From db2a4979cec69b480da5bd75d2b1c80f1fe956ac Mon Sep 17 00:00:00 2001
From: "eugene.livis" <elivis@basistech.com>
Date: Tue, 29 Aug 2023 11:57:47 -0400
Subject: [PATCH] Using TSK_MALWARE standard Autopsy artifact

---
 .../malwarescan/MalwareScanIngestModule.java  | 10 ++----
 .../autopsy/datamodel/Artifacts.java          | 18 ++---------
 .../autopsy/datamodel/MalwareHits.java        | 32 ++++++-------------
 3 files changed, 14 insertions(+), 46 deletions(-)

diff --git a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
index ba8bd556b1..fee67fdff2 100644
--- a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
+++ b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
@@ -134,8 +134,7 @@ private static class SharedProcessing {
                 "application/x-msdos-program"//NON-NLS
         ).collect(Collectors.toSet());
         
-        private static final String MALWARE_TYPE_NAME = "TSK_MALWARE";
-        private static final String MALWARE_CONFIG = "Cyber Triage Cloud";
+        private static final String MALWARE_CONFIG = ""; // NOTE: Adding a configuration complicates NTL branch UI
 
         private static final Logger logger = Logger.getLogger(MalwareScanIngestModule.class.getName());
 
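Review bot: `MALWARE_CONFIG` is now an empty string, and the trailing comment gives the reason only as "NTL branch UI", which a reader outside the team cannot interpret. Where the constant is consumed lies outside this hunk. If it is passed as the configuration of each analysis result, results from this module would no longer record which scanning service produced the verdict, which an examiner may need when attributing a hit. I would expand the comment to say so, for example `// Deliberately empty: a non-empty configuration changes how the results tree groups hits; the producing service is identified by the module name instead.`, adjusted to whatever is actually true.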
@@ -235,18 +234,13 @@ private IngestJobState getNewJobState(IngestJobContext context, boolean uploadFi
 
             // setup necessary variables for processing
             SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
-            BlackboardArtifact.Type malwareType = tskCase.getBlackboard().getOrAddArtifactType(
-                    MALWARE_TYPE_NAME,
-                    Bundle.MalwareScanIngestModule_malwareTypeDisplayName(),
-                    BlackboardArtifact.Category.ANALYSIS_RESULT);
-
             return new IngestJobState(
                     context,
                     tskCase,
                     new PathNormalizer(tskCase),
                     new FileTypeDetector(),
                     licenseInfoOpt.get(),
-                    malwareType,
+                    BlackboardArtifact.Type.TSK_MALWARE,
                     uploadFiles,
                     true
             );
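Review bot: Cases ingested before this change hold their malware hits under the custom type registered by the removed `getOrAddArtifactType(MALWARE_TYPE_NAME, ...)` call, and nothing in this patch shows how those rows relate to the built-in `BlackboardArtifact.Type.TSK_MALWARE`. If the custom type was assigned a different type id in the case database (I cannot tell from here), the `TSK_MALWARE.getTypeID() == typeId` branch in `Artifacts.getTypeKey` and the `artifact_type_id=` filter in `MalwareHits.update()` would stop matching the older results. Earlier hits would then drop out of the malware node with no warning to the examiner. Please confirm that a case-database upgrade or an equivalent mapping covers this, and state it in the commit message. `getNewJobState` begins and ends outside this hunk.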
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
index a38383c183..4475b682c5 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
@@ -64,6 +64,7 @@
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_TL_EVENT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_ASSOCIATED_OBJECT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_KEYWORD_HIT;
+import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 
 /**
  * Classes for creating nodes for BlackboardArtifacts.
@@ -73,10 +74,6 @@ public class Artifacts {
     private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST
             = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
     
-    // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
-    private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
-    private static final String MALWARE_HITS = "TSK_MALWARE";
-
     /**
      * Base class for a parent node of artifacts.
      */
@@ -247,15 +244,6 @@ static class TypeFactory extends ChildFactory.Detachable<TypeNodeKey> implements
         @SuppressWarnings("deprecation")
         private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCase skCase, long dsObjId) {
 
-            // Get the custom TSK_MALWARE artifact type from case database
-            if (MALWARE_ARTIFACT_TYPE == null) {
-                try {
-                    MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
-                } catch (TskCoreException ex) {
-                    logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
-                }
-            }
-
             int typeId = type.getTypeID();
             if (TSK_EMAIL_MSG.getTypeID() == typeId) {
                 EmailExtracted.RootNode emailNode = new EmailExtracted(skCase, dsObjId).new RootNode();
@@ -281,9 +269,9 @@ private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCas
             } else if (TSK_HASHSET_HIT.getTypeID() == typeId) {
                 HashsetHits.RootNode hashsetHits = new HashsetHits(skCase, dsObjId).new RootNode();
                 return new TypeNodeKey(hashsetHits, TSK_HASHSET_HIT);
-            } else if (MALWARE_ARTIFACT_TYPE != null && MALWARE_ARTIFACT_TYPE.getTypeID() == typeId) {
+            } else if (TSK_MALWARE.getTypeID() == typeId) {
                 MalwareHits.RootNode malwareHits = new MalwareHits(skCase, dsObjId).new RootNode();
-                return new TypeNodeKey(malwareHits, MALWARE_ARTIFACT_TYPE);
+                return new TypeNodeKey(malwareHits, TSK_MALWARE);
             } else {
                 return new TypeNodeKey(type, dsObjId);
             }
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java b/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
index c1761a7ad5..2524650178 100755
--- a/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
@@ -44,12 +44,12 @@
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.ingest.IngestManager;
 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
-import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.SleuthkitCase;
 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode;
 import org.sleuthkit.datamodel.AnalysisResult;
+import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 import org.sleuthkit.datamodel.Score;
 
 /**
@@ -57,9 +57,6 @@
  */
 public class MalwareHits implements AutopsyVisitableItem {
 
-    private static final String MALWARE_HITS = "TSK_MALWARE"; // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
-    private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
-    private static String DISPLAY_NAME;
     private static final Logger logger = Logger.getLogger(MalwareHits.class.getName());
     private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
     private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestModuleEvent.DATA_ADDED);
@@ -126,20 +123,9 @@ final void update() {
                 return;
             }
 
-            // Get the custom TSK_MALWARE artifact type from case database
-            if (MALWARE_ARTIFACT_TYPE == null) {
-                try {
-                    MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
-                    DISPLAY_NAME = MALWARE_ARTIFACT_TYPE.getDisplayName();
-                } catch (TskCoreException ex) {
-                    logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
-                    return;
-                }
-            }
-
             String query = "SELECT blackboard_artifacts.artifact_obj_id " //NON-NLS
                     + "FROM blackboard_artifacts,tsk_analysis_results WHERE " //NON-NLS
-                    + "blackboard_artifacts.artifact_type_id=" + MALWARE_ARTIFACT_TYPE.getTypeID() //NON-NLS
+                    + "blackboard_artifacts.artifact_type_id=" + TSK_MALWARE.getTypeID() //NON-NLS
                     + " AND tsk_analysis_results.artifact_obj_id=blackboard_artifacts.artifact_obj_id" //NON-NLS
                     + " AND (tsk_analysis_results.significance=" + Score.Significance.NOTABLE.getId() //NON-NLS
                     + " OR tsk_analysis_results.significance=" + Score.Significance.LIKELY_NOTABLE.getId() + " )"; //NON-NLS
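Review bot: The query in `update()` is still built by string concatenation, and nothing near it says why that is safe. The interpolated values in these lines are ids from `TSK_MALWARE.getTypeID()` and `Score.Significance.*.getId()`, not caller-supplied text, so I see no injection path here. A short comment above the `String query =` line would keep a later edit from splicing a string into the same expression: `// Only internal numeric ids are concatenated below; never add caller- or evidence-derived strings to this query.` `update()` starts before and continues past this hunk.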
@@ -182,7 +168,7 @@ public void propertyChange(PropertyChangeEvent evt) {
                          * oldValue if the event is a remote event.
                          */
                         ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();
-                        if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == MALWARE_ARTIFACT_TYPE.getTypeID()) {
+                        if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == TSK_MALWARE.getTypeID()) {
                             malwareResults.update();
                         }
                     } catch (NoCurrentCaseException notUsed) {
@@ -248,13 +234,13 @@ public void update(Observable o, Object arg) {
     public class RootNode extends UpdatableCountTypeNode {
 
         public RootNode() {
-            super(Children.create(new HitFactory(DISPLAY_NAME), true),
-                    Lookups.singleton(DISPLAY_NAME),
-                    DISPLAY_NAME,
+            super(Children.create(new HitFactory(TSK_MALWARE.getDisplayName()), true),
+                    Lookups.singleton(TSK_MALWARE.getDisplayName()),
+                    TSK_MALWARE.getDisplayName(),
                     filteringDSObjId,
-                    MALWARE_ARTIFACT_TYPE);
+                    TSK_MALWARE);
 
-            super.setName(MALWARE_HITS);
+            super.setName(TSK_MALWARE.getTypeName());
             // TODO make an icon
             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/artifact-icon.png");
         }
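Review bot: `TSK_MALWARE.getDisplayName()` is now evaluated three times inside the `super(...)` call and once more in `updateDisplayName()` in the next hunk, where the removed code used a single `DISPLAY_NAME` field. A class-level constant would keep the four uses in step and read more easily: `private static final String DISPLAY_NAME = TSK_MALWARE.getDisplayName();`. Unlike the field this patch removes, it would be `final` and never null. The `RootNode` class continues outside this hunk.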
@@ -297,7 +283,7 @@ public String getItemType() {
          */
         @Override
         void updateDisplayName() {
-            super.setDisplayName(DISPLAY_NAME + " (" + malwareResults.getArtifactIds().size() + ")");
+            super.setDisplayName(TSK_MALWARE.getDisplayName() + " (" + malwareResults.getArtifactIds().size() + ")");
         }
     }
 
-- 
GitLab