Autopsy  4.17.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
FilesIdentifierIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.interestingitems;
20 
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.Collection;
24 import java.util.List;
25 import java.util.Map;
26 import java.util.concurrent.ConcurrentHashMap;
27 import java.util.logging.Level;
28 import org.openide.util.NbBundle;
29 import org.openide.util.NbBundle.Messages;
30 import org.sleuthkit.autopsy.casemodule.Case;
31 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
32 import org.sleuthkit.autopsy.coreutils.Logger;
33 import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
34 import org.sleuthkit.autopsy.ingest.FileIngestModule;
35 import org.sleuthkit.autopsy.ingest.IngestJobContext;
36 import org.sleuthkit.autopsy.ingest.IngestMessage;
37 import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter;
38 import org.sleuthkit.autopsy.ingest.IngestServices;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.Blackboard;
41 import org.sleuthkit.datamodel.BlackboardArtifact;
42 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT;
43 import org.sleuthkit.datamodel.BlackboardAttribute;
44 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY;
45 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
46 import org.sleuthkit.datamodel.TskCoreException;
47 import org.sleuthkit.datamodel.TskData;
48 
53 @NbBundle.Messages({"FilesIdentifierIngestModule.getFilesError=Error getting interesting files sets from file."})
54 final class FilesIdentifierIngestModule implements FileIngestModule {
55 
56  private static final Object sharedResourcesLock = new Object();
57  private static final Logger logger = Logger.getLogger(FilesIdentifierIngestModule.class.getName());
58  private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();
59  private static final Map<Long, List<FilesSet>> interestingFileSetsByJob = new ConcurrentHashMap<>();
60  private static final String MODULE_NAME = InterestingItemsIngestModuleFactory.getModuleName();
61 
62  private final FilesIdentifierIngestJobSettings settings;
63  private final IngestServices services = IngestServices.getInstance();
64  private IngestJobContext context;
65  private Blackboard blackboard;
66 
73  FilesIdentifierIngestModule(FilesIdentifierIngestJobSettings settings) {
74  this.settings = settings;
75  }
76 
77  @Override
78  public void startUp(IngestJobContext context) throws IngestModuleException {
79  this.context = context;
80  synchronized (FilesIdentifierIngestModule.sharedResourcesLock) {
81  if (FilesIdentifierIngestModule.refCounter.incrementAndGet(context.getJobId()) == 1) {
82  // Starting up the first instance of this module for this ingest
83  // job, so get the interesting file sets definitions snapshot
84  // for the job. Note that getting this snapshot atomically via a
85  // synchronized definitions manager method eliminates the need
86  // to disable the interesting files set definition UI during ingest.
87  List<FilesSet> filesSets = new ArrayList<>();
88  try {
89  for (FilesSet set : FilesSetsManager.getInstance().getInterestingFilesSets().values()) {
90  if (settings.interestingFilesSetIsEnabled(set.getName())) {
91  filesSets.add(set);
92  }
93  }
94  } catch (FilesSetsManager.FilesSetsManagerException ex) {
95  throw new IngestModuleException(Bundle.FilesIdentifierIngestModule_getFilesError(), ex);
96  }
97  FilesIdentifierIngestModule.interestingFileSetsByJob.put(context.getJobId(), filesSets);
98  }
99  }
100  }
101 
102  @Override
103  @Messages({"FilesIdentifierIngestModule.indexError.message=Failed to index interesting file hit artifact for keyword search."})
104  public ProcessResult process(AbstractFile file) {
105  try {
106  blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard();
107  } catch (NoCurrentCaseException ex) {
108  logger.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
109  return ProcessResult.ERROR;
110  }
111 
112  // Skip slack space files.
113  if (file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK)) {
114  return ProcessResult.OK;
115  }
116 
117  // See if the file belongs to any defined interesting files set.
118  List<FilesSet> filesSets = FilesIdentifierIngestModule.interestingFileSetsByJob.get(this.context.getJobId());
119  for (FilesSet filesSet : filesSets) {
120  String ruleSatisfied = filesSet.fileIsMemberOf(file);
121  if (ruleSatisfied != null) {
122  try {
123 
124  Collection<BlackboardAttribute> attributes = Arrays.asList(
125  /*
126  * Add a set name attribute to the artifact. This
127  * adds a fair amount of redundant data to the
128  * attributes table (i.e., rows that differ only in
129  * artifact id), but doing otherwise would requires
130  * reworking the interesting files set hit artifact. */
131  new BlackboardAttribute(
132  TSK_SET_NAME, MODULE_NAME,
133  filesSet.getName()),
134  /*
135  * Add a category attribute to the artifact to
136  * record the interesting files set membership rule
137  * that was satisfied. */
138  new BlackboardAttribute(
139  TSK_CATEGORY, MODULE_NAME,
140  ruleSatisfied)
141  );
142 
143  // Create artifact if it doesn't already exist.
144  if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
145  BlackboardArtifact artifact = file.newArtifact(TSK_INTERESTING_FILE_HIT);
146  artifact.addAttributes(attributes);
147  try {
148 
149  // Post thet artifact to the blackboard.
150  blackboard.postArtifact(artifact, MODULE_NAME);
151  } catch (Blackboard.BlackboardException ex) {
152  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
153  MessageNotifyUtil.Notify.error(Bundle.FilesIdentifierIngestModule_indexError_message(), artifact.getDisplayName());
154  }
155 
156  // make an ingest inbox message
157  StringBuilder detailsSb = new StringBuilder();
158  detailsSb.append("File: ").append(file.getParentPath()).append(file.getName()).append("<br/>\n");
159  detailsSb.append("Rule Set: ").append(filesSet.getName());
160 
161  services.postMessage(IngestMessage.createDataMessage(InterestingItemsIngestModuleFactory.getModuleName(),
162  "Interesting File Match: " + filesSet.getName() + "(" + file.getName() + ")",
163  detailsSb.toString(),
164  file.getName(),
165  artifact));
166  }
167  } catch (TskCoreException ex) {
168  FilesIdentifierIngestModule.logger.log(Level.SEVERE, "Error posting to the blackboard", ex); //NOI18N NON-NLS
169  }
170  }
171  }
172  return ProcessResult.OK;
173  }
174 
175  @Override
176  public void shutDown() {
177  if (context != null) {
178  if (refCounter.decrementAndGet(this.context.getJobId()) == 0) {
179  // Shutting down the last instance of this module for this ingest
180  // job, so discard the interesting file sets definitions snapshot
181  // for the job.
182  FilesIdentifierIngestModule.interestingFileSetsByJob.remove(this.context.getJobId());
183  }
184  }
185  }
186 }

Copyright © 2012-2021 Basis Technology. Generated on: Tue Jan 19 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.