Autopsy  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CorrelationAttributeUtil.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2017-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.datamodel;
20 
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.HashSet;
24 import java.util.List;
25 import java.util.Optional;
26 import java.util.Set;
27 import java.util.logging.Level;
28 import org.openide.util.NbBundle.Messages;
29 import org.sleuthkit.autopsy.casemodule.Case;
30 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
31 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount.CentralRepoAccountType;
32 import org.sleuthkit.autopsy.coreutils.Logger;
33 import org.sleuthkit.datamodel.AbstractFile;
34 import org.sleuthkit.datamodel.Account;
35 import org.sleuthkit.datamodel.BlackboardArtifact;
36 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
37 import org.sleuthkit.datamodel.BlackboardAttribute;
38 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
39 import org.sleuthkit.datamodel.Content;
40 import org.sleuthkit.datamodel.DataSource;
41 import org.sleuthkit.datamodel.HashUtility;
42 import org.sleuthkit.datamodel.InvalidAccountIDException;
43 import org.sleuthkit.datamodel.TskCoreException;
44 import org.sleuthkit.datamodel.TskData;
45 
50 public class CorrelationAttributeUtil {
51 
52  private static final Logger logger = Logger.getLogger(CorrelationAttributeUtil.class.getName());
53  private static final List<String> domainsToSkip = Arrays.asList("localhost", "127.0.0.1");
54 
55  // artifact ids that specifically have a TSK_DOMAIN attribute that should be handled by CR
56  private static Set<Integer> DOMAIN_ARTIFACT_TYPE_IDS = new HashSet<>(Arrays.asList(
57  ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID(),
58  ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID(),
59  ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID(),
60  ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID(),
61  ARTIFACT_TYPE.TSK_WEB_CACHE.getTypeID()
62  ));
63 
74  @Messages({"CorrelationAttributeUtil.emailaddresses.text=Email Addresses"})
75  private static String getEmailAddressAttrDisplayName() {
76  return Bundle.CorrelationAttributeUtil_emailaddresses_text();
77  }
78 
79  // Defines which artifact types act as the sources for CR data.
80  // Most notably, does not include KEYWORD HIT, CALLLOGS, MESSAGES, CONTACTS
81  // TSK_INTERESTING_ARTIFACT_HIT (See JIRA-6129 for more details on the
82  // interesting artifact hit).
83  // IMPORTANT: This set should be updated for new artifacts types that need to
84  // be inserted into the CR.
85  private static final Set<Integer> SOURCE_TYPES_FOR_CR_INSERT = new HashSet<Integer>() {
86  {
87  addAll(DOMAIN_ARTIFACT_TYPE_IDS);
88 
89  add(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID());
90  add(ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID());
91  add(ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID());
92  add(ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID());
93  add(ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID());
94  add(ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID());
95  add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID());
96  add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID());
97  add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID());
98  add(ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID());
99  }
100  };
101 
115  public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(BlackboardArtifact artifact) {
116  if (SOURCE_TYPES_FOR_CR_INSERT.contains(artifact.getArtifactTypeID())) {
117  // Restrict the correlation attributes to use for saving.
118  // The artifacts which are suitable for saving are a subset of the
119  // artifacts that are suitable for correlating.
120  return makeCorrAttrsForCorrelation(artifact);
121  }
122  // Return an empty collection.
123  return new ArrayList<>();
124  }
125 
150  public static List<CorrelationAttributeInstance> makeCorrAttrsForCorrelation(BlackboardArtifact artifact) {
151  List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
152  try {
153  BlackboardArtifact sourceArtifact = getCorrAttrSourceArtifact(artifact);
154  if (sourceArtifact != null) {
155  int artifactTypeID = sourceArtifact.getArtifactTypeID();
156  if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
157  BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
158  if (setNameAttr != null && CorrelationAttributeUtil.getEmailAddressAttrDisplayName().equals(setNameAttr.getValueString())) {
159  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD, CorrelationAttributeInstance.EMAIL_TYPE_ID);
160  }
161  } else if (DOMAIN_ARTIFACT_TYPE_IDS.contains(artifactTypeID)) {
162  BlackboardAttribute domainAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
163  if ((domainAttr != null)
164  && !domainsToSkip.contains(domainAttr.getValueString())) {
165  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, CorrelationAttributeInstance.DOMAIN_TYPE_ID);
166  }
167  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
168  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID, CorrelationAttributeInstance.USBID_TYPE_ID);
169  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
170 
171  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
172  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SSID, CorrelationAttributeInstance.SSID_TYPE_ID);
173 
174  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
175  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
176  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
177  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
178 
179  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
180  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI, CorrelationAttributeInstance.IMEI_TYPE_ID);
181  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
182  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
183 
184  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
185  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
186  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
187 
188  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
189  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, CorrelationAttributeInstance.PHONE_TYPE_ID);
190  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, CorrelationAttributeInstance.EMAIL_TYPE_ID);
191 
192  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
193  makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact);
194 
195  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
196  BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
197  String pathAttrString = null;
198  if (setNameAttr != null) {
199  pathAttrString = setNameAttr.getValueString();
200  }
201  if (pathAttrString != null && !pathAttrString.isEmpty()) {
202  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
203  } else {
204  makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
205  }
206  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
207  || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
208  || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
209  makeCorrAttrsFromCommunicationArtifacts(correlationAttrs, sourceArtifact);
210  }
211  }
212  } catch (CorrelationAttributeNormalizationException ex) {
213  logger.log(Level.WARNING, String.format("Error normalizing correlation attribute (%s)", artifact), ex); // NON-NLS
214  return correlationAttrs;
215  } catch (InvalidAccountIDException ex) {
216  logger.log(Level.WARNING, String.format("Invalid account identifier (artifactID: %d)", artifact.getId())); // NON-NLS
217  return correlationAttrs;
218  } catch (CentralRepoException ex) {
219  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
220  return correlationAttrs;
221  } catch (TskCoreException ex) {
222  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
223  return correlationAttrs;
224  } catch (NoCurrentCaseException ex) {
225  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
226  return correlationAttrs;
227  }
228  return correlationAttrs;
229  }
230 
244  private static void makeCorrAttrsFromCommunicationArtifacts(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact) throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException {
245  CorrelationAttributeInstance corrAttr = null;
246 
247  /*
248  * Extract the phone number from the artifact attribute.
249  */
250  String value = null;
251  if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
252  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
253  } else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
254  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
255  } else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
256  value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
257  }
258 
259  /*
260  * Normalize the phone number.
261  */
262  if (value != null
263  && CorrelationAttributeNormalizer.isValidPhoneNumber(value)) {
264 
265  value = CorrelationAttributeNormalizer.normalizePhone(value);
266  corrAttr = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.PHONE_TYPE_ID), value);
267  if (corrAttr != null) {
268  corrAttrInstances.add(corrAttr);
269  }
270  }
271  }
272 
286  private static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact) throws NoCurrentCaseException, TskCoreException {
287  BlackboardArtifact sourceArtifact = null;
288  if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifact.getArtifactTypeID()) {
289  BlackboardAttribute assocArtifactAttr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
290  if (assocArtifactAttr != null) {
291  sourceArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(assocArtifactAttr.getValueLong());
292  }
293  } else {
294  sourceArtifact = artifact;
295  }
296  return sourceArtifact;
297  }
298 
312  private static void makeCorrAttrFromAcctArtifact(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact acctArtifact) throws InvalidAccountIDException, TskCoreException, CentralRepoException {
313 
314  // Get the account type from the artifact
315  BlackboardAttribute accountTypeAttribute = acctArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE));
316  String accountTypeStr = accountTypeAttribute.getValueString();
317 
318  // @@TODO Vik-6136: CR currently does not know of custom account types.
319  // Ensure there is a predefined account type for this account.
320  Account.Type predefinedAccountType = Account.Type.PREDEFINED_ACCOUNT_TYPES.stream().filter(type -> type.getTypeName().equalsIgnoreCase(accountTypeStr)).findAny().orElse(null);
321 
322  // do not create any correlation attribute instance for a Device account
323  if (Account.Type.DEVICE.getTypeName().equalsIgnoreCase(accountTypeStr) == false && predefinedAccountType != null) {
324 
325  // Get the corresponding CentralRepoAccountType from the database.
326  Optional<CentralRepoAccountType> optCrAccountType = CentralRepository.getInstance().getAccountTypeByName(accountTypeStr);
327  if (!optCrAccountType.isPresent()) {
328  return;
329  }
330  CentralRepoAccountType crAccountType = optCrAccountType.get();
331 
332  int corrTypeId = crAccountType.getCorrelationTypeId();
333  CorrelationAttributeInstance.Type corrType = CentralRepository.getInstance().getCorrelationTypeById(corrTypeId);
334 
335  // Get the account identifier
336  BlackboardAttribute accountIdAttribute = acctArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ID));
337  String accountIdStr = accountIdAttribute.getValueString();
338 
339  // add/get the account and get its accountId.
340  CentralRepoAccount crAccount = CentralRepository.getInstance().getOrCreateAccount(crAccountType, accountIdStr);
341 
342  CorrelationAttributeInstance corrAttr = makeCorrAttr(acctArtifact, corrType, accountIdStr);
343  if (corrAttr != null) {
344  // set the account_id in correlation attribute
345  corrAttr.setAccountId(crAccount.getId());
346  corrAttrInstances.add(corrAttr);
347  }
348  }
349  }
350 
365  private static void makeCorrAttrFromArtifactAttr(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId) throws CentralRepoException, TskCoreException {
366  BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(artAttrType));
367  if (attribute != null) {
368  String value = attribute.getValueString();
369  if ((null != value) && (value.isEmpty() == false)) {
370  CorrelationAttributeInstance inst = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(typeId), value);
371  if (inst != null) {
372  corrAttrInstances.add(inst);
373  }
374  }
375  }
376  }
377 
395  private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) {
396  try {
397  Case currentCase = Case.getCurrentCaseThrows();
398  Content sourceContent = currentCase.getSleuthkitCase().getContentById(artifact.getObjectID());
399  if (null == sourceContent) {
400  logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load content with ID: {1} associated with artifact with ID: {2}",
401  new Object[]{correlationType.getDisplayName(), artifact.getObjectID(), artifact.getId()}); // NON-NLS
402  return null;
403  }
404 
405  Content ds = sourceContent.getDataSource();
406  if (ds == null) {
407  logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load data source for content with ID: {1}",
408  new Object[]{correlationType.getDisplayName(), artifact.getObjectID()}); // NON-NLS
409  return null;
410  }
411 
412  CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
413  if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
414  return new CorrelationAttributeInstance(
415  correlationType,
416  value,
417  correlationCase,
418  CorrelationDataSource.fromTSKDataSource(correlationCase, ds),
419  "",
420  "",
421  TskData.FileKnown.UNKNOWN,
422  sourceContent.getId());
423  } else {
424  if (! (sourceContent instanceof AbstractFile)) {
425  logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Source content of artifact with ID: {1} is not an AbstractFile",
426  new Object[]{correlationType.getDisplayName(), artifact.getId()});
427  return null;
428  }
429  AbstractFile bbSourceFile = (AbstractFile) sourceContent;
430 
431  return new CorrelationAttributeInstance(
432  correlationType,
433  value,
434  correlationCase,
435  CorrelationDataSource.fromTSKDataSource(correlationCase, ds),
436  bbSourceFile.getParentPath() + bbSourceFile.getName(),
437  "",
438  TskData.FileKnown.UNKNOWN,
439  bbSourceFile.getId());
440  }
441  } catch (TskCoreException ex) {
442  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
443  return null;
444  } catch (CentralRepoException ex) {
445  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", artifact), ex); // NON-NLS
446  return null;
447  } catch (CorrelationAttributeNormalizationException ex) {
448  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", artifact), ex); // NON-NLS
449  return null;
450  } catch (NoCurrentCaseException ex) {
451  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
452  return null;
453  }
454  }
455 
472  public static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file) {
473 
474  if (!isSupportedAbstractFileType(file)) {
475  return null;
476  }
477 
478  CorrelationAttributeInstance.Type type;
479  CorrelationCase correlationCase;
480  CorrelationDataSource correlationDataSource;
481 
482  try {
483  type = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
484  correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
485  if (null == correlationCase) {
486  //if the correlationCase is not in the Central repo then attributes generated in relation to it will not be
487  return null;
488  }
489  correlationDataSource = CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource());
490  } catch (TskCoreException ex) {
491  logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", file), ex); // NON-NLS
492  return null;
493  } catch (CentralRepoException ex) {
494  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
495  return null;
496  } catch (NoCurrentCaseException ex) {
497  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
498  return null;
499  }
500 
501  CorrelationAttributeInstance correlationAttributeInstance;
502  try {
503  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getId());
504  } catch (CentralRepoException ex) {
505  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
506  return null;
507  } catch (CorrelationAttributeNormalizationException ex) {
508  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
509  return null;
510  }
511 
512  /*
513  * If no correlation attribute instance was found when querying by file
514  * object ID, try searching by file path instead. This is necessary
515  * because file object IDs were not stored in the central repository in
516  * early versions of its schema.
517  */
518  if (correlationAttributeInstance == null && file.getMd5Hash() != null) {
519  String filePath = (file.getParentPath() + file.getName()).toLowerCase();
520  try {
521  correlationAttributeInstance = CentralRepository.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getMd5Hash(), filePath);
522  } catch (CentralRepoException ex) {
523  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
524  return null;
525  } catch (CorrelationAttributeNormalizationException ex) {
526  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
527  return null;
528  }
529  }
530 
531  return correlationAttributeInstance;
532  }
533 
552  public static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file) {
553 
554  if (!isSupportedAbstractFileType(file)) {
555  return null;
556  }
557 
558  // We need a hash to make the correlation artifact instance.
559  String md5 = file.getMd5Hash();
560  if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
561  return null;
562  }
563 
564  try {
565  CorrelationAttributeInstance.Type filesType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
566 
567  CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
568  return new CorrelationAttributeInstance(
569  filesType,
570  file.getMd5Hash(),
571  correlationCase,
572  CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource()),
573  file.getParentPath() + file.getName(),
574  "",
575  TskData.FileKnown.UNKNOWN,
576  file.getId());
577 
578  } catch (TskCoreException ex) {
579  logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS
580  return null;
581  } catch (CentralRepoException ex) {
582  logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
583  return null;
584  } catch (CorrelationAttributeNormalizationException ex) {
585  logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
586  return null;
587  } catch (NoCurrentCaseException ex) {
588  logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
589  return null;
590  }
591  }
592 
601  public static boolean isSupportedAbstractFileType(AbstractFile file) {
602  if (file == null) {
603  return false;
604  }
605  switch (file.getType()) {
606  case UNALLOC_BLOCKS:
607  case UNUSED_BLOCKS:
608  case SLACK:
609  case VIRTUAL_DIR:
610  case LOCAL_DIR:
611  return false;
612  case CARVED:
613  case DERIVED:
614  case LOCAL:
615  case LAYOUT_FILE:
616  return true;
617  case FS:
618  return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
619  default:
620  logger.log(Level.WARNING, "Unexpected file type {0}", file.getType().getName());
621  return false;
622  }
623  }
624 
628  private CorrelationAttributeUtil() {
629  }
630 
631 }
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttr
static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value)
Definition: CorrelationAttributeUtil.java:395
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
Definition: CorrelationDataSource.java:113
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromFile
static CorrelationAttributeInstance makeCorrAttrFromFile(AbstractFile file)
Definition: CorrelationAttributeUtil.java:552
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getAccountTypeByName
Optional< CentralRepoAccountType > getAccountTypeByName(String accountTypeName)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsForCorrelation
static List< CorrelationAttributeInstance > makeCorrAttrsForCorrelation(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:150
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsFromCommunicationArtifacts
static void makeCorrAttrsFromCommunicationArtifacts(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:244
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrForFile
static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file)
Definition: CorrelationAttributeUtil.java:472
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromArtifactAttr
static void makeCorrAttrFromArtifactAttr(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId)
Definition: CorrelationAttributeUtil.java:365
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationAttributeInstance
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.getCorrAttrSourceArtifact
static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:286
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrsToSave
static List< CorrelationAttributeInstance > makeCorrAttrsToSave(BlackboardArtifact artifact)
Definition: CorrelationAttributeUtil.java:115
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil.makeCorrAttrFromAcctArtifact
static void makeCorrAttrFromAcctArtifact(List< CorrelationAttributeInstance > corrAttrInstances, BlackboardArtifact acctArtifact)
Definition: CorrelationAttributeUtil.java:312
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCorrelationTypeById
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getOrCreateAccount
CentralRepoAccount getOrCreateAccount(CentralRepoAccount.CentralRepoAccountType crAccountType, String accountUniqueID)

Copyright © 2012-2021 Basis Technology. Generated on: Fri Aug 6 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.