Classes
class	CaseDbConnection

class	CaseDbQuery

class	CaseDbTransaction

interface	ErrorObserver

class	ObjectInfo

Public Member Functions
void	acquireExclusiveLock ()

void	acquireSharedLock ()

void	acquireSingleUserCaseReadLock ()

void	acquireSingleUserCaseWriteLock ()

BlackboardAttribute.Type	addArtifactAttributeType (String attrTypeString, TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType, String displayName) throws TskCoreException, TskDataException

int	addArtifactType (String artifactTypeName, String displayName) throws TskCoreException

int	addAttrType (String attrTypeString, String displayName) throws TskCoreException

BlackboardArtifactTag	addBlackboardArtifactTag (BlackboardArtifact artifact, TagName tagName, String comment) throws TskCoreException

BlackboardArtifact.Type	addBlackboardArtifactType (String artifactTypeName, String displayName) throws TskCoreException, TskDataException

void	addBlackboardAttribute (BlackboardAttribute attr, int artifactTypeId) throws TskCoreException

void	addBlackboardAttributes (Collection< BlackboardAttribute > attributes, int artifactTypeId) throws TskCoreException

LayoutFile	addCarvedFile (String carvedFileName, long carvedFileSize, long containerId, List< TskFileRange > data) throws TskCoreException

final List< LayoutFile >	addCarvedFiles (CarvingResult carvingResult) throws TskCoreException

List< LayoutFile >	addCarvedFiles (List< CarvedFileContainer > filesToAdd) throws TskCoreException

ContentTag	addContentTag (Content content, TagName tagName, String comment, long beginByteOffset, long endByteOffset) throws TskCoreException

DerivedFile	addDerivedFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, Content parentObj, String rederiveDetails, String toolName, String toolVersion, String otherDetails, TskData.EncodingType encodingType) throws TskCoreException

DerivedFile	addDerivedFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parentFile, String rederiveDetails, String toolName, String toolVersion, String otherDetails) throws TskCoreException

void	addErrorObserver (ErrorObserver observer)

FileSystem	addFileSystem (long parentObjId, long imgOffset, TskData.TSK_FS_TYPE_ENUM type, long blockSize, long blockCount, long rootInum, long firstInum, long lastInum, String displayName, CaseDbTransaction transaction) throws TskCoreException

FsContent	addFileSystemFile (long dataSourceObjId, long fsObjId, String fileName, long metaAddr, int metaSeq, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, TSK_FS_NAME_FLAG_ENUM dirFlag, short metaFlags, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, Content parent) throws TskCoreException

Image	addImage (TskData.TSK_IMG_TYPE_ENUM type, long sectorSize, long size, String displayName, List< String > imagePaths, String timezone, String md5, String sha1, String sha256, String deviceId, CaseDbTransaction transaction) throws TskCoreException

Image	addImageInfo (long deviceObjId, List< String > imageFilePaths, String timeZone) throws TskCoreException

final IngestJobInfo	addIngestJob (Content dataSource, String hostName, List< IngestModuleInfo > ingestModules, Date jobStart, Date jobEnd, IngestJobStatusType status, String settingsDir) throws TskCoreException

final IngestModuleInfo	addIngestModule (String displayName, String factoryClassName, IngestModuleType type, String version) throws TskCoreException

LayoutFile	addLayoutFile (String fileName, long size, TSK_FS_NAME_FLAG_ENUM dirFlag, TSK_FS_META_FLAG_ENUM metaFlag, long ctime, long crtime, long atime, long mtime, List< TskFileRange > fileRanges, Content parent) throws TskCoreException

final List< LayoutFile >	addLayoutFiles (Content parent, List< TskFileRange > fileRanges) throws TskCoreException

LocalDirectory	addLocalDirectory (long parentId, String directoryName) throws TskCoreException

LocalDirectory	addLocalDirectory (long parentId, String directoryName, CaseDbTransaction transaction) throws TskCoreException

LocalFile	addLocalFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, TskData.EncodingType encodingType, AbstractFile parent) throws TskCoreException

LocalFile	addLocalFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, TskData.EncodingType encodingType, Content parent, CaseDbTransaction transaction) throws TskCoreException

LocalFile	addLocalFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, String md5, FileKnown known, String mimeType, boolean isFile, TskData.EncodingType encodingType, Content parent, CaseDbTransaction transaction) throws TskCoreException

LocalFile	addLocalFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parent, CaseDbTransaction transaction) throws TskCoreException

LocalFile	addLocalFile (String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parent) throws TskCoreException

LocalFilesDataSource	addLocalFilesDataSource (String deviceId, String rootDirectoryName, String timeZone, CaseDbTransaction transaction) throws TskCoreException

TagName	addOrUpdateTagName (String displayName, String description, TagName.HTML_COLOR color, TskData.FileKnown knownStatus) throws TskCoreException

Pool	addPool (long parentObjId, TskData.TSK_POOL_TYPE_ENUM type, CaseDbTransaction transaction) throws TskCoreException

Report	addReport (String localPath, String sourceModuleName, String reportName) throws TskCoreException

Report	addReport (String localPath, String sourceModuleName, String reportName, Content parent) throws TskCoreException

TagName	addTagName (String displayName, String description, TagName.HTML_COLOR color) throws TskCoreException

VirtualDirectory	addVirtualDirectory (long parentId, String directoryName) throws TskCoreException

VirtualDirectory	addVirtualDirectory (long parentId, String directoryName, CaseDbTransaction transaction) throws TskCoreException

Volume	addVolume (long parentObjId, long addr, long start, long length, String desc, long flags, CaseDbTransaction transaction) throws TskCoreException

VolumeSystem	addVolumeSystem (long parentObjId, TskData.TSK_VS_TYPE_ENUM type, long imgOffset, long blockSize, CaseDbTransaction transaction) throws TskCoreException

boolean	allFilesMd5Hashed ()

CaseDbTransaction	beginTransaction () throws TskCoreException

synchronized void	close ()

void	closeRunQuery (ResultSet resultSet) throws SQLException

void	copyCaseDB (String newDBPath) throws IOException

int	countFilesMd5Hashed ()

long	countFilesWhere (String sqlWhereClause) throws TskCoreException

int	countFsContentType (TskData.TSK_FS_META_TYPE_ENUM contentType) throws TskCoreException

void	deleteBlackboardArtifactTag (BlackboardArtifactTag tag) throws TskCoreException

void	deleteContentTag (ContentTag tag) throws TskCoreException

void	deleteReport (Report report) throws TskCoreException

CaseDbQuery	executeInsertOrUpdate (String query) throws TskCoreException

CaseDbQuery	executeQuery (String query) throws TskCoreException

List< Long >	findAllFileIdsWhere (String sqlWhereClause) throws TskCoreException

List< AbstractFile >	findAllFilesWhere (String sqlWhereClause) throws TskCoreException

List< AbstractFile >	findFiles (Content dataSource, String fileName) throws TskCoreException

List< AbstractFile >	findFiles (Content dataSource, String fileName, String dirSubString) throws TskCoreException

List< AbstractFile >	findFiles (Content dataSource, String fileName, AbstractFile parentFile) throws TskCoreException

List< AbstractFile >	findFilesByMd5 (String md5Hash)

List< FsContent >	findFilesWhere (String sqlWhereClause) throws TskCoreException

AbstractFile	getAbstractFileById (long id) throws TskCoreException

List< BlackboardArtifactTag >	getAllBlackboardArtifactTags () throws TskCoreException

List< ContentTag >	getAllContentTags () throws TskCoreException

List< Report >	getAllReports () throws TskCoreException

List< TagName >	getAllTagNames () throws TskCoreException

BlackboardArtifact	getArtifactByArtifactId (long id) throws TskCoreException

BlackboardArtifact	getArtifactById (long id) throws TskCoreException

BlackboardArtifact.Type	getArtifactType (String artTypeName) throws TskCoreException

int	getArtifactTypeID (String artifactTypeName) throws TskCoreException

Iterable< BlackboardArtifact.Type >	getArtifactTypes () throws TskCoreException

List< BlackboardArtifact.Type >	getArtifactTypesInUse () throws TskCoreException

BlackboardAttribute.Type	getAttributeType (String attrTypeName) throws TskCoreException

List< BlackboardAttribute.Type >	getAttributeTypes () throws TskCoreException

String	getAttrTypeDisplayName (int attrTypeID) throws TskCoreException

int	getAttrTypeID (String attrTypeName) throws TskCoreException

String	getAttrTypeString (int attrTypeID) throws TskCoreException

String	getBackupDatabasePath ()

Blackboard	getBlackboard ()

BlackboardArtifact	getBlackboardArtifact (long artifactID) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (int artifactTypeID) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, String value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, String subString, boolean startsWith) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, int value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, long value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, double value) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (BlackboardAttribute.ATTRIBUTE_TYPE attrType, byte value) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (String artifactTypeName, long obj_id) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (int artifactTypeID, long obj_id) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (ARTIFACT_TYPE artifactType, long obj_id) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (String artifactTypeName) throws TskCoreException

ArrayList< BlackboardArtifact >	getBlackboardArtifacts (ARTIFACT_TYPE artifactType) throws TskCoreException

List< BlackboardArtifact >	getBlackboardArtifacts (ARTIFACT_TYPE artifactType, BlackboardAttribute.ATTRIBUTE_TYPE attrType, String value) throws TskCoreException

long	getBlackboardArtifactsCount (long objId) throws TskCoreException

long	getBlackboardArtifactsCount (String artifactTypeName, long obj_id) throws TskCoreException

long	getBlackboardArtifactsCount (int artifactTypeID, long obj_id) throws TskCoreException

long	getBlackboardArtifactsCount (ARTIFACT_TYPE artifactType, long obj_id) throws TskCoreException

long	getBlackboardArtifactsTypeCount (int artifactTypeID) throws TskCoreException

long	getBlackboardArtifactsTypeCount (int artifactTypeID, long dataSourceID) throws TskCoreException

BlackboardArtifactTag	getBlackboardArtifactTagByID (long artifactTagID) throws TskCoreException

List< BlackboardArtifactTag >	getBlackboardArtifactTagsByArtifact (BlackboardArtifact artifact) throws TskCoreException

List< BlackboardArtifactTag >	getBlackboardArtifactTagsByTagName (TagName tagName) throws TskCoreException

List< BlackboardArtifactTag >	getBlackboardArtifactTagsByTagName (TagName tagName, long dsObjId) throws TskCoreException

long	getBlackboardArtifactTagsCountByTagName (TagName tagName) throws TskCoreException

long	getBlackboardArtifactTagsCountByTagName (TagName tagName, long dsObjId) throws TskCoreException

ArrayList< BlackboardArtifact.ARTIFACT_TYPE >	getBlackboardArtifactTypes () throws TskCoreException

ArrayList< BlackboardArtifact.ARTIFACT_TYPE >	getBlackboardArtifactTypesInUse () throws TskCoreException

ArrayList< BlackboardAttribute >	getBlackboardAttributes (final BlackboardArtifact artifact) throws TskCoreException

ArrayList< BlackboardAttribute.ATTRIBUTE_TYPE >	getBlackboardAttributeTypes () throws TskCoreException

int	getBlackboardAttributeTypesCount () throws TskCoreException

synchronized CaseDbAccessManager	getCaseDbAccessManager () throws TskCoreException

CommunicationsManager	getCommunicationsManager () throws TskCoreException

Content	getContentById (long id) throws TskCoreException

ContentTag	getContentTagByID (long contentTagID) throws TskCoreException

List< ContentTag >	getContentTagsByContent (Content content) throws TskCoreException

List< ContentTag >	getContentTagsByTagName (TagName tagName) throws TskCoreException

List< ContentTag >	getContentTagsByTagName (TagName tagName, long dsObjId) throws TskCoreException

long	getContentTagsCountByTagName (TagName tagName) throws TskCoreException

long	getContentTagsCountByTagName (TagName tagName, long dsObjId) throws TskCoreException

Examiner	getCurrentExaminer () throws TskCoreException

String	getDatabaseName ()

DbType	getDatabaseType ()

DataSource	getDataSource (long objectId) throws TskDataException, TskCoreException

List< DataSource >	getDataSources () throws TskCoreException

String	getDbDirPath ()

CaseDbSchemaVersionNumber	getDBSchemaCreationVersion ()

VersionNumber	getDBSchemaVersion ()

List< TskFileRange >	getFileRanges (long id) throws TskCoreException

Collection< FileSystem >	getFileSystems (Image image)

Image	getImageById (long id) throws TskCoreException

Collection< FileSystem >	getImageFileSystems (Image image) throws TskCoreException

Map< Long, List< String > >	getImagePaths () throws TskCoreException

List< Image >	getImages () throws TskCoreException

final List< IngestJobInfo >	getIngestJobs () throws TskCoreException

long	getLastObjectId () throws TskCoreException

ArrayList< BlackboardArtifact >	getMatchingArtifacts (String whereClause) throws TskCoreException

ArrayList< BlackboardAttribute >	getMatchingAttributes (String whereClause) throws TskCoreException

Report	getReportById (long id) throws TskCoreException

List< Content >	getRootObjects () throws TskCoreException

int	getSchemaVersion ()

synchronized TaggingManager	getTaggingManager ()

List< TagName >	getTagNamesInUse () throws TskCoreException

List< TagName >	getTagNamesInUse (long dsObjId) throws TskCoreException

TimelineManager	getTimelineManager () throws TskCoreException

List< VirtualDirectory >	getVirtualDirectoryRoots () throws TskCoreException

boolean	isFileFromSource (Content dataSource, long fileId) throws TskCoreException

AddImageProcess	makeAddImageProcess (String timeZone, boolean addUnallocSpace, boolean noFatFsOrphans, String imageCopyPath)

AddImageProcess	makeAddImageProcess (String timezone, boolean addUnallocSpace, boolean noFatFsOrphans)

BlackboardArtifact	newBlackboardArtifact (int artifactTypeID, long obj_id) throws TskCoreException

BlackboardArtifact	newBlackboardArtifact (ARTIFACT_TYPE artifactType, long obj_id) throws TskCoreException

List< AbstractFile >	openFiles (Content dataSource, String filePath) throws TskCoreException

void	registerForEvents (Object listener)

void	releaseExclusiveLock ()

void	releaseSharedLock ()

void	releaseSingleUserCaseReadLock ()

void	releaseSingleUserCaseWriteLock ()

void	removeErrorObserver (ErrorObserver observer)

ResultSet	runQuery (String query) throws SQLException

void	setFileMIMEType (AbstractFile file, String mimeType) throws TskCoreException

void	setImagePaths (long obj_id, List< String > paths) throws TskCoreException

boolean	setKnown (AbstractFile file, FileKnown fileKnown) throws TskCoreException

void	setReviewStatus (BlackboardArtifact artifact, BlackboardArtifact.ReviewStatus newStatus) throws TskCoreException

void	submitError (String context, String errorMessage)

void	unregisterForEvents (Object listener)

DerivedFile	updateDerivedFile (DerivedFile derivedFile, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, String mimeType, String rederiveDetails, String toolName, String toolVersion, String otherDetails, TskData.EncodingType encodingType) throws TskCoreException

void	updateImagePath (String newPath, long objectId) throws TskCoreException

Static Public Member Functions
static String	escapeSingleQuotes (String text)

static SleuthkitCase	newCase (String dbPath) throws TskCoreException

static SleuthkitCase	newCase (String caseName, CaseDbConnectionInfo info, String caseDirPath) throws TskCoreException

static SleuthkitCase	openCase (String dbPath) throws TskCoreException

static SleuthkitCase	openCase (String databaseName, CaseDbConnectionInfo info, String caseDir) throws TskCoreException

static void	tryConnect (CaseDbConnectionInfo info) throws TskCoreException

Protected Member Functions
void	finalize () throws Throwable

Detailed Description

Represents the case database with methods that provide abstractions for database operations.

Definition at line 91 of file SleuthkitCase.java.

Member Function Documentation

void org.sleuthkit.datamodel.SleuthkitCase.acquireExclusiveLock ( )

Acquires a write lock, but only if this is a single-user case. Always call this method in a try block with a call to the lock release method in an associated finally block.

Deprecated:: Use acquireSingleUserCaseWriteLock.

Definition at line 12892 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.acquireSharedLock ( )

Acquires a read lock, but only if this is a single-user case. Call this method in a try block with a call to the lock release method in an associated finally block.

Deprecated:: Use acquireSingleUserCaseReadLock.

Definition at line 12916 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock().

void org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock ( )

Acquires a read lock, but only if this is a single-user case. Call this method in a try block with a call to the lock release method in an associated finally block.

Definition at line 2353 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

void org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock ( )

Acquires a write lock, but only if this is a single-user case. Always call this method in a try block with a call to the lock release method in an associated finally block.

Definition at line 2331 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

BlackboardAttribute.Type org.sleuthkit.datamodel.SleuthkitCase.addArtifactAttributeType	(	String	attrTypeString,
		TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE	valueType,
		String	displayName
	)		throws TskCoreException, TskDataException

Add an attribute type with the given name

Parameters

attrTypeString	Name of the new attribute
valueType	The value type of this new attribute type
displayName	The (non-unique) display name of the attribute type

Returns: the id of the new attribute

Exceptions

TskCoreException	exception thrown if a critical error occurs within tsk core
TskDataException	exception thrown if attribute type was already in the system

Definition at line 4084 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addAttrType(), and org.sleuthkit.datamodel.Blackboard.getOrAddAttributeType().

int org.sleuthkit.datamodel.SleuthkitCase.addArtifactType	(	String	artifactTypeName,
		String	displayName
	)		throws TskCoreException

Adds a custom artifact type. The artifact type name must be unique, but the display name need not be unique.

Parameters

artifactTypeName	The artifact type name.
displayName	The artifact type display name.

Returns: The artifact type id assigned to the artifact type.

Exceptions

TskCoreException If there is an error adding the type to the case database.

Deprecated:: Use SleuthkitCase.addBlackboardArtifactType instead.

Definition at line 12476 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addBlackboardArtifactType().

int org.sleuthkit.datamodel.SleuthkitCase.addAttrType	(	String	attrTypeString,
		String	displayName
	)		throws TskCoreException

Adds a custom attribute type with a string value type. The attribute type name must be unique, but the display name need not be unique.

Parameters

attrTypeString	The attribute type name.
displayName	The attribute type display name.

Returns: The attribute type id.

Exceptions

TskCoreException If there is an error adding the type to the case database.

Deprecated:: Use SleuthkitCase.addArtifactAttributeType instead.

Definition at line 12498 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addArtifactAttributeType(), and org.sleuthkit.datamodel.BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING.

BlackboardArtifactTag org.sleuthkit.datamodel.SleuthkitCase.addBlackboardArtifactTag	(	BlackboardArtifact	artifact,
		TagName	tagName,
		String	comment
	)		throws TskCoreException

Inserts a row into the blackboard_artifact_tags table in the case database.

Parameters

artifact	The blackboard artifact to tag.
tagName	The name to use for the tag.
comment	A comment to store with the tag.

Returns: A BlackboardArtifactTag data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Deprecated:: User TaggingManager.addArtifactTag instead.

Definition at line 10154 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TaggingManager.addArtifactTag(), and org.sleuthkit.datamodel.TaggingManager.BlackboardArtifactTagChange.getAddedTag().

BlackboardArtifact.Type org.sleuthkit.datamodel.SleuthkitCase.addBlackboardArtifactType	(	String	artifactTypeName,
		String	displayName
	)		throws TskCoreException, TskDataException

Add an artifact type with the given name. Will return an artifact Type.

Parameters

artifactTypeName	System (unique) name of artifact
displayName	Display (non-unique) name of artifact

Returns: Type of the artifact added

Exceptions

TskCoreException	exception thrown if a critical error occurs
TskDataException	exception thrown if given data is already in db within tsk core

Definition at line 4294 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addArtifactType(), and org.sleuthkit.datamodel.Blackboard.getOrAddArtifactType().

void org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttribute	(	BlackboardAttribute	attr,
		int	artifactTypeId
	)		throws TskCoreException

Add a blackboard attribute.

Parameters

attr	A blackboard attribute.
artifactTypeId	The type of artifact associated with the attribute.

Exceptions

TskCoreException thrown if a critical error occurs.

Definition at line 3865 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.addAttribute().

void org.sleuthkit.datamodel.SleuthkitCase.addBlackboardAttributes	(	Collection< BlackboardAttribute >	attributes,
		int	artifactTypeId
	)		throws TskCoreException

Add a set blackboard attributes.

Parameters

attributes	A set of blackboard attribute.
artifactTypeId	The type of artifact associated with the attributes.

Exceptions

TskCoreException thrown if a critical error occurs.

Definition at line 3887 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.addAttributes().

LayoutFile org.sleuthkit.datamodel.SleuthkitCase.addCarvedFile	(	String	carvedFileName,
		long	carvedFileSize,
		long	containerId,
		List< TskFileRange >	data
	)		throws TskCoreException

Adds a carved file to the VirtualDirectory '$CarvedFiles' in the volume or image given by systemId. Creates $CarvedFiles virtual directory if it does not exist already.

Parameters

carvedFileName	the name of the carved file to add
carvedFileSize	the size of the carved file to add
containerId	the ID of the parent volume, file system, or image
data	the layout information - a list of offsets that make up this carved file.

Returns: A LayoutFile object representing the carved file.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Deprecated:: Use addCarvedFile(CarvingResult) instead

Definition at line 12695 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles(), and org.sleuthkit.datamodel.SleuthkitCase.getContentById().

final List<LayoutFile> org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles ( CarvingResult carvingResult ) throws TskCoreException

Adds a carving result to the case database.

Parameters

carvingResult The carving result (a set of carved files and their parent) to be added.

Returns: A list of LayoutFile representations of the carved files.

Exceptions

TskCoreException If there is a problem completing a case database operation.

Definition at line 6422 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addCarvedFile(), and org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles().

List<LayoutFile> org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles ( List< CarvedFileContainer > filesToAdd ) throws TskCoreException

Adds a collection of carved files to the VirtualDirectory '$CarvedFiles' in the volume or image given by systemId. Creates $CarvedFiles virtual directory if it does not exist already.

Parameters

filesToAdd A list of CarvedFileContainer files to add as carved files.

Returns: A list of the files added to the database.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Deprecated:: Use addCarvedFile(CarvingResult) instead

Definition at line 12725 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.Content.getId().

ContentTag org.sleuthkit.datamodel.SleuthkitCase.addContentTag	(	Content	content,
		TagName	tagName,
		String	comment,
		long	beginByteOffset,
		long	endByteOffset
	)		throws TskCoreException

Inserts a row into the content_tags table in the case database.

Parameters

content	The content to tag.
tagName	The name to use for the tag.
comment	A comment to store with the tag.
beginByteOffset	Designates the beginning of a tagged section.
endByteOffset	Designates the end of a tagged section.

Returns: A ContentTag data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Deprecated:: Use TaggingManager.addContentTag

Definition at line 9809 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TaggingManager.addContentTag(), and org.sleuthkit.datamodel.TaggingManager.ContentTagChange.getAddedTag().

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		Content	parentObj,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails,
		TskData.EncodingType	encodingType
	)		throws TskCoreException

Creates a new derived file object, adds it to database and returns it.

TODO add support for adding derived method

Parameters

fileName	file name the derived file
localPath	local path of the derived file, including the file name. The path is relative to the database path.
size	size of the derived file in bytes
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	whether a file or directory, true if a file
parentObj	parent content object
rederiveDetails	details needed to re-derive file (will be specific to the derivation method), currently unused
toolName	name of derivation method/tool, currently unused
toolVersion	version of derivation method/tool, currently unused
otherDetails	details of derivation method/tool, currently unused
encodingType	Type of encoding used on the file (or NONE if no encoding)

Returns: newly created derived file object

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Definition at line 6628 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile().

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parentFile,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails
	)		throws TskCoreException

Creates a new derived file object, adds it to database and returns it.

TODO add support for adding derived method

Parameters

fileName	file name the derived file
localPath	local path of the derived file, including the file name. The path is relative to the database path.
size	size of the derived file in bytes
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	whether a file or directory, true if a file
parentFile	parent file object (derived or local file)
rederiveDetails	details needed to re-derive file (will be specific to the derivation method), currently unused
toolName	name of derivation method/tool, currently unused
toolVersion	version of derivation method/tool, currently unused
otherDetails	details of derivation method/tool, currently unused

Returns: newly created derived file object

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Deprecated:: Use the newer version with explicit encoding type parameter

Definition at line 12773 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile(), and org.sleuthkit.datamodel.TskData.EncodingType.NONE.

void org.sleuthkit.datamodel.SleuthkitCase.addErrorObserver ( ErrorObserver observer )

Add an observer for SleuthkitCase errors.

Parameters

observer The observer to add.

Deprecated:: Catch exceptions instead.

Definition at line 12235 of file SleuthkitCase.java.

FileSystem org.sleuthkit.datamodel.SleuthkitCase.addFileSystem	(	long	parentObjId,
		long	imgOffset,
		TskData.TSK_FS_TYPE_ENUM	type,
		long	blockSize,
		long	blockCount,
		long	rootInum,
		long	firstInum,
		long	lastInum,
		String	displayName,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a FileSystem to the database.

Parameters

parentObjId	Object ID of the file system's parent
imgOffset	Offset in the image
type	Type of file system
blockSize	Block size
blockCount	Block count
rootInum	root inum
firstInum	first inum
lastInum	last inum
displayName	display name
transaction	Case DB transaction

Returns: the newly created FileSystem

Exceptions

TskCoreException

Definition at line 6093 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.TskData.ObjectType.FS, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

FsContent org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile	(	long	dataSourceObjId,
		long	fsObjId,
		String	fileName,
		long	metaAddr,
		int	metaSeq,
		TSK_FS_ATTR_TYPE_ENUM	attrType,
		int	attrId,
		TSK_FS_NAME_FLAG_ENUM	dirFlag,
		short	metaFlags,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		Content	parent
	)		throws TskCoreException

Add a file system file.

Parameters

dataSourceObjId	The object id of the root data source of this file.
fsObjId	The file system object id.
fileName	The name of the file.
metaAddr	The meta address of the file.
metaSeq	The meta address sequence of the file.
attrType	The attributed type of the file.
attrId	The attribute id
dirFlag	The allocated status from the name structure
metaFlags
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	True, unless the file is a directory.
parent	The parent of the file (e.g., a virtual directory)

Returns: Newly created file

Exceptions

TskCoreException

Definition at line 6159 of file SleuthkitCase.java.

Image org.sleuthkit.datamodel.SleuthkitCase.addImage	(	TskData.TSK_IMG_TYPE_ENUM	type,
		long	sectorSize,
		long	size,
		String	displayName,
		List< String >	imagePaths,
		String	timezone,
		String	md5,
		String	sha1,
		String	sha256,
		String	deviceId,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add an image to the database.

Parameters

type	Type of image
sectorSize	Sector size
size	Image size
displayName	Display name for the image
imagePaths	Image path(s)
timezone	Time zone
md5	MD5 hash
sha1	SHA1 hash
sha256	SHA256 hash
deviceId	Device ID
transaction	Case DB transaction

Returns: the newly added Image

Exceptions

TskCoreException

Definition at line 5876 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.TskData.ObjectType.IMG, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Image org.sleuthkit.datamodel.SleuthkitCase.addImageInfo	(	long	deviceObjId,
		List< String >	imageFilePaths,
		String	timeZone
	)		throws TskCoreException

Adds an image to the case database.

Parameters

deviceObjId	The object id of the device associated with the image.
imageFilePaths	The image file paths.
timeZone	The time zone for the image.

Returns: An Image object.

Exceptions

TskCoreException if there is an error adding the image to case database.

Definition at line 8212 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getImageById().

final IngestJobInfo org.sleuthkit.datamodel.SleuthkitCase.addIngestJob	(	Content	dataSource,
		String	hostName,
		List< IngestModuleInfo >	ingestModules,
		Date	jobStart,
		Date	jobEnd,
		IngestJobStatusType	status,
		String	settingsDir
	)		throws TskCoreException

Parameters

dataSource	The datasource the ingest job is being run on
hostName	The name of the host
ingestModules	The ingest modules being run during the ingest job. Should be in pipeline order.
jobStart	The time the job started
jobEnd	The time the job ended
status	The ingest job status
settingsDir	The directory of the job's settings

Returns: An information object representing the ingest job added to the database.

Exceptions

TskCoreException If adding the job to the database fails.

Definition at line 10839 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.IngestModuleInfo.getIngestModuleId(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

final IngestModuleInfo org.sleuthkit.datamodel.SleuthkitCase.addIngestModule	(	String	displayName,
		String	factoryClassName,
		IngestModuleType	type,
		String	version
	)		throws TskCoreException

Adds the given ingest module to the database.

Parameters

displayName	The display name of the module
factoryClassName	The factory class name of the module.
type	The type of the module.
version	The version of the module.

Returns: An ingest module info object representing the module added to the db.

Exceptions

TskCoreException When the ingest module cannot be added.

Definition at line 10890 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.IngestModuleInfo.IngestModuleType.fromID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

LayoutFile org.sleuthkit.datamodel.SleuthkitCase.addLayoutFile	(	String	fileName,
		long	size,
		TSK_FS_NAME_FLAG_ENUM	dirFlag,
		TSK_FS_META_FLAG_ENUM	metaFlag,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		List< TskFileRange >	fileRanges,
		Content	parent
	)		throws TskCoreException

Add a new layout file to the database.

Parameters

fileName	The name of the file.
size	The size of the file in bytes.
dirFlag	The allocated status from the name structure
metaFlag	The allocated status from the metadata structure
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
fileRanges	The byte ranges that belong to this file (relative to start of image)
parent	The parent of the file

Returns: The new LayoutFile

Exceptions

TskCoreException

Definition at line 7104 of file SleuthkitCase.java.

final List<LayoutFile> org.sleuthkit.datamodel.SleuthkitCase.addLayoutFiles	(	Content	parent,
		List< TskFileRange >	fileRanges
	)		throws TskCoreException

Adds one or more layout files for a parent Content object to the case database.

Parameters

parent	The parent Content.
fileRanges	File range objects for the file(s).

Returns: A list of LayoutFile objects.

Exceptions

TskCoreException If there is a problem completing a case database operation.

Definition at line 6296 of file SleuthkitCase.java.

LocalDirectory org.sleuthkit.datamodel.SleuthkitCase.addLocalDirectory	(	long	parentId,
		String	directoryName
	)		throws TskCoreException

Adds a local directory to the database and returns a LocalDirectory object representing it.

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the local directory to create

Returns: a LocalDirectory object representing the one added to the database.

Exceptions

TskCoreException

Definition at line 5657 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

LocalDirectory org.sleuthkit.datamodel.SleuthkitCase.addLocalDirectory	(	long	parentId,
		String	directoryName,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local directory to the database and returns a LocalDirectory object representing it.

Make sure the connection in transaction is used for all database interactions called by this method

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the local directory to create
transaction	the transaction in the scope of which the operation is to be performed, managed by the caller

Returns: a LocalDirectory object representing the one added to the database.

Exceptions

TskCoreException

Definition at line 5690 of file SleuthkitCase.java.

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		AbstractFile	parent
	)		throws TskCoreException

Wraps the version of addLocalFile that takes a Transaction in a transaction local to this method.

Parameters

fileName
localPath
size
ctime
crtime
atime
mtime
isFile
encodingType
parent

Returns

Exceptions

TskCoreException

Definition at line 6860 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		Content	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	True, unless the file is a directory.
encodingType	Type of encoding used on the file
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Definition at line 6906 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		String	md5,
		FileKnown	known,
		String	mimeType,
		boolean	isFile,
		TskData.EncodingType	encodingType,
		Content	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
md5	The MD5 hash of the file
known	The known status of the file (can be null)
mimeType	The MIME type of the file
isFile	True, unless the file is a directory.
encodingType	Type of encoding used on the file
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Definition at line 6945 of file SleuthkitCase.java.

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parent,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical file to the case database. The database operations are done within a caller-managed transaction; the caller is responsible for committing or rolling back the transaction.

Parameters

fileName	The name of the file.
localPath	The absolute path (including the file name) of the local/logical in secondary storage.
size	The size of the file in bytes.
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	True, unless the file is a directory.
parent	The parent of the file (e.g., a virtual directory)
transaction	A caller-managed transaction within which the add file operations are performed.

Returns: An object representing the local/logical file.

Exceptions

TskCoreException if there is an error completing a case database operation.

Deprecated:: Use the newer version with explicit encoding type parameter

Definition at line 12807 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile(), and org.sleuthkit.datamodel.TskData.EncodingType.NONE.

LocalFile org.sleuthkit.datamodel.SleuthkitCase.addLocalFile	(	String	fileName,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		AbstractFile	parent
	)		throws TskCoreException

Wraps the version of addLocalFile that takes a Transaction in a transaction local to this method.

Parameters

fileName
localPath
size
ctime
crtime
atime
mtime
isFile
parent

Returns

Exceptions

TskCoreException

Deprecated:: Use the newer version with explicit encoding type parameter

Definition at line 12835 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addLocalFile(), and org.sleuthkit.datamodel.TskData.EncodingType.NONE.

LocalFilesDataSource org.sleuthkit.datamodel.SleuthkitCase.addLocalFilesDataSource	(	String	deviceId,
		String	rootDirectoryName,
		String	timeZone,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a local/logical files and/or directories data source.

Parameters

deviceId	An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
rootDirectoryName	The name for the root virtual directory for the data source.
timeZone	The time zone used to process the data source, may be the empty string.
transaction	A transaction in the scope of which the operation is to be performed, managed by the caller.

Returns: The new local files data source.

Exceptions

TskCoreException if there is an error adding the data source.

Definition at line 5795 of file SleuthkitCase.java.

TagName org.sleuthkit.datamodel.SleuthkitCase.addOrUpdateTagName	(	String	displayName,
		String	description,
		TagName.HTML_COLOR	color,
		TskData.FileKnown	knownStatus
	)		throws TskCoreException

Inserts row into the tags_names table, or updates the existing row if the displayName already exists in the tag_names table in the case database.

Parameters

displayName	The display name for the new tag name.
description	The description for the new tag name.
color	The HTML color to associate with the new tag name.
knownStatus	The TskData.FileKnown value to associate with the new tag name.

Returns: A TagName data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Definition at line 9754 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addTagName().

Pool org.sleuthkit.datamodel.SleuthkitCase.addPool	(	long	parentObjId,
		TskData.TSK_POOL_TYPE_ENUM	type,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a pool to the database.

Parameters

parentObjId	Object ID of the pool's parent
type	Type of pool
transaction	Case DB transaction

Returns: the newly created Pool

Exceptions

TskCoreException

Definition at line 6049 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.TskData.ObjectType.POOL, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Report org.sleuthkit.datamodel.SleuthkitCase.addReport	(	String	localPath,
		String	sourceModuleName,
		String	reportName
	)		throws TskCoreException

Inserts a row into the reports table in the case database.

Parameters

localPath	The path of the report file, must be in the database directory (case directory in Autopsy) or one of its subdirectories.
sourceModuleName	The name of the module that created the report.
reportName	The report name.

Returns: A Report object for the new row.

Exceptions

TskCoreException

Definition at line 10537 of file SleuthkitCase.java.

Report org.sleuthkit.datamodel.SleuthkitCase.addReport	(	String	localPath,
		String	sourceModuleName,
		String	reportName,
		Content	parent
	)		throws TskCoreException

Inserts a row into the reports table in the case database.

Parameters

localPath	The path of the report file, must be in the database directory (case directory in Autopsy) or one of its subdirectories.
sourceModuleName	The name of the module that created the report.
reportName	The report name.
parent	The Content from which the report was created, if available.

Returns: A Report object for the new row.

Exceptions

TskCoreException

Definition at line 10556 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.TskData.ObjectType.REPORT.

TagName org.sleuthkit.datamodel.SleuthkitCase.addTagName	(	String	displayName,
		String	description,
		TagName.HTML_COLOR	color
	)		throws TskCoreException

Inserts row into the tags_names table in the case database.

Parameters

displayName	The display name for the new tag name.
description	The description for the new tag name.
color	The HTML color to associate with the new tag name.

Returns: A TagName data transfer object (DTO) for the new row.

Exceptions

TskCoreException

Deprecated:: addOrUpdateTagName should be used this method calls addOrUpdateTagName with a default knownStatus value

Definition at line 9736 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.addOrUpdateTagName(), and org.sleuthkit.datamodel.TskData.FileKnown.UNKNOWN.

VirtualDirectory org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory	(	long	parentId,
		String	directoryName
	)		throws TskCoreException

Adds a virtual directory to the database and returns a VirtualDirectory object representing it.

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the virtual directory to create

Returns

Exceptions

TskCoreException

Definition at line 5463 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.beginTransaction(), org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addCarvedFiles().

VirtualDirectory org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory	(	long	parentId,
		String	directoryName,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Adds a virtual directory to the database and returns a VirtualDirectory object representing it.

Make sure the connection in transaction is used for all database interactions called by this method

Parameters

parentId	the ID of the parent, or 0 if NULL
directoryName	the name of the virtual directory to create
transaction	the transaction in the scope of which the operation is to be performed, managed by the caller

Returns: a VirtualDirectory object representing the one added to the database.

Exceptions

TskCoreException

Definition at line 5540 of file SleuthkitCase.java.

Volume org.sleuthkit.datamodel.SleuthkitCase.addVolume	(	long	parentObjId,
		long	addr,
		long	start,
		long	length,
		String	desc,
		long	flags,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a volume to the database

Parameters

parentObjId	Object ID of the volume's parent
addr	Address of the volume
start	Start of the volume
length	Length of the volume
desc	Description of the volume
flags	Flags
transaction	Case DB transaction

Returns: the newly created Volume

Exceptions

TskCoreException

Definition at line 6002 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.TskData.DbType.POSTGRESQL, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.TskData.ObjectType.VOL.

VolumeSystem org.sleuthkit.datamodel.SleuthkitCase.addVolumeSystem	(	long	parentObjId,
		TskData.TSK_VS_TYPE_ENUM	type,
		long	imgOffset,
		long	blockSize,
		CaseDbTransaction	transaction
	)		throws TskCoreException

Add a volume system to the database.

Parameters

parentObjId	Object ID of the volume system's parent
type	Type of volume system
imgOffset	Image offset
blockSize	Block size
transaction	Case DB transaction

Returns: the newly added VolumeSystem

Exceptions

TskCoreException

Definition at line 5959 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.TskData.ObjectType.VS.

boolean org.sleuthkit.datamodel.SleuthkitCase.allFilesMd5Hashed ( )

Query all the files to verify if they have an MD5 hash associated with them.

Returns: true if all files have an MD5 hash

Definition at line 9543 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_FS_NAME_TYPE_ENUM.REG, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

CaseDbTransaction org.sleuthkit.datamodel.SleuthkitCase.beginTransaction ( ) throws TskCoreException

Create a new transaction on the case database. The transaction object that is returned can be passed to methods that take a CaseDbTransaction. The caller is responsible for calling either commit() or rollback() on the transaction object.

Note that this beginning the transaction also acquires the single user case write lock, which will be automatically released when the transaction is closed.

Returns: A CaseDbTransaction object.

Exceptions

TskCoreException

Definition at line 2303 of file SleuthkitCase.java.

synchronized void org.sleuthkit.datamodel.SleuthkitCase.close ( )

Call to free resources when done with instance.

Definition at line 8969 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.commit(), org.sleuthkit.datamodel.SleuthkitCase.finalize(), and org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction.rollback().

void org.sleuthkit.datamodel.SleuthkitCase.closeRunQuery ( ResultSet resultSet ) throws SQLException

Closes ResultSet and its Statement previously retrieved from runQuery()

Parameters

resultSet with its Statement to close

Exceptions

SQLException of closing the query files failed

Deprecated:: Do not use runQuery() and closeRunQuery(), use executeQuery() instead. Query the Database

Definition at line 12670 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.copyCaseDB ( String newDBPath ) throws IOException

Make a duplicate / backup copy of the current case database. Makes a new copy only, and continues to use the current connection.

Parameters

newDBPath Path to the copy to be created. File will be overwritten if it exists.

Exceptions

IOException if copying fails.

Definition at line 970 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

int org.sleuthkit.datamodel.SleuthkitCase.countFilesMd5Hashed ( )

Query all the files and counts how many have an MD5 hash.

Returns: the number of files with an MD5 hash

Definition at line 9580 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.countFilesWhere ( String sqlWhereClause ) throws TskCoreException

Count files matching the specific Where clause

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: count of files each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Query the Database

Definition at line 7347 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

int org.sleuthkit.datamodel.SleuthkitCase.countFsContentType ( TskData.TSK_FS_META_TYPE_ENUM contentType ) throws TskCoreException

Return the number of objects in the database of a given file type.

Parameters

contentType Type of file to count

Returns: Number of objects with that type.

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 9459 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

void org.sleuthkit.datamodel.SleuthkitCase.deleteBlackboardArtifactTag ( BlackboardArtifactTag tag ) throws TskCoreException

Definition at line 10163 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.deleteContentTag ( ContentTag tag ) throws TskCoreException

Definition at line 9818 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.deleteReport ( Report report ) throws TskCoreException

Deletes a row from the reports table in the case database.

Parameters

report A Report data transfer object (DTO) for the row to delete.

Exceptions

TskCoreException

Definition at line 10750 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

static String org.sleuthkit.datamodel.SleuthkitCase.escapeSingleQuotes ( String text )

static

Escape the single quotes in the given string so they can be added to the SQL caseDbConnection

Parameters

text

Returns: text the escaped version

Definition at line 9491 of file SleuthkitCase.java.

CaseDbQuery org.sleuthkit.datamodel.SleuthkitCase.executeInsertOrUpdate ( String query ) throws TskCoreException

This method allows developers to run arbitrary SQL queries, including INSERT and UPDATE. The CaseDbQuery object will take care of acquiring the necessary database lock and when used in a try-with-resources block will automatically take care of releasing the lock. If you do not use a try-with-resources block you must call CaseDbQuery.close() once you are done processing the files of the query.

Also note that if you use it within a transaction to insert something into the database, and then within that same transaction query the inserted item from the database, you will likely not see your inserted item, as the method uses new connections for each execution. With this method, you must close your transaction before successfully querying for newly-inserted items.

Parameters

query The query string to execute.

Returns: A CaseDbQuery instance.

Exceptions

TskCoreException

Definition at line 8935 of file SleuthkitCase.java.

CaseDbQuery org.sleuthkit.datamodel.SleuthkitCase.executeQuery ( String query ) throws TskCoreException

This method allows developers to run arbitrary SQL "SELECT" queries. The CaseDbQuery object will take care of acquiring the necessary database lock and when used in a try-with-resources block will automatically take care of releasing the lock. If you do not use a try-with-resources block you must call CaseDbQuery.close() once you are done processing the files of the query.

Also note that if you use it within a transaction to insert something into the database, and then within that same transaction query the inserted item from the database, you will likely not see your inserted item, as the method uses new connections for each execution. With this method, you must close your transaction before successfully querying for newly-inserted items.

Parameters

query The query string to execute.

Returns: A CaseDbQuery instance.

Exceptions

TskCoreException

Definition at line 8910 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.finalize ( ) throws Throwable

protected

Definition at line 8958 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.close().

List<Long> org.sleuthkit.datamodel.SleuthkitCase.findAllFileIdsWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of all (abstract) ids of files matching the specific Where clause

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of file ids each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Query the Database

Definition at line 7415 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findAllFilesWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of all (abstract) files matching the specific Where clause. You need to know the database schema to use this, which is outlined on the wiki. You should use enums from org.sleuthkit.datamodel.TskData to make the queries easier to maintain and understand.

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of AbstractFile each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Query the Database

Definition at line 7384 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName
	)		throws TskCoreException

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).

Returns: a list of AbstractFile for files/directories whose name matches the given fileName

Exceptions

TskCoreException thrown if check failed

Definition at line 5394 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.findFiles(), and org.sleuthkit.datamodel.SleuthkitCase.openFiles().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName,
		String	dirSubString
	)		throws TskCoreException

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).
dirSubString	Substring that must exist in parent path. Will be surrounded by % in LIKE query

Returns: a list of AbstractFile for files/directories whose name matches fileName and whose parent directory contains dirName.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 5429 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFiles	(	Content	dataSource,
		String	fileName,
		AbstractFile	parentFile
	)		throws TskCoreException

Find all files in the data source, by name and parent

Parameters

dataSource	the dataSource (Image, parent-less VirtualDirectory) to search for the given file name
fileName	Pattern of the name of the file or directory to match (case insensitive, used in LIKE SQL statement).
parentFile	Object for parent file/directory to find children in

Returns: a list of AbstractFile for files/directories whose name matches fileName and that were inside a directory described by parentFile.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 7332 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.findFiles().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.findFilesByMd5 ( String md5Hash )

Find all the files with the given MD5 hash.

Parameters

md5Hash hash value to match files with

Returns: List of AbstractFile with the given hash

Definition at line 9506 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<FsContent> org.sleuthkit.datamodel.SleuthkitCase.findFilesWhere ( String sqlWhereClause ) throws TskCoreException

Find and return list of files matching the specific Where clause. Use findAllFilesWhere instead. It returns a more generic data type

Parameters

sqlWhereClause a SQL where clause appropriate for the desired files (do not begin the WHERE clause with the word WHERE!)

Returns: a list of FsContent each of which satisfy the given WHERE clause

Exceptions

TskCoreException

Deprecated:: use SleuthkitCase.findAllFilesWhere() instead

Definition at line 12386 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM.FS, and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

AbstractFile org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById ( long id ) throws TskCoreException

Get abstract file object from tsk_files table by its id

Parameters

id	id of the file object in tsk_files table

Returns: AbstractFile object populated, or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core and file could not be queried

Definition at line 5204 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.addAttachments(), org.sleuthkit.datamodel.SleuthkitCase.addLocalDirectory(), org.sleuthkit.datamodel.SleuthkitCase.addVirtualDirectory(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.getRootObjects().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getAllBlackboardArtifactTags ( ) throws TskCoreException

Selects all of the rows from the blackboard_artifacts_tags table in the case database.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 10189 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getAllContentTags ( ) throws TskCoreException

Selects all of the rows from the content_tags table in the case database.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 9843 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

List<Report> org.sleuthkit.datamodel.SleuthkitCase.getAllReports ( ) throws TskCoreException

Selects all of the rows from the reports table in the case database.

Returns: A list, possibly empty, of Report data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 10632 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getAllTagNames ( ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database.

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 9620 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.getArtifactByArtifactId ( long id ) throws TskCoreException

Get artifact from blackboard_artifacts table by its artifact_id

Parameters

id	Artifact ID of the artifact in blackboard_artifacts table

Returns: Artifact object populated, or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core and file could not be queried

Definition at line 5291 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.getArtifactById ( long id ) throws TskCoreException

Get artifact from blackboard_artifacts table by its artifact_obj_id

Parameters

id	id of the artifact in blackboard_artifacts table

Returns: Artifact object populated, or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core and file could not be queried

Definition at line 5257 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getContentById().

BlackboardArtifact.Type org.sleuthkit.datamodel.SleuthkitCase.getArtifactType ( String artTypeName ) throws TskCoreException

Get the artifact type associated with an artifact type name.

Parameters

artTypeName An artifact type name.

Returns: An artifact type or null if the artifact type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Definition at line 4214 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.Report.getArtifacts(), org.sleuthkit.datamodel.AbstractContent.getArtifacts(), org.sleuthkit.datamodel.Report.getArtifactsCount(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount(), org.sleuthkit.datamodel.SleuthkitCase.getMatchingArtifacts(), org.sleuthkit.datamodel.Blackboard.getOrAddArtifactType(), org.sleuthkit.datamodel.CommunicationsManager.getRelationshipSources(), and org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

int org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypeID ( String artifactTypeName ) throws TskCoreException

Get the artifact type id associated with an artifact type name.

Parameters

artifactTypeName An artifact type name.

Returns: An artifact id or -1 if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Deprecated:: Use getArtifactType instead

Definition at line 12425 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Iterable<BlackboardArtifact.Type> org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypes ( ) throws TskCoreException

Gets a list of all the artifact types for this case

Returns: a list of artifact types

Exceptions

TskCoreException when there is an error getting the types

Definition at line 3382 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifact.Type> org.sleuthkit.datamodel.SleuthkitCase.getArtifactTypesInUse ( ) throws TskCoreException

Gets the list of all unique artifact IDs in use.

Gets both static and dynamic IDs.

Returns: The list of unique IDs

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core

Definition at line 3456 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

BlackboardAttribute.Type org.sleuthkit.datamodel.SleuthkitCase.getAttributeType ( String attrTypeName ) throws TskCoreException

Get the attribute type associated with an attribute type name.

Parameters

attrTypeName An attribute type name.

Returns: An attribute type or null if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Definition at line 4136 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getMatchingAttributes(), and org.sleuthkit.datamodel.Blackboard.getOrAddAttributeType().

List<BlackboardAttribute.Type> org.sleuthkit.datamodel.SleuthkitCase.getAttributeTypes ( ) throws TskCoreException

Gets a list of all the attribute types for this case

Returns: a list of attribute types

Exceptions

TskCoreException when there is an error getting the types

Definition at line 3492 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

String org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeDisplayName ( int attrTypeID ) throws TskCoreException

Get the display name for the attribute with the given id. Will throw an error if that id does not exist

Parameters

attrTypeID attribute id

Returns: string associated with the given id

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Deprecated:: Use getAttributeType instead

Definition at line 12589 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

int org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeID ( String attrTypeName ) throws TskCoreException

Gets the attribute type id associated with an attribute type name.

Parameters

attrTypeName An attribute type name.

Returns: An attribute id or -1 if the attribute type does not exist.

Exceptions

TskCoreException If an error occurs accessing the case database.

Deprecated:: Use SleuthkitCase.getAttributeType instead.

Definition at line 12517 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

String org.sleuthkit.datamodel.SleuthkitCase.getAttrTypeString ( int attrTypeID ) throws TskCoreException

Get the string associated with the given id. Will throw an error if that id does not exist

Parameters

attrTypeID attribute id

Returns: string associated with the given id

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Deprecated:: Use getAttributeType instead

Definition at line 12553 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

String org.sleuthkit.datamodel.SleuthkitCase.getBackupDatabasePath ( )

Returns the path of a backup copy of the database made when a schema version upgrade has occurred.

Returns: The path of the backup file or null if no backup was made.

Definition at line 2285 of file SleuthkitCase.java.

Blackboard org.sleuthkit.datamodel.SleuthkitCase.getBlackboard ( )

Gets the artifacts blackboard for this case.

Returns: The per case Blackboard object.

Definition at line 457 of file SleuthkitCase.java.

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact ( long artifactID ) throws TskCoreException

Get the blackboard artifact with the given artifact id

Parameters

artifactID artifact ID

Returns: blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3822 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getAllBlackboardArtifactTags(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagByID(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName(), and org.sleuthkit.datamodel.BlackboardAttribute.getParentArtifact().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( int artifactTypeID ) throws TskCoreException

Get all blackboard artifacts of a given type. Does not included rejected artifacts.

Parameters

artifactTypeID artifact type id (must exist in database)

Returns: list of blackboard artifacts.

Exceptions

TskCoreException

Definition at line 2972 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.CommunicationsManager.getAccountFileInstances(), org.sleuthkit.datamodel.Report.getArtifacts(), org.sleuthkit.datamodel.AbstractContent.getArtifacts(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts(), and org.sleuthkit.datamodel.AbstractContent.getGenInfoArtifact().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and String value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 3094 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	subString,
		boolean	startsWith
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and String value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
subString	value substring of the string attribute of the attrType type to look for
startsWith	if true, the artifact attribute string should start with the substring, if false, it should just contain it

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 3145 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		int	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and integer value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 3197 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		long	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and long value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 3245 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		double	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and double value. Does not included rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 3293 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		byte	value
	)		throws TskCoreException

Get all blackboard artifacts that have an attribute of the given type and byte value. Does not include rejected artifacts.

Parameters

attrType	attribute of this attribute type to look for in the artifacts
value	value of the attribute of the attrType type to look for

Returns: a list of blackboard artifacts with such an attribute

Exceptions

TskCoreException exception thrown if a critical error occurred within tsk core and artifacts could not be queried

Definition at line 3341 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	String	artifactTypeName,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id. Does not included rejected artifacts.

Parameters

artifactTypeName	artifact type name
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3646 of file SleuthkitCase.java.

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id. Does not included rejected artifacts.

Parameters

artifactTypeID	artifact type id (must exist in database)
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3662 of file SleuthkitCase.java.

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Get all blackboard artifacts of a given type for the given object id. Does not included rejected artifacts.

Parameters

artifactType	artifact type enum
obj_id	object id

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3678 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( String artifactTypeName ) throws TskCoreException

Get all blackboard artifacts of a given type. Does not included rejected artifacts.

Parameters

artifactTypeName artifact type name

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3745 of file SleuthkitCase.java.

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts ( ARTIFACT_TYPE artifactType ) throws TskCoreException

Get all blackboard artifacts of a given type. Does not included rejected artifacts.

Parameters

artifactType artifact type enum

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3760 of file SleuthkitCase.java.

List<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifacts	(	ARTIFACT_TYPE	artifactType,
		BlackboardAttribute.ATTRIBUTE_TYPE	attrType,
		String	value
	)		throws TskCoreException

Get all blackboard artifacts of a given type with an attribute of a given type and String value. Does not included rejected artifacts.

Parameters

artifactType	artifact type enum
attrType	attribute type enum
value	String value of attribute

Returns: list of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3777 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.REJECTED, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount ( long objId ) throws TskCoreException

Get a count of blackboard artifacts for a given content. Does not include rejected artifacts.

Parameters

objId Id of the content.

Returns: The artifacts count for the content.

Exceptions

TskCoreException

Definition at line 2986 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.Report.getAllArtifactsCount(), org.sleuthkit.datamodel.AbstractContent.getAllArtifactsCount(), org.sleuthkit.datamodel.Report.getArtifactsCount(), and org.sleuthkit.datamodel.AbstractContent.getArtifactsCount().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	String	artifactTypeName,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id. Does not include rejected artifacts.

Parameters

artifactTypeName	artifact type name
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3694 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactType().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id. Does not include rejected artifacts.

Parameters

artifactTypeID	artifact type id (must exist in database)
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3714 of file SleuthkitCase.java.

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsCount	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Get count of all blackboard artifacts of a given type for the given object id. Does not include rejected artifacts.

Parameters

artifactType	artifact type enum
obj_id	object id

Returns: count of blackboard artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3730 of file SleuthkitCase.java.

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsTypeCount ( int artifactTypeID ) throws TskCoreException

Get a count of artifacts of a given type. Does not include rejected artifacts.

Parameters

artifactTypeID Id of the artifact type.

Returns: The artifacts count for the type.

Exceptions

TskCoreException

Definition at line 3020 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactsTypeCount	(	int	artifactTypeID,
		long	dataSourceID
	)		throws TskCoreException

Get a count of artifacts of a given type for the given data source. Does not include rejected artifacts.

Parameters

artifactTypeID	Id of the artifact type.
dataSourceID

Returns: The artifacts count for the type.

Exceptions

TskCoreException

Definition at line 3055 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

BlackboardArtifactTag org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagByID ( long artifactTagID ) throws TskCoreException

Selects the row in the blackboard artifact tags table in the case database with a specified tag id.

Parameters

artifactTagID the tag id of the BlackboardArtifactTag to retrieve.

Returns: the BlackBoardArtifact Tag with the given tag id, or null if no such tag could be found

Exceptions

TskCoreException

Definition at line 10414 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByArtifact ( BlackboardArtifact artifact ) throws TskCoreException

Selects the rows in the blackboard_artifacts_tags table in the case database with a specified foreign key into the blackboard_artifacts table.

Parameters

artifact A data transfer object (DTO) for the artifact to match.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 10464 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Referenced by org.sleuthkit.datamodel.TimelineManager.updateEventsForArtifactTagDeleted().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName ( TagName tagName ) throws TskCoreException

Selects the rows in the blackboard_artifacts_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: A list, possibly empty, of BlackboardArtifactTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 10315 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.BlackboardArtifact.getObjectID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<BlackboardArtifactTag> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets artifact tags by tag name, for specified data source.

Parameters

tagName	The representation of the desired tag type in the case database, which can be obtained by calling getTagNames and/or addTagName.
dsObjId	data source object id

Returns: A list, possibly empty, of the artifact tags with the specified tag name, for the specified data source.

Exceptions

TskCoreException If there is an error getting the tags from the case database.

Definition at line 10363 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifact(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.BlackboardArtifact.getObjectID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsCountByTagName ( TagName tagName ) throws TskCoreException

Gets a count of the rows in the blackboard_artifact_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: The count, possibly zero.

Exceptions

TskCoreException

Definition at line 10231 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTagsCountByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets an artifact tags count by tag name, for the given data source.

Parameters

tagName	The representation of the desired tag type in the case database, which can be obtained by calling getTagNames and/or addTagName.
dsObjId	data source object id

Returns: A count of the artifact tags with the specified tag name, for the given data source.

Exceptions

TskCoreException If there is an error getting the tags count from the case database.

Definition at line 10272 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

ArrayList<BlackboardArtifact.ARTIFACT_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypes ( ) throws TskCoreException

Gets a list of the standard blackboard artifact type enum objects.

Returns: The members of the BlackboardArtifact.ARTIFACT_TYPE enum.

Exceptions

TskCoreException Specified, but not thrown.

Deprecated:: For a list of standard blackboard artifacts type enum objects, use BlackboardArtifact.ARTIFACT_TYPE.values.

Definition at line 12458 of file SleuthkitCase.java.

ArrayList<BlackboardArtifact.ARTIFACT_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardArtifactTypesInUse ( ) throws TskCoreException

Get all of the standard blackboard artifact types that are in use in the blackboard.

Returns: List of standard blackboard artifact types

Exceptions

TskCoreException

Definition at line 3414 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.fromID(), org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.getTypeID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

ArrayList<BlackboardAttribute> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributes ( final BlackboardArtifact artifact ) throws TskCoreException

Definition at line 4335 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.getAttributes().

ArrayList<BlackboardAttribute.ATTRIBUTE_TYPE> org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributeTypes ( ) throws TskCoreException

Gets a list of the standard blackboard attribute type enum objects.

Returns: The members of the BlackboardAttribute.ATTRIBUTE_TYPE enum.

Exceptions

TskCoreException Specified, but not thrown.

Deprecated:: For a list of standard blackboard attribute types enum objects, use BlackboardAttribute.ATTRIBUTE_TYP.values.

Definition at line 12622 of file SleuthkitCase.java.

int org.sleuthkit.datamodel.SleuthkitCase.getBlackboardAttributeTypesCount ( ) throws TskCoreException

Get count of blackboard attribute types

Counts both static (in enum) and dynamic attributes types (created by modules at runtime)

Returns: count of attribute types

Exceptions

TskCoreException exception thrown if a critical error occurs within TSK core

Definition at line 3527 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

synchronized CaseDbAccessManager org.sleuthkit.datamodel.SleuthkitCase.getCaseDbAccessManager ( ) throws TskCoreException

Definition at line 479 of file SleuthkitCase.java.

CommunicationsManager org.sleuthkit.datamodel.SleuthkitCase.getCommunicationsManager ( ) throws TskCoreException

Gets the communications manager for this case.

Returns: The per case CommunicationsManager object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 448 of file SleuthkitCase.java.

Content org.sleuthkit.datamodel.SleuthkitCase.getContentById ( long id ) throws TskCoreException

Get content object by content id

Parameters

id	to get content object for

Returns: instance of a Content object (one of its subclasses), or null if not found.

Exceptions

TskCoreException thrown if critical error occurred within tsk core

Definition at line 4942 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactById(), org.sleuthkit.datamodel.SleuthkitCase.getImageById(), org.sleuthkit.datamodel.SleuthkitCase.getReportById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.ObjectType.valueOf().

ContentTag org.sleuthkit.datamodel.SleuthkitCase.getContentTagByID ( long contentTagID ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified tag id.

Parameters

contentTagID the tag id of the ContentTag to retrieve.

Returns: The content tag.

Exceptions

TskCoreException

Definition at line 9968 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByContent ( Content content ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified foreign key into the tsk_objects table.

Parameters

content A data transfer object (DTO) for the content to match.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 10106 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

Referenced by org.sleuthkit.datamodel.TimelineManager.updateEventsForContentTagDeleted().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByTagName ( TagName tagName ) throws TskCoreException

Selects the rows in the content_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: A list, possibly empty, of ContentTag data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 10015 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

List<ContentTag> org.sleuthkit.datamodel.SleuthkitCase.getContentTagsByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets content tags by tag name, for the given data source.

Parameters

tagName	The tag name of interest.
dsObjId	data source object id

Returns: A list, possibly empty, of the content tags with the specified tag name, and for the given data source.

Exceptions

TskCoreException If there is an error getting the tags from the case database.

Definition at line 10060 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getContentTagsCountByTagName ( TagName tagName ) throws TskCoreException

Gets a count of the rows in the content_tags table in the case database with a specified foreign key into the tag_names table.

Parameters

tagName A data transfer object (DTO) for the tag name to match.

Returns: The count, possibly zero.

Exceptions

TskCoreException

Definition at line 9883 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getContentTagsCountByTagName	(	TagName	tagName,
		long	dsObjId
	)		throws TskCoreException

Gets content tags count by tag name, for the given data source

Parameters

tagName	The representation of the desired tag type in the case database, which can be obtained by calling getTagNames and/or addTagName.
dsObjId	data source object id

Returns: A count of the content tags with the specified tag name, and for the given data source

Exceptions

TskCoreException If there is an error getting the tags count from the case database.

Definition at line 9925 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Examiner org.sleuthkit.datamodel.SleuthkitCase.getCurrentExaminer ( ) throws TskCoreException

Returns the Examiner object for currently logged in user

Returns: A Examiner object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 2567 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.TaggingManager.addArtifactTag(), and org.sleuthkit.datamodel.TaggingManager.addContentTag().

String org.sleuthkit.datamodel.SleuthkitCase.getDatabaseName ( )

Gets the case database name.

Returns: The case database name.

Definition at line 2312 of file SleuthkitCase.java.

DbType org.sleuthkit.datamodel.SleuthkitCase.getDatabaseType ( )

Returns the type of database in use.

Returns: database type

Definition at line 2275 of file SleuthkitCase.java.

DataSource org.sleuthkit.datamodel.SleuthkitCase.getDataSource ( long objectId ) throws TskDataException, TskCoreException

Gets a specific data source for the case. If it is an image, an Image will be instantiated. Otherwise, a LocalFilesDataSource will be instantiated.

NOTE: The DataSource class is an emerging feature and at present is only useful for obtaining the object id and the data source identifier, an ASCII-printable identifier for the data source that is intended to be unique across multiple cases (e.g., a UUID). In the future, this method will be a replacement for the getRootObjects method.

Parameters

objectId The object id of the data source.

Returns: The data source.

Exceptions

TskDataException	If there is no data source for the given object id.
TskCoreException	If there is a problem getting the data source.

Definition at line 2883 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM.ALLOC, org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.ALLOC, org.sleuthkit.datamodel.TskData.TSK_FS_NAME_TYPE_ENUM.DIR, org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), org.sleuthkit.datamodel.TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR, org.sleuthkit.datamodel.TskData.FileKnown.UNKNOWN, and org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM.USED.

List<DataSource> org.sleuthkit.datamodel.SleuthkitCase.getDataSources ( ) throws TskCoreException

Gets the data sources for the case. For each data source, if it is an image, an Image will be instantiated. Otherwise, a LocalFilesDataSource will be instantiated.

NOTE: The DataSource interface is an emerging feature and at present is only useful for obtaining the object id and the device id, an ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID). In the future, this method will be a replacement for the getRootObjects method.

Returns: A list of the data sources for the case.

Exceptions

TskCoreException if there is a problem getting the data sources.

Definition at line 2779 of file SleuthkitCase.java.

String org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath ( )

Get the full path to the case directory. For a SQLite case database, this is the same as the database directory path.

Returns: Case directory path.

Definition at line 2322 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addReport(), org.sleuthkit.datamodel.SleuthkitCase.getAllReports(), and org.sleuthkit.datamodel.SleuthkitCase.getReportById().

CaseDbSchemaVersionNumber org.sleuthkit.datamodel.SleuthkitCase.getDBSchemaCreationVersion ( )

Gets the creation version of the database schema.

Returns: the creation version for the database schema, the creation version will be 0.0 for databases created prior to 8.2

Definition at line 2266 of file SleuthkitCase.java.

VersionNumber org.sleuthkit.datamodel.SleuthkitCase.getDBSchemaVersion ( )

Gets the database schema version in use.

Returns: the database schema version in use.

Definition at line 2256 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getSchemaVersion().

List<TskFileRange> org.sleuthkit.datamodel.SleuthkitCase.getFileRanges ( long id ) throws TskCoreException

Get file layout ranges from tsk_file_layout, for a file with specified id

Parameters

id	of the file to get file layout ranges for

Returns: list of populated file ranges

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 7480 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.AbstractFile.getRanges().

Collection<FileSystem> org.sleuthkit.datamodel.SleuthkitCase.getFileSystems ( Image image )

Helper to return FileSystems in an Image

Parameters

image Image to lookup FileSystem for

Returns: Collection of FileSystems in the image

Deprecated:: Use getImageFileSystems which throws an exception if an error occurs.

Definition at line 12875 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.AbstractContent.getId(), and org.sleuthkit.datamodel.SleuthkitCase.getImageFileSystems().

Image org.sleuthkit.datamodel.SleuthkitCase.getImageById ( long id ) throws TskCoreException

Get am image by the image object id

Parameters

id	of the image object

Returns: Image object populated

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 7515 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addImageInfo(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.getImages(), and org.sleuthkit.datamodel.SleuthkitCase.getRootObjects().

Collection<FileSystem> org.sleuthkit.datamodel.SleuthkitCase.getImageFileSystems ( Image image ) throws TskCoreException

Helper to return FileSystems in an Image

Parameters

image Image to lookup FileSystem for

Returns: Collection of FileSystems in the image

Exceptions

TskCoreException

Definition at line 7903 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.TSK_FS_TYPE_ENUM.valueOf().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getFileSystems().

Map<Long, List<String> > org.sleuthkit.datamodel.SleuthkitCase.getImagePaths ( ) throws TskCoreException

Returns a map of image object IDs to a list of fully qualified file paths for that image

Returns: map of image object IDs to file paths

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 8226 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getDataSources().

List<Image> org.sleuthkit.datamodel.SleuthkitCase.getImages ( ) throws TskCoreException

Returns: a collection of Images associated with this instance of SleuthkitCase

Exceptions

TskCoreException

Definition at line 8302 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getImageById(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

final List<IngestJobInfo> org.sleuthkit.datamodel.SleuthkitCase.getIngestJobs ( ) throws TskCoreException

Gets all of the ingest jobs that have been run.

Returns: The information about the ingest jobs that have been run

Exceptions

TskCoreException If there is a problem getting the ingest jobs

Definition at line 10947 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.IngestJobInfo.IngestJobStatusType.fromID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

long org.sleuthkit.datamodel.SleuthkitCase.getLastObjectId ( ) throws TskCoreException

Get last (max) object id of content object in tsk_objects.

Returns: currently max id

Exceptions

TskCoreException exception thrown when database error occurs and last object id could not be queried

Deprecated:: Do not use, assumes a single-threaded, single-user case.

Definition at line 12350 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

ArrayList<BlackboardArtifact> org.sleuthkit.datamodel.SleuthkitCase.getMatchingArtifacts ( String whereClause ) throws TskCoreException

Get all artifacts that match a where clause. The clause should begin with "WHERE" or "JOIN". To use this method you must know the database tables

Parameters

whereClause a sqlite where clause

Returns: a list of matching artifacts

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core Query the Database

Definition at line 4453 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getArtifactType(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.BlackboardArtifact.ReviewStatus.withID().

Referenced by org.sleuthkit.datamodel.Report.getAllArtifacts(), and org.sleuthkit.datamodel.AbstractContent.getAllArtifacts().

ArrayList<BlackboardAttribute> org.sleuthkit.datamodel.SleuthkitCase.getMatchingAttributes ( String whereClause ) throws TskCoreException

Get all attributes that match a where clause. The clause should begin with "WHERE" or "JOIN". To use this method you must know the database tables

Parameters

whereClause a sqlite where clause

Returns: a list of matching attributes

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core Query the Database

Definition at line 4399 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getAttributeType(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Report org.sleuthkit.datamodel.SleuthkitCase.getReportById ( long id ) throws TskCoreException

Get a Report object for the given id.

Parameters

id

Returns: A new Report object for the given id.

Exceptions

TskCoreException

Definition at line 10694 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getContentById(), org.sleuthkit.datamodel.SleuthkitCase.getDbDirPath(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

Referenced by org.sleuthkit.datamodel.SleuthkitCase.getContentById().

List<Content> org.sleuthkit.datamodel.SleuthkitCase.getRootObjects ( ) throws TskCoreException

Get the list of root objects (data sources) from the case database, e.g., image files, logical (local) files, virtual directories.

Returns: List of content objects representing root objects.

Exceptions

TskCoreException

Definition at line 2665 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById(), org.sleuthkit.datamodel.SleuthkitCase.getImageById(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.ObjectType.valueOf().

int org.sleuthkit.datamodel.SleuthkitCase.getSchemaVersion ( )

Returns case database schema version number. As of TSK 4.5.0 db schema versions are two part Major.minor. This method only returns the major part. Use getDBSchemaVersion() for the complete version.

Returns: The schema version number as an integer.

Deprecated:: since 4.5.0 Use getDBSchemaVersion() instead for more complete version info.

Definition at line 2247 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getDBSchemaVersion(), and org.sleuthkit.datamodel.VersionNumber.getMajor().

synchronized TaggingManager org.sleuthkit.datamodel.SleuthkitCase.getTaggingManager ( )

Get the case database TaggingManager object.

Returns: The per case TaggingManager object.

Definition at line 488 of file SleuthkitCase.java.

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getTagNamesInUse ( ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database for which there is at least one matching row in the content_tags or blackboard_artifact_tags tables.

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 9654 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

List<TagName> org.sleuthkit.datamodel.SleuthkitCase.getTagNamesInUse ( long dsObjId ) throws TskCoreException

Selects all of the rows from the tag_names table in the case database for which there is at least one matching row in the content_tags or blackboard_artifact_tags tables, for the given data source object id.

Parameters

dsObjId data source object id

Returns: A list, possibly empty, of TagName data transfer objects (DTOs) for the rows.

Exceptions

TskCoreException

Definition at line 9690 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.TagName.HTML_COLOR.getColorByName(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.FileKnown.valueOf().

TimelineManager org.sleuthkit.datamodel.SleuthkitCase.getTimelineManager ( ) throws TskCoreException

Gets the communications manager for this case.

Returns: The per case TimelineManager object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 468 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.addDerivedFile(), org.sleuthkit.datamodel.SleuthkitCase.addFileSystemFile(), org.sleuthkit.datamodel.SleuthkitCase.addLocalFile(), and org.sleuthkit.datamodel.Blackboard.postArtifacts().

List<VirtualDirectory> org.sleuthkit.datamodel.SleuthkitCase.getVirtualDirectoryRoots ( ) throws TskCoreException

Get IDs of the virtual folder roots (at the same level as image), used for containers such as for local files.

Returns: IDs of virtual directory root objects.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 6258 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock(), and org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.

boolean org.sleuthkit.datamodel.SleuthkitCase.isFileFromSource	(	Content	dataSource,
		long	fileId
	)		throws TskCoreException

Checks if the file is a (sub)child of the data source (parentless Content object such as Image or VirtualDirectory representing filesets)

Parameters

dataSource	dataSource to check
fileId	id of file to check

Returns: true if the file is in the dataSource hierarchy

Exceptions

TskCoreException thrown if check failed

Definition at line 5362 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

AddImageProcess org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess	(	String	timeZone,
		boolean	addUnallocSpace,
		boolean	noFatFsOrphans,
		String	imageCopyPath
	)

Starts the multi-step process of adding an image data source to the case by creating an object that can be used to control the process and get progress messages from it.

Parameters

timeZone	The time zone of the image.
addUnallocSpace	Set to true to create virtual files for unallocated space in the image.
noFatFsOrphans	Set to true to skip processing orphan files of FAT file systems.
imageCopyPath	Path to which a copy of the image should be written. Use the empty string to disable image writing.

Returns: An object that encapsulates control of adding an image via the SleuthKit native code layer.

Definition at line 2653 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

AddImageProcess org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess	(	String	timezone,
		boolean	addUnallocSpace,
		boolean	noFatFsOrphans
	)

Start process of adding a image to the case. Adding an image is a multi-step process and this returns an object that allows it to happen.

Parameters

timezone	TZ time zone string to use for ingest of image.
addUnallocSpace	Set to true to create virtual files for unallocated space in the image.
noFatFsOrphans	Set to true to skip processing orphan files of FAT file systems.

Returns: Object that encapsulates control of adding an image via the SleuthKit native code layer

Deprecated:: Use the newer version with explicit image writer path parameter

Definition at line 12860 of file SleuthkitCase.java.

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact	(	int	artifactTypeID,
		long	obj_id
	)		throws TskCoreException

Add a new blackboard artifact with the given type. If that artifact type does not exist an error will be thrown. The artifact type name can be looked up in the returned blackboard artifact.

Parameters

artifactTypeID	the type the given artifact should have
obj_id	the content object id associated with this artifact

Returns: a new blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 4498 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.getArtifactType().

Referenced by org.sleuthkit.datamodel.AbstractContent.getGenInfoArtifact(), org.sleuthkit.datamodel.Report.newArtifact(), org.sleuthkit.datamodel.AbstractContent.newArtifact(), and org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

BlackboardArtifact org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact	(	ARTIFACT_TYPE	artifactType,
		long	obj_id
	)		throws TskCoreException

Add a new blackboard artifact with the given type.

Parameters

artifactType	the type the given artifact should have
obj_id	the content object id associated with this artifact

Returns: a new blackboard artifact

Exceptions

TskCoreException exception thrown if a critical error occurs within tsk core

Definition at line 4514 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.newBlackboardArtifact().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.newCase ( String dbPath ) throws TskCoreException

static

Creates a new SQLite case database.

Parameters

dbPath Path to where SQlite case database should be created.

Returns: A case database object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 2439 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

Referenced by org.sleuthkit.datamodel.Examples.Sample.run().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.newCase	(	String	caseName,
		CaseDbConnectionInfo	info,
		String	caseDirPath
	)		throws TskCoreException

static

Creates a new PostgreSQL case database.

Parameters

caseName	The name of the case. It will be used to create a case database name that can be safely used in SQL commands and will not be subject to name collisions on the case database server. Use getDatabaseName to get the created name.
info	The information to connect to the database.
caseDirPath	The case directory path.

Returns: A case database object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

The flow of this method involves trying to create a new case and if successful, return that case. If unsuccessful, an exception is thrown. We catch any exceptions, and use tryConnect() to attempt to obtain further information about the error. If tryConnect() is unable to successfully connect, tryConnect() will throw a TskCoreException with a message containing user-level error reporting. If tryConnect() is able to connect, flow continues and we rethrow the original exception obtained from trying to create the case. In this way, we obtain more detailed information if we are able, but do not lose any information if unable.

Definition at line 2466 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.tryConnect().

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.openCase ( String dbPath ) throws TskCoreException

static

Open an existing case database.

Parameters

dbPath Path to SQLite case database.

Returns: Case database object.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 2379 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

static SleuthkitCase org.sleuthkit.datamodel.SleuthkitCase.openCase	(	String	databaseName,
		CaseDbConnectionInfo	info,
		String	caseDir
	)		throws TskCoreException

static

Open an existing multi-user case database.

Parameters

databaseName	The name of the database.
info	Connection information for the the database.
caseDir	The folder where the case metadata fils is stored.

Returns: A case database object.

Exceptions

TskCoreException If there is a problem opening the database.

Definition at line 2402 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.tryConnect().

List<AbstractFile> org.sleuthkit.datamodel.SleuthkitCase.openFiles	(	Content	dataSource,
		String	filePath
	)		throws TskCoreException

Parameters

dataSource	the data source (Image, VirtualDirectory for file-sets, etc) to search for the given file name
filePath	The full path to the file(s) of interest. This can optionally include the image and volume names. Treated in a case- insensitive manner.

Returns: a list of AbstractFile that have the given file path.

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 7449 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.AbstractFile.createNonUniquePath(), and org.sleuthkit.datamodel.SleuthkitCase.findFiles().

void org.sleuthkit.datamodel.SleuthkitCase.registerForEvents ( Object listener )

Definition at line 216 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.releaseExclusiveLock ( )

Releases a write lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Deprecated:: Use releaseSingleUserCaseWriteLock.

Definition at line 12904 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.releaseSharedLock ( )

Releases a read lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Deprecated:: Use releaseSingleUserCaseReadLock.

Definition at line 12928 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

void org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock ( )

Releases a read lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Definition at line 2364 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

void org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock ( )

Releases a write lock, but only if this is a single-user case. This method should always be called in the finally block of a try block in which the lock was acquired.

Definition at line 2342 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.TskData.DbType.SQLITE.

void org.sleuthkit.datamodel.SleuthkitCase.removeErrorObserver ( ErrorObserver observer )

Remove an observer for SleuthkitCase errors.

Parameters

observer The observer to remove.

Deprecated:: Catch exceptions instead.

Definition at line 12247 of file SleuthkitCase.java.

ResultSet org.sleuthkit.datamodel.SleuthkitCase.runQuery ( String query ) throws SQLException

Process a read-only query on the tsk database, any table Can be used to e.g. to find files of a given criteria. resultSetToFsContents() will convert the files to useful objects. MUST CALL closeRunQuery() when done

Parameters

query the given string query to run

Returns: the resultSet from running the query. Caller MUST CALL closeRunQuery(resultSet) as soon as possible, when done with retrieving data from the resultSet

Exceptions

SQLException if error occurred during the query

Deprecated:: Do not use runQuery(), use executeQuery() instead. Query the Database

Definition at line 12642 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseReadLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseReadLock().

void org.sleuthkit.datamodel.SleuthkitCase.setFileMIMEType	(	AbstractFile	file,
		String	mimeType
	)		throws TskCoreException

Stores the MIME type of a file in the case database and updates the MIME type of the given file object.

Parameters

file	A file.
mimeType	The MIME type.

Exceptions

TskCoreException If there is an error updating the case database.

Definition at line 9091 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.setImagePaths	(	long	obj_id,
		List< String >	paths
	)		throws TskCoreException

Set the file paths for the image given by obj_id

Parameters

obj_id	the ID of the image to update
paths	the fully qualified path to the files that make up the image

Exceptions

TskCoreException exception thrown when critical error occurs within tsk core and the update fails

Definition at line 8339 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

boolean org.sleuthkit.datamodel.SleuthkitCase.setKnown	(	AbstractFile	file,
		FileKnown	fileKnown
	)		throws TskCoreException

Store the known status for the FsContent in the database Note: will not update status if content is already 'Known Bad'

Parameters

file	The AbstractFile object
fileKnown	The object's known status

Returns: true if the known status was updated, false otherwise

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 9004 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

void org.sleuthkit.datamodel.SleuthkitCase.setReviewStatus	(	BlackboardArtifact	artifact,
		BlackboardArtifact.ReviewStatus	newStatus
	)		throws TskCoreException

Set the review status of the given artifact to newStatus

Parameters

artifact	The artifact whose review status is being set.
newStatus	The new review status for the given artifact. Must not be null.

Exceptions

TskCoreException thrown if a critical error occurred within tsk core

Definition at line 9428 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), org.sleuthkit.datamodel.BlackboardArtifact.getArtifactID(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

Referenced by org.sleuthkit.datamodel.BlackboardArtifact.setReviewStatus().

void org.sleuthkit.datamodel.SleuthkitCase.submitError	(	String	context,
		String	errorMessage
	)

Submit an error to all clients that are listening.

Parameters

context	The context in which the error occurred.
errorMessage	A description of the error that occurred.

Deprecated:: Catch exceptions instead.

Definition at line 12263 of file SleuthkitCase.java.

static void org.sleuthkit.datamodel.SleuthkitCase.tryConnect ( CaseDbConnectionInfo info ) throws TskCoreException

static

Attempts to connect to the database with the passed in settings, throws if the settings are not sufficient to connect to the database type indicated. Only attempts to connect to remote databases.

When issues occur, it attempts to diagnose them by looking at the exception messages, returning the appropriate user-facing text for the exception received. This method expects the Exceptions messages to be in English and compares against English text.

Parameters

info	The connection information

Exceptions

org.sleuthkit.datamodel.TskCoreException

Definition at line 247 of file SleuthkitCase.java.

Referenced by org.sleuthkit.datamodel.SleuthkitCase.newCase(), and org.sleuthkit.datamodel.SleuthkitCase.openCase().

void org.sleuthkit.datamodel.SleuthkitCase.unregisterForEvents ( Object listener )

Definition at line 220 of file SleuthkitCase.java.

DerivedFile org.sleuthkit.datamodel.SleuthkitCase.updateDerivedFile	(	DerivedFile	derivedFile,
		String	localPath,
		long	size,
		long	ctime,
		long	crtime,
		long	atime,
		long	mtime,
		boolean	isFile,
		String	mimeType,
		String	rederiveDetails,
		String	toolName,
		String	toolVersion,
		String	otherDetails,
		TskData.EncodingType	encodingType
	)		throws TskCoreException

Updates an existing derived file in the database and returns a new derived file object with the updated contents

Parameters

derivedFile	The derived file you wish to update
localPath	local path of the derived file, including the file name. The path is relative to the database path.
size	size of the derived file in bytes
ctime	The changed time of the file.
crtime	The creation time of the file.
atime	The accessed time of the file
mtime	The modified time of the file.
isFile	whether a file or directory, true if a file
mimeType	The MIME type the updated file should have, null to unset it
rederiveDetails	details needed to re-derive file (will be specific to the derivation method), currently unused
toolName	name of derivation method/tool, currently unused
toolVersion	version of derivation method/tool, currently unused
otherDetails	details of derivation method/tool, currently unused
encodingType	Type of encoding used on the file (or NONE if no encoding)

Returns: newly created derived file object which contains the updated data

Exceptions

TskCoreException exception thrown if the object creation failed due to a critical system error

Definition at line 6764 of file SleuthkitCase.java.

void org.sleuthkit.datamodel.SleuthkitCase.updateImagePath	(	String	newPath,
		long	objectId
	)		throws TskCoreException

Change the path for an image in the database.

Parameters

newPath	New path to the image
objectId	Data source ID of the image

Exceptions

TskCoreException

Definition at line 10506 of file SleuthkitCase.java.

References org.sleuthkit.datamodel.SleuthkitCase.acquireSingleUserCaseWriteLock(), and org.sleuthkit.datamodel.SleuthkitCase.releaseSingleUserCaseWriteLock().

The documentation for this class was generated from the following file:

/home/carriersleuth/repos/sleuthkit/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java

Classes

Public Member Functions

Static Public Member Functions

Protected Member Functions

Detailed Description

Member Function Documentation