api-docs/4.3/_keyword_hits_8java_source.html

 /*

  * Autopsy Forensic Browser

  *

  * Copyright 2011-2016 Basis Technology Corp.

  * Contact: carrier <at> sleuthkit <dot> org

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.sleuthkit.autopsy.datamodel;


 import java.beans.PropertyChangeEvent;

 import java.beans.PropertyChangeListener;

 import java.sql.ResultSet;

 import java.sql.SQLException;

 import java.util.ArrayList;

 import java.util.Collections;

 import java.util.HashMap;

 import java.util.HashSet;

 import java.util.LinkedHashMap;

 import java.util.List;

 import java.util.Map;

 import java.util.Observable;

 import java.util.Observer;

 import java.util.Set;

 import java.util.logging.Level;

 import org.openide.nodes.ChildFactory;

 import org.openide.nodes.Children;

 import org.openide.nodes.Node;

 import org.openide.nodes.Sheet;

 import org.openide.util.NbBundle;

 import org.openide.util.lookup.Lookups;

 import org.sleuthkit.autopsy.casemodule.Case;

 import org.sleuthkit.autopsy.coreutils.Logger;

 import org.sleuthkit.autopsy.ingest.IngestManager;

 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;

 import org.sleuthkit.datamodel.AbstractFile;

 import org.sleuthkit.datamodel.BlackboardArtifact;

 import org.sleuthkit.datamodel.BlackboardAttribute;

 import org.sleuthkit.datamodel.SleuthkitCase;

 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;

 import org.sleuthkit.datamodel.TskCoreException;

 import org.sleuthkit.datamodel.TskException;


 public class KeywordHits implements AutopsyVisitableItem {


     private SleuthkitCase skCase;

     private static final Logger logger = Logger.getLogger(KeywordHits.class.getName());

     private static final String KEYWORD_HITS = NbBundle.getMessage(KeywordHits.class, "KeywordHits.kwHits.text");

     public static final String NAME = BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getLabel();

     public static final String SIMPLE_LITERAL_SEARCH = NbBundle

             .getMessage(KeywordHits.class, "KeywordHits.simpleLiteralSearch.text");

     public static final String SIMPLE_REGEX_SEARCH = NbBundle

             .getMessage(KeywordHits.class, "KeywordHits.singleRegexSearch.text");

     private final KeywordResults keywordResults;

     // String used in the instance MAP so that exact matches and substring can fit into the same

     // data structure as regexps, even though they don't use instances.

     private final String DEFAULT_INSTANCE_NAME = "DEFAULT_INSTANCE_NAME";


     public KeywordHits(SleuthkitCase skCase) {

         this.skCase = skCase;

         keywordResults = new KeywordResults();

     }


     /* All of these maps and code assume the following:

      * Regexps will have an 'instance' layer that shows the specific words that matched the regexp

      * Exact match and substring will not have the instance layer and instead will have the specific hits

      * below their term.

      */


     private final class KeywordResults extends Observable {


         // Map from listName/Type to Map of keywords/regexp to Map of instance terms to Set of artifact Ids

         // NOTE: the map can be accessed by multiple worker threads and needs to be synchronized

         private final Map<String, Map<String, Map<String, Set<Long>>>> topLevelMap = new LinkedHashMap<>();


         KeywordResults() {

             update();

         }


         List<String> getListNames() {

             synchronized (topLevelMap) {

                 List<String> names = new ArrayList<>(topLevelMap.keySet());

                 // this causes the "Single ..." terms to be in the middle of the results,

                 // which is wierd.  Make a custom comparator or do something else to maek them on top

                 //Collections.sort(names);

                 return names;

             }

         }


         List<String> getKeywords(String listName) {

             List<String> keywords;

             synchronized (topLevelMap) {

                 keywords = new ArrayList<>(topLevelMap.get(listName).keySet());

             }

             Collections.sort(keywords);

             return keywords;

         }


         List<String> getKeywordInstances(String listName, String keyword) {

             List<String> instances;

             synchronized (topLevelMap) {

                 instances = new ArrayList<>(topLevelMap.get(listName).get(keyword).keySet());

             }

             Collections.sort(instances);

             return instances;

         }


         Set<Long> getArtifactIds(String listName, String keyword, String keywordInstance) {

             synchronized (topLevelMap) {

                 return topLevelMap.get(listName).get(keyword).get(keywordInstance);

             }

         }


         void addRegExpToList(Map<String, Map<String, Set<Long>>> listMap, String regExp, String keywordInstance, Long artifactId) {

             if (listMap.containsKey(regExp) == false) {

                 listMap.put(regExp, new LinkedHashMap<>());

             }

             Map<String, Set<Long>> instanceMap = listMap.get(regExp);


             // get or create keyword instances entry.

             if (instanceMap.containsKey(keywordInstance) == false) {

                 instanceMap.put(keywordInstance, new HashSet<>());

             }


             // add this ID to the instance

             instanceMap.get(keywordInstance).add(artifactId);

         }


         void addNonRegExpMatchToList(Map<String, Map<String, Set<Long>>> listMap, String keyWord, Long artifactId) {

             if (listMap.containsKey(keyWord) == false) {

                 listMap.put(keyWord, new LinkedHashMap<>());

             }

             Map<String, Set<Long>> instanceMap = listMap.get(keyWord);


             // Use the default instance name, since we don't need that level in the tree

             if (instanceMap.containsKey(DEFAULT_INSTANCE_NAME) == false) {

                 instanceMap.put(DEFAULT_INSTANCE_NAME, new HashSet<>());

             }

             instanceMap.get(DEFAULT_INSTANCE_NAME).add(artifactId);

         }


         void populateTreeMaps(Map<Long, Map<Long, String>> artifactIds) {

             synchronized (topLevelMap) {

                 topLevelMap.clear();


                 // map of list name to keword to artifact IDs

                 Map<String, Map<String, Map<String, Set<Long>>>> listsMap = new LinkedHashMap<>();


                 // Map from from literal keyword to instances (which will be empty) to artifact IDs

                 Map<String, Map<String, Set<Long>>> literalMap = new LinkedHashMap<>();


                 // Map from regex keyword artifact to instances to artifact IDs

                 Map<String, Map<String, Set<Long>>> regexMap = new LinkedHashMap<>();


                 // top-level nodes

                 topLevelMap.put(SIMPLE_LITERAL_SEARCH, literalMap);

                 topLevelMap.put(SIMPLE_REGEX_SEARCH, regexMap);


                 for (Map.Entry<Long, Map<Long, String>> art : artifactIds.entrySet()) {

                     long id = art.getKey();

                     Map<Long, String> attributes = art.getValue();


                     // I think we can use attributes.remove(...) here?

                     String listName = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()));

                     String word = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()));

                     String reg = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID()));

                     // new in 4.4

                     String kwType = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()));


                     // part of a list

                     if (listName != null) {

                         // get or create list entry

                         if (listsMap.containsKey(listName) == false) {

                             listsMap.put(listName, new LinkedHashMap<>());

                         }

                         Map<String, Map<String, Set<Long>>> listMap = listsMap.get(listName);


                         // substring, treated same as exact match

                         // Enum for "1" is defined in KeywordSearch.java

                         if ((kwType != null) && (kwType.equals("1"))) {

                             // original term should be stored in reg

                             if (reg != null) {

                                 addNonRegExpMatchToList(listMap, reg, id);

                             } else {

                                 addNonRegExpMatchToList(listMap, word, id);

                             }

                         }

                         else if (reg != null) {

                             addRegExpToList(listMap, reg, word, id);

                         } else {

                             addNonRegExpMatchToList(listMap, word, id);

                         }

                     } // regular expression, single term

                     else if (reg != null) {

                         // substring is treated same as exact

                         if ((kwType != null) && (kwType.equals("1"))) {

                             // original term should be stored in reg

                             addNonRegExpMatchToList(literalMap, reg, id);

                         } else {

                             addRegExpToList(regexMap, reg, word, id);

                         }

                     } // literal, single term

                     else {

                         addNonRegExpMatchToList(literalMap, word, id);

                     }

                 }

                 topLevelMap.putAll(listsMap);

             }


             setChanged();

             notifyObservers();

         }


         @SuppressWarnings("deprecation")

         public void update() {

             // maps Artifact ID to map of attribute types to attribute values

             Map<Long, Map<Long, String>> artifactIds = new LinkedHashMap<>();


             if (skCase == null) {

                 return;

             }


             // query attributes table for the ones that we need for the tree

             int setId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID();

             int wordId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID();

             int regexId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID();

             int artId = BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID();

             String query = "SELECT blackboard_attributes.value_text,blackboard_attributes.value_int32,"

                     + "blackboard_attributes.artifact_id," //NON-NLS

                     + "blackboard_attributes.attribute_type_id FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS

                     + "(blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id AND " //NON-NLS

                     + "blackboard_artifacts.artifact_type_id=" + artId //NON-NLS

                     + ") AND (attribute_type_id=" + setId + " OR " //NON-NLS

                     + "attribute_type_id=" + wordId + " OR " //NON-NLS

                     + "attribute_type_id=" + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID() + " OR " //NON-NLS

                     + "attribute_type_id=" + regexId + ")"; //NON-NLS


             try (CaseDbQuery dbQuery = skCase.executeQuery(query)) {

                 ResultSet resultSet = dbQuery.getResultSet();

                 while (resultSet.next()) {

                     String valueStr = resultSet.getString("value_text"); //NON-NLS

                     long artifactId = resultSet.getLong("artifact_id"); //NON-NLS

                     long typeId = resultSet.getLong("attribute_type_id"); //NON-NLS

                     if (!artifactIds.containsKey(artifactId)) {

                         artifactIds.put(artifactId, new LinkedHashMap<Long, String>());

                     }

                     if (valueStr != null && !valueStr.equals("")) {

                         artifactIds.get(artifactId).put(typeId, valueStr);

                     } else {

                         // Keyword Search Type is an int

                         Long valueLong = resultSet.getLong("value_int32");

                         artifactIds.get(artifactId).put(typeId, valueLong.toString());

                     }

                 }

             } catch (TskCoreException | SQLException ex) {

                 logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS

             }


             populateTreeMaps(artifactIds);

         }

     }


     @Override

     public <T> T accept(AutopsyItemVisitor<T> v) {

         return v.visit(this);

     }


     // Created by CreateAutopsyNodeVisitor

     public class RootNode extends DisplayableItemNode {


         public RootNode() {

             super(Children.create(new ListFactory(), true), Lookups.singleton(KEYWORD_HITS));

             super.setName(NAME);

             super.setDisplayName(KEYWORD_HITS);

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

         }


         @Override

         public boolean isLeafTypeNode() {

             return false;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> v) {

             return v.visit(this);

         }


         @Override

         protected Sheet createSheet() {

             Sheet s = super.createSheet();

             Sheet.Set ss = s.get(Sheet.PROPERTIES);

             if (ss == null) {

                 ss = Sheet.createPropertiesSet();

                 s.put(ss);

             }


             ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.name.name"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.name.displayName"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.name.desc"),

                     getName()));


             return s;

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }

     }


     private class ListFactory extends ChildFactory.Detachable<String> implements Observer {


         private final PropertyChangeListener pcl = new PropertyChangeListener() {

             @Override

             public void propertyChange(PropertyChangeEvent evt) {

                 String eventType = evt.getPropertyName();

                 if (eventType.equals(IngestManager.IngestModuleEvent.DATA_ADDED.toString())) {

                     try {

                         Case.getCurrentCase();

                         ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();

                         if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {

                             keywordResults.update();

                         }

                     } catch (IllegalStateException notUsed) {

                     }

                 } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())

                         || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())) {

                     try {

                         Case.getCurrentCase();

                         keywordResults.update();

                     } catch (IllegalStateException notUsed) {

                     }

                 } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {

                     // case was closed. Remove listeners so that we don't get called with a stale case handle

                     if (evt.getNewValue() == null) {

                         removeNotify();

                         skCase = null;

                     }

                 }

             }

         };


         @Override

         protected void addNotify() {

             IngestManager.getInstance().addIngestJobEventListener(pcl);

             IngestManager.getInstance().addIngestModuleEventListener(pcl);

             Case.addPropertyChangeListener(pcl);

             keywordResults.update();

             keywordResults.addObserver(this);

         }


         @Override

         protected void removeNotify() {

             IngestManager.getInstance().removeIngestJobEventListener(pcl);

             IngestManager.getInstance().removeIngestModuleEventListener(pcl);

             Case.removePropertyChangeListener(pcl);

             keywordResults.deleteObserver(this);

         }


         @Override

         protected boolean createKeys(List<String> list) {

             list.addAll(keywordResults.getListNames());

             return true;

         }


         @Override

         protected Node createNodeForKey(String key) {

             return new ListNode(key);

         }


         @Override

         public void update(Observable o, Object arg) {

             refresh(true);

         }

     }


     public class ListNode extends DisplayableItemNode implements Observer {


         private final String listName;


         public ListNode(String listName) {

             super(Children.create(new TermFactory(listName), true), Lookups.singleton(listName));

             super.setName(listName);

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             this.listName = listName;

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         private void updateDisplayName() {

             int totalDescendants = 0;

             for (String word : keywordResults.getKeywords(listName)) {

                 for (String instance : keywordResults.getKeywordInstances(listName, word)) {

                     Set<Long> ids = keywordResults.getArtifactIds(listName, word, instance);

                     totalDescendants += ids.size();

                 }

             }

             super.setDisplayName(listName + " (" + totalDescendants + ")");

         }


         @Override

         protected Sheet createSheet() {

             Sheet s = super.createSheet();

             Sheet.Set ss = s.get(Sheet.PROPERTIES);

             if (ss == null) {

                 ss = Sheet.createPropertiesSet();

                 s.put(ss);

             }


             ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.name"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.displayName"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.desc"),

                     listName));


             ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.numChildren.name"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.numChildren.displayName"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.numChildren.desc"),

                     keywordResults.getKeywords(listName).size()));


             return s;

         }


         @Override

         public boolean isLeafTypeNode() {

             return false;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> v) {

             return v.visit(this);

         }


         @Override

         public void update(Observable o, Object arg) {

             updateDisplayName();

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }

     }


     private class TermFactory extends ChildFactory.Detachable<String> implements Observer {


         private final String setName;


         private TermFactory(String setName) {

             super();

             this.setName = setName;

         }


         @Override

         protected void addNotify() {

             keywordResults.addObserver(this);

         }


         @Override

         protected void removeNotify() {

             keywordResults.deleteObserver(this);

         }


         @Override

         protected boolean createKeys(List<String> list) {

             list.addAll(keywordResults.getKeywords(setName));

             return true;

         }


         @Override

         protected Node createNodeForKey(String key) {

             return new TermNode(setName, key);

         }


         @Override

         public void update(Observable o, Object arg) {

             refresh(true);

         }

     }


     public class TermNode extends DisplayableItemNode implements Observer {


         private final String setName;

         private final String keyword;


         public TermNode(String setName, String keyword) {

             super(Children.create(new RegExpInstancesFactory(setName, keyword), true), Lookups.singleton(keyword));

             super.setName(keyword);

             this.setName = setName;

             this.keyword = keyword;

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         private void updateDisplayName() {

             int totalDescendants = 0;


             for (String instance : keywordResults.getKeywordInstances(setName, keyword)) {

                 Set<Long> ids = keywordResults.getArtifactIds(setName, keyword, instance);

                 totalDescendants += ids.size();

             }


             super.setDisplayName(keyword + " (" + totalDescendants + ")");

         }


         @Override

         public void update(Observable o, Object arg) {

             updateDisplayName();

         }


         @Override

         public boolean isLeafTypeNode() {

             List<String> instances = keywordResults.getKeywordInstances(setName, keyword);

             // is this an exact/substring match (i.e. did we use the DEFAULT name)?

             if (instances.size() == 1 && instances.get(0).equals(DEFAULT_INSTANCE_NAME)) {

                 return true;

             }

             else {

                 return false;

             }

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> v) {

             return v.visit(this);

         }


         @Override

         protected Sheet createSheet() {

             Sheet s = super.createSheet();

             Sheet.Set ss = s.get(Sheet.PROPERTIES);

             if (ss == null) {

                 ss = Sheet.createPropertiesSet();

                 s.put(ss);

             }


             ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.name"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.displayName"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.desc"),

                     getDisplayName()));


             ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.filesWithHits.name"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.filesWithHits.displayName"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.filesWithHits.desc"),

                     keywordResults.getKeywordInstances(setName, keyword).size()));


             return s;

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }

     }


     // Allows us to pass in either longs or strings

     // as they keys for different types of nodes at the

     // same level. Probably a better way to do this, but

     // it works.

     class RegExpInstanceKey {

         private final boolean isRegExp;

         private String strKey;

         private Long longKey;

         public RegExpInstanceKey(String key) {

             isRegExp = true;

             strKey = key;

         }

         public RegExpInstanceKey(Long key) {

             isRegExp = false;

             longKey = key;

         }

         boolean isRegExp() {

             return isRegExp;

         }

         Long getIdKey() {

             return longKey;

         }

         String getRegExpKey() {

             return strKey;

         }

     }


     public class RegExpInstancesFactory extends ChildFactory.Detachable<RegExpInstanceKey> implements Observer {

         private final String keyword;

         private final String setName;


         private Map<RegExpInstanceKey, DisplayableItemNode > nodesMap = new HashMap<>();


         public RegExpInstancesFactory(String setName, String keyword) {

             super();

             this.setName = setName;

             this.keyword = keyword;

         }


         @Override

         protected void addNotify() {

             keywordResults.addObserver(this);

         }


         @Override

         protected void removeNotify() {

             keywordResults.deleteObserver(this);

         }


         @Override

         protected boolean createKeys(List<RegExpInstanceKey> list) {

             List <String>instances = keywordResults.getKeywordInstances(setName, keyword);

             // The keys are different depending on what we are displaying.

             // regexp get another layer to show instances.

             // Exact/substring matches don't.

             if ((instances.size() == 1) && (instances.get(0).equals(DEFAULT_INSTANCE_NAME))) {

                 for (Long id : keywordResults.getArtifactIds(setName, keyword, DEFAULT_INSTANCE_NAME) ) {

                     RegExpInstanceKey key = new RegExpInstanceKey(id);

                     nodesMap.put(key, createNode(key));

                     list.add(key);


                 }

             } else {

                 for (String instance : instances) {

                     RegExpInstanceKey key = new RegExpInstanceKey(instance);

                     nodesMap.put(key, createNode(key));

                     list.add(key);

                 }


             }

             return true;

         }


         @Override

         protected Node createNodeForKey(RegExpInstanceKey key) {

             return nodesMap.get(key);

         }


         private DisplayableItemNode createNode(RegExpInstanceKey key) {

                         // if it isn't a regexp, then skip the 'instance' layer of the tree

             if (key.isRegExp() == false) {

                 return createBlackboardArtifactNode(key.getIdKey());

             } else {

                 return new RegExpInstanceNode(setName, keyword, key.getRegExpKey());

             }


         }

         @Override

         public void update(Observable o, Object arg) {

             refresh(true);

         }


     }


     public class RegExpInstanceNode extends DisplayableItemNode implements Observer {


         private final String setName;

         private final String keyword;

         private final String instance;


         public RegExpInstanceNode(String setName, String keyword, String instance) {

             super(Children.create(new HitsFactory(setName, keyword, instance), true), Lookups.singleton(keyword));

             super.setName(keyword);

             this.setName = setName;

             this.keyword = keyword;

             this.instance = instance;

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         private void updateDisplayName() {

             int totalDescendants = keywordResults.getArtifactIds(setName, keyword, instance).size();

             super.setDisplayName(instance + " (" + totalDescendants + ")");

         }


         @Override

         public void update(Observable o, Object arg) {

             updateDisplayName();

         }


         @Override

         public boolean isLeafTypeNode() {

             return true;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> v) {

             return v.visit(this);

         }


         @Override

         protected Sheet createSheet() {

             Sheet s = super.createSheet();

             Sheet.Set ss = s.get(Sheet.PROPERTIES);

             if (ss == null) {

                 ss = Sheet.createPropertiesSet();

                 s.put(ss);

             }


             ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.name"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.displayName"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.listName.desc"),

                     getDisplayName()));


             ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.filesWithHits.name"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.filesWithHits.displayName"),

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createSheet.filesWithHits.desc"),

                     keywordResults.getKeywordInstances(setName, keyword).size()));


             return s;

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }

     }


     private BlackboardArtifactNode createBlackboardArtifactNode (Long artifactId) {

         if (skCase == null) {

             return null;

         }


         try {

             BlackboardArtifact art = skCase.getBlackboardArtifact(artifactId);

             BlackboardArtifactNode n = new BlackboardArtifactNode(art);

             AbstractFile file;

             try {

                 file = skCase.getAbstractFileById(art.getObjectID());

             } catch (TskCoreException ex) {

                 logger.log(Level.SEVERE, "TskCoreException while constructing BlackboardArtifact Node from KeywordHitsKeywordChildren"); //NON-NLS

                 return n;

             }


             // It is possible to get a keyword hit on artifacts generated

             // for the underlying image in which case MAC times are not

             // available/applicable/useful.

             if (file == null) {

                 return n;

             }


             n.addNodeProperty(new NodeProperty<>(

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createNodeForKey.modTime.name"),

                     NbBundle.getMessage(this.getClass(),

                             "KeywordHits.createNodeForKey.modTime.displayName"),

                     NbBundle.getMessage(this.getClass(),

                             "KeywordHits.createNodeForKey.modTime.desc"),

                     ContentUtils.getStringTime(file.getMtime(), file)));

             n.addNodeProperty(new NodeProperty<>(

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createNodeForKey.accessTime.name"),

                     NbBundle.getMessage(this.getClass(),

                             "KeywordHits.createNodeForKey.accessTime.displayName"),

                     NbBundle.getMessage(this.getClass(),

                             "KeywordHits.createNodeForKey.accessTime.desc"),

                     ContentUtils.getStringTime(file.getAtime(), file)));

             n.addNodeProperty(new NodeProperty<>(

                     NbBundle.getMessage(this.getClass(), "KeywordHits.createNodeForKey.chgTime.name"),

                     NbBundle.getMessage(this.getClass(),

                             "KeywordHits.createNodeForKey.chgTime.displayName"),

                     NbBundle.getMessage(this.getClass(),

                             "KeywordHits.createNodeForKey.chgTime.desc"),

                     ContentUtils.getStringTime(file.getCtime(), file)));

             return n;

         } catch (TskException ex) {

             logger.log(Level.WARNING, "TSK Exception occurred", ex); //NON-NLS

         }

         return null;

     }


     public class HitsFactory extends ChildFactory.Detachable<Long> implements Observer {


         private final String keyword;

         private final String setName;

         private final String instance;


         private Map<Long, BlackboardArtifactNode > nodesMap = new HashMap<>();


         public HitsFactory(String setName, String keyword, String instance) {

             super();

             this.setName = setName;

             this.keyword = keyword;

             this.instance = instance;

         }


         @Override

         protected void addNotify() {

             keywordResults.addObserver(this);

         }


         @Override

         protected void removeNotify() {

             keywordResults.deleteObserver(this);

         }


         @Override

         protected boolean createKeys(List<Long> list) {

             list.addAll(keywordResults.getArtifactIds(setName, keyword, instance));

             for (Long id : keywordResults.getArtifactIds(setName, keyword, instance) ) {

                     nodesMap.put(id,  createBlackboardArtifactNode(id));

                     list.add(id);

                 }

             return true;

         }


         @Override

         protected Node createNodeForKey(Long artifactId) {

             return nodesMap.get(artifactId);

         }


         @Override

         public void update(Observable o, Object arg) {

             refresh(true);

         }

     }

 }

org::sleuthkit

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.pcl
final PropertyChangeListener pcl
Definition: KeywordHits.java:373

org::sleuthkit.autopsy.datamodel.KeywordHits
Definition: KeywordHits.java:57

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordHits
KeywordHits(SleuthkitCase skCase)
Definition: KeywordHits.java:72

org::sleuthkit.autopsy.datamodel.KeywordHits.KEYWORD_HITS
static final String KEYWORD_HITS
Definition: KeywordHits.java:61

org::sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType
BlackboardArtifact.Type getBlackboardArtifactType()
Definition: ModuleDataEvent.java:104

org::sleuthkit.autopsy.ingest.IngestManager.removeIngestModuleEventListener
void removeIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:691

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.createSheet
Sheet createSheet()
Definition: KeywordHits.java:346

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:600

org::sleuthkit.autopsy.casemodule.Case
Definition: Case.java:114

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createNodeForKey
Node createNodeForKey(RegExpInstanceKey key)
Definition: KeywordHits.java:726

org::sleuthkit.autopsy.datamodel.ContentUtils.getStringTime
static String getStringTime(long epochSeconds, TimeZone tzone)
Definition: ContentUtils.java:84

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createNodeForKey
Node createNodeForKey(String key)
Definition: KeywordHits.java:560

org::sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition: IngestManager.java:234

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:914

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.setName
final String setName
Definition: KeywordHits.java:751

org::sleuthkit.autopsy.datamodel.KeywordHits.keywordResults
final KeywordResults keywordResults
Definition: KeywordHits.java:67

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.removeNotify
void removeNotify()
Definition: KeywordHits.java:894

org::sleuthkit::datamodel::BlackboardAttribute

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.removeNotify
void removeNotify()
Definition: KeywordHits.java:437

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:772

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:456

org::sleuthkit.autopsy.casemodule.Case.removePropertyChangeListener
static void removePropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:384

org::sleuthkit::datamodel::BlackboardArtifact::getObjectID
long getObjectID()

org::sleuthkit::datamodel::BlackboardArtifact::ARTIFACT_TYPE::TSK_KEYWORD_HIT
TSK_KEYWORD_HIT

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode
Definition: KeywordHits.java:749

org::sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:53

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode
Definition: KeywordHits.java:326

org::sleuthkit.autopsy.datamodel.KeywordHits.skCase
SleuthkitCase skCase
Definition: KeywordHits.java:59

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.getItemType
String getItemType()
Definition: KeywordHits.java:363

org

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_KEYWORD
TSK_KEYWORD

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.nodesMap
Map< Long, BlackboardArtifactNode > nodesMap
Definition: KeywordHits.java:879

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode
Definition: KeywordHits.java:464

org::sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_REGEX_SEARCH
static final String SIMPLE_REGEX_SEARCH
Definition: KeywordHits.java:65

org::sleuthkit::datamodel::AbstractFile::getAtime
long getAtime()

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createNode
DisplayableItemNode createNode(RegExpInstanceKey key)
Definition: KeywordHits.java:730

org::sleuthkit.autopsy.casemodule
Definition: AddImageAction.java:19

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.addNotify
void addNotify()
Definition: KeywordHits.java:889

org::sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent
Definition: IngestManager.java:159

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.nodesMap
Map< RegExpInstanceKey, DisplayableItemNode > nodesMap
Definition: KeywordHits.java:683

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory
Definition: KeywordHits.java:371

org::sleuthkit.autopsy.ingest.ModuleDataEvent
Definition: ModuleDataEvent.java:49

org::sleuthkit::datamodel::AbstractFile::getCtime
long getCtime()

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode.createSheet
Sheet createSheet()
Definition: KeywordHits.java:489

org::sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.COMPLETED
COMPLETED
Definition: IngestManager.java:172

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory
Definition: KeywordHits.java:679

org::sleuthkit::datamodel::BlackboardArtifact

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.TermFactory
TermFactory(String setName)
Definition: KeywordHits.java:538

org::sleuthkit.autopsy.datamodel.KeywordHits.createBlackboardArtifactNode
BlackboardArtifactNode createBlackboardArtifactNode(Long artifactId)
Definition: KeywordHits.java:819

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.topLevelMap
final Map< String, Map< String, Map< String, Set< Long > > > > topLevelMap
Definition: KeywordHits.java:87

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition: KeywordHits.java:511

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.setName
final String setName
Definition: KeywordHits.java:681

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:740

org::sleuthkit::datamodel::TskException

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.updateDisplayName
void updateDisplayName()
Definition: KeywordHits.java:766

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.addNotify
void addNotify()
Definition: KeywordHits.java:428

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode.updateDisplayName
void updateDisplayName()
Definition: KeywordHits.java:477

org::sleuthkit::datamodel::SleuthkitCase::getBlackboardArtifact
BlackboardArtifact getBlackboardArtifact(long artifactID)

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.addNotify
void addNotify()
Definition: KeywordHits.java:692

org::sleuthkit.autopsy.coreutils
Definition: AutopsyExceptionHandler.java:19

org::sleuthkit.autopsy.coreutils.Logger
Definition: Logger.java:36

org::sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor.visit
T visit(DataSourcesNode in)

org::sleuthkit::datamodel::SleuthkitCase::getAbstractFileById
AbstractFile getAbstractFileById(long id)

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createKeys
boolean createKeys(List< String > list)
Definition: KeywordHits.java:445

org::sleuthkit.autopsy.ingest.IngestManager.removeIngestJobEventListener
void removeIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:673

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.TermNode
TermNode(String setName, String keyword)
Definition: KeywordHits.java:578

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createKeys
boolean createKeys(List< String > list)
Definition: KeywordHits.java:554

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:521

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory
Definition: KeywordHits.java:534

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.setName
final String setName
Definition: KeywordHits.java:876

org::sleuthkit.autopsy.casemodule.Case.Events
Definition: Case.java:257

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.setName
final String setName
Definition: KeywordHits.java:575

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.keyword
final String keyword
Definition: KeywordHits.java:576

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition: KeywordHits.java:777

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_SET_NAME
TSK_SET_NAME

org::sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor
Definition: DisplayableItemNodeVisitor.java:32

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode
Definition: KeywordHits.java:573

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createKeys
boolean createKeys(List< RegExpInstanceKey > list)
Definition: KeywordHits.java:702

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.RegExpInstancesFactory
RegExpInstancesFactory(String setName, String keyword)
Definition: KeywordHits.java:685

org::sleuthkit.autopsy.ingest
Definition: DataSourceIngestCancellationPanel.java:19

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_KEYWORD_REGEXP
TSK_KEYWORD_REGEXP

org::sleuthkit.autopsy.ingest.IngestManager.addIngestJobEventListener
void addIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:664

org::sleuthkit.autopsy.datamodel.KeywordHits.DEFAULT_INSTANCE_NAME
final String DEFAULT_INSTANCE_NAME
Definition: KeywordHits.java:70

org::sleuthkit::datamodel::TskCoreException

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.RootNode
RootNode()
Definition: KeywordHits.java:328

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.keyword
final String keyword
Definition: KeywordHits.java:875

org::sleuthkit.autopsy.ingest.IngestManager
Definition: IngestManager.java:68

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.keyword
final String keyword
Definition: KeywordHits.java:680

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.createNodeForKey
Node createNodeForKey(Long artifactId)
Definition: KeywordHits.java:909

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createNodeForKey
Node createNodeForKey(String key)
Definition: KeywordHits.java:451

org::sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent.DATA_ADDED
DATA_ADDED
Definition: IngestManager.java:210

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode.getItemType
String getItemType()
Definition: KeywordHits.java:526

org::sleuthkit.autopsy.datamodel.AutopsyItemVisitor.visit
T visit(DataSources i)

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults
Definition: KeywordHits.java:83

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.getItemType
String getItemType()
Definition: KeywordHits.java:809

org::sleuthkit::datamodel::SleuthkitCase::CaseDbQuery

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode.ListNode
ListNode(String listName)
Definition: KeywordHits.java:468

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.createKeys
boolean createKeys(List< Long > list)
Definition: KeywordHits.java:899

org::sleuthkit.autopsy.casemodule.Case.addPropertyChangeListener
static void addPropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:372

org::sleuthkit::datamodel::SleuthkitCase

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.updateDisplayName
void updateDisplayName()
Definition: KeywordHits.java:588

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.instance
final String instance
Definition: KeywordHits.java:753

org::sleuthkit.autopsy.casemodule.Case.Events.CURRENT_CASE
CURRENT_CASE
Definition: Case.java:326

org::sleuthkit.autopsy.datamodel.NodeProperty
Definition: NodeProperty.java:28

org::sleuthkit.autopsy.datamodel.KeywordHits.logger
static final Logger logger
Definition: KeywordHits.java:60

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.addNotify
void addNotify()
Definition: KeywordHits.java:544

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition: KeywordHits.java:605

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.removeNotify
void removeNotify()
Definition: KeywordHits.java:697

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.instance
final String instance
Definition: KeywordHits.java:877

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.removeNotify
void removeNotify()
Definition: KeywordHits.java:549

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.getItemType
String getItemType()
Definition: KeywordHits.java:644

org::sleuthkit::datamodel::AbstractFile

org::sleuthkit::datamodel::AbstractFile::getMtime
long getMtime()

org::sleuthkit.autopsy.ingest.IngestManager.addIngestModuleEventListener
void addIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:682

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.update
void update()
Definition: KeywordHits.java:272

org::sleuthkit::datamodel

org::sleuthkit.autopsy.casemodule.Case.getCurrentCase
static Case getCurrentCase()
Definition: Case.java:558

org::sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:161

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition: KeywordHits.java:336

org::sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.CANCELLED
CANCELLED
Definition: IngestManager.java:178

org::sleuthkit.autopsy

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.keyword
final String keyword
Definition: KeywordHits.java:752

org::sleuthkit.autopsy.datamodel.AutopsyItemVisitor
Definition: AutopsyItemVisitor.java:28

org::sleuthkit.autopsy.datamodel.AutopsyVisitableItem
Definition: AutopsyVisitableItem.java:26

org::sleuthkit.autopsy.datamodel.KeywordHits.ListNode.listName
final String listName
Definition: KeywordHits.java:466

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE

org::sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent
Definition: IngestManager.java:202

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.setName
final String setName
Definition: KeywordHits.java:536

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_KEYWORD_SEARCH_TYPE
TSK_KEYWORD_SEARCH_TYPE

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.HitsFactory
HitsFactory(String setName, String keyword, String instance)
Definition: KeywordHits.java:881

org::sleuthkit.autopsy.datamodel.BlackboardArtifactNode
Definition: BlackboardArtifactNode.java:60

org::sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addNodeProperty
void addNodeProperty(NodeProperty<?> np)
Definition: BlackboardArtifactNode.java:386

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.createSheet
Sheet createSheet()
Definition: KeywordHits.java:787

org::sleuthkit.autopsy.datamodel.KeywordHits.NAME
static final String NAME
Definition: KeywordHits.java:62

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory
Definition: KeywordHits.java:873

org::sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_LITERAL_SEARCH
static final String SIMPLE_LITERAL_SEARCH
Definition: KeywordHits.java:63

org::sleuthkit::datamodel::BlackboardArtifact::ARTIFACT_TYPE

org::sleuthkit.autopsy.datamodel.KeywordHits.TermNode.createSheet
Sheet createSheet()
Definition: KeywordHits.java:622

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:565

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceNode.RegExpInstanceNode
RegExpInstanceNode(String setName, String keyword, String instance)
Definition: KeywordHits.java:755

org::sleuthkit.autopsy.datamodel.DisplayableItemNode
Definition: DisplayableItemNode.java:34

org::sleuthkit::datamodel::SleuthkitCase::executeQuery
CaseDbQuery executeQuery(String query)