Sleuth Kit Java Bindings (JNI)  4.10.1
Java bindings for using The Sleuth Kit
BlackboardArtifact.java
Go to the documentation of this file.
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2011-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import java.io.Serializable;
22 import java.io.UnsupportedEncodingException;
23 import java.text.MessageFormat;
24 import java.util.ArrayList;
25 import java.util.Collection;
26 import java.util.HashMap;
27 import java.util.HashSet;
28 import java.util.List;
29 import java.util.Map;
30 import java.util.Objects;
31 import java.util.ResourceBundle;
32 import java.util.Set;
33 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
34 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
35 import org.sleuthkit.datamodel.SleuthkitCase.ObjectInfo;
36 
48 public class BlackboardArtifact implements Content {
49 
50  private static final ResourceBundle bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle");
51  private final long artifactId;
52  private final long sourceObjId; // refers to objID of parent/source object
53  private final long artifactObjId; // objId of the artifact in tsk_objects. TBD: replace artifactID with this
54  private final long dataSourceObjId; // objId of the data source in tsk_objects.
55  private final int artifactTypeId;
56  private final String artifactTypeName;
57  private final String displayName;
58  private ReviewStatus reviewStatus;
59  private final SleuthkitCase sleuthkitCase;
60  private final List<BlackboardAttribute> attrsCache = new ArrayList<BlackboardAttribute>();
61  private boolean loadedCacheFromDb = false;
62  private Content parent;
63  private String uniquePath;
64 
65  private byte[] contentBytes = null;
66 
67  private volatile boolean checkedHasChildren;
68  private volatile boolean hasChildren;
69  private volatile int childrenCount;
70 
91  BlackboardArtifact(SleuthkitCase sleuthkitCase, long artifactID, long sourceObjId, long artifactObjId, long dataSourceObjId, int artifactTypeID, String artifactTypeName, String displayName, ReviewStatus reviewStatus) {
92 
93  this.sleuthkitCase = sleuthkitCase;
94  this.artifactId = artifactID;
95  this.sourceObjId = sourceObjId;
96  this.artifactObjId = artifactObjId;
97  this.artifactTypeId = artifactTypeID;
98  this.dataSourceObjId = dataSourceObjId;
99  this.artifactTypeName = artifactTypeName;
100  this.displayName = displayName;
101  this.reviewStatus = reviewStatus;
102 
103  this.checkedHasChildren = false;
104  this.hasChildren = false;
105  this.childrenCount = -1;
106 
107  }
108 
128  BlackboardArtifact(SleuthkitCase sleuthkitCase, long artifactID, long sourceObjId, long artifactObjID, long dataSourceObjID, int artifactTypeID, String artifactTypeName, String displayName, ReviewStatus reviewStatus, boolean isNew) {
129  this(sleuthkitCase, artifactID, sourceObjId, artifactObjID, dataSourceObjID, artifactTypeID, artifactTypeName, displayName, reviewStatus);
130  if (isNew) {
131  /*
132  * If this object represents a newly created artifact, then its
133  * collection of attributes has already been populated and there is
134  * no need to fetch them form the case database.
135  */
136  this.loadedCacheFromDb = true;
137  }
138  }
139 
146  public SleuthkitCase getSleuthkitCase() {
147  return sleuthkitCase;
148  }
149 
155  public long getArtifactID() {
156  return this.artifactId;
157  }
158 
165  public long getObjectID() {
166  return this.sourceObjId;
167  }
168 
174  long getDataSourceObjectID() {
175  return this.dataSourceObjId;
176  }
177 
183  public int getArtifactTypeID() {
184  return this.artifactTypeId;
185  }
186 
192  public String getArtifactTypeName() {
193  return this.artifactTypeName;
194  }
195 
201  public String getDisplayName() {
202  return this.displayName;
203  }
204 
212  public String getShortDescription() throws TskCoreException {
213  BlackboardAttribute attr = null;
214  StringBuilder shortDescription = new StringBuilder("");
215  switch (ARTIFACT_TYPE.fromID(artifactTypeId)) {
216  case TSK_WEB_BOOKMARK: //web_bookmark, web_cookie, web_download, and web_history are the same attribute for now
217  case TSK_WEB_COOKIE:
218  case TSK_WEB_DOWNLOAD:
219  case TSK_WEB_HISTORY:
220  attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
221  break;
222  case TSK_KEYWORD_HIT:
223  attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW));
224  break;
225  case TSK_DEVICE_ATTACHED:
226  attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DEVICE_ID));
227  break;
228  case TSK_CONTACT: //contact, message, and calllog are the same attributes for now
229  case TSK_MESSAGE:
230  case TSK_CALLLOG:
231  //get the first of these attributes which exists and is non null
232  final ATTRIBUTE_TYPE[] typesThatCanHaveName = {ATTRIBUTE_TYPE.TSK_NAME,
233  ATTRIBUTE_TYPE.TSK_PHONE_NUMBER,
234  ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM,
235  ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO,
236  ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_HOME,
237  ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_MOBILE,
238  ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_OFFICE,
239  ATTRIBUTE_TYPE.TSK_EMAIL,
240  ATTRIBUTE_TYPE.TSK_EMAIL_FROM,
241  ATTRIBUTE_TYPE.TSK_EMAIL_TO,
242  ATTRIBUTE_TYPE.TSK_EMAIL_HOME,
243  ATTRIBUTE_TYPE.TSK_EMAIL_OFFICE}; //in the order we want to use them
244  for (ATTRIBUTE_TYPE t : typesThatCanHaveName) {
245  attr = getAttribute(new BlackboardAttribute.Type(t));
246  if (attr != null && !attr.getDisplayString().isEmpty()) {
247  break;
248  }
249  }
250  break;
251  default:
252  break;
253  }
254  if (attr != null) {
255  shortDescription.append(attr.getAttributeType().getDisplayName()).append(": ").append(attr.getDisplayString());
256  } else {
257  shortDescription.append(getDisplayName());
258  }
259  //get the first of these date attributes which exists and is non null
260  final ATTRIBUTE_TYPE[] typesThatCanHaveDate = {ATTRIBUTE_TYPE.TSK_DATETIME,
261  ATTRIBUTE_TYPE.TSK_DATETIME_SENT,
262  ATTRIBUTE_TYPE.TSK_DATETIME_RCVD,
263  ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
264  ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED,
265  ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
266  ATTRIBUTE_TYPE.TSK_DATETIME_START,
267  ATTRIBUTE_TYPE.TSK_DATETIME_END}; //in the order we want to use them
268  BlackboardAttribute date;
269  for (ATTRIBUTE_TYPE t : typesThatCanHaveDate) {
270  date = getAttribute(new BlackboardAttribute.Type(t));
271  if (date != null && !date.getDisplayString().isEmpty()) {
272  shortDescription.append(" ");
273  shortDescription.append(MessageFormat.format(bundle.getString("BlackboardArtifact.shortDescriptionDate.text"), date.getDisplayString())); //NON-NLS
274  break;
275  }
276  }
277  return shortDescription.toString();
278  }
279 
286  public ReviewStatus getReviewStatus() {
287  return reviewStatus;
288  }
289 
298  public void setReviewStatus(ReviewStatus newStatus) throws TskCoreException {
299  getSleuthkitCase().setReviewStatus(this, newStatus);
300  reviewStatus = newStatus;
301  }
302 
314  public void addAttribute(BlackboardAttribute attribute) throws TskCoreException {
315  attribute.setArtifactId(artifactId);
316  attribute.setCaseDatabase(getSleuthkitCase());
317  getSleuthkitCase().addBlackboardAttribute(attribute, this.artifactTypeId);
318  attrsCache.add(attribute);
319  }
320 
329  public List<BlackboardAttribute> getAttributes() throws TskCoreException {
330  ArrayList<BlackboardAttribute> attributes;
331  if (false == loadedCacheFromDb) {
332  attributes = getSleuthkitCase().getBlackboardAttributes(this);
333  attrsCache.clear();
334  attrsCache.addAll(attributes);
335  loadedCacheFromDb = true;
336  } else {
337  attributes = new ArrayList<BlackboardAttribute>(attrsCache);
338  }
339  return attributes;
340  }
341 
356  public BlackboardAttribute getAttribute(BlackboardAttribute.Type attributeType) throws TskCoreException {
357  List<BlackboardAttribute> attributes = this.getAttributes();
358  for (BlackboardAttribute attribute : attributes) {
359  if (attribute.getAttributeType().equals(attributeType)) {
360  return attribute;
361  }
362  }
363  return null;
364  }
365 
375  public void addAttributes(Collection<BlackboardAttribute> attributes) throws TskCoreException {
376  if (attributes.isEmpty()) {
377  return;
378  }
379  for (BlackboardAttribute attribute : attributes) {
380  attribute.setArtifactId(artifactId);
381  attribute.setCaseDatabase(getSleuthkitCase());
382  }
383  getSleuthkitCase().addBlackboardAttributes(attributes, artifactTypeId);
384  attrsCache.addAll(attributes);
385  }
386 
393  @Override
394  public synchronized String getUniquePath() throws TskCoreException {
395 
396  // Return the path of the parrent file
397  if (uniquePath == null) {
398  uniquePath = "";
399  Content myParent = getParent();
400  if (myParent != null) {
401  uniquePath = myParent.getUniquePath();
402  }
403  }
404  return uniquePath;
405  }
406 
407  @Override
408  public synchronized Content getParent() throws TskCoreException {
409  if (parent == null) {
410  ObjectInfo parentInfo;
411  parentInfo = getSleuthkitCase().getParentInfo(this);
412  if (parentInfo == null) {
413  parent = null;
414  } else {
415  parent = getSleuthkitCase().getContentById(parentInfo.getId());
416  }
417  }
418  return parent;
419  }
420 
428  @Override
429  public ArrayList<BlackboardArtifact> getAllArtifacts() throws TskCoreException {
430  // Currently we don't have any artifacts derived from an artifact.
431  return new ArrayList<BlackboardArtifact>();
432  }
433 
444  @Override
445  public ArrayList<BlackboardArtifact> getArtifacts(String artifactTypeName) throws TskCoreException {
446  // Currently we don't have any artifacts derived from an artifact.
447  return new ArrayList<BlackboardArtifact>();
448  }
449 
460  @Override
461  public ArrayList<BlackboardArtifact> getArtifacts(int artifactTypeID) throws TskCoreException {
462  // Currently we don't have any artifacts derived from an artifact.
463  return new ArrayList<BlackboardArtifact>();
464  }
465 
475  @Override
476  public ArrayList<BlackboardArtifact> getArtifacts(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
477  // Currently we don't have any artifacts derived from an artifact.
478  return new ArrayList<BlackboardArtifact>();
479  }
480 
488  @Override
489  public long getAllArtifactsCount() throws TskCoreException {
490  // Currently we don't have any artifacts derived from an artifact.
491  return 0;
492  }
493 
504  @Override
505  public long getArtifactsCount(String artifactTypeName) throws TskCoreException {
506  // Currently we don't have any artifacts derived from an artifact.
507  return 0;
508  }
509 
520  @Override
521  public long getArtifactsCount(int artifactTypeID) throws TskCoreException {
522  // Currently we don't have any artifacts derived from an artifact.
523  return 0;
524  }
525 
536  @Override
537  public long getArtifactsCount(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
538  // Currently we don't have any artifacts derived from an artifact.
539  return 0;
540  }
541 
550  @Override
551  public BlackboardArtifact getGenInfoArtifact() throws TskCoreException {
552  // Currently we don't have any artifacts derived from an artifact.
553  return null;
554  }
555 
569  @Override
570  public BlackboardArtifact getGenInfoArtifact(boolean create) throws TskCoreException {
571  // Currently we don't have any artifacts derived from an artifact.
572  if (create) {
573  throw new TskCoreException("Artifacts of artifacts are not supported.");
574  }
575 
576  return null;
577  }
578 
589  @Override
590  public ArrayList<BlackboardAttribute> getGenInfoAttributes(BlackboardAttribute.ATTRIBUTE_TYPE attr_type) throws TskCoreException {
591  // Currently we don't have any artifacts derived from an artifact.
592  return new ArrayList<>();
593  }
594 
602  @Override
603  public Set<String> getHashSetNames() throws TskCoreException {
604  // Currently we don't have any artifacts derived from an artifact.
605  return new HashSet<String>();
606  }
607 
619  @Override
620  public BlackboardArtifact newArtifact(int artifactTypeID) throws TskCoreException {
621  throw new TskCoreException("Cannot create artifact of an artifact. Not supported.");
622  }
623 
634  @Override
635  public BlackboardArtifact newArtifact(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
636  throw new TskCoreException("Cannot create artifact of an artifact. Not supported.");
637  }
638 
647  @Override
648  public <T> T accept(ContentVisitor<T> visitor) {
649  return visitor.visit(this);
650  }
651 
659  @Override
660  public boolean equals(Object object) {
661  if (object == null) {
662  return false;
663  }
664  if (getClass() != object.getClass()) {
665  return false;
666  }
667  final BlackboardArtifact other = (BlackboardArtifact) object;
668  return artifactId == other.getArtifactID();
669  }
670 
676  @Override
677  public int hashCode() {
678  int hash = 7;
679  hash = 41 * hash + (int) (this.artifactId ^ (this.artifactId >>> 32));
680  return hash;
681  }
682 
688  @Override
689  public String toString() {
690  return "BlackboardArtifact{" + "artifactID=" + artifactId + ", objID=" + getObjectID() + ", artifactObjID=" + artifactObjId + ", artifactTypeID=" + artifactTypeId + ", artifactTypeName=" + artifactTypeName + ", displayName=" + displayName + ", Case=" + getSleuthkitCase() + '}'; //NON-NLS
691  }
692 
703  @Override
704  public <T> T accept(SleuthkitItemVisitor<T> visitor) {
705  return visitor.visit(this);
706  }
707 
714  @Override
715  public long getSize() {
716 
717  if (contentBytes == null) {
718  try {
719  loadArtifactContent();
720  } catch (TskCoreException ex) {
721  return 0;
722  }
723  }
724 
725  return contentBytes.length;
726  }
727 
731  @Override
732  public void close() {
733  contentBytes = null;
734  }
735 
749  @Override
750  public final int read(byte[] buf, long offset, long len) throws TskCoreException {
751 
752  if (contentBytes == null) {
753  loadArtifactContent();
754  }
755 
756  if (0 == contentBytes.length) {
757  return 0;
758  }
759 
760  // Copy bytes
761  long readLen = Math.min(contentBytes.length - offset, len);
762  System.arraycopy(contentBytes, 0, buf, 0, (int) readLen);
763 
764  return (int) readLen;
765  }
766 
767  @Override
768  public String getName() {
769  return this.displayName + getArtifactID();
770  }
771 
772  @Override
773  public Content getDataSource() throws TskCoreException {
774  return getSleuthkitCase().getContentById(dataSourceObjId);
775  }
776 
783  private void loadArtifactContent() throws TskCoreException {
784  StringBuilder artifactContents = new StringBuilder();
785 
786  Content dataSource = null;
787  try {
788  dataSource = getDataSource();
789  } catch (TskCoreException ex) {
790  throw new TskCoreException("Unable to get datasource for artifact: " + this.toString(), ex);
791  }
792  if (dataSource == null) {
793  throw new TskCoreException("Datasource was null for artifact: " + this.toString());
794  }
795 
796  try {
797  for (BlackboardAttribute attribute : getAttributes()) {
798  artifactContents.append(attribute.getAttributeType().getDisplayName());
799  artifactContents.append(" : ");
800  artifactContents.append(attribute.getDisplayString());
801  artifactContents.append(System.lineSeparator());
802  }
803  } catch (TskCoreException ex) {
804  throw new TskCoreException("Unable to get attributes for artifact: " + this.toString(), ex);
805  }
806 
807  try {
808  contentBytes = artifactContents.toString().getBytes("UTF-8");
809  } catch (UnsupportedEncodingException ex) {
810  throw new TskCoreException("Failed to convert artifact string to bytes for artifact: " + this.toString(), ex);
811  }
812 
813  }
814 
818  public static final class Type implements Serializable {
819 
820  private static final long serialVersionUID = 1L;
821  private final String typeName;
822  private final int typeID;
823  private final String displayName;
824 
832  public Type(int typeID, String typeName, String displayName) {
833  this.typeID = typeID;
834  this.typeName = typeName;
835  this.displayName = displayName;
836  }
837 
843  public Type(ARTIFACT_TYPE type) {
844  this(type.getTypeID(), type.getLabel(), type.getDisplayName());
845  }
846 
852  public String getTypeName() {
853  return this.typeName;
854  }
855 
861  public int getTypeID() {
862  return this.typeID;
863  }
864 
870  public String getDisplayName() {
871  return this.displayName;
872  }
873 
881  @Override
882  public boolean equals(Object that) {
883  if (this == that) {
884  return true;
885  } else if (!(that instanceof Type)) {
886  return false;
887  } else {
888  return ((Type) that).sameType(this);
889  }
890  }
891 
899  private boolean sameType(Type that) {
900  return this.typeName.equals(that.getTypeName())
901  && this.displayName.equals(that.getDisplayName())
902  && this.typeID == that.getTypeID();
903  }
904 
910  @Override
911  public int hashCode() {
912  int hash = 11;
913  hash = 83 * hash + Objects.hashCode(this.typeID);
914  hash = 83 * hash + Objects.hashCode(this.displayName);
915  hash = 83 * hash + Objects.hashCode(this.typeName);
916  return hash;
917  }
918  }
919 
925  public enum ARTIFACT_TYPE implements SleuthkitVisitableItem {
926 
930  TSK_GEN_INFO(1, "TSK_GEN_INFO", //NON-NLS
931  bundle.getString("BlackboardArtifact.tskGenInfo.text")),
937  TSK_WEB_BOOKMARK(2, "TSK_WEB_BOOKMARK", //NON-NLS
938  bundle.getString("BlackboardArtifact.tskWebBookmark.text")),
944  TSK_WEB_COOKIE(3, "TSK_WEB_COOKIE",
945  bundle.getString("BlackboardArtifact.tskWebCookie.text")), //NON-NLS
951  TSK_WEB_HISTORY(4, "TSK_WEB_HISTORY", //NON-NLS
952  bundle.getString("BlackboardArtifact.tskWebHistory.text")),
958  TSK_WEB_DOWNLOAD(5, "TSK_WEB_DOWNLOAD", //NON-NLS
959  bundle.getString("BlackboardArtifact.tskWebDownload.text")),
963  TSK_RECENT_OBJECT(6, "TSK_RECENT_OBJ", //NON-NLS
964  bundle.getString("BlackboardArtifact.tsk.recentObject.text")),
970  @Deprecated
971  TSK_GPS_TRACKPOINT(7, "TSK_GPS_TRACKPOINT", //NON-NLS
972  bundle.getString("BlackboardArtifact.tskGpsTrackpoint.text")),
976  TSK_INSTALLED_PROG(8, "TSK_INSTALLED_PROG", //NON-NLS
977  bundle.getString("BlackboardArtifact.tskInstalledProg.text")),
981  TSK_KEYWORD_HIT(9, "TSK_KEYWORD_HIT",
982  bundle.getString("BlackboardArtifact.tskKeywordHits.text")),
986  TSK_HASHSET_HIT(10, "TSK_HASHSET_HIT", //NON-NLS
987  bundle.getString("BlackboardArtifact.tskHashsetHit.text")),
991  TSK_DEVICE_ATTACHED(11, "TSK_DEVICE_ATTACHED", //NON-NLS
992  bundle.getString("BlackboardArtifact.tskDeviceAttached.text")),
997  TSK_INTERESTING_FILE_HIT(12, "TSK_INTERESTING_FILE_HIT", //NON-NLS
998  bundle.getString("BlackboardArtifact.tskInterestingFileHit.text")),
999 
1002  TSK_EMAIL_MSG(13, "TSK_EMAIL_MSG", //NON-NLS
1003  bundle.getString("BlackboardArtifact.tskEmailMsg.text")),
1007  TSK_EXTRACTED_TEXT(14, "TSK_EXTRACTED_TEXT", //NON-NLS
1008  bundle.getString("BlackboardArtifact.tskExtractedText.text")),
1012  TSK_WEB_SEARCH_QUERY(15, "TSK_WEB_SEARCH_QUERY", //NON-NLS
1013  bundle.getString("BlackboardArtifact.tskWebSearchQuery.text")),
1017  TSK_METADATA_EXIF(16, "TSK_METADATA_EXIF", //NON-NLS
1018  bundle.getString("BlackboardArtifact.tskMetadataExif.text")),
1024  @Deprecated
1025  TSK_TAG_FILE(17, "TSK_TAG_FILE", //NON-NLS
1026  bundle.getString("BlackboardArtifact.tagFile.text")),
1032  @Deprecated
1033  TSK_TAG_ARTIFACT(18, "TSK_TAG_ARTIFACT", //NON-NLS
1034  bundle.getString("BlackboardArtifact.tskTagArtifact.text")),
1038  TSK_OS_INFO(19, "TSK_OS_INFO", //NON-NLS
1039  bundle.getString("BlackboardArtifact.tskOsInfo.text")),
1043  TSK_OS_ACCOUNT(20, "TSK_OS_ACCOUNT", //NON-NLS
1044  bundle.getString("BlackboardArtifact.tskOsAccount.text")),
1048  TSK_SERVICE_ACCOUNT(21, "TSK_SERVICE_ACCOUNT", //NON-NLS
1049  bundle.getString("BlackboardArtifact.tskServiceAccount.text")),
1055  @Deprecated
1056  TSK_TOOL_OUTPUT(22, "TSK_TOOL_OUTPUT", //NON-NLS
1057  bundle.getString("BlackboardArtifact.tskToolOutput.text")),
1064  TSK_CONTACT(23, "TSK_CONTACT", //NON-NLS
1065  bundle.getString("BlackboardArtifact.tskContact.text")),
1072  TSK_MESSAGE(24, "TSK_MESSAGE", //NON-NLS
1073  bundle.getString("BlackboardArtifact.tskMessage.text")),
1080  TSK_CALLLOG(25, "TSK_CALLLOG", //NON-NLS
1081  bundle.getString("BlackboardArtifact.tskCalllog.text")),
1085  TSK_CALENDAR_ENTRY(26, "TSK_CALENDAR_ENTRY", //NON-NLS
1086  bundle.getString("BlackboardArtifact.tskCalendarEntry.text")),
1090  TSK_SPEED_DIAL_ENTRY(27, "TSK_SPEED_DIAL_ENTRY", //NON-NLS
1091  bundle.getString("BlackboardArtifact.tskSpeedDialEntry.text")),
1095  TSK_BLUETOOTH_PAIRING(28, "TSK_BLUETOOTH_PAIRING", //NON-NLS
1096  bundle.getString("BlackboardArtifact.tskBluetoothPairing.text")),
1100  TSK_GPS_BOOKMARK(29, "TSK_GPS_BOOKMARK", //NON-NLS
1101  bundle.getString("BlackboardArtifact.tskGpsBookmark.text")),
1105  TSK_GPS_LAST_KNOWN_LOCATION(30, "TSK_GPS_LAST_KNOWN_LOCATION", //NON-NLS
1106  bundle.getString("BlackboardArtifact.tskGpsLastKnownLocation.text")),
1110  TSK_GPS_SEARCH(31, "TSK_GPS_SEARCH", //NON-NLS
1111  bundle.getString("BlackboardArtifact.tskGpsSearch.text")),
1115  TSK_PROG_RUN(32, "TSK_PROG_RUN", //NON-NLS
1116  bundle.getString("BlackboardArtifact.tskProgRun.text")),
1120  TSK_ENCRYPTION_DETECTED(33, "TSK_ENCRYPTION_DETECTED", //NON-NLS
1121  bundle.getString("BlackboardArtifact.tskEncryptionDetected.text")),
1125  TSK_EXT_MISMATCH_DETECTED(34, "TSK_EXT_MISMATCH_DETECTED", //NON-NLS
1126  bundle.getString("BlackboardArtifact.tskExtMismatchDetected.text")),
1131  TSK_INTERESTING_ARTIFACT_HIT(35, "TSK_INTERESTING_ARTIFACT_HIT", //NON-NLS
1132  bundle.getString("BlackboardArtifact.tskInterestingArtifactHit.text")),
1138  TSK_GPS_ROUTE(36, "TSK_GPS_ROUTE", //NON-NLS
1139  bundle.getString("BlackboardArtifact.tskGpsRoute.text")),
1143  TSK_REMOTE_DRIVE(37, "TSK_REMOTE_DRIVE", //NON-NLS
1144  bundle.getString("BlackboardArtifact.tskRemoteDrive.text")),
1148  TSK_FACE_DETECTED(38, "TSK_FACE_DETECTED", //NON-NLS
1149  bundle.getString("BlackboardArtifact.tskFaceDetected.text")),
1153  TSK_ACCOUNT(39, "TSK_ACCOUNT", //NON-NLS
1154  bundle.getString("BlackboardArtifact.tskAccount.text")),
1158  TSK_ENCRYPTION_SUSPECTED(40, "TSK_ENCRYPTION_SUSPECTED", //NON-NLS
1159  bundle.getString("BlackboardArtifact.tskEncryptionSuspected.text")),
1160  /*
1161  * A classifier detected an object in a media file.
1162  */
1163  TSK_OBJECT_DETECTED(41, "TSK_OBJECT_DETECTED", //NON-NLS
1164  bundle.getString("BlackboardArtifact.tskObjectDetected.text")),
1168  TSK_WIFI_NETWORK(42, "TSK_WIFI_NETWORK", //NON-NLS
1169  bundle.getString("BlackboardArtifact.tskWIFINetwork.text")),
1173  TSK_DEVICE_INFO(43, "TSK_DEVICE_INFO", //NON-NLS
1174  bundle.getString("BlackboardArtifact.tskDeviceInfo.text")),
1178  TSK_SIM_ATTACHED(44, "TSK_SIM_ATTACHED", //NON-NLS
1179  bundle.getString("BlackboardArtifact.tskSimAttached.text")),
1183  TSK_BLUETOOTH_ADAPTER(45, "TSK_BLUETOOTH_ADAPTER", //NON-NLS
1184  bundle.getString("BlackboardArtifact.tskBluetoothAdapter.text")),
1188  TSK_WIFI_NETWORK_ADAPTER(46, "TSK_WIFI_NETWORK_ADAPTER", //NON-NLS
1189  bundle.getString("BlackboardArtifact.tskWIFINetworkAdapter.text")),
1193  TSK_VERIFICATION_FAILED(47, "TSK_VERIFICATION_FAILED", //NON-NLS
1194  bundle.getString("BlackboardArtifact.tskVerificationFailed.text")),
1198  TSK_DATA_SOURCE_USAGE(48, "TSK_DATA_SOURCE_USAGE", //NON-NLS
1199  bundle.getString("BlackboardArtifact.tskDataSourceUsage.text")),
1205  TSK_WEB_FORM_AUTOFILL(49, "TSK_WEB_FORM_AUTOFILL", //NON-NLS
1206  bundle.getString("BlackboardArtifact.tskWebFormAutofill.text")),
1212  TSK_WEB_FORM_ADDRESS(50, "TSK_WEB_FORM_ADDRESSES ", //NON-NLS
1213  bundle.getString("BlackboardArtifact.tskWebFormAddresses.text")),
1220  @Deprecated
1221  TSK_DOWNLOAD_SOURCE(51, "TSK_DOWNLOAD_SOURCE", //NON-NLS
1222  bundle.getString("BlackboardArtifact.tskDownloadSource.text")),
1226  TSK_WEB_CACHE(52, "TSK_WEB_CACHE", //NON-NLS
1227  bundle.getString("BlackboardArtifact.tskWebCache.text")),
1231  TSK_TL_EVENT(53, "TSK_TL_EVENT", //NON-NLS
1232  bundle.getString("BlackboardArtifact.tskTLEvent.text")),
1236  TSK_CLIPBOARD_CONTENT(54, "TSK_CLIPBOARD_CONTENT", //NON-NLS
1237  bundle.getString("BlackboardArtifact.tskClipboardContent.text")),
1241  TSK_ASSOCIATED_OBJECT(55, "TSK_ASSOCIATED_OBJECT", //NON-NLS
1242  bundle.getString("BlackboardArtifact.tskAssociatedObject.text")),
1246  TSK_USER_CONTENT_SUSPECTED(56, "TSK_USER_CONTENT_SUSPECTED", //NON-NLS
1247  bundle.getString("BlackboardArtifact.tskUserContentSuspected.text")),
1251  TSK_METADATA(57, "TSK_METADATA", //NON-NLS
1252  bundle.getString("BlackboardArtifact.tskMetadata.text")),
1258  TSK_GPS_TRACK(58, "TSK_GPS_TRACK",
1259  bundle.getString("BlackboardArtifact.tskTrack.text")),
1263  TSK_WEB_ACCOUNT_TYPE(59, "TSK_WEB_ACCOUNT_TYPE",
1264  bundle.getString("BlackboardArtifact.tskWebAccountType.text")),
1268  TSK_SCREEN_SHOTS(60, "TSK_SCREEN_SHOTS",
1269  bundle.getString("BlackboardArtifact.tskScreenShots.text")),
1273  TSK_IP_DHCP(61, "TSK_IP_DHCP",
1274  bundle.getString("BlackboardArtifact.tskDhcpInfo.text")),
1278  TSK_PROG_NOTIFICATIONS(62, "TSK_PROG_NOTIFICATIONS",
1279  bundle.getString("BlackboardArtifact.tskProgNotifications.text")),
1283  TSK_BACKUP_EVENT(63, "TSK_BACKUP_EVENT",
1284  bundle.getString("BlackboardArtifact.tskBackupEvent.text")),
1288  TSK_DELETED_PROG(64, "TSK_DELETED_PROG",
1289  bundle.getString("BlackboardArtifact.tskDeletedProg.text")),
1293  TSK_USER_DEVICE_EVENT(65, "TSK_USER_DEVICE_EVENT",
1294  bundle.getString("BlackboardArtifact.tskUserDeviceEvent.text")),
1298  TSK_YARA_HIT(66, "TSK_YARA_HIT",
1299  bundle.getString("BlackboardArtifact.tskYaraHit.text")),
1303  TSK_GPS_AREA(67, "TSK_GPS_AREA",
1304  bundle.getString("BlackboardArtifact.tskGPSArea.text")),
1305 
1306  TSK_WEB_CATEGORIZATION(68, "TSK_WEB_CATEGORIZATION",
1307  bundle.getString("BlackboardArtifact.tskWebCategorization.text")),
1308 
1309  ;
1310 
1311  /*
1312  * To developers: For each new artifact, ensure that: - The enum value
1313  * has 1-line JavaDoc description - The artifact catalog
1314  * (artifact_catalog.dox) is updated to reflect the attributes it uses
1315  */
1316  private final String label;
1317  private final int typeId;
1318  private final String displayName;
1319 
1327  private ARTIFACT_TYPE(int typeId, String label, String displayName) {
1328  this.typeId = typeId;
1329  this.label = label;
1330  this.displayName = displayName;
1331  }
1332 
1338  public int getTypeID() {
1339  return this.typeId;
1340  }
1341 
1347  public String getLabel() {
1348  return this.label;
1349  }
1350 
1359  static public ARTIFACT_TYPE fromLabel(String label) {
1360  for (ARTIFACT_TYPE value : ARTIFACT_TYPE.values()) {
1361  if (value.getLabel().equals(label)) {
1362  return value;
1363  }
1364  }
1365  throw new IllegalArgumentException("No ARTIFACT_TYPE matching type: " + label);
1366  }
1367 
1378  static public ARTIFACT_TYPE fromID(int id) {
1379  for (ARTIFACT_TYPE value : ARTIFACT_TYPE.values()) {
1380  if (value.getTypeID() == id) {
1381  return value;
1382  }
1383  }
1384  throw new IllegalArgumentException("No ARTIFACT_TYPE matching type: " + id);
1385  }
1386 
1392  public String getDisplayName() {
1393  return displayName;
1394  }
1395 
1407  @Override
1408  public <T> T accept(SleuthkitItemVisitor<T> visitor) {
1409  return visitor.visit(this);
1410  }
1411 
1412  }
1413 
1417  public enum ReviewStatus {
1418 
1419  APPROVED(1, "APPROVED", "ReviewStatus.Approved"), //approved by human user
1420  REJECTED(2, "REJECTED", "ReviewStatus.Rejected"), //rejected by humna user
1421  UNDECIDED(3, "UNDECIDED", "ReviewStatus.Undecided"); // not yet reviewed by human user
1422 
1423  private final Integer id;
1424  private final String name;
1425  private final String displayName;
1426  private final static Map<Integer, ReviewStatus> idToStatus = new HashMap<Integer, ReviewStatus>();
1427 
1428  static {
1429  for (ReviewStatus status : values()) {
1430  idToStatus.put(status.getID(), status);
1431  }
1432  }
1433 
1442  private ReviewStatus(Integer id, String name, String displayNameKey) {
1443  this.id = id;
1444  this.name = name;
1445  this.displayName = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle").getString(displayNameKey);
1446  }
1447 
1455  public static ReviewStatus withID(int id) {
1456  return idToStatus.get(id);
1457  }
1458 
1464  public Integer getID() {
1465  return id;
1466  }
1467 
1473  String getName() {
1474  return name;
1475  }
1476 
1482  public String getDisplayName() {
1483  return displayName;
1484  }
1485  }
1486 
1508  @Deprecated
1509  protected BlackboardArtifact(SleuthkitCase sleuthkitCase, long artifactID, long objID, long artifactObjID, long dataSourceObjId, int artifactTypeID, String artifactTypeName, String displayName) {
1510  this(sleuthkitCase, artifactID, objID, artifactObjID, dataSourceObjId, artifactTypeID, artifactTypeName, displayName, ReviewStatus.UNDECIDED);
1511  }
1512 
1527  @Deprecated
1528  public List<BlackboardAttribute> getAttributes(final BlackboardAttribute.ATTRIBUTE_TYPE attributeType) throws TskCoreException {
1529  if (loadedCacheFromDb == false) {
1530  List<BlackboardAttribute> attrs = getSleuthkitCase().getBlackboardAttributes(this);
1531  attrsCache.clear();
1532  attrsCache.addAll(attrs);
1533  loadedCacheFromDb = true;
1534  }
1535  ArrayList<BlackboardAttribute> filteredAttributes = new ArrayList<BlackboardAttribute>();
1536  for (BlackboardAttribute attr : attrsCache) {
1537  if (attr.getAttributeType().getTypeID() == attributeType.getTypeID()) {
1538  filteredAttributes.add(attr);
1539  }
1540  }
1541  return filteredAttributes;
1542  }
1543 
1544  @Override
1545  public long getId() {
1546  return this.artifactObjId;
1547  }
1548 
1557  @Override
1558  public List<Long> getChildrenIds() throws TskCoreException {
1559  List<Long> childrenIDs = new ArrayList<Long>();
1560  childrenIDs.addAll(getSleuthkitCase().getAbstractFileChildrenIds(this));
1561  childrenIDs.addAll(getSleuthkitCase().getBlackboardArtifactChildrenIds(this));
1562 
1563  return childrenIDs;
1564  }
1565 
1566  @Override
1567  public int getChildrenCount() throws TskCoreException {
1568  if (childrenCount != -1) {
1569  return childrenCount;
1570  }
1571 
1572  childrenCount = this.getSleuthkitCase().getContentChildrenCount(this);
1573 
1574  hasChildren = childrenCount > 0;
1575  checkedHasChildren = true;
1576 
1577  return childrenCount;
1578  }
1579 
1580  @Override
1581  public boolean hasChildren() throws TskCoreException {
1582  if (checkedHasChildren == true) {
1583  return hasChildren;
1584  }
1585 
1586  childrenCount = this.getSleuthkitCase().getContentChildrenCount(this);
1587 
1588  hasChildren = childrenCount > 0;
1589  checkedHasChildren = true;
1590 
1591  return hasChildren;
1592  }
1593 
1602  @Override
1603  public List<Content> getChildren() throws TskCoreException {
1604  List<Content> children = new ArrayList<>();
1605  children.addAll(getSleuthkitCase().getAbstractFileChildren(this));
1606  children.addAll(getSleuthkitCase().getBlackboardArtifactChildren(this));
1607 
1608  return children;
1609  }
1610 }
org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.fromID
static ARTIFACT_TYPE fromID(int id)
Definition: BlackboardArtifact.java:1378
org.sleuthkit.datamodel.BlackboardArtifact.getArtifacts
ArrayList< BlackboardArtifact > getArtifacts(int artifactTypeID)
Definition: BlackboardArtifact.java:461
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO
TSK_PHONE_NUMBER_TO
Definition: BlackboardAttribute.java:1194
org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributes
ArrayList< BlackboardAttribute > getBlackboardAttributes(final BlackboardArtifact artifact)
Definition: SleuthkitCase.java:4369
org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.fromLabel
static ARTIFACT_TYPE fromLabel(String label)
Definition: BlackboardArtifact.java:1359
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW
TSK_KEYWORD_PREVIEW
Definition: BlackboardAttribute.java:962
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME
TSK_NAME
Definition: BlackboardAttribute.java:941
org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttributes
void addBlackboardAttributes(Collection< BlackboardAttribute > attributes, int artifactTypeId)
Definition: SleuthkitCase.java:3921
org.sleuthkit.datamodel.BlackboardArtifact.Type.Type
Type(int typeID, String typeName, String displayName)
Definition: BlackboardArtifact.java:832
org.sleuthkit.datamodel.BlackboardArtifact.addAttributes
void addAttributes(Collection< BlackboardAttribute > attributes)
Definition: BlackboardArtifact.java:375
org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttribute
void addBlackboardAttribute(BlackboardAttribute attr, int artifactTypeId)
Definition: SleuthkitCase.java:3899
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN
TSK_DOMAIN
Definition: BlackboardAttribute.java:975
org.sleuthkit.datamodel.BlackboardArtifact.getAttributes
List< BlackboardAttribute > getAttributes(final BlackboardAttribute.ATTRIBUTE_TYPE attributeType)
Definition: BlackboardArtifact.java:1528
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER
TSK_PHONE_NUMBER
Definition: BlackboardAttribute.java:1043
org.sleuthkit.datamodel.ContentVisitor.visit
T visit(Directory d)
org.sleuthkit.datamodel.BlackboardArtifact.read
final int read(byte[] buf, long offset, long len)
Definition: BlackboardArtifact.java:750
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START
TSK_DATETIME_START
Definition: BlackboardAttribute.java:1206
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_OFFICE
TSK_EMAIL_OFFICE
Definition: BlackboardAttribute.java:1203
org.sleuthkit.datamodel.BlackboardArtifact.addAttribute
void addAttribute(BlackboardAttribute attribute)
Definition: BlackboardArtifact.java:314
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID
TSK_DEVICE_ID
Definition: BlackboardAttribute.java:990
org.sleuthkit.datamodel.BlackboardArtifact.getArtifacts
ArrayList< BlackboardArtifact > getArtifacts(BlackboardArtifact.ARTIFACT_TYPE type)
Definition: BlackboardArtifact.java:476
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_HOME
TSK_EMAIL_HOME
Definition: BlackboardAttribute.java:1200
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME
TSK_DATETIME
Definition: BlackboardAttribute.java:938
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_MOBILE
TSK_PHONE_NUMBER_MOBILE
Definition: BlackboardAttribute.java:1188
org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.accept
public< T > T accept(SleuthkitItemVisitor< T > visitor)
Definition: BlackboardArtifact.java:1408
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_RCVD
TSK_DATETIME_RCVD
Definition: BlackboardAttribute.java:1092
org.sleuthkit.datamodel.BlackboardArtifact.newArtifact
BlackboardArtifact newArtifact(int artifactTypeID)
Definition: BlackboardArtifact.java:620
org.sleuthkit.datamodel.BlackboardArtifact.getAttribute
BlackboardAttribute getAttribute(BlackboardAttribute.Type attributeType)
Definition: BlackboardArtifact.java:356
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_SENT
TSK_DATETIME_SENT
Definition: BlackboardAttribute.java:1095
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_OFFICE
TSK_PHONE_NUMBER_OFFICE
Definition: BlackboardAttribute.java:1185
org.sleuthkit.datamodel.BlackboardArtifact.getArtifactsCount
long getArtifactsCount(String artifactTypeName)
Definition: BlackboardArtifact.java:505
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_HOME
TSK_PHONE_NUMBER_HOME
Definition: BlackboardAttribute.java:1182
org.sleuthkit.datamodel.Content
Definition: Content.java:32
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END
TSK_DATETIME_END
Definition: BlackboardAttribute.java:1209
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL
TSK_EMAIL
Definition: BlackboardAttribute.java:993
org.sleuthkit.datamodel.ContentVisitor
Definition: ContentVisitor.java:32
org.sleuthkit.datamodel.BlackboardArtifact.getGenInfoArtifact
BlackboardArtifact getGenInfoArtifact(boolean create)
Definition: BlackboardArtifact.java:570
org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getDisplayName
String getDisplayName()
Definition: BlackboardArtifact.java:1392
org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getLabel
String getLabel()
Definition: BlackboardArtifact.java:1347
org.sleuthkit.datamodel.BlackboardArtifact.getArtifacts
ArrayList< BlackboardArtifact > getArtifacts(String artifactTypeName)
Definition: BlackboardArtifact.java:445
org.sleuthkit.datamodel.BlackboardArtifact.BlackboardArtifact
BlackboardArtifact(SleuthkitCase sleuthkitCase, long artifactID, long objID, long artifactObjID, long dataSourceObjId, int artifactTypeID, String artifactTypeName, String displayName)
Definition: BlackboardArtifact.java:1509
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED
TSK_DATETIME_ACCESSED
Definition: BlackboardAttribute.java:1037
org.sleuthkit.datamodel.BlackboardArtifact.getAllArtifacts
ArrayList< BlackboardArtifact > getAllArtifacts()
Definition: BlackboardArtifact.java:429
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM
TSK_PHONE_NUMBER_FROM
Definition: BlackboardAttribute.java:1191
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED
TSK_DATETIME_CREATED
Definition: BlackboardAttribute.java:1161
org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getTypeID
int getTypeID()
Definition: BlackboardArtifact.java:1338
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE
Definition: BlackboardAttribute.java:933
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED
TSK_DATETIME_MODIFIED
Definition: BlackboardAttribute.java:1164
org.sleuthkit.datamodel.BlackboardArtifact.getArtifactsCount
long getArtifactsCount(BlackboardArtifact.ARTIFACT_TYPE type)
Definition: BlackboardArtifact.java:537
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_TO
TSK_EMAIL_TO
Definition: BlackboardAttribute.java:1065
org.sleuthkit.datamodel.BlackboardArtifact.getGenInfoAttributes
ArrayList< BlackboardAttribute > getGenInfoAttributes(BlackboardAttribute.ATTRIBUTE_TYPE attr_type)
Definition: BlackboardArtifact.java:590
org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE
Definition: BlackboardArtifact.java:925
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_FROM
TSK_EMAIL_FROM
Definition: BlackboardAttribute.java:1074
org.sleuthkit.datamodel.Content.getUniquePath
String getUniquePath()
org.sleuthkit.datamodel.BlackboardArtifact.newArtifact
BlackboardArtifact newArtifact(BlackboardArtifact.ARTIFACT_TYPE type)
Definition: BlackboardArtifact.java:635
org.sleuthkit.datamodel.SleuthkitCase.setReviewStatus
void setReviewStatus(BlackboardArtifact artifact, BlackboardArtifact.ReviewStatus newStatus)
Definition: SleuthkitCase.java:9538

Copyright © 2011-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.