QueryResults.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2011-2018 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.keywordsearch;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.swing.SwingWorker;
import org.apache.commons.lang.StringUtils;
import org.netbeans.api.progress.ProgressHandle;
import org.netbeans.api.progress.aggregate.ProgressContributor;
import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.autopsy.coreutils.EscapeUtil;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.ingest.IngestMessage;
import org.sleuthkit.autopsy.ingest.IngestServices;;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;

class QueryResults {

    private static final Logger logger = Logger.getLogger(QueryResults.class.getName());
    private static final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
    private final KeywordSearchQuery query;
    private final Map<Keyword, List<KeywordHit>> results = new HashMap<>();

    QueryResults(KeywordSearchQuery query) {
        this.query = query;
    }

    KeywordSearchQuery getQuery() {
        return query;
    }

    void addResult(Keyword keyword, List<KeywordHit> hits) {
        results.put(keyword, hits);
    }

    List<KeywordHit> getResults(Keyword keyword) {
        return results.get(keyword);
    }

    Set<Keyword> getKeywords() {
        return results.keySet();
    }

    void process(ProgressHandle progress, ProgressContributor subProgress, SwingWorker<?, ?> worker, boolean notifyInbox, boolean saveResults) {
        /*
         * Initialize the progress indicator to the number of keywords that will
         * be processed.
         */
        if (null != progress) {
            progress.start(getKeywords().size());
        }

        /*
         * Process the keyword hits for each keyword.
         */
        int keywordsProcessed = 0;
        final Collection<BlackboardArtifact> hitArtifacts = new ArrayList<>();
        for (final Keyword keyword : getKeywords()) {
            /*
             * Cancellation check.
             */
            if (worker.isCancelled()) {
                logger.log(Level.INFO, "Processing cancelled, exiting before processing search term {0}", keyword.getSearchTerm()); //NON-NLS
                break;
            }

            /*
             * Update the progress indicator and the show the current keyword
             * via the progress contributor.
             */
            if (progress != null) {
                progress.progress(keyword.toString(), keywordsProcessed);
            }
            if (subProgress != null) {
                String hitDisplayStr = keyword.getSearchTerm();
                if (hitDisplayStr.length() > 50) {
                    hitDisplayStr = hitDisplayStr.substring(0, 49) + "...";
                }
                subProgress.progress(query.getKeywordList().getName() + ": " + hitDisplayStr, keywordsProcessed);
            }

            /*
             * Reduce the hits for this keyword to one hit per text source
             * object so that only one hit artifact is generated per text source
             * object, no matter how many times the keyword was actually found.
             */
            for (KeywordHit hit : getOneHitPerTextSourceObject(keyword)) {
                /*
                 * Get a snippet (preview) for the hit. Regex queries always
                 * have snippets made from the content_str pulled back from Solr
                 * for executing the search. Other types of queries may or may
                 * not have snippets yet.
                 */
                String snippet = hit.getSnippet();
                if (StringUtils.isBlank(snippet)) {
                    final String snippetQuery = KeywordSearchUtil.escapeLuceneQuery(keyword.getSearchTerm());
                    try {
                        snippet = LuceneQuery.querySnippet(snippetQuery, hit.getSolrObjectId(), hit.getChunkId(), !query.isLiteral(), true);
                    } catch (NoOpenCoreException e) {
                        logger.log(Level.SEVERE, "Solr core closed while executing snippet query " + snippetQuery, e); //NON-NLS
                        break; // Stop processing.
                    } catch (Exception e) {
                        logger.log(Level.SEVERE, "Error executing snippet query " + snippetQuery, e); //NON-NLS
                        continue; // Try processing the next hit.
                    }
                }

                /*
                 * Get the content (file or artifact) that is the text source
                 * for the hit.
                 */
                Content content = null;
                try {
                    SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
                    content = tskCase.getContentById(hit.getContentID());
                } catch (TskCoreException | NoCurrentCaseException tskCoreException) {
                    logger.log(Level.SEVERE, "Failed to get text source object for keyword hit", tskCoreException); //NON-NLS
                }
                
                if ((content != null) && saveResults) {
                    /*
                    * Post an artifact for the hit to the blackboard.
                     */
                    BlackboardArtifact artifact = query.createKeywordHitArtifact(content, keyword, hit, snippet, query.getKeywordList().getName());

                    /*
                    * Send an ingest inbox message for the hit.
                     */
                    if (null != artifact) {
                        hitArtifacts.add(artifact);
                        if (notifyInbox) {
                            try {
                                writeSingleFileInboxMessage(artifact, content);
                            } catch (TskCoreException ex) {
                                logger.log(Level.SEVERE, "Error sending message to ingest messages inbox", ex); //NON-NLS
                            }
                        }
                    }
                }
            }

            ++keywordsProcessed;
        }

        /*
         * Post the artifacts to the blackboard which will publish an event to
         * notify subscribers of the new artifacts.
         */
        if (!hitArtifacts.isEmpty()) {
            try {
                SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
                Blackboard blackboard = tskCase.getBlackboard();

                blackboard.postArtifacts(hitArtifacts, MODULE_NAME);
            } catch (NoCurrentCaseException | Blackboard.BlackboardException ex) {
                logger.log(Level.SEVERE, "Failed to post KWH artifact to blackboard.", ex); //NON-NLS
            }
        }
    }

    private Collection<KeywordHit> getOneHitPerTextSourceObject(Keyword keyword) {
        /*
         * For each Solr document (chunk) for a text source object, return only
         * a single keyword hit from the first chunk of text (the one with the
         * lowest chunk id).
         */
        HashMap< Long, KeywordHit> hits = new HashMap<>();
        getResults(keyword).forEach((hit) -> {
            if (!hits.containsKey(hit.getSolrObjectId())) {
                hits.put(hit.getSolrObjectId(), hit);
            } else if (hit.getChunkId() < hits.get(hit.getSolrObjectId()).getChunkId()) {
                hits.put(hit.getSolrObjectId(), hit);
            }
        });
        return hits.values();
    }

    private void writeSingleFileInboxMessage(BlackboardArtifact artifact, Content hitContent) throws TskCoreException {
        StringBuilder subjectSb = new StringBuilder(1024);
        if (!query.isLiteral()) {
            subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExpHitLbl"));
        } else {
            subjectSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitLbl"));
        }

        StringBuilder detailsSb = new StringBuilder(1024);
        String uniqueKey = null;
        BlackboardAttribute attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD));
        if (attr != null) {
            final String keyword = attr.getValueString();
            subjectSb.append(keyword);
            uniqueKey = keyword.toLowerCase();
            detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
            detailsSb.append("<tr>"); //NON-NLS
            detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.kwHitThLbl"));
            detailsSb.append("<td>").append(EscapeUtil.escapeHtml(keyword)).append("</td>"); //NON-NLS
            detailsSb.append("</tr>"); //NON-NLS
        }

        //preview
        attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW));
        if (attr != null) {
            detailsSb.append("<tr>"); //NON-NLS
            detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.previewThLbl"));
            detailsSb.append("<td>").append(EscapeUtil.escapeHtml(attr.getValueString())).append("</td>"); //NON-NLS
            detailsSb.append("</tr>"); //NON-NLS
        }

        //file
        detailsSb.append("<tr>"); //NON-NLS
        detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.fileThLbl"));
        if (hitContent instanceof AbstractFile) {
            AbstractFile hitFile = (AbstractFile) hitContent;
            detailsSb.append("<td>").append(hitFile.getParentPath()).append(hitFile.getName()).append("</td>"); //NON-NLS
        } else {
            detailsSb.append("<td>").append(hitContent.getName()).append("</td>"); //NON-NLS
        }
        detailsSb.append("</tr>"); //NON-NLS

        //list
        attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
        if (attr != null) {
            detailsSb.append("<tr>"); //NON-NLS
            detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.listThLbl"));
            detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
            detailsSb.append("</tr>"); //NON-NLS
        }

        //regex
        if (!query.isLiteral()) {
            attr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP));
            if (attr != null) {
                detailsSb.append("<tr>"); //NON-NLS
                detailsSb.append(NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.regExThLbl"));
                detailsSb.append("<td>").append(attr.getValueString()).append("</td>"); //NON-NLS
                detailsSb.append("</tr>"); //NON-NLS
            }
        }
        detailsSb.append("</table>"); //NON-NLS

        IngestServices.getInstance().postMessage(IngestMessage.createDataMessage(MODULE_NAME, subjectSb.toString(), detailsSb.toString(), uniqueKey, artifact));
    }
}