Autopsy  4.15.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CorrelationAttributeUtil.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2017-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.datamodel;
20 
21 import java.util.ArrayList;
22 import java.util.HashSet;
23 import java.util.List;
24 import java.util.Set;
25 import java.util.logging.Level;
26 import org.openide.util.NbBundle.Messages;
27 import org.sleuthkit.autopsy.casemodule.Case;
28 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
29 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount.CentralRepoAccountType;
30 import org.sleuthkit.autopsy.coreutils.Logger;
31 import org.sleuthkit.datamodel.AbstractFile;
32 import org.sleuthkit.datamodel.Account;
33 import org.sleuthkit.datamodel.BlackboardArtifact;
34 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
35 import org.sleuthkit.datamodel.BlackboardAttribute;
36 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
37 import org.sleuthkit.datamodel.CommunicationsUtils;
38 import org.sleuthkit.datamodel.HashUtility;
39 import org.sleuthkit.datamodel.TskCoreException;
40 import org.sleuthkit.datamodel.TskData;
41 
46 public class CorrelationAttributeUtil {
47 
48  private static final Logger logger = Logger.getLogger(CorrelationAttributeUtil.class.getName());
49 
60  @Messages({"CorrelationAttributeUtil.emailaddresses.text=Email Addresses"})
61  private static String getEmailAddressAttrDisplayName() {
62  return Bundle.CorrelationAttributeUtil_emailaddresses_text();
63  }
64 
65  // Defines which artifact types act as the sources for CR data.
66  // Most notably, does not include KEYWORD HIT, CALLLOGS, MESSAGES, CONTACTS
67  // TSK_INTERESTING_ARTIFACT_HIT (See JIRA-6129 for more details on the
68  // interesting artifact hit).
69 
70  // IMPORTANT: This set should be updated for new artifacts types that need to
71  // be inserted into the CR.
72  private static final Set<Integer> SOURCE_TYPES_FOR_CR_INSERT = new HashSet<Integer>() {{
73  add(ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID());
74  add(ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID());
75  add(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID());
76  add(ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID());
77  add(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID());
78  add(ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID());
79  add(ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID());
80  add(ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID());
81  add(ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID());
82  add(ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID());
83  add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID());
84  add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID());
85  add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID());
86  }};
87 
101  public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(BlackboardArtifact artifact) {
102  if(SOURCE_TYPES_FOR_CR_INSERT.contains(artifact.getArtifactTypeID())) {
103  // Restrict the correlation attributes to use for saving.
104  // The artifacts which are suitable for saving are a subset of the
105  // artifacts that are suitable for correlating.
106  return makeCorrAttrsForCorrelation(artifact);
107  }
108  // Return an empty collection.
109  return new ArrayList<>();
110  }
111 
136  public static List<CorrelationAttributeInstance> makeCorrAttrsForCorrelation(BlackboardArtifact artifact) {
137  List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
138  try {
139  BlackboardArtifact sourceArtifact = getCorrAttrSourceArtifact(artifact);
140  if (sourceArtifact != null) {
141  int artifactTypeID = sourceArtifact.getArtifactTypeID();
142  if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
143  BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
144  if (setNameAttr != null && CorrelationAttributeUtil.getEmailAddressAttrDisplayName().equals(setNameAttr.getValueString())) {
145  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD, CorrelationAttributeInstance.EMAIL_TYPE_ID);
146  }
147  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()
148  || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()
149  || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()
150  || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
151  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, CorrelationAttributeInstance.DOMAIN_TYPE_ID);
152 
153  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
154  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID, CorrelationAttributeInstance.USBID_TYPE_ID);
155  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
156 
157  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
158  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SSID, CorrelationAttributeInstance.SSID_TYPE_ID);
159 
160  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
161  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
162  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
163  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
164 
165  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
166  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI, CorrelationAttributeInstance.IMEI_TYPE_ID);
167  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
168  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
169 
170  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
171  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
172  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
173 
174  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
175  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, CorrelationAttributeInstance.PHONE_TYPE_ID);
176  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, CorrelationAttributeInstance.EMAIL_TYPE_ID);
177 
178  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
179  makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact);
180 
181  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
182  || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
183  || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
184  makeCorrAttrsFromCommunicationArtifacts(correlationAttrs, sourceArtifact);
185  }
186  }
187  } catch (CentralRepoException ex) {
188  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
189  return correlationAttrs;
190  } catch (TskCoreException ex) {
191  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
192  return correlationAttrs;
193  } catch (NoCurrentCaseException ex) {
194  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
195  return correlationAttrs;
196  }
197  return correlationAttrs;
198  }
199 
212  private static void makeCorrAttrsFromCommunicationArtifacts(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact) throws TskCoreException, CentralRepoException {
213  CorrelationAttributeInstance corrAttr = null;
214 
215  /*
216  * Extract the phone number from the artifact attribute.
217  */
218  String value = null;
219  if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
220  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
221  } else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
222  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
223  } else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
224  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
225  }
226 
227  /*
228  * Normalize the phone number.
229  */
230  if (value != null) {
231  if(CommunicationsUtils.isValidPhoneNumber(value)) {
232  value = CommunicationsUtils.normalizePhoneNum(value);
233  corrAttr = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.PHONE_TYPE_ID), value);
234  if(corrAttr != null) {
235  corrAttrInstances.add(corrAttr);
236  }
237  }
238  }
239  }
240 
254  private static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact) throws NoCurrentCaseException, TskCoreException {
255  BlackboardArtifact sourceArtifact = null;
256  if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifact.getArtifactTypeID()) {
257  BlackboardAttribute assocArtifactAttr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
258  if (assocArtifactAttr != null) {
259  sourceArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(assocArtifactAttr.getValueLong());
260  }
261  } else {
262  sourceArtifact = artifact;
263  }
264  return sourceArtifact;
265  }
266 
280  private static void makeCorrAttrFromAcctArtifact(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact acctArtifact) throws TskCoreException, CentralRepoException {
281 
282  // Get the account type from the artifact
283  BlackboardAttribute accountTypeAttribute = acctArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE));
284  String accountTypeStr = accountTypeAttribute.getValueString();
285 
286  // @@TODO Vik-6136: CR currently does not know of custom account types.
287  // Ensure there is a predefined account type for this account.
288  Account.Type predefinedAccountType = Account.Type.PREDEFINED_ACCOUNT_TYPES.stream().filter(type -> type.getTypeName().equalsIgnoreCase(accountTypeStr)).findAny().orElse(null);
289 
290  // do not create any correlation attribute instance for a Device account
291  if (Account.Type.DEVICE.getTypeName().equalsIgnoreCase(accountTypeStr) == false && predefinedAccountType != null) {
292 
293  // Get the corresponding CentralRepoAccountType from the database.
294  CentralRepoAccountType crAccountType = CentralRepository.getInstance().getAccountTypeByName(accountTypeStr);
295 
296  int corrTypeId = crAccountType.getCorrelationTypeId();
297  CorrelationAttributeInstance.Type corrType = CentralRepository.getInstance().getCorrelationTypeById(corrTypeId);
298 
299  // Get the account identifier
300  BlackboardAttribute accountIdAttribute = acctArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ID));
301  String accountIdStr = accountIdAttribute.getValueString();
302 
303  // add/get the account and get its accountId.
304  CentralRepoAccount crAccount = CentralRepository.getInstance().getOrCreateAccount(crAccountType, accountIdStr);
305 
306  CorrelationAttributeInstance corrAttr = makeCorrAttr(acctArtifact, corrType, accountIdStr);
307  if (corrAttr != null) {
308  // set the account_id in correlation attribute
309  corrAttr.setAccountId(crAccount.getId());
310  corrAttrInstances.add(corrAttr);
311  }
312  }
313  }
314 
332  private static void makeCorrAttrFromArtifactAttr(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId) throws CentralRepoException, TskCoreException {
333  BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(artAttrType));
334  if (attribute != null) {
335  String value = attribute.getValueString();
336  if ((null != value) && (value.isEmpty() == false)) {
337  CorrelationAttributeInstance inst = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(typeId), value);
338  if (inst != null) {
339  corrAttrInstances.add(inst);
340  }
341  }
342  }
343  }
344 
362  private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) {
363  try {
364  Case currentCase = Case.getCurrentCaseThrows();
365  AbstractFile bbSourceFile = currentCase.getSleuthkitCase().getAbstractFileById(artifact.getObjectID());
366  if (null == bbSourceFile) {
367  logger.log(Level.SEVERE, "Error creating artifact instance. Abstract File was null."); // NON-NLS
368  return null;
369  }
370 
371  CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
372  return new CorrelationAttributeInstance(
373  correlationType,
374  value,
375  correlationCase,
376  CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()),
377  bbSourceFile.getParentPath() + bbSourceFile.getName(),
378  "",
379  TskData.FileKnown.UNKNOWN,
380  bbSourceFile.getId());
381 
382  } catch (TskCoreException ex) {
383  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
384  return null;
385  } catch (CentralRepoException ex) {
386  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
387  return null;
388  } catch (CorrelationAttributeNormalizationException ex) {
389  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", artifact), ex); // NON-NLS
390  return null;
391  } catch (NoCurrentCaseException ex) {
392  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
393  return null;
394  }
395  }
396 
413  public static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file) {
414 
415  if (!isSupportedAbstractFileType(file)) {
416  return null;
417  }
418 
419  CorrelationAttributeInstance.Type type;
420  CorrelationCase correlationCase;
421  CorrelationDataSource correlationDataSource;
422 
423  try {
424  type = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
425  correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
426  if (null == correlationCase) {
427  //if the correlationCase is not in the Central repo then attributes generated in relation to it will not be
428  return null;
429  }
430  correlationDataSource = CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource());
431  } catch (TskCoreException ex) {
432  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", file), ex); // NON-NLS
433  return null;
434  } catch (CentralRepoException ex) {
435  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
436  return null;
437  } catch (NoCurrentCaseException ex) {
438  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
439  return null;
440  }
441 
442  CorrelationAttributeInstance correlationAttributeInstance;
443  try {
444  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getId());
445  } catch (CentralRepoException ex) {
446  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
447  return null;
448  } catch (CorrelationAttributeNormalizationException ex) {
449  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
450  return null;
451  }
452 
453  /*
454  * If no correlation attribute instance was found when querying by file
455  * object ID, try searching by file path instead. This is necessary
456  * because file object IDs were not stored in the central repository in
457  * early versions of its schema.
458  */
459  if (correlationAttributeInstance == null && file.getMd5Hash() != null) {
460  String filePath = (file.getParentPath() + file.getName()).toLowerCase();
461  try {
462  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getMd5Hash(), filePath);
463  } catch (CentralRepoException ex) {
464  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
465  return null;
466  } catch (CorrelationAttributeNormalizationException ex) {
467  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
468  return null;
469  }
470  }
471 
472  return correlationAttributeInstance;
473  }
474 
493  public static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file) {
494 
495  if (!isSupportedAbstractFileType(file)) {
496  return null;
497  }
498 
499  // We need a hash to make the correlation artifact instance.
500  String md5 = file.getMd5Hash();
501  if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
502  return null;
503  }
504 
505  try {
506  CorrelationAttributeInstance.Type filesType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
507 
508  CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
509  return new CorrelationAttributeInstance(
510  filesType,
511  file.getMd5Hash(),
512  correlationCase,
513  CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource()),
514  file.getParentPath() + file.getName(),
515  "",
516  TskData.FileKnown.UNKNOWN,
517  file.getId());
518 
519  } catch (TskCoreException ex) {
520  logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS
521  return null;
522  } catch (CentralRepoException ex) {
523  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
524  return null;
525  } catch (CorrelationAttributeNormalizationException ex) {
526  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
527  return null;
528  } catch (NoCurrentCaseException ex) {
529  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
530  return null;
531  }
532  }
533 
542  public static boolean isSupportedAbstractFileType(AbstractFile file) {
543  if (file == null) {
544  return false;
545  }
546  switch (file.getType()) {
547  case UNALLOC_BLOCKS:
548  case UNUSED_BLOCKS:
549  case SLACK:
550  case VIRTUAL_DIR:
551  case LOCAL_DIR:
552  return false;
553  case CARVED:
554  case DERIVED:
555  case LOCAL:
556  case LAYOUT_FILE:
557  return true;
558  case FS:
559  return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
560  default:
561  logger.log(Level.WARNING, "Unexpected file type {0}", file.getType().getName());
562  return false;
563  }
564  }
565 
569  private CorrelationAttributeUtil() {
570  }
571 
572 }
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)
Definition: CorrelationAttributeUtil.java:362
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
Definition: CorrelationDataSource.java:113
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromFile
static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file)
Definition: CorrelationAttributeUtil.java:493
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation
static List< CorrelationAttributeInstance > makeCorrAttrsForCorrelation(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:136
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts
static void makeCorrAttrsFromCommunicationArtifacts(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:212
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile
static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file)
Definition: CorrelationAttributeUtil.java:413
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr
static void makeCorrAttrFromArtifactAttr(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId)
Definition: CorrelationAttributeUtil.java:332
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationAttributeInstance
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrSourceArtifact
static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:254
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:101
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact
static void makeCorrAttrFromAcctArtifact(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact)
Definition: CorrelationAttributeUtil.java:280
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getAccountTypeByName
CentralRepoAccountType getAccountTypeByName(String accountTypeName)
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getOrCreateAccount
CentralRepoAccount getOrCreateAccount(CentralRepoAccount.CentralRepoAccountType crAccountType, String accountUniqueID)

Copyright © 2012-2020 Basis Technology. Generated on: Mon Jul 6 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.