Autopsy  3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExternalResultsImporter.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.externalresults;
20 
21 import java.io.File;
22 import java.nio.file.Path;
23 import java.nio.file.Paths;
24 import java.util.ArrayList;
25 import java.util.Collection;
26 import java.util.HashSet;
27 import java.util.List;
28 import java.util.logging.Level;
29 import org.openide.util.NbBundle;
44 
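/**
 * Imports the derived files, artifacts and reports described by an
 * {@link ExternalResults} object into the current case.
 *
 * <p>Everything read from the {@code ExternalResults} object (paths, type
 * names, attribute values) was produced by an external process and is treated
 * as untrusted input: values are escaped before they are placed in a SQL
 * condition, numeric values are parsed defensively, and derived file paths
 * must resolve to a location inside the case folder.
 *
 * <p>Problems are logged at {@link Level#SEVERE} and collected as
 * {@code ErrorInfo} objects, which {@link #importResults} returns.
 */
public final class ExternalResultsImporter {

    private static final Logger logger = Logger.getLogger(ExternalResultsImporter.class.getName());
    // Type ids of the artifact types declared by BlackboardArtifact.ARTIFACT_TYPE.
    private static final HashSet<Integer> standardArtifactTypeIds = new HashSet<>();
    // Errors accumulated during the import that is currently running.
    private final List<ErrorInfo> errors = new ArrayList<>();

    static {
        // NOTE(review): the loop header (gutter line 57) is missing from the
        // rendered listing; restored from the loop variable used below.
        for (BlackboardArtifact.ARTIFACT_TYPE artifactType : BlackboardArtifact.ARTIFACT_TYPE.values()) {
            standardArtifactTypeIds.add(artifactType.getTypeID());
        }
    }

    /**
     * Imports derived files, then artifacts, then reports.
     *
     * @param results The results of an external process to import.
     * @return A copy of the errors recorded during this import; the internal
     *         error list is cleared before returning.
     */
    public List<ErrorInfo> importResults(ExternalResults results) {
        // Import files first, they may be the source files of artifacts.
        importDerivedFiles(results);
        importArtifacts(results);
        importReports(results);
        List<ErrorInfo> importErrors = new ArrayList<>(this.errors);
        this.errors.clear();
        return importErrors;
    }

    /**
     * Adds each derived file that exists on disk, lies inside the case folder
     * and has a parent file in the case database.
     *
     * @param results The results holding the derived file descriptions.
     */
    private void importDerivedFiles(ExternalResults results) {
        // NOTE(review): this declaration (gutter line 82) is missing from the
        // rendered listing; restored so that the addDerivedFile call below
        // resolves - confirm against the upstream file.
        FileManager fileManager = Case.getCurrentCase().getServices().getFileManager();
        for (ExternalResults.DerivedFile fileData : results.getDerivedFiles()) {
            String localPath = fileData.getLocalPath();
            try {
                File localFile = new File(localPath);
                if (!localFile.exists()) {
                    this.recordError(NbBundle.getMessage(this.getClass(),
                            "ExternalResultsImporter.importDerivedFiles.errMsg2.text",
                            localPath));
                    continue;
                }
                String relativePath = this.getPathRelativeToCaseFolder(localPath);
                if (relativePath.isEmpty()) {
                    // getPathRelativeToCaseFolder records the reason when it rejects a path.
                    continue;
                }
                String parentFilePath = fileData.getParentPath();
                AbstractFile parentFile = findFileInCaseDatabase(parentFilePath);
                if (parentFile == null) {
                    this.recordError(NbBundle.getMessage(this.getClass(),
                            "ExternalResultsImporter.importDerivedFiles.errMsg1.text",
                            localPath, parentFilePath));
                    continue;
                }
                DerivedFile derivedFile = fileManager.addDerivedFile(localFile.getName(), relativePath, localFile.length(),
                        0, 0, 0, 0, // Do not currently have file times for derived files from external processes.
                        true, parentFile,
                        "", "", "", ""); // Not currently providing derivation info for derived files from external processes.
                // NOTE(review): gutter line 97 is missing from the rendered
                // listing; the page's member list references
                // fireModuleContentEvent and derivedFile is otherwise unused,
                // so the event notification is restored - confirm upstream.
                IngestServices.getInstance().fireModuleContentEvent(new ModuleContentEvent(derivedFile));
            } catch (TskCoreException ex) {
                this.recordError(NbBundle.getMessage(this.getClass(),
                        "ExternalResultsImporter.importDerivedFiles.errMsg3.text",
                        localPath), ex);
            }
        }
    }

    /**
     * Adds each artifact and its attributes to the case database, registering
     * artifact and attribute types that the database does not know yet.
     *
     * @param results The results holding the artifact descriptions.
     */
    private void importArtifacts(ExternalResults results) {
        // NOTE(review): this declaration (gutter line 124) is missing from the
        // rendered listing; restored using the accessor that
        // findFileInCaseDatabase also calls.
        SleuthkitCase caseDb = Case.getCurrentCase().getSleuthkitCase();
        for (ExternalResults.Artifact artifactData : results.getArtifacts()) {
            try {
                // Add the artifact to the case database.
                int artifactTypeId = caseDb.getArtifactTypeID(artifactData.getType());
                if (artifactTypeId == -1) {
                    artifactTypeId = caseDb.addArtifactType(artifactData.getType(), artifactData.getType());
                }
                Content sourceFile = findFileInCaseDatabase(artifactData.getSourceFilePath());
                if (sourceFile == null) {
                    this.recordError(NbBundle.getMessage(this.getClass(),
                            "ExternalResultsImporter.importArtifacts.errMsg1.text",
                            artifactData.getType(), artifactData.getSourceFilePath()));
                    continue;
                }
                BlackboardArtifact artifact = sourceFile.newArtifact(artifactTypeId);

                // Add the artifact's attributes to the case database.
                Collection<BlackboardAttribute> attributes = new ArrayList<>();
                for (ExternalResults.ArtifactAttribute attributeData : artifactData.getAttributes()) {
                    int attributeTypeId = caseDb.getAttrTypeID(attributeData.getType());
                    if (attributeTypeId == -1) {
                        attributeTypeId = caseDb.addAttrType(attributeData.getType(), attributeData.getType());
                    }
                    try {
                        switch (attributeData.getValueType()) {
                            case "text": //NON-NLS
                                attributes.add(new BlackboardAttribute(attributeTypeId, attributeData.getSourceModule(), attributeData.getValue()));
                                break;
                            case "int32": //NON-NLS
                                int intValue = Integer.parseInt(attributeData.getValue());
                                attributes.add(new BlackboardAttribute(attributeTypeId, attributeData.getSourceModule(), intValue));
                                break;
                            case "int64": //NON-NLS
                                long longValue = Long.parseLong(attributeData.getValue());
                                attributes.add(new BlackboardAttribute(attributeTypeId, attributeData.getSourceModule(), longValue));
                                break;
                            case "double": //NON-NLS
                                double doubleValue = Double.parseDouble(attributeData.getValue());
                                attributes.add(new BlackboardAttribute(attributeTypeId, attributeData.getSourceModule(), doubleValue));
                                break;
                            default:
                                this.recordError(NbBundle.getMessage(this.getClass(),
                                        "ExternalResultsImporter.importArtifacts.caseErrMsg1.text",
                                        attributeData.getType(), attributeData.getValue(),
                                        artifactData.getType(), artifactData.getSourceFilePath(),
                                        attributeData.getValueType()));
                                break;
                        }
                    } catch (NumberFormatException ex) {
                        // The value text comes from the external process; a
                        // malformed number is reported and the attribute is
                        // skipped instead of aborting the whole import.
                        // NOTE(review): reuses the caseErrMsg1 bundle text
                        // because it takes the same arguments; a dedicated
                        // message key would describe the failure better.
                        this.recordError(NbBundle.getMessage(this.getClass(),
                                "ExternalResultsImporter.importArtifacts.caseErrMsg1.text",
                                attributeData.getType(), attributeData.getValue(),
                                artifactData.getType(), artifactData.getSourceFilePath(),
                                attributeData.getValueType()), ex);
                    }
                }
                artifact.addAttributes(attributes);

                // Only artifacts of a standard type are announced with a module data event.
                if (standardArtifactTypeIds.contains(artifactTypeId)) {
                    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(this.getClass().getSimpleName(), BlackboardArtifact.ARTIFACT_TYPE.fromID(artifactTypeId)));
                }
            } catch (TskCoreException ex) {
                this.recordError(NbBundle.getMessage(this.getClass(),
                        "ExternalResultsImporter.importArtifacts.errMsg2.text",
                        artifactData.getType(), artifactData.getSourceFilePath()), ex);
            }
        }
    }

    /**
     * Adds each report whose local file exists to the current case.
     *
     * @param results The results holding the report descriptions.
     */
    private void importReports(ExternalResults results) {
        for (ExternalResults.Report report : results.getReports()) {
            String reportPath = report.getLocalPath();
            try {
                File reportFile = new File(reportPath);
                if (reportFile.exists()) {
                    // NOTE(review): unlike derived files, the report path is
                    // not checked against the case folder here - confirm
                    // whether Case.addReport constrains it.
                    Case.getCurrentCase().addReport(reportPath, report.getSourceModuleName(), report.getReportName());
                } else {
                    this.recordError(NbBundle.getMessage(this.getClass(), "ExternalResultsImporter.importReports.errMsg1.text", reportPath));
                }
            } catch (TskCoreException ex) {
                this.recordError(NbBundle.getMessage(this.getClass(), "ExternalResultsImporter.importReports.errMsg2.text", reportPath), ex);
            }
        }
    }

    /**
     * Looks up a file in the case database by its full path.
     *
     * @param filePath The path of the file, using "/" as the separator.
     * @return The first matching file, or null if there is no match. An error
     *         is recorded when more than one file matches.
     * @throws TskCoreException If the case database query fails.
     */
    private AbstractFile findFileInCaseDatabase(String filePath) throws TskCoreException {
        AbstractFile file = null;
        // Split the path into the file name and the parent path.
        String fileName = filePath;
        String parentPath = "";
        int charPos = filePath.lastIndexOf("/");
        if (charPos >= 0) {
            fileName = filePath.substring(charPos + 1);
            parentPath = filePath.substring(0, charPos + 1);
        }
        // Find the file. findAllFilesWhere takes a raw WHERE clause, so the
        // values cannot be bound as parameters; they are escaped instead
        // because the path comes from the external results.
        String condition = "name='" + escapeSqlStringLiteral(fileName)
                + "' AND parent_path='" + escapeSqlStringLiteral(parentPath) + "'"; //NON-NLS
        List<AbstractFile> files = Case.getCurrentCase().getSleuthkitCase().findAllFilesWhere(condition);
        if (!files.isEmpty()) {
            file = files.get(0);
            if (files.size() > 1) {
                String errorMessage = NbBundle.getMessage(this.getClass(), "ExternalResultsImporter.findFileInCaseDatabase.errMsg1.text", filePath);
                this.recordError(errorMessage);
            }
        }
        return file;
    }

    /**
     * Escapes a value for use inside a single-quoted SQL string literal by
     * doubling every single quote.
     *
     * @param value The text to place between single quotes.
     * @return The escaped text.
     */
    private static String escapeSqlStringLiteral(String value) {
        // NOTE(review): assumes the case database treats only '' as an escape
        // inside string literals (standard SQL) - confirm for the backend in use.
        return value.replace("'", "''");
    }

    /**
     * Converts an absolute local path into a path relative to the case
     * folder. Paths that are not absolute, or that resolve to a location
     * outside the case folder, are rejected and an error is recorded.
     *
     * @param localPath The absolute path of a file expected to be under the
     *                  case folder.
     * @return The path relative to the case folder, or an empty string if the
     *         path was rejected.
     */
    private String getPathRelativeToCaseFolder(String localPath) {
        String relativePath = "";
        String caseDirectoryPath = Case.getCurrentCase().getCaseDirectory();
        try {
            // Normalizing removes "." and ".." elements, so a path such as
            // <case>/../elsewhere cannot pass the containment check below.
            // Symbolic links are not resolved here.
            Path path = Paths.get(localPath).normalize();
            if (!path.isAbsolute()) {
                this.recordError(NbBundle.getMessage(this.getClass(),
                        "ExternalResultsImporter.getPathRelativeToCaseFolder.errMsg2.text",
                        localPath, caseDirectoryPath));
                return relativePath;
            }
            Path pathBase = Paths.get(caseDirectoryPath).normalize();
            if (!path.startsWith(pathBase)) {
                // Without this check relativize() would return a "../" path
                // that points outside the case folder.
                // NOTE(review): reuses the errMsg1 bundle text, which takes
                // the same two arguments.
                this.recordError(NbBundle.getMessage(this.getClass(),
                        "ExternalResultsImporter.getPathRelativeToCaseFolder.errMsg1.text",
                        localPath, caseDirectoryPath));
                return relativePath;
            }
            relativePath = pathBase.relativize(path).toString();
        } catch (IllegalArgumentException ex) {
            // Also covers InvalidPathException, a subclass thrown by Paths.get.
            this.recordError(NbBundle.getMessage(this.getClass(),
                    "ExternalResultsImporter.getPathRelativeToCaseFolder.errMsg1.text",
                    localPath, caseDirectoryPath), ex);
        }
        return relativePath;
    }

    /**
     * Logs an error message and adds it to the list of import errors.
     *
     * @param errorMessage The message to record.
     */
    private void recordError(String errorMessage) {
        ExternalResultsImporter.logger.log(Level.SEVERE, errorMessage);
        this.errors.add(new ErrorInfo(this.getClass().getName(), errorMessage));
    }

    /**
     * Logs an error message with its cause and adds both to the list of
     * import errors.
     *
     * @param errorMessage The message to record.
     * @param ex           The exception that caused the error.
     */
    private void recordError(String errorMessage, Exception ex) {
        ExternalResultsImporter.logger.log(Level.SEVERE, errorMessage, ex);
        // Keep the cause in the ErrorInfo so callers see it, not only the log.
        this.errors.add(new ErrorInfo(this.getClass().getName(), errorMessage, ex));
    }
}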
BlackboardArtifact newArtifact(int artifactTypeID)
int getArtifactTypeID(String artifactTypeName)
void addAttributes(Collection< BlackboardAttribute > attributes)
int addArtifactType(String artifactTypeName, String displayName)
void addReport(String localPath, String srcModuleName, String reportName)
Definition: Case.java:1165
synchronized DerivedFile addDerivedFile(String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parentFile, String rederiveDetails, String toolName, String toolVersion, String otherDetails)
int getAttrTypeID(String attrTypeName)
int addAttrType(String attrTypeString, String displayName)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
void fireModuleContentEvent(ModuleContentEvent moduleContentEvent)
List< AbstractFile > findAllFilesWhere(String sqlWhereClause)
static Logger getLogger(String name)
Definition: Logger.java:131
static synchronized IngestServices getInstance()

Copyright © 2012-2015 Basis Technology. Generated on: Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.