Autopsy  3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
org.sleuthkit.autopsy.timeline.events.db.EventDB Class Reference

Classes

class  EventTransaction
 
class  MultipleTransactionException
 

Public Member Functions

void finalize () throws Throwable
 
Interval getSpanningInterval (Collection< Long > eventIDs)
 

Static Public Member Functions

static EventDB getEventDB (String dbPath)
 

Private Member Functions

 EventDB (String dbPath) throws SQLException, Exception
 
void closeStatements () throws SQLException
 
void configureDB () throws SQLException
 
TimeLineEvent constructTimeLineEvent (ResultSet rs) throws SQLException
 
Map< EventType, Long > countEvents (Long startTime, Long endTime, Filter filter, EventTypeZoomLevel zoomLevel)
 
List< AggregateEvent > getAggregatedEvents (Interval timeRange, Filter filter, EventTypeZoomLevel zoomLevel, DescriptionLOD lod)
 
long getDBInfo (String key, long defaultValue)
 
String getDescriptionColumn (DescriptionLOD lod)
 
String getStrfTimeFormat (TimeUnits info)
 
PreparedStatement prepareStatement (String queryString) throws SQLException
 
void recordDBInfo (String key, long value)
 

Static Private Member Functions

static String getSQLWhere (Filter filter)
 
static String getSQLWhere (HideKnownFilter filter)
 
static String getSQLWhere (TextFilter filter)
 
static String getSQLWhere (TypeFilter filter)
 

Private Attributes

volatile Connection con
 
final String dbPath
 
PreparedStatement getDBInfoStmt
 
PreparedStatement getEventByIDStmt
 
PreparedStatement getMaxTimeStmt
 
PreparedStatement getMinTimeStmt
 
PreparedStatement insertRowStmt
 
final Set< PreparedStatement > preparedStatements = new HashSet<>()
 
PreparedStatement recordDBInfoStmt
 
final ReentrantReadWriteLock rwLock = new ReentrantReadWriteLock(true)
 
final Lock DBLock = rwLock.writeLock()
 

Static Private Attributes

static final String ARTIFACT_ID_COLUMN = "artifact_id"
 
static final String BASE_TYPE_COLUMN = "base_type"
 
static final String EVENT_ID_COLUMN = "event_id"
 
static final String FILE_ID_COLUMN = "file_id"
 
static final String FULL_DESCRIPTION_COLUMN = "full_description"
 
static final String KNOWN_COLUMN = "known_state"
 
static final String LAST_ARTIFACT_ID_KEY = "last_artifact_id"
 
static final String LAST_OBJECT_ID_KEY = "last_object_id"
 
static final java.util.logging.Logger LOGGER = Logger.getLogger(EventDB.class.getName())
 
static final String MED_DESCRIPTION_COLUMN = "med_description"
 
static final String SHORT_DESCRIPTION_COLUMN = "short_description"
 
static final String SUB_TYPE_COLUMN = "sub_type"
 
static final String TIME_COLUMN = "time"
 
static final String WAS_INGEST_RUNNING_KEY = "was_ingest_running"
 

Detailed Description

This class provides access to the Timeline SQLite database. It borrows a lot of ideas and techniques from SleuthkitCase. Creating an abstract base class for SQLite databases, or using a higher-level persistence API, may make sense in the future.

Definition at line 80 of file EventDB.java.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.timeline.events.db.EventDB.EventDB ( String  dbPath) throws SQLException, Exception
private

Member Function Documentation

void org.sleuthkit.autopsy.timeline.events.db.EventDB.closeStatements ( ) throws SQLException
private

Definition at line 722 of file EventDB.java.

void org.sleuthkit.autopsy.timeline.events.db.EventDB.configureDB ( ) throws SQLException
private
TimeLineEvent org.sleuthkit.autopsy.timeline.events.db.EventDB.constructTimeLineEvent ( ResultSet  rs) throws SQLException
private
Map<EventType, Long> org.sleuthkit.autopsy.timeline.events.db.EventDB.countEvents ( Long  startTime,
Long  endTime,
Filter  filter,
EventTypeZoomLevel  zoomLevel 
)
private

Counts all the events matching the given options and returns a map organizing the counts in a hierarchy from date > event type > count.

Parameters
startTime: events before this time will be excluded (seconds from Unix epoch)
endTime: events at or after this time will be excluded (seconds from Unix epoch)
filter: only events that pass this filter will be counted
zoomLevel: only events of this type or a subtype will be counted, and the counts will be organized into bins for each of the subtypes of the given event type
Returns
a map organizing the counts in a hierarchy from date > event type > count

Definition at line 787 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.events.type.EventType.allTypes, org.sleuthkit.autopsy.timeline.events.db.EventDB.BASE_TYPE_COLUMN, org.sleuthkit.autopsy.timeline.events.db.EventDB.LOGGER, and org.sleuthkit.autopsy.timeline.zooming.EventTypeZoomLevel.SUB_TYPE.

void org.sleuthkit.autopsy.timeline.events.db.EventDB.finalize ( ) throws Throwable

Definition at line 262 of file EventDB.java.

List<AggregateEvent> org.sleuthkit.autopsy.timeline.events.db.EventDB.getAggregatedEvents ( Interval  timeRange,
Filter  filter,
EventTypeZoomLevel  zoomLevel,
DescriptionLOD  lod 
)
private

//TODO: update javadoc //TODO: split this into helper methods

get a list of AggregateEvents.

General algorithm is as follows:

  • get all aggregate events, via one db query.
  • sort them into a map from (type, description) -> aggregate event
  • for each key in the map, merge the events and accumulate them in a list to return

Parameters
timeRange: the Interval within which all returned aggregate events will be
filter: only events that pass the filter will be included in the aggregate events returned
zoomLevel: only events of this level will be included
lod: description level of detail to use when grouping events
Returns
a list of aggregate events within the given time range, that pass the supplied filter, aggregated according to the given event type and description zoom levels

Definition at line 858 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.events.type.EventType.allTypes, org.sleuthkit.autopsy.timeline.events.db.EventDB.BASE_TYPE_COLUMN, org.sleuthkit.autopsy.timeline.events.AggregateEvent.getDescription(), org.sleuthkit.autopsy.timeline.events.db.EventDB.getDescriptionColumn(), org.sleuthkit.autopsy.timeline.TimeLineController.getJodaTimeZone(), org.sleuthkit.autopsy.timeline.zooming.TimeUnits.getPeriod(), org.sleuthkit.autopsy.timeline.utils.RangeDivisionInfo.getPeriodSize(), org.sleuthkit.autopsy.timeline.utils.RangeDivisionInfo.getRangeDivisionInfo(), org.sleuthkit.autopsy.timeline.events.AggregateEvent.getSpan(), org.sleuthkit.autopsy.timeline.events.db.EventDB.getStrfTimeFormat(), org.sleuthkit.autopsy.timeline.TimeLineController.getTimeZone(), org.sleuthkit.autopsy.timeline.events.AggregateEvent.merge(), and org.sleuthkit.autopsy.timeline.zooming.EventTypeZoomLevel.SUB_TYPE.

long org.sleuthkit.autopsy.timeline.events.db.EventDB.getDBInfo ( String  key,
long  defaultValue 
)
private
String org.sleuthkit.autopsy.timeline.events.db.EventDB.getDescriptionColumn ( DescriptionLOD  lod)
private
static EventDB org.sleuthkit.autopsy.timeline.events.db.EventDB.getEventDB ( String  dbPath)
static

public factory method. Creates and opens a connection to a database at the given path. If a database does not already exist at that path, one is created.

Parameters
dbPath
Returns

Definition at line 129 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.events.db.EventDB.EventDB(), and org.sleuthkit.autopsy.timeline.events.db.EventDB.LOGGER.

Referenced by org.sleuthkit.autopsy.timeline.events.db.EventsRepository.EventsRepository().

Interval org.sleuthkit.autopsy.timeline.events.db.EventDB.getSpanningInterval ( Collection< Long >  eventIDs)
static String org.sleuthkit.autopsy.timeline.events.db.EventDB.getSQLWhere ( Filter  filter)
static private

Definition at line 169 of file EventDB.java.

static String org.sleuthkit.autopsy.timeline.events.db.EventDB.getSQLWhere ( HideKnownFilter  filter)
static private
static String org.sleuthkit.autopsy.timeline.events.db.EventDB.getSQLWhere ( TextFilter  filter)
static private
static String org.sleuthkit.autopsy.timeline.events.db.EventDB.getSQLWhere ( TypeFilter  filter)
static private

Generates a SQL WHERE clause for the given type filter, keeping the clause as simple as possible to improve performance.

Parameters
filter
Returns

Definition at line 221 of file EventDB.java.

References org.sleuthkit.autopsy.timeline.filters.TypeFilter.getEventType(), org.sleuthkit.autopsy.timeline.filters.CompoundFilter.getSubFilters(), org.sleuthkit.autopsy.timeline.filters.AbstractFilter.isActive(), and org.sleuthkit.autopsy.timeline.filters.Filter.isActive().

String org.sleuthkit.autopsy.timeline.events.db.EventDB.getStrfTimeFormat ( TimeUnits  info)
private
PreparedStatement org.sleuthkit.autopsy.timeline.events.db.EventDB.prepareStatement ( String  queryString) throws SQLException
private

Definition at line 1016 of file EventDB.java.

void org.sleuthkit.autopsy.timeline.events.db.EventDB.recordDBInfo ( String  key,
long  value 
)
private

Member Data Documentation

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.ARTIFACT_ID_COLUMN = "artifact_id"
static private

Definition at line 82 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.BASE_TYPE_COLUMN = "base_type"
static private
volatile Connection org.sleuthkit.autopsy.timeline.events.db.EventDB.con
private

Definition at line 234 of file EventDB.java.

final Lock org.sleuthkit.autopsy.timeline.events.db.EventDB.DBLock = rwLock.writeLock()
private

Definition at line 254 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.dbPath
private
final String org.sleuthkit.autopsy.timeline.events.db.EventDB.EVENT_ID_COLUMN = "event_id"
static private

Definition at line 86 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.FILE_ID_COLUMN = "file_id"
static private

Definition at line 89 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.FULL_DESCRIPTION_COLUMN = "full_description"
static private
PreparedStatement org.sleuthkit.autopsy.timeline.events.db.EventDB.getDBInfoStmt
private

Definition at line 238 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.events.db.EventDB.getEventByIDStmt
private

Definition at line 240 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.events.db.EventDB.getMaxTimeStmt
private

Definition at line 242 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.events.db.EventDB.getMinTimeStmt
private

Definition at line 244 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.events.db.EventDB.insertRowStmt
private

Definition at line 246 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.KNOWN_COLUMN = "known_state"
static private

Definition at line 93 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.LAST_ARTIFACT_ID_KEY = "last_artifact_id"
static private

Definition at line 95 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.LAST_OBJECT_ID_KEY = "last_object_id"
static private

Definition at line 97 of file EventDB.java.

final java.util.logging.Logger org.sleuthkit.autopsy.timeline.events.db.EventDB.LOGGER = Logger.getLogger(EventDB.class.getName())
static private
final String org.sleuthkit.autopsy.timeline.events.db.EventDB.MED_DESCRIPTION_COLUMN = "med_description"
static private
final Set<PreparedStatement> org.sleuthkit.autopsy.timeline.events.db.EventDB.preparedStatements = new HashSet<>()
private

Definition at line 248 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.events.db.EventDB.recordDBInfoStmt
private

Definition at line 250 of file EventDB.java.

final ReentrantReadWriteLock org.sleuthkit.autopsy.timeline.events.db.EventDB.rwLock = new ReentrantReadWriteLock(true)
private

Definition at line 252 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.SHORT_DESCRIPTION_COLUMN = "short_description"
static private
final String org.sleuthkit.autopsy.timeline.events.db.EventDB.SUB_TYPE_COLUMN = "sub_type"
static private

Definition at line 105 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.TIME_COLUMN = "time"
static private

Definition at line 107 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.events.db.EventDB.WAS_INGEST_RUNNING_KEY = "was_ingest_running"
static private

Definition at line 109 of file EventDB.java.


The documentation for this class was generated from the following file:

Copyright © 2012-2015 Basis Technology. Generated on: Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.