19 package org.sleuthkit.autopsy.centralrepository.datamodel;
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.logging.Level;
24 import org.openide.util.NbBundle.Messages;
30 import org.
sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
32 import org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
45 @Messages({
"EamArtifactUtil.emailaddresses.text=Email Addresses"})
47 return Bundle.EamArtifactUtil_emailaddresses_text();
63 boolean checkEnabled) {
64 List<CorrelationAttributeInstance> eamArtifacts =
new ArrayList<>();
66 BlackboardArtifact artifactForInstance = null;
67 if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifact.getArtifactTypeID()) {
69 BlackboardAttribute attribute = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
70 if (attribute != null) {
74 artifactForInstance = artifact;
76 if (artifactForInstance != null) {
77 int artifactTypeID = artifactForInstance.getArtifactTypeID();
78 if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
79 BlackboardAttribute setNameAttr = artifactForInstance.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
80 if (setNameAttr != null
84 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()
85 || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()
86 || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()
87 || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
89 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
90 || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
91 || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
94 if (null != artifactForInstance.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
95 value = artifactForInstance.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
96 }
else if (null != artifactForInstance.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
97 value = artifactForInstance.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
98 }
else if (null != artifactForInstance.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
99 value = artifactForInstance.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
103 String newValue = value.replaceAll(
"\\D",
"");
104 if (value.startsWith(
"+")) {
105 newValue =
"+" + newValue;
110 if (value.length() > 5) {
113 eamArtifacts.add(inst);
117 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
120 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
122 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
123 || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
124 || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
126 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
130 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
133 }
else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
139 logger.log(Level.SEVERE,
"Error getting defined correlation types.", ex);
141 }
catch (TskCoreException ex) {
142 logger.log(Level.SEVERE,
"Error getting attribute while getting type from BlackboardArtifact.", ex);
145 logger.log(Level.SEVERE,
"Exception while getting open case.", ex);
170 BlackboardAttribute attribute = artifact.getAttribute(
new BlackboardAttribute.Type(bbAttributeType));
171 if (attribute != null) {
172 String value = attribute.getValueString();
173 if ((null != value) && (value.isEmpty() ==
false)) {
176 eamArtifacts.add(inst);
196 AbstractFile bbSourceFile = currentCase.
getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
197 if (null == bbSourceFile) {
198 logger.log(Level.SEVERE,
"Error creating artifact instance. Abstract File was null.");
209 bbSourceFile.getParentPath() + bbSourceFile.
getName(),
211 TskData.FileKnown.UNKNOWN,
212 bbSourceFile.getId());
215 logger.log(Level.SEVERE,
"Error creating artifact instance.", ex);
218 logger.log(Level.SEVERE,
"Case is closed.", ex);
232 if (!(content instanceof AbstractFile)) {
236 final AbstractFile file = (AbstractFile) content;
249 if (null == correlationCase) {
254 }
catch (TskCoreException | EamDbException ex) {
255 logger.log(Level.SEVERE,
"Error retrieving correlation attribute.", ex);
258 logger.log(Level.SEVERE,
"Case is closed.", ex);
266 logger.log(Level.WARNING, String.format(
267 "Correlation attribute could not be retrieved for '%s' (id=%d): ",
268 content.getName(), content.getId()), ex);
272 if (correlationAttributeInstance == null && file.getMd5Hash() != null) {
273 String filePath = (file.getParentPath() + file.getName()).toLowerCase();
277 logger.log(Level.WARNING, String.format(
278 "Correlation attribute could not be retrieved for '%s' (id=%d): ",
279 content.getName(), content.getId()), ex);
284 return correlationAttributeInstance;
302 if (!(content instanceof AbstractFile)) {
306 final AbstractFile af = (AbstractFile) content;
313 String md5 = af.getMd5Hash();
314 if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
327 af.getParentPath() + af.
getName(),
329 TskData.FileKnown.UNKNOWN,
333 logger.log(Level.SEVERE,
"Error making correlation attribute.", ex);
336 logger.log(Level.SEVERE,
"Case is closed.", ex);
354 switch (file.getType()) {
367 return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
369 logger.log(Level.WARNING,
"Unexpected file type {0}", file.getType().getName());
static final int EMAIL_TYPE_ID
static List< CorrelationAttributeInstance > makeInstancesFromBlackboardArtifact(BlackboardArtifact artifact, boolean checkEnabled)
static final int USBID_TYPE_ID
static final int ICCID_TYPE_ID
static final Logger logger
static void addCorrelationAttributeToList(List< CorrelationAttributeInstance > eamArtifacts, BlackboardArtifact artifact, ATTRIBUTE_TYPE bbAttributeType, int typeId)
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
static String getEmailAddressAttrString()
static boolean isSupportedAbstractFileType(AbstractFile file)
static final int IMEI_TYPE_ID
static EamDb getInstance()
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
static CorrelationAttributeInstance getInstanceFromContent(Content content)
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
static final int DOMAIN_TYPE_ID
static final int PHONE_TYPE_ID
SleuthkitCase getSleuthkitCase()
static CorrelationAttributeInstance makeInstanceFromContent(Content content)
static final int MAC_TYPE_ID
static final int IMSI_TYPE_ID
CorrelationCase getCase(Case autopsyCase)
synchronized static Logger getLogger(String name)
static Case getCurrentCaseThrows()
static CorrelationAttributeInstance makeCorrelationAttributeInstanceUsingTypeValue(BlackboardArtifact bbArtifact, CorrelationAttributeInstance.Type correlationType, String value)
static final int SSID_TYPE_ID
static final int FILES_TYPE_ID