Classes
class	CaseDbConnection

class	CaseDbQuery

class	CaseDbTransaction

class	ConnectionPerThreadDispenser

interface	ErrorObserver

class	ObjectInfo

Public Member Functions
void	acquireExclusiveLock ()

void	acquireSharedLock ()

int	addArtifactType (String artifactTypeName, String displayName) throws TskCoreException

int	addAttrType (String attrTypeString, String displayName) throws TskCoreException

BlackboardArtifactTag	addBlackboardArtifactTag (BlackboardArtifact artifact, TagName tagName, String comment) throws TskCoreException

void	addBlackboardAttribute (BlackboardAttribute attr, int artifactTypeId) throws TskCoreException

void	addBlackboardAttributes (Collection< BlackboardAttribute > attributes, int artifactTypeId) throws TskCoreException

LayoutFile	addCarvedFile (String carvedFileName, long carvedFileSize, long containerId, List< TskFileRange > data) throws TskCoreException

List< LayoutFile >	addCarvedFiles (List< CarvedFileContainer > filesToAdd) throws TskCoreException

ContentTag	addContentTag (Content content, TagName tagName, String comment, long beginByteOffset, long endByteOffset) throws TskCoreException

DerivedFile	addDerivedFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parentFile, String rederiveDetails, String toolName, String toolVersion, String otherDetails) throws TskCoreException

void	addErrorObserver (ErrorObserver observer)

LocalFile	addLocalFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parent) throws TskCoreException

LocalFile	addLocalFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parent, CaseDbTransaction trans) throws TskCoreException

Report	addReport (String localPath, String sourceModuleName, String reportName) throws TskCoreException

TagName	addTagName (String displayName, String description, TagName.HTML_COLOR color) throws TskCoreException

VirtualDirectory	addVirtualDirectory (long parentId, String directoryName) throws TskCoreException

VirtualDirectory	addVirtualDirectory (long parentId, String directoryName, CaseDbTransaction trans) throws TskCoreException

boolean	allFilesMd5Hashed ()

CaseDbTransaction	beginTransaction () throws TskCoreException

void	close ()

void	closeRunQuery (ResultSet resultSet) throws SQLException

void	copyCaseDB (String newDBPath) throws IOException

int	countFilesMd5Hashed ()

long	countFilesWhere (String sqlWhereClause) throws TskCoreException

int	countFsContentType (TskData.TSK_FS_META_TYPE_ENUM contentType) throws TskCoreException

void	deleteBlackboardArtifactTag (BlackboardArtifactTag tag) throws TskCoreException

void	deleteContentTag (ContentTag tag) throws TskCoreException

void	deleteReport (Report report) throws TskCoreException

CaseDbQuery	executeQuery (String query) throws TskCoreException

void	finalize () throws Throwable

List< Long >	findAllFileIdsWhere (String sqlWhereClause) throws TskCoreException

List< AbstractFile >	findAllFilesWhere (String sqlWhereClause) throws TskCoreException

List< AbstractFile >	findFiles (Content dataSource, String fileName) throws TskCoreException

List< AbstractFile >	findFiles (Content dataSource, String fileName, String dirName) throws TskCoreException

List< AbstractFile >	findFiles (Content dataSource, String fileName, AbstractFile parentFile) throws TskCoreException

List< AbstractFile >	findFilesByMd5 (String md5Hash)

List< FsContent >	findFilesWhere (String sqlWhereClause) throws TskCoreException

AbstractFile	getAbstractFileById (long id) throws TskCoreException

List< BlackboardArtifactTag >	getAllBlackboardArtifactTags () throws TskCoreException

List< ContentTag >	getAllContentTags () throws TskCoreException

List< Report >	getAllReports () throws TskCoreException

List< TagName >	getAllTagNames () throws TskCoreException

int	getArtifactTypeID (String artifactTypeName) throws TskCoreException

String	getAttrTypeDisplayName (int attrTypeID) throws TskCoreException

int	getAttrTypeID (String attrTypeName) throws TskCoreException

String	getAttrTypeString (int attrTypeID) throws TskCoreException

String	getBackupDatabasePath ()

BlackboardArtifact	getBlackboardArtifact (long artifactID) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (int artifactTypeID) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, String value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, String subString, boolean startsWith) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, int value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, long value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, double value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, byte value) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (String artifactTypeName, long obj_id) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (int artifactTypeID, long obj_id) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (ARTIFACT_TYPE artifactType, long obj_id) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (String artifactTypeName) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (ARTIFACT_TYPE artifactType) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (ARTIFACT_TYPE artifactType, BlackboardAttribute.ATTRIBUTE_TYPE attrType, String value) throws TskCoreException

long	getBlackboardArtifactsCount (long objId) throws TskCoreException

long	getBlackboardArtifactsCount (String artifactTypeName, long obj_id) throws TskCoreException

long	getBlackboardArtifactsCount (int artifactTypeID, long obj_id) throws TskCoreException

long	getBlackboardArtifactsCount (ARTIFACT_TYPE artifactType, long obj_id) throws TskCoreException

long	getBlackboardArtifactsTypeCount (int artifactTypeID) throws TskCoreException

List< BlackboardArtifactTag >	getBlackboardArtifactTagsByArtifact (BlackboardArtifact artifact) throws TskCoreException

List< BlackboardArtifactTag >	getBlackboardArtifactTagsByTagName (TagName tagName) throws TskCoreException

long	getBlackboardArtifactTagsCountByTagName (TagName tagName) throws TskCoreException

ArrayList< BlackboardArtifact.ARTIFACT_TYPE >	getBlackboardArtifactTypes () throws TskCoreException

ArrayList< BlackboardArtifact.ARTIFACT_TYPE >	getBlackboardArtifactTypesInUse () throws TskCoreException

ArrayList< BlackboardAttribute >	getBlackboardAttributes (final BlackboardArtifact artifact) throws TskCoreException

ArrayList< BlackboardAttribute.ATTRIBUTE_TYPE >	getBlackboardAttributeTypes () throws TskCoreException

int	getBlackboardAttributeTypesCount () throws TskCoreException

Content	getContentById (long id) throws TskCoreException

List< ContentTag >	getContentTagsByContent (Content content) throws TskCoreException

List< ContentTag >	getContentTagsByTagName (TagName tagName) throws TskCoreException

long	getContentTagsCountByTagName (TagName tagName) throws TskCoreException

String	getDbDirPath ()

List< TskFileRange >	getFileRanges (long id) throws TskCoreException

Collection< FileSystem >	getFileSystems (Image image)

Image	getImageById (long id) throws TskCoreException

Map< Long, List< String > >	getImagePaths () throws TskCoreException

List< Image >	getImages () throws TskCoreException

long	getLastObjectId () throws TskCoreException

ArrayList< BlackboardArtifact >	getMatchingArtifacts (String whereClause) throws TskCoreException

ArrayList< BlackboardAttribute >	getMatchingAttributes (String whereClause) throws TskCoreException

List< Content >	getRootObjects () throws TskCoreException

int	getSchemaVersion ()

List< TagName >	getTagNamesInUse () throws TskCoreException

List< VirtualDirectory >	getVirtualDirectoryRoots () throws TskCoreException

boolean	isFileFromSource (Content dataSource, long fileId) throws TskCoreException

AddImageProcess	makeAddImageProcess (String timezone, boolean processUnallocSpace, boolean noFatFsOrphans)

BlackboardArtifact	newBlackboardArtifact (int artifactTypeID, long obj_id) throws TskCoreException

BlackboardArtifact	newBlackboardArtifact (ARTIFACT_TYPE artifactType, long obj_id) throws TskCoreException

List< AbstractFile >	openFiles (Content dataSource, String filePath) throws TskCoreException

void	releaseExclusiveLock ()

void	releaseSharedLock ()

void	removerErrorObserver (ErrorObserver observer)

ResultSet	runQuery (String query) throws SQLException

void	setImagePaths (long obj_id, List< String > paths) throws TskCoreException

boolean	setKnown (AbstractFile file, FileKnown fileKnown) throws TskCoreException

void	submitError (String context, String errorMessage)

Static Public Member Functions
static SleuthkitCase	newCase (String dbPath) throws TskCoreException

static SleuthkitCase	openCase (String dbPath) throws TskCoreException

Private Member Functions
	SleuthkitCase (String dbPath, SleuthkitJNI.CaseDbHandle caseHandle) throws Exception

void	addBlackBoardAttribute (BlackboardAttribute attr, int artifactTypeId, CaseDbConnection connection) throws SQLException, TskCoreException

void	addFilePath (CaseDbConnection connection, long objId, String path) throws SQLException

long	getArtifactsCountHelper (int artifactTypeID, long obj_id) throws TskCoreException

List< BlackboardArtifact >	getArtifactsHelper (ResultSet rs) throws SQLException

ArrayList< BlackboardArtifact >	getArtifactsHelper (int artifactTypeID, String artifactTypeName, long obj_id) throws TskCoreException

ArrayList< BlackboardArtifact >	getArtifactsHelper (int artifactTypeID, String artifactTypeName) throws TskCoreException

FileSystem	getFileSystemByIdHelper (long id, Content parent) throws TskCoreException

long	getFileSystemId (long fileId)

void	initBlackboardArtifactTypes () throws SQLException, TskCoreException

void	initBlackboardAttributeTypes () throws SQLException, TskCoreException

void	initNextArtifactId () throws TskCoreException, SQLException

void	logSQLiteJDBCDriverInfo ()

BlackboardArtifact	newBlackboardArtifact (int artifact_type_id, long obj_id, String artifactTypeName, String artifactDisplayName) throws TskCoreException

List< AbstractFile >	resultSetToAbstractFiles (ResultSet rs) throws SQLException

List< FsContent >	resultSetToFsContents (ResultSet rs) throws SQLException

void	updateDatabaseSchema () throws Exception

int	updateFromSchema2toSchema3 (int schemaVersionNumber) throws SQLException, TskCoreException

Static Private Member Functions
static void	closeResultSet (ResultSet resultSet)

static void	closeStatement (Statement statement)

static String	escapeForBlackboard (String text)

Private Attributes
final Map< Long, Long >	carvedFileContainersCache = new HashMap<Long, Long>()

SleuthkitJNI.CaseDbHandle	caseHandle

final ConnectionPerThreadDispenser	connections = new ConnectionPerThreadDispenser()

String	dbBackupPath

final String	dbDirPath

final String	dbPath

final ArrayList< ErrorObserver >	errorObservers = new ArrayList<ErrorObserver>()

final Map< Long, FileSystem >	fileSystemIdMap = new HashMap<Long, FileSystem>()

long	nextArtifactId

final ResultSetHelper	rsHelper = new ResultSetHelper(this)

final ReentrantReadWriteLock	rwLock = new ReentrantReadWriteLock(true)

int	versionNumber

Static Private Attributes
static final long	BASE_ARTIFACT_ID = Long.MIN_VALUE

static final ResourceBundle	bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle")

static final int	DATABASE_LOCKED_ERROR = 0

static final Logger	logger = Logger.getLogger(SleuthkitCase.class.getName())

static final int	SCHEMA_VERSION_NUMBER = 3

static final int	SQLITE_BUSY_ERROR = 5

Detailed Description

Represents the case database with methods that provide abstractions for database operations.

Definition at line 67 of file SleuthkitCase.java.

Constructor & Destructor Documentation

org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase	(	String	dbPath,
		SleuthkitJNI.CaseDbHandle	caseHandle
	)		throws Exception

private

Private constructor, clients must use newCase() or openCase() method to create an instance of this class.

Parameters

dbPath	The full path to a SQLite case database file.
caseHandle	A handle to a case database object in the native code SleuthKit layer.

Exceptions

Exception

Definition at line 102 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.caseHandle, org.sleuthkit.datamodel.SleuthkitCase.dbPath, org.sleuthkit.datamodel.SleuthkitCase.initBlackboardArtifactTypes(), org.sleuthkit.datamodel.SleuthkitCase.initBlackboardAttributeTypes(), org.sleuthkit.datamodel.SleuthkitCase.initNextArtifactId(), org.sleuthkit.datamodel.SleuthkitCase.logSQLiteJDBCDriverInfo(), and org.sleuthkit.datamodel.SleuthkitCase.updateDatabaseSchema().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.newCase(), and org.sleuthkit.datamodel.SleuthkitCase.openCase().

Member Function Documentation

void org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock ( )

Acquire the lock that provides exclusive access to the case database. Call this method in a try block with a call to the lock release method in an associated finally block.

Definition at line 475 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock ( )

Acquire the lock that provides shared access to the case database. Call this method in a try block with a call to the lock release method in an associated finally block.

Definition at line 493 of file SleuthkitCase.java.

int org.sleuthkit.datamodel.SleuthkitCase.addArtifactType	(	String	artifactTypeName,
		String	displayName
	)		throws TskCoreException

Add an artifact type with the given name. Will return an id that can be used to look that artifact type up.

Parameters

artifactTypeName	System (unique) name of artifact
displayName	Display (non-unique) name of artifact

Returns: ID of artifact added

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1644 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

int org.sleuthkit.datamodel.SleuthkitCase.addAttrType	(	String	attrTypeString,
		String	displayName
	)		throws TskCoreException

add an attribute type with the given name

Parameters

attrTypeString	name of the new attribute
displayName	the (non-unique) display name of the attribute type

Returns: the id of the new attribute

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1420 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

BlackboardArtifactTag org.sleuthkit.datamodel.SleuthkitCase.addBlackboardArtifactTag	(	BlackboardArtifact	artifact,
		TagName	tagName,
		String	comment
	)		throws TskCoreException

Inserts a row into the blackboard_artifact_tags table in the case database.

Parameters

artifact	The blackboard artifact to tag.
tagName	The name to use for the tag.
comment	A comment to store with the tag.

Returns: A BlackboardArtifactTag data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Definition at line 4740 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3().

void org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttribute	(	BlackboardAttribute	attr,
		int	artifactTypeId
	)		throws TskCoreException

Add a blackboard attribute.

Parameters

attr	A blackboard attribute.
artifactTypeId	The type of artifact associated with the attribute.

Exceptions

TskCoreException thrown if a critical error occurs.

Definition at line 1334 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.addBlackBoardAttribute(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.addAttribute().

void org.sleuthkit.datamodel.SleuthkitCase.addBlackBoardAttribute	(	BlackboardAttribute	attr,
		int	artifactTypeId,
		CaseDbConnection	connection
	)		throws SQLException, TskCoreException

private

Definition at line 1371 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.escapeForBlackboard().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttribute(), and org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttributes().

void org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttributes	(	Collection< BlackboardAttribute >	attributes,
		int	artifactTypeId
	)		throws TskCoreException

Add a set blackboard attributes.

Parameters

attributes	A set of blackboard attribute.
artifactTypeId	The type of artifact associated with the attributes.

Exceptions

TskCoreException thrown if a critical error occurs.

Definition at line 1354 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.addBlackBoardAttribute(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.addAttributes().

LayoutFile org.sleuthkit.datamodel.SleuthkitCase.addCarvedFile	(	String	carvedFileName,
		long	carvedFileSize,
		long	containerId,
		List< TskFileRange >	data
	)		throws TskCoreException

Adds a carved file to the VirtualDirectory '$CarvedFiles' in the volume or image given by systemId. Creates $CarvedFiles virtual directory if it does not exist already.

Parameters

carvedFileName	the name of the carved file to add
carvedFileSize	the size of the carved file to add
containerId	the ID of the parent volume, file system, or image
data	the layout information - a list of offsets that make up this carved file.

Returns: A LayoutFile object representing the carved file.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 2738 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles().

List<LayoutFile> org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles ( List< CarvedFileContainer > filesToAdd ) throws TskCoreException

Adds a collection of carved files to the VirtualDirectory '$CarvedFiles' in the volume or image given by systemId. Creates $CarvedFiles virtual directory if it does not exist already.

Parameters

filesToAdd a list of CarvedFileContainer files to add as carved files

Returns: List<LayoutFile> This is a list of the files added to the database

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 2762 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addCarvedFile().

ContentTag org.sleuthkit.datamodel.SleuthkitCase.addContentTag	(	Content	content,
		TagName	tagName,
		String	comment,
		long	beginByteOffset,
		long	endByteOffset
	)		throws TskCoreException

Inserts a row into the content_tags table in the case database.

Parameters

content	The content to tag.
tagName	The name to use for the tag.
comment	A comment to store with the tag.
beginByteOffset	Designates the beginning of a tagged section.
endByteOffset	Designates the end of a tagged section.

Returns: A ContentTag data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Definition at line 4549 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3().

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parentFile,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails
	)		throws TskCoreException

Creates a new derived file object, adds it to database and returns it.

TODO add support for adding derived method

Parameters

fileName	file name the derived file
localPath	local path of the derived file, including the file name. The path is relative to the database path.
size	size of the derived file in bytes
ctime
crtime
atime
mtime
isFile	whether a file or directory, true if a file
parentFile	parent file object (derived or local file)
rederiveDetails	details needed to re-derive file (will be specific to the derivation method), currently unused
toolName	name of derivation method/tool, currently unused
toolVersion	version of derivation method/tool, currently unused
otherDetails	details of derivation method/tool, currently unused

Returns: newly created derived file object

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Definition at line 2968 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.addErrorObserver ( ErrorObserver observer )

This is a temporary workaround to avoid an API change.

Parameters

observer The observer to add.

Deprecated:

Definition at line 4417 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.addFilePath	(	CaseDbConnection	connection,
		long	objId,
		String	path
	)		throws SQLException

private

Add a path (such as a local path) for a content object to tsk_file_paths

Parameters

objId	object id of the file to add the path for
path	the path to add

Exceptions

SQLException exception thrown when database error occurred and path was not added

Definition at line 3212 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile(), and org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parent
	)		throws TskCoreException

wraps the version of addLocalFile that takes a Transaction in a transaction local to this method.

Parameters

fileName
localPath
size
ctime
crtime
atime
mtime
isFile
parent

Returns

Exceptions

TskCoreException

Definition at line 3074 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parent,
		CaseDbTransaction	trans
	)		throws TskCoreException

Creates a new local file object, adds it to database and returns it.

todo: at the moment we trust the transaction and don't do anything to check it is valid or in the correct state. we should.

Parameters

fileName	file name the derived file
localPath	local absolute path of the local file, including the file name.
size	size of the derived file in bytes
ctime
crtime
atime
mtime
isFile	whether a file or directory, true if a file
parent	parent file object (such as virtual directory, another local file, or FsContent type of file)
trans	the transaction in the scope of which the operation is to be performed, managed by the caller

Returns: newly created derived file object

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Definition at line 3116 of file SleuthkitCase.java.

Report org.sleuthkit.datamodel.SleuthkitCase.addReport	(	String	localPath,
		String	sourceModuleName,
		String	reportName
	)		throws TskCoreException

Inserts a row into the reports table in the case database.

Parameters

localPath	The path of the report file, must be in the database directory (case directory in Autopsy) or one of its subdirectories.
sourceModuleName	The name of the module that created the report.
reportName	The report name, may be empty.

Returns: A Report data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Definition at line 4934 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

TagName org.sleuthkit.datamodel.SleuthkitCase.addTagName	(	String	displayName,
		String	description,
		TagName.HTML_COLOR	color
	)		throws TskCoreException

Inserts row into the tags_names table in the case database.

Parameters

displayName	The display name for the new tag name.
description	The description for the new tag name.
color	The HTML color to associate with the new tag name.

Returns: A TagName data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Definition at line 4516 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3().

VirtualDirectory org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory	(	long	parentId,
		String	directoryName
	)		throws TskCoreException

wraps the version of addVirtualDirectory that takes a Transaction in a transaction local to this method

Parameters

parentId
directoryName

Returns

Exceptions

TskCoreException

Definition at line 2581 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles().

VirtualDirectory org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory	(	long	parentId,
		String	directoryName,
		CaseDbTransaction	trans
	)		throws TskCoreException

Adds a virtual directory to the database and returns a VirtualDirectory object representing it.

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the virtual directory to create
trans	the transaction in the scope of which the operation is to be performed, managed by the caller

Returns: a VirtualDirectory object representing the one added to the database.

Exceptions

TskCoreException

Definition at line 2608 of file SleuthkitCase.java.

boolean org.sleuthkit.datamodel.SleuthkitCase.allFilesMd5Hashed ( )

Query all the files to verify if they have an MD5 hash associated with them.

Returns: true if all files have an MD5 hash

Definition at line 4333 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.TskData.TSK_FS_NAME_TYPE_ENUM.REG, and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

CaseDbTransaction org.sleuthkit.datamodel.SleuthkitCase.beginTransaction ( ) throws TskCoreException

Create a new transaction on the case database. The transaction object that is returned can be passed to methods that take a CaseDbTransaction. The caller is responsible for calling either commit() or rollback() on the transaction object.

Returns: A CaseDbTransaction object.

Exceptions

TskCoreException

Definition at line 457 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles(), org.sleuthkit.datamodel.SleuthkitCase.addLocalFile(), and org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory().

void org.sleuthkit.datamodel.SleuthkitCase.close ( )

Call to free resources when done with instance.

Definition at line 4162 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.caseHandle, org.sleuthkit.datamodel.SleuthkitCase.ConnectionPerThreadDispenser.close(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.finalize().

static void org.sleuthkit.datamodel.SleuthkitCase.closeResultSet ( ResultSet resultSet )

staticprivate

Definition at line 5029 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.closeRunQuery ( ResultSet resultSet ) throws SQLException

Closes ResultSet and its Statement previously retrieved from runQuery()

Parameters

resultSet with its Statement to close

Exceptions

SQLException of closing the query results failed

Deprecated:: use specific datamodel methods that encapsulate SQL layer

Definition at line 4126 of file SleuthkitCase.java.

static void org.sleuthkit.datamodel.SleuthkitCase.closeStatement ( Statement statement )

staticprivate

Definition at line 5039 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.copyCaseDB ( String newDBPath ) throws IOException

Make a duplicate / backup copy of the current case database. Makes a new copy only, and continues to use the current connection.

Parameters

newDBPath Path to the copy to be created. File will be overwritten if it exists.

Exceptions

IOException if copying fails.

Definition at line 251 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.updateDatabaseSchema().

int org.sleuthkit.datamodel.SleuthkitCase.countFilesMd5Hashed ( )

Query all the files and counts how many have an MD5 hash.

Returns: the number of files with an MD5 hash

Definition at line 4369 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

long org.sleuthkit.datamodel.SleuthkitCase.countFilesWhere ( String sqlWhereClause ) throws TskCoreException

Count files matching the specific Where clause

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: count of files each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Definition at line 3243 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

int org.sleuthkit.datamodel.SleuthkitCase.countFsContentType ( TskData.TSK_FS_META_TYPE_ENUM contentType ) throws TskCoreException

Return the number of objects in the database of a given file type.

Parameters

contentType Type of file to count

Returns: Number of objects with that type.

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 4254 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

void org.sleuthkit.datamodel.SleuthkitCase.deleteBlackboardArtifactTag ( BlackboardArtifactTag tag ) throws TskCoreException

Definition at line 4767 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

void org.sleuthkit.datamodel.SleuthkitCase.deleteContentTag ( ContentTag tag ) throws TskCoreException

Definition at line 4578 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

void org.sleuthkit.datamodel.SleuthkitCase.deleteReport ( Report report ) throws TskCoreException

Deletes a row from the reports table in the case database.

Parameters

report A Report data transfer object (DTO) for the row to delete.

Exceptions

TskCoreException

Definition at line 5015 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

static String org.sleuthkit.datamodel.SleuthkitCase.escapeForBlackboard ( String text )

staticprivate

Escape the single quotes in the given string so they can be added to the SQL caseDbConnection

Parameters

text

Returns: text the escaped version

Definition at line 4284 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addBlackBoardAttribute().

CaseDbQuery org.sleuthkit.datamodel.SleuthkitCase.executeQuery ( String query ) throws TskCoreException

This method allows developers to run arbitrary SQL "SELECT" queries. The CaseDbQuery object will take care of acquiring the necessary database lock and when used in a try-with-resources block will automatically take care of releasing the lock. If you do not use a try-with-resources block you must call CaseDbQuery.close() once you are done processing the results of the query.

Parameters

query The query string to execute.

Returns: A CaseDbQuery instance.

Exceptions

TskCoreException

Definition at line 4146 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.finalize ( ) throws Throwable

Definition at line 4151 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.close().

List<Long> org.sleuthkit.datamodel.SleuthkitCase.findAllFileIdsWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of all (abstract) ids of files matching the specific Where clause

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of file ids each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Definition at line 3299 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findAllFilesWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of all (abstract) files matching the specific Where clause. You need to know the database schema to use this, which is outlined on the wiki. You should use enums from org.sleuthkit.datamodel.TskData to make the queries easier to maintain and understand.

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of AbstractFile each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Definition at line 3272 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.SleuthkitCase.resultSetToAbstractFiles().

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName
	)		throws TskCoreException

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).

Returns: a list of AbstractFile for files/directories whose name matches the given fileName

Exceptions

TskCoreException thrown if check failed

Definition at line 2468 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.getFileSystems(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.SleuthkitCase.resultSetToAbstractFiles().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.findFiles(), and org.sleuthkit.datamodel.SleuthkitCase.openFiles().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName,
		String	dirName
	)		throws TskCoreException

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).
dirName	Pattern of the name of a parent directory of fileName (case insensitive, used in LIKE SQL statement)

Returns: a list of AbstractFile for files/directories whose name matches fileName and whose parent directory contains dirName.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 2522 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.getFileSystems(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.SleuthkitCase.resultSetToAbstractFiles().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName,
		AbstractFile	parentFile
	)		throws TskCoreException

Find all files in the data source, by name and parent

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).
parentFile	Object for parent file/directory to find children in

Returns: a list of AbstractFile for files/directories whose name matches fileName and that were inside a directory described by parentFile.

Definition at line 3231 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.findFiles().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFilesByMd5 ( String md5Hash )

Find all the files with the given MD5 hash.

Parameters

md5Hash hash value to match files with

Returns: List of AbstractFile with the given hash

Definition at line 4297 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.SleuthkitCase.resultSetToAbstractFiles().

List<FsContent> org.sleuthkit.datamodel.SleuthkitCase.findFilesWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of files matching the specific Where clause. Use findAllFilesWhere instead. It returns a more generic data type

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of FsContent each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Deprecated:: use SleuthkitCase.findAllFilesWhere() instead

Definition at line 3332 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.SleuthkitCase.resultSetToFsContents().

AbstractFile org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById ( long id ) throws TskCoreException

Get abstract file object from tsk_files table by its id

Parameters

id	id of the file object in tsk_files table

Returns: AbstractFile object populated, or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core and file could not be queried

Definition at line 2351 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.SleuthkitCase.resultSetToAbstractFiles().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.getRootObjects().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getAllBlackboardArtifactTags ( ) throws TskCoreException

Selects all of the rows from the blackboard_artifacts_tags table in the case database.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4791 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.BlackboardArtifact.getObjectID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getAllContentTags ( ) throws TskCoreException

Selects all of the rows from the content_tags table in the case database.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4601 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<Report> org.sleuthkit.datamodel.SleuthkitCase.getAllReports ( ) throws TskCoreException

Selects all of the rows from the reports table in the case database.

Returns: A list, possibly empty, of Report data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4985 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getAllTagNames ( ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database.

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4456 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

long org.sleuthkit.datamodel.SleuthkitCase.getArtifactsCountHelper	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

private

Helper method to get count of all artifacts matching the type id name and object id

Parameters

artifactTypeID	artifact type id
obj_id	associated object id

Returns: count of matching blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1086 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper ( ResultSet rs ) throws SQLException

private

Helper to iterate over blackboard artifacts result set containing all columns and return a list of artifacts in the set. Must be enclosed in acquireSharedLock. Result set and statement must be freed by the caller.

Parameters

rs	existing, active result set (not closed by this method)

Returns: a list of blackboard artifacts in the result set

Exceptions

SQLException if result set could not be iterated upon

Definition at line 699 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.fromID(), org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getDisplayName(), and org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getLabel().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper	(	int	artifactTypeID,
		String	artifactTypeName,
		long	obj_id
	)		throws TskCoreException

private

Helper method to get all artifacts matching the type id name and object id

Parameters

artifactTypeID	artifact type id
artifactTypeName	artifact type name
obj_id	associated object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1053 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper	(	int	artifactTypeID,
		String	artifactTypeName
	)		throws TskCoreException

private

Helper method to get all artifacts matching the type id name.

Parameters

artifactTypeID	artifact type id
artifactTypeName	artifact type name

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1118 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

int org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypeID ( String artifactTypeName ) throws TskCoreException

Get the artifact type id associated with an artifact type name.

Parameters

artifactTypeName An artifact type name.

Returns: An artifact id or -1 if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Definition at line 1547 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts(), and org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount().

String org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeDisplayName ( int attrTypeID ) throws TskCoreException

Get the display name for the attribute with the given id. Will throw an error if that id does not exist

Parameters

attrTypeID attribute id

Returns: string associated with the given id

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1517 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.BlackboardAttribute.getAttributeTypeDisplayName().

int org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeID ( String attrTypeName ) throws TskCoreException

Get the attribute type id associated with an attribute type name.

Parameters

attrTypeName An attribute type name.

Returns: An attribute id or -1 if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Definition at line 1455 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

String org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeString ( int attrTypeID ) throws TskCoreException

Get the string associated with the given id. Will throw an error if that id does not exist

Parameters

attrTypeID attribute id

Returns: string associated with the given id

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1486 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.BlackboardAttribute.getAttributeTypeName().

String org.sleuthkit.datamodel.SleuthkitCase.getBackupDatabasePath ( )

Returns the path of a backup copy of the database made when a schema version upgrade has occurred.

Returns: The path of the backup file or null if no backup was made.

Definition at line 444 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.dbBackupPath.

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact ( long artifactID ) throws TskCoreException

Get the blackboard artifact with the given artifact id

Parameters

artifactID artifact ID

Returns: blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1301 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getAllBlackboardArtifactTags(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName(), org.sleuthkit.datamodel.BlackboardAttribute.getParentArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( int artifactTypeID ) throws TskCoreException

Get all blackboard artifacts of a given type.

Parameters

artifactTypeID artifact type id (must exist in database)

Returns: list of blackboard artifacts.

Exceptions

TskCoreException

Definition at line 608 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.fromID(), org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getDisplayName(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.AbstractContent.getArtifacts(), org.sleuthkit.datamodel.AbstractContent.getGenInfoArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and String value

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 721 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	subString,
		boolean	startsWith
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and String value

Parameters

attrType	attribute of this attribute type to look for in the artifacts
subString	value substring of the string attribute of the attrType type to look for
startsWith	if true, the artifact attribute string should start with the substring, if false, it should just contain it

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 758 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		int	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and integer value

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 796 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		long	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and long value

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 830 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		double	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and double value

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 864 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		byte	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and byte value

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 898 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	String	artifactTypeName,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id

Parameters

artifactTypeName	artifact type name
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1149 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypeID().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id

Parameters

artifactTypeID	artifact type id (must exist in database)
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1166 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id

Parameters

artifactType	artifact type enum
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1180 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( String artifactTypeName ) throws TskCoreException

Get all blackboard artifacts of a given type

Parameters

artifactTypeName artifact type name

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1238 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypeID().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( ARTIFACT_TYPE artifactType ) throws TskCoreException

Get all blackboard artifacts of a given type

Parameters

artifactType artifact type enum

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1254 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	ARTIFACT_TYPE	artifactType,
		BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	value
	)		throws TskCoreException

Get all blackboard artifacts of a given type with an attribute of a given type and String value.

Parameters

artifactType	artifact type enum
attrType	attribute type enum
value	String value of attribute

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1269 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactsHelper(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount ( long objId ) throws TskCoreException

Get a count of blackboard artifacts for a given content.

Parameters

objId Id of the content.

Returns: The artifacts count for the content.

Exceptions

TskCoreException

Definition at line 639 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.AbstractContent.getAllArtifactsCount(), and org.sleuthkit.datamodel.AbstractContent.getArtifactsCount().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	String	artifactTypeName,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id

Parameters

artifactTypeName	artifact type name
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1194 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsCountHelper(), and org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypeID().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id

Parameters

artifactTypeID	artifact type id (must exist in database)
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1212 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsCountHelper().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id

Parameters

artifactType	artifact type enum
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1226 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactsCountHelper().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsTypeCount ( int artifactTypeID ) throws TskCoreException

Get a count of artifacts of a given type.

Parameters

artifactTypeID Id of the artifact type.

Returns: The artifacts count for the type.

Exceptions

TskCoreException

Definition at line 668 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypesInUse().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByArtifact ( BlackboardArtifact artifact ) throws TskCoreException

Selects the rows in the blackboard_artifacts_tags table in the case database with a specified foreign key into the blackboard_artifacts table.

Parameters

artifact A data transfer object (DTO) for the artifact to match.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4898 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName ( TagName tagName ) throws TskCoreException

Selects the rows in the blackboard_artifacts_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4859 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.BlackboardArtifact.getObjectID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsCountByTagName ( TagName tagName ) throws TskCoreException

Gets a count of the rows in the blackboard_artifact_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: The count, possibly zero.

Exceptions

TskCoreException

Definition at line 4824 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

ArrayList<BlackboardArtifact.ARTIFACT_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypes ( ) throws TskCoreException

Get standard blackboard artifact types in use. This does not currently return user-defined ones.

Returns: list of blackboard artifact types

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core

Definition at line 929 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypesInUse().

ArrayList<BlackboardArtifact.ARTIFACT_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypesInUse ( ) throws TskCoreException

Get all of the blackboard artifact types that are in use in the blackboard.

Returns: List of blackboard artifact types

Exceptions

TskCoreException

Definition at line 966 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsTypeCount(), and org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypes().

ArrayList<BlackboardAttribute> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributes ( final BlackboardArtifact artifact ) throws TskCoreException

Definition at line 1671 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.getAttributes(), and org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3().

ArrayList<BlackboardAttribute.ATTRIBUTE_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributeTypes ( ) throws TskCoreException

Get all blackboard attribute types

Gets both static (in enum) and dynamic attributes types (created by modules at runtime)

Returns: list of blackboard attribute types

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core

Definition at line 988 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.fromLabel(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

int org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributeTypesCount ( ) throws TskCoreException

Get count of blackboard attribute types

Counts both static (in enum) and dynamic attributes types (created by modules at runtime)

Returns: count of attribute types

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 1020 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Content org.sleuthkit.datamodel.SleuthkitCase.getContentById ( long id ) throws TskCoreException

Get content object by content id

Parameters

id	to get content object for

Returns: instance of a Content object (one of its subclasses), or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core

Definition at line 2154 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById(), org.sleuthkit.datamodel.SleuthkitCase.getImageById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.TskData.ObjectType.valueOf().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByContent ( Content content ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified foreign key into the tsk_objects table.

Parameters

content A data transfer object (DTO) for the content to match.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4704 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByTagName ( TagName tagName ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4667 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

long org.sleuthkit.datamodel.SleuthkitCase.getContentTagsCountByTagName ( TagName tagName ) throws TskCoreException

Gets a count of the rows in the content_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: The count, possibly zero.

Exceptions

TskCoreException

Definition at line 4632 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

String org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath ( )

Get the full path to the case database directory.

Returns: Absolute database directory path.

Definition at line 466 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.dbDirPath.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addReport(), org.sleuthkit.datamodel.SleuthkitCase.getAllReports(), and org.sleuthkit.datamodel.AbstractFile.setLocalPath().

List<TskFileRange> org.sleuthkit.datamodel.SleuthkitCase.getFileRanges ( long id ) throws TskCoreException

Get file layout ranges from tsk_file_layout, for a file with specified id

Parameters

id	of the file to get file layout ranges for

Returns: list of populated file ranges

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 3387 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.AbstractFile.getRanges().

FileSystem org.sleuthkit.datamodel.SleuthkitCase.getFileSystemByIdHelper	(	long	id,
		Content	parent
	)		throws TskCoreException

private

Get file system by id and Content parent

Parameters

id	of the filesystem to get
parent	a direct parent Content object

Returns: populated FileSystem object

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 3541 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.fileSystemIdMap, and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

long org.sleuthkit.datamodel.SleuthkitCase.getFileSystemId ( long fileId )

private

Get the object ID of the file system that a file is located in.

Note: for FsContent files, this is the real fs for other non-fs AbstractFile files, this field is used internally for data source id (the root content obj)

Parameters

fileId object id of the file to get fs column id for

Returns: fs_id or -1 if not present

Definition at line 2384 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile(), org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory(), and org.sleuthkit.datamodel.SleuthkitCase.isFileFromSource().

Collection<FileSystem> org.sleuthkit.datamodel.SleuthkitCase.getFileSystems ( Image image )

Helper to return FileSystems in an Image

Parameters

image Image to lookup FileSystem for

Returns: Collection of FileSystems in the image

Definition at line 3668 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.AbstractContent.getId(), org.sleuthkit.datamodel.TskData.ObjectType.IMG, and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.findFiles(), and org.sleuthkit.datamodel.SleuthkitCase.isFileFromSource().

Image org.sleuthkit.datamodel.SleuthkitCase.getImageById ( long id ) throws TskCoreException

Get am image by the image object id

Parameters

id	of the image object

Returns: Image object populated

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 3417 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.getImages(), and org.sleuthkit.datamodel.SleuthkitCase.getRootObjects().

Map<Long, List<String> > org.sleuthkit.datamodel.SleuthkitCase.getImagePaths ( ) throws TskCoreException

Returns a map of image object IDs to a list of fully qualified file paths for that image

Returns: map of image object IDs to file paths

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 3886 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<Image> org.sleuthkit.datamodel.SleuthkitCase.getImages ( ) throws TskCoreException

Returns: a collection of Images associated with this instance of SleuthkitCase

Exceptions

TskCoreException

Definition at line 3926 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.getImageById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

long org.sleuthkit.datamodel.SleuthkitCase.getLastObjectId ( ) throws TskCoreException

Get last (max) object id of content object in tsk_objects.

Returns: currently max id

Exceptions

TskCoreException exception thrown when database error occurs and last object id could not be queried

Definition at line 3959 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getMatchingArtifacts ( String whereClause ) throws TskCoreException

Get all artifacts that match a where clause. The clause should begin with "WHERE" or "JOIN". To use this method you must know the database tables

Parameters

whereClause a sqlite where clause

Returns: a list of matching artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1749 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

Referenced by org.sleuthkit.datamodel.AbstractContent.getAllArtifacts().

ArrayList<BlackboardAttribute> org.sleuthkit.datamodel.SleuthkitCase.getMatchingAttributes ( String whereClause ) throws TskCoreException

Get all attributes that match a where clause. The clause should begin with "WHERE" or "JOIN". To use this method you must know the database tables

Parameters

whereClause a sqlite where clause

Returns: a list of matching attributes

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1714 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<Content> org.sleuthkit.datamodel.SleuthkitCase.getRootObjects ( ) throws TskCoreException

Get the list of root objects (data sources) from the case database, e.g., image files, logical (local) files, virtual directories.

Returns: List of content objects representing root objects.

Exceptions

TskCoreException

Definition at line 561 of file SleuthkitCase.java.

int org.sleuthkit.datamodel.SleuthkitCase.getSchemaVersion ( )

Returns case database schema version number.

Returns: The schema version number as an integer.

Definition at line 434 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.versionNumber.

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getTagNamesInUse ( ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database for which there is at least one matching row in the content_tags or blackboard_artifact_tags tables.

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 4486 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

List<VirtualDirectory> org.sleuthkit.datamodel.SleuthkitCase.getVirtualDirectoryRoots ( ) throws TskCoreException

Get IDs of the virtual folder roots (at the same level as image), used for containers such as for local files.

Returns: IDs of virtual directory root objects.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 2698 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.ObjectType.ABSTRACTFILE, org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock(), and org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.

void org.sleuthkit.datamodel.SleuthkitCase.initBlackboardArtifactTypes ( ) throws SQLException, TskCoreException

private

Make sure the predefined artifact types are in the artifact types table.

Exceptions

SQLException

Definition at line 119 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

void org.sleuthkit.datamodel.SleuthkitCase.initBlackboardAttributeTypes ( ) throws SQLException, TskCoreException

private

Make sure the predefined artifact attribute types are in the artifact attribute types table.

Exceptions

SQLException

Definition at line 145 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

void org.sleuthkit.datamodel.SleuthkitCase.initNextArtifactId ( ) throws TskCoreException, SQLException

private

Initialize the next artifact id. If there are entries in the blackboard_artifacts table we will use max(artifact_id) + 1 otherwise we will initialize the value to 0x8000000000000000 (the maximum negative signed long).

Exceptions

TskCoreException
SQLException

Definition at line 174 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.BASE_ARTIFACT_ID, org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

boolean org.sleuthkit.datamodel.SleuthkitCase.isFileFromSource	(	Content	dataSource,
		long	fileId
	)		throws TskCoreException

Checks if the file is a (sub)child of the data source (parentless Content object such as Image or VirtualDirectory representing filesets)

Parameters

dataSource	dataSource to check
fileId	id of file to check

Returns: true if the file is in the dataSource hierarchy

Exceptions

TskCoreException thrown if check failed

Definition at line 2424 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getFileSystemId(), and org.sleuthkit.datamodel.SleuthkitCase.getFileSystems().

void org.sleuthkit.datamodel.SleuthkitCase.logSQLiteJDBCDriverInfo ( )

private

Write some SQLite JDBC driver details to the log file.

Definition at line 283 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.logger.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

AddImageProcess org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess	(	String	timezone,
		boolean	processUnallocSpace,
		boolean	noFatFsOrphans
	)

Start process of adding a image to the case. Adding an image is a multi-step process and this returns an object that allows it to happen.

Parameters

timezone	TZ time zone string to use for ingest of image.
processUnallocSpace	Set to true to process unallocated space in the image.
noFatFsOrphans	Set to true to skip processing orphan files of FAT file systems.

Returns: Object that encapsulates control of adding an image via the SleuthKit native code layer.

Definition at line 550 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.caseHandle.

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Add a new blackboard artifact with the given type. If that artifact type does not exist an error will be thrown. The artifact type name can be looked up in the returned blackboard artifact.

Parameters

artifactTypeID	the type the given artifact should have
obj_id	the content object id associated with this artifact

Returns: a new blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1783 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.AbstractContent.getGenInfoArtifact(), org.sleuthkit.datamodel.AbstractContent.newArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Add a new blackboard artifact with the given type.

Parameters

artifactType	the type the given artifact should have
obj_id	the content object id associated with this artifact

Returns: a new blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 1796 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact	(	int	artifact_type_id,
		long	obj_id,
		String	artifactTypeName,
		String	artifactDisplayName
	)		throws TskCoreException

private

Definition at line 1800 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.newCase ( String dbPath ) throws TskCoreException

static

Create a new case database.

Parameters

dbPath Path to where SQlite case database should be created.

Returns: Case database object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 529 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.caseHandle, and org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.openCase ( String dbPath ) throws TskCoreException

static

Open an existing case database.

Parameters

dbPath Path to SQLite case database.

Returns: Case database object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 513 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.caseHandle, and org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.openFiles	(	Content	dataSource,
		String	filePath
	)		throws TskCoreException

Parameters

dataSource	the data source (Image, VirtualDirectory for file-sets, etc) to search for the given file name
filePath	The full path to the file(statement) of interest. This can optionally include the image and volume names. Treated in a case- insensitive manner.

Returns: a list of AbstractFile that have the given file path.

Definition at line 3358 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.AbstractFile.createNonUniquePath(), and org.sleuthkit.datamodel.SleuthkitCase.findFiles().

void org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock ( )

Release the lock that provides exclusive access to the database. This method should always be called in the finally block of a try block in which the lock was acquired.

Definition at line 484 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock ( )

Release the lock that provides shared access to the database. This method should always be called in the finally block of a try block in which the lock was acquired.

Definition at line 502 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.removerErrorObserver ( ErrorObserver observer )

This is a temporary workaround to avoid an API change.

Parameters

observer The observer to remove.

Deprecated:

Definition at line 4428 of file SleuthkitCase.java.

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.resultSetToAbstractFiles ( ResultSet rs ) throws SQLException

private

Creates file object from a SQL query result set of rows from the tsk_files table. Assumes that the query was of the form "SELECT * FROM tsk_files WHERE XYZ".

Parameters

rs	ResultSet to get content from. Caller is responsible for closing it.

Returns: list of file objects from tsk_files table containing the results

Exceptions

SQLException if the query fails

Definition at line 4018 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.findAllFilesWhere(), org.sleuthkit.datamodel.SleuthkitCase.findFiles(), org.sleuthkit.datamodel.SleuthkitCase.findFilesByMd5(), org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById(), and org.sleuthkit.datamodel.SleuthkitCase.resultSetToFsContents().

List<FsContent> org.sleuthkit.datamodel.SleuthkitCase.resultSetToFsContents ( ResultSet rs ) throws SQLException

private

Creates FsContent objects from SQL query result set on tsk_files table

Parameters

rs	the result set with the query results

Returns: list of fscontent objects matching the query

Exceptions

SQLException if SQL query result getting failed

Definition at line 4075 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM.FS, and org.sleuthkit.datamodel.SleuthkitCase.resultSetToAbstractFiles().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.findFilesWhere().

ResultSet org.sleuthkit.datamodel.SleuthkitCase.runQuery ( String query ) throws SQLException

Process a read-only query on the tsk database, any table Can be used to e.g. to find files of a given criteria. resultSetToFsContents() will convert the results to useful objects. MUST CALL closeRunQuery() when done

Parameters

query the given string query to run

Returns: the resultSet from running the query. Caller MUST CALL closeRunQuery(resultSet) as soon as possible, when done with retrieving data from the resultSet

Exceptions

SQLException if error occurred during the query

Deprecated:: use specific datamodel methods that encapsulate SQL layer

Definition at line 4101 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock().

void org.sleuthkit.datamodel.SleuthkitCase.setImagePaths	(	long	obj_id,
		List< String >	paths
	)		throws TskCoreException

Set the file paths for the image given by obj_id

Parameters

obj_id	the ID of the image to update
paths	the fully qualified path to the files that make up the image

Exceptions

TskCoreException exception thrown when critical error occurs within tsk core and the update fails

Definition at line 3987 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

boolean org.sleuthkit.datamodel.SleuthkitCase.setKnown	(	AbstractFile	file,
		FileKnown	fileKnown
	)		throws TskCoreException

Store the known status for the FsContent in the database Note: will not update status if content is already 'Known Bad'

Parameters

file	The AbstractFile object
fileKnown	The object'statement known status

Returns: true if the known status was updated, false otherwise

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 4193 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), and org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock().

void org.sleuthkit.datamodel.SleuthkitCase.submitError	(	String	context,
		String	errorMessage
	)

This is a temporary workaround to avoid an API change.

Parameters

context	The context in which the error occurred.
errorMessage	A description of the error that occurred.

Deprecated:

Definition at line 4443 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.FsContent.readInt().

void org.sleuthkit.datamodel.SleuthkitCase.updateDatabaseSchema ( ) throws Exception

private

Modify the case database to bring it up-to-date with the current version of the database schema.

Exceptions

Exception

Definition at line 197 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.closeResultSet(), org.sleuthkit.datamodel.SleuthkitCase.closeStatement(), org.sleuthkit.datamodel.SleuthkitCase.copyCaseDB(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), org.sleuthkit.datamodel.SleuthkitCase.SCHEMA_VERSION_NUMBER, and org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

int org.sleuthkit.datamodel.SleuthkitCase.updateFromSchema2toSchema3 ( int schemaVersionNumber ) throws SQLException, TskCoreException

private

Update a version 2 database schema to a version 3 database schema.

Parameters

schemaVersionNumber The schema version number of the database.

Returns: 3, if the input database schema version number was 2.

Exceptions

SQLException
TskCoreException

Definition at line 302 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.updateDatabaseSchema().

Member Data Documentation

final long org.sleuthkit.datamodel.SleuthkitCase.BASE_ARTIFACT_ID = Long.MIN_VALUE

staticprivate

Definition at line 72 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.initNextArtifactId().

final ResourceBundle org.sleuthkit.datamodel.SleuthkitCase.bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle")

staticprivate

Definition at line 74 of file SleuthkitCase.java.

final Map<Long, Long> org.sleuthkit.datamodel.SleuthkitCase.carvedFileContainersCache = new HashMap<Long, Long>()

private

Definition at line 77 of file SleuthkitCase.java.

SleuthkitJNI.CaseDbHandle org.sleuthkit.datamodel.SleuthkitCase.caseHandle

private

Definition at line 82 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.close(), org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess(), org.sleuthkit.datamodel.SleuthkitCase.newCase(), org.sleuthkit.datamodel.SleuthkitCase.openCase(), and org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

final ConnectionPerThreadDispenser org.sleuthkit.datamodel.SleuthkitCase.connections = new ConnectionPerThreadDispenser()

private

Definition at line 75 of file SleuthkitCase.java.

final int org.sleuthkit.datamodel.SleuthkitCase.DATABASE_LOCKED_ERROR = 0

staticprivate

Definition at line 70 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.executeQuery(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection.prepareStatement().

String org.sleuthkit.datamodel.SleuthkitCase.dbBackupPath

private

Definition at line 84 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getBackupDatabasePath().

final String org.sleuthkit.datamodel.SleuthkitCase.dbDirPath

private

Definition at line 81 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath().

final String org.sleuthkit.datamodel.SleuthkitCase.dbPath

private

Definition at line 80 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.SleuthkitCase().

final ArrayList<ErrorObserver> org.sleuthkit.datamodel.SleuthkitCase.errorObservers = new ArrayList<ErrorObserver>()

private

Definition at line 79 of file SleuthkitCase.java.

final Map<Long, FileSystem> org.sleuthkit.datamodel.SleuthkitCase.fileSystemIdMap = new HashMap<Long, FileSystem>()

private

Definition at line 78 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getFileSystemByIdHelper().

final Logger org.sleuthkit.datamodel.SleuthkitCase.logger = Logger.getLogger(SleuthkitCase.class.getName())

staticprivate

Definition at line 73 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.logSQLiteJDBCDriverInfo().

long org.sleuthkit.datamodel.SleuthkitCase.nextArtifactId

private

Definition at line 85 of file SleuthkitCase.java.

final ResultSetHelper org.sleuthkit.datamodel.SleuthkitCase.rsHelper = new ResultSetHelper(this)

private

Definition at line 76 of file SleuthkitCase.java.

final ReentrantReadWriteLock org.sleuthkit.datamodel.SleuthkitCase.rwLock = new ReentrantReadWriteLock(true)

private

Definition at line 91 of file SleuthkitCase.java.

final int org.sleuthkit.datamodel.SleuthkitCase.SCHEMA_VERSION_NUMBER = 3

staticprivate

Definition at line 69 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.updateDatabaseSchema().

final int org.sleuthkit.datamodel.SleuthkitCase.SQLITE_BUSY_ERROR = 5

staticprivate

Definition at line 71 of file SleuthkitCase.java.

int org.sleuthkit.datamodel.SleuthkitCase.versionNumber

private

Definition at line 83 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getSchemaVersion().

The documentation for this class was generated from the following file:

bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java

Classes

Public Member Functions

Static Public Member Functions

Private Member Functions

Static Private Member Functions

Private Attributes

Static Private Attributes

Detailed Description

Constructor & Destructor Documentation

Member Function Documentation

Member Data Documentation