From 0d46f308f29e6094ba0de0e70aa4f133041bafa9 Mon Sep 17 00:00:00 2001
From: Kelly Kelly <kelly@basistech.com>
Date: Fri, 5 Feb 2021 17:57:30 -0500
Subject: [PATCH] Cleaned up getDescription method and some event descriptions

---
 ...ineEventArtifactTypeSingleDescription.java | 1 -
 .../datamodel/TimelineEventType.java | 159 +++++++++---------
 .../sleuthkit/datamodel/TimelineManager.java | 33 ++--
 3 files changed, 102 insertions(+), 91 deletions(-)

diff --git a/bindings/java/src/org/sleuthkit/datamodel/TimelineEventArtifactTypeSingleDescription.java b/bindings/java/src/org/sleuthkit/datamodel/TimelineEventArtifactTypeSingleDescription.java
index f1c297f21..6134d6d19 100644
--- a/bindings/java/src/org/sleuthkit/datamodel/TimelineEventArtifactTypeSingleDescription.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/TimelineEventArtifactTypeSingleDescription.java
@@ -39,7 +39,6 @@ public TimelineEventDescriptionWithTime makeEventDescription(BlackboardArtifact
 BlackboardAttribute timeAttribute = artifact.getAttribute(getDateTimeAttributeType());
 if (timeAttribute == null) {
- logger.log(Level.WARNING, "Artifact {0} has no date/time attribute, skipping it.", artifact.toString()); // NON-NLS
 return null;
 }
diff --git a/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java b/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java
index 8c188f6b4..a0bca13c4 100644
--- a/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java
@@ -202,11 +202,11 @@ public SortedSet< TimelineEventType> getChildren() {
 HierarchyLevel.CATEGORY, ROOT_EVENT_TYPE) {
 @Override
 public SortedSet< TimelineEventType> getChildren() {
- return ImmutableSortedSet.of(WEB_DOWNLOADS, WEB_COOKIE,
- WEB_COOKIE_ACCESSED, WEB_COOKIE_START,
+ return ImmutableSortedSet.of(WEB_DOWNLOADS, WEB_COOKIE,
+ WEB_COOKIE_ACCESSED, WEB_COOKIE_END,
 WEB_BOOKMARK,
- WEB_HISTORY, WEB_SEARCH, WEB_FORM_AUTOFILL,
- WEB_FORM_ADDRESSES, WEB_FORM_ADDRESSES_MODIFIED,
+ WEB_HISTORY, WEB_SEARCH, WEB_FORM_AUTOFILL,
+ WEB_FORM_ADDRESSES, WEB_FORM_ADDRESSES_MODIFIED,
 WEB_FORM_AUTOFILL_ACCESSED);
 }
 };
@@ -238,15 +238,15 @@ public int compare(TimelineEventType o1, TimelineEventType o2) {
 TimelineEventType FILE_MODIFIED = new FilePathEventType(4,
 getBundle().getString("FileSystemTypes.fileModified.name"), // NON-NLS
 HierarchyLevel.EVENT, FILE_SYSTEM);
-
+
 TimelineEventType FILE_ACCESSED = new FilePathEventType(5,
 getBundle().getString("FileSystemTypes.fileAccessed.name"), // NON-NLS
 HierarchyLevel.EVENT, FILE_SYSTEM);
-
+
 TimelineEventType FILE_CREATED = new FilePathEventType(6,
 getBundle().getString("FileSystemTypes.fileCreated.name"), // NON-NLS
 HierarchyLevel.EVENT, FILE_SYSTEM);
-
+
 TimelineEventType FILE_CHANGED = new FilePathEventType(7,
 getBundle().getString("FileSystemTypes.fileChanged.name"), // NON-NLS
 HierarchyLevel.EVENT, FILE_SYSTEM);
@@ -257,28 +257,28 @@ public int compare(TimelineEventType o1, TimelineEventType o2) {
 new BlackboardArtifact.Type(TSK_WEB_DOWNLOAD),
 new Type(TSK_DATETIME_ACCESSED),
 new Type(TSK_URL));
-
+
 TimelineEventType WEB_COOKIE = new URLArtifactEventType(9,
 getBundle().getString("WebTypes.webCookies.name"),// NON-NLS
 WEB_ACTIVITY,
 new BlackboardArtifact.Type(TSK_WEB_COOKIE),
 new Type(TSK_DATETIME_CREATED),
 new Type(TSK_URL));
-
+
 TimelineEventType WEB_BOOKMARK = new URLArtifactEventType(10,
 getBundle().getString("WebTypes.webBookmarks.name"), // NON-NLS
 WEB_ACTIVITY,
 new BlackboardArtifact.Type(TSK_WEB_BOOKMARK),
 new Type(TSK_DATETIME_CREATED),
 new Type(TSK_URL));
-
+
 TimelineEventType WEB_HISTORY = new URLArtifactEventType(11,
 getBundle().getString("WebTypes.webHistory.name"), // NON-NLS
 WEB_ACTIVITY,
 new BlackboardArtifact.Type(TSK_WEB_HISTORY),
 new Type(TSK_DATETIME_ACCESSED),
 new Type(TSK_URL));
-
+
 TimelineEventType WEB_SEARCH = new URLArtifactEventType(12,
 getBundle().getString("WebTypes.webSearch.name"), // NON-NLS
 WEB_ACTIVITY,
@@ -330,7 +330,7 @@ public int compare(TimelineEventType o1, TimelineEventType o2) {
 final BlackboardAttribute longStart = getAttributeSafe(artf, new Type(TSK_GEO_LONGITUDE_START));
 final BlackboardAttribute latEnd = getAttributeSafe(artf, new Type(TSK_GEO_LATITUDE_END));
 final BlackboardAttribute longEnd = getAttributeSafe(artf, new Type(TSK_GEO_LONGITUDE_END));
- return String.format("from %1$s %2$s to %3$s %4$s", stringValueOf(latStart), stringValueOf(longStart), stringValueOf(latEnd), stringValueOf(longEnd)); // NON-NLS
+ return String.format("From latitude: %1$s longitude: %2$s To latitude: %3$s longitude: %4$s", stringValueOf(latStart), stringValueOf(longStart), stringValueOf(latEnd), stringValueOf(longEnd)); // NON-NLS
 });
 @SuppressWarnings("deprecation")
@@ -343,7 +343,7 @@ public int compare(TimelineEventType o1, TimelineEventType o2) {
 artf -> {
 final BlackboardAttribute longitude = getAttributeSafe(artf, new Type(TSK_GEO_LONGITUDE));
 final BlackboardAttribute latitude = getAttributeSafe(artf, new Type(TSK_GEO_LATITUDE));
- return stringValueOf(latitude) + " " + stringValueOf(longitude); // NON-NLS
+ return "Latitude: " + stringValueOf(latitude) + " Longitude: " + stringValueOf(longitude); // NON-NLS
 }, new EmptyExtractor());
@@ -362,7 +362,7 @@ public int compare(TimelineEventType o1, TimelineEventType o2) {
 phoneNumber = getAttributeSafe(artf, new Type(TSK_PHONE_NUMBER_FROM));
 }
- return "Start: " + stringValueOf(phoneNumber);
+ return "Phone Number: " + stringValueOf(phoneNumber);
 }, new AttributeExtractor(new Type(TSK_DIRECTION)));
@@ -486,7 +486,7 @@ public SortedSet< TimelineEventType> getChildren() {
 new BlackboardArtifact.Type(TSK_WEB_FORM_ADDRESS),
 new Type(TSK_DATETIME_ACCESSED),
 new Type(TSK_EMAIL));
-
+
 TimelineEventType GPS_BOOKMARK = new TimelineEventArtifactTypeImpl(29,
 getBundle().getString("MiscTypes.GPSBookmark.name"), // NON-NLS
 MISC_TYPES,
@@ -496,7 +496,7 @@ public SortedSet< TimelineEventType> getChildren() {
 artf -> {
 final BlackboardAttribute longitude = getAttributeSafe(artf, new Type(TSK_GEO_LONGITUDE));
 final BlackboardAttribute latitude = getAttributeSafe(artf, new Type(TSK_GEO_LATITUDE));
- return stringValueOf(latitude) + " " + stringValueOf(longitude); // NON-NLS
+ return "Latitude: " + stringValueOf(latitude) + " Longitude: " + stringValueOf(longitude); // NON-NLS
 }, new EmptyExtractor());
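Review bot: The new start-of-call description in the -362 hunk reads `"Phone Number: "` while the end-of-call description added later in this same commit reads `"Phone number: "`, so the two halves of one call will render with different capitalization side by side in the timeline; pick one form for both. Both of those return lines are also the only hard-coded descriptions in this file without the `// NON-NLS` marker the neighbouring lambdas carry, and unlike the type names they are not taken from the bundle, which may be deliberate but deserves the marker at least. The lambda that contains this return begins outside the hunk.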
@@ -509,7 +509,7 @@ public SortedSet< TimelineEventType> getChildren() {
 artf -> {
 final BlackboardAttribute longitude = getAttributeSafe(artf, new Type(TSK_GEO_LONGITUDE));
 final BlackboardAttribute latitude = getAttributeSafe(artf, new Type(TSK_GEO_LATITUDE));
- return stringValueOf(latitude) + " " + stringValueOf(longitude); // NON-NLS
+ return "Latitude: " + stringValueOf(latitude) + " Longitude: " + stringValueOf(longitude); // NON-NLS
 }, new EmptyExtractor());
@@ -522,7 +522,7 @@ public SortedSet< TimelineEventType> getChildren() {
 artf -> {
 final BlackboardAttribute longitude = getAttributeSafe(artf, new Type(TSK_GEO_LONGITUDE));
 final BlackboardAttribute latitude = getAttributeSafe(artf, new Type(TSK_GEO_LATITUDE));
- return stringValueOf(latitude) + " " + stringValueOf(longitude); // NON-NLS
+ return "Latitude: " + stringValueOf(latitude) + " Longitude: " + stringValueOf(longitude); // NON-NLS
 }, new EmptyExtractor());
@@ -531,34 +531,39 @@ public SortedSet< TimelineEventType> getChildren() {
 MISC_TYPES,
 new BlackboardArtifact.Type(TSK_GPS_TRACK),
 new Type(TSK_NAME));
-
+
 TimelineEventType METADATA_LAST_PRINTED = new TimelineEventArtifactTypeImpl(33,
 getBundle().getString("MiscTypes.metadataLastPrinted.name"),// NON-NLS
 MISC_TYPES,
 new BlackboardArtifact.Type(TSK_METADATA),
 new BlackboardAttribute.Type(TSK_LAST_PRINTED_DATETIME),
- artf -> {return getBundle().getString("MiscTypes.metadataLastPrinted.name");},
- new EmptyExtractor(),
- new EmptyExtractor());
-
+ artf -> {
+ return getBundle().getString("MiscTypes.metadataLastPrinted.name");
+ },
+ new EmptyExtractor(),
+ new EmptyExtractor());
 TimelineEventType METADATA_LAST_SAVED = new TimelineEventArtifactTypeImpl(34,
 getBundle().getString("MiscTypes.metadataLastSaved.name"),// NON-NLS
 MISC_TYPES,
 new BlackboardArtifact.Type(TSK_METADATA),
 new BlackboardAttribute.Type(TSK_DATETIME_MODIFIED),
- artf -> {return getBundle().getString("MiscTypes.metadataLastSaved.name");},
- new EmptyExtractor(),
- new EmptyExtractor());
+ artf -> {
+ return getBundle().getString("MiscTypes.metadataLastSaved.name");
+ },
+ new EmptyExtractor(),
+ new EmptyExtractor());
 TimelineEventType METADATA_CREATED = new TimelineEventArtifactTypeImpl(35,
 getBundle().getString("MiscTypes.metadataCreated.name"),// NON-NLS
 MISC_TYPES,
 new BlackboardArtifact.Type(TSK_METADATA),
 new BlackboardAttribute.Type(TSK_DATETIME_CREATED),
- artf -> {return getBundle().getString("MiscTypes.metadataCreated.name");},
- new EmptyExtractor(),
- new EmptyExtractor());
+ artf -> {
+ return getBundle().getString("MiscTypes.metadataCreated.name");
+ },
+ new EmptyExtractor(),
+ new EmptyExtractor());
 TimelineEventType PROGRAM_EXECUTION = new TimelineEventArtifactTypeImpl(36,
 getBundle().getString("MiscTypes.programexecuted.name"),// NON-NLS
@@ -566,26 +571,27 @@ public SortedSet< TimelineEventType> getChildren() {
 new BlackboardArtifact.Type(TSK_PROG_RUN),
 new Type(TSK_DATETIME),
 new AttributeExtractor(new Type(TSK_PROG_NAME)),
- artf -> {
- String userName = stringValueOf(getAttributeSafe(artf, new Type(TSK_USER_NAME)));
- if (userName != null) {
- return userName;
- }
- return "";},
+ artf -> {
+ String userName = stringValueOf(getAttributeSafe(artf, new Type(TSK_USER_NAME)));
+ if (userName != null) {
+ return userName;
+ }
+ return "";
+ },
 new AttributeExtractor(new Type(TSK_COMMENT)));
-
+
 TimelineEventType WEB_FORM_AUTOFILL_ACCESSED = new TimelineEventArtifactTypeImpl(37,
- getBundle().getString("WebTypes.webFormAutofillAccessed.name"),
- WEB_ACTIVITY,
- new BlackboardArtifact.Type(TSK_WEB_FORM_AUTOFILL),
- new Type(TSK_DATETIME_ACCESSED),
- artf -> {
- final BlackboardAttribute name = getAttributeSafe(artf, new Type(TSK_NAME));
- final BlackboardAttribute value = getAttributeSafe(artf, new Type(TSK_VALUE));
- final BlackboardAttribute count = getAttributeSafe(artf, new Type(TSK_COUNT));
- return stringValueOf(name) + ":" + stringValueOf(value) + " Access count: " + stringValueOf(count); // NON-NLS
- }, new EmptyExtractor(), new EmptyExtractor());
-
+ getBundle().getString("WebTypes.webFormAutofillAccessed.name"),
+ WEB_ACTIVITY,
+ new BlackboardArtifact.Type(TSK_WEB_FORM_AUTOFILL),
+ new Type(TSK_DATETIME_ACCESSED),
+ artf -> {
+ final BlackboardAttribute name = getAttributeSafe(artf, new Type(TSK_NAME));
+ final BlackboardAttribute value = getAttributeSafe(artf, new Type(TSK_VALUE));
+ final BlackboardAttribute count = getAttributeSafe(artf, new Type(TSK_COUNT));
+ return stringValueOf(name) + ":" + stringValueOf(value) + " Access count: " + stringValueOf(count); // NON-NLS
+ }, new EmptyExtractor(), new EmptyExtractor());
+
 TimelineEventType CALL_LOG_END = new TimelineEventArtifactTypeImpl(38,
 getBundle().getString("MiscTypes.CallsEnd.name"), // NON-NLS
 MISC_TYPES,
@@ -601,11 +607,11 @@ public SortedSet< TimelineEventType> getChildren() {
 phoneNumber = getAttributeSafe(artf, new Type(TSK_PHONE_NUMBER_FROM));
 }
- return "End: " + stringValueOf(phoneNumber);
+ return "Phone number: " + stringValueOf(phoneNumber);
 }, new AttributeExtractor(new Type(TSK_DIRECTION)));
-
- TimelineEventType EMAIL_RCVD = new TimelineEventArtifactTypeImpl(38,
+
+ TimelineEventType EMAIL_RCVD = new TimelineEventArtifactTypeImpl(39,
 getBundle().getString("MiscTypes.EmailRcvd.name"), // NON-NLS
 MISC_TYPES,
 new BlackboardArtifact.Type(TSK_EMAIL_MSG),
@@ -619,7 +625,7 @@ public SortedSet< TimelineEventType> getChildren() {
 if (emailTo.length() > TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX) {
 emailTo = emailTo.substring(0, TimelineEventArtifactTypeImpl.EMAIL_TO_FROM_LENGTH_MAX);
 }
- return "Received from: " + emailFrom + " Received by: " + emailTo; // NON-NLS
+ return "Message from: " + emailFrom + " To: " + emailTo; // NON-NLS
 }, new AttributeExtractor(new Type(TSK_SUBJECT)), artf -> {
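Review bot: Moving EMAIL_RCVD from id 38 to 39 resolves a collision with CALL_LOG_END, which is also constructed with id 38 in the preceding hunk, but it also shifts every id that follows (WEB_FORM_ADDRESSES_MODIFIED, WEB_COOKIE_ACCESSED and WEB_COOKIE_END become 40, 41 and 42 later in this commit). If that numeric id is what gets persisted for events in a case database — this file does not show it, but the id being the first constructor argument suggests it is — events written by an earlier build would be reinterpreted as a different type when the case is reopened, so the commit should state whether a schema upgrade or a "new cases only" rule covers it. A comment on the EMAIL_RCVD line such as `// id 39: 38 was a duplicate of CALL_LOG_END; ids must stay unique and stable once released` would keep the next editor from repeating the mistake. The enclosing lambda and the interface body continue outside the hunk.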
@@ -630,35 +636,28 @@ public SortedSet< TimelineEventType> getChildren() {
 }
 return msg;
 });
-
- TimelineEventType WEB_FORM_ADDRESSES_MODIFIED = new URLArtifactEventType(39,
- getBundle().getString("WebTypes.webFormAddressModified.name"),//NON-NLS
- WEB_ACTIVITY,
- new BlackboardArtifact.Type(TSK_WEB_FORM_ADDRESS),
- new Type(TSK_DATETIME_MODIFIED),
- new Type(TSK_EMAIL));
-
- TimelineEventType WEB_COOKIE_ACCESSED = new URLArtifactEventType(40,
- getBundle().getString("WebTypes.webCookiesAccessed.name"),// NON-NLS
- WEB_ACTIVITY,
- new BlackboardArtifact.Type(TSK_WEB_COOKIE),
- new Type(TSK_DATETIME_ACCESSED),
- new Type(TSK_URL));
-
- TimelineEventType WEB_COOKIE_END = new URLArtifactEventType(41,
- getBundle().getString("WebTypes.webCookiesEnd.name"),// NON-NLS
- WEB_ACTIVITY,
- new BlackboardArtifact.Type(TSK_WEB_COOKIE),
- new Type(TSK_DATETIME_END),
- new Type(TSK_URL));
-
- TimelineEventType WEB_COOKIE_START = new URLArtifactEventType(42,
- getBundle().getString("WebTypes.webCookiesStart.name"),// NON-NLS
- WEB_ACTIVITY,
- new BlackboardArtifact.Type(TSK_WEB_COOKIE),
- new Type(TSK_DATETIME_START),
- new Type(TSK_URL));
-
+
+ TimelineEventType WEB_FORM_ADDRESSES_MODIFIED = new URLArtifactEventType(40,
+ getBundle().getString("WebTypes.webFormAddressModified.name"),//NON-NLS
+ WEB_ACTIVITY,
+ new BlackboardArtifact.Type(TSK_WEB_FORM_ADDRESS),
+ new Type(TSK_DATETIME_MODIFIED),
+ new Type(TSK_EMAIL));
+
+ TimelineEventType WEB_COOKIE_ACCESSED = new URLArtifactEventType(41,
+ getBundle().getString("WebTypes.webCookiesAccessed.name"),// NON-NLS
+ WEB_ACTIVITY,
+ new BlackboardArtifact.Type(TSK_WEB_COOKIE),
+ new Type(TSK_DATETIME_ACCESSED),
+ new Type(TSK_URL));
+
+ TimelineEventType WEB_COOKIE_END = new URLArtifactEventType(42,
+ getBundle().getString("WebTypes.webCookiesEnd.name"),// NON-NLS
+ WEB_ACTIVITY,
+ new BlackboardArtifact.Type(TSK_WEB_COOKIE),
+ new Type(TSK_DATETIME_END),
+ new Type(TSK_URL));
+
 static SortedSet<?
extends TimelineEventType> getCategoryTypes() {
 return ROOT_EVENT_TYPE.getChildren();
 }
diff --git a/bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java b/bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java
index e154b775f..1cd7e945f 100644
--- a/bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java
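Review bot: WEB_COOKIE_START is removed outright rather than deprecated, so a TSK_WEB_COOKIE artifact carrying a TSK_DATETIME_START attribute no longer yields any timeline event, and neither the commit message nor a comment records why that timestamp is considered redundant; a line above WEB_COOKIE_END such as `// TSK_DATETIME_START on cookies is intentionally not an event type; creation time is covered by WEB_COOKIE` would capture the decision, if that is the reasoning. Note also that id 42 identified WEB_COOKIE_START before this change and identifies WEB_COOKIE_END after it, so if these ids are stored in case databases (not visible here) existing cookie-start events would be relabeled as cookie-end events on reopen. The matching getChildren() override earlier in the commit was updated consistently.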
@@ -512,28 +512,41 @@ private Long addEventDescription(long dataSourceObjId, long fileObjId, Long arti
 }
 }
+ /**
+ * Returns an event description id for an existing event.
+ *
+ * @param dataSourceObjId Existing data source object id
+ * @param fileObjId Existing content object id
+ * @param artifactID Existing artifact id
+ * @param fullDescription Full event description
+ * @param connection Database connection
+ *
+ * @return The id of an existing description or null if none what found.
+ *
+ * @throws TskCoreException
+ */
 private Long getEventDescription(long dataSourceObjId, long fileObjId, Long artifactID, String fullDescription, CaseDbConnection connection) throws TskCoreException {
-
+
 String query = "SELECT event_description_id FROM tsk_event_descriptions "
 + "WHERE data_source_obj_id = " + dataSourceObjId
 + " AND content_obj_id = " + fileObjId
 + " AND artifact_id = " + artifactID
- + " AND full_description " + (fullDescription != null ? "= '" + fullDescription + "'" : "IS null");
-
+ + " AND full_description " + (fullDescription != null ? "= '" + fullDescription + "'" : "IS null");
+
 caseDB.acquireSingleUserCaseReadLock();
- try(ResultSet resultSet = connection.createStatement().executeQuery(query)) {
+ try (ResultSet resultSet = connection.createStatement().executeQuery(query)) {
- if(resultSet.next()) {
+ if (resultSet.next()) {
 long id = resultSet.getLong(1);
 return id;
 }
- } catch(SQLException ex) {
+ } catch (SQLException ex) {
 throw new TskCoreException(String.format("Failed to get description, dataSource=%d, fileObjId=%d, artifactId=%d", dataSourceObjId, fileObjId, artifactID), ex);
-}finally {
+ } finally {
 caseDB.releaseSingleUserCaseReadLock();
 }
-
+
 return null;
 }
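Review bot: getEventDescription still splices `fullDescription` directly into the SQL text (`"= '" + fullDescription + "'"`), and that string is built from artifact attributes recovered from the evidence image — a URL, e-mail address or form value containing a single quote will break the statement or change its meaning, which in a forensic tool is both a crash and an integrity problem; the commit reformats this line but leaves the concatenation in place. Bind the values instead: `"WHERE data_source_obj_id = ? AND content_obj_id = ? AND artifact_id = ? AND full_description " + (fullDescription != null ? "= ?" : "IS NULL")`, with the three ids and, when present, the description set on a java.sql.PreparedStatement rather than going through `connection.createStatement()`. Separately, artifactID is a boxed Long; if callers can pass null here, `artifact_id = null` is never true in SQL and no existing description will be found, so that case presumably needs the same IS NULL treatment as fullDescription — I can't confirm from this hunk whether null reaches this method. The new Javadoc's "none what found" should read "none was found".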
@@ -667,7 +680,7 @@ Set<TimelineEvent> addArtifactEvents(BlackboardArtifact artifact) throws TskCore
 .ifPresent(newEvents::add);
 } catch (DuplicateException ex) {
 duplicateExists = true;
- logger.log(Level.SEVERE, getDuplicateExceptionMessage(artifact, "Attempt to make artifact event duplicate"), ex);
+ logger.log(Level.INFO, getDuplicateExceptionMessage(artifact, "Attempt to make artifact event duplicate"), ex);
 }
 }
@@ -676,7 +689,7 @@ Set<TimelineEvent> addArtifactEvents(BlackboardArtifact artifact) throws TskCore
 try {
 addOtherEventDesc(artifact).ifPresent(newEvents::add);
 } catch (DuplicateException ex) {
- logger.log(Level.SEVERE, getDuplicateExceptionMessage(artifact, "Attempt to make 'other' artifact event duplicate"), ex);
+ logger.log(Level.INFO, getDuplicateExceptionMessage(artifact, "Attempt to make 'other' artifact event duplicate"), ex);
 }
 }
 }
--
GitLab
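Review bot: Both catch blocks now log at INFO but still pass `ex` as the throwable argument, so every duplicate artifact event will dump a full stack trace into the log for what this commit now treats as an expected condition; if duplicates are routine, drop the throwable (`logger.log(Level.INFO, getDuplicateExceptionMessage(artifact, "Attempt to make artifact event duplicate"));`) or move the call to FINE so the log remains useful for spotting real ingest failures. Separately, the first catch sets `duplicateExists = true` while the second one, for addOtherEventDesc, does not; whether that asymmetry is intentional can't be told from these hunks, and a one-line comment on the second catch would settle it. addArtifactEvents begins and ends outside the hunks.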