Classes
class	TimelineEventAddedEvent

Public Member Functions
TimelineEvent	addTimelineEvent (TimelineEventType eventType, String shortDesc, String medDesc, String longDesc, long dataSourceId, long contentId, Long artifactId, long time, boolean hashHit, boolean tagged, CaseDbTransaction trans) throws TskCoreException

Map< TimelineEventType, Long >	countEventsByType (Long startTime, Long endTime, TimelineFilter.RootFilter filter, TimelineEventType.HierarchyLevel typeHierachyLevel) throws TskCoreException

TimelineEvent	getEventById (long eventID) throws TskCoreException

List< Long >	getEventIDs (Interval timeRange, TimelineFilter.RootFilter filter) throws TskCoreException

List< Long >	getEventIDsForArtifact (BlackboardArtifact artifact) throws TskCoreException

Set< Long >	getEventIDsForContent (Content content, boolean includeDerivedArtifacts) throws TskCoreException

List< TimelineEvent >	getEvents (Interval timeRange, TimelineFilter.RootFilter filter) throws TskCoreException

Optional< TimelineEventType >	getEventType (long eventTypeID)

ImmutableList< TimelineEventType >	getEventTypes ()

Long	getMaxEventTime () throws TskCoreException

Long	getMinEventTime () throws TskCoreException

Interval	getSpanningInterval (Collection< Long > eventIDs) throws TskCoreException

Interval	getSpanningInterval (Interval timeRange, TimelineFilter.RootFilter filter, DateTimeZone timeZone) throws TskCoreException

Set< Long >	updateEventsForArtifactTagAdded (BlackboardArtifact artifact) throws TskCoreException

Set< Long >	updateEventsForArtifactTagDeleted (BlackboardArtifact artifact) throws TskCoreException

Set< Long >	updateEventsForContentTagAdded (Content content) throws TskCoreException

Set< Long >	updateEventsForContentTagDeleted (Content content) throws TskCoreException

Set< Long >	updateEventsForHashSetHit (Content content) throws TskCoreException

Detailed Description

Provides access to the timeline data in a case database.

Definition at line 58 of file TimelineManager.java.

Member Function Documentation

TimelineEvent org.sleuthkit.datamodel.TimelineManager.addTimelineEvent	(	TimelineEventType	eventType,
		String	shortDesc,
		String	medDesc,
		String	longDesc,
		long	dataSourceId,
		long	contentId,
		Long	artifactId,
		long	time,
		boolean	hashHit,
		boolean	tagged,
		CaseDbTransaction	trans
	)		throws TskCoreException

Adds a timeline event to the database in a transaction.

Parameters

eventType	The event type.
shortDesc	The short description.
medDesc	The medium description.
longDesc	The long description.
dataSourceId	The data source id of the event.
contentId	The content id of the event.
artifactId	The artifact id of the event (can be null).
time	Unix epoch offset time of the event in seconds.
hashHit	True if a hash hit.
tagged	True if tagged.
trans	The transaction.

Returns: The added event.

Exceptions

TskCoreException

Definition at line 814 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Map<TimelineEventType, Long> org.sleuthkit.datamodel.TimelineManager.countEventsByType	(	Long	startTime,
		Long	endTime,
		TimelineFilter.RootFilter	filter,
		TimelineEventType.HierarchyLevel	typeHierachyLevel
	)		throws TskCoreException

Counts the timeline events events that satisfy the given conditions.

Parameters

startTime	Events that occurred before this time are not counted (units: seconds from UNIX epoch)
endTime	Events that occurred at or after this time are not counted (seconds from unix epoch)
filter	Events that fall within the specified time range are only ocunted if they pass this filter.
typeHierachyLevel	Events that fall within the specified time range and pass the specified filter asre only counted if their types are at the specified level of the event type hierarchy.

Returns: The event counts for each event type at the specified level in the event types hierarchy.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 1173 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineEventType.HierarchyLevel.EVENT, org.sleuthkit.datamodel.TimelineManager.getEventType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

TimelineEvent org.sleuthkit.datamodel.TimelineManager.getEventById ( long eventID ) throws TskCoreException

Gets the timeline event with a given event ID.

Parameters

eventID An event ID.

Returns: The timeline event, may be null.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 229 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineManager.getEventType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<Long> org.sleuthkit.datamodel.TimelineManager.getEventIDs	(	Interval	timeRange,
		TimelineFilter.RootFilter	filter
	)		throws TskCoreException

Gets the event IDs of the timeline events within a given time range that pass a given timeline events filter.

Parameters

timeRange	The time range that the events must be within.
filter	The timeline events filter that the events must pass.

Returns: A list of event IDs ordered by event time.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 269 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<Long> org.sleuthkit.datamodel.TimelineManager.getEventIDsForArtifact ( BlackboardArtifact artifact ) throws TskCoreException

Gets a list of event IDs for the timeline events that have a given artifact as the event source.

Parameters

artifact An artifact.

Returns: The list of event IDs.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 413 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.getEventIDsForContent	(	Content	content,
		boolean	includeDerivedArtifacts
	)		throws TskCoreException

Gets a list of event IDs for the timeline events that have a given content as the event source.

Parameters

content	The content.
includeDerivedArtifacts	If true, also get event IDs for events where the event source is an artifact that has the given content as its source.

Returns: The list of event IDs.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 448 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

List<TimelineEvent> org.sleuthkit.datamodel.TimelineManager.getEvents	(	Interval	timeRange,
		TimelineFilter.RootFilter	filter
	)		throws TskCoreException

Gets the timeline events that fall within a given time interval and satisfy a given event filter.

Parameters

timeRange	The time level.
filter	The event filter.

Returns: The list of events that fall within the specified interval and poass the specified filter.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 1294 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineManager.getEventType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Optional<TimelineEventType> org.sleuthkit.datamodel.TimelineManager.getEventType ( long eventTypeID )

Gets the timeline event type with a given event type ID.

Parameters

eventTypeID An event type ID.

Returns: The timeline event type in an Optional object, may be empty if the event type is not found.

Definition at line 354 of file TimelineManager.java.

References org.sleuthkit.datamodel.TimelineEventType.DEPRECATED_OTHER_EVENT_ID, and org.sleuthkit.datamodel.TimelineEventType.MISC_TYPES.

Referenced by org.sleuthkit.datamodel.TimelineManager.countEventsByType(), org.sleuthkit.datamodel.TimelineManager.getEventById(), and org.sleuthkit.datamodel.TimelineManager.getEvents().

ImmutableList<TimelineEventType> org.sleuthkit.datamodel.TimelineManager.getEventTypes ( )

Gets all of the timeline event types in the case database.

Returns: A list of timeline event types.

Definition at line 369 of file TimelineManager.java.

Long org.sleuthkit.datamodel.TimelineManager.getMaxEventTime ( ) throws TskCoreException

Gets the maximum timeline event time in the case database.

Returns: The maximum timeline event time in seconds since the UNIX epoch, or -1 if there are no timeline events in the case database.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 306 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.TimelineManager.getSpanningInterval().

Long org.sleuthkit.datamodel.TimelineManager.getMinEventTime ( ) throws TskCoreException

Gets the minimum timeline event time in the case database.

Returns: The minimum timeline event time in seconds since the UNIX epoch, or -1 if there are no timeline events in the case database.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 330 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Interval org.sleuthkit.datamodel.TimelineManager.getSpanningInterval ( Collection< Long > eventIDs ) throws TskCoreException

Gets the smallest possible time interval that spans a collection of timeline events.

Parameters

eventIDs The event IDs of the events for which to obtain the spanning interval.

Returns: The minimal spanning interval, may be null.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 157 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Interval org.sleuthkit.datamodel.TimelineManager.getSpanningInterval	(	Interval	timeRange,
		TimelineFilter.RootFilter	filter,
		DateTimeZone	timeZone
	)		throws TskCoreException

Gets the smallest possible time interval that spans a collection of timeline events.

Parameters

timeRange	A time range that the events must be within.
filter	A timeline events filter that the events must pass.
timeZone	The time zone for the returned time interval.

Returns: The minimal spanning interval, may be null.

Exceptions

TskCoreException If there is an error querying the case database.

Definition at line 189 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TimelineManager.getMaxEventTime(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForArtifactTagAdded ( BlackboardArtifact artifact ) throws TskCoreException

Finds all of the timeline events directly associated with a given artifact and marks them as having an event source that is tagged.

Parameters

artifact The artifact.

Returns: The event IDs of the events that were marked as having a tagged event source.

Exceptions

TskCoreException If there is an error updating the case database.

Definition at line 1063 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForArtifactTagDeleted ( BlackboardArtifact artifact ) throws TskCoreException

Finds all of the timeline events directly associated with a given artifact and marks them as not having an event source that is tagged, if and only if there are no other tags on the artifact.

Parameters

artifact The artifact.

Returns: The event IDs of the events that were marked as not having a tagged event source.

Exceptions

TskCoreException If there is an error updating the case database.

Definition at line 1086 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForContentTagAdded ( Content content ) throws TskCoreException

Finds all of the timeline events directly associated with a given content and marks them as having an event source that is tagged. This does not include timeline events where the event source is an artifact, even if the artifact source is the tagged content.

Parameters

content The content.

Returns: The event IDs of the events that were marked as having a tagged event source.

Exceptions

TskCoreException If there is an error updating the case database.

WARNING: THIS IS A BETA VERSION OF THIS METHOD, SUBJECT TO CHANGE AT ANY TIME.

Definition at line 1008 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForContentTagDeleted ( Content content ) throws TskCoreException

Finds all of the timeline events directly associated with a given content and marks them as not having an event source that is tagged, if and only if there are no other tags on the content. The inspection of events does not include events where the event source is an artifact, even if the artifact source is the content from which trhe tag was removed.

Parameters

content The content.

Returns: The event IDs of the events that were marked as not having a tagged event source.

Exceptions

TskCoreException If there is an error updating the case database.

WARNING: THIS IS A BETA VERSION OF THIS METHOD, SUBJECT TO CHANGE AT ANY TIME.

Definition at line 1037 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByContent(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Set<Long> org.sleuthkit.datamodel.TimelineManager.updateEventsForHashSetHit ( Content content ) throws TskCoreException

Finds all of the timeline events associated directly or indirectly with a given content and marks them as having an event source that has a hash set hit. This includes both the events that have the content as their event source and the events for which the content is the source content for the source artifact of the event.

Parameters

content The content.

Returns: The event IDs of the events that were marked as having an event source with a hash set hit.

Exceptions

TskCoreException If there is an error updating the case database.

Definition at line 1128 of file TimelineManager.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

The documentation for this class was generated from the following file:

/home/carriersleuth/repos/sleuthkit/bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java

Classes

Public Member Functions

Detailed Description

Member Function Documentation