Autopsy  4.18.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CaseEventListener.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2017-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
20 
21 import com.google.common.util.concurrent.ThreadFactoryBuilder;
22 import java.beans.PropertyChangeEvent;
23 import java.beans.PropertyChangeListener;
24 import java.util.Arrays;
25 import java.util.Collection;
26 import java.util.EnumSet;
27 import java.util.List;
28 import java.util.Optional;
29 import java.util.Set;
30 import java.util.concurrent.ExecutorService;
31 import java.util.concurrent.Executors;
32 import java.util.logging.Level;
33 import java.util.stream.Collectors;
34 import org.apache.commons.lang.StringUtils;
35 import org.openide.util.Exceptions;
36 import org.openide.util.NbBundle;
37 import org.openide.util.NbBundle.Messages;
55 import org.sleuthkit.datamodel.AbstractFile;
56 import org.sleuthkit.datamodel.BlackboardArtifact;
57 import org.sleuthkit.datamodel.BlackboardArtifactTag;
58 import org.sleuthkit.datamodel.Content;
59 import org.sleuthkit.datamodel.ContentTag;
60 import org.sleuthkit.datamodel.TagName;
61 import org.sleuthkit.datamodel.TskCoreException;
62 import org.sleuthkit.datamodel.TskData;
65 import org.sleuthkit.datamodel.Tag;
67 import org.sleuthkit.datamodel.Blackboard;
68 import org.sleuthkit.datamodel.BlackboardAttribute;
69 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT;
70 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT;
71 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
72 import org.sleuthkit.datamodel.OsAccount;
73 import org.sleuthkit.datamodel.OsAccountInstance;
74 import org.sleuthkit.datamodel.Score;
75 import org.sleuthkit.datamodel.SleuthkitCase;
76 
81 @Messages({"caseeventlistener.evidencetag=Evidence"})
82 public final class CaseEventListener implements PropertyChangeListener {
83 
84  private static final Logger LOGGER = Logger.getLogger(CaseEventListener.class.getName());
85  private final ExecutorService jobProcessingExecutor;
86  private static final String CASE_EVENT_THREAD_NAME = "Case-Event-Listener-%d";
87 
88  private static final Set<Case.Events> CASE_EVENTS_OF_INTEREST = EnumSet.of(
97 
98  public CaseEventListener() {
99  jobProcessingExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat(CASE_EVENT_THREAD_NAME).build());
100  }
101 
102  public void shutdown() {
103  ThreadUtils.shutDownTaskExecutor(jobProcessingExecutor);
104  }
105 
106  @Override
107  public void propertyChange(PropertyChangeEvent evt) {
108  if (!(evt instanceof AutopsyEvent) || (((AutopsyEvent) evt).getSourceType() != AutopsyEvent.SourceType.LOCAL)) {
109  return;
110  }
111 
112  CentralRepository dbManager;
113  try {
114  dbManager = CentralRepository.getInstance();
115  } catch (CentralRepoException ex) {
116  LOGGER.log(Level.SEVERE, "Failed to get instance of db manager.", ex);
117  return;
118  }
119 
120  // If any changes are made to which event types are handled the change
121  // must also be made to CASE_EVENTS_OF_INTEREST.
122  switch (Case.Events.valueOf(evt.getPropertyName())) {
123  case CONTENT_TAG_ADDED:
124  case CONTENT_TAG_DELETED: {
125  jobProcessingExecutor.submit(new ContentTagTask(dbManager, evt));
126  }
127  break;
128 
129  case BLACKBOARD_ARTIFACT_TAG_DELETED:
130  case BLACKBOARD_ARTIFACT_TAG_ADDED: {
131  jobProcessingExecutor.submit(new BlackboardTagTask(dbManager, evt));
132  }
133  break;
134 
135  case DATA_SOURCE_ADDED: {
136  jobProcessingExecutor.submit(new DataSourceAddedTask(dbManager, evt));
137  }
138  break;
139  case TAG_DEFINITION_CHANGED: {
140  jobProcessingExecutor.submit(new TagDefinitionChangeTask(evt));
141  }
142  break;
143  case CURRENT_CASE: {
144  jobProcessingExecutor.submit(new CurrentCaseTask(dbManager, evt));
145  }
146  break;
147  case DATA_SOURCE_NAME_CHANGED: {
148  jobProcessingExecutor.submit(new DataSourceNameChangedTask(dbManager, evt));
149  }
150  break;
151  case OS_ACCT_INSTANCES_ADDED: {
152  if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) {
153  jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt));
154  }
155  }
156  break;
157  }
158  }
159 
160  /*
161  * Add all of our Case Event Listeners to the case.
162  */
163  public void installListeners() {
164  Case.addEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this);
165  }
166 
167  /*
168  * Remove all of our Case Event Listeners from the case.
169  */
170  public void uninstallListeners() {
171  Case.removeEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this);
172  }
173 
181  private static boolean isNotableTag(Tag t) {
182  return (t != null && isNotableTagName(t.getName()));
183  }
184 
192  private static boolean isNotableTagName(TagName t) {
193  return (t != null && TagsManager.getNotableTagDisplayNames().contains(t.getDisplayName()));
194  }
195 
203  private static boolean hasNotableTag(List<? extends Tag> tags) {
204  if (tags == null) {
205  return false;
206  }
207 
208  return tags.stream()
210  .findFirst()
211  .isPresent();
212  }
213 
214  private final class ContentTagTask implements Runnable {
215 
217  private final PropertyChangeEvent event;
218 
219  private ContentTagTask(CentralRepository db, PropertyChangeEvent evt) {
220  dbManager = db;
221  event = evt;
222  }
223 
224  @Override
225  public void run() {
226  if (!CentralRepository.isEnabled()) {
227  return;
228  }
229 
230  Case.Events curEventType = Case.Events.valueOf(event.getPropertyName());
231  if (curEventType == Case.Events.CONTENT_TAG_ADDED && event instanceof ContentTagAddedEvent) {
232  handleTagAdded((ContentTagAddedEvent) event);
233  } else if (curEventType == Case.Events.CONTENT_TAG_DELETED && event instanceof ContentTagDeletedEvent) {
234  handleTagDeleted((ContentTagDeletedEvent) event);
235  } else {
236  LOGGER.log(Level.SEVERE,
237  String.format("Received an event %s of type %s and was expecting either CONTENT_TAG_ADDED or CONTENT_TAG_DELETED.",
238  event, curEventType));
239  }
240  }
241 
243  // ensure tag deleted event has a valid content id
244  if (evt.getDeletedTagInfo() == null) {
245  LOGGER.log(Level.SEVERE, "ContentTagDeletedEvent did not have valid content to provide a content id.");
246  return;
247  }
248 
249  try {
250  // obtain content
251  Content content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(evt.getDeletedTagInfo().getContentID());
252  if (content == null) {
253  LOGGER.log(Level.WARNING,
254  String.format("Unable to get content for item with content id: %d.", evt.getDeletedTagInfo().getContentID()));
255  return;
256  }
257 
258  // then handle the event
259  handleTagChange(content);
260  } catch (NoCurrentCaseException | TskCoreException ex) {
261  LOGGER.log(Level.WARNING, "Error updating non-file object: " + evt.getDeletedTagInfo().getContentID(), ex);
262  }
263  }
264 
266  // ensure tag added event has a valid content id
267  if (evt.getAddedTag() == null || evt.getAddedTag().getContent() == null) {
268  LOGGER.log(Level.SEVERE, "ContentTagAddedEvent did not have valid content to provide a content id.");
269  return;
270  }
271 
272  // then handle the event
273  handleTagChange(evt.getAddedTag().getContent());
274  }
275 
283  private void handleTagChange(Content content) {
284  AbstractFile af = null;
285  try {
286  af = Case.getCurrentCaseThrows().getSleuthkitCase().getAbstractFileById(content.getId());
287  } catch (NoCurrentCaseException | TskCoreException ex) {
288  Long contentID = (content != null) ? content.getId() : null;
289  LOGGER.log(Level.WARNING, "Error updating non-file object: " + contentID, ex);
290  }
291 
292  if (af == null) {
293  return;
294  }
295 
296  try {
297  // Get the tags on the content object
299 
300  if (hasNotableTag(tagsManager.getContentTagsByContent(content))) {
301  // if there is a notable tag on the object, set content known status to bad
302  setContentKnownStatus(af, TskData.FileKnown.BAD);
303  } else {
304  // otherwise, set to unknown
305  setContentKnownStatus(af, TskData.FileKnown.UNKNOWN);
306  }
307  } catch (TskCoreException | NoCurrentCaseException ex) {
308  LOGGER.log(Level.SEVERE, "Failed to obtain tags manager for case.", ex);
309  }
310  }
311 
321  private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) {
323 
324  if (eamArtifact != null) {
325  // send update to Central Repository db
326  try {
327  dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus);
328  } catch (CentralRepoException ex) {
329  LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS
330  }
331  }
332  }
333  }
334 
335  private final class BlackboardTagTask implements Runnable {
336 
338  private final PropertyChangeEvent event;
339 
340  private BlackboardTagTask(CentralRepository db, PropertyChangeEvent evt) {
341  dbManager = db;
342  event = evt;
343  }
344 
345  @Override
346  public void run() {
347  if (!CentralRepository.isEnabled()) {
348  return;
349  }
350 
351  Case.Events curEventType = Case.Events.valueOf(event.getPropertyName());
352  if (curEventType == Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED && event instanceof BlackBoardArtifactTagAddedEvent) {
353  handleTagAdded((BlackBoardArtifactTagAddedEvent) event);
354  } else if (curEventType == Case.Events.BLACKBOARD_ARTIFACT_TAG_DELETED && event instanceof BlackBoardArtifactTagDeletedEvent) {
355  handleTagDeleted((BlackBoardArtifactTagDeletedEvent) event);
356  } else {
357  LOGGER.log(Level.WARNING,
358  String.format("Received an event %s of type %s and was expecting either CONTENT_TAG_ADDED or CONTENT_TAG_DELETED.",
359  event, curEventType));
360  }
361  }
362 
364  // ensure tag deleted event has a valid content id
365  if (evt.getDeletedTagInfo() == null) {
366  LOGGER.log(Level.SEVERE, "BlackBoardArtifactTagDeletedEvent did not have valid content to provide a content id.");
367  return;
368  }
369 
370  try {
371  Case openCase = Case.getCurrentCaseThrows();
372 
373  // obtain content
374  Content content = openCase.getSleuthkitCase().getContentById(evt.getDeletedTagInfo().getContentID());
375  if (content == null) {
376  LOGGER.log(Level.WARNING,
377  String.format("Unable to get content for item with content id: %d.", evt.getDeletedTagInfo().getContentID()));
378  return;
379  }
380 
381  // obtain blackboard artifact
382  BlackboardArtifact bbArtifact = openCase.getSleuthkitCase().getBlackboardArtifact(evt.getDeletedTagInfo().getArtifactID());
383  if (bbArtifact == null) {
384  LOGGER.log(Level.WARNING,
385  String.format("Unable to get blackboard artifact for item with artifact id: %d.", evt.getDeletedTagInfo().getArtifactID()));
386  return;
387  }
388 
389  // then handle the event
390  handleTagChange(content, bbArtifact);
391  } catch (NoCurrentCaseException | TskCoreException ex) {
392  LOGGER.log(Level.WARNING, "Error updating non-file object.", ex);
393  }
394  }
395 
397  // ensure tag added event has a valid content id
398  if (evt.getAddedTag() == null || evt.getAddedTag().getContent() == null || evt.getAddedTag().getArtifact() == null) {
399  LOGGER.log(Level.SEVERE, "BlackBoardArtifactTagAddedEvent did not have valid content to provide a content id.");
400  return;
401  }
402 
403  // then handle the event
404  handleTagChange(evt.getAddedTag().getContent(), evt.getAddedTag().getArtifact());
405  }
406 
415  private void handleTagChange(Content content, BlackboardArtifact bbArtifact) {
416  Case openCase;
417  try {
418  openCase = Case.getCurrentCaseThrows();
419  } catch (NoCurrentCaseException ex) {
420  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex);
421  return;
422  }
423 
424  try {
425  if (isKnownFile(content)) {
426  return;
427  }
428 
429  TagsManager tagsManager = openCase.getServices().getTagsManager();
430  List<BlackboardArtifactTag> tags = tagsManager.getBlackboardArtifactTagsByArtifact(bbArtifact);
431  if (hasNotableTag(tags)) {
432  setArtifactKnownStatus(bbArtifact, TskData.FileKnown.BAD);
433  } else {
434  setArtifactKnownStatus(bbArtifact, TskData.FileKnown.UNKNOWN);
435  }
436  } catch (TskCoreException ex) {
437  LOGGER.log(Level.SEVERE, "Failed to obtain tags manager for case.", ex);
438  return;
439  }
440  }
441 
449  private boolean isKnownFile(Content content) {
450  return ((content instanceof AbstractFile) && (((AbstractFile) content).getKnown() == TskData.FileKnown.KNOWN));
451  }
452 
460  private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) {
461  List<CorrelationAttributeInstance> convertedArtifacts = CorrelationAttributeUtil.makeCorrAttrsForCorrelation(bbArtifact);
462  for (CorrelationAttributeInstance eamArtifact : convertedArtifacts) {
463  try {
464  dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus);
465  } catch (CentralRepoException ex) {
466  LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS
467  }
468  }
469  }
470 
471  }
472 
473  private final class TagDefinitionChangeTask implements Runnable {
474 
475  private final PropertyChangeEvent event;
476 
477  private TagDefinitionChangeTask(PropertyChangeEvent evt) {
478  event = evt;
479  }
480 
481  @Override
482  public void run() {
483  if (!CentralRepository.isEnabled()) {
484  return;
485  }
486  //get the display name of the tag that has had it's definition modified
487  String modifiedTagName = (String) event.getOldValue();
488 
489  /*
490  * Set knownBad status for all files/artifacts in the given case
491  * that are tagged with the given tag name.
492  */
493  try {
494  TagName tagName = Case.getCurrentCaseThrows().getServices().getTagsManager().getDisplayNamesToTagNamesMap().get(modifiedTagName);
495  //First update the artifacts
496  //Get all BlackboardArtifactTags with this tag name
497  List<BlackboardArtifactTag> artifactTags = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifactTagsByTagName(tagName);
498  for (BlackboardArtifactTag bbTag : artifactTags) {
499  //start with assumption that none of the other tags applied to this Correlation Attribute will prevent it's status from being changed
500  boolean hasTagWithConflictingKnownStatus = false;
501  // if the status of the tag has been changed to TskData.FileKnown.UNKNOWN
502  // we need to check the status of all other tags on this correlation attribute before changing
503  // the status of the correlation attribute in the central repository
504  if (tagName.getKnownStatus() == TskData.FileKnown.UNKNOWN) {
505  Content content = bbTag.getContent();
506  // If the content which this Blackboard Artifact Tag is linked to is an AbstractFile with KNOWN status then
507  // it's status in the central reporsitory should not be changed to UNKNOWN
508  if ((content instanceof AbstractFile) && (((AbstractFile) content).getKnown() == TskData.FileKnown.KNOWN)) {
509  continue;
510  }
511  //Get the BlackboardArtifact which this BlackboardArtifactTag has been applied to.
512  BlackboardArtifact bbArtifact = bbTag.getArtifact();
514  List<BlackboardArtifactTag> tags = tagsManager.getBlackboardArtifactTagsByArtifact(bbArtifact);
515  //get all tags which are on this blackboard artifact
516  for (BlackboardArtifactTag t : tags) {
517  //All instances of the modified tag name will be changed, they can not conflict with each other
518  if (t.getName().equals(tagName)) {
519  continue;
520  }
521  //if any other tags on this artifact are Notable in status then this artifact can not have its status changed
522  if (TskData.FileKnown.BAD == t.getName().getKnownStatus()) {
523  //a tag with a conflicting status has been found, the status of this correlation attribute can not be modified
524  hasTagWithConflictingKnownStatus = true;
525  break;
526  }
527  }
528  }
529  //if the Correlation Attribute will have no tags with a status which would prevent the current status from being changed
530  if (!hasTagWithConflictingKnownStatus) {
531  //Get the correlation atttributes that correspond to the current BlackboardArtifactTag if their status should be changed
532  //with the initial set of correlation attributes this should be a single correlation attribute
533  List<CorrelationAttributeInstance> convertedArtifacts = CorrelationAttributeUtil.makeCorrAttrsForCorrelation(bbTag.getArtifact());
534  for (CorrelationAttributeInstance eamArtifact : convertedArtifacts) {
535  CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact, tagName.getKnownStatus());
536  }
537  }
538  }
539  // Next update the files
540 
541  List<ContentTag> fileTags = Case.getCurrentCaseThrows().getSleuthkitCase().getContentTagsByTagName(tagName);
542  //Get all ContentTags with this tag name
543  for (ContentTag contentTag : fileTags) {
544  //start with assumption that none of the other tags applied to this ContentTag will prevent it's status from being changed
545  boolean hasTagWithConflictingKnownStatus = false;
546  // if the status of the tag has been changed to TskData.FileKnown.UNKNOWN
547  // we need to check the status of all other tags on this file before changing
548  // the status of the file in the central repository
549  if (tagName.getKnownStatus() == TskData.FileKnown.UNKNOWN) {
550  Content content = contentTag.getContent();
552  List<ContentTag> tags = tagsManager.getContentTagsByContent(content);
553  //get all tags which are on this file
554  for (ContentTag t : tags) {
555  //All instances of the modified tag name will be changed, they can not conflict with each other
556  if (t.getName().equals(tagName)) {
557  continue;
558  }
559  //if any other tags on this file are Notable in status then this file can not have its status changed
560  if (TskData.FileKnown.BAD == t.getName().getKnownStatus()) {
561  //a tag with a conflicting status has been found, the status of this file can not be modified
562  hasTagWithConflictingKnownStatus = true;
563  break;
564  }
565  }
566  }
567  //if the file will have no tags with a status which would prevent the current status from being changed
568  if (!hasTagWithConflictingKnownStatus) {
569  Content taggedContent = contentTag.getContent();
570  if (taggedContent instanceof AbstractFile) {
571  final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile((AbstractFile) taggedContent);
572  if (eamArtifact != null) {
574  }
575  }
576  }
577  }
578  } catch (TskCoreException ex) {
579  LOGGER.log(Level.SEVERE, "Cannot update known status in central repository for tag: " + modifiedTagName, ex); //NON-NLS
580  } catch (CentralRepoException ex) {
581  LOGGER.log(Level.SEVERE, "Cannot get central repository for tag: " + modifiedTagName, ex); //NON-NLS
582  } catch (NoCurrentCaseException ex) {
583  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
584  }
585  } //TAG_STATUS_CHANGED
586  }
587 
588  private final class DataSourceAddedTask implements Runnable {
589 
591  private final PropertyChangeEvent event;
592 
593  private DataSourceAddedTask(CentralRepository db, PropertyChangeEvent evt) {
594  dbManager = db;
595  event = evt;
596  }
597 
598  @Override
599  public void run() {
600  if (!CentralRepository.isEnabled()) {
601  return;
602  }
603  Case openCase;
604  try {
605  openCase = Case.getCurrentCaseThrows();
606  } catch (NoCurrentCaseException ex) {
607  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex);
608  return;
609  }
610 
611  final DataSourceAddedEvent dataSourceAddedEvent = (DataSourceAddedEvent) event;
612  Content newDataSource = dataSourceAddedEvent.getDataSource();
613 
614  try {
615  CorrelationCase correlationCase = dbManager.getCase(openCase);
616  if (null == dbManager.getDataSource(correlationCase, newDataSource.getId())) {
617  CorrelationDataSource.fromTSKDataSource(correlationCase, newDataSource);
618  }
619  } catch (CentralRepoException ex) {
620  LOGGER.log(Level.SEVERE, "Error adding new data source to the central repository", ex); //NON-NLS
621  }
622  } // DATA_SOURCE_ADDED
623  }
624 
625  private final class CurrentCaseTask implements Runnable {
626 
628  private final PropertyChangeEvent event;
629 
630  private CurrentCaseTask(CentralRepository db, PropertyChangeEvent evt) {
631  dbManager = db;
632  event = evt;
633  }
634 
635  @Override
636  public void run() {
637  /*
638  * A case has been opened if evt.getOldValue() is null and
639  * evt.getNewValue() is a valid Case.
640  */
641  if ((null == event.getOldValue()) && (event.getNewValue() instanceof Case)) {
642  Case curCase = (Case) event.getNewValue();
643  IngestEventsListener.resetCeModuleInstanceCount();
644 
645  if (!CentralRepository.isEnabled()) {
646  return;
647  }
648 
649  try {
650  // NOTE: Cannot determine if the opened case is a new case or a reopened case,
651  // so check for existing name in DB and insert if missing.
652  if (dbManager.getCase(curCase) == null) {
653  dbManager.newCase(curCase);
654  }
655  } catch (CentralRepoException ex) {
656  LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database.", ex); //NON-NLS
657  }
658  }
659  } // CURRENT_CASE
660  }
661 
662  @NbBundle.Messages({"CaseEventsListener.module.name=Central Repository",
663  "CaseEventsListener.prevCaseComment.text=Users seen in previous cases",
664  "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"})
668  private final class OsAccountInstancesAddedTask implements Runnable {
669 
671  private final PropertyChangeEvent event;
672  private final String MODULE_NAME = Bundle.CaseEventsListener_module_name();
673 
674  private OsAccountInstancesAddedTask(CentralRepository db, PropertyChangeEvent evt) {
675  dbManager = db;
676  event = evt;
677  }
678 
679  @Override
680  public void run() {
681  if (!CentralRepository.isEnabled()) {
682  return;
683  }
684 
685  final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event;
686  List<OsAccountInstance> addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances();
687  for (OsAccountInstance osAccountInstance : addedOsAccountNew) {
688  try {
689  OsAccount osAccount = osAccountInstance.getOsAccount();
690  Optional<String> accountAddr = osAccount.getAddr();
691  // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system
692  // and they are not unique
693  if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) {
694  return;
695  }
696  try {
697 
699  CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
701  accountAddr.get(),
702  correlationCase,
703  CorrelationDataSource.fromTSKDataSource(correlationCase, osAccountInstance.getDataSource()),
704  "",
705  "",
706  TskData.FileKnown.KNOWN,
707  osAccount.getId());
708 
709  dbManager.addArtifactInstance(correlationAttributeInstance);
710 
711  List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue());
712  List<String> caseDisplayNames;
713  for (CorrelationAttributeInstance instance : previousOccurences) {
714  if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) {
715  caseDisplayNames = dbManager.getListCasesHavingArtifactInstances(correlationAttributeInstance.getCorrelationType(), correlationAttributeInstance.getCorrelationValue());
716  SleuthkitCase tskCase = osAccount.getSleuthkitCase();
717  Blackboard blackboard = tskCase.getBlackboard();
718 
719  Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(
720  new BlackboardAttribute(
721  TSK_SET_NAME, MODULE_NAME,
722  Bundle.CaseEventsListener_prevExists_text()),
723  new BlackboardAttribute(
724  TSK_COMMENT, MODULE_NAME,
725  Bundle.CaseEventsListener_prevCaseComment_text()));
726  BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult(
727  BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE,
728  null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult();
729  try {
730  // index the artifact for keyword search
731  blackboard.postArtifact(newAnalysisResult, MODULE_NAME);
732  break;
733  } catch (Blackboard.BlackboardException ex) {
734  LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS
735  }
736  }
737  }
738 
739  } catch (CentralRepoException ex) {
740  LOGGER.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", accountAddr.get()), ex); //NON-NLS
741  } catch (NoCurrentCaseException ex) {
742  LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
744  LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS
745  }
746 
747  } catch (TskCoreException ex) {
748  LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex);
749  }
750  }
751  }
752  }
753 
754  private final class DataSourceNameChangedTask implements Runnable {
755 
757  private final PropertyChangeEvent event;
758 
759  private DataSourceNameChangedTask(CentralRepository db, PropertyChangeEvent evt) {
760  dbManager = db;
761  event = evt;
762  }
763 
764  @Override
765  public void run() {
766 
767  final DataSourceNameChangedEvent dataSourceNameChangedEvent = (DataSourceNameChangedEvent) event;
768  Content dataSource = dataSourceNameChangedEvent.getDataSource();
769  String newName = (String) event.getNewValue();
770 
771  if (!StringUtils.isEmpty(newName)) {
772 
773  if (!CentralRepository.isEnabled()) {
774  return;
775  }
776 
777  try {
778  CorrelationCase correlationCase = dbManager.getCase(Case.getCurrentCaseThrows());
779  CorrelationDataSource existingEamDataSource = dbManager.getDataSource(correlationCase, dataSource.getId());
780  dbManager.updateDataSourceName(existingEamDataSource, newName);
781  } catch (CentralRepoException ex) {
782  LOGGER.log(Level.SEVERE, "Error updating data source with ID " + dataSource.getId() + " to " + newName, ex); //NON-NLS
783  } catch (NoCurrentCaseException ex) {
784  LOGGER.log(Level.SEVERE, "No open case", ex);
785  }
786  }
787  } // DATA_SOURCE_NAME_CHANGED
788  }
789 }
List< String > getListCasesHavingArtifactInstances(CorrelationAttributeInstance.Type aType, String value)
List< CorrelationAttributeInstance > getArtifactInstancesByTypeValue(CorrelationAttributeInstance.Type aType, String value)
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
List< ContentTag > getContentTagsByContent(Content content)
static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file)
void setAttributeInstanceKnownStatus(CorrelationAttributeInstance eamArtifact, TskData.FileKnown knownStatus)
void addArtifactInstance(CorrelationAttributeInstance eamArtifact)
static List< CorrelationAttributeInstance > makeCorrAttrsForCorrelation(BlackboardArtifact artifact)
static void shutDownTaskExecutor(ExecutorService executor)
void updateDataSourceName(CorrelationDataSource eamDataSource, String newName)
void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus)
CorrelationDataSource getDataSource(CorrelationCase correlationCase, Long caseDbDataSourceId)
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:676
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:721
List< BlackboardArtifactTag > getBlackboardArtifactTagsByArtifact(BlackboardArtifact artifact)

Copyright © 2012-2021 Basis Technology. Generated on: Thu Jul 8 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.