Using TSK_MALWARE standard Autopsy artifact

db2a4979 · eugene.livis · c1c19dba · db2a4979 · db2a4979 · db2a4979
Commit db2a4979 authored 1 year ago by eugene.livis
--- a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
+++ b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
@@ -134,8 +134,7 @@ private static class SharedProcessing {
                "application/x-msdos-program"//NON-NLS
        ).collect(Collectors.toSet());
-        private static final String MALWARE_TYPE_NAME = "TSK_MALWARE";
+        private static final String MALWARE_CONFIG = ""; // NOTE: Adding a configuration complicates NTL branch UI
-        private static final String MALWARE_CONFIG = "Cyber Triage Cloud";
        private static final Logger logger = Logger.getLogger(MalwareScanIngestModule.class.getName());
@@ -235,18 +234,13 @@ private IngestJobState getNewJobState(IngestJobContext context, boolean uploadFi
            // setup necessary variables for processing
            SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
-            BlackboardArtifact.Type malwareType = tskCase.getBlackboard().getOrAddArtifactType(
-                    MALWARE_TYPE_NAME,
-                    Bundle.MalwareScanIngestModule_malwareTypeDisplayName(),
-                    BlackboardArtifact.Category.ANALYSIS_RESULT);
            return new IngestJobState(
                    context,
                    tskCase,
                    new PathNormalizer(tskCase),
                    new FileTypeDetector(),
                    licenseInfoOpt.get(),
-                    malwareType,
+                    BlackboardArtifact.Type.TSK_MALWARE,
                    uploadFiles,
                    true
            );

--- a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
@@ -64,6 +64,7 @@
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_TL_EVENT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_ASSOCIATED_OBJECT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_KEYWORD_HIT;
+import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 /**
 * Classes for creating nodes for BlackboardArtifacts.
@@ -73,10 +74,6 @@ public class Artifacts {
    private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST
            = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
-    // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
-    private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
-    private static final String MALWARE_HITS = "TSK_MALWARE";
    /**
     * Base class for a parent node of artifacts.
     */
@@ -247,15 +244,6 @@ static class TypeFactory extends ChildFactory.Detachable<TypeNodeKey> implements
        @SuppressWarnings("deprecation")
        private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCase skCase, long dsObjId) {
-            // Get the custom TSK_MALWARE artifact type from case database
-            if (MALWARE_ARTIFACT_TYPE == null) {
-                try {
-                    MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
-                } catch (TskCoreException ex) {
-                    logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
-                }
-            }
            int typeId = type.getTypeID();
            if (TSK_EMAIL_MSG.getTypeID() == typeId) {
                EmailExtracted.RootNode emailNode = new EmailExtracted(skCase, dsObjId).new RootNode();
@@ -281,9 +269,9 @@ private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCas
            } else if (TSK_HASHSET_HIT.getTypeID() == typeId) {
                HashsetHits.RootNode hashsetHits = new HashsetHits(skCase, dsObjId).new RootNode();
                return new TypeNodeKey(hashsetHits, TSK_HASHSET_HIT);
-            } else if (MALWARE_ARTIFACT_TYPE != null && MALWARE_ARTIFACT_TYPE.getTypeID() == typeId) {
+            } else if (TSK_MALWARE.getTypeID() == typeId) {
                MalwareHits.RootNode malwareHits = new MalwareHits(skCase, dsObjId).new RootNode();
-                return new TypeNodeKey(malwareHits, MALWARE_ARTIFACT_TYPE);
+                return new TypeNodeKey(malwareHits, TSK_MALWARE);
            } else {
                return new TypeNodeKey(type, dsObjId);
            }

--- a/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
@@ -44,12 +44,12 @@
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.ingest.IngestManager;
 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
-import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.SleuthkitCase;
 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode;
 import org.sleuthkit.datamodel.AnalysisResult;
+import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 import org.sleuthkit.datamodel.Score;
 /**
@@ -57,9 +57,6 @@
 */
 public class MalwareHits implements AutopsyVisitableItem {
-    private static final String MALWARE_HITS = "TSK_MALWARE"; // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
-    private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
-    private static String DISPLAY_NAME;
    private static final Logger logger = Logger.getLogger(MalwareHits.class.getName());
    private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
    private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestModuleEvent.DATA_ADDED);
@@ -126,20 +123,9 @@ final void update() {
                return;
            }
-            // Get the custom TSK_MALWARE artifact type from case database
-            if (MALWARE_ARTIFACT_TYPE == null) {
-                try {
-                    MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
-                    DISPLAY_NAME = MALWARE_ARTIFACT_TYPE.getDisplayName();
-                } catch (TskCoreException ex) {
-                    logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
-                    return;
-                }
-            }
            String query = "SELECT blackboard_artifacts.artifact_obj_id " //NON-NLS
                    + "FROM blackboard_artifacts,tsk_analysis_results WHERE " //NON-NLS
-                    + "blackboard_artifacts.artifact_type_id=" + MALWARE_ARTIFACT_TYPE.getTypeID() //NON-NLS
+                    + "blackboard_artifacts.artifact_type_id=" + TSK_MALWARE.getTypeID() //NON-NLS
                    + " AND tsk_analysis_results.artifact_obj_id=blackboard_artifacts.artifact_obj_id" //NON-NLS
                    + " AND (tsk_analysis_results.significance=" + Score.Significance.NOTABLE.getId() //NON-NLS
                    + " OR tsk_analysis_results.significance=" + Score.Significance.LIKELY_NOTABLE.getId() + " )"; //NON-NLS
@@ -182,7 +168,7 @@ public void propertyChange(PropertyChangeEvent evt) {
                         * oldValue if the event is a remote event.
                         */
                        ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();
-                        if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == MALWARE_ARTIFACT_TYPE.getTypeID()) {
+                        if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == TSK_MALWARE.getTypeID()) {
                            malwareResults.update();
                        }
                    } catch (NoCurrentCaseException notUsed) {
@@ -248,13 +234,13 @@ public void update(Observable o, Object arg) {
    public class RootNode extends UpdatableCountTypeNode {
        public RootNode() {
-            super(Children.create(new HitFactory(DISPLAY_NAME), true),
+            super(Children.create(new HitFactory(TSK_MALWARE.getDisplayName()), true),
-                    Lookups.singleton(DISPLAY_NAME),
+                    Lookups.singleton(TSK_MALWARE.getDisplayName()),
-                    DISPLAY_NAME,
+                    TSK_MALWARE.getDisplayName(),
                    filteringDSObjId,
-                    MALWARE_ARTIFACT_TYPE);
+                    TSK_MALWARE);
-            super.setName(MALWARE_HITS);
+            super.setName(TSK_MALWARE.getTypeName());
            // TODO make an icon
            this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/artifact-icon.png");
        }
@@ -297,7 +283,7 @@ public String getItemType() {
         */
        @Override
        void updateDisplayName() {
-            super.setDisplayName(DISPLAY_NAME + " (" + malwareResults.getArtifactIds().size() + ")");
+            super.setDisplayName(TSK_MALWARE.getDisplayName() + " (" + malwareResults.getArtifactIds().size() + ")");
        }
    }