Exemple #1
0
  /** Search for the registry hives on the system. Mostly copied from RecentActivity */
  private static List<AbstractFile> findRegistryFiles() throws TskCoreException {
    List<AbstractFile> registryFiles = new ArrayList<AbstractFile>();
    org.sleuthkit.autopsy.casemodule.services.FileManager fileManager =
        Case.getCurrentCase().getServices().getFileManager();

    for (Content ds : Case.getCurrentCase().getDataSources()) {

      // find the user-specific ntuser-dat files
      registryFiles.addAll(fileManager.findFiles(ds, "ntuser.dat")); // NON-NLS

      // find the system hives
      String[] regFileNames = new String[] {"system", "software", "security", "sam"}; // NON-NLS
      for (String regFileName : regFileNames) {
        List<AbstractFile> allRegistryFiles =
            fileManager.findFiles(ds, regFileName, "/system32/config"); // NON-NLS
        for (AbstractFile regFile : allRegistryFiles) {
          // Don't want anything from regback
          if (!regFile.getParentPath().contains("RegBack")) { // NON-NLS
            registryFiles.add(regFile);
          }
        }
      }
    }

    return registryFiles;
  }
Exemple #2
0
  /**
   * Create a tag for an artifact with TSK_TAG_NAME as tagName.
   *
   * @param artifact to create tag for
   * @param tagName TSK_TAG_NAME
   * @param comment the tag comment or null if not present
   */
  public static void createTag(BlackboardArtifact artifact, String tagName, String comment) {
    try {
      Case currentCase = Case.getCurrentCase();
      SleuthkitCase skCase = currentCase.getSleuthkitCase();

      AbstractFile file = skCase.getAbstractFileById(artifact.getObjectID());
      final BlackboardArtifact bookArt =
          file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT);
      List<BlackboardAttribute> attrs = new ArrayList<BlackboardAttribute>();

      BlackboardAttribute attr1 =
          new BlackboardAttribute(
              BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(), "", tagName);

      if (comment != null && !comment.isEmpty()) {
        BlackboardAttribute attr2 =
            new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), "", comment);
        attrs.add(attr2);
      }

      BlackboardAttribute attr3 =
          new BlackboardAttribute(
              BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID(),
              "",
              artifact.getArtifactID());
      attrs.add(attr1);

      attrs.add(attr3);
      bookArt.addAttributes(attrs);
    } catch (TskCoreException ex) {
      logger.log(Level.SEVERE, "Failed to create tag for artifact " + artifact.getArtifactID());
    }
  }
  @Override
  public void startUp(IngestJobContext context) throws IngestModuleException {
    this.context = context;
    refCounter.incrementAndGet(context.getJobId());

    synchronized (SampleFileIngestModule.class) {
      if (attrId == -1) {
        // For this sample, make a new attribute type to use to post
        // results to the blackboard. There are many standard blackboard
        // artifact and attribute types and you should use them instead
        // creating new ones to facilitate use of your results by other
        // modules.
        Case autopsyCase = Case.getCurrentCase();
        SleuthkitCase sleuthkitCase = autopsyCase.getSleuthkitCase();
        try {
          // See if the attribute type has already been defined.
          attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE");
          if (attrId == -1) {
            attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute");
          }
        } catch (TskCoreException ex) {
          IngestServices ingestServices = IngestServices.getInstance();
          Logger logger = ingestServices.getLogger(SampleIngestModuleFactory.getModuleName());
          logger.log(Level.SEVERE, "Failed to create blackboard attribute", ex);
          attrId = -1;
          throw new IngestModuleException(ex.getLocalizedMessage());
        }
      }
    }
  }
 @Override
 public boolean canClose() {
   return !Case.existsCurrentCase()
       || Case.getCurrentCase().hasData()
           == false; // only allow this window to be closed when there's no case opened or no image
                     // in this case
 }
Exemple #5
0
  /**
   * Deletes the current opened case.
   *
   * @param e
   */
  @Override
  public void actionPerformed(ActionEvent e) {
    Logger.noteAction(this.getClass());

    Case currentCase = Case.getCurrentCase();
    File configFile = new File(currentCase.getConfigFilePath());
    File caseFolder = new File(configFile.getParent());
    String caseName = currentCase.getName();
    if (!caseFolder.exists()) {
      // throw an error

      logger.log(
          Level.WARNING,
          "Couldn't delete case.",
          new Exception("The case directory doesn't exist."));
    } else {
      // show the confirmation first to close the current case and open the "New Case" wizard panel
      String closeCurrentCase =
          "Are you sure want to close and delete this case? \n     Case Name: "
              + caseName
              + "\n     Case Directory: "
              + caseFolder.getPath();
      NotifyDescriptor d =
          new NotifyDescriptor.Confirmation(
              closeCurrentCase,
              "Warning: Closing the Current Case",
              NotifyDescriptor.YES_NO_OPTION,
              NotifyDescriptor.WARNING_MESSAGE);
      d.setValue(NotifyDescriptor.NO_OPTION);

      Object res = DialogDisplayer.getDefault().notify(d);
      if (res != null && res == DialogDescriptor.YES_OPTION) {
        boolean success = false;

        try {
          Case.getCurrentCase().deleteCase(caseFolder); // delete the current case
          success = true;
        } catch (CaseActionException ex) {
          logger.log(Level.WARNING, "Could not delete the case folder: " + caseFolder);
        }

        // show notification whether the case has been deleted or it failed to delete...
        if (!success) {
          JOptionPane.showMessageDialog(
              caller,
              "The delete action can't be fully completed because the folder or file in it is open by another program.\n \nClose the folder and file and try again or you can delete the case manually.",
              "Error: Folder In Use",
              JOptionPane.ERROR_MESSAGE); // throw an error
        } else {
          CasePropertiesAction
              .closeCasePropertiesWindow(); // because the "Delete Case" button is in the
                                            // "CaseProperties" window, we have to close that window
                                            // when we delete the case.
          JOptionPane.showMessageDialog(caller, "Case " + caseName + " has been deleted.");
        }
      }
    }
  }
Exemple #6
0
 /**
  * Get a list of all the bookmarks.
  *
  * @return a list of all bookmark artifacts
  */
 static List<BlackboardArtifact> getBookmarks() {
   try {
     Case currentCase = Case.getCurrentCase();
     SleuthkitCase skCase = currentCase.getSleuthkitCase();
     return skCase.getBlackboardArtifacts(
         BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME, Tags.BOOKMARK_TAG_NAME);
   } catch (TskCoreException ex) {
     logger.log(Level.SEVERE, "Failed to get list of artifacts from the case.");
   }
   return new ArrayList<BlackboardArtifact>();
 }
  @SuppressWarnings("deprecation")
  protected void initialize() {
    followUpToggle.setOnAction(
        (ActionEvent t) -> {
          if (followUpToggle.isSelected() == true) {
            globalSelectionModel.clearAndSelect(fileID);
            try {
              AddDrawableTagAction.getInstance().addTag(TagUtils.getFollowUpTagName(), "");
            } catch (TskCoreException ex) {
              LOGGER.log(Level.SEVERE, "Failed to add follow up tag.  Could not load TagName.", ex);
            }
          } else {
            // TODO: convert this to an action!
            final ImageGalleryController controller = ImageGalleryController.getDefault();
            try {
              // remove file from old category group
              controller
                  .getGroupManager()
                  .removeFromGroup(
                      new GroupKey<TagName>(DrawableAttribute.TAGS, TagUtils.getFollowUpTagName()),
                      fileID);

              List<ContentTag> contentTagsByContent =
                  Case.getCurrentCase()
                      .getServices()
                      .getTagsManager()
                      .getContentTagsByContent(file);
              for (ContentTag ct : contentTagsByContent) {
                if (ct.getName()
                    .getDisplayName()
                    .equals(TagUtils.getFollowUpTagName().getDisplayName())) {
                  Case.getCurrentCase().getServices().getTagsManager().deleteContentTag(ct);
                }
              }
              IngestServices.getInstance()
                  .fireModuleDataEvent(
                      new ModuleDataEvent(
                          "TagAction", BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE)); // NON-NLS
              controller
                  .getGroupManager()
                  .handleFileUpdate(
                      FileUpdateEvent.newUpdateEvent(
                          Collections.singleton(fileID), DrawableAttribute.TAGS));
            } catch (TskCoreException ex) {
              LOGGER.log(Level.SEVERE, "Failed to delete follow up tag.", ex);
            }
          }
        });
  }
  @Override
  public synchronized void setFile(final Long fileID) {
    if (Objects.equals(fileID, this.fileID) == false) {
      this.fileID = fileID;
      disposeContent();

      if (this.fileID == null || Case.isCaseOpen() == false) {
        if (registered == true) {
          ImageGalleryController.getDefault().getCategoryManager().unregisterListener(this);
          TagUtils.unregisterListener(this);
          registered = false;
        }
        file = null;
        Platform.runLater(
            () -> {
              clearContent();
            });
      } else {
        if (registered == false) {
          ImageGalleryController.getDefault().getCategoryManager().registerListener(this);
          TagUtils.registerListener(this);
          registered = true;
        }
        file = null;
        getFile();
        updateSelectionState();
        updateCategoryBorder();
        updateFollowUpIcon();
        updateUI();
        Platform.runLater(getContentUpdateRunnable());
      }
    }
  }
 /**
  * get the BlackboardArtifactTag that was added by its id
  *
  * @return BlackboardArtifactTag that was added
  * @throws IllegalStateException
  * @throws TskCoreException
  */
 @Override
 BlackboardArtifactTag getTagByID() throws IllegalStateException, TskCoreException {
   return Case.getCurrentCase()
       .getServices()
       .getTagsManager()
       .getBlackboardArtifactTagByTagID(getTagID());
 }
Exemple #10
0
 // case name change helper
 private static void doCaseNameChange(String newCaseName) {
   // update case name
   if (!newCaseName.equals("")) {
     Frame f = WindowManager.getDefault().getMainWindow();
     f.setTitle(newCaseName + " - " + Case.getAppName()); // set the window name to the new value
   }
 }
Exemple #11
0
 // delete image helper
 private void doDeleteImage() {
   // no more image left in this case
   if (currentCase.getRootObjectsCount() == 0) {
     // close all top components
     CoreComponentControl.closeCoreWindows();
   }
 }
Exemple #12
0
  /**
   * Copy all registry hives to the temp directory and return the list of created files.
   *
   * @return Paths to copied registry files.
   */
  public static List<RegistryFileInfo> copyRegistryFiles() throws TskCoreException {

    // First get all the abstract files
    List<AbstractFile> regFilesAbstract = findRegistryFiles();

    // List to hold all the extracted file names plus their abstract file
    List<RegistryFileInfo> regFilesLocal = new ArrayList<RegistryFileInfo>();

    // Make the temp directory
    String tmpDir = Case.getCurrentCase().getTempDirectory() + File.separator + "STIX"; // NON-NLS
    File dir = new File(tmpDir);
    if (dir.exists() == false) {
      dir.mkdirs();
    }

    long index = 1;
    for (AbstractFile regFile : regFilesAbstract) {
      String regFileName = regFile.getName();
      String regFileNameLocal = tmpDir + File.separator + regFileName + "_" + index;
      File regFileNameLocalFile = new File(regFileNameLocal);
      try {
        // Don't save any unallocated versions
        if (regFile.getMetaFlagsAsString().contains("Allocated")) { // NON-NLS
          ContentUtils.writeToFile(regFile, regFileNameLocalFile);
          regFilesLocal.add(new EvalRegistryObj().new RegistryFileInfo(regFile, regFileNameLocal));
        }
      } catch (IOException ex) {
        throw new TskCoreException(ex.getLocalizedMessage());
      }
      index++;
    }

    return regFilesLocal;
  }
Exemple #13
0
  /**
   * Creates a new case (create the XML config file and database)
   *
   * @param caseDir The directory to store case data in. Will be created if it doesn't already
   *     exist. If it exists, it should have all of the needed sub dirs that createCaseDirectory()
   *     will create.
   * @param caseName the name of case
   * @param caseNumber the case number
   * @param examiner the examiner for this case
   */
  public static void create(String caseDir, String caseName, String caseNumber, String examiner)
      throws CaseActionException {
    logger.log(
        Level.INFO,
        "Creating new case.\ncaseDir: {0}\ncaseName: {1}",
        new Object[] {caseDir, caseName});

    // create case directory if it doesn't already exist.
    if (new File(caseDir).exists() == false) {
      Case.createCaseDirectory(caseDir);
    }

    String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION;

    XMLCaseManagement xmlcm = new XMLCaseManagement();
    xmlcm.create(caseDir, caseName, examiner, caseNumber); // create a new XML config file
    xmlcm.writeFile();

    String dbPath = caseDir + File.separator + "autopsy.db";
    SleuthkitCase db = null;
    try {
      db = SleuthkitCase.newCase(dbPath);
    } catch (TskCoreException ex) {
      logger.log(Level.SEVERE, "Error creating a case: " + caseName + " in dir " + caseDir, ex);
      throw new CaseActionException(
          "Error creating a case: " + caseName + " in dir " + caseDir, ex);
    }

    Case newCase = new Case(caseName, caseNumber, examiner, configFilePath, xmlcm, db);

    changeCase(newCase);
  }
Exemple #14
0
  // case change helper
  private static void doCaseChange(Case toChangeTo) {
    logger.log(Level.INFO, "Changing Case to: " + toChangeTo);
    if (toChangeTo != null) { // new case is open

      // clear the temp folder when the case is created / opened
      Case.clearTempFolder();
      checkSubFolders(toChangeTo);

      // enable these menus
      CallableSystemAction.get(AddImageAction.class).setEnabled(true);
      CallableSystemAction.get(CaseCloseAction.class).setEnabled(true);
      CallableSystemAction.get(CasePropertiesAction.class).setEnabled(true);
      CallableSystemAction.get(CaseDeleteAction.class).setEnabled(true); // Delete Case menu

      if (toChangeTo.getRootObjectsCount() > 0) {
        // open all top components
        CoreComponentControl.openCoreWindows();
      } else {
        // close all top components
        CoreComponentControl.closeCoreWindows();
      }
    } else { // case is closed
      // close all top components first
      CoreComponentControl.closeCoreWindows();

      // disable these menus
      CallableSystemAction.get(AddImageAction.class).setEnabled(false); // Add Image menu
      CallableSystemAction.get(CaseCloseAction.class).setEnabled(false); // Case Close menu
      CallableSystemAction.get(CasePropertiesAction.class)
          .setEnabled(false); // Case Properties menu
      CallableSystemAction.get(CaseDeleteAction.class).setEnabled(false); // Delete Case menu

      // clear pending notifications
      MessageNotifyUtil.Notify.clear();

      Frame f = WindowManager.getDefault().getMainWindow();
      f.setTitle(Case.getAppName()); // set the window name to just application name

      // try to force gc to happen
      System.gc();
      System.gc();
    }

    // log memory usage after case changed
    logger.log(Level.INFO, PlatformUtil.getAllMemUsageInfo());
  }
  @Override
  public JComponent[] getMenuPresenters() {
    List<DataContentTopComponent> newWindowLists = DataContentTopComponent.getNewWindowList();

    // Get DataContent provider to include in the menu
    int totalItems = newWindowLists.size() > 0 ? 2 : 1;
    JComponent[] comps = new JComponent[totalItems];
    int counter = 0;

    TopComponent contentWin = DataContentTopComponent.findInstance();
    JMenuItem defaultItem = new JMenuItem(contentWin.getName()); // set the main name

    defaultItem.addActionListener(new OpenTopComponentAction(contentWin));

    if (!Case.isCaseOpen() || Case.getCurrentCase().hasData() == false) {
      defaultItem.setEnabled(false); // disable the menu items when no case is opened
    } else {
      defaultItem.setEnabled(true); // enable the menu items when there's a case opened / created
    }

    comps[counter++] = defaultItem;

    // add the submenu
    if (newWindowLists != null) {
      if (newWindowLists.size() > 0) {

        JMenu submenu =
            new JMenu(
                NbBundle.getMessage(
                    this.getClass(), "DataContentDynamicMenu.menu.dataContentWin.text"));
        for (int i = 0; i < newWindowLists.size(); i++) {
          DataContentTopComponent dctc = newWindowLists.get(i);
          JMenuItem item = new JMenuItem(dctc.getName());
          item.addActionListener(new OpenTopComponentAction(dctc));
          submenu.add(item);
        }

        comps[counter++] = submenu;
      }
    }

    return comps;
  }
Exemple #16
0
 private void setMonitorDir() {
   String caseDir = Case.getCurrentCase().getCaseDirectory();
   File curDir = new File(caseDir);
   File tempF = null;
   while ((tempF = curDir.getParentFile()) != null) {
     curDir = tempF;
   }
   root = curDir;
   logger.log(Level.INFO, "Monitoring disk space of case root: " + curDir.getAbsolutePath());
 }
Exemple #17
0
            @Override
            public void propertyChange(PropertyChangeEvent evt) {
              String eventType = evt.getPropertyName();

              if (eventType.equals(IngestManager.IngestModuleEvent.CONTENT_CHANGED.toString())) {
                /**
                 * Checking for a current case is a stop gap measure until a different way of
                 * handling the closing of cases is worked out. Currently, remote events may be
                 * received for a case that is already closed.
                 */
                try {
                  // new file was added
                  // @@@ could check the size here and only fire off updates if we know the file
                  // meets the min size criteria
                  Case.getCurrentCase();
                  update();
                } catch (IllegalStateException notUsed) {
                  /** Case is closed, do nothing. */
                }
              } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())
                  || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())
                  || eventType.equals(Case.Events.DATA_SOURCE_ADDED.toString())) {
                /**
                 * Checking for a current case is a stop gap measure until a different way of
                 * handling the closing of cases is worked out. Currently, remote events may be
                 * received for a case that is already closed.
                 */
                try {
                  Case.getCurrentCase();
                  update();
                } catch (IllegalStateException notUsed) {
                  /** Case is closed, do nothing. */
                }
              } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {
                // case was closed. Remove listeners so that we don't get called with a stale case
                // handle
                if (evt.getNewValue() == null) {
                  removeListeners();
                }
              }
            }
  /**
   * Initializes the service for new ingest run Sets up threads, timers, retrieves settings, keyword
   * lists to run on
   *
   * @param managerProxy
   */
  @Override
  public void init(IngestManagerProxy managerProxy) {
    logger.log(Level.INFO, "init()");
    initialized = false;

    caseHandle = Case.getCurrentCase().getSleuthkitCase();

    this.managerProxy = managerProxy;

    Server solrServer = KeywordSearch.getServer();

    ingester = solrServer.getIngester();

    ingestStatus = new HashMap<Long, IngestStatus>();

    keywords = new ArrayList<Keyword>();
    keywordLists = new ArrayList<String>();
    keywordToList = new HashMap<String, KeywordSearchList>();

    initKeywords();

    if (keywords.isEmpty() || keywordLists.isEmpty()) {
      managerProxy.postMessage(
          IngestMessage.createWarningMessage(
              ++messageID,
              instance,
              "No keywords in keyword list.",
              "Only indexing will be done and and keyword search will be skipped (it can be executed later again as ingest or using toolbar search feature)."));
    }

    processedFiles = false;
    finalSearcherDone = false;
    searcherDone = true; // make sure to start the initial currentSearcher
    // keeps track of all results per run not to repeat reporting the same hits
    currentResults = new HashMap<Keyword, List<ContentHit>>();

    indexer = new Indexer();

    final int updateIntervalMs = managerProxy.getUpdateFrequency() * 60 * 1000;
    logger.log(Level.INFO, "Using commit interval (ms): " + updateIntervalMs);
    logger.log(Level.INFO, "Using searcher interval (ms): " + updateIntervalMs);

    commitTimer = new Timer(updateIntervalMs, new CommitTimerAction());
    searchTimer = new Timer(updateIntervalMs, new SearchTimerAction());

    initialized = true;

    commitTimer.start();
    searchTimer.start();

    managerProxy.postMessage(
        IngestMessage.createMessage(++messageID, MessageType.INFO, this, "Started"));
  }
Exemple #19
0
  /**
   * Get a list of all the tag names. Uses a custom query for speed when dealing with thousands of
   * Tags.
   *
   * @return a list of all tag names.
   */
  @SuppressWarnings("deprecation")
  public static List<String> getTagNames() {
    Case currentCase = Case.getCurrentCase();
    SleuthkitCase skCase = currentCase.getSleuthkitCase();
    List<String> names = new ArrayList<>();

    ResultSet rs = null;
    try {
      rs =
          skCase.runQuery(
              "SELECT value_text"
                  + " FROM blackboard_attributes"
                  + " WHERE attribute_type_id = "
                  + ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID()
                  + " GROUP BY value_text"
                  + " ORDER BY value_text");
      while (rs.next()) {
        names.add(rs.getString("value_text"));
      }
    } catch (SQLException ex) {
      logger.log(Level.SEVERE, "Failed to query the blackboard for tag names.");
    } finally {
      if (rs != null) {
        try {
          skCase.closeRunQuery(rs);
        } catch (SQLException ex) {
          logger.log(Level.SEVERE, "Failed to close the query for blackboard for tag names.");
        }
      }
    }

    // add the 'Bookmark' tag, if it's not already in the list
    if (!names.contains(BOOKMARK_TAG_NAME)) {
      names.add(BOOKMARK_TAG_NAME);
    }

    return names;
  }
Exemple #20
0
  /**
   * Get the artifact for a result tag.
   *
   * @param tagArtifactId artifact id of the tag
   * @return the tag's artifact
   */
  static BlackboardArtifact getArtifactFromTag(long tagArtifactId) {
    try {
      Case currentCase = Case.getCurrentCase();
      SleuthkitCase skCase = currentCase.getSleuthkitCase();

      BlackboardArtifact artifact = skCase.getBlackboardArtifact(tagArtifactId);
      if (artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID()
          || artifact.getArtifactTypeID()
              == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) {
        List<BlackboardAttribute> attributes = artifact.getAttributes();
        for (BlackboardAttribute att : attributes) {
          if (att.getAttributeTypeID()
              == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID()) {
            return skCase.getBlackboardArtifact(att.getValueLong());
          }
        }
      }
    } catch (TskCoreException ex) {
      logger.log(Level.SEVERE, "Failed to get artifact " + tagArtifactId + " from case.");
    }

    return null;
  }
Exemple #21
0
  /**
   * Looks up the tag names associated with either a tagged artifact or a tag artifact.
   *
   * @param artifactID The ID of the artifact
   * @param artifactTypeID The ID of the artifact type
   * @return A set of unique tag names
   */
  public static HashSet<String> getUniqueTagNames(long artifactID, int artifactTypeID) {
    HashSet<String> tagNames = new HashSet<>();

    try {
      ArrayList<Long> tagArtifactIDs = new ArrayList<>();
      if (artifactTypeID == ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID()
          || artifactTypeID == ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) {
        tagArtifactIDs.add(artifactID);
      } else {
        List<BlackboardArtifact> tags =
            Case.getCurrentCase()
                .getSleuthkitCase()
                .getBlackboardArtifacts(ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT, artifactID);
        for (BlackboardArtifact tag : tags) {
          tagArtifactIDs.add(tag.getArtifactID());
        }
      }

      for (Long tagArtifactID : tagArtifactIDs) {
        String whereClause =
            "WHERE artifact_id = "
                + tagArtifactID
                + " AND attribute_type_id = "
                + ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID();
        List<BlackboardAttribute> attributes =
            Case.getCurrentCase().getSleuthkitCase().getMatchingAttributes(whereClause);
        for (BlackboardAttribute attr : attributes) {
          tagNames.add(attr.getValueString());
        }
      }
    } catch (TskCoreException ex) {
      logger.log(Level.SEVERE, "Failed to get tags for artifact " + artifactID, ex);
    }

    return tagNames;
  }
Exemple #22
0
 private static void clearTempFolder() {
   File tempFolder = new File(currentCase.getTempDirectory());
   if (tempFolder.isDirectory()) {
     File[] files = tempFolder.listFiles();
     if (files.length > 0) {
       for (int i = 0; i < files.length; i++) {
         if (files[i].isDirectory()) {
           deleteCaseDirectory(files[i]);
         } else {
           files[i].delete();
         }
       }
     }
   }
 }
Exemple #23
0
  /**
   * Delete this case. This methods delete all folders and files of this case.
   *
   * @param caseDir case dir to delete
   * @throws CaseActionException exception throw if case could not be deleted
   */
  void deleteCase(File caseDir) throws CaseActionException {
    logger.log(Level.INFO, "Deleting case.\ncaseDir: {0}", caseDir);

    try {

      xmlcm.close(); // close the xmlcm
      boolean result = deleteCaseDirectory(caseDir); // delete the directory

      RecentCases.getInstance()
          .removeRecentCase(this.name, this.configFilePath); // remove it from the recent case
      Case.changeCase(null);
      if (result == false) {
        throw new CaseActionException("Error deleting the case dir: " + caseDir);
      }
    } catch (Exception ex) {
      logger.log(Level.SEVERE, "Error deleting the current case dir: " + caseDir, ex);
      throw new CaseActionException("Error deleting the case dir: " + caseDir, ex);
    }
  }
Exemple #24
0
  /**
   * Check for existence of certain case sub dirs and create them if needed.
   *
   * @param openedCase
   */
  private static void checkSubFolders(Case openedCase) {
    String modulesOutputDir = openedCase.getModulesOutputDirAbsPath();
    File modulesOutputDirF = new File(modulesOutputDir);
    if (!modulesOutputDirF.exists()) {
      logger.log(Level.INFO, "Creating modules output dir for the case.");

      try {
        if (!modulesOutputDirF.mkdir()) {
          logger.log(
              Level.SEVERE,
              "Error creating modules output dir for the case, dir: " + modulesOutputDir);
        }
      } catch (SecurityException e) {
        logger.log(
            Level.SEVERE,
            "Error creating modules output dir for the case, dir: " + modulesOutputDir,
            e);
      }
    }
  }
Exemple #25
0
    MonitorAction() {
      // find drive where case is located
      setMonitorDir();

      // update monitor dir if case changed
      Case.addPropertyChangeListener(
          new PropertyChangeListener() {
            @Override
            public void propertyChange(PropertyChangeEvent evt) {
              String changed = evt.getPropertyName();
              Object newValue = evt.getNewValue();

              if (changed.equals(Case.CASE_CURRENT_CASE)) {
                if (newValue != null) {
                  setMonitorDir();
                }
              }
            }
          });
    }
 /** Make this TopComponent a listener to various change events. */
 private void subscribeToChangeEvents() {
   UserPreferences.addChangeListener(
       new PreferenceChangeListener() {
         @Override
         public void preferenceChange(PreferenceChangeEvent evt) {
           switch (evt.getKey()) {
             case UserPreferences.HIDE_KNOWN_FILES_IN_DATA_SOURCES_TREE:
               refreshContentTreeSafe();
               break;
             case UserPreferences.HIDE_KNOWN_FILES_IN_VIEWS_TREE:
               // TODO: Need a way to refresh the Views subtree
               break;
           }
         }
       });
   Case.addPropertyChangeListener(this);
   this.em.addPropertyChangeListener(this);
   IngestManager.getInstance().addIngestJobEventListener(this);
   IngestManager.getInstance().addIngestModuleEventListener(this);
 }
Exemple #27
0
public abstract class Extract implements IngestModuleImage {

  protected Case currentCase = Case.getCurrentCase(); // get the most updated case
  protected SleuthkitCase tskCase = currentCase.getSleuthkitCase();
  public final Logger logger = Logger.getLogger(this.getClass().getName());
  protected final ArrayList<String> errorMessages = new ArrayList<String>();
  protected String moduleName = "";

  // hide public constructor to prevent from instantiation by ingest module loader
  Extract() {}

  List<String> getErrorMessages() {
    return errorMessages;
  }

  /**
   * Returns a List of FsContent objects from TSK based on sql query.
   *
   * @param image is a Image object that denotes which image to get the files from
   * @param query is a sql string query that is to be run
   * @return FFSqlitedb is a List of FsContent objects
   */
  @SuppressWarnings("deprecation")
  public List<FsContent> extractFiles(Image image, String query) {

    Collection<FileSystem> imageFS = tskCase.getFileSystems(image);
    List<String> fsIds = new LinkedList<String>();
    for (FileSystem img : imageFS) {
      Long tempID = img.getId();
      fsIds.add(tempID.toString());
    }

    String allFS = new String();
    for (int i = 0; i < fsIds.size(); i++) {
      if (i == 0) {
        allFS += " AND (0";
      }
      allFS += " OR fs_obj_id = '" + fsIds.get(i) + "'";
      if (i == fsIds.size() - 1) {
        allFS += ")";
      }
    }
    List<FsContent> FFSqlitedb = null;
    ResultSet rs = null;
    try {
      rs = tskCase.runQuery(query + allFS);
      FFSqlitedb = tskCase.resultSetToFsContents(rs);
    } catch (SQLException ex) {
      logger.log(
          Level.SEVERE, "Error while trying to extract files for:" + this.getClass().getName(), ex);
      this.addErrorMessage(this.getName() + ": Error while trying to extract files to analyze.");
    } finally {
      if (rs != null) {
        try {
          tskCase.closeRunQuery(rs);
        } catch (SQLException ex) {
          logger.log(
              Level.SEVERE,
              "Error while trying to close result set after extract files for:"
                  + this.getClass().getName(),
              ex);
        }
      }
    }
    return FFSqlitedb;
  }

  /**
   * Generic method for adding a blackboard artifact to the blackboard
   *
   * @param type is a blackboard.artifact_type enum to determine which type the artifact should be
   * @param content is the FsContent object that needs to have the artifact added for it
   * @param bbattributes is the collection of blackboard attributes that need to be added to the
   *     artifact after the artifact has been created
   */
  public void addArtifact(
      BlackboardArtifact.ARTIFACT_TYPE type,
      FsContent content,
      Collection<BlackboardAttribute> bbattributes) {

    try {
      BlackboardArtifact bbart = content.newArtifact(type);
      bbart.addAttributes(bbattributes);
    } catch (TskException ex) {
      logger.log(Level.SEVERE, "Error while trying to add an artifact: " + ex);
    }
  }

  /**
   * Returns a List from a result set based on sql query.
   *
   * @param path is the string path to the sqlite db file
   * @param query is a sql string query that is to be run
   * @return list is the ArrayList that contains the resultset information in it that the query
   *     obtained
   */
  public List<HashMap<String, Object>> dbConnect(String path, String query) {
    ResultSet temprs = null;
    List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>();
    String connectionString = "jdbc:sqlite:" + path;
    try {
      SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString);
      temprs = tempdbconnect.executeQry(query);
      list = this.resultSetToArrayList(temprs);
      tempdbconnect.closeConnection();
    } catch (SQLException ex) {
      logger.log(
          Level.SEVERE, "Error while trying to read into a sqlite db." + connectionString, ex);
      return Collections.<HashMap<String, Object>>emptyList();
    }
    return list;
  }

  /**
   * Returns a List of FsContent objects from TSK based on sql query.
   *
   * @param rs is the resultset that needs to be converted to an arraylist
   * @return list returns the arraylist built from the converted resultset
   */
  public List<HashMap<String, Object>> resultSetToArrayList(ResultSet rs) throws SQLException {
    ResultSetMetaData md = rs.getMetaData();
    int columns = md.getColumnCount();
    List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>(50);
    while (rs.next()) {
      HashMap<String, Object> row = new HashMap<String, Object>(columns);
      for (int i = 1; i <= columns; ++i) {
        if (rs.getObject(i) == null) {
          row.put(md.getColumnName(i), "");
        } else {
          row.put(md.getColumnName(i), rs.getObject(i));
        }
      }
      list.add(row);
    }

    return list;
  }
  /**
   * Returns a List of string error messages from the inheriting class
   *
   * @return errorMessages returns all error messages logged
   */
  public ArrayList<String> getErrorMessage() {
    return errorMessages;
  }

  /**
   * Adds a string to the error message list
   *
   * @param message is an error message represented as a string
   */
  public void addErrorMessage(String message) {
    errorMessages.add(message);
  }

  /**
   * Returns the name of the inheriting class
   *
   * @return Gets the moduleName set in the moduleName data member
   */
  public String getName() {
    return moduleName;
  }
}
Exemple #28
0
 private void removeListeners() {
   deleteObservers();
   IngestManager.getInstance().removeIngestJobEventListener(pcl);
   IngestManager.getInstance().removeIngestModuleEventListener(pcl);
   Case.removePropertyChangeListener(pcl);
 }
Exemple #29
0
 FileSizeRootChildrenObservable() {
   IngestManager.getInstance().addIngestJobEventListener(pcl);
   IngestManager.getInstance().addIngestModuleEventListener(pcl);
   Case.addPropertyChangeListener(pcl);
 }
Exemple #30
0
 /**
  * Get the cached file of the content object with the given id.
  *
  * <p>The returned file may not exist.
  *
  * @param id
  * @return
  */
 public static File getFile(long id) {
   return new File(Case.getCurrentCase().getCacheDirectory() + File.separator + id + ".png");
 }