYSIS_RESULT, org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT, org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		long	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and long value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Deprecated:: Do not use.

Definition at line 3988 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.ANALYSIS_RESULT, org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT, org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		double	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and double value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Deprecated:: Do not use.

Definition at line 4045 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.ANALYSIS_RESULT, org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT, org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		byte	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and byte value. Does not include rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Deprecated:: Do not use.

Definition at line 4102 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.ANALYSIS_RESULT, org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT, org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	String	artifactTypeName,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given source (object id). Does not included rejected artifacts.

Parameters

artifactTypeName	artifact type name
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4378 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactType().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id. Does not included rejected artifacts.

Parameters

artifactTypeID	artifact type id (must exist in database)
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4396 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getArtifactType().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id. Does not included rejected artifacts.

Parameters

artifactType	artifact type enum
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4414 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( String artifactTypeName ) throws TskCoreException

Get all blackboard artifacts of a given type. Does not included rejected artifacts.

Parameters

artifactTypeName artifact type name

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4481 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactType().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( ARTIFACT_TYPE artifactType ) throws TskCoreException

Get all blackboard artifacts of a given type. Does not included rejected artifacts.

Parameters

artifactType artifact type enum

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4498 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getArtifactType().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	ARTIFACT_TYPE	artifactType,
		BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	value
	)		throws TskCoreException

Get all blackboard artifacts of a given type with an attribute of a given type and String value. Does not included rejected artifacts.

Parameters

artifactType	artifact type enum
attrType	attribute type enum
value	String value of attribute

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Deprecated:: Do not use.

Definition at line 4520 of file SleuthkitCase.java.

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount ( long objId ) throws TskCoreException

Get a count of blackboard artifacts for a given content. Does not include rejected artifacts.

Parameters

objId Id of the content.

Returns: The artifacts count for the content.

Exceptions

Definition at line 3693 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.Report.getAllArtifactsCount(), org.sleuthkit.datamodel.AbstractContent.getAllArtifactsCount(), org.sleuthkit.datamodel.Report.getArtifactsCount(), and org.sleuthkit.datamodel.AbstractContent.getArtifactsCount().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	String	artifactTypeName,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id. Does not include rejected artifacts.

Parameters

artifactTypeName	artifact type name
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4430 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactType().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id. Does not include rejected artifacts.

Parameters

artifactTypeID	artifact type id (must exist in database)
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4450 of file SleuthkitCase.java.

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id. Does not include rejected artifacts.

Parameters

artifactType	artifact type enum
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4466 of file SleuthkitCase.java.

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsTypeCount ( int artifactTypeID ) throws TskCoreException

Get a count of artifacts of a given type. Does not include rejected artifacts.

Parameters

artifactTypeID Id of the artifact type.

Returns: The artifacts count for the type.

Exceptions

Definition at line 3729 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsTypeCount	(	int	artifactTypeID,
		long	dataSourceID
	)		throws TskCoreException

Get a count of artifacts of a given type for the given data source. Does not include rejected artifacts.

Parameters

artifactTypeID	Id of the artifact type.
dataSourceID

Returns: The artifacts count for the type.

Exceptions

Definition at line 3766 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

BlackboardArtifactTag org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagByID ( long artifactTagID ) throws TskCoreException

Selects the row in the blackboard artifact tags table in the case database with a specified tag id.

Parameters

artifactTagID the tag id of the BlackboardArtifactTag to retrieve.

Returns: the BlackBoardArtifact Tag with the given tag id, or null if no such tag could be found

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 12367 of file SleuthkitCase.java.

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByArtifact ( BlackboardArtifact artifact ) throws TskCoreException

Selects the rows in the blackboard_artifacts_tags table in the case database with a specified foreign key into the blackboard_artifacts table.

Parameters

artifact A data transfer object (DTO) for the artifact to match.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 12419 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.TimelineManager.updateEventsForArtifactTagDeleted().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName ( TagName tagName ) throws TskCoreException

Selects the rows in the blackboard_artifacts_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.BlackboardArtifact.getObjectID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Definition at line 12264 of file SleuthkitCase.java.

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets artifact tags by tag name, for specified data source.

Parameters

tagName	The representation of the desired tag type in the case database, which can be obtained by calling getTagNames and/or addTagName.
dsObjId	data source object id

Returns: A list, possibly empty, of the artifact tags with the specified tag name, for the specified data source.

Exceptions

TskCoreException If there is an error getting the tags from the case database.

Definition at line 12314 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.BlackboardArtifact.getObjectID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsCountByTagName ( TagName tagName ) throws TskCoreException

Gets a count of the rows in the blackboard_artifact_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: The count, possibly zero.

Exceptions

Definition at line 12176 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsCountByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets an artifact tags count by tag name, for the given data source.

Parameters

tagName	The representation of the desired tag type in the case database, which can be obtained by calling getTagNames and/or addTagName.
dsObjId	data source object id

Returns: A count of the artifact tags with the specified tag name, for the given data source.

Exceptions

TskCoreException If there is an error getting the tags count from the case database.

Definition at line 12219 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

ArrayList<BlackboardArtifact.ARTIFACT_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypes ( ) throws TskCoreException

Gets a list of the standard blackboard artifact type enum objects.

Returns: The members of the BlackboardArtifact.ARTIFACT_TYPE enum.

Exceptions

TskCoreException Specified, but not thrown.

Deprecated:: For a list of standard blackboard artifacts type enum objects, use BlackboardArtifact.ARTIFACT_TYPE.values.

Definition at line 14471 of file SleuthkitCase.java.

ArrayList<BlackboardArtifact.ARTIFACT_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypesInUse ( ) throws TskCoreException

Get all of the standard blackboard artifact types that are in use in the blackboard.

Returns: List of standard blackboard artifact types

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.fromID(), org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getTypeID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Definition at line 4184 of file SleuthkitCase.java.

ArrayList<BlackboardAttribute> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributes ( final BlackboardArtifact artifact ) throws TskCoreException

Get the list of attributes for the given artifact.

Parameters

artifact The artifact to load attributes for.

Returns: The list of attributes.

Exceptions

Deprecated:: Use Blackboard.getBlackboardAttributes instead

Definition at line 4984 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getBlackboardAttributes().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.getAttributes().

ArrayList<BlackboardAttribute.ATTRIBUTE_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributeTypes ( ) throws TskCoreException

Gets a list of the standard blackboard attribute type enum objects.

Returns: The members of the BlackboardAttribute.ATTRIBUTE_TYPE enum.

Exceptions

TskCoreException Specified, but not thrown.

Deprecated:: For a list of standard blackboard attribute types enum objects, use BlackboardAttribute.ATTRIBUTE_TYP.values.

Definition at line 14638 of file SleuthkitCase.java.

int org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributeTypesCount ( ) throws TskCoreException

Get count of blackboard attribute types

Counts both static (in enum) and dynamic attributes types (created by modules at runtime)

Returns: count of attribute types

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 4303 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

synchronized CaseDbAccessManager org.sleuthkit.datamodel.SleuthkitCase.getCaseDbAccessManager ( ) throws TskCoreException

Definition at line 534 of file SleuthkitCase.java.

CommunicationsManager org.sleuthkit.datamodel.SleuthkitCase.getCommunicationsManager ( ) throws TskCoreException

Gets the communications manager for this case.

Returns: The per case CommunicationsManager object.

Exceptions

Definition at line 494 of file SleuthkitCase.java.

Content org.sleuthkit.datamodel.SleuthkitCase.getContentById ( long id ) throws TskCoreException

Get content object by content id

Parameters

id	to get content object for

Returns: instance of a Content object (one of its subclasses), or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core

Definition at line 5714 of file SleuthkitCase.java.

ContentTag org.sleuthkit.datamodel.SleuthkitCase.getContentTagByID ( long contentTagID ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified tag id.

Parameters

contentTagID the tag id of the ContentTag to retrieve.

Returns: The content tag.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 11893 of file SleuthkitCase.java.

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByContent ( Content content ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified foreign key into the tsk_objects table.

Parameters

content A data transfer object (DTO) for the content to match.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 12036 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.TimelineManager.updateEventsForContentTagDeleted().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByTagName ( TagName tagName ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Definition at line 11942 of file SleuthkitCase.java.

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets content tags by tag name, for the given data source.

Parameters

tagName	The tag name of interest.
dsObjId	data source object id

Returns: A list, possibly empty, of the content tags with the specified tag name, and for the given data source.

Exceptions

TskCoreException If there is an error getting the tags from the case database.

Definition at line 11989 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getContentTagsCountByTagName ( TagName tagName ) throws TskCoreException

Gets a count of the rows in the content_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: The count, possibly zero.

Exceptions

Definition at line 11804 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getContentTagsCountByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets content tags count by tag name, for the given data source

Parameters

tagName	The representation of the desired tag type in the case database, which can be obtained by calling getTagNames and/or addTagName.
dsObjId	data source object id

Returns: A count of the content tags with the specified tag name, and for the given data source

Exceptions

TskCoreException If there is an error getting the tags count from the case database.

Definition at line 11848 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Examiner org.sleuthkit.datamodel.SleuthkitCase.getCurrentExaminer ( ) throws TskCoreException

Returns the Examiner object for currently logged in user

Returns: A Examiner object.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM.ALLOC, org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.ALLOC, org.sleuthkit.datamodel.TskData.TSK_FS_NAME_TYPE_ENUM.DIR, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR, org.sleuthkit.datamodel.TskData.FileKnown.UNKNOWN, and org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.USED.

Definition at line 3257 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.TaggingManager.addArtifactTag(), and org.sleuthkit.datamodel.TaggingManager.addContentTag().

String org.sleuthkit.datamodel.SleuthkitCase.getDatabaseName ( )

Gets the case database name.

Returns: The case database name.

Definition at line 2923 of file SleuthkitCase.java.

DbType org.sleuthkit.datamodel.SleuthkitCase.getDatabaseType ( )

Returns the type of database in use.

Returns: database type

Definition at line 2886 of file SleuthkitCase.java.

DataSource org.sleuthkit.datamodel.SleuthkitCase.getDataSource ( long objectId ) throws TskDataException, TskCoreException

Gets a specific data source for the case. If it is an image, an Image will be instantiated. Otherwise, a LocalFilesDataSource will be instantiated.

NOTE: The DataSource class is an emerging feature and at present is only useful for obtaining the object id and the data source identifier, an ASCII-printable identifier for the data source that is intended to be unique across multiple cases (e.g., a UUID). In the future, this method will be a replacement for the getRootObjects method.

Parameters

objectId The object id of the data source.

Returns: The data source.

Exceptions

TskDataException	If there is no data source for the given object id.
TskCoreException	If there is a problem getting the data source.

Definition at line 3584 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.OsAccountInstance.getDataSource(), and org.sleuthkit.datamodel.HostManager.getDataSourcesForHost().

List<DataSource> org.sleuthkit.datamodel.SleuthkitCase.getDataSources ( ) throws TskCoreException

Gets the data sources for the case. For each data source, if it is an image, an Image will be instantiated. Otherwise, a LocalFilesDataSource will be instantiated.

NOTE: The DataSource interface is an emerging feature and at present is only useful for obtaining the object id and the device id, an ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID). In the future, this method will be a replacement for the getRootObjects method.

Returns: A list of the data sources for the case.

Exceptions

TskCoreException if there is a problem getting the data sources.

Definition at line 3479 of file SleuthkitCase.java.

String org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath ( )

Get the full path to the case directory. For a SQLite case database, this is the same as the database directory path.

Returns: Case directory path.

Definition at line 2933 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addReport(), org.sleuthkit.datamodel.SleuthkitCase.getAllReports(), and org.sleuthkit.datamodel.SleuthkitCase.getReportById().

CaseDbSchemaVersionNumber org.sleuthkit.datamodel.SleuthkitCase.getDBSchemaCreationVersion ( )

Gets the creation version of the database schema.

Returns: the creation version for the database schema, the creation version will be 0.0 for databases created prior to 8.2

Definition at line 2877 of file SleuthkitCase.java.

VersionNumber org.sleuthkit.datamodel.SleuthkitCase.getDBSchemaVersion ( )

Gets the database schema version in use.

Returns: the database schema version in use.

Definition at line 2867 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getSchemaVersion().

FileManager org.sleuthkit.datamodel.SleuthkitCase.getFileManager ( )

Gets the file manager for this case.

Returns: The per case FileManager object.

Definition at line 512 of file SleuthkitCase.java.

List<TskFileRange> org.sleuthkit.datamodel.SleuthkitCase.getFileRanges ( long id ) throws TskCoreException

Get file layout ranges from tsk_file_layout, for a file with specified id

Parameters

id	of the file to get file layout ranges for

Returns: list of populated file ranges

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 9174 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.AbstractFile.getRanges().

Collection<FileSystem> org.sleuthkit.datamodel.SleuthkitCase.getFileSystems ( Image image )

Helper to return FileSystems in an Image

Parameters

image Image to lookup FileSystem for

Returns: Collection of FileSystems in the image

Deprecated:: Use getImageFileSystems which throws an exception if an error occurs.

Definition at line 14930 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.AbstractContent.getId(), and org.sleuthkit.datamodel.SleuthkitCase.getImageFileSystems().

HostAddressManager org.sleuthkit.datamodel.SleuthkitCase.getHostAddressManager ( ) throws TskCoreException

Gets the HostAddress manager for this case.

Returns: The per case HostAddressManager object.

Exceptions

Definition at line 609 of file SleuthkitCase.java.

HostManager org.sleuthkit.datamodel.SleuthkitCase.getHostManager ( ) throws TskCoreException

Gets the Hosts manager for this case.

Returns: The per case HostManager object.

Exceptions

Definition at line 587 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addImage(), org.sleuthkit.datamodel.SleuthkitCase.addLocalFilesDataSource(), org.sleuthkit.datamodel.LocalFilesDataSource.getHost(), and org.sleuthkit.datamodel.Image.getHost().

Image org.sleuthkit.datamodel.SleuthkitCase.getImageById ( long id ) throws TskCoreException

Get am image by the image object id

Parameters

id	of the image object

Returns: Image object populated

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 9210 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addImageInfo(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.getImages(), and org.sleuthkit.datamodel.SleuthkitCase.getRootObjects().

Collection<FileSystem> org.sleuthkit.datamodel.SleuthkitCase.getImageFileSystems ( Image image ) throws TskCoreException

Helper to return FileSystems in an Image

Parameters

image Image to lookup FileSystem for

Returns: Collection of FileSystems in the image

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.TSK_FS_TYPE_ENUM.valueOf().

Definition at line 9611 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getFileSystems().

Map<Long, List<String> > org.sleuthkit.datamodel.SleuthkitCase.getImagePaths ( ) throws TskCoreException

Returns a map of image object IDs to a list of fully qualified file paths for that image

Returns: map of image object IDs to file paths

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 9953 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getDataSources().

List<Image> org.sleuthkit.datamodel.SleuthkitCase.getImages ( ) throws TskCoreException

Returns: a collection of Images associated with this instance of SleuthkitCase

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getImageById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Definition at line 10030 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

final List<IngestJobInfo> org.sleuthkit.datamodel.SleuthkitCase.getIngestJobs ( ) throws TskCoreException

Gets all of the ingest jobs that have been run.

Returns: The information about the ingest jobs that have been run

Exceptions

TskCoreException If there is a problem getting the ingest jobs

Definition at line 12916 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.IngestJobInfo.IngestJobStatusType.fromID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getLastObjectId ( ) throws TskCoreException

Get last (max) object id of content object in tsk_objects.

Returns: currently max id

Exceptions

TskCoreException exception thrown when database error occurs and last object id could not be queried

Deprecated:: Do not use, assumes a single-threaded, single-user case.

Definition at line 14359 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getMatchingArtifacts ( String whereClause ) throws TskCoreException

Get all artifacts that match a where clause. The clause should begin with "WHERE" or "JOIN". To use this method you must know the database tables

Parameters

whereClause a sqlite where clause

Returns: a list of matching artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core Query the Database

Definition at line 5056 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.Category.ANALYSIS_RESULT, org.sleuthkit.datamodel.BlackboardArtifact.Category.DATA_ARTIFACT, org.sleuthkit.datamodel.Blackboard.getArtifactType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.Report.getAllArtifacts(), and org.sleuthkit.datamodel.AbstractContent.getAllArtifacts().

ArrayList<BlackboardAttribute> org.sleuthkit.datamodel.SleuthkitCase.getMatchingAttributes ( String whereClause ) throws TskCoreException

Get all attributes that match a where clause. The clause should begin with "WHERE" or "JOIN". To use this method you must know the database tables

Parameters

whereClause a sqlite where clause

Returns: a list of matching attributes

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core Query the Database

Definition at line 5001 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.Blackboard.getAttributeType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

OsAccountManager org.sleuthkit.datamodel.SleuthkitCase.getOsAccountManager ( ) throws TskCoreException

Gets the OS account manager for this case.

Returns: The per case OsAccountManager object.

Exceptions

Referenced by org.sleuthkit.datamodel.OsAccount.getExtendedOsAccountAttributes(), org.sleuthkit.datamodel.OsAccountInstance.getOsAccount(), org.sleuthkit.datamodel.OsAccount.getOsAccountInstances(), and org.sleuthkit.datamodel.Blackboard.newDataArtifact().

Definition at line 576 of file SleuthkitCase.java.

OsAccountRealmManager org.sleuthkit.datamodel.SleuthkitCase.getOsAccountRealmManager ( ) throws TskCoreException

Gets the OS account realm manager for this case.

Returns: The per case OsAccountRealmManager object.

Exceptions

Definition at line 565 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.OsAccountManager.getWindowsOsAccount(), org.sleuthkit.datamodel.HostManager.mergeHosts(), and org.sleuthkit.datamodel.OsAccountManager.newWindowsOsAccount().

PersonManager org.sleuthkit.datamodel.SleuthkitCase.getPersonManager ( ) throws TskCoreException

Gets the Person manager for this case.

Returns: The per case PersonManager object.

Exceptions

Definition at line 598 of file SleuthkitCase.java.

Report org.sleuthkit.datamodel.SleuthkitCase.getReportById ( long id ) throws TskCoreException

Get a Report object for the given id.

Parameters

id

Returns: A new Report object for the given id.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Definition at line 12647 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getContentById().

List<Content> org.sleuthkit.datamodel.SleuthkitCase.getRootObjects ( ) throws TskCoreException

Get the list of root objects (data sources) from the case database, e.g., image files, logical (local) files, virtual directories.

Returns: List of content objects representing root objects.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById(), org.sleuthkit.datamodel.SleuthkitCase.getImageById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.ObjectType.valueOf().

Definition at line 3357 of file SleuthkitCase.java.

int org.sleuthkit.datamodel.SleuthkitCase.getSchemaVersion ( )

Returns case database schema version number. As of TSK 4.5.0 db schema versions are two part Major.minor. This method only returns the major part. Use getDBSchemaVersion() for the complete version.

Returns: The schema version number as an integer.

Deprecated:: since 4.5.0 Use getDBSchemaVersion() instead for more complete version info.

Definition at line 2858 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getDBSchemaVersion(), and org.sleuthkit.datamodel.VersionNumber.getMajor().

ScoringManager org.sleuthkit.datamodel.SleuthkitCase.getScoringManager ( ) throws TskCoreException

Gets the scoring manager for this case.

Returns: The per case ScoringManager object.

Exceptions

Referenced by org.sleuthkit.datamodel.TaggingManager.addArtifactTag(), org.sleuthkit.datamodel.TaggingManager.addContentTag(), org.sleuthkit.datamodel.SleuthkitCase.deleteBlackboardArtifactTag(), org.sleuthkit.datamodel.SleuthkitCase.deleteContentTag(), org.sleuthkit.datamodel.Report.getAggregateScore(), org.sleuthkit.datamodel.AbstractContent.getAggregateScore(), org.sleuthkit.datamodel.BlackboardArtifact.getAggregateScore(), and org.sleuthkit.datamodel.Blackboard.newAnalysisResult().

Definition at line 554 of file SleuthkitCase.java.

synchronized TaggingManager org.sleuthkit.datamodel.SleuthkitCase.getTaggingManager ( )

Get the case database TaggingManager object.

Returns: The per case TaggingManager object.

Definition at line 543 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addOrUpdateTagName().

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getTagNamesInUse ( ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database for which there is at least one matching row in the content_tags or blackboard_artifact_tags tables.

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 11591 of file SleuthkitCase.java.

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getTagNamesInUse ( long dsObjId ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database for which there is at least one matching row in the content_tags or blackboard_artifact_tags tables, for the given data source object id.

Parameters

dsObjId data source object id

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Definition at line 11629 of file SleuthkitCase.java.

TimelineManager org.sleuthkit.datamodel.SleuthkitCase.getTimelineManager ( ) throws TskCoreException

Gets the communications manager for this case.

Returns: The per case TimelineManager object.

Exceptions

Definition at line 523 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile(), org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile(), org.sleuthkit.datamodel.SleuthkitCase.addLocalFile(), and org.sleuthkit.datamodel.Blackboard.postArtifacts().

List<VirtualDirectory> org.sleuthkit.datamodel.SleuthkitCase.getVirtualDirectoryRoots ( ) throws TskCoreException

Get IDs of the virtual folder roots (at the same level as image), used for containers such as for local files.

Returns: IDs of virtual directory root objects.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.

Definition at line 7392 of file SleuthkitCase.java.

boolean org.sleuthkit.datamodel.SleuthkitCase.isFileFromSource	(	Content	dataSource,
		long	fileId
	)		throws TskCoreException

Checks if the file is a (sub)child of the data source (parentless Content object such as Image or VirtualDirectory representing filesets)

Parameters

dataSource	dataSource to check
fileId	id of file to check

Returns: true if the file is in the dataSource hierarchy

Exceptions

TskCoreException thrown if check failed

Definition at line 6157 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

AddImageProcess org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess	(	String	timeZone,
		boolean	addUnallocSpace,
		boolean	noFatFsOrphans,
		String	imageCopyPath
	)

Starts the multi-step process of adding an image data source to the case by creating an object that can be used to control the process and get progress messages from it.

Parameters

timeZone	The time zone of the image.
addUnallocSpace	Set to true to create virtual files for unallocated space in the image.
noFatFsOrphans	Set to true to skip processing orphan files of FAT file systems.
imageCopyPath	Path to which a copy of the image should be written. Use the empty string to disable image writing.

Returns: An object that encapsulates control of adding an image via the SleuthKit native code layer.

Definition at line 3345 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

AddImageProcess org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess	(	String	timezone,
		boolean	addUnallocSpace,
		boolean	noFatFsOrphans
	)

Start process of adding a image to the case. Adding an image is a multi-step process and this returns an object that allows it to happen.

Parameters

timezone	TZ time zone string to use for ingest of image.
addUnallocSpace	Set to true to create virtual files for unallocated space in the image.
noFatFsOrphans	Set to true to skip processing orphan files of FAT file systems.

Returns: Object that encapsulates control of adding an image via the SleuthKit native code layer

Deprecated:: Use the newer version with explicit image writer path parameter

Definition at line 14915 of file SleuthkitCase.java.

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Add a new blackboard artifact with the given type. If that artifact type does not exist an error will be thrown. The artifact type name can be looked up in the returned blackboard artifact.

Parameters

artifactTypeID	the type the given artifact should have
obj_id	the content object id associated with this artifact

Returns: a new blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Deprecated:: Please use newDataArtifact or newAnalysisResult.

Definition at line 5107 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.Blackboard.getArtifactType(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.BlackboardArtifact.Category.getName(), org.sleuthkit.datamodel.Content.newAnalysisResult(), org.sleuthkit.datamodel.Content.newDataArtifact(), and org.sleuthkit.datamodel.Score.SCORE_UNKNOWN.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Add a new blackboard artifact with the given type.

Parameters

artifactType	the type the given artifact should have
obj_id	the content object id associated with this artifact

Returns: a new blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Deprecated:: Please use newDataArtifact or newAnalysisResult.

Definition at line 5150 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.newCase ( String dbPath ) throws TskCoreException

static

Creates a new SQLite case database.

Parameters

dbPath Path to where SQlite case database should be created.

Returns: A case database object.

Exceptions

Definition at line 3082 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.newCase(), and org.sleuthkit.datamodel.Examples.Sample.run().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.newCase	(	String	dbPath,
		ContentStreamProvider	contentProvider
	)		throws TskCoreException

static

Creates a new SQLite case database.

Parameters

dbPath	Path to where SQlite case database should be created.
contentProvider	Custom provider for file bytes (can be null).

Returns: A case database object.

Exceptions

Definition at line 3097 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.newCase	(	String	caseName,
		CaseDbConnectionInfo	info,
		String	caseDirPath
	)		throws TskCoreException

static

Creates a new PostgreSQL case database.

Parameters

caseName	The name of the case. It will be used to create a case database name that can be safely used in SQL commands and will not be subject to name collisions on the case database server. Use getDatabaseName to get the created name.
info	The information to connect to the database.
caseDirPath	The case directory path.

Returns: A case database object.

Exceptions

Definition at line 3124 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.newCase().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.newCase	(	String	caseName,
		CaseDbConnectionInfo	info,
		String	caseDirPath,
		ContentStreamProvider	contentProvider
	)		throws TskCoreException

static

Creates a new PostgreSQL case database.

Parameters

caseName	The name of the case. It will be used to create a case database name that can be safely used in SQL commands and will not be subject to name collisions on the case database server. Use getDatabaseName to get the created name.
info	The information to connect to the database.
caseDirPath	The case directory path.
contentProvider	Custom provider for file bytes (can be null).

Returns: A case database object.

Exceptions

The flow of this method involves trying to create a new case and if successful, return that case. If unsuccessful, an exception is thrown. We catch any exceptions, and use tryConnect() to attempt to obtain further information about the error. If tryConnect() is unable to successfully connect, tryConnect() will throw a TskCoreException with a message containing user-level error reporting. If tryConnect() is able to connect, flow continues and we rethrow the original exception obtained from trying to create the case. In this way, we obtain more detailed information if we are able, but do not lose any information if unable.

Definition at line 3146 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.tryConnect().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.openCase ( String dbPath ) throws TskCoreException

static

Open an existing case database.

Parameters

dbPath Path to SQLite case database.

Returns: Case database object.

Exceptions

Definition at line 2990 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.openCase().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.openCase	(	String	dbPath,
		ContentStreamProvider	provider
	)		throws TskCoreException

static

Open an existing case database.

Parameters

dbPath	Path to SQLite case database.
contentProvider	Custom provider for file content bytes (can be null).

Returns: Case database object.

Exceptions

Definition at line 3005 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.openCase	(	String	databaseName,
		CaseDbConnectionInfo	info,
		String	caseDir
	)		throws TskCoreException

static

Open an existing multi-user case database.

Parameters

databaseName	The name of the database.
info	Connection information for the the database.
caseDir	The folder where the case metadata fils is stored.

Returns: A case database object.

Exceptions

TskCoreException If there is a problem opening the database.

Definition at line 3028 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.openCase().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.openCase	(	String	databaseName,
		CaseDbConnectionInfo	info,
		String	caseDir,
		ContentStreamProvider	contentProvider
	)		throws TskCoreException

static

Open an existing multi-user case database.

Parameters

databaseName	The name of the database.
info	Connection information for the the database.
caseDir	The folder where the case metadata fils is stored.
contentProvider	Custom provider for file content bytes (can be null).

Returns: A case database object.

Exceptions

TskCoreException If there is a problem opening the database.

Definition at line 3045 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.tryConnect().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.openFiles	(	Content	dataSource,
		String	filePath
	)		throws TskCoreException

Parameters

dataSource	the data source (Image, VirtualDirectory for file-sets, etc) to search for the given file name
filePath	The full path to the file(s) of interest. This can optionally include the image and volume names. Treated in a case- insensitive manner.

Returns: a list of AbstractFile that have the given file path.

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.ALLOC, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock(), org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.toInt(), org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC, org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.UNALLOC, and org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.valuesOf().

Definition at line 9143 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.findFiles().

void org.sleuthkit.datamodel.SleuthkitCase.registerForEvents ( Object listener )

Definition at line 240 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock ( )

Releases a write lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Deprecated:: Use releaseSingleUserCaseWriteLock.

Definition at line 14981 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock ( )

Releases a read lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Deprecated:: Use releaseSingleUserCaseReadLock.

Definition at line 15005 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

void org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock ( )

Releases a read lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Definition at line 2975 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

void org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock ( )

Releases a write lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Definition at line 2953 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

void org.sleuthkit.datamodel.SleuthkitCase.removeErrorObserver ( ErrorObserver observer )

Remove an observer for SleuthkitCase errors.

Parameters

observer The observer to remove.

Deprecated:: Catch exceptions instead.

Definition at line 14256 of file SleuthkitCase.java.

ResultSet org.sleuthkit.datamodel.SleuthkitCase.runQuery ( String query ) throws SQLException

Process a read-only query on the tsk database, any table Can be used to e.g. to find files of a given criteria. resultSetToFsContents() will convert the files to useful objects. MUST CALL closeRunQuery() when done

Parameters

query the given string query to run

Returns: the resultSet from running the query. Caller MUST CALL closeRunQuery(resultSet) as soon as possible, when done with retrieving data from the resultSet

Exceptions

SQLException if error occurred during the query

Deprecated:: Do not use runQuery(), use executeQuery() instead. Query the Database

Definition at line 14658 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

void org.sleuthkit.datamodel.SleuthkitCase.setFileMIMEType	(	AbstractFile	file,
		String	mimeType
	)		throws TskCoreException

Stores the MIME type of a file in the case database and updates the MIME type of the given file object.

Parameters

file	A file.
mimeType	The MIME type.

Exceptions

TskCoreException If there is an error updating the case database.

Definition at line 10912 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.setFileUnalloc ( AbstractFile file ) throws TskCoreException

Sets the unalloc meta flags for the file in the case database, and updates the meta flags in given file object. Also updates the dir flag to unalloc.

Parameters

file A file.

Exceptions

TskCoreException If there is an error updating the case database.

Definition at line 10935 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.setImagePaths	(	long	obj_id,
		List< String >	paths
	)		throws TskCoreException

Set the file paths for the image given by obj_id

Parameters

obj_id	the ID of the image to update
paths	the fully qualified path to the files that make up the image

Exceptions

TskCoreException exception thrown when critical error occurs within tsk core and the update fails

Definition at line 10068 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

void org.sleuthkit.datamodel.SleuthkitCase.setImagePaths	(	long	objId,
		List< String >	paths,
		CaseDbTransaction	trans
	)		throws TskCoreException

Set the file paths for the image given by obj_id

Parameters

obj_id	the ID of the image to update
paths	the fully qualified path to the files that make up the image
trans	The case database transaction.

Exceptions

TskCoreException exception thrown when critical error occurs within tsk core and the update fails

Definition at line 10093 of file SleuthkitCase.java.

boolean org.sleuthkit.datamodel.SleuthkitCase.setKnown	(	AbstractFile	file,
		FileKnown	fileKnown
	)		throws TskCoreException

Store the known status for the FsContent in the database Note: will not update status if content is already 'Known Bad'

Parameters

file	The AbstractFile object
fileKnown	The object's known status

Returns: true if the known status was updated, false otherwise

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 10804 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.setReviewStatus	(	BlackboardArtifact	artifact,
		BlackboardArtifact.ReviewStatus	newStatus
	)		throws TskCoreException

Set the review status of the given artifact to newStatus

Parameters

artifact	The artifact whose review status is being set.
newStatus	The new review status for the given artifact. Must not be null.

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 11378 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.BlackboardArtifact.getArtifactID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.setReviewStatus().

void org.sleuthkit.datamodel.SleuthkitCase.submitError	(	String	context,
		String	errorMessage
	)

Submit an error to all clients that are listening.

Parameters

context	The context in which the error occurred.
errorMessage	A description of the error that occurred.

Deprecated:: Catch exceptions instead.

Definition at line 14272 of file SleuthkitCase.java.

static void org.sleuthkit.datamodel.SleuthkitCase.tryConnect ( CaseDbConnectionInfo info ) throws TskCoreException

static

Attempts to connect to the database with the passed in settings, throws if the settings are not sufficient to connect to the database type indicated. Only attempts to connect to remote databases.

When issues occur, it attempts to diagnose them by looking at the exception messages, returning the appropriate user-facing text for the exception received. This method expects the Exceptions messages to be in English and compares against English text.

Parameters

info	The connection information

Exceptions

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), org.sleuthkit.datamodel.AbstractContent.getParent(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Definition at line 278 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.newCase(), and org.sleuthkit.datamodel.SleuthkitCase.openCase().

void org.sleuthkit.datamodel.SleuthkitCase.unregisterForEvents ( Object listener )

Definition at line 244 of file SleuthkitCase.java.

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.updateDerivedFile	(	DerivedFile	derivedFile,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		String	mimeType,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails,
		TskData.EncodingType	encodingType
	)		throws TskCoreException

Updates an existing derived file in the database and returns a new derived file object with the updated contents

Parameters

derivedFile	The derived file you wish to update
localPath	local path of the derived file, including the file name. The path is relative to the database path.
size	size of the derived file in bytes
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	whether a file or directory, true if a file
mimeType	The MIME type the updated file should have, null to unset it
rederiveDetails	details needed to re-derive file (will be specific to the derivation method), currently unused
toolName	name of derivation method/tool, currently unused
toolVersion	version of derivation method/tool, currently unused
otherDetails	details of derivation method/tool, currently unused
encodingType	Type of encoding used on the file (or NONE if no encoding)

Returns: newly created derived file object which contains the updated data

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Definition at line 8141 of file SleuthkitCase.java.

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.updateDerivedFile	(	DerivedFile	derivedFile,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		String	mimeType,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails,
		TskData.EncodingType	encodingType,
		Content	parentObj,
		CaseDbTransaction	trans
	)		throws TskCoreException

Definition at line 8167 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.updateImagePath	(	String	newPath,
		long	objectId
	)		throws TskCoreException

Change the path for an image in the database.

Parameters

newPath	New path to the image
objectId	Data source ID of the image

Exceptions