Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
FilesIdentifierIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.interestingitems;
20 
21 import java.util.ArrayList;
22 import java.util.Collections;
23 import java.util.List;
24 import java.util.Map;
25 import java.util.concurrent.ConcurrentHashMap;
26 import java.util.logging.Level;
27 import org.openide.util.NbBundle;
28 import org.openide.util.NbBundle.Messages;
29 import org.sleuthkit.autopsy.casemodule.Case;
30 import org.sleuthkit.autopsy.casemodule.services.Blackboard;
31 import org.sleuthkit.autopsy.coreutils.Logger;
32 import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
33 import org.sleuthkit.autopsy.ingest.FileIngestModule;
34 import org.sleuthkit.autopsy.ingest.IngestJobContext;
35 import org.sleuthkit.autopsy.ingest.IngestMessage;
36 import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter;
37 import org.sleuthkit.autopsy.ingest.IngestServices;
38 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.BlackboardArtifact;
41 import org.sleuthkit.datamodel.BlackboardAttribute;
42 import org.sleuthkit.datamodel.TskCoreException;
43 import org.sleuthkit.datamodel.TskData;
44 
49 @NbBundle.Messages({
50  "FilesIdentifierIngestModule.getFilesError=Error getting interesting files sets from file."
51 })
52 final class FilesIdentifierIngestModule implements FileIngestModule {
53 
54  private static final Object sharedResourcesLock = new Object();
55  private static final Logger logger = Logger.getLogger(FilesIdentifierIngestModule.class.getName());
56  private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();
57  private static final Map<Long, List<FilesSet>> interestingFileSetsByJob = new ConcurrentHashMap<>();
58  private final FilesIdentifierIngestJobSettings settings;
59  private final IngestServices services = IngestServices.getInstance();
60  private IngestJobContext context;
61  private Blackboard blackboard;
62 
69  FilesIdentifierIngestModule(FilesIdentifierIngestJobSettings settings) {
70  this.settings = settings;
71  }
72 
76  @Override
77  public void startUp(IngestJobContext context) throws IngestModuleException {
78  this.context = context;
79  synchronized (FilesIdentifierIngestModule.sharedResourcesLock) {
80  if (FilesIdentifierIngestModule.refCounter.incrementAndGet(context.getJobId()) == 1) {
81  // Starting up the first instance of this module for this ingest
82  // job, so get the interesting file sets definitions snapshot
83  // for the job. Note that getting this snapshot atomically via a
84  // synchronized definitions manager method eliminates the need
85  // to disable the interesting files set definition UI during ingest.
86  List<FilesSet> filesSets = new ArrayList<>();
87  try {
88  for (FilesSet set : FilesSetsManager.getInstance().getInterestingFilesSets().values()) {
89  if (settings.interestingFilesSetIsEnabled(set.getName())) {
90  filesSets.add(set);
91  }
92  }
93  } catch (FilesSetsManager.FilesSetsManagerException ex) {
94  throw new IngestModuleException(Bundle.FilesIdentifierIngestModule_getFilesError(), ex);
95  }
96  FilesIdentifierIngestModule.interestingFileSetsByJob.put(context.getJobId(), filesSets);
97  }
98  }
99  }
100 
104  @Override
105  @Messages({"FilesIdentifierIngestModule.indexError.message=Failed to index interesting file hit artifact for keyword search."})
106  public ProcessResult process(AbstractFile file) {
107  blackboard = Case.getCurrentCase().getServices().getBlackboard();
108 
109  // Skip slack space files.
110  if (file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK)) {
111  return ProcessResult.OK;
112  }
113 
114  // See if the file belongs to any defined interesting files set.
115  List<FilesSet> filesSets = FilesIdentifierIngestModule.interestingFileSetsByJob.get(this.context.getJobId());
116  for (FilesSet filesSet : filesSets) {
117  String ruleSatisfied = filesSet.fileIsMemberOf(file);
118  if (ruleSatisfied != null) {
119  try {
120  // Post an interesting files set hit artifact to the
121  // blackboard.
122  String moduleName = InterestingItemsIngestModuleFactory.getModuleName();
123  BlackboardArtifact artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
124 
125  // Add a set name attribute to the artifact. This adds a
126  // fair amount of redundant data to the attributes table
127  // (i.e., rows that differ only in artifact id), but doing
128  // otherwise would requires reworking the interesting files
129  // set hit artifact.
130  BlackboardAttribute setNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, moduleName, filesSet.getName());
131  artifact.addAttribute(setNameAttribute);
132 
133  // Add a category attribute to the artifact to record the
134  // interesting files set membership rule that was satisfied.
135  BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, moduleName, ruleSatisfied);
136  artifact.addAttribute(ruleNameAttribute);
137 
138  try {
139  // index the artifact for keyword search
140  blackboard.indexArtifact(artifact);
141  } catch (Blackboard.BlackboardException ex) {
142  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
143  MessageNotifyUtil.Notify.error(Bundle.FilesIdentifierIngestModule_indexError_message(), artifact.getDisplayName());
144  }
145 
146  services.fireModuleDataEvent(new ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, Collections.singletonList(artifact)));
147 
148  // make an ingest inbox message
149  StringBuilder detailsSb = new StringBuilder();
150  detailsSb.append("File: " + file.getParentPath() + file.getName() + "<br/>\n");
151  detailsSb.append("Rule Set: " + filesSet.getName());
152 
153  services.postMessage(IngestMessage.createDataMessage(InterestingItemsIngestModuleFactory.getModuleName(),
154  "Interesting File Match: " + filesSet.getName() + "(" + file.getName() +")",
155  detailsSb.toString(),
156  file.getName(),
157  artifact));
158 
159  } catch (TskCoreException ex) {
160  FilesIdentifierIngestModule.logger.log(Level.SEVERE, "Error posting to the blackboard", ex); //NOI18N NON-NLS
161  }
162  }
163  }
164  return ProcessResult.OK;
165  }
166 
170  @Override
171  public void shutDown() {
172  if (context != null) {
173  if (refCounter.decrementAndGet(this.context.getJobId()) == 0) {
174  // Shutting down the last instance of this module for this ingest
175  // job, so discard the interesting file sets definitions snapshot
176  // for the job.
177  FilesIdentifierIngestModule.interestingFileSetsByJob.remove(this.context.getJobId());
178  }
179  }
180  }
181 }

Copyright © 2012-2016 Basis Technology. Generated on: Mon Apr 24 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.