1 /*
2  * Central Repository
3  *
4  * Copyright 2015-2017 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.eventlisteners;
20 
21 import java.beans.PropertyChangeEvent;
22 import java.beans.PropertyChangeListener;
23 import java.util.List;
24 import java.util.logging.Level;
25 import java.util.stream.Collectors;
26 import org.openide.util.NbBundle.Messages;
42 import org.sleuthkit.datamodel.AbstractFile;
43 import org.sleuthkit.datamodel.BlackboardArtifact;
44 import org.sleuthkit.datamodel.BlackboardArtifactTag;
45 import org.sleuthkit.datamodel.Content;
46 import org.sleuthkit.datamodel.ContentTag;
47 import org.sleuthkit.datamodel.TskCoreException;
48 import org.sleuthkit.datamodel.TskData;
49 import org.sleuthkit.datamodel.TskDataException;
50 
/**
 * Listens for case-level property-change events and mirrors the relevant
 * state into the Central Repository: notable-tag additions/removals on
 * content and artifacts, newly added data sources, case open, and case
 * display-name changes.
 *
 * NOTE(review): lines 51-54 of the original source (presumably the class
 * Javadoc) are not present in this listing; the imports for {@code Logger},
 * {@code EamDb}, {@code Case} and the event/correlation types (lines 27-41)
 * are likewise missing here.
 */
@Messages({"caseeventlistener.evidencetag=Evidence"})
public class CaseEventListener implements PropertyChangeListener {

    private static final Logger LOGGER = Logger.getLogger(CaseEventListener.class.getName());

    /**
     * Dispatches on {@code evt.getPropertyName()} interpreted as a
     * {@code Case.Events} constant.
     *
     * Every branch that touches the Central Repository first checks
     * {@code EamDb.isEnabled()}; if a db manager instance cannot be obtained
     * the event is dropped after logging at SEVERE.
     *
     * NOTE(review): {@code Enum.valueOf} throws IllegalArgumentException for a
     * property name that is not a {@code Case.Events} constant, and the switch
     * below has no {@code default}; such an exception would propagate out of
     * this listener to whatever fires the event.
     *
     * @param evt the case event; its concrete type is cast per branch
     */
    @Override
    public void propertyChange(PropertyChangeEvent evt) {
        EamDb dbManager;
        try {
            dbManager = EamDb.getInstance();
        } catch (EamDbException ex) {
            LOGGER.log(Level.SEVERE, "Failed to get instance of db manager.", ex);
            return;
        }
        switch (Case.Events.valueOf(evt.getPropertyName())) {
            case CONTENT_TAG_ADDED:
            case CONTENT_TAG_DELETED: {
                if (!EamDb.isEnabled()) {
                    return;
                }

                // Outcome of the branch below: the file to update, the known
                // status to push (BAD on add, UNKNOWN on last notable-tag
                // removal) and the comment to attach.
                AbstractFile af;
                TskData.FileKnown knownStatus;
                String comment;
                if(Case.Events.valueOf(evt.getPropertyName()) == Case.Events.CONTENT_TAG_ADDED){
                    // For added tags, we want to change the known status to BAD if the
                    // tag that was just added is in the list of central repo tags.
                    final ContentTagAddedEvent tagAddedEvent = (ContentTagAddedEvent) evt;
                    final ContentTag tagAdded = tagAddedEvent.getAddedTag();

                    // "Notable" is decided purely by tag display name membership
                    // in dbManager.getBadTags().
                    if(dbManager.getBadTags().contains(tagAdded.getName().getDisplayName())){
                        if(tagAdded.getContent() instanceof AbstractFile){
                            af = (AbstractFile) tagAdded.getContent();
                            knownStatus = TskData.FileKnown.BAD;
                            comment = tagAdded.getComment();
                        } else {
                            // Only files carry a known status; other content is skipped.
                            LOGGER.log(Level.WARNING, "Error updating non-file object");
                            return;
                        }
                    } else {
                        // The added tag isn't flagged as bad in central repo, so do nothing
                        return;
                    }
                } else { // CONTENT_TAG_DELETED
                    // For deleted tags, we want to set the file status to UNKNOWN if:
                    // - The tag that was just removed is notable in central repo
                    // - There are no remaining tags that are notable
                    final ContentTagDeletedEvent tagDeletedEvent = (ContentTagDeletedEvent) evt;
                    long contentID = tagDeletedEvent.getDeletedTagInfo().getContentID();

                    String tagName = tagDeletedEvent.getDeletedTagInfo().getName().getDisplayName();
                    if(! dbManager.getBadTags().contains(tagName)){
                        // If the tag that got removed isn't on the list of central repo tags, do nothing
                        return;
                    }

                    try{
                        // Get the remaining tags on the content object
                        Content content = Case.getCurrentCase().getSleuthkitCase().getContentById(contentID);
                        // NOTE(review): original line 114, which declares tagsManager,
                        // is not present in this listing.
                        List<ContentTag> tags = tagsManager.getContentTagsByContent(content);

                        // Any remaining tag whose display name is in the bad-tag list
                        // keeps the current known status.
                        if(tags.stream()
                                .map(tag -> tag.getName().getDisplayName())
                                .filter(dbManager.getBadTags()::contains)
                                .collect(Collectors.toList())
                                .isEmpty()){

                            // There are no more bad tags on the object
                            if(content instanceof AbstractFile){
                                af = (AbstractFile) content;
                                knownStatus = TskData.FileKnown.UNKNOWN;
                                comment = "";
                            } else {
                                LOGGER.log(Level.WARNING, "Error updating non-file object");
                                return;
                            }
                        } else {
                            // There's still at least one bad tag, so leave the known status as is
                            return;
                        }
                    } catch (TskCoreException ex){
                        LOGGER.log(Level.SEVERE, "Failed to find content", ex);
                        return;
                    }
                }

                // NOTE(review): original line 142, which starts the declaration of
                // eamArtifact (presumably EamArtifactUtil.getEamArtifactFromContent(af, ...)),
                // is not present in this listing; only its continuation survives.
                        knownStatus, comment);

                // NOTE(review): unlike the artifact-tag branch below, this branch does
                // not skip files whose known status is already KNOWN before pushing.
                if(eamArtifact != null){
                    // send update to Central Repository db
                    Runnable r = new KnownStatusChangeRunner(eamArtifact, knownStatus);
                    // TODO: send r into a thread pool instead
                    // NOTE(review): an unbounded, unnamed thread is started per tag event;
                    // failures inside the runner are not observable from here.
                    Thread t = new Thread(r);
                    t.start();
                }
            } // CONTENT_TAG_ADDED, CONTENT_TAG_DELETED
            break;

            case BLACKBOARD_ARTIFACT_TAG_DELETED:
            case BLACKBOARD_ARTIFACT_TAG_ADDED: {
                if (!EamDb.isEnabled()) {
                    return;
                }

                // Same add/delete logic as the content-tag branch, but keyed on the
                // artifact; the correlation attributes are derived from the artifact.
                Content content;
                BlackboardArtifact bbArtifact;
                TskData.FileKnown knownStatus;
                String comment;
                if(Case.Events.valueOf(evt.getPropertyName()) == Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED){
                    // For added tags, we want to change the known status to BAD if the
                    // tag that was just added is in the list of central repo tags.
                    // NOTE(review): original line 168, which declares tagAddedEvent,
                    // is not present in this listing.
                    final BlackboardArtifactTag tagAdded = tagAddedEvent.getAddedTag();

                    if(dbManager.getBadTags().contains(tagAdded.getName().getDisplayName())){
                        content = tagAdded.getContent();
                        bbArtifact = tagAdded.getArtifact();
                        knownStatus = TskData.FileKnown.BAD;
                        comment = tagAdded.getComment();
                    } else {
                        // The added tag isn't flagged as bad in central repo, so do nothing
                        return;
                    }
                } else { //BLACKBOARD_ARTIFACT_TAG_DELETED
                    // For deleted tags, we want to set the file status to UNKNOWN if:
                    // - The tag that was just removed is notable in central repo
                    // - There are no remaining tags that are notable
                    // NOTE(review): original line 184, which declares tagDeletedEvent,
                    // is not present in this listing.
                    long contentID = tagDeletedEvent.getDeletedTagInfo().getContentID();
                    long artifactID = tagDeletedEvent.getDeletedTagInfo().getArtifactID();

                    String tagName = tagDeletedEvent.getDeletedTagInfo().getName().getDisplayName();
                    if(! dbManager.getBadTags().contains(tagName)){
                        // If the tag that got removed isn't on the list of central repo tags, do nothing
                        return;
                    }

                    try{
                        // Get the remaining tags on the artifact
                        content = Case.getCurrentCase().getSleuthkitCase().getContentById(contentID);
                        bbArtifact = Case.getCurrentCase().getSleuthkitCase().getBlackboardArtifact(artifactID);
                        // NOTE(review): original line 198, which declares tagsManager,
                        // is not present in this listing.
                        List<BlackboardArtifactTag> tags = tagsManager.getBlackboardArtifactTagsByArtifact(bbArtifact);

                        if(tags.stream()
                                .map(tag -> tag.getName().getDisplayName())
                                .filter(dbManager.getBadTags()::contains)
                                .collect(Collectors.toList())
                                .isEmpty()){

                            // There are no more bad tags on the object
                            knownStatus = TskData.FileKnown.UNKNOWN;
                            comment = "";

                        } else {
                            // There's still at least one bad tag, so leave the known status as is
                            return;
                        }
                    } catch (TskCoreException ex){
                        LOGGER.log(Level.SEVERE, "Failed to find content", ex);
                        return;
                    }
                }

                // A file already marked KNOWN is never overwritten from a tag event.
                if((content instanceof AbstractFile) && (((AbstractFile)content).getKnown() == TskData.FileKnown.KNOWN)){
                    return;
                }

                // One Central Repository update per correlation attribute derived
                // from the artifact; the comment is attached to the first instance.
                List<CorrelationAttribute> convertedArtifacts = EamArtifactUtil.getCorrelationAttributeFromBlackboardArtifact(bbArtifact, true, true);
                for (CorrelationAttribute eamArtifact : convertedArtifacts) {
                    // NOTE(review): presumably getInstances() is non-empty for every
                    // returned attribute; get(0) would throw otherwise — confirm.
                    eamArtifact.getInstances().get(0).setComment(comment);
                    Runnable r = new KnownStatusChangeRunner(eamArtifact, knownStatus);
                    // TODO: send r into a thread pool instead
                    Thread t = new Thread(r);
                    t.start();
                }

            } // BLACKBOARD_ARTIFACT_TAG_ADDED, BLACKBOARD_ARTIFACT_TAG_DELETED
            break;

            case DATA_SOURCE_ADDED: {
                if (!EamDb.isEnabled()) {
                    break;
                }

                // Register the data source in the Central Repository, keyed by its
                // device id, unless an entry for that device id already exists.
                final DataSourceAddedEvent dataSourceAddedEvent = (DataSourceAddedEvent) evt;
                Content newDataSource = dataSourceAddedEvent.getDataSource();

                try {
                    String deviceId = Case.getCurrentCase().getSleuthkitCase().getDataSource(newDataSource.getId()).getDeviceId();
                    if (null == dbManager.getDataSourceDetails(deviceId)) {
                        dbManager.newDataSource(CorrelationDataSource.fromTSKDataSource(newDataSource));
                    }
                } catch (EamDbException ex) {
                    LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database.", ex); //NON-NLS
                } catch (TskCoreException | TskDataException ex) {
                    LOGGER.log(Level.SEVERE, "Error getting data source from DATA_SOURCE_ADDED event content.", ex); //NON-NLS
                }
            } // DATA_SOURCE_ADDED
            break;

            case CURRENT_CASE: {
                /*
                 * A case has been opened if evt.getOldValue() is null and
                 * evt.getNewValue() is a valid Case.
                 */
                if ((null == evt.getOldValue()) && (evt.getNewValue() instanceof Case)) {
                    Case curCase = (Case) evt.getNewValue();
                    IngestEventsListener.resetCeModuleInstanceCount();
                    try {
                        // only add default evidence tag if case is open and it doesn't already exist in the tags list.
                        // NOTE(review): original line 269 (the second operand of this
                        // condition, presumably the stream over existing tag names) is
                        // not present in this listing.
                        if (Case.isCaseOpen()
                                .map(tag -> tag.getDisplayName())
                                .filter(tagName -> Bundle.caseeventlistener_evidencetag().equals(tagName))
                                .collect(Collectors.toList())
                                .isEmpty()) {
                            curCase.getServices().getTagsManager().addTagName(Bundle.caseeventlistener_evidencetag());
                        }
                    // NOTE(review): original line 276 is not present in this listing;
                    // from context it is presumably a catch clause that the next
                    // log line belongs to — confirm against the source.
                        LOGGER.info("Evidence tag already exists"); // NON-NLS
                    } catch (TskCoreException ex) {
                        LOGGER.log(Level.SEVERE, "Error adding tag.", ex); // NON-NLS
                    }

                    // Build the Central Repository view of this case; the case name
                    // serves as the unique id. NOTE(review): original line 285
                    // (one constructor argument) is not present in this listing.
                    CorrelationCase curCeCase = new CorrelationCase(
                            -1,
                            curCase.getName(), // unique case ID
                            curCase.getDisplayName(),
                            curCase.getCreatedDate(),
                            curCase.getNumber(),
                            curCase.getExaminer(),
                            null,
                            null,
                            null);

                    // The tag bookkeeping above runs even without the Central
                    // Repository; only the case registration requires it.
                    if (!EamDb.isEnabled()) {
                        break;
                    }

                    try {
                        // NOTE: Cannot determine if the opened case is a new case or a reopened case,
                        // so check for existing name in DB and insert if missing.
                        CorrelationCase existingCase = dbManager.getCaseByUUID(curCeCase.getCaseUUID());

                        if (null == existingCase) {
                            dbManager.newCase(curCeCase);
                        }
                    } catch (EamDbException ex) {
                        LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database.", ex); //NON-NLS
                    }
                }
            } // CURRENT_CASE
            break;

            case NAME: {
                // The display name of the case has been changed

                if (!EamDb.isEnabled()) {
                    break;
                }

                // Propagate the new display name to the Central Repository record
                // looked up by the current case's name (used as its UUID above).
                if(evt.getNewValue() instanceof String){
                    String newName = (String)evt.getNewValue();
                    try {
                        // See if the case is in the database. If it is, update the display name.
                        CorrelationCase existingCase = dbManager.getCaseByUUID(Case.getCurrentCase().getName());

                        if (null != existingCase) {
                            existingCase.setDisplayName(newName);
                            dbManager.updateCase(existingCase);
                        }
                    } catch (EamDbException ex) {
                        LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database.", ex); //NON-NLS
                    }
                }
            } // NAME
            break;
        }
    }
}