Sleuth Kit Java Bindings (JNI)  4.12.1
Java bindings for using The Sleuth Kit
org.sleuthkit.datamodel.TimelineManager Class Reference

Classes

class  TimelineEventAddedEvent
 

Public Member Functions

TimelineEvent addTimelineEvent (TimelineEventType eventType, String shortDesc, String medDesc, String longDesc, long dataSourceId, long contentId, Long artifactId, long time, boolean hashHit, boolean tagged, CaseDbTransaction trans) throws TskCoreException
 
Map< TimelineEventType, Long > countEventsByType (Long startTime, Long endTime, TimelineFilter.RootFilter filter, TimelineEventType.HierarchyLevel typeHierachyLevel) throws TskCoreException
 
TimelineEvent getEventById (long eventID) throws TskCoreException
 
List< Long > getEventIDs (Interval timeRange, TimelineFilter.RootFilter filter) throws TskCoreException
 
List< Long > getEventIDsForArtifact (BlackboardArtifact artifact) throws TskCoreException
 
Set< Long > getEventIDsForContent (Content content, boolean includeDerivedArtifacts) throws TskCoreException
 
List< TimelineEvent > getEvents (Interval timeRange, TimelineFilter.RootFilter filter) throws TskCoreException
 
Optional< TimelineEventType > getEventType (long eventTypeID)
 
ImmutableList< TimelineEventType > getEventTypes ()
 
Long getMaxEventTime () throws TskCoreException
 
Long getMinEventTime () throws TskCoreException
 
Interval getSpanningInterval (Collection< Long > eventIDs) throws TskCoreException
 
Interval getSpanningInterval (Interval timeRange, TimelineFilter.RootFilter filter, DateTimeZone timeZone) throws TskCoreException
 
Set< Long > updateEventsForArtifactTagAdded (BlackboardArtifact artifact) throws TskCoreException
 
Set< Long > updateEventsForArtifactTagDeleted (BlackboardArtifact artifact) throws TskCoreException
 
Set< Long > updateEventsForContentTagAdded (Content content) throws TskCoreException
 
Set< Long > updateEventsForContentTagDeleted (Content content) throws TskCoreException
 
Set< Long > updateEventsForHashSetHit (Content content) throws TskCoreException
 

Detailed Description

Provides access to the timeline data in a case database.

Definition at line 58 of file TimelineManager.java.

Member Function Documentation

TimelineEvent org.sleuthkit.datamodel.TimelineManager.addTimelineEvent ( TimelineEventType  eventType,
String  shortDesc,
String  medDesc,
String  longDesc,
long  dataSourceId,
long  contentId,
Long  artifactId,
long  time,
boolean  hashHit,
boolean  tagged,
CaseDbTransaction  trans 
) throws TskCoreException

Adds a timeline event to the database in a transaction.

Parameters
eventType  The event type.
shortDesc  The short description.
medDesc  The medium description.
longDesc  The long description.
dataSourceId  The data source id of the event.
contentId  The content id of the event.
artifactId  The artifact id of the event (can be null).
time  Unix epoch offset time of the event in seconds.
hashHit  True if a hash hit.
tagged  True if tagged.
trans  The transaction.
Returns
The added event.
Exceptions
TskCoreException

Definition at line 814 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Map<TimelineEventType, Long> org.sleuthkit.datamodel.TimelineManager.countEventsByType ( Long  startTime,
Long  endTime,
TimelineFilter.RootFilter  filter,
TimelineEventType.HierarchyLevel  typeHierachyLevel 
) throws TskCoreException

Counts the timeline events that satisfy the given conditions.

Parameters
startTime  Events that occurred before this time are not counted (units: seconds from UNIX epoch)
endTime  Events that occurred at or after this time are not counted (seconds from UNIX epoch)
filter  Events that fall within the specified time range are only counted if they pass this filter.
typeHierachyLevel  Events that fall within the specified time range and pass the specified filter are only counted if their types are at the specified level of the event type hierarchy.
Returns
The event counts for each event type at the specified level in the event types hierarchy.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 1173 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineEventType.HierarchyLevel.EVENT, org.sleuthkit.datamodel.TimelineManager.getEventType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

TimelineEvent org.sleuthkit.datamodel.TimelineManager.getEventById ( long  eventID) throws TskCoreException

Gets the timeline event with a given event ID.

Parameters
eventID  An event ID.
Returns
The timeline event, may be null.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 229 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineManager.getEventType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<Long> org.sleuthkit.datamodel.TimelineManager.getEventIDs ( Interval  timeRange,
TimelineFilter.RootFilter  filter 
) throws TskCoreException

Gets the event IDs of the timeline events within a given time range that pass a given timeline events filter.

Parameters
timeRange  The time range that the events must be within.
filter  The timeline events filter that the events must pass.
Returns
A list of event IDs ordered by event time.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 269 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<Long> org.sleuthkit.datamodel.TimelineManager.getEventIDsForArtifact ( BlackboardArtifact  artifact) throws TskCoreException

Gets a list of event IDs for the timeline events that have a given artifact as the event source.

Parameters
artifact  An artifact.
Returns
The list of event IDs.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 413 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.getEventIDsForContent ( Content  content,
boolean  includeDerivedArtifacts 
) throws TskCoreException

Gets a list of event IDs for the timeline events that have a given content as the event source.

Parameters
content  The content.
includeDerivedArtifacts  If true, also get event IDs for events where the event source is an artifact that has the given content as its source.
Returns
The list of event IDs.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 448 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

List<TimelineEvent> org.sleuthkit.datamodel.TimelineManager.getEvents ( Interval  timeRange,
TimelineFilter.RootFilter  filter 
) throws TskCoreException

Gets the timeline events that fall within a given time interval and satisfy a given event filter.

Parameters
timeRange  The time level.
filter  The event filter.
Returns
The list of events that fall within the specified interval and pass the specified filter.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 1294 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineManager.getEventType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Optional<TimelineEventType> org.sleuthkit.datamodel.TimelineManager.getEventType ( long  eventTypeID)

Gets the timeline event type with a given event type ID.

Parameters
eventTypeID  An event type ID.
Returns
The timeline event type in an Optional object, may be empty if the event type is not found.

Definition at line 354 of file TimelineManager.java.

References org.sleuthkit.datamodel.TimelineEventType.DEPRECATED_OTHER_EVENT_ID, and org.sleuthkit.datamodel.TimelineEventType.MISC_TYPES.

Referenced by org.sleuthkit.datamodel.TimelineManager.countEventsByType(), org.sleuthkit.datamodel.TimelineManager.getEventById(), and org.sleuthkit.datamodel.TimelineManager.getEvents().

ImmutableList<TimelineEventType> org.sleuthkit.datamodel.TimelineManager.getEventTypes ( )

Gets all of the timeline event types in the case database.

Returns
A list of timeline event types.

Definition at line 369 of file TimelineManager.java.

Long org.sleuthkit.datamodel.TimelineManager.getMaxEventTime ( ) throws TskCoreException

Gets the maximum timeline event time in the case database.

Returns
The maximum timeline event time in seconds since the UNIX epoch, or -1 if there are no timeline events in the case database.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 306 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.TimelineManager.getSpanningInterval().

Long org.sleuthkit.datamodel.TimelineManager.getMinEventTime ( ) throws TskCoreException

Gets the minimum timeline event time in the case database.

Returns
The minimum timeline event time in seconds since the UNIX epoch, or -1 if there are no timeline events in the case database.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 330 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Interval org.sleuthkit.datamodel.TimelineManager.getSpanningInterval ( Collection< Long >  eventIDs) throws TskCoreException

Gets the smallest possible time interval that spans a collection of timeline events.

Parameters
eventIDs  The event IDs of the events for which to obtain the spanning interval.
Returns
The minimal spanning interval, may be null.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 157 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Interval org.sleuthkit.datamodel.TimelineManager.getSpanningInterval ( Interval  timeRange,
TimelineFilter.RootFilter  filter,
DateTimeZone  timeZone 
) throws TskCoreException

Gets the smallest possible time interval that spans a collection of timeline events.

Parameters
timeRange  A time range that the events must be within.
filter  A timeline events filter that the events must pass.
timeZone  The time zone for the returned time interval.
Returns
The minimal spanning interval, may be null.
Exceptions
TskCoreException  If there is an error querying the case database.

Definition at line 189 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineManager.getMaxEventTime(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForArtifactTagAdded ( BlackboardArtifact  artifact) throws TskCoreException

Finds all of the timeline events directly associated with a given artifact and marks them as having an event source that is tagged.

Parameters
artifact  The artifact.
Returns
The event IDs of the events that were marked as having a tagged event source.
Exceptions
TskCoreException  If there is an error updating the case database.

Definition at line 1063 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForArtifactTagDeleted ( BlackboardArtifact  artifact) throws TskCoreException

Finds all of the timeline events directly associated with a given artifact and marks them as not having an event source that is tagged, if and only if there are no other tags on the artifact.

Parameters
artifact  The artifact.
Returns
The event IDs of the events that were marked as not having a tagged event source.
Exceptions
TskCoreException  If there is an error updating the case database.

Definition at line 1086 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForContentTagAdded ( Content  content) throws TskCoreException

Finds all of the timeline events directly associated with a given content and marks them as having an event source that is tagged. This does not include timeline events where the event source is an artifact, even if the artifact source is the tagged content.

Parameters
content  The content.
Returns
The event IDs of the events that were marked as having a tagged event source.
Exceptions
TskCoreException  If there is an error updating the case database.

WARNING: THIS IS A BETA VERSION OF THIS METHOD, SUBJECT TO CHANGE AT ANY TIME.

Definition at line 1008 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForContentTagDeleted ( Content  content) throws TskCoreException

Finds all of the timeline events directly associated with a given content and marks them as not having an event source that is tagged, if and only if there are no other tags on the content. The inspection of events does not include events where the event source is an artifact, even if the artifact source is the content from which the tag was removed.

Parameters
content  The content.
Returns
The event IDs of the events that were marked as not having a tagged event source.
Exceptions
TskCoreException  If there is an error updating the case database.

WARNING: THIS IS A BETA VERSION OF THIS METHOD, SUBJECT TO CHANGE AT ANY TIME.

Definition at line 1037 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByContent(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForHashSetHit ( Content  content) throws TskCoreException

Finds all of the timeline events associated directly or indirectly with a given content and marks them as having an event source that has a hash set hit. This includes both the events that have the content as their event source and the events for which the content is the source content for the source artifact of the event.

Parameters
content  The content.
Returns
The event IDs of the events that were marked as having an event source with a hash set hit.
Exceptions
TskCoreException  If there is an error updating the case database.

Definition at line 1128 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().
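
The member functions above combine into a common timeline pivot: given one piece of content (for example a file with a hash set hit), count what else happened around its activity. This is an added example, not code from The Sleuth Kit or its documentation; the class TimelinePivot, the method countAround and the windowSecs parameter are hypothetical, the caller is assumed to supply the TimelineManager and a ready-made RootFilter, and Interval is assumed to be Joda-Time's org.joda.time.Interval.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.joda.time.Interval;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.TimelineEventType;
import org.sleuthkit.datamodel.TimelineFilter;
import org.sleuthkit.datamodel.TimelineManager;
import org.sleuthkit.datamodel.TskCoreException;

/** Added example: hypothetical helper, not part of The Sleuth Kit. */
public final class TimelinePivot {

    /**
     * Counts, per event type, the events that occurred within windowSecs
     * seconds of any timeline activity tied to the given content, including
     * events whose source is an artifact derived from that content.
     */
    public static Map<TimelineEventType, Long> countAround(TimelineManager tm,
            Content content, TimelineFilter.RootFilter filter, long windowSecs)
            throws TskCoreException {
        Set<Long> ids = tm.getEventIDsForContent(content, true);
        if (ids.isEmpty()) {
            return Collections.emptyMap(); // no timeline activity for this content
        }
        Interval span = tm.getSpanningInterval(ids);
        if (span == null) { // documented above as "may be null"
            return Collections.emptyMap();
        }
        // Interval carries milliseconds; countEventsByType takes seconds.
        long start = span.getStartMillis() / 1000 - windowSecs;
        // endTime is exclusive ("at or after this time are not counted"), so
        // add one second to keep an event at the last second of the window.
        long end = span.getEndMillis() / 1000 + windowSecs + 1;
        // Clamp to the case's own range; both calls return -1 when the case
        // database holds no timeline events, so only clamp on valid values.
        Long min = tm.getMinEventTime();
        Long max = tm.getMaxEventTime();
        if (min != null && min >= 0) start = Math.max(start, min);
        if (max != null && max >= 0) end = Math.min(end, max + 1);
        return tm.countEventsByType(start, end, filter,
                TimelineEventType.HierarchyLevel.EVENT);
    }
}
```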


The documentation for this class was generated from the following file:

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.