/** Search for the registry hives on the system. Mostly copied from RecentActivity */ private static List<AbstractFile> findRegistryFiles() throws TskCoreException { List<AbstractFile> registryFiles = new ArrayList<AbstractFile>(); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = Case.getCurrentCase().getServices().getFileManager(); for (Content ds : Case.getCurrentCase().getDataSources()) { // find the user-specific ntuser-dat files registryFiles.addAll(fileManager.findFiles(ds, "ntuser.dat")); // NON-NLS // find the system hives String[] regFileNames = new String[] {"system", "software", "security", "sam"}; // NON-NLS for (String regFileName : regFileNames) { List<AbstractFile> allRegistryFiles = fileManager.findFiles(ds, regFileName, "/system32/config"); // NON-NLS for (AbstractFile regFile : allRegistryFiles) { // Don't want anything from regback if (!regFile.getParentPath().contains("RegBack")) { // NON-NLS registryFiles.add(regFile); } } } } return registryFiles; }
/** * Create a tag for an artifact with TSK_TAG_NAME as tagName. * * @param artifact to create tag for * @param tagName TSK_TAG_NAME * @param comment the tag comment or null if not present */ public static void createTag(BlackboardArtifact artifact, String tagName, String comment) { try { Case currentCase = Case.getCurrentCase(); SleuthkitCase skCase = currentCase.getSleuthkitCase(); AbstractFile file = skCase.getAbstractFileById(artifact.getObjectID()); final BlackboardArtifact bookArt = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT); List<BlackboardAttribute> attrs = new ArrayList<BlackboardAttribute>(); BlackboardAttribute attr1 = new BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(), "", tagName); if (comment != null && !comment.isEmpty()) { BlackboardAttribute attr2 = new BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), "", comment); attrs.add(attr2); } BlackboardAttribute attr3 = new BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID(), "", artifact.getArtifactID()); attrs.add(attr1); attrs.add(attr3); bookArt.addAttributes(attrs); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Failed to create tag for artifact " + artifact.getArtifactID()); } }
@Override public void startUp(IngestJobContext context) throws IngestModuleException { this.context = context; refCounter.incrementAndGet(context.getJobId()); synchronized (SampleFileIngestModule.class) { if (attrId == -1) { // For this sample, make a new attribute type to use to post // results to the blackboard. There are many standard blackboard // artifact and attribute types and you should use them instead // creating new ones to facilitate use of your results by other // modules. Case autopsyCase = Case.getCurrentCase(); SleuthkitCase sleuthkitCase = autopsyCase.getSleuthkitCase(); try { // See if the attribute type has already been defined. attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE"); if (attrId == -1) { attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute"); } } catch (TskCoreException ex) { IngestServices ingestServices = IngestServices.getInstance(); Logger logger = ingestServices.getLogger(SampleIngestModuleFactory.getModuleName()); logger.log(Level.SEVERE, "Failed to create blackboard attribute", ex); attrId = -1; throw new IngestModuleException(ex.getLocalizedMessage()); } } } }
@Override public boolean canClose() { return !Case.existsCurrentCase() || Case.getCurrentCase().hasData() == false; // only allow this window to be closed when there's no case opened or no image // in this case }
/** * Deletes the current opened case. * * @param e */ @Override public void actionPerformed(ActionEvent e) { Logger.noteAction(this.getClass()); Case currentCase = Case.getCurrentCase(); File configFile = new File(currentCase.getConfigFilePath()); File caseFolder = new File(configFile.getParent()); String caseName = currentCase.getName(); if (!caseFolder.exists()) { // throw an error logger.log( Level.WARNING, "Couldn't delete case.", new Exception("The case directory doesn't exist.")); } else { // show the confirmation first to close the current case and open the "New Case" wizard panel String closeCurrentCase = "Are you sure want to close and delete this case? \n Case Name: " + caseName + "\n Case Directory: " + caseFolder.getPath(); NotifyDescriptor d = new NotifyDescriptor.Confirmation( closeCurrentCase, "Warning: Closing the Current Case", NotifyDescriptor.YES_NO_OPTION, NotifyDescriptor.WARNING_MESSAGE); d.setValue(NotifyDescriptor.NO_OPTION); Object res = DialogDisplayer.getDefault().notify(d); if (res != null && res == DialogDescriptor.YES_OPTION) { boolean success = false; try { Case.getCurrentCase().deleteCase(caseFolder); // delete the current case success = true; } catch (CaseActionException ex) { logger.log(Level.WARNING, "Could not delete the case folder: " + caseFolder); } // show notification whether the case has been deleted or it failed to delete... if (!success) { JOptionPane.showMessageDialog( caller, "The delete action can't be fully completed because the folder or file in it is open by another program.\n \nClose the folder and file and try again or you can delete the case manually.", "Error: Folder In Use", JOptionPane.ERROR_MESSAGE); // throw an error } else { CasePropertiesAction .closeCasePropertiesWindow(); // because the "Delete Case" button is in the // "CaseProperties" window, we have to close that window // when we delete the case. JOptionPane.showMessageDialog(caller, "Case " + caseName + " has been deleted."); } } } }
/** * Get a list of all the bookmarks. * * @return a list of all bookmark artifacts */ static List<BlackboardArtifact> getBookmarks() { try { Case currentCase = Case.getCurrentCase(); SleuthkitCase skCase = currentCase.getSleuthkitCase(); return skCase.getBlackboardArtifacts( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME, Tags.BOOKMARK_TAG_NAME); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Failed to get list of artifacts from the case."); } return new ArrayList<BlackboardArtifact>(); }
@SuppressWarnings("deprecation") protected void initialize() { followUpToggle.setOnAction( (ActionEvent t) -> { if (followUpToggle.isSelected() == true) { globalSelectionModel.clearAndSelect(fileID); try { AddDrawableTagAction.getInstance().addTag(TagUtils.getFollowUpTagName(), ""); } catch (TskCoreException ex) { LOGGER.log(Level.SEVERE, "Failed to add follow up tag. Could not load TagName.", ex); } } else { // TODO: convert this to an action! final ImageGalleryController controller = ImageGalleryController.getDefault(); try { // remove file from old category group controller .getGroupManager() .removeFromGroup( new GroupKey<TagName>(DrawableAttribute.TAGS, TagUtils.getFollowUpTagName()), fileID); List<ContentTag> contentTagsByContent = Case.getCurrentCase() .getServices() .getTagsManager() .getContentTagsByContent(file); for (ContentTag ct : contentTagsByContent) { if (ct.getName() .getDisplayName() .equals(TagUtils.getFollowUpTagName().getDisplayName())) { Case.getCurrentCase().getServices().getTagsManager().deleteContentTag(ct); } } IngestServices.getInstance() .fireModuleDataEvent( new ModuleDataEvent( "TagAction", BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE)); // NON-NLS controller .getGroupManager() .handleFileUpdate( FileUpdateEvent.newUpdateEvent( Collections.singleton(fileID), DrawableAttribute.TAGS)); } catch (TskCoreException ex) { LOGGER.log(Level.SEVERE, "Failed to delete follow up tag.", ex); } } }); }
@Override public synchronized void setFile(final Long fileID) { if (Objects.equals(fileID, this.fileID) == false) { this.fileID = fileID; disposeContent(); if (this.fileID == null || Case.isCaseOpen() == false) { if (registered == true) { ImageGalleryController.getDefault().getCategoryManager().unregisterListener(this); TagUtils.unregisterListener(this); registered = false; } file = null; Platform.runLater( () -> { clearContent(); }); } else { if (registered == false) { ImageGalleryController.getDefault().getCategoryManager().registerListener(this); TagUtils.registerListener(this); registered = true; } file = null; getFile(); updateSelectionState(); updateCategoryBorder(); updateFollowUpIcon(); updateUI(); Platform.runLater(getContentUpdateRunnable()); } } }
/** * get the BlackboardArtifactTag that was added by its id * * @return BlackboardArtifactTag that was added * @throws IllegalStateException * @throws TskCoreException */ @Override BlackboardArtifactTag getTagByID() throws IllegalStateException, TskCoreException { return Case.getCurrentCase() .getServices() .getTagsManager() .getBlackboardArtifactTagByTagID(getTagID()); }
// case name change helper private static void doCaseNameChange(String newCaseName) { // update case name if (!newCaseName.equals("")) { Frame f = WindowManager.getDefault().getMainWindow(); f.setTitle(newCaseName + " - " + Case.getAppName()); // set the window name to the new value } }
// delete image helper private void doDeleteImage() { // no more image left in this case if (currentCase.getRootObjectsCount() == 0) { // close all top components CoreComponentControl.closeCoreWindows(); } }
/** * Copy all registry hives to the temp directory and return the list of created files. * * @return Paths to copied registry files. */ public static List<RegistryFileInfo> copyRegistryFiles() throws TskCoreException { // First get all the abstract files List<AbstractFile> regFilesAbstract = findRegistryFiles(); // List to hold all the extracted file names plus their abstract file List<RegistryFileInfo> regFilesLocal = new ArrayList<RegistryFileInfo>(); // Make the temp directory String tmpDir = Case.getCurrentCase().getTempDirectory() + File.separator + "STIX"; // NON-NLS File dir = new File(tmpDir); if (dir.exists() == false) { dir.mkdirs(); } long index = 1; for (AbstractFile regFile : regFilesAbstract) { String regFileName = regFile.getName(); String regFileNameLocal = tmpDir + File.separator + regFileName + "_" + index; File regFileNameLocalFile = new File(regFileNameLocal); try { // Don't save any unallocated versions if (regFile.getMetaFlagsAsString().contains("Allocated")) { // NON-NLS ContentUtils.writeToFile(regFile, regFileNameLocalFile); regFilesLocal.add(new EvalRegistryObj().new RegistryFileInfo(regFile, regFileNameLocal)); } } catch (IOException ex) { throw new TskCoreException(ex.getLocalizedMessage()); } index++; } return regFilesLocal; }
/** * Creates a new case (create the XML config file and database) * * @param caseDir The directory to store case data in. Will be created if it doesn't already * exist. If it exists, it should have all of the needed sub dirs that createCaseDirectory() * will create. * @param caseName the name of case * @param caseNumber the case number * @param examiner the examiner for this case */ public static void create(String caseDir, String caseName, String caseNumber, String examiner) throws CaseActionException { logger.log( Level.INFO, "Creating new case.\ncaseDir: {0}\ncaseName: {1}", new Object[] {caseDir, caseName}); // create case directory if it doesn't already exist. if (new File(caseDir).exists() == false) { Case.createCaseDirectory(caseDir); } String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION; XMLCaseManagement xmlcm = new XMLCaseManagement(); xmlcm.create(caseDir, caseName, examiner, caseNumber); // create a new XML config file xmlcm.writeFile(); String dbPath = caseDir + File.separator + "autopsy.db"; SleuthkitCase db = null; try { db = SleuthkitCase.newCase(dbPath); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error creating a case: " + caseName + " in dir " + caseDir, ex); throw new CaseActionException( "Error creating a case: " + caseName + " in dir " + caseDir, ex); } Case newCase = new Case(caseName, caseNumber, examiner, configFilePath, xmlcm, db); changeCase(newCase); }
// case change helper private static void doCaseChange(Case toChangeTo) { logger.log(Level.INFO, "Changing Case to: " + toChangeTo); if (toChangeTo != null) { // new case is open // clear the temp folder when the case is created / opened Case.clearTempFolder(); checkSubFolders(toChangeTo); // enable these menus CallableSystemAction.get(AddImageAction.class).setEnabled(true); CallableSystemAction.get(CaseCloseAction.class).setEnabled(true); CallableSystemAction.get(CasePropertiesAction.class).setEnabled(true); CallableSystemAction.get(CaseDeleteAction.class).setEnabled(true); // Delete Case menu if (toChangeTo.getRootObjectsCount() > 0) { // open all top components CoreComponentControl.openCoreWindows(); } else { // close all top components CoreComponentControl.closeCoreWindows(); } } else { // case is closed // close all top components first CoreComponentControl.closeCoreWindows(); // disable these menus CallableSystemAction.get(AddImageAction.class).setEnabled(false); // Add Image menu CallableSystemAction.get(CaseCloseAction.class).setEnabled(false); // Case Close menu CallableSystemAction.get(CasePropertiesAction.class) .setEnabled(false); // Case Properties menu CallableSystemAction.get(CaseDeleteAction.class).setEnabled(false); // Delete Case menu // clear pending notifications MessageNotifyUtil.Notify.clear(); Frame f = WindowManager.getDefault().getMainWindow(); f.setTitle(Case.getAppName()); // set the window name to just application name // try to force gc to happen System.gc(); System.gc(); } // log memory usage after case changed logger.log(Level.INFO, PlatformUtil.getAllMemUsageInfo()); }
@Override public JComponent[] getMenuPresenters() { List<DataContentTopComponent> newWindowLists = DataContentTopComponent.getNewWindowList(); // Get DataContent provider to include in the menu int totalItems = newWindowLists.size() > 0 ? 2 : 1; JComponent[] comps = new JComponent[totalItems]; int counter = 0; TopComponent contentWin = DataContentTopComponent.findInstance(); JMenuItem defaultItem = new JMenuItem(contentWin.getName()); // set the main name defaultItem.addActionListener(new OpenTopComponentAction(contentWin)); if (!Case.isCaseOpen() || Case.getCurrentCase().hasData() == false) { defaultItem.setEnabled(false); // disable the menu items when no case is opened } else { defaultItem.setEnabled(true); // enable the menu items when there's a case opened / created } comps[counter++] = defaultItem; // add the submenu if (newWindowLists != null) { if (newWindowLists.size() > 0) { JMenu submenu = new JMenu( NbBundle.getMessage( this.getClass(), "DataContentDynamicMenu.menu.dataContentWin.text")); for (int i = 0; i < newWindowLists.size(); i++) { DataContentTopComponent dctc = newWindowLists.get(i); JMenuItem item = new JMenuItem(dctc.getName()); item.addActionListener(new OpenTopComponentAction(dctc)); submenu.add(item); } comps[counter++] = submenu; } } return comps; }
private void setMonitorDir() { String caseDir = Case.getCurrentCase().getCaseDirectory(); File curDir = new File(caseDir); File tempF = null; while ((tempF = curDir.getParentFile()) != null) { curDir = tempF; } root = curDir; logger.log(Level.INFO, "Monitoring disk space of case root: " + curDir.getAbsolutePath()); }
@Override public void propertyChange(PropertyChangeEvent evt) { String eventType = evt.getPropertyName(); if (eventType.equals(IngestManager.IngestModuleEvent.CONTENT_CHANGED.toString())) { /** * Checking for a current case is a stop gap measure until a different way of * handling the closing of cases is worked out. Currently, remote events may be * received for a case that is already closed. */ try { // new file was added // @@@ could check the size here and only fire off updates if we know the file // meets the min size criteria Case.getCurrentCase(); update(); } catch (IllegalStateException notUsed) { /** Case is closed, do nothing. */ } } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString()) || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString()) || eventType.equals(Case.Events.DATA_SOURCE_ADDED.toString())) { /** * Checking for a current case is a stop gap measure until a different way of * handling the closing of cases is worked out. Currently, remote events may be * received for a case that is already closed. */ try { Case.getCurrentCase(); update(); } catch (IllegalStateException notUsed) { /** Case is closed, do nothing. */ } } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) { // case was closed. Remove listeners so that we don't get called with a stale case // handle if (evt.getNewValue() == null) { removeListeners(); } } }
/** * Initializes the service for new ingest run Sets up threads, timers, retrieves settings, keyword * lists to run on * * @param managerProxy */ @Override public void init(IngestManagerProxy managerProxy) { logger.log(Level.INFO, "init()"); initialized = false; caseHandle = Case.getCurrentCase().getSleuthkitCase(); this.managerProxy = managerProxy; Server solrServer = KeywordSearch.getServer(); ingester = solrServer.getIngester(); ingestStatus = new HashMap<Long, IngestStatus>(); keywords = new ArrayList<Keyword>(); keywordLists = new ArrayList<String>(); keywordToList = new HashMap<String, KeywordSearchList>(); initKeywords(); if (keywords.isEmpty() || keywordLists.isEmpty()) { managerProxy.postMessage( IngestMessage.createWarningMessage( ++messageID, instance, "No keywords in keyword list.", "Only indexing will be done and and keyword search will be skipped (it can be executed later again as ingest or using toolbar search feature).")); } processedFiles = false; finalSearcherDone = false; searcherDone = true; // make sure to start the initial currentSearcher // keeps track of all results per run not to repeat reporting the same hits currentResults = new HashMap<Keyword, List<ContentHit>>(); indexer = new Indexer(); final int updateIntervalMs = managerProxy.getUpdateFrequency() * 60 * 1000; logger.log(Level.INFO, "Using commit interval (ms): " + updateIntervalMs); logger.log(Level.INFO, "Using searcher interval (ms): " + updateIntervalMs); commitTimer = new Timer(updateIntervalMs, new CommitTimerAction()); searchTimer = new Timer(updateIntervalMs, new SearchTimerAction()); initialized = true; commitTimer.start(); searchTimer.start(); managerProxy.postMessage( IngestMessage.createMessage(++messageID, MessageType.INFO, this, "Started")); }
/** * Get a list of all the tag names. Uses a custom query for speed when dealing with thousands of * Tags. * * @return a list of all tag names. */ @SuppressWarnings("deprecation") public static List<String> getTagNames() { Case currentCase = Case.getCurrentCase(); SleuthkitCase skCase = currentCase.getSleuthkitCase(); List<String> names = new ArrayList<>(); ResultSet rs = null; try { rs = skCase.runQuery( "SELECT value_text" + " FROM blackboard_attributes" + " WHERE attribute_type_id = " + ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID() + " GROUP BY value_text" + " ORDER BY value_text"); while (rs.next()) { names.add(rs.getString("value_text")); } } catch (SQLException ex) { logger.log(Level.SEVERE, "Failed to query the blackboard for tag names."); } finally { if (rs != null) { try { skCase.closeRunQuery(rs); } catch (SQLException ex) { logger.log(Level.SEVERE, "Failed to close the query for blackboard for tag names."); } } } // add the 'Bookmark' tag, if it's not already in the list if (!names.contains(BOOKMARK_TAG_NAME)) { names.add(BOOKMARK_TAG_NAME); } return names; }
/** * Get the artifact for a result tag. * * @param tagArtifactId artifact id of the tag * @return the tag's artifact */ static BlackboardArtifact getArtifactFromTag(long tagArtifactId) { try { Case currentCase = Case.getCurrentCase(); SleuthkitCase skCase = currentCase.getSleuthkitCase(); BlackboardArtifact artifact = skCase.getBlackboardArtifact(tagArtifactId); if (artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID() || artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) { List<BlackboardAttribute> attributes = artifact.getAttributes(); for (BlackboardAttribute att : attributes) { if (att.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID()) { return skCase.getBlackboardArtifact(att.getValueLong()); } } } } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Failed to get artifact " + tagArtifactId + " from case."); } return null; }
/** * Looks up the tag names associated with either a tagged artifact or a tag artifact. * * @param artifactID The ID of the artifact * @param artifactTypeID The ID of the artifact type * @return A set of unique tag names */ public static HashSet<String> getUniqueTagNames(long artifactID, int artifactTypeID) { HashSet<String> tagNames = new HashSet<>(); try { ArrayList<Long> tagArtifactIDs = new ArrayList<>(); if (artifactTypeID == ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) { tagArtifactIDs.add(artifactID); } else { List<BlackboardArtifact> tags = Case.getCurrentCase() .getSleuthkitCase() .getBlackboardArtifacts(ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT, artifactID); for (BlackboardArtifact tag : tags) { tagArtifactIDs.add(tag.getArtifactID()); } } for (Long tagArtifactID : tagArtifactIDs) { String whereClause = "WHERE artifact_id = " + tagArtifactID + " AND attribute_type_id = " + ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(); List<BlackboardAttribute> attributes = Case.getCurrentCase().getSleuthkitCase().getMatchingAttributes(whereClause); for (BlackboardAttribute attr : attributes) { tagNames.add(attr.getValueString()); } } } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Failed to get tags for artifact " + artifactID, ex); } return tagNames; }
private static void clearTempFolder() { File tempFolder = new File(currentCase.getTempDirectory()); if (tempFolder.isDirectory()) { File[] files = tempFolder.listFiles(); if (files.length > 0) { for (int i = 0; i < files.length; i++) { if (files[i].isDirectory()) { deleteCaseDirectory(files[i]); } else { files[i].delete(); } } } } }
/** * Delete this case. This methods delete all folders and files of this case. * * @param caseDir case dir to delete * @throws CaseActionException exception throw if case could not be deleted */ void deleteCase(File caseDir) throws CaseActionException { logger.log(Level.INFO, "Deleting case.\ncaseDir: {0}", caseDir); try { xmlcm.close(); // close the xmlcm boolean result = deleteCaseDirectory(caseDir); // delete the directory RecentCases.getInstance() .removeRecentCase(this.name, this.configFilePath); // remove it from the recent case Case.changeCase(null); if (result == false) { throw new CaseActionException("Error deleting the case dir: " + caseDir); } } catch (Exception ex) { logger.log(Level.SEVERE, "Error deleting the current case dir: " + caseDir, ex); throw new CaseActionException("Error deleting the case dir: " + caseDir, ex); } }
/** * Check for existence of certain case sub dirs and create them if needed. * * @param openedCase */ private static void checkSubFolders(Case openedCase) { String modulesOutputDir = openedCase.getModulesOutputDirAbsPath(); File modulesOutputDirF = new File(modulesOutputDir); if (!modulesOutputDirF.exists()) { logger.log(Level.INFO, "Creating modules output dir for the case."); try { if (!modulesOutputDirF.mkdir()) { logger.log( Level.SEVERE, "Error creating modules output dir for the case, dir: " + modulesOutputDir); } } catch (SecurityException e) { logger.log( Level.SEVERE, "Error creating modules output dir for the case, dir: " + modulesOutputDir, e); } } }
MonitorAction() { // find drive where case is located setMonitorDir(); // update monitor dir if case changed Case.addPropertyChangeListener( new PropertyChangeListener() { @Override public void propertyChange(PropertyChangeEvent evt) { String changed = evt.getPropertyName(); Object newValue = evt.getNewValue(); if (changed.equals(Case.CASE_CURRENT_CASE)) { if (newValue != null) { setMonitorDir(); } } } }); }
/** Make this TopComponent a listener to various change events. */ private void subscribeToChangeEvents() { UserPreferences.addChangeListener( new PreferenceChangeListener() { @Override public void preferenceChange(PreferenceChangeEvent evt) { switch (evt.getKey()) { case UserPreferences.HIDE_KNOWN_FILES_IN_DATA_SOURCES_TREE: refreshContentTreeSafe(); break; case UserPreferences.HIDE_KNOWN_FILES_IN_VIEWS_TREE: // TODO: Need a way to refresh the Views subtree break; } } }); Case.addPropertyChangeListener(this); this.em.addPropertyChangeListener(this); IngestManager.getInstance().addIngestJobEventListener(this); IngestManager.getInstance().addIngestModuleEventListener(this); }
public abstract class Extract implements IngestModuleImage { protected Case currentCase = Case.getCurrentCase(); // get the most updated case protected SleuthkitCase tskCase = currentCase.getSleuthkitCase(); public final Logger logger = Logger.getLogger(this.getClass().getName()); protected final ArrayList<String> errorMessages = new ArrayList<String>(); protected String moduleName = ""; // hide public constructor to prevent from instantiation by ingest module loader Extract() {} List<String> getErrorMessages() { return errorMessages; } /** * Returns a List of FsContent objects from TSK based on sql query. * * @param image is a Image object that denotes which image to get the files from * @param query is a sql string query that is to be run * @return FFSqlitedb is a List of FsContent objects */ @SuppressWarnings("deprecation") public List<FsContent> extractFiles(Image image, String query) { Collection<FileSystem> imageFS = tskCase.getFileSystems(image); List<String> fsIds = new LinkedList<String>(); for (FileSystem img : imageFS) { Long tempID = img.getId(); fsIds.add(tempID.toString()); } String allFS = new String(); for (int i = 0; i < fsIds.size(); i++) { if (i == 0) { allFS += " AND (0"; } allFS += " OR fs_obj_id = '" + fsIds.get(i) + "'"; if (i == fsIds.size() - 1) { allFS += ")"; } } List<FsContent> FFSqlitedb = null; ResultSet rs = null; try { rs = tskCase.runQuery(query + allFS); FFSqlitedb = tskCase.resultSetToFsContents(rs); } catch (SQLException ex) { logger.log( Level.SEVERE, "Error while trying to extract files for:" + this.getClass().getName(), ex); this.addErrorMessage(this.getName() + ": Error while trying to extract files to analyze."); } finally { if (rs != null) { try { tskCase.closeRunQuery(rs); } catch (SQLException ex) { logger.log( Level.SEVERE, "Error while trying to close result set after extract files for:" + this.getClass().getName(), ex); } } } return FFSqlitedb; } /** * Generic method for adding a blackboard artifact to the blackboard * * @param type is a blackboard.artifact_type enum to determine which type the artifact should be * @param content is the FsContent object that needs to have the artifact added for it * @param bbattributes is the collection of blackboard attributes that need to be added to the * artifact after the artifact has been created */ public void addArtifact( BlackboardArtifact.ARTIFACT_TYPE type, FsContent content, Collection<BlackboardAttribute> bbattributes) { try { BlackboardArtifact bbart = content.newArtifact(type); bbart.addAttributes(bbattributes); } catch (TskException ex) { logger.log(Level.SEVERE, "Error while trying to add an artifact: " + ex); } } /** * Returns a List from a result set based on sql query. * * @param path is the string path to the sqlite db file * @param query is a sql string query that is to be run * @return list is the ArrayList that contains the resultset information in it that the query * obtained */ public List<HashMap<String, Object>> dbConnect(String path, String query) { ResultSet temprs = null; List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>(); String connectionString = "jdbc:sqlite:" + path; try { SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString); temprs = tempdbconnect.executeQry(query); list = this.resultSetToArrayList(temprs); tempdbconnect.closeConnection(); } catch (SQLException ex) { logger.log( Level.SEVERE, "Error while trying to read into a sqlite db." + connectionString, ex); return Collections.<HashMap<String, Object>>emptyList(); } return list; } /** * Returns a List of FsContent objects from TSK based on sql query. * * @param rs is the resultset that needs to be converted to an arraylist * @return list returns the arraylist built from the converted resultset */ public List<HashMap<String, Object>> resultSetToArrayList(ResultSet rs) throws SQLException { ResultSetMetaData md = rs.getMetaData(); int columns = md.getColumnCount(); List<HashMap<String, Object>> list = new ArrayList<HashMap<String, Object>>(50); while (rs.next()) { HashMap<String, Object> row = new HashMap<String, Object>(columns); for (int i = 1; i <= columns; ++i) { if (rs.getObject(i) == null) { row.put(md.getColumnName(i), ""); } else { row.put(md.getColumnName(i), rs.getObject(i)); } } list.add(row); } return list; } /** * Returns a List of string error messages from the inheriting class * * @return errorMessages returns all error messages logged */ public ArrayList<String> getErrorMessage() { return errorMessages; } /** * Adds a string to the error message list * * @param message is an error message represented as a string */ public void addErrorMessage(String message) { errorMessages.add(message); } /** * Returns the name of the inheriting class * * @return Gets the moduleName set in the moduleName data member */ public String getName() { return moduleName; } }
private void removeListeners() { deleteObservers(); IngestManager.getInstance().removeIngestJobEventListener(pcl); IngestManager.getInstance().removeIngestModuleEventListener(pcl); Case.removePropertyChangeListener(pcl); }
FileSizeRootChildrenObservable() { IngestManager.getInstance().addIngestJobEventListener(pcl); IngestManager.getInstance().addIngestModuleEventListener(pcl); Case.addPropertyChangeListener(pcl); }
/** * Get the cached file of the content object with the given id. * * <p>The returned file may not exist. * * @param id * @return */ public static File getFile(long id) { return new File(Case.getCurrentCase().getCacheDirectory() + File.separator + id + ".png"); }