Autopsy  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
EamArtifactUtil.java
Go to the documentation of this file.
1 /*
2  * Central Repository
3  *
4  * Copyright 2015-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.centralrepository.datamodel;
20 
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.logging.Level;
24 import org.openide.util.NbBundle.Messages;
25 import org.sleuthkit.autopsy.casemodule.Case;
26 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
27 import org.sleuthkit.autopsy.coreutils.Logger;
28 import org.sleuthkit.datamodel.AbstractFile;
29 import org.sleuthkit.datamodel.BlackboardArtifact;
30 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
31 import org.sleuthkit.datamodel.BlackboardAttribute;
32 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
33 import org.sleuthkit.datamodel.Content;
34 import org.sleuthkit.datamodel.HashUtility;
35 import org.sleuthkit.datamodel.TskCoreException;
36 import org.sleuthkit.datamodel.TskData;
37 
41 public class EamArtifactUtil {
42 
43  private static final Logger logger = Logger.getLogger(EamArtifactUtil.class.getName());
44 
45  public EamArtifactUtil() {
46  }
47 
48  @Messages({"EamArtifactUtil.emailaddresses.text=Email Addresses"})
49  public static String getEmailAddressAttrString() {
50  return Bundle.EamArtifactUtil_emailaddresses_text();
51  }
52 
65  public static List<CorrelationAttributeInstance> makeInstancesFromBlackboardArtifact(BlackboardArtifact artifact,
66  boolean checkEnabled) {
67  List<CorrelationAttributeInstance> eamArtifacts = new ArrayList<>();
68  try {
69  BlackboardArtifact artifactForInstance = null;
70  if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifact.getArtifactTypeID()) {
71  // Get the associated artifactForInstance
72  BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
73  if (attribute != null) {
74  artifactForInstance = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(attribute.getValueLong());
75  }
76  } else {
77  artifactForInstance = artifact;
78  }
79  if (artifactForInstance != null) {
80  int artifactTypeID = artifactForInstance.getArtifactTypeID();
81  if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
82  BlackboardAttribute setNameAttr = artifactForInstance.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
83  if (setNameAttr != null
84  && EamArtifactUtil.getEmailAddressAttrString().equals(setNameAttr.getValueString())) {
85  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD, CorrelationAttributeInstance.EMAIL_TYPE_ID);
86  }
87  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()
88  || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()
89  || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()
90  || artifactTypeID == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
91  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, CorrelationAttributeInstance.DOMAIN_TYPE_ID);
92  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
93  || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
94  || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
95 
96  String value = null;
97  if (null != artifactForInstance.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
98  value = artifactForInstance.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
99  } else if (null != artifactForInstance.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
100  value = artifactForInstance.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
101  } else if (null != artifactForInstance.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
102  value = artifactForInstance.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
103  }
104  // Remove all non-numeric symbols to semi-normalize phone numbers, preserving leading "+" character
105  if (value != null) {
106  String newValue = value.replaceAll("\\D", "");
107  if (value.startsWith("+")) {
108  newValue = "+" + newValue;
109  }
110  value = newValue;
111  // Only add the correlation attribute if the resulting phone number large enough to be of use
112  // (these 3-5 digit numbers can be valid, but are not useful for correlation)
113  if (value.length() > 5) {
114  CorrelationAttributeInstance inst = makeCorrelationAttributeInstanceUsingTypeValue(artifactForInstance, EamDb.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.PHONE_TYPE_ID), value);
115  if (inst != null) {
116  eamArtifacts.add(inst);
117  }
118  }
119  }
120  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
121  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID, CorrelationAttributeInstance.USBID_TYPE_ID);
122  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
123  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
124  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SSID, CorrelationAttributeInstance.SSID_TYPE_ID);
125  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
126  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
127  || artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
128  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
129  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
130  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI, CorrelationAttributeInstance.IMEI_TYPE_ID);
131  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
132  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
133  } else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
134  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
135  addCorrelationAttributeToList(eamArtifacts, artifactForInstance, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
136  }
137  }
138  } catch (EamDbException ex) {
139  logger.log(Level.SEVERE, "Error getting defined correlation types.", ex); // NON-NLS
140  return eamArtifacts;
141  } catch (TskCoreException ex) {
142  logger.log(Level.SEVERE, "Error getting attribute while getting type from BlackboardArtifact.", ex); // NON-NLS
143  return null;
144  } catch (NoCurrentCaseException ex) {
145  logger.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS
146  return null;
147  }
148  return eamArtifacts;
149  }
150 
169  private static void addCorrelationAttributeToList(List<CorrelationAttributeInstance> eamArtifacts, BlackboardArtifact artifact, ATTRIBUTE_TYPE bbAttributeType, int typeId) throws EamDbException, TskCoreException {
170  BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(bbAttributeType));
171  if (attribute != null) {
172  String value = attribute.getValueString();
173  if ((null != value) && (value.isEmpty() == false)) {
174  CorrelationAttributeInstance inst = makeCorrelationAttributeInstanceUsingTypeValue(artifact, EamDb.getInstance().getCorrelationTypeById(typeId), value);
175  if (inst != null) {
176  eamArtifacts.add(inst);
177  }
178  }
179  }
180  }
181 
192  private static CorrelationAttributeInstance makeCorrelationAttributeInstanceUsingTypeValue(BlackboardArtifact bbArtifact, CorrelationAttributeInstance.Type correlationType, String value) {
193  try {
194  Case currentCase = Case.getCurrentCaseThrows();
195  AbstractFile bbSourceFile = currentCase.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
196  if (null == bbSourceFile) {
197  logger.log(Level.SEVERE, "Error creating artifact instance. Abstract File was null."); // NON-NLS
198  return null;
199  }
200 
201  // make an instance for the BB source file
202  CorrelationCase correlationCase = EamDb.getInstance().getCase(Case.getCurrentCaseThrows());
203  if (null == correlationCase) {
204  correlationCase = EamDb.getInstance().newCase(Case.getCurrentCaseThrows());
205  }
206  return new CorrelationAttributeInstance(
207  correlationType,
208  value,
209  correlationCase,
210  CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()),
211  bbSourceFile.getParentPath() + bbSourceFile.getName(),
212  "",
213  TskData.FileKnown.UNKNOWN,
214  bbSourceFile.getId());
215 
216  } catch (TskCoreException | EamDbException | CorrelationAttributeNormalizationException ex) {
217  logger.log(Level.SEVERE, "Error creating artifact instance.", ex); // NON-NLS
218  return null;
219  } catch (NoCurrentCaseException ex) {
220  logger.log(Level.SEVERE, "Case is closed.", ex); // NON-NLS
221  return null;
222  }
223  }
224 
232  public static CorrelationAttributeInstance getInstanceFromContent(Content content) {
233 
234  if (!(content instanceof AbstractFile)) {
235  return null;
236  }
237 
238  final AbstractFile file = (AbstractFile) content;
239 
240  if (!isSupportedAbstractFileType(file)) {
241  return null;
242  }
243 
244  CorrelationAttributeInstance.Type type;
245  CorrelationCase correlationCase;
246  CorrelationDataSource correlationDataSource;
247 
248  try {
249  type = EamDb.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
250  correlationCase = EamDb.getInstance().getCase(Case.getCurrentCaseThrows());
251  if (null == correlationCase) {
252  //if the correlationCase is not in the Central repo then attributes generated in relation to it will not be
253  return null;
254  }
255  correlationDataSource = CorrelationDataSource.fromTSKDataSource(correlationCase, file.getDataSource());
256  } catch (TskCoreException | EamDbException ex) {
257  logger.log(Level.SEVERE, "Error retrieving correlation attribute.", ex);
258  return null;
259  } catch (NoCurrentCaseException ex) {
260  logger.log(Level.SEVERE, "Case is closed.", ex);
261  return null;
262  }
263 
264  CorrelationAttributeInstance correlationAttributeInstance;
265  try {
266  correlationAttributeInstance = EamDb.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, file.getId());
267  } catch (EamDbException | CorrelationAttributeNormalizationException ex) {
268  logger.log(Level.WARNING, String.format(
269  "Correlation attribute could not be retrieved for '%s' (id=%d): %s",
270  content.getName(), content.getId(), ex.getMessage()));
271  return null;
272  }
273  //if there was no correlation attribute found for the item using object_id then check for attributes added with schema 1,1 which lack object_id
274  if (correlationAttributeInstance == null) {
275  String value = file.getMd5Hash();
276  String filePath = (file.getParentPath() + file.getName()).toLowerCase();
277  try {
278  correlationAttributeInstance = EamDb.getInstance().getCorrelationAttributeInstance(type, correlationCase, correlationDataSource, value, filePath);
279  } catch (EamDbException | CorrelationAttributeNormalizationException ex) {
280  logger.log(Level.WARNING, String.format(
281  "Correlation attribute could not be retrieved for '%s' (id=%d): %s",
282  content.getName(), content.getId(), ex.getMessage()));
283  return null;
284  }
285  }
286 
287  return correlationAttributeInstance;
288  }
289 
303  public static CorrelationAttributeInstance makeInstanceFromContent(Content content) {
304 
305  if (!(content instanceof AbstractFile)) {
306  return null;
307  }
308 
309  final AbstractFile af = (AbstractFile) content;
310 
311  if (!isSupportedAbstractFileType(af)) {
312  return null;
313  }
314 
315  // We need a hash to make the artifactForInstance
316  String md5 = af.getMd5Hash();
317  if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
318  return null;
319  }
320 
321  try {
322  CorrelationAttributeInstance.Type filesType = EamDb.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
323 
324  CorrelationCase correlationCase = EamDb.getInstance().getCase(Case.getCurrentCaseThrows());
325  if (null == correlationCase) {
326  correlationCase = EamDb.getInstance().newCase(Case.getCurrentCaseThrows());
327  }
328  return new CorrelationAttributeInstance(
329  filesType,
330  af.getMd5Hash(),
331  correlationCase,
332  CorrelationDataSource.fromTSKDataSource(correlationCase, af.getDataSource()),
333  af.getParentPath() + af.getName(),
334  "",
335  TskData.FileKnown.UNKNOWN,
336  af.getId());
337 
338  } catch (TskCoreException | EamDbException | CorrelationAttributeNormalizationException ex) {
339  logger.log(Level.SEVERE, "Error making correlation attribute.", ex);
340  return null;
341  } catch (NoCurrentCaseException ex) {
342  logger.log(Level.SEVERE, "Case is closed.", ex);
343  return null;
344  }
345  }
346 
356  public static boolean isSupportedAbstractFileType(AbstractFile file) {
357  if (file == null) {
358  return false;
359  }
360 
361  switch (file.getType()) {
362  case UNALLOC_BLOCKS:
363  case UNUSED_BLOCKS:
364  case SLACK:
365  case VIRTUAL_DIR:
366  case LOCAL_DIR:
367  return false;
368  case CARVED:
369  case DERIVED:
370  case LOCAL:
371  return true;
372  case FS:
373  return file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC);
374  default:
375  logger.log(Level.WARNING, "Unexpected file type {0}", file.getType().getName());
376  return false;
377  }
378  }
379 }
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.makeInstancesFromBlackboardArtifact
static List< CorrelationAttributeInstance > makeInstancesFromBlackboardArtifact(BlackboardArtifact artifact, boolean checkEnabled)
Definition: EamArtifactUtil.java:65
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.newCase
CorrelationCase newCase(CorrelationCase eamCase)
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.addCorrelationAttributeToList
static void addCorrelationAttributeToList(List< CorrelationAttributeInstance > eamArtifacts, BlackboardArtifact artifact, ATTRIBUTE_TYPE bbAttributeType, int typeId)
Definition: EamArtifactUtil.java:169
org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource.fromTSKDataSource
static CorrelationDataSource fromTSKDataSource(CorrelationCase correlationCase, Content dataSource)
Definition: CorrelationDataSource.java:92
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getCorrelationAttributeInstance
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.getInstanceFromContent
static CorrelationAttributeInstance getInstanceFromContent(Content content)
Definition: EamArtifactUtil.java:232
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getCorrelationTypeById
CorrelationAttributeInstance.Type getCorrelationTypeById(int typeId)
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.makeInstanceFromContent
static CorrelationAttributeInstance makeInstanceFromContent(Content content)
Definition: EamArtifactUtil.java:303
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil.makeCorrelationAttributeInstanceUsingTypeValue
static CorrelationAttributeInstance makeCorrelationAttributeInstanceUsingTypeValue(BlackboardArtifact bbArtifact, CorrelationAttributeInstance.Type correlationType, String value)
Definition: EamArtifactUtil.java:192

Copyright © 2012-2018 Basis Technology. Generated on: Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.