Autopsy  4.19.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
AnalysisSummary.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2020-2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datasourcesummary.datamodel;
20 
21 import java.util.ArrayList;
22 import java.util.Collections;
23 import java.util.HashSet;
24 import java.util.List;
25 import java.util.Map;
26 import java.util.Set;
27 import java.util.function.Function;
28 import java.util.stream.Collectors;
29 import org.apache.commons.lang3.StringUtils;
30 import org.apache.commons.lang3.tuple.Pair;
31 import org.sleuthkit.autopsy.datasourcesummary.datamodel.SleuthkitCaseProvider.SleuthkitCaseProviderException;
32 import org.sleuthkit.datamodel.SleuthkitCase;
33 import org.sleuthkit.datamodel.BlackboardArtifact;
34 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
35 import org.sleuthkit.datamodel.BlackboardAttribute;
36 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
37 import org.sleuthkit.datamodel.DataSource;
38 import org.sleuthkit.datamodel.TskCoreException;
39 
44 public class AnalysisSummary {
45 
46  private static final BlackboardAttribute.Type TYPE_SET_NAME = new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_SET_NAME);
47  private static final Set<String> EXCLUDED_KEYWORD_SEARCH_ITEMS = new HashSet<>();
48 
49  private final SleuthkitCaseProvider provider;
50 
54  public AnalysisSummary() {
55  this(SleuthkitCaseProvider.DEFAULT);
56  }
57 
63  public AnalysisSummary(SleuthkitCaseProvider provider) {
64  this.provider = provider;
65  }
66 
77  public List<Pair<String, Long>> getHashsetCounts(DataSource dataSource) throws SleuthkitCaseProviderException, TskCoreException {
78  return getCountsData(dataSource, TYPE_SET_NAME, ARTIFACT_TYPE.TSK_HASHSET_HIT);
79  }
80 
91  public List<Pair<String, Long>> getKeywordCounts(DataSource dataSource) throws SleuthkitCaseProviderException, TskCoreException {
92  return getCountsData(dataSource, TYPE_SET_NAME, ARTIFACT_TYPE.TSK_KEYWORD_HIT).stream()
93  // make sure we have a valid set and that that set does not belong to the set of excluded items
94  .filter((pair) -> pair != null && pair.getKey() != null && !EXCLUDED_KEYWORD_SEARCH_ITEMS.contains(pair.getKey().toUpperCase().trim()))
95  .collect(Collectors.toList());
96  }
97 
110  public List<Pair<String, Long>> getInterestingItemCounts(DataSource dataSource) throws SleuthkitCaseProviderException, TskCoreException {
111  return getCountsData(dataSource, TYPE_SET_NAME, ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
112  }
113 
128  private List<Pair<String, Long>> getCountsData(DataSource dataSource, BlackboardAttribute.Type keyType, ARTIFACT_TYPE... artifactTypes)
129  throws SleuthkitCaseProviderException, TskCoreException {
130 
131  if (dataSource == null) {
132  return Collections.emptyList();
133  }
134 
135  List<BlackboardArtifact> artifacts = new ArrayList<>();
136  SleuthkitCase skCase = provider.get();
137 
138  // get all artifacts in one list for each artifact type
139  for (ARTIFACT_TYPE type : artifactTypes) {
140  artifacts.addAll(skCase.getBlackboard().getArtifacts(type.getTypeID(), dataSource.getId()));
141  }
142 
143  // group those based on the value of the attribute type that should serve as a key
144  Map<String, Long> countedKeys = artifacts.stream()
145  .map((art) -> {
146  String key = DataSourceInfoUtilities.getStringOrNull(art, keyType);
147  return (StringUtils.isBlank(key)) ? null : key;
148  })
149  .filter((key) -> key != null)
150  .collect(Collectors.groupingBy(Function.identity(), Collectors.counting()));
151 
152  // sort from max to min counts
153  return countedKeys.entrySet().stream()
154  .map((e) -> Pair.of(e.getKey(), e.getValue()))
155  .sorted((a, b) -> -a.getValue().compareTo(b.getValue()))
156  .collect(Collectors.toList());
157  }
158 }
org.sleuthkit.autopsy.datasourcesummary.datamodel.AnalysisSummary.getInterestingItemCounts
List< Pair< String, Long > > getInterestingItemCounts(DataSource dataSource)
Definition: AnalysisSummary.java:110
org.sleuthkit.autopsy.datasourcesummary.datamodel.AnalysisSummary.getCountsData
List< Pair< String, Long > > getCountsData(DataSource dataSource, BlackboardAttribute.Type keyType, ARTIFACT_TYPE...artifactTypes)
Definition: AnalysisSummary.java:128
org.sleuthkit.autopsy.datasourcesummary.datamodel.AnalysisSummary.getHashsetCounts
List< Pair< String, Long > > getHashsetCounts(DataSource dataSource)
Definition: AnalysisSummary.java:77
org.sleuthkit.autopsy.datasourcesummary.datamodel.AnalysisSummary.getKeywordCounts
List< Pair< String, Long > > getKeywordCounts(DataSource dataSource)
Definition: AnalysisSummary.java:91
org.sleuthkit.autopsy.datasourcesummary.datamodel.DataSourceInfoUtilities.getStringOrNull
static String getStringOrNull(BlackboardArtifact artifact, Type attributeType)
Definition: DataSourceInfoUtilities.java:387

Copyright © 2012-2021 Basis Technology. Generated on: Thu Sep 30 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.