AnalysisResultsViewModel.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2021 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.contentviewers.analysisresults;

import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.tuple.Pair;
import org.openide.nodes.Node;
import org.openide.util.NbBundle;
import org.sleuthkit.datamodel.AnalysisResult;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.Score;
import org.sleuthkit.datamodel.TskCoreException;

public class AnalysisResultsViewModel {

    private static final Logger logger = Logger.getLogger(AnalysisResultsViewModel.class.getName());

    static class ResultDisplayAttributes {

        private final AnalysisResult analysisResult;
        private final List<Pair<String, String>> attributesToDisplay;

        ResultDisplayAttributes(AnalysisResult analysisResult, List<Pair<String, String>> attributesToDisplay) {
            this.analysisResult = analysisResult;
            this.attributesToDisplay = attributesToDisplay;
        }

        List<Pair<String, String>> getAttributesToDisplay() {
            return attributesToDisplay;
        }

        AnalysisResult getAnalysisResult() {
            return analysisResult;
        }
    }

    static class NodeResults {

        private final List<ResultDisplayAttributes> analysisResults;
        private final Optional<AnalysisResult> selectedResult;
        private final Optional<Score> aggregateScore;
        private final Optional<Content> content;

        NodeResults(List<ResultDisplayAttributes> analysisResults, Optional<AnalysisResult> selectedResult, Optional<Score> aggregateScore, Optional<Content> content) {
            this.analysisResults = analysisResults;
            this.selectedResult = selectedResult;
            this.aggregateScore = aggregateScore;
            this.content = content;
        }

        List<ResultDisplayAttributes> getAnalysisResults() {
            return analysisResults;
        }

        Optional<AnalysisResult> getSelectedResult() {
            return selectedResult;
        }

        Optional<Score> getAggregateScore() {
            return aggregateScore;
        }

        Optional<Content> getContent() {
            return content;
        }
    }

    private String normalizeAttr(String originalAttrStr) {
        return (originalAttrStr == null) ? "" : originalAttrStr.trim();
    }

    @NbBundle.Messages({
        "AnalysisResultsViewModel_displayAttributes_score=Score",
        "AnalysisResultsViewModel_displayAttributes_type=Type",
        "AnalysisResultsViewModel_displayAttributes_configuration=Configuration",
        "AnalysisResultsViewModel_displayAttributes_conclusion=Conclusion"
    })
    private ResultDisplayAttributes getDisplayAttributes(AnalysisResult analysisResult) {
        // The type of BlackboardArtifact.Type of the analysis result.
        String type = "";
        try {
            type = normalizeAttr(analysisResult.getType().getDisplayName());
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Unable to get type for analysis result with id: " + analysisResult.getArtifactID(), ex);
        }

        // The standard attributes to display (score, type, configuration, conclusion)
        Stream<Pair<String, String>> baseAnalysisAttrs = Stream.of(
                Pair.of(Bundle.AnalysisResultsViewModel_displayAttributes_score(),
                        normalizeAttr(analysisResult.getScore().getSignificance().getDisplayName())),
                Pair.of(Bundle.AnalysisResultsViewModel_displayAttributes_type(),
                        normalizeAttr(type)),
                Pair.of(Bundle.AnalysisResultsViewModel_displayAttributes_configuration(),
                        normalizeAttr(analysisResult.getConfiguration())),
                Pair.of(Bundle.AnalysisResultsViewModel_displayAttributes_conclusion(),
                        normalizeAttr(analysisResult.getConclusion()))
        );

        // The BlackboardAttributes sorted by type display name.
        Stream<Pair<String, String>> blackboardAttributes = Stream.empty();
        try {

            blackboardAttributes = analysisResult.getAttributes().stream()
                    .filter(attr -> attr != null && attr.getAttributeType() != null && attr.getAttributeType().getDisplayName() != null)
                    .map(attr -> Pair.of(attr.getAttributeType().getDisplayName(), normalizeAttr(attr.getDisplayString())))
                    .sorted((a, b) -> a.getKey().compareToIgnoreCase(b.getKey()));
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Unable to get attributes for analysis result with id: " + analysisResult.getArtifactID(), ex);
        }

        // return the standard attributes along with the key value pairs of the BlackboardAttribute values.
        List<Pair<String, String>> allDisplayAttributes = Stream.concat(baseAnalysisAttrs, blackboardAttributes)
                .collect(Collectors.toList());

        return new ResultDisplayAttributes(analysisResult, allDisplayAttributes);
    }

    private List<ResultDisplayAttributes> getOrderedDisplayAttributes(Collection<AnalysisResult> analysisResults) {
        return analysisResults.stream()
                .filter(ar -> ar != null && ar.getScore() != null)
                // reverse order to push more important scores to the top
                .sorted((a, b) -> -a.getScore().compareTo(b.getScore()))
                .map((ar) -> getDisplayAttributes(ar))
                .collect(Collectors.toList());
    }

    NodeResults getAnalysisResults(Node node) {
        if (node == null) {
            return new NodeResults(Collections.emptyList(), Optional.empty(), Optional.empty(), Optional.empty());
        }

        Optional<Score> aggregateScore = Optional.empty();
        Optional<Content> nodeContent = Optional.empty();
        // maps id of analysis result to analysis result to prevent duplication
        Map<Long, AnalysisResult> allAnalysisResults = new HashMap<>();
        Optional<AnalysisResult> selectedResult = Optional.empty();

        // Find first content that is not an artifact within node
        for (Content content : node.getLookup().lookupAll(Content.class)) {
            if (content == null || content instanceof BlackboardArtifact) {
                continue;
            }

            try {
                nodeContent = Optional.of(content);
                
                // get the aggregate score of that content
                aggregateScore = Optional.ofNullable(content.getAggregateScore());

                // and add all analysis results to mapping
                content.getAllAnalysisResults().stream()
                        .forEach((ar) -> allAnalysisResults.put(ar.getArtifactID(), ar));

                break;
            } catch (TskCoreException ex) {
                logger.log(Level.SEVERE, "Unable to get analysis results for content with obj id " + content.getId(), ex);
            }
        }

        // Find any analysis results in the node
        Collection<? extends AnalysisResult> analysisResults = node.getLookup().lookupAll(AnalysisResult.class);
        if (analysisResults.size() > 0) {

            // get any items with a score
            List<AnalysisResult> filteredResults = analysisResults.stream()
                    .collect(Collectors.toList());

            // add them to the map to display
            filteredResults.forEach((ar) -> allAnalysisResults.put(ar.getArtifactID(), ar));

            // the selected result will be the highest scored analysis result in the node.
            selectedResult = filteredResults.stream()
                    .max((a, b) -> a.getScore().compareTo(b.getScore()));

            // if no aggregate score determined at this point, use the selected result score.
            if (!aggregateScore.isPresent()) {
                aggregateScore = selectedResult.flatMap(selectedRes -> Optional.ofNullable(selectedRes.getScore()));
            }
        }

        // get view model representation
        List<ResultDisplayAttributes> displayAttributes = getOrderedDisplayAttributes(allAnalysisResults.values());

        return new NodeResults(displayAttributes, selectedResult, aggregateScore, nodeContent);
    }
}