/** Search for the registry hives on the system. Mostly copied from RecentActivity */
private static List<AbstractFile> findRegistryFiles() throws TskCoreException {
List<AbstractFile> registryFiles = new ArrayList<AbstractFile>();
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager =
Case.getCurrentCase().getServices().getFileManager();
for (Content ds : Case.getCurrentCase().getDataSources()) {
// find the user-specific ntuser-dat files
registryFiles.addAll(fileManager.findFiles(ds, "ntuser.dat")); // NON-NLS
// find the system hives
String[] regFileNames = new String[] {"system", "software", "security", "sam"}; // NON-NLS
for (String regFileName : regFileNames) {
List<AbstractFile> allRegistryFiles =
fileManager.findFiles(ds, regFileName, "/system32/config"); // NON-NLS
for (AbstractFile regFile : allRegistryFiles) {
// Don't want anything from regback
if (!regFile.getParentPath().contains("RegBack")) { // NON-NLS
registryFiles.add(regFile);
}
}
}
}
return registryFiles;
}
/**
* Create a tag for an artifact with TSK_TAG_NAME as tagName.
*
* @param artifact to create tag for
* @param tagName TSK_TAG_NAME
* @param comment the tag comment or null if not present
*/
public static void createTag(BlackboardArtifact artifact, String tagName, String comment) {
try {
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
AbstractFile file = skCase.getAbstractFileById(artifact.getObjectID());
final BlackboardArtifact bookArt =
file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT);
List<BlackboardAttribute> attrs = new ArrayList<BlackboardAttribute>();
BlackboardAttribute attr1 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(), "", tagName);
if (comment != null && !comment.isEmpty()) {
BlackboardAttribute attr2 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), "", comment);
attrs.add(attr2);
}
BlackboardAttribute attr3 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID(),
"",
artifact.getArtifactID());
attrs.add(attr1);
attrs.add(attr3);
bookArt.addAttributes(attrs);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to create tag for artifact " + artifact.getArtifactID());
}
}
@Override
public void startUp(IngestJobContext context) throws IngestModuleException {
this.context = context;
refCounter.incrementAndGet(context.getJobId());
synchronized (SampleFileIngestModule.class) {
if (attrId == -1) {
// For this sample, make a new attribute type to use to post
// results to the blackboard. There are many standard blackboard
// artifact and attribute types and you should use them instead
// creating new ones to facilitate use of your results by other
// modules.
Case autopsyCase = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = autopsyCase.getSleuthkitCase();
try {
// See if the attribute type has already been defined.
attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE");
if (attrId == -1) {
attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute");
}
} catch (TskCoreException ex) {
IngestServices ingestServices = IngestServices.getInstance();
Logger logger = ingestServices.getLogger(SampleIngestModuleFactory.getModuleName());
logger.log(Level.SEVERE, "Failed to create blackboard attribute", ex);
attrId = -1;
throw new IngestModuleException(ex.getLocalizedMessage());
}
}
}
}
@Override
public boolean canClose() {
return !Case.existsCurrentCase()
|| Case.getCurrentCase().hasData()
== false; // only allow this window to be closed when there's no case opened or no image
// in this case
}
/**
* Deletes the current opened case.
*
* @param e
*/
@Override
public void actionPerformed(ActionEvent e) {
Logger.noteAction(this.getClass());
Case currentCase = Case.getCurrentCase();
File configFile = new File(currentCase.getConfigFilePath());
File caseFolder = new File(configFile.getParent());
String caseName = currentCase.getName();
if (!caseFolder.exists()) {
// throw an error
logger.log(
Level.WARNING,
"Couldn't delete case.",
new Exception("The case directory doesn't exist."));
} else {
// show the confirmation first to close the current case and open the "New Case" wizard panel
String closeCurrentCase =
"Are you sure want to close and delete this case? \n Case Name: "
+ caseName
+ "\n Case Directory: "
+ caseFolder.getPath();
NotifyDescriptor d =
new NotifyDescriptor.Confirmation(
closeCurrentCase,
"Warning: Closing the Current Case",
NotifyDescriptor.YES_NO_OPTION,
NotifyDescriptor.WARNING_MESSAGE);
d.setValue(NotifyDescriptor.NO_OPTION);
Object res = DialogDisplayer.getDefault().notify(d);
if (res != null && res == DialogDescriptor.YES_OPTION) {
boolean success = false;
try {
Case.getCurrentCase().deleteCase(caseFolder); // delete the current case
success = true;
} catch (CaseActionException ex) {
logger.log(Level.WARNING, "Could not delete the case folder: " + caseFolder);
}
// show notification whether the case has been deleted or it failed to delete...
if (!success) {
JOptionPane.showMessageDialog(
caller,
"The delete action can't be fully completed because the folder or file in it is open by another program.\n \nClose the folder and file and try again or you can delete the case manually.",
"Error: Folder In Use",
JOptionPane.ERROR_MESSAGE); // throw an error
} else {
CasePropertiesAction
.closeCasePropertiesWindow(); // because the "Delete Case" button is in the
// "CaseProperties" window, we have to close that window
// when we delete the case.
JOptionPane.showMessageDialog(caller, "Case " + caseName + " has been deleted.");
}
}
}
}
/**
* Get a list of all the bookmarks.
*
* @return a list of all bookmark artifacts
*/
static List<BlackboardArtifact> getBookmarks() {
try {
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
return skCase.getBlackboardArtifacts(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME, Tags.BOOKMARK_TAG_NAME);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to get list of artifacts from the case.");
}
return new ArrayList<BlackboardArtifact>();
}
@SuppressWarnings("deprecation")
protected void initialize() {
followUpToggle.setOnAction(
(ActionEvent t) -> {
if (followUpToggle.isSelected() == true) {
globalSelectionModel.clearAndSelect(fileID);
try {
AddDrawableTagAction.getInstance().addTag(TagUtils.getFollowUpTagName(), "");
} catch (TskCoreException ex) {
LOGGER.log(Level.SEVERE, "Failed to add follow up tag. Could not load TagName.", ex);
}
} else {
// TODO: convert this to an action!
final ImageGalleryController controller = ImageGalleryController.getDefault();
try {
// remove file from old category group
controller
.getGroupManager()
.removeFromGroup(
new GroupKey<TagName>(DrawableAttribute.TAGS, TagUtils.getFollowUpTagName()),
fileID);
List<ContentTag> contentTagsByContent =
Case.getCurrentCase()
.getServices()
.getTagsManager()
.getContentTagsByContent(file);
for (ContentTag ct : contentTagsByContent) {
if (ct.getName()
.getDisplayName()
.equals(TagUtils.getFollowUpTagName().getDisplayName())) {
Case.getCurrentCase().getServices().getTagsManager().deleteContentTag(ct);
}
}
IngestServices.getInstance()
.fireModuleDataEvent(
new ModuleDataEvent(
"TagAction", BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE)); // NON-NLS
controller
.getGroupManager()
.handleFileUpdate(
FileUpdateEvent.newUpdateEvent(
Collections.singleton(fileID), DrawableAttribute.TAGS));
} catch (TskCoreException ex) {
LOGGER.log(Level.SEVERE, "Failed to delete follow up tag.", ex);
}
}
});
}
@Override
public synchronized void setFile(final Long fileID) {
if (Objects.equals(fileID, this.fileID) == false) {
this.fileID = fileID;
disposeContent();
if (this.fileID == null || Case.isCaseOpen() == false) {
if (registered == true) {
ImageGalleryController.getDefault().getCategoryManager().unregisterListener(this);
TagUtils.unregisterListener(this);
registered = false;
}
file = null;
Platform.runLater(
() -> {
clearContent();
});
} else {
if (registered == false) {
ImageGalleryController.getDefault().getCategoryManager().registerListener(this);
TagUtils.registerListener(this);
registered = true;
}
file = null;
getFile();
updateSelectionState();
updateCategoryBorder();
updateFollowUpIcon();
updateUI();
Platform.runLater(getContentUpdateRunnable());
}
}
}
/**
* get the BlackboardArtifactTag that was added by its id
*
* @return BlackboardArtifactTag that was added
* @throws IllegalStateException
* @throws TskCoreException
*/
@Override
BlackboardArtifactTag getTagByID() throws IllegalStateException, TskCoreException {
return Case.getCurrentCase()
.getServices()
.getTagsManager()
.getBlackboardArtifactTagByTagID(getTagID());
}
// case name change helper
private static void doCaseNameChange(String newCaseName) {
// update case name
if (!newCaseName.equals("")) {
Frame f = WindowManager.getDefault().getMainWindow();
f.setTitle(newCaseName + " - " + Case.getAppName()); // set the window name to the new value
}
}
// delete image helper
private void doDeleteImage() {
// no more image left in this case
if (currentCase.getRootObjectsCount() == 0) {
// close all top components
CoreComponentControl.closeCoreWindows();
}
}
/**
* Copy all registry hives to the temp directory and return the list of created files.
*
* @return Paths to copied registry files.
*/
public static List<RegistryFileInfo> copyRegistryFiles() throws TskCoreException {
// First get all the abstract files
List<AbstractFile> regFilesAbstract = findRegistryFiles();
// List to hold all the extracted file names plus their abstract file
List<RegistryFileInfo> regFilesLocal = new ArrayList<RegistryFileInfo>();
// Make the temp directory
String tmpDir = Case.getCurrentCase().getTempDirectory() + File.separator + "STIX"; // NON-NLS
File dir = new File(tmpDir);
if (dir.exists() == false) {
dir.mkdirs();
}
long index = 1;
for (AbstractFile regFile : regFilesAbstract) {
String regFileName = regFile.getName();
String regFileNameLocal = tmpDir + File.separator + regFileName + "_" + index;
File regFileNameLocalFile = new File(regFileNameLocal);
try {
// Don't save any unallocated versions
if (regFile.getMetaFlagsAsString().contains("Allocated")) { // NON-NLS
ContentUtils.writeToFile(regFile, regFileNameLocalFile);
regFilesLocal.add(new EvalRegistryObj().new RegistryFileInfo(regFile, regFileNameLocal));
}
} catch (IOException ex) {
throw new TskCoreException(ex.getLocalizedMessage());
}
index++;
}
return regFilesLocal;
}
/**
* Creates a new case (create the XML config file and database)
*
* @param caseDir The directory to store case data in. Will be created if it doesn't already
* exist. If it exists, it should have all of the needed sub dirs that createCaseDirectory()
* will create.
* @param caseName the name of case
* @param caseNumber the case number
* @param examiner the examiner for this case
*/
public static void create(String caseDir, String caseName, String caseNumber, String examiner)
throws CaseActionException {
logger.log(
Level.INFO,
"Creating new case.\ncaseDir: {0}\ncaseName: {1}",
new Object[] {caseDir, caseName});
// create case directory if it doesn't already exist.
if (new File(caseDir).exists() == false) {
Case.createCaseDirectory(caseDir);
}
String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION;
XMLCaseManagement xmlcm = new XMLCaseManagement();
xmlcm.create(caseDir, caseName, examiner, caseNumber); // create a new XML config file
xmlcm.writeFile();
String dbPath = caseDir + File.separator + "autopsy.db";
SleuthkitCase db = null;
try {
db = SleuthkitCase.newCase(dbPath);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error creating a case: " + caseName + " in dir " + caseDir, ex);
throw new CaseActionException(
"Error creating a case: " + caseName + " in dir " + caseDir, ex);
}
Case newCase = new Case(caseName, caseNumber, examiner, configFilePath, xmlcm, db);
changeCase(newCase);
}
// case change helper
private static void doCaseChange(Case toChangeTo) {
logger.log(Level.INFO, "Changing Case to: " + toChangeTo);
if (toChangeTo != null) { // new case is open
// clear the temp folder when the case is created / opened
Case.clearTempFolder();
checkSubFolders(toChangeTo);
// enable these menus
CallableSystemAction.get(AddImageAction.class).setEnabled(true);
CallableSystemAction.get(CaseCloseAction.class).setEnabled(true);
CallableSystemAction.get(CasePropertiesAction.class).setEnabled(true);
CallableSystemAction.get(CaseDeleteAction.class).setEnabled(true); // Delete Case menu
if (toChangeTo.getRootObjectsCount() > 0) {
// open all top components
CoreComponentControl.openCoreWindows();
} else {
// close all top components
CoreComponentControl.closeCoreWindows();
}
} else { // case is closed
// close all top components first
CoreComponentControl.closeCoreWindows();
// disable these menus
CallableSystemAction.get(AddImageAction.class).setEnabled(false); // Add Image menu
CallableSystemAction.get(CaseCloseAction.class).setEnabled(false); // Case Close menu
CallableSystemAction.get(CasePropertiesAction.class)
.setEnabled(false); // Case Properties menu
CallableSystemAction.get(CaseDeleteAction.class).setEnabled(false); // Delete Case menu
// clear pending notifications
MessageNotifyUtil.Notify.clear();
Frame f = WindowManager.getDefault().getMainWindow();
f.setTitle(Case.getAppName()); // set the window name to just application name
// try to force gc to happen
System.gc();
System.gc();
}
// log memory usage after case changed
logger.log(Level.INFO, PlatformUtil.getAllMemUsageInfo());
}
@Override
public JComponent[] getMenuPresenters() {
List<DataContentTopComponent> newWindowLists = DataContentTopComponent.getNewWindowList();
// Get DataContent provider to include in the menu
int totalItems = newWindowLists.size() > 0 ? 2 : 1;
JComponent[] comps = new JComponent[totalItems];
int counter = 0;
TopComponent contentWin = DataContentTopComponent.findInstance();
JMenuItem defaultItem = new JMenuItem(contentWin.getName()); // set the main name
defaultItem.addActionListener(new OpenTopComponentAction(contentWin));
if (!Case.isCaseOpen() || Case.getCurrentCase().hasData() == false) {
defaultItem.setEnabled(false); // disable the menu items when no case is opened
} else {
defaultItem.setEnabled(true); // enable the menu items when there's a case opened / created
}
comps[counter++] = defaultItem;
// add the submenu
if (newWindowLists != null) {
if (newWindowLists.size() > 0) {
JMenu submenu =
new JMenu(
NbBundle.getMessage(
this.getClass(), "DataContentDynamicMenu.menu.dataContentWin.text"));
for (int i = 0; i < newWindowLists.size(); i++) {
DataContentTopComponent dctc = newWindowLists.get(i);
JMenuItem item = new JMenuItem(dctc.getName());
item.addActionListener(new OpenTopComponentAction(dctc));
submenu.add(item);
}
comps[counter++] = submenu;
}
}
return comps;
}
private void setMonitorDir() {
String caseDir = Case.getCurrentCase().getCaseDirectory();
File curDir = new File(caseDir);
File tempF = null;
while ((tempF = curDir.getParentFile()) != null) {
curDir = tempF;
}
root = curDir;
logger.log(Level.INFO, "Monitoring disk space of case root: " + curDir.getAbsolutePath());
}
@Override
public void propertyChange(PropertyChangeEvent evt) {
String eventType = evt.getPropertyName();
if (eventType.equals(IngestManager.IngestModuleEvent.CONTENT_CHANGED.toString())) {
/**
* Checking for a current case is a stop gap measure until a different way of
* handling the closing of cases is worked out. Currently, remote events may be
* received for a case that is already closed.
*/
try {
// new file was added
// @@@ could check the size here and only fire off updates if we know the file
// meets the min size criteria
Case.getCurrentCase();
update();
} catch (IllegalStateException notUsed) {
/** Case is closed, do nothing. */
}
} else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())
|| eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())
|| eventType.equals(Case.Events.DATA_SOURCE_ADDED.toString())) {
/**
* Checking for a current case is a stop gap measure until a different way of
* handling the closing of cases is worked out. Currently, remote events may be
* received for a case that is already closed.
*/
try {
Case.getCurrentCase();
update();
} catch (IllegalStateException notUsed) {
/** Case is closed, do nothing. */
}
} else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {
// case was closed. Remove listeners so that we don't get called with a stale case
// handle
if (evt.getNewValue() == null) {
removeListeners();
}
}
}
/**
* Initializes the service for new ingest run Sets up threads, timers, retrieves settings, keyword
* lists to run on
*
* @param managerProxy
*/
@Override
public void init(IngestManagerProxy managerProxy) {
logger.log(Level.INFO, "init()");
initialized = false;
caseHandle = Case.getCurrentCase().getSleuthkitCase();
this.managerProxy = managerProxy;
Server solrServer = KeywordSearch.getServer();
ingester = solrServer.getIngester();
ingestStatus = new HashMap<Long, IngestStatus>();
keywords = new ArrayList<Keyword>();
keywordLists = new ArrayList<String>();
keywordToList = new HashMap<String, KeywordSearchList>();
initKeywords();
if (keywords.isEmpty() || keywordLists.isEmpty()) {
managerProxy.postMessage(
IngestMessage.createWarningMessage(
++messageID,
instance,
"No keywords in keyword list.",
"Only indexing will be done and and keyword search will be skipped (it can be executed later again as ingest or using toolbar search feature)."));
}
processedFiles = false;
finalSearcherDone = false;
searcherDone = true; // make sure to start the initial currentSearcher
// keeps track of all results per run not to repeat reporting the same hits
currentResults = new HashMap<Keyword, List<ContentHit>>();
indexer = new Indexer();
final int updateIntervalMs = managerProxy.getUpdateFrequency() * 60 * 1000;
logger.log(Level.INFO, "Using commit interval (ms): " + updateIntervalMs);
logger.log(Level.INFO, "Using searcher interval (ms): " + updateIntervalMs);
commitTimer = new Timer(updateIntervalMs, new CommitTimerAction());
searchTimer = new Timer(updateIntervalMs, new SearchTimerAction());
initialized = true;
commitTimer.start();
searchTimer.start();
managerProxy.postMessage(
IngestMessage.createMessage(++messageID, MessageType.INFO, this, "Started"));
}
/**
* Get a list of all the tag names. Uses a custom query for speed when dealing with thousands of
* Tags.
*
* @return a list of all tag names.
*/
@SuppressWarnings("deprecation")
public static List<String> getTagNames() {
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
List<String> names = new ArrayList<>();
ResultSet rs = null;
try {
rs =
skCase.runQuery(
"SELECT value_text"
+ " FROM blackboard_attributes"
+ " WHERE attribute_type_id = "
+ ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID()
+ " GROUP BY value_text"
+ " ORDER BY value_text");
while (rs.next()) {
names.add(rs.getString("value_text"));
}
} catch (SQLException ex) {
logger.log(Level.SEVERE, "Failed to query the blackboard for tag names.");
} finally {
if (rs != null) {
try {
skCase.closeRunQuery(rs);
} catch (SQLException ex) {
logger.log(Level.SEVERE, "Failed to close the query for blackboard for tag names.");
}
}
}
// add the 'Bookmark' tag, if it's not already in the list
if (!names.contains(BOOKMARK_TAG_NAME)) {
names.add(BOOKMARK_TAG_NAME);
}
return names;
}
/**
* Get the artifact for a result tag.
*
* @param tagArtifactId artifact id of the tag
* @return the tag's artifact
*/
static BlackboardArtifact getArtifactFromTag(long tagArtifactId) {
try {
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
BlackboardArtifact artifact = skCase.getBlackboardArtifact(tagArtifactId);
if (artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID()
|| artifact.getArtifactTypeID()
== BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) {
List<BlackboardAttribute> attributes = artifact.getAttributes();
for (BlackboardAttribute att : attributes) {
if (att.getAttributeTypeID()
== BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID()) {
return skCase.getBlackboardArtifact(att.getValueLong());
}
}
}
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to get artifact " + tagArtifactId + " from case.");
}
return null;
}
/**
* Looks up the tag names associated with either a tagged artifact or a tag artifact.
*
* @param artifactID The ID of the artifact
* @param artifactTypeID The ID of the artifact type
* @return A set of unique tag names
*/
public static HashSet<String> getUniqueTagNames(long artifactID, int artifactTypeID) {
HashSet<String> tagNames = new HashSet<>();
try {
ArrayList<Long> tagArtifactIDs = new ArrayList<>();
if (artifactTypeID == ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID()
|| artifactTypeID == ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) {
tagArtifactIDs.add(artifactID);
} else {
List<BlackboardArtifact> tags =
Case.getCurrentCase()
.getSleuthkitCase()
.getBlackboardArtifacts(ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT, artifactID);
for (BlackboardArtifact tag : tags) {
tagArtifactIDs.add(tag.getArtifactID());
}
}
for (Long tagArtifactID : tagArtifactIDs) {
String whereClause =
"WHERE artifact_id = "
+ tagArtifactID
+ " AND attribute_type_id = "
+ ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID();
List<BlackboardAttribute> attributes =
Case.getCurrentCase().getSleuthkitCase().getMatchingAttributes(whereClause);
for (BlackboardAttribute attr : attributes) {
tagNames.add(attr.getValueString());
}
}
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to get tags for artifact " + artifactID, ex);
}
return tagNames;
}
private static void clearTempFolder() {
File tempFolder = new File(currentCase.getTempDirectory());
if (tempFolder.isDirectory()) {
File[] files = tempFolder.listFiles();
if (files.length > 0) {
for (int i = 0; i < files.length; i++) {
if (files[i].isDirectory()) {
deleteCaseDirectory(files[i]);
} else {
files[i].delete();
}
}
}
}
}
/**
* Delete this case. This methods delete all folders and files of this case.
*
* @param caseDir case dir to delete
* @throws CaseActionException exception throw if case could not be deleted
*/
void deleteCase(File caseDir) throws CaseActionException {
logger.log(Level.INFO, "Deleting case.\ncaseDir: {0}", caseDir);
try {
xmlcm.close(); // close the xmlcm
boolean result = deleteCaseDirectory(caseDir); // delete the directory
RecentCases.getInstance()
.removeRecentCase(this.name, this.configFilePath); // remove it from the recent case
Case.changeCase(null);
if (result == false) {
throw new CaseActionException("Error deleting the case dir: " + caseDir);
}
} catch (Exception ex) {
logger.log(Level.SEVERE, "Error deleting the current case dir: " + caseDir, ex);
throw new CaseActionException("Error deleting the case dir: " + caseDir, ex);
}
}
/**
* Check for existence of certain case sub dirs and create them if needed.
*
* @param openedCase
*/
private static void checkSubFolders(Case openedCase) {
String modulesOutputDir = openedCase.getModulesOutputDirAbsPath();
File modulesOutputDirF = new File(modulesOutputDir);
if (!modulesOutputDirF.exists()) {
logger.log(Level.INFO, "Creating modules output dir for the case.");
try {
if (!modulesOutputDirF.mkdir()) {
logger.log(
Level.SEVERE,
"Error creating modules output dir for the case, dir: " + modulesOutputDir);
}
} catch (SecurityException e) {
logger.log(
Level.SEVERE,
"Error creating modules output dir for the case, dir: " + modulesOutputDir,
e);
}
}
}
MonitorAction() {
// find drive where case is located
setMonitorDir();
// update monitor dir if case changed
Case.addPropertyChangeListener(
new PropertyChangeListener() {
@Override
public void propertyChange(PropertyChangeEvent evt) {
String changed = evt.getPropertyName();
Object newValue = evt.getNewValue();
if (changed.equals(Case.CASE_CURRENT_CASE)) {
if (newValue != null) {
setMonitorDir();
}
}
}
});
}
/** Make this TopComponent a listener to various change events. */
private void subscribeToChangeEvents() {
UserPreferences.addChangeListener(
new PreferenceChangeListener() {
@Override
public void preferenceChange(PreferenceChangeEvent evt) {
switch (evt.getKey()) {
case UserPreferences.HIDE_KNOWN_FILES_IN_DATA_SOURCES_TREE:
refreshContentTreeSafe();
break;
case UserPreferences.HIDE_KNOWN_FILES_IN_VIEWS_TREE:
// TODO: Need a way to refresh the Views subtree
break;
}
}
});
Case.addPropertyChangeListener(this);
this.em.addPropertyChangeListener(this);
IngestManager.getInstance().addIngestJobEventListener(this);
IngestManager.getInstance().addIngestModuleEventListener(this);
}
public abstract class Extract implements IngestModuleImage {
protected Case currentCase = Case.getCurrentCase(); // get the most updated case
protected SleuthkitCase tskCase = currentCase.getSleuthkitCase();
public final Logger logger = Logger.getLogger(this.getClass().getName());
protected final ArrayList<String> errorMessages = new ArrayList<String>();
protected String moduleName = "";
// hide public constructor to prevent from instantiation by ingest module loader
Extract() {}
List<String> getErrorMessages() {
return errorMessages;
}
/**
* Returns a List of FsContent objects from TSK based on sql query.
*
* @param image is a Image object that denotes which image to get the files from
* @param query is a sql string query that is to be run
* @return FFSqlitedb is a List of FsContent objects
*/
@SuppressWarnings("deprecation")
public List<FsContent> extractFiles(Image image, String query) {
Collection<FileSystem> imageFS = tskCase.getFileSystems(image);
List<String> fsIds = new LinkedList<String>();
for (FileSystem img : imageFS) {
Long tempID = img.getId();
fsIds.add(tempID.toString());
}
String allFS = new String();
for (int i = 0; i < fsIds.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + fsIds.get(i) + "'";
if (i == fsIds.size() - 1) {
allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
ResultSet rs = null;
try {
rs = tskCase.runQuery(query + allFS);
FFSqlitedb = tskCase.resultSetToFsContents(rs);
} catch (SQLException ex) {
logger.log(
Level.SEVERE, "Error while trying to extract files for:" + this.getClass().getName(), ex);
this.addErrorMessage(this.getName() + ": Error while trying to extract files to analyze.");
} finally {
if (rs != null) {
try {
tskCase.closeRunQuery(rs);
} catch (SQLException ex) {
logger.log(
Level.SEVERE,
"Error while trying to close result set after extract files for:"
+ this.getClass().getName(),
ex);
}
}
}
return FFSqlitedb;
}
/**
* Generic method for adding a blackboard artifact to the blackboard
*
* @param type is a blackboard.artifact_type enum to determine which type the artifact should be
* @param content is the FsContent object that needs to have the artifact added for it
* @param bbattributes is the collection of blackboard attributes that need to be added to the
* artifact after the artifact has been created
*/
public void addArtifact(
BlackboardArtifact.ARTIFACT_TYPE type,
FsContent content,
Collection<BlackboardAttribute> bbattributes) {
try {
BlackboardArtifact bbart = content.newArtifact(type);
bbart.addAttributes(bbattributes);
} catch (TskException ex) {
logger.log(Level.SEVERE, "Error while trying to add an artifact: " + ex);
}
}
/**
* Returns a List from a result set based on sql query.
*
* @param path is the string path to the sqlite db file
* @param query is a sql string query that is to be run
* @return list is the ArrayList that contains the resultset information in it that the query
* obtained
*/
public List<HashMap<String, Object>> dbConnect(String path, String query) {
ResultSet temprs = null;
List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>();
String connectionString = "jdbc:sqlite:" + path;
try {
SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString);
temprs = tempdbconnect.executeQry(query);
list = this.resultSetToArrayList(temprs);
tempdbconnect.closeConnection();
} catch (SQLException ex) {
logger.log(
Level.SEVERE, "Error while trying to read into a sqlite db." + connectionString, ex);
return Collections.<HashMap<String, Object>>emptyList();
}
return list;
}
/**
* Returns a List of FsContent objects from TSK based on sql query.
*
* @param rs is the resultset that needs to be converted to an arraylist
* @return list returns the arraylist built from the converted resultset
*/
public List<HashMap<String, Object>> resultSetToArrayList(ResultSet rs) throws SQLException {
ResultSetMetaData md = rs.getMetaData();
int columns = md.getColumnCount();
List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>(50);
while (rs.next()) {
HashMap<String, Object> row = new HashMap<String, Object>(columns);
for (int i = 1; i <= columns; ++i) {
if (rs.getObject(i) == null) {
row.put(md.getColumnName(i), "");
} else {
row.put(md.getColumnName(i), rs.getObject(i));
}
}
list.add(row);
}
return list;
}
/**
* Returns a List of string error messages from the inheriting class
*
* @return errorMessages returns all error messages logged
*/
public ArrayList<String> getErrorMessage() {
return errorMessages;
}
/**
* Adds a string to the error message list
*
* @param message is an error message represented as a string
*/
public void addErrorMessage(String message) {
errorMessages.add(message);
}
/**
* Returns the name of the inheriting class
*
* @return Gets the moduleName set in the moduleName data member
*/
public String getName() {
return moduleName;
}
}
private void removeListeners() {
deleteObservers();
IngestManager.getInstance().removeIngestJobEventListener(pcl);
IngestManager.getInstance().removeIngestModuleEventListener(pcl);
Case.removePropertyChangeListener(pcl);
}
FileSizeRootChildrenObservable() {
IngestManager.getInstance().addIngestJobEventListener(pcl);
IngestManager.getInstance().addIngestModuleEventListener(pcl);
Case.addPropertyChangeListener(pcl);
}
/**
* Get the cached file of the content object with the given id.
*
* <p>The returned file may not exist.
*
* @param id
* @return
*/
public static File getFile(long id) {
return new File(Case.getCurrentCase().getCacheDirectory() + File.separator + id + ".png");
}
