api-docs/4.19.1/_search_filtering_8java_source.html

 /*

  * Autopsy Forensic Browser

  *

  * Copyright 2019-2021 Basis Technology Corp.

  * Contact: carrier <at> sleuthkit <dot> org

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.sleuthkit.autopsy.discovery.search;


 import java.text.SimpleDateFormat;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoException;

 import org.sleuthkit.autopsy.discovery.search.SearchData.FileSize;

 import org.sleuthkit.autopsy.discovery.search.SearchData.Type;

 import org.sleuthkit.autopsy.discovery.search.SearchData.Frequency;

 import org.sleuthkit.autopsy.discovery.search.SearchData.Score;

 import org.sleuthkit.datamodel.AbstractFile;

 import org.sleuthkit.datamodel.DataSource;

 import org.sleuthkit.datamodel.SleuthkitCase;

 import org.sleuthkit.datamodel.TagName;

 import org.sleuthkit.datamodel.TskCoreException;

 import java.util.ArrayList;

 import java.util.Arrays;

 import java.util.Collection;

 import java.util.Collections;

 import java.util.Date;

 import java.util.List;

 import java.util.Locale;

 import java.util.StringJoiner;

 import java.util.concurrent.TimeUnit;

 import java.util.stream.Collectors;

 import org.openide.util.NbBundle;

 import org.sleuthkit.datamodel.BlackboardArtifact;

 import org.sleuthkit.datamodel.BlackboardAttribute;

 import org.sleuthkit.datamodel.TskData;

 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;

 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;


 public class SearchFiltering {


     static List<Result> runQueries(List<AbstractFilter> filters, SleuthkitCase caseDb, CentralRepository centralRepoDb, SearchContext context) throws DiscoveryException, SearchCancellationException {

         if (caseDb == null) {

             throw new DiscoveryException("Case DB parameter is null"); // NON-NLS

         }

         // Combine all the SQL queries from the filters into one query

         String combinedQuery = "";

         for (AbstractFilter filter : filters) {

             if (!filter.getWhereClause().isEmpty()) {

                 if (!combinedQuery.isEmpty()) {

                     combinedQuery += " AND "; // NON-NLS

                 }

                 combinedQuery += "(" + filter.getWhereClause() + ")"; // NON-NLS

             }

         }


         if (combinedQuery.isEmpty()) {

             // The file search filter is required, so this should never be empty.

             throw new DiscoveryException("Selected filters do not include a case database query");

         }

         if (context.searchIsCancelled()) {

             throw new SearchCancellationException("The search was cancelled before result list could be retrieved.");

         }

         try {

             return getResultList(filters, combinedQuery, caseDb, centralRepoDb, context);

         } catch (TskCoreException ex) {

             throw new DiscoveryException("Error querying case database", ex); // NON-NLS

         }

     }


     private static List<Result> getResultList(List<AbstractFilter> filters, String combinedQuery, SleuthkitCase caseDb, CentralRepository centralRepoDb, SearchContext context) throws TskCoreException, DiscoveryException, SearchCancellationException {

         // Get all matching abstract files

         List<Result> resultList = new ArrayList<>();

         List<AbstractFile> sqlResults = caseDb.findAllFilesWhere(combinedQuery);

         if (context.searchIsCancelled()) {

             throw new SearchCancellationException("The search was cancelled while the case database query was being performed.");

         }

         // If there are no results, return now

         if (sqlResults.isEmpty()) {

             return resultList;

         }


         // Wrap each result in a ResultFile

         for (AbstractFile abstractFile : sqlResults) {

             resultList.add(new ResultFile(abstractFile));

         }


         // Now run any non-SQL filters.

         for (AbstractFilter filter : filters) {

             if (context.searchIsCancelled()) {

                 throw new SearchCancellationException("The search was cancelled while alternate filters were being applied.");

             }

             if (filter.useAlternateFilter()) {

                 resultList = filter.applyAlternateFilter(resultList, caseDb, centralRepoDb, context);

             }

             // There are no matches for the filters run so far, so return

             if (resultList.isEmpty()) {

                 return resultList;

             }

         }

         return resultList;

     }


     public static class ArtifactDateRangeFilter extends AbstractFilter {


         private final Long startDate;

         private final Long endDate;


         // Attributes to search for date

         private static List<BlackboardAttribute.ATTRIBUTE_TYPE> dateAttributes

                 = Arrays.asList(

                         BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME,

                         BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,

                         BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED

                 );


         public ArtifactDateRangeFilter(Long startDate, Long endDate) {

             this.startDate = startDate;

             this.endDate = endDate;

         }


         static String createAttributeTypeClause() {

             StringJoiner joiner = new StringJoiner(",");

             for (BlackboardAttribute.ATTRIBUTE_TYPE type : dateAttributes) {

                 joiner.add("\'" + type.getTypeID() + "\'");

             }

             return "attribute_type_id IN (" + joiner.toString() + ")";

         }


         @Override

         public String getWhereClause() {

             return createAttributeTypeClause()

                     + " AND (value_int64 BETWEEN " + startDate + " AND " + endDate + ")";

         }


         @NbBundle.Messages({"SearchFiltering.dateRangeFilter.lable=Activity date ",

             "# {0} - startDate",

             "SearchFiltering.dateRangeFilter.after=after: {0}",

             "# {0} - endDate",

             "SearchFiltering.dateRangeFilter.before=before: {0}",

             "SearchFiltering.dateRangeFilter.and= and "})

         @Override

         public String getDesc() {

             String desc = ""; // NON-NLS

             if (startDate > 0) {

                 desc += Bundle.SearchFiltering_dateRangeFilter_after(new SimpleDateFormat("yyyy/MM/dd", Locale.getDefault()).format(new Date(TimeUnit.SECONDS.toMillis(startDate))));

             }

             if (endDate < 10000000000L) { //arbitrary time sometime in the 23rd century to check that they specified a date and the max date isn't being used

                 if (!desc.isEmpty()) {

                     desc += Bundle.SearchFiltering_dateRangeFilter_and();

                 }

                 desc += Bundle.SearchFiltering_dateRangeFilter_before(new SimpleDateFormat("yyyy/MM/dd", Locale.getDefault()).format(new Date(TimeUnit.SECONDS.toMillis(endDate))));

             }

             if (!desc.isEmpty()) {

                 desc = Bundle.SearchFiltering_dateRangeFilter_lable() + desc;

             }

             return desc;

         }

     }


     public static class ArtifactTypeFilter extends AbstractFilter {


         private final Collection<ARTIFACT_TYPE> types;


         public ArtifactTypeFilter(Collection<ARTIFACT_TYPE> types) {

             this.types = types;

         }


         public Collection<ARTIFACT_TYPE> getTypes() {

             return Collections.unmodifiableCollection(types);

         }


         private StringJoiner joinStandardArtifactTypes() {

             StringJoiner joiner = new StringJoiner(",");

             for (ARTIFACT_TYPE type : types) {

                 joiner.add("\'" + type.getTypeID() + "\'");

             }

             return joiner;

         }


         @Override

         public String getWhereClause() {

             StringJoiner joiner = joinStandardArtifactTypes();

             return "artifact_type_id IN (" + joiner + ")";

         }


         String getWhereClause(List<ARTIFACT_TYPE> nonVisibleArtifactTypesToInclude) {

             StringJoiner joiner = joinStandardArtifactTypes();

             for (ARTIFACT_TYPE type : nonVisibleArtifactTypesToInclude) {

                 joiner.add("\'" + type.getTypeID() + "\'");

             }

             return "artifact_type_id IN (" + joiner + ")";

         }


         @NbBundle.Messages({"# {0} - artifactTypes",

             "SearchFiltering.artifactTypeFilter.desc=Result type(s): {0}",

             "SearchFiltering.artifactTypeFilter.or=, "})

         @Override

         public String getDesc() {

             String desc = ""; // NON-NLS

             for (ARTIFACT_TYPE type : types) {

                 if (!desc.isEmpty()) {

                     desc += Bundle.SearchFiltering_artifactTypeFilter_or();

                 }

                 desc += type.getDisplayName();

             }

             desc = Bundle.SearchFiltering_artifactTypeFilter_desc(desc);

             return desc;

         }


     }


     public static class SizeFilter extends AbstractFilter {


         private final List<FileSize> fileSizes;


         public SizeFilter(List<FileSize> fileSizes) {

             this.fileSizes = fileSizes;

         }


         @Override

         public String getWhereClause() {

             String queryStr = ""; // NON-NLS

             for (FileSize size : fileSizes) {

                 if (!queryStr.isEmpty()) {

                     queryStr += " OR "; // NON-NLS

                 }

                 if (size.getMaxBytes() != FileSize.NO_MAXIMUM) {

                     queryStr += "(size > \'" + size.getMinBytes() + "\' AND size <= \'" + size.getMaxBytes() + "\')"; // NON-NLS

                 } else {

                     queryStr += "(size >= \'" + size.getMinBytes() + "\')"; // NON-NLS

                 }

             }

             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.SizeFilter.desc=Size(s): {0}",

             "SearchFiltering.SizeFilter.or=, "})

         @Override

         public String getDesc() {

             String desc = ""; // NON-NLS

             for (FileSize size : fileSizes) {

                 if (!desc.isEmpty()) {

                     desc += Bundle.SearchFiltering_SizeFilter_or();

                 }

                 desc += size.getSizeGroup();

             }

             desc = Bundle.SearchFiltering_SizeFilter_desc(desc);

             return desc;

         }

     }


     public static class ParentSearchTerm {


         private final String searchStr;

         private final boolean fullPath;

         private final boolean included;


         public ParentSearchTerm(String searchStr, boolean isFullPath, boolean isIncluded) {

             this.searchStr = searchStr;

             this.fullPath = isFullPath;

             this.included = isIncluded;

         }


         public String getSQLForTerm() {

             // TODO - these should really be prepared statements

             if (isIncluded()) {

                 if (isFullPath()) {

                     return "parent_path=\'" + getSearchStr() + "\'"; // NON-NLS

                 } else {

                     return "parent_path LIKE \'%" + getSearchStr() + "%\'"; // NON-NLS

                 }

             } else {

                 if (isFullPath()) {

                     return "parent_path!=\'" + getSearchStr() + "\'"; // NON-NLS

                 } else {

                     return "parent_path NOT LIKE \'%" + getSearchStr() + "%\'"; // NON-NLS

                 }

             }

         }


         @NbBundle.Messages({

             "SearchFiltering.ParentSearchTerm.fullString= (exact)",

             "SearchFiltering.ParentSearchTerm.subString= (substring)",

             "SearchFiltering.ParentSearchTerm.includeString= (include)",

             "SearchFiltering.ParentSearchTerm.excludeString= (exclude)",})

         @Override

         public String toString() {

             String returnString = getSearchStr();

             if (isFullPath()) {

                 returnString += Bundle.SearchFiltering_ParentSearchTerm_fullString();

             } else {

                 returnString += Bundle.SearchFiltering_ParentSearchTerm_subString();

             }

             if (isIncluded()) {

                 returnString += Bundle.SearchFiltering_ParentSearchTerm_includeString();

             } else {

                 returnString += Bundle.SearchFiltering_ParentSearchTerm_excludeString();

             }

             return returnString;

         }


         public boolean isFullPath() {

             return fullPath;

         }


         public boolean isIncluded() {

             return included;

         }


         public String getSearchStr() {

             return searchStr;

         }

     }


     public static class ParentFilter extends AbstractFilter {


         private final List<ParentSearchTerm> parentSearchTerms;


         public ParentFilter(List<ParentSearchTerm> parentSearchTerms) {

             this.parentSearchTerms = parentSearchTerms;

         }


         @Override

         public String getWhereClause() {

             String includeQueryStr = ""; // NON-NLS

             String excludeQueryStr = "";

             for (ParentSearchTerm searchTerm : parentSearchTerms) {

                 if (searchTerm.isIncluded()) {

                     if (!includeQueryStr.isEmpty()) {

                         includeQueryStr += " OR "; // NON-NLS

                     }

                     includeQueryStr += searchTerm.getSQLForTerm();

                 } else {

                     if (!excludeQueryStr.isEmpty()) {

                         excludeQueryStr += " AND "; // NON-NLS

                     }

                     excludeQueryStr += searchTerm.getSQLForTerm();

                 }

             }

             if (!includeQueryStr.isEmpty()) {

                 includeQueryStr = "(" + includeQueryStr + ")";

             }

             if (!excludeQueryStr.isEmpty()) {

                 excludeQueryStr = "(" + excludeQueryStr + ")";

             }

             if (includeQueryStr.isEmpty() || excludeQueryStr.isEmpty()) {

                 return includeQueryStr + excludeQueryStr;

             } else {

                 return includeQueryStr + " AND " + excludeQueryStr;

             }

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.ParentFilter.desc=Paths matching: {0}",

             "SearchFiltering.ParentFilter.or=, ",

             "SearchFiltering.ParentFilter.exact=(exact match)",

             "SearchFiltering.ParentFilter.substring=(substring)",

             "SearchFiltering.ParentFilter.included=(included)",

             "SearchFiltering.ParentFilter.excluded=(excluded)"})

         @Override

         public String getDesc() {

             String desc = ""; // NON-NLS

             for (ParentSearchTerm searchTerm : parentSearchTerms) {

                 if (!desc.isEmpty()) {

                     desc += Bundle.SearchFiltering_ParentFilter_or();

                 }

                 if (searchTerm.isFullPath()) {

                     desc += searchTerm.getSearchStr() + Bundle.SearchFiltering_ParentFilter_exact();

                 } else {

                     desc += searchTerm.getSearchStr() + Bundle.SearchFiltering_ParentFilter_substring();

                 }

                 if (searchTerm.isIncluded()) {

                     desc += Bundle.SearchFiltering_ParentFilter_included();

                 } else {

                     desc += Bundle.SearchFiltering_ParentFilter_excluded();

                 }

             }

             desc = Bundle.SearchFiltering_ParentFilter_desc(desc);

             return desc;

         }

     }


     public static class DataSourceFilter extends AbstractFilter {


         private final List<DataSource> dataSources;


         public DataSourceFilter(List<DataSource> dataSources) {

             this.dataSources = dataSources;

         }


         @Override

         public String getWhereClause() {

             String queryStr = ""; // NON-NLS

             for (DataSource ds : dataSources) {

                 if (!queryStr.isEmpty()) {

                     queryStr += ","; // NON-NLS

                 }

                 queryStr += "\'" + ds.getId() + "\'"; // NON-NLS

             }

             queryStr = "data_source_obj_id IN (" + queryStr + ")"; // NON-NLS

             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.DataSourceFilter.desc=Data source(s): {0}",

             "SearchFiltering.DataSourceFilter.or=, ",

             "# {0} - Data source name",

             "# {1} - Data source ID",

             "SearchFiltering.DataSourceFilter.datasource={0}({1})",})

         @Override

         public String getDesc() {

             String desc = ""; // NON-NLS

             for (DataSource ds : dataSources) {

                 if (!desc.isEmpty()) {

                     desc += Bundle.SearchFiltering_DataSourceFilter_or();

                 }

                 desc += Bundle.SearchFiltering_DataSourceFilter_datasource(ds.getName(), ds.getId());

             }

             desc = Bundle.SearchFiltering_DataSourceFilter_desc(desc);

             return desc;

         }

     }


     public static class KeywordListFilter extends AbstractFilter {


         private final List<String> listNames;


         public KeywordListFilter(List<String> listNames) {

             this.listNames = listNames;

         }


         @Override

         public String getWhereClause() {

             String keywordListPart = concatenateNamesForSQL(listNames);


             String queryStr = "(obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_id IN "

                     + "(SELECT artifact_id FROM blackboard_attributes WHERE artifact_type_id = 9 AND attribute_type_ID = 37 "

                     + "AND (" + keywordListPart + "))))";  // NON-NLS


             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.KeywordListFilter.desc=Keywords in list(s): {0}",})

         @Override

         public String getDesc() {

             return Bundle.SearchFiltering_KeywordListFilter_desc(concatenateSetNamesForDisplay(listNames));

         }

     }


     public static class FileTypeFilter extends AbstractFilter {


         private final List<Type> categories;


         public FileTypeFilter(List<Type> categories) {

             this.categories = categories;

         }


         public FileTypeFilter(Type category) {

             this.categories = new ArrayList<>();

             this.categories.add(category);

         }


         @Override

         public String getWhereClause() {

             String queryStr = ""; // NON-NLS

             for (Type cat : categories) {

                 for (String type : cat.getMediaTypes()) {

                     if (!queryStr.isEmpty()) {

                         queryStr += ","; // NON-NLS

                     }

                     queryStr += "\'" + type + "\'"; // NON-NLS

                 }

             }

             queryStr = "mime_type IN (" + queryStr + ")"; // NON-NLS

             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.FileTypeFilter.desc=Type: {0}",

             "SearchFiltering.FileTypeFilter.or=, ",})

         @Override

         public String getDesc() {

             String desc = "";

             for (Type cat : categories) {

                 if (!desc.isEmpty()) {

                     desc += Bundle.SearchFiltering_FileTypeFilter_or();

                 }

                 desc += cat.toString();

             }

             desc = Bundle.SearchFiltering_FileTypeFilter_desc(desc);

             return desc;

         }

     }


     public static class FrequencyFilter extends AbstractFilter {


         private final List<Frequency> frequencies;


         public FrequencyFilter(List<Frequency> frequencies) {

             this.frequencies = frequencies;

         }


         @Override

         public String getWhereClause() {

             // Since this relies on the central repository database, there is no

             // query on the case database.

             return ""; // NON-NLS

         }


         @Override

         public boolean useAlternateFilter() {

             return true;

         }


         @Override

         public List<Result> applyAlternateFilter(List<Result> currentResults, SleuthkitCase caseDb,

                 CentralRepository centralRepoDb, SearchContext context) throws DiscoveryException, SearchCancellationException {

             // Set the frequency for each file

             DiscoveryAttributes.FrequencyAttribute freqAttr = new DiscoveryAttributes.FrequencyAttribute();

             freqAttr.addAttributeToResults(currentResults, caseDb, centralRepoDb, context);


             // If the frequency matches the filter, add the file to the results

             List<Result> frequencyResults = new ArrayList<>();

             for (Result file : currentResults) {

                 if (context.searchIsCancelled()) {

                     throw new SearchCancellationException("The search was cancelled while Frequency alternate filter was being applied.");

                 }

                 if (frequencies.contains(file.getFrequency())) {

                     frequencyResults.add(file);

                 }

             }

             return frequencyResults;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.FrequencyFilter.desc=Past occurrences: {0}",

             "SearchFiltering.FrequencyFilter.or=, ",})

         @Override

         public String getDesc() {

             String desc = ""; // NON-NLS

             for (Frequency freq : frequencies) {

                 if (!desc.isEmpty()) {

                     desc += Bundle.SearchFiltering_FrequencyFilter_or();

                 }

                 desc += freq.toString();

             }

             return Bundle.SearchFiltering_FrequencyFilter_desc(desc);

         }

     }


     public static class KnownAccountTypeFilter extends AbstractFilter {


         @Override

         public String getWhereClause() {

             throw new UnsupportedOperationException("Not supported, this is an alternative filter.");

         }


         @Override

         public boolean useAlternateFilter() {

             return true;

         }


         @Override

         public List<Result> applyAlternateFilter(List<Result> currentResults, SleuthkitCase caseDb,

                 CentralRepository centralRepoDb, SearchContext context) throws DiscoveryException, SearchCancellationException {

             List<Result> filteredResults = new ArrayList<>();

             for (Result result : currentResults) {

                 if (context.searchIsCancelled()) {

                     throw new SearchCancellationException("The search was cancelled while Known Account Type alternate filter was being applied.");

                 }

                 if (result instanceof ResultDomain) {

                     ResultDomain domain = (ResultDomain) result;

                     if (domain.hasKnownAccountType()) {

                         filteredResults.add(domain);

                     }

                 } else {

                     filteredResults.add(result);

                 }

             }

             return filteredResults;

         }


         @NbBundle.Messages({

             "SearchFiltering.KnownAccountTypeFilter.desc=Only domains with known account type"

         })

         @Override

         public String getDesc() {

             return Bundle.SearchFiltering_KnownAccountTypeFilter_desc();

         }


     }


     public static class PreviouslyNotableFilter extends AbstractFilter {


         @Override

         public String getWhereClause() {

             throw new UnsupportedOperationException("Not supported, this is an alternative filter.");

         }


         @Override

         public boolean useAlternateFilter() {

             return true;

         }


         @Override

         public List<Result> applyAlternateFilter(List<Result> currentResults, SleuthkitCase caseDb,

                 CentralRepository centralRepoDb, SearchContext context) throws DiscoveryException, SearchCancellationException {

             DiscoveryAttributes.PreviouslyNotableAttribute previouslyNotableAttr = new DiscoveryAttributes.PreviouslyNotableAttribute();

             previouslyNotableAttr.addAttributeToResults(currentResults, caseDb, centralRepoDb, context);

             List<Result> filteredResults = new ArrayList<>();

             for (Result file : currentResults) {

                 if (context.searchIsCancelled()) {

                     throw new SearchCancellationException("The search was cancelled while Previously Notable alternate filter was being applied.");

                 }

                 if (file.getPreviouslyNotableInCR() == SearchData.PreviouslyNotable.PREVIOUSLY_NOTABLE) {

                     filteredResults.add(file);

                 }

             }

             return filteredResults;

         }


         @NbBundle.Messages({

             "SearchFiltering.PreviouslyNotableFilter.desc=Previously marked as notable in central repository"

         })

         @Override

         public String getDesc() {

             return Bundle.SearchFiltering_PreviouslyNotableFilter_desc();

         }


     }


     public static class HashSetFilter extends AbstractFilter {


         private final List<String> setNames;


         public HashSetFilter(List<String> setNames) {

             this.setNames = setNames;

         }


         @Override

         public String getWhereClause() {

             String hashSetPart = concatenateNamesForSQL(setNames);


             String queryStr = "(obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_id IN "

                     + "(SELECT artifact_id FROM blackboard_attributes WHERE artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()

                     + " AND attribute_type_ID = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " "

                     + "AND (" + hashSetPart + "))))";  // NON-NLS


             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "FileSearchFiltering.HashSetFilter.desc=Hash set hits in set(s): {0}",})

         @Override

         public String getDesc() {

             return Bundle.FileSearchFiltering_HashSetFilter_desc(concatenateSetNamesForDisplay(setNames));

         }

     }


     public static class InterestingFileSetFilter extends AbstractFilter {


         private final List<String> setNames;


         public InterestingFileSetFilter(List<String> setNames) {

             this.setNames = setNames;

         }


         @Override

         public String getWhereClause() {

             String intItemSetPart = concatenateNamesForSQL(setNames);


             String queryStr = "(obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_id IN "

                     + "(SELECT artifact_id FROM blackboard_attributes WHERE artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID()

                     + " AND attribute_type_ID = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " "

                     + "AND (" + intItemSetPart + "))))";  // NON-NLS


             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.InterestingItemSetFilter.desc=Interesting item hits in set(s): {0}",})

         @Override

         public String getDesc() {

             return Bundle.SearchFiltering_InterestingItemSetFilter_desc(concatenateSetNamesForDisplay(setNames));

         }

     }


     public static class ObjectDetectionFilter extends AbstractFilter {


         private final List<String> typeNames;


         public ObjectDetectionFilter(List<String> typeNames) {

             this.typeNames = typeNames;

         }


         @Override

         public String getWhereClause() {

             String objTypePart = concatenateNamesForSQL(typeNames);


             String queryStr = "(obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_id IN "

                     + "(SELECT artifact_id FROM blackboard_attributes WHERE artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_OBJECT_DETECTED.getTypeID()

                     + " AND attribute_type_ID = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION.getTypeID() + " "

                     + "AND (" + objTypePart + "))))";  // NON-NLS


             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.ObjectDetectionFilter.desc=Objects detected in set(s): {0}",})

         @Override

         public String getDesc() {

             return Bundle.SearchFiltering_ObjectDetectionFilter_desc(concatenateSetNamesForDisplay(typeNames));

         }

     }


     public static class ScoreFilter extends AbstractFilter {


         private final List<Score> scores;


         public ScoreFilter(List<Score> scores) {

             this.scores = scores;

         }


         @Override

         public String getWhereClause() {


             // Current algorithm:

             // "Notable" if the file is a match for a notable hashset or has been tagged with a notable tag.

             // "Interesting" if the file has an interesting item match or has been tagged with a non-notable tag.

             String hashsetQueryPart = "";

             String tagQueryPart = "";

             String intItemQueryPart = "";


             if (scores.contains(Score.NOTABLE)) {

                 // do hashset

                 hashsetQueryPart = " (known = " + TskData.FileKnown.BAD.getFileKnownValue() + ") ";

             }


             if (scores.contains(Score.INTERESTING)) {

                 // Matches interesting item artifact

                 intItemQueryPart = " (obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_type_id = "

                         + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() + ")) ";

             }


             if (scores.contains(Score.NOTABLE) && scores.contains(Score.INTERESTING)) {

                 // Any tag will work

                 tagQueryPart = "(obj_id IN (SELECT obj_id FROM content_tags))";

             } else if (scores.contains(Score.NOTABLE)) {

                 // Notable tags

                 tagQueryPart = "(obj_id IN (SELECT obj_id FROM content_tags WHERE tag_name_id IN (SELECT tag_name_id FROM tag_names WHERE knownStatus = "

                         + TskData.FileKnown.BAD.getFileKnownValue() + ")))";

             } else if (scores.contains(Score.INTERESTING)) {

                 // Non-notable tags

                 tagQueryPart = "(obj_id IN (SELECT obj_id FROM content_tags WHERE tag_name_id IN (SELECT tag_name_id FROM tag_names WHERE knownStatus != "

                         + TskData.FileKnown.BAD.getFileKnownValue() + ")))";

             }


             String queryStr = hashsetQueryPart;

             if (!intItemQueryPart.isEmpty()) {

                 if (!queryStr.isEmpty()) {

                     queryStr += " OR ";

                 }

                 queryStr += intItemQueryPart;

             }

             if (!tagQueryPart.isEmpty()) {

                 if (!queryStr.isEmpty()) {

                     queryStr += " OR ";

                 }

                 queryStr += tagQueryPart;

             }

             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - filters",

             "SearchFiltering.ScoreFilter.desc=Score(s) of : {0}",})

         @Override

         public String getDesc() {

             return Bundle.SearchFiltering_ScoreFilter_desc(

                     concatenateSetNamesForDisplay(scores.stream().map(p -> p.toString()).collect(Collectors.toList())));

         }

     }


     public static class TagsFilter extends AbstractFilter {


         private final List<TagName> tagNames;


         public TagsFilter(List<TagName> tagNames) {

             this.tagNames = tagNames;

         }


         @Override

         public String getWhereClause() {

             String tagIDs = ""; // NON-NLS

             for (TagName tagName : tagNames) {

                 if (!tagIDs.isEmpty()) {

                     tagIDs += ",";

                 }

                 tagIDs += tagName.getId();

             }


             String queryStr = "(obj_id IN (SELECT obj_id FROM content_tags WHERE tag_name_id IN (" + tagIDs + ")))";


             return queryStr;

         }


         @NbBundle.Messages({

             "# {0} - tag names",

             "FileSearchFiltering.TagsFilter.desc=Tagged {0}",

             "FileSearchFiltering.TagsFilter.or=, ",})

         @Override

         public String getDesc() {

             String desc = ""; // NON-NLS

             for (TagName name : tagNames) {

                 if (!desc.isEmpty()) {

                     desc += Bundle.FileSearchFiltering_TagsFilter_or();

                 }

                 desc += name.getDisplayName();

             }

             return Bundle.FileSearchFiltering_TagsFilter_desc(desc);

         }

     }


     public static class UserCreatedFilter extends AbstractFilter {


         @Override

         public String getWhereClause() {

             return "(obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_id IN "

                     + "(SELECT artifact_id FROM blackboard_attributes WHERE artifact_type_id = "

                     + BlackboardArtifact.ARTIFACT_TYPE.TSK_USER_CONTENT_SUSPECTED.getTypeID() + ")))";

         }


         @NbBundle.Messages({

             "FileSearchFiltering.UserCreatedFilter.desc=that contain EXIF data",})

         @Override

         public String getDesc() {

             return Bundle.FileSearchFiltering_UserCreatedFilter_desc();

         }

     }


     public static class NotableFilter extends AbstractFilter {


         @Override

         public String getWhereClause() {

             // Since this relies on the central repository database, there is no

             // query on the case database.

             return ""; // NON-NLS

         }


         @Override

         public boolean useAlternateFilter() {

             return true;

         }


         @Override

         public List<Result> applyAlternateFilter(List<Result> currentResults, SleuthkitCase caseDb,

                 CentralRepository centralRepoDb, SearchContext context) throws DiscoveryException, SearchCancellationException {


             if (centralRepoDb == null) {

                 throw new DiscoveryException("Can not run Previously Notable filter with null Central Repository DB"); // NON-NLS

             }


             // We have to have run some kind of SQL filter before getting to this point,

             // and should have checked afterward to see if the results were empty.

             if (currentResults.isEmpty()) {

                 throw new DiscoveryException("Can not run on empty list"); // NON-NLS

             }


             // The matching files

             List<Result> notableResults = new ArrayList<>();


             try {

                 CorrelationAttributeInstance.Type type = CorrelationAttributeInstance.getDefaultCorrelationTypes().get(CorrelationAttributeInstance.FILES_TYPE_ID);


                 for (Result result : currentResults) {

                     if (context.searchIsCancelled()) {

                         throw new SearchCancellationException("The search was cancelled while Notable alternate filter was being applied.");

                     }

                     ResultFile file = (ResultFile) result;

                     if (result.getType() == SearchData.Type.DOMAIN) {

                         break;

                     }

                     if (file.getFirstInstance().getMd5Hash() != null && !file.getFirstInstance().getMd5Hash().isEmpty()) {

                         // Check if this file hash is marked as notable in the CR

                         String value = file.getFirstInstance().getMd5Hash();

                         if (centralRepoDb.getCountArtifactInstancesKnownBad(type, value) > 0) {

                             notableResults.add(result);

                         }

                     }

                 }

                 return notableResults;

             } catch (CentralRepoException | CorrelationAttributeNormalizationException ex) {

                 throw new DiscoveryException("Error querying central repository", ex); // NON-NLS

             }

         }


         @NbBundle.Messages({

             "FileSearchFiltering.PreviouslyNotableFilter.desc=that were previously marked as notable",})

         @Override

         public String getDesc() {

             return Bundle.FileSearchFiltering_PreviouslyNotableFilter_desc();

         }

     }


     public static class KnownFilter extends AbstractFilter {


         @Override

         public String getWhereClause() {

             return "known!=" + TskData.FileKnown.KNOWN.getFileKnownValue(); // NON-NLS

         }


         @NbBundle.Messages({

             "FileSearchFiltering.KnownFilter.desc=which are not known"})

         @Override

         public String getDesc() {

             return Bundle.FileSearchFiltering_KnownFilter_desc();

         }

     }


     @NbBundle.Messages({

         "FileSearchFiltering.concatenateSetNamesForDisplay.comma=, ",})

     private static String concatenateSetNamesForDisplay(List<String> setNames) {

         String desc = ""; // NON-NLS

         for (String setName : setNames) {

             if (!desc.isEmpty()) {

                 desc += Bundle.FileSearchFiltering_concatenateSetNamesForDisplay_comma();

             }

             desc += setName;

         }

         return desc;

     }


     private static String concatenateNamesForSQL(List<String> setNames) {

         String result = ""; // NON-NLS

         for (String setName : setNames) {

             if (!result.isEmpty()) {

                 result += " OR "; // NON-NLS

             }

             result += "value_text = \'" + setName + "\'";  // NON-NLS

         }

         return result;

     }


     private SearchFiltering() {

         // Class should not be instantiated

     }

 }

org.sleuthkit

org.sleuthkit.autopsy.discovery.search.SearchFiltering.concatenateNamesForSQL
static String concatenateNamesForSQL(List< String > setNames)
Definition: SearchFiltering.java:1193

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactDateRangeFilter.dateAttributes
static List< BlackboardAttribute.ATTRIBUTE_TYPE > dateAttributes
Definition: SearchFiltering.java:163

org.sleuthkit.autopsy.discovery.search.ResultDomain
Definition: ResultDomain.java:31

org.sleuthkit.autopsy.discovery.search.SearchFiltering.TagsFilter.TagsFilter
TagsFilter(List< TagName > tagNames)
Definition: SearchFiltering.java:1022

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ScoreFilter.scores
final List< Score > scores
Definition: SearchFiltering.java:938

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FrequencyFilter
Definition: SearchFiltering.java:669

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FrequencyFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:683

org.sleuthkit.autopsy.discovery.search.SearchData.Frequency
Definition: SearchData.java:142

org.sleuthkit.autopsy.discovery.search.SearchFiltering.NotableFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:1086

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.Type
Definition: CorrelationAttributeInstance.java:318

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FrequencyFilter.FrequencyFilter
FrequencyFilter(List< Frequency > frequencies)
Definition: SearchFiltering.java:678

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentFilter
Definition: SearchFiltering.java:446

org.sleuthkit.autopsy.discovery.search
Definition: AbstractFilter.java:19

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FrequencyFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:719

org.sleuthkit.autopsy.discovery.search.SearchData.FileSize.NO_MAXIMUM
staticfinal long NO_MAXIMUM
Definition: SearchData.java:270

org.sleuthkit.autopsy.discovery.search.SearchFiltering.DataSourceFilter
Definition: SearchFiltering.java:523

org.sleuthkit.autopsy.discovery.search.SearchFiltering.HashSetFilter
Definition: SearchFiltering.java:822

org.sleuthkit.autopsy.discovery.search.Result
Definition: Result.java:31

org.sleuthkit.autopsy.discovery.search.SearchFiltering.InterestingFileSetFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:889

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.isFullPath
boolean isFullPath()
Definition: SearchFiltering.java:418

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentFilter.ParentFilter
ParentFilter(List< ParentSearchTerm > parentSearchTerms)
Definition: SearchFiltering.java:455

org.sleuthkit.autopsy.discovery.search.SearchFiltering.PreviouslyNotableFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:812

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FileTypeFilter
Definition: SearchFiltering.java:610

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactDateRangeFilter
Definition: SearchFiltering.java:156

org.sleuthkit.autopsy.discovery.search.SearchFiltering.PreviouslyNotableFilter.applyAlternateFilter
List< Result > applyAlternateFilter(List< Result > currentResults, SleuthkitCase caseDb, CentralRepository centralRepoDb, SearchContext context)
Definition: SearchFiltering.java:792

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactTypeFilter.types
final Collection< ARTIFACT_TYPE > types
Definition: SearchFiltering.java:228

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KeywordListFilter.listNames
final List< String > listNames
Definition: SearchFiltering.java:576

org.sleuthkit.autopsy.discovery.search.SearchFiltering.HashSetFilter.HashSetFilter
HashSetFilter(List< String > setNames)
Definition: SearchFiltering.java:831

org.sleuthkit.autopsy.discovery.search.SearchFiltering.UserCreatedFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:1065

org.sleuthkit.autopsy.centralrepository.datamodel
Definition: CentralRepoAccount.java:19

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:1160

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactTypeFilter.ArtifactTypeFilter
ArtifactTypeFilter(Collection< ARTIFACT_TYPE > types)
Definition: SearchFiltering.java:236

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:1153

org.sleuthkit.autopsy.discovery.search.DiscoveryException
Definition: DiscoveryException.java:24

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FileTypeFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:634

org

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.ParentSearchTerm
ParentSearchTerm(String searchStr, boolean isFullPath, boolean isIncluded)
Definition: SearchFiltering.java:362

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactTypeFilter.getTypes
Collection< ARTIFACT_TYPE > getTypes()
Definition: SearchFiltering.java:245

org.sleuthkit.autopsy.discovery.search.ResultFile
Definition: ResultFile.java:42

org.sleuthkit.autopsy.discovery

org.sleuthkit.autopsy.discovery.search.SearchFiltering.SizeFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:310

org.sleuthkit.autopsy.centralrepository
Definition: AddEditCentralRepoCommentAction.java:19

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactDateRangeFilter.startDate
final Long startDate
Definition: SearchFiltering.java:158

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactDateRangeFilter.endDate
final Long endDate
Definition: SearchFiltering.java:159

org.sleuthkit.autopsy.discovery.search.SearchFiltering.UserCreatedFilter
Definition: SearchFiltering.java:1062

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FrequencyFilter.applyAlternateFilter
List< Result > applyAlternateFilter(List< Result > currentResults, SleuthkitCase caseDb, CentralRepository centralRepoDb, SearchContext context)
Definition: SearchFiltering.java:695

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ObjectDetectionFilter
Definition: SearchFiltering.java:898

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm
Definition: SearchFiltering.java:347

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.getDefaultCorrelationTypes
static List< CorrelationAttributeInstance.Type > getDefaultCorrelationTypes()
Definition: CorrelationAttributeInstance.java:284

org.sleuthkit.autopsy.discovery.search.SearchFiltering.NotableFilter.applyAlternateFilter
List< Result > applyAlternateFilter(List< Result > currentResults, SleuthkitCase caseDb, CentralRepository centralRepoDb, SearchContext context)
Definition: SearchFiltering.java:1098

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ObjectDetectionFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:927

org.sleuthkit.autopsy.discovery.search.SearchFiltering.PreviouslyNotableFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:782

org.sleuthkit.autopsy.discovery.search.SearchFiltering.UserCreatedFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:1074

org.sleuthkit.autopsy.discovery.search.SearchFiltering.DataSourceFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:537

org.sleuthkit.autopsy.discovery.search.SearchContext
Definition: SearchContext.java:25

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactDateRangeFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:193

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ObjectDetectionFilter.ObjectDetectionFilter
ObjectDetectionFilter(List< String > typeNames)
Definition: SearchFiltering.java:907

org.sleuthkit.autopsy.discovery.search.SearchFiltering.PreviouslyNotableFilter.useAlternateFilter
boolean useAlternateFilter()
Definition: SearchFiltering.java:787

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactDateRangeFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:205

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KeywordListFilter.KeywordListFilter
KeywordListFilter(List< String > listNames)
Definition: SearchFiltering.java:583

org.sleuthkit.autopsy.discovery.search.SearchFiltering.HashSetFilter.setNames
final List< String > setNames
Definition: SearchFiltering.java:824

org.sleuthkit.autopsy.discovery.search.ResultDomain.hasKnownAccountType
boolean hasKnownAccountType()
Definition: ResultDomain.java:170

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactDateRangeFilter.ArtifactDateRangeFilter
ArtifactDateRangeFilter(Long startDate, Long endDate)
Definition: SearchFiltering.java:175

org.sleuthkit.autopsy.discovery.search.SearchFiltering.PreviouslyNotableFilter
Definition: SearchFiltering.java:779

org.sleuthkit.autopsy.discovery.search.SearchFiltering.TagsFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:1046

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.toString
String toString()
Definition: SearchFiltering.java:396

org.sleuthkit.autopsy.discovery.search.DiscoveryAttributes
Definition: DiscoveryAttributes.java:55

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FileTypeFilter.FileTypeFilter
FileTypeFilter(Type category)
Definition: SearchFiltering.java:628

org.sleuthkit.autopsy.discovery.search.SearchData.PreviouslyNotable
Definition: SearchData.java:55

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository.getCountArtifactInstancesKnownBad
Long getCountArtifactInstancesKnownBad(CorrelationAttributeInstance.Type aType, String value)

org.sleuthkit.autopsy.discovery.search.DiscoveryAttributes.PreviouslyNotableAttribute
Definition: DiscoveryAttributes.java:353

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.fullPath
final boolean fullPath
Definition: SearchFiltering.java:350

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.searchStr
final String searchStr
Definition: SearchFiltering.java:349

org.sleuthkit.autopsy.discovery.search.SearchFiltering.HashSetFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:851

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FileTypeFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:653

org.sleuthkit.autopsy.discovery.search.SearchFiltering.NotableFilter.useAlternateFilter
boolean useAlternateFilter()
Definition: SearchFiltering.java:1093

org.sleuthkit.autopsy.discovery.search.ResultFile.getFirstInstance
AbstractFile getFirstInstance()
Definition: ResultFile.java:249

org.sleuthkit.autopsy.discovery.search.DiscoveryAttributes.FrequencyAttribute
Definition: DiscoveryAttributes.java:484

org.sleuthkit.autopsy.discovery.search.SearchData.FileSize
Definition: SearchData.java:251

org.sleuthkit.autopsy.discovery.search.SearchFiltering.NotableFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:1142

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactTypeFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:279

org.sleuthkit.autopsy.discovery.search.SearchFiltering.concatenateSetNamesForDisplay
static String concatenateSetNamesForDisplay(List< String > setNames)
Definition: SearchFiltering.java:1174

org.sleuthkit.autopsy.discovery.search.SearchFiltering.DataSourceFilter.dataSources
final List< DataSource > dataSources
Definition: SearchFiltering.java:525

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.included
final boolean included
Definition: SearchFiltering.java:351

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ScoreFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:1003

org.sleuthkit.autopsy.discovery.search.SearchData.Score
Definition: SearchData.java:526

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ObjectDetectionFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:912

org.sleuthkit.autopsy.discovery.search.SearchData.PreviouslyNotable.PREVIOUSLY_NOTABLE
PREVIOUSLY_NOTABLE
Definition: SearchData.java:56

org.sleuthkit.autopsy.discovery.search.SearchFiltering.getResultList
static List< Result > getResultList(List< AbstractFilter > filters, String combinedQuery, SleuthkitCase caseDb, CentralRepository centralRepoDb, SearchContext context)
Definition: SearchFiltering.java:119

org.sleuthkit.autopsy.discovery.search.SearchFiltering.SearchFiltering
SearchFiltering()
Definition: SearchFiltering.java:1207

org.sleuthkit.autopsy.discovery.search.SearchData.Type
Definition: SearchData.java:453

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.getSQLForTerm
String getSQLForTerm()
Definition: SearchFiltering.java:373

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoException
Definition: CentralRepoException.java:26

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KeywordListFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:602

org.sleuthkit.autopsy.discovery.search.SearchFiltering.SizeFilter
Definition: SearchFiltering.java:296

org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository
Definition: CentralRepository.java:36

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownAccountTypeFilter.applyAlternateFilter
List< Result > applyAlternateFilter(List< Result > currentResults, SleuthkitCase caseDb, CentralRepository centralRepoDb, SearchContext context)
Definition: SearchFiltering.java:747

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentFilter.parentSearchTerms
final List< ParentSearchTerm > parentSearchTerms
Definition: SearchFiltering.java:448

org.sleuthkit.autopsy.discovery.search.SearchFiltering.HashSetFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:836

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactTypeFilter
Definition: SearchFiltering.java:226

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownFilter
Definition: SearchFiltering.java:1150

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FrequencyFilter.useAlternateFilter
boolean useAlternateFilter()
Definition: SearchFiltering.java:690

org.sleuthkit.autopsy.discovery.search.SearchFiltering.SizeFilter.SizeFilter
SizeFilter(List< FileSize > fileSizes)
Definition: SearchFiltering.java:305

org.sleuthkit.autopsy.discovery.search.SearchData
Definition: SearchData.java:36

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KeywordListFilter
Definition: SearchFiltering.java:574

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:460

org.sleuthkit.autopsy.discovery.search.SearchFiltering.TagsFilter.tagNames
final List< TagName > tagNames
Definition: SearchFiltering.java:1015

org.sleuthkit.autopsy.discovery.search.SearchCancellationException
Definition: SearchCancellationException.java:27

org.sleuthkit.autopsy.discovery.search.SearchFiltering.DataSourceFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:557

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactTypeFilter.joinStandardArtifactTypes
StringJoiner joinStandardArtifactTypes()
Definition: SearchFiltering.java:249

org.sleuthkit.autopsy.discovery.search.SearchData.Type.DOMAIN
DOMAIN
Definition: SearchData.java:460

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownAccountTypeFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:737

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ScoreFilter.ScoreFilter
ScoreFilter(List< Score > scores)
Definition: SearchFiltering.java:945

org.sleuthkit.autopsy.discovery.search.SearchFiltering.InterestingFileSetFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:874

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ScoreFilter
Definition: SearchFiltering.java:936

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ObjectDetectionFilter.typeNames
final List< String > typeNames
Definition: SearchFiltering.java:900

org.sleuthkit.autopsy.discovery.search.SearchFiltering.SizeFilter.fileSizes
final List< FileSize > fileSizes
Definition: SearchFiltering.java:298

org.sleuthkit.autopsy.discovery.search.SearchFiltering.NotableFilter
Definition: SearchFiltering.java:1083

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:498

org.sleuthkit.autopsy

org.sleuthkit.autopsy.discovery.search.SearchFiltering
Definition: SearchFiltering.java:54

org.sleuthkit.autopsy.discovery.search.SearchData.Score.INTERESTING
INTERESTING
Definition: SearchData.java:528

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ScoreFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:950

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownAccountTypeFilter.useAlternateFilter
boolean useAlternateFilter()
Definition: SearchFiltering.java:742

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.getSearchStr
String getSearchStr()
Definition: SearchFiltering.java:438

org.sleuthkit.autopsy.discovery.search.SearchFiltering.TagsFilter
Definition: SearchFiltering.java:1013

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FrequencyFilter.frequencies
final List< Frequency > frequencies
Definition: SearchFiltering.java:671

org.sleuthkit.autopsy.discovery.search.SearchData.Score.NOTABLE
NOTABLE
Definition: SearchData.java:527

org.sleuthkit.autopsy.discovery.search.SearchFiltering.InterestingFileSetFilter
Definition: SearchFiltering.java:860

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ParentSearchTerm.isIncluded
boolean isIncluded()
Definition: SearchFiltering.java:429

org.sleuthkit.autopsy.discovery.search.AbstractFilter
Definition: AbstractFilter.java:29

org.sleuthkit.autopsy.discovery.search.SearchFiltering.DataSourceFilter.DataSourceFilter
DataSourceFilter(List< DataSource > dataSources)
Definition: SearchFiltering.java:532

org.sleuthkit.autopsy.discovery.search.SearchFiltering.InterestingFileSetFilter.InterestingFileSetFilter
InterestingFileSetFilter(List< String > setNames)
Definition: SearchFiltering.java:869

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FileTypeFilter.FileTypeFilter
FileTypeFilter(List< Type > categories)
Definition: SearchFiltering.java:619

org.sleuthkit.autopsy.discovery.search.SearchContext.searchIsCancelled
boolean searchIsCancelled()

org.sleuthkit.autopsy.discovery.search.SearchFiltering.InterestingFileSetFilter.setNames
final List< String > setNames
Definition: SearchFiltering.java:862

org.sleuthkit.autopsy.discovery.search.SearchFiltering.TagsFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:1027

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KeywordListFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:588

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.FILES_TYPE_ID
static final int FILES_TYPE_ID
Definition: CorrelationAttributeInstance.java:250

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance
Definition: CorrelationAttributeInstance.java:40

org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException
Definition: CorrelationAttributeNormalizationException.java:25

org.sleuthkit.autopsy.discovery.search.SearchFiltering.SizeFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:330

org.sleuthkit.autopsy.discovery.search.SearchFiltering.ArtifactTypeFilter.getWhereClause
String getWhereClause()
Definition: SearchFiltering.java:258

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownAccountTypeFilter
Definition: SearchFiltering.java:734

org.sleuthkit.autopsy.discovery.search.SearchFiltering.KnownAccountTypeFilter.getDesc
String getDesc()
Definition: SearchFiltering.java:770

org.sleuthkit.autopsy.discovery.search.SearchFiltering.FileTypeFilter.categories
final List< Type > categories
Definition: SearchFiltering.java:612