Esempio n. 1
0
  /**
   * Create a tag for an artifact with TSK_TAG_NAME as tagName.
   *
   * @param artifact to create tag for
   * @param tagName TSK_TAG_NAME
   * @param comment the tag comment or null if not present
   */
  public static void createTag(BlackboardArtifact artifact, String tagName, String comment) {
    try {
      Case currentCase = Case.getCurrentCase();
      SleuthkitCase skCase = currentCase.getSleuthkitCase();

      AbstractFile file = skCase.getAbstractFileById(artifact.getObjectID());
      final BlackboardArtifact bookArt =
          file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT);
      List<BlackboardAttribute> attrs = new ArrayList<BlackboardAttribute>();

      BlackboardAttribute attr1 =
          new BlackboardAttribute(
              BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(), "", tagName);

      if (comment != null && !comment.isEmpty()) {
        BlackboardAttribute attr2 =
            new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), "", comment);
        attrs.add(attr2);
      }

      BlackboardAttribute attr3 =
          new BlackboardAttribute(
              BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID(),
              "",
              artifact.getArtifactID());
      attrs.add(attr1);

      attrs.add(attr3);
      bookArt.addAttributes(attrs);
    } catch (TskCoreException ex) {
      logger.log(Level.SEVERE, "Failed to create tag for artifact " + artifact.getArtifactID());
    }
  }
Esempio n. 2
0
  @Override
  public void startUp(IngestJobContext context) throws IngestModuleException {
    this.context = context;
    refCounter.incrementAndGet(context.getJobId());

    synchronized (SampleFileIngestModule.class) {
      if (attrId == -1) {
        // For this sample, make a new attribute type to use to post
        // results to the blackboard. There are many standard blackboard
        // artifact and attribute types and you should use them instead
        // creating new ones to facilitate use of your results by other
        // modules.
        Case autopsyCase = Case.getCurrentCase();
        SleuthkitCase sleuthkitCase = autopsyCase.getSleuthkitCase();
        try {
          // See if the attribute type has already been defined.
          attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE");
          if (attrId == -1) {
            attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute");
          }
        } catch (TskCoreException ex) {
          IngestServices ingestServices = IngestServices.getInstance();
          Logger logger = ingestServices.getLogger(SampleIngestModuleFactory.getModuleName());
          logger.log(Level.SEVERE, "Failed to create blackboard attribute", ex);
          attrId = -1;
          throw new IngestModuleException(ex.getLocalizedMessage());
        }
      }
    }
  }
Esempio n. 3
0
 /**
  * Get a list of all the bookmarks.
  *
  * @return a list of all bookmark artifacts
  */
 static List<BlackboardArtifact> getBookmarks() {
   try {
     Case currentCase = Case.getCurrentCase();
     SleuthkitCase skCase = currentCase.getSleuthkitCase();
     return skCase.getBlackboardArtifacts(
         BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME, Tags.BOOKMARK_TAG_NAME);
   } catch (TskCoreException ex) {
     logger.log(Level.SEVERE, "Failed to get list of artifacts from the case.");
   }
   return new ArrayList<BlackboardArtifact>();
 }
Esempio n. 4
0
  /**
   * Get a list of all the tag names. Uses a custom query for speed when dealing with thousands of
   * Tags.
   *
   * @return a list of all tag names.
   */
  @SuppressWarnings("deprecation")
  public static List<String> getTagNames() {
    Case currentCase = Case.getCurrentCase();
    SleuthkitCase skCase = currentCase.getSleuthkitCase();
    List<String> names = new ArrayList<>();

    ResultSet rs = null;
    try {
      rs =
          skCase.runQuery(
              "SELECT value_text"
                  + " FROM blackboard_attributes"
                  + " WHERE attribute_type_id = "
                  + ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID()
                  + " GROUP BY value_text"
                  + " ORDER BY value_text");
      while (rs.next()) {
        names.add(rs.getString("value_text"));
      }
    } catch (SQLException ex) {
      logger.log(Level.SEVERE, "Failed to query the blackboard for tag names.");
    } finally {
      if (rs != null) {
        try {
          skCase.closeRunQuery(rs);
        } catch (SQLException ex) {
          logger.log(Level.SEVERE, "Failed to close the query for blackboard for tag names.");
        }
      }
    }

    // add the 'Bookmark' tag, if it's not already in the list
    if (!names.contains(BOOKMARK_TAG_NAME)) {
      names.add(BOOKMARK_TAG_NAME);
    }

    return names;
  }
Esempio n. 5
0
  /**
   * Get the artifact for a result tag.
   *
   * @param tagArtifactId artifact id of the tag
   * @return the tag's artifact
   */
  static BlackboardArtifact getArtifactFromTag(long tagArtifactId) {
    try {
      Case currentCase = Case.getCurrentCase();
      SleuthkitCase skCase = currentCase.getSleuthkitCase();

      BlackboardArtifact artifact = skCase.getBlackboardArtifact(tagArtifactId);
      if (artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID()
          || artifact.getArtifactTypeID()
              == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) {
        List<BlackboardAttribute> attributes = artifact.getAttributes();
        for (BlackboardAttribute att : attributes) {
          if (att.getAttributeTypeID()
              == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID()) {
            return skCase.getBlackboardArtifact(att.getValueLong());
          }
        }
      }
    } catch (TskCoreException ex) {
      logger.log(Level.SEVERE, "Failed to get artifact " + tagArtifactId + " from case.");
    }

    return null;
  }
Esempio n. 6
0
public abstract class Extract implements IngestModuleImage {

  protected Case currentCase = Case.getCurrentCase(); // get the most updated case
  protected SleuthkitCase tskCase = currentCase.getSleuthkitCase();
  public final Logger logger = Logger.getLogger(this.getClass().getName());
  protected final ArrayList<String> errorMessages = new ArrayList<String>();
  protected String moduleName = "";

  // hide public constructor to prevent from instantiation by ingest module loader
  Extract() {}

  List<String> getErrorMessages() {
    return errorMessages;
  }

  /**
   * Returns a List of FsContent objects from TSK based on sql query.
   *
   * @param image is a Image object that denotes which image to get the files from
   * @param query is a sql string query that is to be run
   * @return FFSqlitedb is a List of FsContent objects
   */
  @SuppressWarnings("deprecation")
  public List<FsContent> extractFiles(Image image, String query) {

    Collection<FileSystem> imageFS = tskCase.getFileSystems(image);
    List<String> fsIds = new LinkedList<String>();
    for (FileSystem img : imageFS) {
      Long tempID = img.getId();
      fsIds.add(tempID.toString());
    }

    String allFS = new String();
    for (int i = 0; i < fsIds.size(); i++) {
      if (i == 0) {
        allFS += " AND (0";
      }
      allFS += " OR fs_obj_id = '" + fsIds.get(i) + "'";
      if (i == fsIds.size() - 1) {
        allFS += ")";
      }
    }
    List<FsContent> FFSqlitedb = null;
    ResultSet rs = null;
    try {
      rs = tskCase.runQuery(query + allFS);
      FFSqlitedb = tskCase.resultSetToFsContents(rs);
    } catch (SQLException ex) {
      logger.log(
          Level.SEVERE, "Error while trying to extract files for:" + this.getClass().getName(), ex);
      this.addErrorMessage(this.getName() + ": Error while trying to extract files to analyze.");
    } finally {
      if (rs != null) {
        try {
          tskCase.closeRunQuery(rs);
        } catch (SQLException ex) {
          logger.log(
              Level.SEVERE,
              "Error while trying to close result set after extract files for:"
                  + this.getClass().getName(),
              ex);
        }
      }
    }
    return FFSqlitedb;
  }

  /**
   * Generic method for adding a blackboard artifact to the blackboard
   *
   * @param type is a blackboard.artifact_type enum to determine which type the artifact should be
   * @param content is the FsContent object that needs to have the artifact added for it
   * @param bbattributes is the collection of blackboard attributes that need to be added to the
   *     artifact after the artifact has been created
   */
  public void addArtifact(
      BlackboardArtifact.ARTIFACT_TYPE type,
      FsContent content,
      Collection<BlackboardAttribute> bbattributes) {

    try {
      BlackboardArtifact bbart = content.newArtifact(type);
      bbart.addAttributes(bbattributes);
    } catch (TskException ex) {
      logger.log(Level.SEVERE, "Error while trying to add an artifact: " + ex);
    }
  }

  /**
   * Returns a List from a result set based on sql query.
   *
   * @param path is the string path to the sqlite db file
   * @param query is a sql string query that is to be run
   * @return list is the ArrayList that contains the resultset information in it that the query
   *     obtained
   */
  public List<HashMap<String, Object>> dbConnect(String path, String query) {
    ResultSet temprs = null;
    List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>();
    String connectionString = "jdbc:sqlite:" + path;
    try {
      SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString);
      temprs = tempdbconnect.executeQry(query);
      list = this.resultSetToArrayList(temprs);
      tempdbconnect.closeConnection();
    } catch (SQLException ex) {
      logger.log(
          Level.SEVERE, "Error while trying to read into a sqlite db." + connectionString, ex);
      return Collections.<HashMap<String, Object>>emptyList();
    }
    return list;
  }

  /**
   * Returns a List of FsContent objects from TSK based on sql query.
   *
   * @param rs is the resultset that needs to be converted to an arraylist
   * @return list returns the arraylist built from the converted resultset
   */
  public List<HashMap<String, Object>> resultSetToArrayList(ResultSet rs) throws SQLException {
    ResultSetMetaData md = rs.getMetaData();
    int columns = md.getColumnCount();
    List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>(50);
    while (rs.next()) {
      HashMap<String, Object> row = new HashMap<String, Object>(columns);
      for (int i = 1; i <= columns; ++i) {
        if (rs.getObject(i) == null) {
          row.put(md.getColumnName(i), "");
        } else {
          row.put(md.getColumnName(i), rs.getObject(i));
        }
      }
      list.add(row);
    }

    return list;
  }
  /**
   * Returns a List of string error messages from the inheriting class
   *
   * @return errorMessages returns all error messages logged
   */
  public ArrayList<String> getErrorMessage() {
    return errorMessages;
  }

  /**
   * Adds a string to the error message list
   *
   * @param message is an error message represented as a string
   */
  public void addErrorMessage(String message) {
    errorMessages.add(message);
  }

  /**
   * Returns the name of the inheriting class
   *
   * @return Gets the moduleName set in the moduleName data member
   */
  public String getName() {
    return moduleName;
  }
}
  /**
   * Called only when top component was closed on all workspaces before and now is opened for the
   * first time on some workspace. The intent is to provide subclasses information about
   * TopComponent's life cycle across all existing workspaces. Subclasses will usually perform
   * initializing tasks here.
   */
  @Override
  public void componentOpened() {
    // change the cursor to "waiting cursor" for this operation
    this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
    try {
      if (Case.existsCurrentCase()) {
        Case currentCase = Case.getCurrentCase();

        // close the top component if there's no image in this case
        if (currentCase.hasData() == false) {
          // this.close();
          ((BeanTreeView) this.jScrollPane1).setRootVisible(false); // hide the root
        } else {
          // if there's at least one image, load the image and open the top component
          List<Object> items = new ArrayList<>();
          final SleuthkitCase tskCase = currentCase.getSleuthkitCase();
          items.add(new DataSources());
          items.add(new Views(tskCase));
          items.add(new Results(tskCase));
          items.add(new Reports());
          contentChildren = new RootContentChildren(items);
          Node root =
              new AbstractNode(contentChildren) {
                /**
                 * to override the right click action in the white blank space area on the directory
                 * tree window
                 */
                @Override
                public Action[] getActions(boolean popup) {
                  return new Action[] {};
                }

                // Overide the AbstractNode use of DefaultHandle to return
                // a handle which can be serialized without a parent
                @Override
                public Node.Handle getHandle() {
                  return new Node.Handle() {
                    @Override
                    public Node getNode() throws IOException {
                      return em.getRootContext();
                    }
                  };
                }
              };

          root = new DirectoryTreeFilterNode(root, true);

          em.setRootContext(root);
          em.getRootContext().setName(currentCase.getName());
          em.getRootContext().setDisplayName(currentCase.getName());
          ((BeanTreeView) this.jScrollPane1).setRootVisible(false); // hide the root

          // Reset the forward and back lists because we're resetting the root context
          resetHistory();

          Children childNodes = em.getRootContext().getChildren();
          TreeView tree = getTree();

          Node results = childNodes.findChild(ResultsNode.NAME);
          tree.expandNode(results);

          Children resultsChilds = results.getChildren();
          tree.expandNode(resultsChilds.findChild(KeywordHits.NAME));
          tree.expandNode(resultsChilds.findChild(ExtractedContent.NAME));

          Node views = childNodes.findChild(ViewsNode.NAME);
          Children viewsChilds = views.getChildren();
          for (Node n : viewsChilds.getNodes()) {
            tree.expandNode(n);
          }

          tree.collapseNode(views);

          // if the dataResult is not opened
          if (!dataResult.isOpened()) {
            dataResult
                .open(); // open the data result top component as well when the directory tree is
                         // opened
          }

          // select the first image node, if there is one
          // (this has to happen after dataResult is opened, because the event
          // of changing the selected node fires a handler that tries to make
          // dataResult active)
          if (childNodes.getNodesCount() > 0) {
            try {
              em.setSelectedNodes(new Node[] {childNodes.getNodeAt(0)});
            } catch (Exception ex) {
              logger.log(Level.SEVERE, "Error setting default selected node.", ex); // NON-NLS
            }
          }
        }
      }
    } finally {
      this.setCursor(null);
    }
  }
Esempio n. 8
0
  @Override
  public synchronized ObservableResult evaluate() {

    setWarnings("");

    if (obj.getAddressValue() == null) {
      return new ObservableResult(
          id,
          "AddressObject: No address value field found", // NON-NLS
          spacing,
          ObservableResult.ObservableState.INDETERMINATE,
          null);
    }

    String origAddressStr = obj.getAddressValue().getValue().toString();

    // For now, we don't support "NONE" because it honestly doesn't seem like it
    // would ever appear in practice.
    if (((obj.getAddressValue().getApplyCondition() != null)
        && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.NONE))) {
      return new ObservableResult(
          id,
          "AddressObject: Can not process apply condition "
              + obj.getAddressValue().getApplyCondition().toString() // NON-NLS
              + " on Address object",
          spacing,
          ObservableResult.ObservableState.INDETERMINATE,
          null); // NON-NLS
    }

    // Set warnings for any unsupported fields
    setUnsupportedFieldWarnings();

    Case case1 = Case.getCurrentCase();
    SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();

    try {
      // Need to check that every part of the string had at least one match
      // in the AND case
      boolean everyPartMatched = true;
      List<BlackboardArtifact> combinedArts = new ArrayList<BlackboardArtifact>();
      String searchString = "";
      String[] parts = origAddressStr.split("##comma##"); // NON-NLS

      for (String addressStr : parts) {

        // Update the string to show in the results
        if (!searchString.isEmpty()) {

          if ((obj.getAddressValue().getApplyCondition() != null)
              && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)) {
            searchString += " AND "; // NON-NLS
          } else {
            searchString += " OR "; // NON-NLS
          }
        }
        searchString += addressStr;

        if ((obj.getAddressValue().getCondition() == null)
            || (obj.getAddressValue().getCondition() == ConditionTypeEnum.EQUALS)) {
          List<BlackboardArtifact> arts =
              sleuthkitCase.getBlackboardArtifacts(
                  BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT,
                  BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD,
                  addressStr);

          if (arts.isEmpty()) {
            everyPartMatched = false;
          } else {
            combinedArts.addAll(arts);
          }

        } else {
          // This is inefficient, but the easiest way to do it.

          List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();

          // Get all the URL artifacts
          List<BlackboardArtifact> artList =
              sleuthkitCase.getBlackboardArtifacts(
                  BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);

          for (BlackboardArtifact art : artList) {

            for (BlackboardAttribute attr : art.getAttributes()) {
              if (attr.getAttributeTypeID()
                  == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
                if (compareStringObject(
                    addressStr,
                    obj.getAddressValue().getCondition(),
                    obj.getAddressValue().getApplyCondition(),
                    attr.getValueString())) {
                  finalHits.add(art);
                }
              }
            }
          }

          if (finalHits.isEmpty()) {
            everyPartMatched = false;
          } else {
            combinedArts.addAll(finalHits);
          }
        }
      }

      // If we're in the ALL case, make sure every piece matched
      if ((obj.getAddressValue().getApplyCondition() != null)
          && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)
          && (!everyPartMatched)) {
        return new ObservableResult(
            id,
            "AddressObject: No matches for " + searchString, // NON-NLS
            spacing,
            ObservableResult.ObservableState.FALSE,
            null);
      }

      if (!combinedArts.isEmpty()) {
        List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
        for (BlackboardArtifact a : combinedArts) {
          artData.add(new StixArtifactData(a.getObjectID(), id, "AddressObject")); // NON-NLS
        }
        return new ObservableResult(
            id,
            "AddressObject: Found a match for " + searchString, // NON-NLS
            spacing,
            ObservableResult.ObservableState.TRUE,
            artData);
      }

      return new ObservableResult(
          id,
          "AddressObject: Found no matches for " + searchString, // NON-NLS
          spacing,
          ObservableResult.ObservableState.FALSE,
          null);

    } catch (TskCoreException ex) {
      return new ObservableResult(
          id,
          "AddressObject: Exception during evaluation: " + ex.getLocalizedMessage(), // NON-NLS
          spacing,
          ObservableResult.ObservableState.INDETERMINATE,
          null);
    }
  }