示例#1
文件: Tags.java 项目: halbbob/autopsy
  /**
   * Create a tag for an artifact with TSK_TAG_NAME as tagName.
   *
   * @param artifact to create tag for
   * @param tagName TSK_TAG_NAME
   * @param comment the tag comment or null if not present
   */
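  public static void createTag(BlackboardArtifact artifact, String tagName, String comment) {
    // Failures are logged at SEVERE and not rethrown, so callers get no signal that the tag was
    // not written; the log entry is the only record of a missing tag.
    try {
      SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();

      // The tag artifact is created on the file that owns the artifact being tagged.
      // NOTE(review): the lookup is treated as nullable here (no file for this object ID);
      // confirm against the SleuthkitCase version in use.
      AbstractFile file = skCase.getAbstractFileById(artifact.getObjectID());
      if (file == null) {
        logger.log(
            Level.SEVERE,
            "Failed to create tag for artifact "
                + artifact.getArtifactID()
                + ": no file found for object "
                + artifact.getObjectID());
        return;
      }

      final BlackboardArtifact tagArtifact =
          file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT);
      List<BlackboardAttribute> attrs = new ArrayList<>();

      // The comment attribute is optional: null and empty comments are both skipped.
      if (comment != null && !comment.isEmpty()) {
        attrs.add(
            new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), "", comment));
      }

      // Tag name, then the back-reference to the tagged artifact (same order as before).
      attrs.add(
          new BlackboardAttribute(
              BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(), "", tagName));
      attrs.add(
          new BlackboardAttribute(
              BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID(),
              "",
              artifact.getArtifactID()));

      tagArtifact.addAttributes(attrs);
    } catch (TskCoreException ex) {
      // Pass the exception to the logger so the cause and stack trace are kept; without it the
      // log cannot show why an examiner's tag was lost.
      logger.log(
          Level.SEVERE, "Failed to create tag for artifact " + artifact.getArtifactID(), ex);
    }
  }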
示例#2
文件: Tags.java 项目: halbbob/autopsy
  /**
   * Looks up the tag names associated with either a tagged artifact or a tag artifact.
   *
   * @param artifactID The ID of the artifact
   * @param artifactTypeID The ID of the artifact type
   * @return A set of unique tag names
   */
  public static HashSet<String> getUniqueTagNames(long artifactID, int artifactTypeID) {
    // Collected names; whatever was gathered before a TskCoreException is still returned.
    HashSet<String> uniqueNames = new HashSet<>();

    try {
      ArrayList<Long> tagIds = new ArrayList<>();
      boolean isTagItself =
          artifactTypeID == ARTIFACT_TYPE.TSK_TAG_FILE.getTypeID()
              || artifactTypeID == ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID();
      if (!isTagItself) {
        // A tagged artifact: find every tag artifact that references it.
        List<BlackboardArtifact> referencingTags =
            Case.getCurrentCase()
                .getSleuthkitCase()
                .getBlackboardArtifacts(ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT, artifactID);
        for (BlackboardArtifact referencingTag : referencingTags) {
          tagIds.add(referencingTag.getArtifactID());
        }
      } else {
        // The artifact is already a tag, so it is the only one to inspect.
        tagIds.add(artifactID);
      }

      final int tagNameTypeId = ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID();
      for (Long tagId : tagIds) {
        // The WHERE clause is built by concatenation. Both interpolated values are numeric
        // (a Long and an int), so no text can reach the query; keep it that way and never
        // append string data to this clause.
        StringBuilder where = new StringBuilder();
        where.append("WHERE artifact_id = ");
        where.append(tagId);
        where.append(" AND attribute_type_id = ");
        where.append(tagNameTypeId);
        List<BlackboardAttribute> nameAttrs =
            Case.getCurrentCase().getSleuthkitCase().getMatchingAttributes(where.toString());
        for (BlackboardAttribute nameAttr : nameAttrs) {
          uniqueNames.add(nameAttr.getValueString());
        }
      }
    } catch (TskCoreException ex) {
      logger.log(Level.SEVERE, "Failed to get tags for artifact " + artifactID, ex);
    }

    return uniqueNames;
  }
示例#3
文件: Tags.java 项目: halbbob/autopsy
 /**
  * Looks up the tag names associated with either a tagged artifact or a tag artifact.
  *
  * @param artifact The artifact
  * @return A set of unique tag names
  */
 public static HashSet<String> getUniqueTagNames(BlackboardArtifact artifact) {
   // Convenience overload: read the two IDs and hand them to the (long, int) variant.
   final long id = artifact.getArtifactID();
   final int typeId = artifact.getArtifactTypeID();
   return getUniqueTagNames(id, typeId);
 }
示例#4
文件: Tags.java 项目: halbbob/autopsy
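    @Override
    protected Node createNodeForKey(final BlackboardArtifact artifact) {
      // Builds the display node for one tag artifact. Lookups that find nothing are logged and
      // skipped, so the tag still appears in the tree instead of failing with a
      // NullPointerException.

      // Bookmarks get their own icon; every other tag name uses the generic tag icon.
      final String iconPath =
          tagName.equals(BOOKMARK_TAG_NAME) ? BOOKMARK_ICON_PATH : TAG_ICON_PATH;

      // Create the actions here, where the tag logic belongs, rather than in
      // DataResultFilterNode with visitors, which is less pluggable and more cluttered.
      final BlackboardArtifactNode tagNode;
      if (tagType.equals(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT)) {
        // Result tag: subclass the node to add a "View Source Result" action. Per the original
        // author, this action is merged with the others set by DataResultFilterNode.
        tagNode =
            new BlackboardArtifactNode(artifact, iconPath) {
              @Override
              public Action[] getActions(boolean bln) {
                // The inherited action list is not consulted; only this one action is returned.
                Action[] actions = new Action[1];
                actions[0] =
                    new AbstractAction("View Source Result") {
                      @Override
                      public void actionPerformed(ActionEvent e) {
                        // Open the source artifact in the directory tree.
                        BlackboardArtifact sourceArt =
                            Tags.getArtifactFromTag(artifact.getArtifactID());
                        if (sourceArt == null) {
                          return;
                        }
                        // Lookup returns null when no viewer is registered.
                        BlackboardResultViewer v =
                            Lookup.getDefault().lookup(BlackboardResultViewer.class);
                        if (v != null) {
                          v.viewArtifact(sourceArt);
                        }
                      }
                    };
                return actions;
              }
            };
      } else {
        // File tag: a plain node, with no additional actions.
        tagNode = new BlackboardArtifactNode(artifact, iconPath);
      }

      // Add some additional node properties.
      final String NO_DESCR = "no description";
      int artifactTypeID = artifact.getArtifactTypeID();
      if (artifactTypeID == BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getTypeID()) {
        // The action above already treats a null source artifact as possible, so guard here
        // as well before dereferencing it.
        BlackboardArtifact sourceResult = Tags.getArtifactFromTag(artifact.getArtifactID());
        if (sourceResult != null) {
          tagNode.addNodeProperty(
              new NodeProperty(
                  "Source Result Type", "Result Type", NO_DESCR, sourceResult.getDisplayName()));
        } else {
          logger.log(
              Level.WARNING,
              "No source result found for tag artifact " + artifact.getArtifactID());
        }
      }
      try {
        // Add the source path property.
        // NOTE(review): the file lookup is treated as nullable here; confirm against the
        // SleuthkitCase version in use.
        final AbstractFile sourceFile = skCase.getAbstractFileById(artifact.getObjectID());
        if (sourceFile != null) {
          tagNode.addNodeProperty(
              new NodeProperty(
                  "Source File Path", "Source File Path", NO_DESCR, sourceFile.getUniquePath()));
        } else {
          logger.log(
              Level.WARNING,
              "No source file found for tag artifact " + artifact.getArtifactID());
        }
      } catch (TskCoreException ex) {
        logger.log(
            Level.SEVERE,
            "Error getting a file from artifact to get source file path for a tag, ",
            ex);
      }

      return tagNode;
    }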
  /** {@inheritDoc} */
  @Override
  @Messages({
    "FilesIdentifierIngestModule.indexError.message=Failed to index interesting file hit artifact for keyword search."
  })
  public ProcessResult process(AbstractFile file) {
    blackboard = Case.getCurrentCase().getServices().getBlackboard();

    // Test the file against each interesting files set registered for this ingest job.
    List<FilesSet> jobFilesSets =
        FilesIdentifierIngestModule.interestingFileSetsByJob.get(this.context.getJobId());
    for (FilesSet candidateSet : jobFilesSets) {
      String matchedRule = candidateSet.fileIsMemberOf(file);
      if (matchedRule == null) {
        // Not a member of this set; try the next one.
        continue;
      }

      try {
        // Post an interesting files set hit artifact to the blackboard.
        final String moduleName = InterestingItemsIngestModuleFactory.getModuleName();
        final BlackboardArtifact.ARTIFACT_TYPE hitType =
            BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT;
        BlackboardArtifact hit = file.newArtifact(hitType);

        // Record the set name on the artifact. This puts a fair amount of redundant data in
        // the attributes table (rows that differ only in artifact id), but avoiding it would
        // require reworking the interesting files set hit artifact.
        hit.addAttribute(
            new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
                moduleName,
                candidateSet.getName()));

        // Record, as a category attribute, which membership rule was satisfied.
        hit.addAttribute(
            new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, moduleName, matchedRule));

        try {
          // Index the artifact for keyword search.
          blackboard.indexArtifact(hit);
        } catch (Blackboard.BlackboardException ex) {
          // An indexing failure is logged and shown to the user; the hit is still announced
          // below.
          logger.log(
              Level.SEVERE,
              "Unable to index blackboard artifact " + hit.getArtifactID(),
              ex); // NON-NLS
          MessageNotifyUtil.Notify.error(
              Bundle.FilesIdentifierIngestModule_indexError_message(), hit.getDisplayName());
        }

        ModuleDataEvent hitEvent =
            new ModuleDataEvent(moduleName, hitType, Collections.singletonList(hit));
        IngestServices.getInstance().fireModuleDataEvent(hitEvent);

      } catch (TskCoreException ex) {
        // NOTE(review): a failed post is only logged; the method still returns OK, so the
        // ingest result alone does not show that a hit is missing from the case.
        FilesIdentifierIngestModule.logger.log(
            Level.SEVERE, "Error posting to the blackboard", ex); // NOI18N NON-NLS
      }
    }
    return ProcessResult.OK;
  }