Autopsy  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
BlackboardArtifactNode.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datamodel;
20 
21 import com.google.common.cache.Cache;
22 import com.google.common.cache.CacheBuilder;
23 import java.beans.PropertyChangeEvent;
24 import java.beans.PropertyChangeListener;
25 import java.text.MessageFormat;
26 import java.util.ArrayList;
27 import java.util.Arrays;
28 import java.util.EnumSet;
29 import java.util.LinkedHashMap;
30 import java.util.List;
31 import java.util.Map;
32 import java.util.MissingResourceException;
33 import java.util.Set;
34 import java.util.concurrent.ExecutionException;
35 import java.util.concurrent.TimeUnit;
36 import java.util.logging.Level;
37 import java.util.stream.Collectors;
38 import javax.swing.Action;
39 import org.apache.commons.lang3.StringUtils;
40 import org.openide.nodes.Sheet;
41 import org.openide.util.Lookup;
42 import org.openide.util.NbBundle;
43 import org.openide.util.WeakListeners;
44 import org.openide.util.lookup.Lookups;
45 import org.sleuthkit.autopsy.casemodule.Case;
46 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
47 import org.sleuthkit.autopsy.casemodule.events.BlackBoardArtifactTagAddedEvent;
48 import org.sleuthkit.autopsy.casemodule.events.BlackBoardArtifactTagDeletedEvent;
49 import org.sleuthkit.autopsy.casemodule.events.CommentChangedEvent;
50 import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent;
51 import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent;
52 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
53 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
54 import org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil;
55 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb;
56 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException;
57 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbUtil;
58 import org.sleuthkit.autopsy.core.UserPreferences;
59 import org.sleuthkit.autopsy.corecomponents.DataResultViewerTable.Score;
60 import org.sleuthkit.autopsy.coreutils.Logger;
61 import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
62 import static org.sleuthkit.autopsy.datamodel.DisplayableItemNode.findLinked;
63 import org.sleuthkit.autopsy.corecomponents.DataResultViewerTable.HasCommentStatus;
64 import org.sleuthkit.autopsy.modules.hashdatabase.HashDbManager;
65 import org.sleuthkit.autopsy.timeline.actions.ViewArtifactInTimelineAction;
66 import org.sleuthkit.autopsy.timeline.actions.ViewFileInTimelineAction;
67 import org.sleuthkit.datamodel.AbstractFile;
68 import org.sleuthkit.datamodel.BlackboardArtifact;
69 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
70 import org.sleuthkit.datamodel.BlackboardAttribute;
71 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
72 import org.sleuthkit.datamodel.Content;
73 import org.sleuthkit.datamodel.Tag;
74 import org.sleuthkit.datamodel.TskCoreException;
75 import org.sleuthkit.datamodel.TskData;
76 
81 public class BlackboardArtifactNode extends AbstractContentNode<BlackboardArtifact> {
82 
83  private static final Logger logger = Logger.getLogger(BlackboardArtifactNode.class.getName());
84  private static final Set<Case.Events> CASE_EVENTS_OF_INTEREST = EnumSet.of(Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED,
85  Case.Events.BLACKBOARD_ARTIFACT_TAG_DELETED,
86  Case.Events.CONTENT_TAG_ADDED,
87  Case.Events.CONTENT_TAG_DELETED,
88  Case.Events.CURRENT_CASE,
89  Case.Events.CR_COMMENT_CHANGED);
90 
91  private static Cache<Long, Content> contentCache = CacheBuilder.newBuilder()
92  .expireAfterWrite(1, TimeUnit.MINUTES).
93  build();
94 
95  private final BlackboardArtifact artifact;
96  private Content associated = null;
97 
98  private List<NodeProperty<? extends Object>> customProperties;
99 
100  private final static String NO_DESCR = NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.noDesc.text");
101 
102 
103  /*
104  * Artifact types which should have the full unique path of the associated
105  * content as a property.
106  */
107  private static final Integer[] SHOW_UNIQUE_PATH = new Integer[]{
108  BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID(),
109  BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID(),
110  BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID(),
111  BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID(),};
112 
113  // TODO (RC): This is an unattractive alternative to subclassing BlackboardArtifactNode,
114  // cut from the same cloth as the equally unattractive SHOW_UNIQUE_PATH array
115  // above. It should be removed when and if the subclassing is implemented.
116  private static final Integer[] SHOW_FILE_METADATA = new Integer[]{
117  BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID(),};
118 
119  private final PropertyChangeListener pcl = new PropertyChangeListener() {
120  @Override
121  public void propertyChange(PropertyChangeEvent evt) {
122  String eventType = evt.getPropertyName();
123  if (eventType.equals(Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED.toString())) {
124  BlackBoardArtifactTagAddedEvent event = (BlackBoardArtifactTagAddedEvent) evt;
125  if (event.getAddedTag().getArtifact().equals(artifact)) {
126  updateSheet();
127  }
128  } else if (eventType.equals(Case.Events.BLACKBOARD_ARTIFACT_TAG_DELETED.toString())) {
129  BlackBoardArtifactTagDeletedEvent event = (BlackBoardArtifactTagDeletedEvent) evt;
130  if (event.getDeletedTagInfo().getArtifactID() == artifact.getArtifactID()) {
131  updateSheet();
132  }
133  } else if (eventType.equals(Case.Events.CONTENT_TAG_ADDED.toString())) {
134  ContentTagAddedEvent event = (ContentTagAddedEvent) evt;
135  if (event.getAddedTag().getContent().equals(associated)) {
136  updateSheet();
137  }
138  } else if (eventType.equals(Case.Events.CONTENT_TAG_DELETED.toString())) {
139  ContentTagDeletedEvent event = (ContentTagDeletedEvent) evt;
140  if (event.getDeletedTagInfo().getContentID() == associated.getId()) {
141  updateSheet();
142  }
143  } else if (eventType.equals(Case.Events.CR_COMMENT_CHANGED.toString())) {
144  CommentChangedEvent event = (CommentChangedEvent) evt;
145  if (event.getContentID() == associated.getId()) {
146  updateSheet();
147  }
148  } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {
149  if (evt.getNewValue() == null) {
150  // case was closed. Remove listeners so that we don't get called with a stale case handle
151  removeListeners();
152  contentCache.invalidateAll();
153  }
154  }
155  }
156  };
157 
166  private final PropertyChangeListener weakPcl = WeakListeners.propertyChange(pcl, null);
167 
176  public BlackboardArtifactNode(BlackboardArtifact artifact, String iconPath) {
177  super(artifact, createLookup(artifact));
178 
179  this.artifact = artifact;
180 
181  // Look for associated Content i.e. the source file for the artifact
182  for (Content lookupContent : this.getLookup().lookupAll(Content.class)) {
183  if ((lookupContent != null) && (!(lookupContent instanceof BlackboardArtifact))) {
184  this.associated = lookupContent;
185  break;
186  }
187  }
188 
189  this.setName(Long.toString(artifact.getArtifactID()));
190  this.setDisplayName();
191  this.setIconBaseWithExtension(iconPath);
192  Case.addEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, weakPcl);
193  }
194 
201  public BlackboardArtifactNode(BlackboardArtifact artifact) {
202  this(artifact, ExtractedContent.getIconFilePath(artifact.getArtifactTypeID()));
203  }
204 
214  @Override
215  protected void finalize() throws Throwable {
216  super.finalize();
217  removeListeners();
218  }
219 
220  private void removeListeners() {
221  Case.removeEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, weakPcl);
222  }
223 
224  public BlackboardArtifact getArtifact() {
225  return this.artifact;
226  }
227 
228  @Override
229  @NbBundle.Messages({
230  "BlackboardArtifactNode.getAction.errorTitle=Error getting actions",
231  "BlackboardArtifactNode.getAction.resultErrorMessage=There was a problem getting actions for the selected result."
232  + " The 'View Result in Timeline' action will not be available.",
233  "BlackboardArtifactNode.getAction.linkedFileMessage=There was a problem getting actions for the selected result. "
234  + " The 'View File in Timeline' action will not be available."})
235  public Action[] getActions(boolean context) {
236  List<Action> actionsList = new ArrayList<>();
237  actionsList.addAll(Arrays.asList(super.getActions(context)));
238  AbstractFile file = getLookup().lookup(AbstractFile.class);
239 
240  //if this artifact has a time stamp add the action to view it in the timeline
241  try {
242  if (ViewArtifactInTimelineAction.hasSupportedTimeStamp(artifact)) {
243  actionsList.add(new ViewArtifactInTimelineAction(artifact));
244  }
245  } catch (TskCoreException ex) {
246  logger.log(Level.SEVERE, MessageFormat.format("Error getting arttribute(s) from blackboard artifact{0}.", artifact.getArtifactID()), ex); //NON-NLS
247  MessageNotifyUtil.Notify.error(Bundle.BlackboardArtifactNode_getAction_errorTitle(), Bundle.BlackboardArtifactNode_getAction_resultErrorMessage());
248  }
249 
250  // if the artifact links to another file, add an action to go to that file
251  try {
252  AbstractFile c = findLinked(artifact);
253  if (c != null) {
254  actionsList.add(ViewFileInTimelineAction.createViewFileAction(c));
255  }
256  } catch (TskCoreException ex) {
257  logger.log(Level.SEVERE, MessageFormat.format("Error getting linked file from blackboard artifact{0}.", artifact.getArtifactID()), ex); //NON-NLS
258  MessageNotifyUtil.Notify.error(Bundle.BlackboardArtifactNode_getAction_errorTitle(), Bundle.BlackboardArtifactNode_getAction_linkedFileMessage());
259  }
260 
261  //if the artifact has associated content, add the action to view the content in the timeline
262  if (null != file) {
263  actionsList.add(ViewFileInTimelineAction.createViewSourceFileAction(file));
264  }
265 
266  return actionsList.toArray(new Action[actionsList.size()]);
267  }
268 
269  @NbBundle.Messages({"# {0} - artifactDisplayName", "BlackboardArtifactNode.displayName.artifact={0} Artifact"})
275  private void setDisplayName() {
276  String displayName = ""; //NON-NLS
277 
278  // If this is a node for a keyword hit on an artifact, we set the
279  // display name to be the artifact type name followed by " Artifact"
280  // e.g. "Messages Artifact".
281  if (artifact != null
282  && (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()
283  || artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID())) {
284  try {
285  for (BlackboardAttribute attribute : artifact.getAttributes()) {
286  if (attribute.getAttributeType().getTypeID() == ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID()) {
287  BlackboardArtifact associatedArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(attribute.getValueLong());
288  if (associatedArtifact != null) {
289  if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()) {
290  artifact.getDisplayName();
291  } else {
292  displayName = NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.displayName.artifact", associatedArtifact.getDisplayName());
293  }
294  }
295  }
296  }
297  } catch (TskCoreException | NoCurrentCaseException ex) {
298  // Do nothing since the display name will be set to the file name.
299  }
300  }
301 
302  if (displayName.isEmpty() && artifact != null) {
303  displayName = artifact.getName();
304  }
305 
306  this.setDisplayName(displayName);
307 
308  }
309 
315  public String getSourceName() {
316 
317  String srcName = "";
318  if (associated != null) {
319  srcName = associated.getName();
320  }
321  return srcName;
322  }
323 
324  @NbBundle.Messages({
325  "BlackboardArtifactNode.createSheet.artifactType.displayName=Result Type",
326  "BlackboardArtifactNode.createSheet.artifactType.name=Result Type",
327  "BlackboardArtifactNode.createSheet.artifactDetails.displayName=Result Details",
328  "BlackboardArtifactNode.createSheet.artifactDetails.name=Result Details",
329  "BlackboardArtifactNode.createSheet.artifactMD5.displayName=MD5 Hash",
330  "BlackboardArtifactNode.createSheet.artifactMD5.name=MD5 Hash",
331  "BlackboardArtifactNode.createSheet.fileSize.name=Size",
332  "BlackboardArtifactNode.createSheet.fileSize.displayName=Size",
333  "BlackboardArtifactNode.createSheet.path.displayName=Path",
334  "BlackboardArtifactNode.createSheet.path.name=Path"})
335 
336  @Override
337  protected Sheet createSheet() {
338  Sheet sheet = super.createSheet();
339  List<Tag> tags = getAllTagsFromDatabase();
340 
341  Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);
342  if (sheetSet == null) {
343  sheetSet = Sheet.createPropertiesSet();
344  sheet.put(sheetSet);
345  }
346 
347  Map<String, Object> map = new LinkedHashMap<>();
348  fillPropertyMap(map, artifact);
349 
350  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.srcFile.name"),
351  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.srcFile.displayName"),
352  NO_DESCR,
353  this.getSourceName()));
354 
355  addScoreProperty(sheetSet, tags);
356 
357  CorrelationAttributeInstance correlationAttribute = null;
358  if (UserPreferences.hideCentralRepoCommentsAndOccurrences() == false) {
359  correlationAttribute = getCorrelationAttributeInstance();
360  }
361  addCommentProperty(sheetSet, tags, correlationAttribute);
362 
363  if (UserPreferences.hideCentralRepoCommentsAndOccurrences() == false) {
364  addCountProperty(sheetSet, correlationAttribute);
365  }
366  if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()) {
367  try {
368  BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
369  if (attribute != null) {
370  BlackboardArtifact associatedArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(attribute.getValueLong());
371  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.artifactType.name"),
372  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.artifactType.displayName"),
373  NO_DESCR,
374  associatedArtifact.getDisplayName()));
375  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.artifactDetails.name"),
376  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.artifactDetails.displayName"),
377  NO_DESCR,
378  associatedArtifact.getShortDescription()));
379  }
380  } catch (TskCoreException | NoCurrentCaseException ex) {
381  // Do nothing since the display name will be set to the file name.
382  }
383  }
384 
385  for (Map.Entry<String, Object> entry : map.entrySet()) {
386  sheetSet.put(new NodeProperty<>(entry.getKey(),
387  entry.getKey(),
388  NO_DESCR,
389  entry.getValue()));
390  }
391 
392  //append custom node properties
393  if (customProperties != null) {
394  for (NodeProperty<? extends Object> np : customProperties) {
395  sheetSet.put(np);
396  }
397  }
398 
399  final int artifactTypeId = artifact.getArtifactTypeID();
400 
401  // If mismatch, add props for extension and file type
402  if (artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED.getTypeID()) {
403  String ext = ""; //NON-NLS
404  String actualMimeType = ""; //NON-NLS
405  if (associated instanceof AbstractFile) {
406  AbstractFile af = (AbstractFile) associated;
407  ext = af.getNameExtension();
408  actualMimeType = af.getMIMEType();
409  if (actualMimeType == null) {
410  actualMimeType = ""; //NON-NLS
411  }
412  }
413  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.ext.name"),
414  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.ext.displayName"),
415  NO_DESCR,
416  ext));
417  sheetSet.put(new NodeProperty<>(
418  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.mimeType.name"),
419  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.mimeType.displayName"),
420  NO_DESCR,
421  actualMimeType));
422  }
423 
424  if (Arrays.asList(SHOW_UNIQUE_PATH).contains(artifactTypeId)) {
425  String sourcePath = ""; //NON-NLS
426  try {
427  sourcePath = associated.getUniquePath();
428  } catch (TskCoreException ex) {
429  logger.log(Level.WARNING, "Failed to get unique path from: {0}", associated.getName()); //NON-NLS
430  }
431 
432  if (sourcePath.isEmpty() == false) {
433  sheetSet.put(new NodeProperty<>(
434  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.filePath.name"),
435  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.filePath.displayName"),
436  NO_DESCR,
437  sourcePath));
438  }
439 
440  if (Arrays.asList(SHOW_FILE_METADATA).contains(artifactTypeId)) {
441  AbstractFile file = associated instanceof AbstractFile ? (AbstractFile) associated : null;
442  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileModifiedTime.name"),
443  NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileModifiedTime.displayName"),
444  "",
445  file == null ? "" : ContentUtils.getStringTime(file.getMtime(), file)));
446  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileChangedTime.name"),
447  NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileChangedTime.displayName"),
448  "",
449  file == null ? "" : ContentUtils.getStringTime(file.getCtime(), file)));
450  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileAccessedTime.name"),
451  NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileAccessedTime.displayName"),
452  "",
453  file == null ? "" : ContentUtils.getStringTime(file.getAtime(), file)));
454  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileCreatedTime.name"),
455  NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileCreatedTime.displayName"),
456  "",
457  file == null ? "" : ContentUtils.getStringTime(file.getCrtime(), file)));
458  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileSize.name"),
459  NbBundle.getMessage(BlackboardArtifactNode.class, "ContentTagNode.createSheet.fileSize.displayName"),
460  "",
461  associated.getSize()));
462  sheetSet.put(new NodeProperty<>(Bundle.BlackboardArtifactNode_createSheet_artifactMD5_name(),
463  Bundle.BlackboardArtifactNode_createSheet_artifactMD5_displayName(),
464  "",
465  file == null ? "" : StringUtils.defaultString(file.getMd5Hash())));
466  }
467  } else {
468  String dataSourceStr = "";
469  try {
470  Content dataSource = associated.getDataSource();
471  if (dataSource != null) {
472  dataSourceStr = dataSource.getName();
473  } else {
474  dataSourceStr = getRootParentName();
475  }
476  } catch (TskCoreException ex) {
477  logger.log(Level.WARNING, "Failed to get image name from {0}", associated.getName()); //NON-NLS
478  }
479 
480  if (dataSourceStr.isEmpty() == false) {
481  sheetSet.put(new NodeProperty<>(
482  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.dataSrc.name"),
483  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.dataSrc.displayName"),
484  NO_DESCR,
485  dataSourceStr));
486  }
487  }
488 
489  // If EXIF, add props for file size and path
490  if (artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA_EXIF.getTypeID()) {
491 
492  long size = 0;
493  String path = ""; //NON-NLS
494  if (associated instanceof AbstractFile) {
495  AbstractFile af = (AbstractFile) associated;
496  size = af.getSize();
497  try {
498  path = af.getUniquePath();
499  } catch (TskCoreException ex) {
500  path = af.getParentPath();
501  }
502  }
503  sheetSet.put(new NodeProperty<>(NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.fileSize.name"),
504  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.fileSize.displayName"),
505  NO_DESCR,
506  size));
507  sheetSet.put(new NodeProperty<>(
508  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.path.name"),
509  NbBundle.getMessage(BlackboardArtifactNode.class, "BlackboardArtifactNode.createSheet.path.displayName"),
510  NO_DESCR,
511  path));
512  }
513 
514  return sheet;
515  }
516 
524  protected final List<Tag> getAllTagsFromDatabase() {
525  List<Tag> tags = new ArrayList<>();
526  try {
527  tags.addAll(Case.getCurrentCaseThrows().getServices().getTagsManager().getBlackboardArtifactTagsByArtifact(artifact));
528  tags.addAll(Case.getCurrentCaseThrows().getServices().getTagsManager().getContentTagsByContent(associated));
529  } catch (TskCoreException | NoCurrentCaseException ex) {
530  logger.log(Level.SEVERE, "Failed to get tags for artifact " + artifact.getDisplayName(), ex);
531  }
532  return tags;
533  }
534 
542  @NbBundle.Messages({
543  "BlackboardArtifactNode.createSheet.tags.displayName=Tags"})
544  @Deprecated
545  protected void addTagProperty(Sheet.Set sheetSet) throws MissingResourceException {
546  // add properties for tags
547  List<Tag> tags = new ArrayList<>();
548  try {
549  tags.addAll(Case.getCurrentCaseThrows().getServices().getTagsManager().getBlackboardArtifactTagsByArtifact(artifact));
550  tags.addAll(Case.getCurrentCaseThrows().getServices().getTagsManager().getContentTagsByContent(associated));
551  } catch (TskCoreException | NoCurrentCaseException ex) {
552  logger.log(Level.SEVERE, "Failed to get tags for artifact " + artifact.getDisplayName(), ex);
553  }
554  sheetSet.put(new NodeProperty<>("Tags", Bundle.BlackboardArtifactNode_createSheet_tags_displayName(),
555  NO_DESCR, tags.stream().map(t -> t.getName().getDisplayName()).collect(Collectors.joining(", "))));
556  }
557 
567  @Deprecated
568  protected final void addTagProperty(Sheet.Set sheetSet, List<Tag> tags) {
569  sheetSet.put(new NodeProperty<>("Tags", Bundle.BlackboardArtifactNode_createSheet_tags_displayName(),
570  NO_DESCR, tags.stream().map(t -> t.getName().getDisplayName()).collect(Collectors.joining(", "))));
571  }
572 
573  protected final CorrelationAttributeInstance getCorrelationAttributeInstance() {
574  CorrelationAttributeInstance correlationAttribute = null;
575  if (EamDbUtil.useCentralRepo()) {
576  correlationAttribute = EamArtifactUtil.getInstanceFromContent(associated);
577  }
578  return correlationAttribute;
579  }
580 
592  @NbBundle.Messages({"BlackboardArtifactNode.createSheet.comment.name=C",
593  "BlackboardArtifactNode.createSheet.comment.displayName=C"})
594  protected final void addCommentProperty(Sheet.Set sheetSet, List<Tag> tags, CorrelationAttributeInstance attribute) {
595  HasCommentStatus status = tags.size() > 0 ? HasCommentStatus.TAG_NO_COMMENT : HasCommentStatus.NO_COMMENT;
596  for (Tag tag : tags) {
597  if (!StringUtils.isBlank(tag.getComment())) {
598  //if the tag is null or empty or contains just white space it will indicate there is not a comment
599  status = HasCommentStatus.TAG_COMMENT;
600  break;
601  }
602  }
603  //currently checks for a comment on the associated file in the central repo not the artifact itself
604  //what we want the column property to reflect should be revisted when we have added a way to comment
605  //on the artifact itself
606  if (attribute != null && !StringUtils.isBlank(attribute.getComment())) {
607  if (status == HasCommentStatus.TAG_COMMENT) {
608  status = HasCommentStatus.CR_AND_TAG_COMMENTS;
609  } else {
610  status = HasCommentStatus.CR_COMMENT;
611  }
612  }
613  sheetSet.put(new NodeProperty<>(Bundle.BlackboardArtifactNode_createSheet_comment_name(), Bundle.BlackboardArtifactNode_createSheet_comment_displayName(), NO_DESCR,
614  status));
615  }
616 
625  @NbBundle.Messages({"BlackboardArtifactNode.createSheet.score.name=S",
626  "BlackboardArtifactNode.createSheet.score.displayName=S",
627  "BlackboardArtifactNode.createSheet.notableFile.description=Associated file recognized as notable.",
628  "BlackboardArtifactNode.createSheet.interestingResult.description=Result has an interesting result associated with it.",
629  "BlackboardArtifactNode.createSheet.taggedItem.description=Result or associated file has been tagged.",
630  "BlackboardArtifactNode.createSheet.notableTaggedItem.description=Result or associated file tagged with notable tag.",
631  "BlackboardArtifactNode.createSheet.noScore.description=No score"})
632  protected final void addScoreProperty(Sheet.Set sheetSet, List<Tag> tags) {
633  Score score = Score.NO_SCORE;
634  String description = Bundle.BlackboardArtifactNode_createSheet_noScore_description();
635  if (associated instanceof AbstractFile) {
636  if (((AbstractFile) associated).getKnown() == TskData.FileKnown.BAD) {
637  score = Score.NOTABLE_SCORE;
638  description = Bundle.BlackboardArtifactNode_createSheet_notableFile_description();
639  }
640  }
641  //if the artifact being viewed is a hashhit check if the hashset is notable
642  if ((score == Score.NO_SCORE || score == Score.INTERESTING_SCORE) && content.getArtifactTypeID() == ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
643  try {
644  BlackboardAttribute attr = content.getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_SET_NAME));
645  List<HashDbManager.HashDb> notableHashsets = HashDbManager.getInstance().getKnownBadFileHashSets();
646  for (HashDbManager.HashDb hashDb : notableHashsets) {
647  if (hashDb.getHashSetName().equals(attr.getValueString())) {
648  score = Score.NOTABLE_SCORE;
649  description = Bundle.BlackboardArtifactNode_createSheet_notableFile_description();
650  break;
651  }
652  }
653  } catch (TskCoreException ex) {
654  //unable to get the attribute so we can not update the status based on the attribute
655  logger.log(Level.WARNING, "Unable to get TSK_SET_NAME attribute for artifact of type TSK_HASHSET_HIT with artifact ID " + content.getArtifactID(), ex);
656  }
657  }
658  try {
659  if (score == Score.NO_SCORE && !content.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT).isEmpty()) {
660  score = Score.INTERESTING_SCORE;
661  description = Bundle.BlackboardArtifactNode_createSheet_interestingResult_description();
662  }
663  } catch (TskCoreException ex) {
664  logger.log(Level.WARNING, "Error getting artifacts for artifact: " + content.getName(), ex);
665  }
666  if (tags.size() > 0 && (score == Score.NO_SCORE || score == Score.INTERESTING_SCORE)) {
667  score = Score.INTERESTING_SCORE;
668  description = Bundle.BlackboardArtifactNode_createSheet_taggedItem_description();
669  for (Tag tag : tags) {
670  if (tag.getName().getKnownStatus() == TskData.FileKnown.BAD) {
671  score = Score.NOTABLE_SCORE;
672  description = Bundle.BlackboardArtifactNode_createSheet_notableTaggedItem_description();
673  break;
674  }
675  }
676  }
677  sheetSet.put(new NodeProperty<>(Bundle.BlackboardArtifactNode_createSheet_score_name(), Bundle.BlackboardArtifactNode_createSheet_score_displayName(), description, score));
678  }
679 
680  @NbBundle.Messages({"BlackboardArtifactNode.createSheet.count.name=O",
681  "BlackboardArtifactNode.createSheet.count.displayName=O",
682  "BlackboardArtifactNode.createSheet.count.noCentralRepo.description=Central repository was not enabled when this column was populated",
683  "BlackboardArtifactNode.createSheet.count.hashLookupNotRun.description=Hash lookup had not been run on this artifact's associated file when the column was populated",
684  "# {0} - occuranceCount",
685  "BlackboardArtifactNode.createSheet.count.description=There were {0} datasource(s) found with occurances of the correlation value"})
686 
687  protected final void addCountProperty(Sheet.Set sheetSet, CorrelationAttributeInstance attribute) {
688  Long count = -1L; //The column renderer will not display negative values, negative value used when count unavailble to preserve sorting
689  String description = Bundle.BlackboardArtifactNode_createSheet_count_noCentralRepo_description();
690  try {
691  //don't perform the query if there is no correlation value
692  if (attribute != null && StringUtils.isNotBlank(attribute.getCorrelationValue())) {
693  count = EamDb.getInstance().getCountUniqueCaseDataSourceTuplesHavingTypeValue(attribute.getCorrelationType(), attribute.getCorrelationValue());
694  description = Bundle.BlackboardArtifactNode_createSheet_count_description(count);
695  } else if (attribute != null) {
696  description = Bundle.BlackboardArtifactNode_createSheet_count_hashLookupNotRun_description();
697  }
698  } catch (EamDbException ex) {
699  logger.log(Level.WARNING, "Error getting count of datasources with correlation attribute", ex);
700  } catch (CorrelationAttributeNormalizationException ex) {
701  logger.log(Level.WARNING, "Unable to normalize data to get count of datasources with correlation attribute", ex);
702  }
703  sheetSet.put(
704  new NodeProperty<>(Bundle.BlackboardArtifactNode_createSheet_count_name(), Bundle.BlackboardArtifactNode_createSheet_count_displayName(), description, count));
705  }
706 
707  private void updateSheet() {
708  this.setSheet(createSheet());
709  }
710 
711  private String getRootParentName() {
712  String parentName = associated.getName();
713  Content parent = associated;
714  try {
715  while ((parent = parent.getParent()) != null) {
716  parentName = parent.getName();
717  }
718  } catch (TskCoreException ex) {
719  logger.log(Level.WARNING, "Failed to get parent name from {0}", associated.getName()); //NON-NLS
720  return "";
721  }
722  return parentName;
723  }
724 
731  public void addNodeProperty(NodeProperty<?> np) {
732  if (null == customProperties) {
733  //lazy create the list
734  customProperties = new ArrayList<>();
735  }
736  customProperties.add(np);
737  }
738 
746  @SuppressWarnings("deprecation")
747  private void fillPropertyMap(Map<String, Object> map, BlackboardArtifact artifact) {
748  try {
749  for (BlackboardAttribute attribute : artifact.getAttributes()) {
750  final int attributeTypeID = attribute.getAttributeType().getTypeID();
751  //skip some internal attributes that user shouldn't see
752  if (attributeTypeID == ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID()
753  || attributeTypeID == ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID()
754  || attributeTypeID == ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID()
755  || attributeTypeID == ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()
756  || attributeTypeID == ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()) {
757  } else if (artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) {
758  addEmailMsgProperty(map, attribute);
759  } else if (attribute.getAttributeType().getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME) {
760  map.put(attribute.getAttributeType().getDisplayName(), ContentUtils.getStringTime(attribute.getValueLong(), associated));
761  } else if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_TOOL_OUTPUT.getTypeID()
762  && attributeTypeID == ATTRIBUTE_TYPE.TSK_TEXT.getTypeID()) {
763  /*
764  * This was added because the RegRipper output would often
765  * cause the UI to get a black line accross it and hang if
766  * you hovered over large output or selected it. This
767  * reduces the amount of data in the table. Could consider
768  * doing this for all fields in the UI.
769  */
770  String value = attribute.getDisplayString();
771  if (value.length() > 512) {
772  value = value.substring(0, 512);
773  }
774  map.put(attribute.getAttributeType().getDisplayName(), value);
775  } else {
776  map.put(attribute.getAttributeType().getDisplayName(), attribute.getDisplayString());
777  }
778  }
779  } catch (TskCoreException ex) {
780  logger.log(Level.SEVERE, "Getting attributes failed", ex); //NON-NLS
781  }
782  }
783 
791  private void addEmailMsgProperty(Map<String, Object> map, BlackboardAttribute attribute) {
792 
793  final int attributeTypeID = attribute.getAttributeType().getTypeID();
794 
795  // Skip certain Email msg attributes
796  if (attributeTypeID == ATTRIBUTE_TYPE.TSK_DATETIME_SENT.getTypeID()
797  || attributeTypeID == ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_HTML.getTypeID()
798  || attributeTypeID == ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_RTF.getTypeID()
799  || attributeTypeID == ATTRIBUTE_TYPE.TSK_EMAIL_BCC.getTypeID()
800  || attributeTypeID == ATTRIBUTE_TYPE.TSK_EMAIL_CC.getTypeID()
801  || attributeTypeID == ATTRIBUTE_TYPE.TSK_HEADERS.getTypeID()) {
802 
803  // do nothing
804  } else if (attributeTypeID == ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_PLAIN.getTypeID()) {
805 
806  String value = attribute.getDisplayString();
807  if (value.length() > 160) {
808  value = value.substring(0, 160) + "...";
809  }
810  map.put(attribute.getAttributeType().getDisplayName(), value);
811  } else if (attribute.getAttributeType().getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME) {
812  map.put(attribute.getAttributeType().getDisplayName(), ContentUtils.getStringTime(attribute.getValueLong(), associated));
813  } else {
814  map.put(attribute.getAttributeType().getDisplayName(), attribute.getDisplayString());
815  }
816 
817  }
818 
819  @Override
820  public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {
821  return visitor.visit(this);
822  }
823 
832  private static Lookup createLookup(BlackboardArtifact artifact) {
833  // Add the content the artifact is associated with
834  final long objectID = artifact.getObjectID();
835  try {
836  Content content = contentCache.get(objectID, () -> artifact.getSleuthkitCase().getContentById(objectID));
837  if (content == null) {
838  return Lookups.fixed(artifact);
839  } else {
840  return Lookups.fixed(artifact, content);
841  }
842  } catch (ExecutionException ex) {
843  logger.log(Level.WARNING, "Getting associated content for artifact failed", ex); //NON-NLS
844  return Lookups.fixed(artifact);
845  }
846  }
847 
848  @Override
849  public boolean isLeafTypeNode() {
850  return true;
851  }
852 
853  @Override
854  public String getItemType() {
855  return getClass().getName();
856  }
857 
858  @Override
859  public <T> T accept(ContentNodeVisitor<T> visitor) {
860  return visitor.visit(this);
861  }
862 }
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addTagProperty
final void addTagProperty(Sheet.Set sheetSet, List< Tag > tags)
Definition: BlackboardArtifactNode.java:568
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.fillPropertyMap
void fillPropertyMap(Map< String, Object > map, BlackboardArtifact artifact)
Definition: BlackboardArtifactNode.java:747
org.sleuthkit.autopsy.datamodel.ContentUtils.getStringTime
static String getStringTime(long epochSeconds, TimeZone tzone)
Definition: ContentUtils.java:88
org.sleuthkit.autopsy.datamodel.AbstractContentNode< BlackboardArtifact >::setName
void setName(String name)
Definition: AbstractContentNode.java:85
org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:55
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.BlackboardArtifactNode
BlackboardArtifactNode(BlackboardArtifact artifact, String iconPath)
Definition: BlackboardArtifactNode.java:176
org.sleuthkit.autopsy.casemodule.services.TagsManager.getContentTagsByContent
List< ContentTag > getContentTagsByContent(Content content)
Definition: TagsManager.java:605
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.createLookup
static Lookup createLookup(BlackboardArtifact artifact)
Definition: BlackboardArtifactNode.java:832
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addScoreProperty
final void addScoreProperty(Sheet.Set sheetSet, List< Tag > tags)
Definition: BlackboardArtifactNode.java:632
org.sleuthkit.autopsy.timeline.actions.ViewFileInTimelineAction.createViewSourceFileAction
static ViewFileInTimelineAction createViewSourceFileAction(AbstractFile file)
Definition: ViewFileInTimelineAction.java:59
org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent
Definition: ContentTagAddedEvent.java:32
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getCountUniqueCaseDataSourceTuplesHavingTypeValue
Long getCountUniqueCaseDataSourceTuplesHavingTypeValue(CorrelationAttributeInstance.Type aType, String value)
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.getInstanceFromContent
static CorrelationAttributeInstance getInstanceFromContent(Content content)
Definition: EamArtifactUtil.java:232
org.sleuthkit.autopsy.datamodel.ExtractedContent
Definition: ExtractedContent.java:61
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addEmailMsgProperty
void addEmailMsgProperty(Map< String, Object > map, BlackboardAttribute attribute)
Definition: BlackboardArtifactNode.java:791
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addCommentProperty
final void addCommentProperty(Sheet.Set sheetSet, List< Tag > tags, CorrelationAttributeInstance attribute)
Definition: BlackboardArtifactNode.java:594
org.sleuthkit.autopsy.datamodel.AbstractContentNode
Definition: AbstractContentNode.java:44
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.getCorrelationAttributeInstance
final CorrelationAttributeInstance getCorrelationAttributeInstance()
Definition: BlackboardArtifactNode.java:573
org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addCountProperty
final void addCountProperty(Sheet.Set sheetSet, CorrelationAttributeInstance attribute)
Definition: BlackboardArtifactNode.java:687
org.sleuthkit.autopsy.coreutils.MessageNotifyUtil.Notify.error
static void error(String title, String message)
Definition: MessageNotifyUtil.java:227
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.casemodule.Case.addEventTypeSubscriber
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:429
org.sleuthkit.autopsy.datamodel.AbstractContentNode.getName
String getName()
Definition: AbstractContentNode.java:90
org.sleuthkit.autopsy.casemodule.Case.removeEventTypeSubscriber
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:474
org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent
Definition: ContentTagDeletedEvent.java:30
org.sleuthkit.autopsy.timeline.actions.ViewFileInTimelineAction.createViewFileAction
static ViewFileInTimelineAction createViewFileAction(AbstractFile file)
Definition: ViewFileInTimelineAction.java:54
org.sleuthkit.autopsy.casemodule.services.TagsManager.getBlackboardArtifactTagsByArtifact
List< BlackboardArtifactTag > getBlackboardArtifactTagsByArtifact(BlackboardArtifact artifact)
Definition: TagsManager.java:825

Copyright © 2012-2018 Basis Technology. Generated on: Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.