diff --git a/bindings/java/doxygen/artifact_catalog.dox b/bindings/java/doxygen/artifact_catalog.dox index 466a53b420eb01e732f5b90a73e5bfc6014bd3a3..721665ab71d2e46e1998cb5ad1ebeb1ea6e2fbba 100644 --- a/bindings/java/doxygen/artifact_catalog.dox +++ b/bindings/java/doxygen/artifact_catalog.dox @@ -4,7 +4,9 @@ # Introduction This document reflects current standard usage of artifact and attribute types for posting analysis results to the case blackboard in Autopsy. Refer to \ref mod_bbpage for more background on the blackboard and how to make artifacts. -The catalog section below has one entry for each standard artifact type. Each entry lists the required and optional attributes of artifacts of the type. +The catalog section below has one entry for each standard artifact type divided by categories. Each entry lists the required and optional attributes of artifacts of the type. The category types are: +- \ref art_catalog_analysis "Analysis Result": Result from an analysis technique on a given object with a given configuration. Includes Conclusion, Relevance Score, and Confidence. +- \ref art_catalog_data "Data Artifact": Data that was originally embedded by an application/OS in a file or other data container. NOTE: - While we have listed some attributes as "Required", nothing will enforce that they exist. Modules that use artifacts from the blackboard should assume that some of the attributes may not actually exist. 
@@ -15,9 +17,143 @@ For the full list of types, refer to: - org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE -<h1>Artifacts Catalog</h1> +\section art_catalog_analysis Analysis Result Types -In alphabetical order. +--- +## TSK_DATA_SOURCE_USAGE +Describes how a data source was used, e.g., as a SIM card or an OS drive (such as for Windows or Android). + +### REQUIRED ATTRIBUTES +- TSK_DESCRIPTION (Description of the usage, e.g., "OS Drive (Windows Vista)"). + +--- +## TSK_ENCRYPTION_DETECTED +An indication that the content is encrypted. + +### REQUIRED ATTRIBUTES +- TSK_COMMENT (A comment on the encryption, e.g., encryption type or password) + +--- +## TSK_ENCRYPTION_SUSPECTED +An indication that the content is likely encrypted. + +### REQUIRED ATTRIBUTES +- TSK_COMMENT (Reason for suspecting encryption) + +--- +## TSK_EXT_MISMATCH_DETECTED +An indication that the registered extensions for a file's mime type do not match the file's extension. + +### REQUIRED ATTRIBUTES +None + +--- +## TSK_FACE_DETECTED +An indication that a human face was detected in some content. + +### REQUIRED ATTRIBUTES +None + +--- +## TSK_HASHSET_HIT +Indicates that the MD5 hash of a file matches a set of known MD5s (possibly user defined). + +### REQUIRED ATTRIBUTES +- TSK_SET_NAME (Name of hashset containing the file's MD5) + +### OPTIONAL ATTRIBUTES +- TSK_COMMENT (Additional comments about the hit) + +--- +## TSK_INTERESTING_ARTIFACT_HIT +Indicates that the source artifact matches some set of criteria which deem it interesting. Artifacts with this meta artifact will be brought to the attention of the user. 
+ +### REQUIRED ATTRIBUTES +- TSK_ASSOCIATED_ARTIFACT (The source artifact) +- TSK_SET_NAME (The name of the set of criteria which deemed this artifact interesting) + +### OPTIONAL ATTRIBUTES +- TSK_COMMENT (Comment on the reason that the source artifact is interesting) +- TSK_CATEGORY (The set membership rule that was satisfied) + +--- +## TSK_INTERESTING_FILE_HIT +Indication that the source file matches some set of criteria (possibly user defined) which deem it interesting. Files with this artifact will be brought to the attention of the user. + +### REQUIRED ATTRIBUTES +- TSK_SET_NAME (The name of the set of criteria which deemed this file interesting) + +### OPTIONAL ATTRIBUTES +- TSK_COMMENT (Comment on the reason that the source artifact is interesting) +- TSK_CATEGORY (The set membership rule that was satisfied. I.e. a particular mime) + +--- +## TSK_KEYWORD_HIT +Indication that the source artifact or file contains a keyword. Keywords are grouped into named sets. + +### REQUIRED ATTRIBUTES +- TSK_KEYWORD (Keyword that was found in the artifact or file) +- TSK_KEYWORD_SEARCH_TYPE (Specifies the type of match, e.g., an exact match, a substring match, or a regex match) +- TSK_SET_NAME (The set name that the keyword was contained in) +- TSK_KEYWORD_REGEXP (The regular expression that matched, only required for regex matches) +- TSK_ASSOCIATED_ARTIFACT (Only required if the keyword hit source is an artifact) + +### OPTIONAL ATTRIBUTES +- TSK_KEYWORD_PREVIEW (Snippet of text around keyword) + +--- +## TSK_OBJECT_DETECTED +Indicates that an object was detected in a media file. Typically used by computer vision software to classify images. + +### REQUIRED ATTRIBUTES +- TSK_COMMENT (What was detected) + +### OPTIONAL ATTRIBUTES +- TSK_DESCRIPTION (Additional comments about the object or observer, e.g., what detected the object) + +--- +## TSK_USER_CONTENT_SUSPECTED +An indication that some media file content was generated by the user. 
+ +### REQUIRED ATTRIBUTES +- TSK_COMMENT (The reason why user-generated content is suspected) + +--- +## TSK_VERIFICATION_FAILED +An indication that some data did not pass verification. One example would be verifying a SHA-1 hash. + +### REQUIRED ATTRIBUTES +- TSK_COMMENT (Reason for failure, what failed) + +--- +## TSK_WEB_ACCOUNT_TYPE +A web account type entry. + +### REQUIRED ATTRIBUTES +- TSK_DOMAIN (Domain of the URL) +- TSK_TEXT (Indicates type of account (admin/moderator/user) and possible platform) +- TSK_URL (URL indicating the user has an account on this domain) + +--- +## TSK_WEB_CATEGORIZATION +The categorization of a web host using a specific usage type, e.g. mail.google.com would correspond to Web Email. + +### REQUIRED ATTRIBUTES +- TSK_NAME (The usage category identifier, e.g. Web Email) +- TSK_DOMAIN (The domain of the host, e.g. google.com) +- TSK_HOST (The full host, e.g. mail.google.com) + +--- +## TSK_YARA_HIT +Indicates that the some content of the file was a hit for a YARA rule match. + +### REQUIRED ATTRIBUTES +- TSK_RULE (The rule that was a hit for this file) +- TSK_SET_NAME (Name of the rule set containing the matching rule YARA rule) + +<br><br> + +\section art_catalog_data Data Artifact Types --- ## TSK_ACCOUNT @@ -141,13 +277,6 @@ A contact book entry in an application file or database. ---- -## TSK_DATA_SOURCE_USAGE -Describes how a data source was used, e.g., as a SIM card or an OS drive (such as for Windows or Android). - -### REQUIRED ATTRIBUTES -- TSK_DESCRIPTION (Description of the usage, e.g., "OS Drive (Windows Vista)"). - --- ## TSK_DELETED_PROG 
@@ -213,26 +342,6 @@ An email message found in an application file or database. - TSK_SUBJECT (Subject of the email message) - TSK_THREAD_ID (ID specified by the analysis module to group emails into threads for display purposes) - - ---- -## TSK_ENCRYPTION_DETECTED -An indication that the content is encrypted. - -### REQUIRED ATTRIBUTES -- TSK_COMMENT (A comment on the encryption, e.g., encryption type or password) - - - ---- -## TSK_ENCRYPTION_SUSPECTED -An indication that the content is likely encrypted. - -### REQUIRED ATTRIBUTES -- TSK_COMMENT (Reason for suspecting encryption) - - - --- ## TSK_EXTRACTED_TEXT Text extracted from some content. @@ -240,26 +349,6 @@ Text extracted from some content. ### REQUIRED ATTRIBUTES TSK_TEXT (The extracted text) - - ---- -## TSK_EXT_MISMATCH_DETECTED -An indication that the registered extensions for a file's mime type do not match the file's extension. - -### REQUIRED ATTRIBUTES -None - - - ---- -## TSK_FACE_DETECTED -An indication that a human face was detected in some content. - -### REQUIRED ATTRIBUTES -None - - - --- ## TSK_GEN_INFO A generic information artifact. Each content object will have at most one TSK_GEN_INFO artifact, which is easily accessed through org.sleuthkit.datamodel.AbstractContent.getGenInfoArtifact() and related methods. The TSK_GEN_INFO object is useful for storing values related to the content object without making a new artifact type. @@ -359,18 +448,6 @@ A Global Positioning System (GPS) track artifact records the track, or path, of ---- -## TSK_HASHSET_HIT -Indicates that the MD5 hash of a file matches a set of known MD5s (possibly user defined). - -### REQUIRED ATTRIBUTES -- TSK_SET_NAME (Name of hashset containing the file's MD5) - -### OPTIONAL ATTRIBUTES -- TSK_COMMENT (Additional comments about the hit) - - - --- ## TSK_INSTALLED_PROG Details about an installed program. 
@@ -385,51 +462,6 @@ Details about an installed program. - TSK_PATH_SOURCE (Path to an Android Package Kit (APK) file for an Android program) - TSK_PERMISSIONS (Permissions of the installed program) - - ---- -## TSK_INTERESTING_ARTIFACT_HIT -Indicates that the source artifact matches some set of criteria which deem it interesting. Artifacts with this meta artifact will be brought to the attention of the user. - -### REQUIRED ATTRIBUTES -- TSK_ASSOCIATED_ARTIFACT (The source artifact) -- TSK_SET_NAME (The name of the set of criteria which deemed this artifact interesting) - -### OPTIONAL ATTRIBUTES -- TSK_COMMENT (Comment on the reason that the source artifact is interesting) -- TSK_CATEGORY (The set membership rule that was satisfied) - - - ---- -## TSK_INTERESTING_FILE_HIT -Indication that the source file matches some set of criteria (possibly user defined) which deem it interesting. Files with this artifact will be brought to the attention of the user. - -### REQUIRED ATTRIBUTES -- TSK_SET_NAME (The name of the set of criteria which deemed this file interesting) - -### OPTIONAL ATTRIBUTES -- TSK_COMMENT (Comment on the reason that the source artifact is interesting) -- TSK_CATEGORY (The set membership rule that was satisfied. I.e. a particular mime) - - - ---- -## TSK_KEYWORD_HIT -Indication that the source artifact or file contains a keyword. Keywords are grouped into named sets. 
- -### REQUIRED ATTRIBUTES -- TSK_KEYWORD (Keyword that was found in the artifact or file) -- TSK_KEYWORD_SEARCH_TYPE (Specifies the type of match, e.g., an exact match, a substring match, or a regex match) -- TSK_SET_NAME (The set name that the keyword was contained in) -- TSK_KEYWORD_REGEXP (The regular expression that matched, only required for regex matches) -- TSK_ASSOCIATED_ARTIFACT (Only required if the keyword hit source is an artifact) - -### OPTIONAL ATTRIBUTES -- TSK_KEYWORD_PREVIEW (Snippet of text around keyword) - - - --- ## TSK_MESSAGE A message that is found in some content. @@ -485,18 +517,6 @@ EXIF metadata found in an image or audio file. - TSK_GEO_LONGITUDE (The camera's longitude when the image/audio was taken) ---- -## TSK_OBJECT_DETECTED -Indicates that an object was detected in a media file. Typically used by computer vision software to classify images. - -### REQUIRED ATTRIBUTES -- TSK_COMMENT (What was detected) - -### OPTIONAL ATTRIBUTES -- TSK_DESCRIPTION (Additional comments about the object or observer, e.g., what detected the object) - - - --- ## TSK_OS_ACCOUNT Details about an operating system account recovered from the data source. Examples include user or administrator accounts. @@ -676,18 +696,7 @@ An event in the timeline of a case. - TSK_DATETIME (When the event occurred, in seconds since 1970-01-01T00:00:00Z) - TSK_DESCRIPTION (A description of the event) - - ---- -## TSK_USER_CONTENT_SUSPECTED -An indication that some media file content was generated by the user. - -### REQUIRED ATTRIBUTES -- TSK_COMMENT (The reason why user-generated content is suspected) - - --- - ## TSK_USER_DEVICE_EVENT Activity on the system or from an application. Example usage is a mobile device being locked and unlocked. 
@@ -702,27 +711,6 @@ Activity on the system or from an application. Example usage is a mobile device - TSK_PROG_NAME (Name of the program doing the activity) - TSK_VALUE (Connection type) - ---- -## TSK_VERIFICATION_FAILED -An indication that some data did not pass verification. One example would be verifying a SHA-1 hash. - -### REQUIRED ATTRIBUTES -- TSK_COMMENT (Reason for failure, what failed) - - - ---- -## TSK_WEB_ACCOUNT_TYPE -A web account type entry. - -### REQUIRED ATTRIBUTES -- TSK_DOMAIN (Domain of the URL) -- TSK_TEXT (Indicates type of account (admin/moderator/user) and possible platform) -- TSK_URL (URL indicating the user has an account on this domain) - - - --- ## TSK_WEB_BOOKMARK A web bookmark entry. @@ -737,8 +725,6 @@ A web bookmark entry. - TSK_NAME (Name of the bookmark entry) - TSK_TITLE (Title of the web page that was bookmarked) - - --- ## TSK_WEB_CACHE A web cache entry. The resource that was cached may or may not be present in the data source. @@ -753,19 +739,6 @@ A web cache entry. The resource that was cached may or may not be present in the - TSK_PATH_ID (Object ID of the source cache file) - TSK_DOMAIN (Domain of the URL) - - ---- -## TSK_WEB_CATEGORIZATION -The categorization of a web host using a specific usage type, e.g. mail.google.com would correspond to Web Email. - -### REQUIRED ATTRIBUTES -- TSK_NAME (The usage category identifier, e.g. Web Email) -- TSK_DOMAIN (The domain of the host, e.g. google.com) -- TSK_HOST (The full host, e.g. mail.google.com) - - - --- ## TSK_WEB_COOKIE A Web cookie found. @@ -887,14 +860,4 @@ Details about a WiFi adapter. ---- -## TSK_YARA_HIT -Indicates that the some content of the file was a hit for a YARA rule match. - -### REQUIRED ATTRIBUTES -- TSK_RULE (The rule that was a hit for this file) -- TSK_SET_NAME (Name of the rule set containing the matching rule YARA rule) - - - */ 
diff --git a/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java b/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java
index d4e9b0441f1180489846fd41282856b48cc8c12f..b1c0f10c05147111e039f91c467e3069460fcb66 100644
--- a/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java
@@ -1038,40 +1038,40 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * A generic information artifact. */ TSK_GEN_INFO(1, "TSK_GEN_INFO", //NON-NLS - bundle.getString("BlackboardArtifact.tskGenInfo.text")), + bundle.getString("BlackboardArtifact.tskGenInfo.text"), Category.DATA_ARTIFACT), /** * A Web bookmark. Use methods in * org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to * create bookmark artifacts. */ TSK_WEB_BOOKMARK(2, "TSK_WEB_BOOKMARK", //NON-NLS - bundle.getString("BlackboardArtifact.tskWebBookmark.text")), + bundle.getString("BlackboardArtifact.tskWebBookmark.text"), Category.DATA_ARTIFACT), /** * A Web cookie. Use methods in * org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to * create cookie artifacts. */ TSK_WEB_COOKIE(3, "TSK_WEB_COOKIE", - bundle.getString("BlackboardArtifact.tskWebCookie.text")), //NON-NLS + bundle.getString("BlackboardArtifact.tskWebCookie.text"), Category.DATA_ARTIFACT), //NON-NLS /** * A Web history. Use methods in * org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to * create history artifacts. */ TSK_WEB_HISTORY(4, "TSK_WEB_HISTORY", //NON-NLS - bundle.getString("BlackboardArtifact.tskWebHistory.text")), + bundle.getString("BlackboardArtifact.tskWebHistory.text"), Category.DATA_ARTIFACT), /** * A Web download. Use methods in * org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to * create download artifacts. */ TSK_WEB_DOWNLOAD(5, "TSK_WEB_DOWNLOAD", //NON-NLS - bundle.getString("BlackboardArtifact.tskWebDownload.text")), + bundle.getString("BlackboardArtifact.tskWebDownload.text"), Category.DATA_ARTIFACT), /** * A recent object. */ TSK_RECENT_OBJECT(6, "TSK_RECENT_OBJ", //NON-NLS - bundle.getString("BlackboardArtifact.tsk.recentObject.text")), + bundle.getString("BlackboardArtifact.tsk.recentObject.text"), Category.DATA_ARTIFACT), /** * A GPS track point (geolocation data). * 
@@ -1079,12 +1079,12 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { */ @Deprecated TSK_GPS_TRACKPOINT(7, "TSK_GPS_TRACKPOINT", //NON-NLS - bundle.getString("BlackboardArtifact.tskGpsTrackpoint.text")), + bundle.getString("BlackboardArtifact.tskGpsTrackpoint.text"), Category.DATA_ARTIFACT), /** * An installed program. */ TSK_INSTALLED_PROG(8, "TSK_INSTALLED_PROG", //NON-NLS - bundle.getString("BlackboardArtifact.tskInstalledProg.text")), + bundle.getString("BlackboardArtifact.tskInstalledProg.text"), Category.DATA_ARTIFACT), /** * A search hit for a keyword. */ @@ -1099,7 +1099,7 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * An attached device. */ TSK_DEVICE_ATTACHED(11, "TSK_DEVICE_ATTACHED", //NON-NLS - bundle.getString("BlackboardArtifact.tskDeviceAttached.text")), + bundle.getString("BlackboardArtifact.tskDeviceAttached.text"), Category.DATA_ARTIFACT), /** * An meta-artifact to call attention to a file deemed to be * interesting. 
@@ -1110,22 +1110,22 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * An email message. */ TSK_EMAIL_MSG(13, "TSK_EMAIL_MSG", //NON-NLS - bundle.getString("BlackboardArtifact.tskEmailMsg.text")), + bundle.getString("BlackboardArtifact.tskEmailMsg.text"), Category.DATA_ARTIFACT), /** * Text extracted from the source content. */ TSK_EXTRACTED_TEXT(14, "TSK_EXTRACTED_TEXT", //NON-NLS - bundle.getString("BlackboardArtifact.tskExtractedText.text")), + bundle.getString("BlackboardArtifact.tskExtractedText.text"), Category.DATA_ARTIFACT), /** * A Web search engine query extracted from Web history. */ TSK_WEB_SEARCH_QUERY(15, "TSK_WEB_SEARCH_QUERY", //NON-NLS - bundle.getString("BlackboardArtifact.tskWebSearchQuery.text")), + bundle.getString("BlackboardArtifact.tskWebSearchQuery.text"), Category.DATA_ARTIFACT), /** * EXIF metadata. */ TSK_METADATA_EXIF(16, "TSK_METADATA_EXIF", //NON-NLS - bundle.getString("BlackboardArtifact.tskMetadataExif.text")), + bundle.getString("BlackboardArtifact.tskMetadataExif.text"), Category.DATA_ARTIFACT), /** * A tag applied to a file. * @@ -1133,7 +1133,7 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { */ @Deprecated TSK_TAG_FILE(17, "TSK_TAG_FILE", //NON-NLS - bundle.getString("BlackboardArtifact.tagFile.text")), + bundle.getString("BlackboardArtifact.tagFile.text"), Category.ANALYSIS_RESULT), /** * A tag applied to an artifact. * 
@@ -1141,22 +1141,22 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { */ @Deprecated TSK_TAG_ARTIFACT(18, "TSK_TAG_ARTIFACT", //NON-NLS - bundle.getString("BlackboardArtifact.tskTagArtifact.text")), + bundle.getString("BlackboardArtifact.tskTagArtifact.text"), Category.ANALYSIS_RESULT), /** * Information pertaining to an operating system. */ TSK_OS_INFO(19, "TSK_OS_INFO", //NON-NLS - bundle.getString("BlackboardArtifact.tskOsInfo.text")), + bundle.getString("BlackboardArtifact.tskOsInfo.text"), Category.DATA_ARTIFACT), /** * An operating system user account. */ TSK_OS_ACCOUNT(20, "TSK_OS_ACCOUNT", //NON-NLS - bundle.getString("BlackboardArtifact.tskOsAccount.text")), + bundle.getString("BlackboardArtifact.tskOsAccount.text"), Category.DATA_ARTIFACT), /** * An application or Web service account. */ TSK_SERVICE_ACCOUNT(21, "TSK_SERVICE_ACCOUNT", //NON-NLS - bundle.getString("BlackboardArtifact.tskServiceAccount.text")), + bundle.getString("BlackboardArtifact.tskServiceAccount.text"), Category.DATA_ARTIFACT), /** * Output from an external tool or module (raw text). * @@ -1164,7 +1164,7 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { */ @Deprecated TSK_TOOL_OUTPUT(22, "TSK_TOOL_OUTPUT", //NON-NLS - bundle.getString("BlackboardArtifact.tskToolOutput.text")), + bundle.getString("BlackboardArtifact.tskToolOutput.text"), Category.DATA_ARTIFACT), /** * A contact extracted from a phone, or from an address * book/email/messaging application. Use methods in @@ -1172,7 +1172,7 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * to create contact artifacts. */ TSK_CONTACT(23, "TSK_CONTACT", //NON-NLS - bundle.getString("BlackboardArtifact.tskContact.text")), + bundle.getString("BlackboardArtifact.tskContact.text"), Category.DATA_ARTIFACT), /** * An SMS/MMS message extracted from phone, or from another messaging * application, like IM. Use methods in 
@@ -1180,7 +1180,7 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * to create message artifacts. */ TSK_MESSAGE(24, "TSK_MESSAGE", //NON-NLS - bundle.getString("BlackboardArtifact.tskMessage.text")), + bundle.getString("BlackboardArtifact.tskMessage.text"), Category.DATA_ARTIFACT), /** * A phone call log extracted from a phone or softphone application. Use * methods in 
@@ -1188,42 +1188,42 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * to create call log artifacts. */ TSK_CALLLOG(25, "TSK_CALLLOG", //NON-NLS - bundle.getString("BlackboardArtifact.tskCalllog.text")), + bundle.getString("BlackboardArtifact.tskCalllog.text"), Category.DATA_ARTIFACT), /** * A calendar entry from a phone, PIM, or a calendar application. */ TSK_CALENDAR_ENTRY(26, "TSK_CALENDAR_ENTRY", //NON-NLS - bundle.getString("BlackboardArtifact.tskCalendarEntry.text")), + bundle.getString("BlackboardArtifact.tskCalendarEntry.text"), Category.DATA_ARTIFACT), /** * A speed dial entry from a phone. */ TSK_SPEED_DIAL_ENTRY(27, "TSK_SPEED_DIAL_ENTRY", //NON-NLS - bundle.getString("BlackboardArtifact.tskSpeedDialEntry.text")), + bundle.getString("BlackboardArtifact.tskSpeedDialEntry.text"), Category.DATA_ARTIFACT), /** * A bluetooth pairing entry. */ TSK_BLUETOOTH_PAIRING(28, "TSK_BLUETOOTH_PAIRING", //NON-NLS - bundle.getString("BlackboardArtifact.tskBluetoothPairing.text")), + bundle.getString("BlackboardArtifact.tskBluetoothPairing.text"), Category.DATA_ARTIFACT), /** * A GPS bookmark / way point that the user saved. */ TSK_GPS_BOOKMARK(29, "TSK_GPS_BOOKMARK", //NON-NLS - bundle.getString("BlackboardArtifact.tskGpsBookmark.text")), + bundle.getString("BlackboardArtifact.tskGpsBookmark.text"), Category.DATA_ARTIFACT), /** * A GPS last known location record. */ TSK_GPS_LAST_KNOWN_LOCATION(30, "TSK_GPS_LAST_KNOWN_LOCATION", //NON-NLS - bundle.getString("BlackboardArtifact.tskGpsLastKnownLocation.text")), + bundle.getString("BlackboardArtifact.tskGpsLastKnownLocation.text"), Category.DATA_ARTIFACT), /** * A GPS search record. */ TSK_GPS_SEARCH(31, "TSK_GPS_SEARCH", //NON-NLS - bundle.getString("BlackboardArtifact.tskGpsSearch.text")), + bundle.getString("BlackboardArtifact.tskGpsSearch.text"), Category.DATA_ARTIFACT), /** * Application run information. 
*/ TSK_PROG_RUN(32, "TSK_PROG_RUN", //NON-NLS - bundle.getString("BlackboardArtifact.tskProgRun.text")), + bundle.getString("BlackboardArtifact.tskProgRun.text"), Category.DATA_ARTIFACT), /** * An encrypted file. */ @@ -1246,12 +1246,12 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * to create route artifacts. */ TSK_GPS_ROUTE(36, "TSK_GPS_ROUTE", //NON-NLS - bundle.getString("BlackboardArtifact.tskGpsRoute.text")), + bundle.getString("BlackboardArtifact.tskGpsRoute.text"), Category.DATA_ARTIFACT), /** * A remote drive. */ TSK_REMOTE_DRIVE(37, "TSK_REMOTE_DRIVE", //NON-NLS - bundle.getString("BlackboardArtifact.tskRemoteDrive.text")), + bundle.getString("BlackboardArtifact.tskRemoteDrive.text"), Category.DATA_ARTIFACT), /** * A human face was detected in a media file. */ @@ -1261,7 +1261,7 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * An account. */ TSK_ACCOUNT(39, "TSK_ACCOUNT", //NON-NLS - bundle.getString("BlackboardArtifact.tskAccount.text")), + bundle.getString("BlackboardArtifact.tskAccount.text"), Category.DATA_ARTIFACT), /** * An encrypted file. */ 
@@ -1276,51 +1276,51 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * A wireless network. */ TSK_WIFI_NETWORK(42, "TSK_WIFI_NETWORK", //NON-NLS - bundle.getString("BlackboardArtifact.tskWIFINetwork.text")), + bundle.getString("BlackboardArtifact.tskWIFINetwork.text"), Category.DATA_ARTIFACT), /** * Information related to a device. */ TSK_DEVICE_INFO(43, "TSK_DEVICE_INFO", //NON-NLS - bundle.getString("BlackboardArtifact.tskDeviceInfo.text")), + bundle.getString("BlackboardArtifact.tskDeviceInfo.text"), Category.DATA_ARTIFACT), /** * A SIM card. */ TSK_SIM_ATTACHED(44, "TSK_SIM_ATTACHED", //NON-NLS - bundle.getString("BlackboardArtifact.tskSimAttached.text")), + bundle.getString("BlackboardArtifact.tskSimAttached.text"), Category.DATA_ARTIFACT), /** * A bluetooth adapter. */ TSK_BLUETOOTH_ADAPTER(45, "TSK_BLUETOOTH_ADAPTER", //NON-NLS - bundle.getString("BlackboardArtifact.tskBluetoothAdapter.text")), + bundle.getString("BlackboardArtifact.tskBluetoothAdapter.text"), Category.DATA_ARTIFACT), /** * A wireless network adapter. */ TSK_WIFI_NETWORK_ADAPTER(46, "TSK_WIFI_NETWORK_ADAPTER", //NON-NLS - bundle.getString("BlackboardArtifact.tskWIFINetworkAdapter.text")), + bundle.getString("BlackboardArtifact.tskWIFINetworkAdapter.text"), Category.DATA_ARTIFACT), /** * Indicates a verification failure */ TSK_VERIFICATION_FAILED(47, "TSK_VERIFICATION_FAILED", //NON-NLS - bundle.getString("BlackboardArtifact.tskVerificationFailed.text")), + bundle.getString("BlackboardArtifact.tskVerificationFailed.text"), Category.ANALYSIS_RESULT), /** * Categorization information for a data source. */ TSK_DATA_SOURCE_USAGE(48, "TSK_DATA_SOURCE_USAGE", //NON-NLS - bundle.getString("BlackboardArtifact.tskDataSourceUsage.text")), + bundle.getString("BlackboardArtifact.tskDataSourceUsage.text"), Category.ANALYSIS_RESULT), /** * Indicates auto fill data from a Web form. 
Use methods in * org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to * create web form autofill artifacts. */ TSK_WEB_FORM_AUTOFILL(49, "TSK_WEB_FORM_AUTOFILL", //NON-NLS - bundle.getString("BlackboardArtifact.tskWebFormAutofill.text")), + bundle.getString("BlackboardArtifact.tskWebFormAutofill.text"), Category.DATA_ARTIFACT), /** * Indicates an person's address filled in a web form. Use methods in * org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to * create web form address artifacts. */ TSK_WEB_FORM_ADDRESS(50, "TSK_WEB_FORM_ADDRESSES ", //NON-NLS - bundle.getString("BlackboardArtifact.tskWebFormAddresses.text")), + bundle.getString("BlackboardArtifact.tskWebFormAddresses.text"), Category.DATA_ARTIFACT), /** * Indicates source of a file/object * 
@@ -1329,87 +1329,87 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { */ @Deprecated TSK_DOWNLOAD_SOURCE(51, "TSK_DOWNLOAD_SOURCE", //NON-NLS - bundle.getString("BlackboardArtifact.tskDownloadSource.text")), + bundle.getString("BlackboardArtifact.tskDownloadSource.text"), Category.DATA_ARTIFACT), /** * Indicates web cache data */ TSK_WEB_CACHE(52, "TSK_WEB_CACHE", //NON-NLS - bundle.getString("BlackboardArtifact.tskWebCache.text")), + bundle.getString("BlackboardArtifact.tskWebCache.text"), Category.DATA_ARTIFACT), /** * A generic (timeline) event. */ TSK_TL_EVENT(53, "TSK_TL_EVENT", //NON-NLS - bundle.getString("BlackboardArtifact.tskTLEvent.text")), + bundle.getString("BlackboardArtifact.tskTLEvent.text"), Category.DATA_ARTIFACT), /** * Indicates clipboard content */ TSK_CLIPBOARD_CONTENT(54, "TSK_CLIPBOARD_CONTENT", //NON-NLS - bundle.getString("BlackboardArtifact.tskClipboardContent.text")), + bundle.getString("BlackboardArtifact.tskClipboardContent.text"), Category.DATA_ARTIFACT), /** * An associated object. */ TSK_ASSOCIATED_OBJECT(55, "TSK_ASSOCIATED_OBJECT", //NON-NLS - bundle.getString("BlackboardArtifact.tskAssociatedObject.text")), + bundle.getString("BlackboardArtifact.tskAssociatedObject.text"), Category.DATA_ARTIFACT), /** * Indicates file may have been created by the user. */ TSK_USER_CONTENT_SUSPECTED(56, "TSK_USER_CONTENT_SUSPECTED", //NON-NLS - bundle.getString("BlackboardArtifact.tskUserContentSuspected.text")), + bundle.getString("BlackboardArtifact.tskUserContentSuspected.text"), Category.ANALYSIS_RESULT), /** * Stores metadata about an object. */ TSK_METADATA(57, "TSK_METADATA", //NON-NLS - bundle.getString("BlackboardArtifact.tskMetadata.text")), + bundle.getString("BlackboardArtifact.tskMetadata.text"), Category.DATA_ARTIFACT), /** * Stores a GPS track log. Use * org.sleuthkit.datamodel.blackboardutils.GeoArtifactsHelper.addTrack() * to create track artifacts. 
*/ TSK_GPS_TRACK(58, "TSK_GPS_TRACK", - bundle.getString("BlackboardArtifact.tskTrack.text")), + bundle.getString("BlackboardArtifact.tskTrack.text"), Category.DATA_ARTIFACT), /** * Stores a role on a given domain. */ TSK_WEB_ACCOUNT_TYPE(59, "TSK_WEB_ACCOUNT_TYPE", - bundle.getString("BlackboardArtifact.tskWebAccountType.text")), + bundle.getString("BlackboardArtifact.tskWebAccountType.text"), Category.ANALYSIS_RESULT), /** * Screen shots from device or Application. */ TSK_SCREEN_SHOTS(60, "TSK_SCREEN_SHOTS", - bundle.getString("BlackboardArtifact.tskScreenShots.text")), + bundle.getString("BlackboardArtifact.tskScreenShots.text"), Category.DATA_ARTIFACT), /** * Notifications Sent to User. */ TSK_PROG_NOTIFICATIONS(62, "TSK_PROG_NOTIFICATIONS", - bundle.getString("BlackboardArtifact.tskProgNotifications.text")), + bundle.getString("BlackboardArtifact.tskProgNotifications.text"), Category.DATA_ARTIFACT), /** * System/Application/File backup. */ TSK_BACKUP_EVENT(63, "TSK_BACKUP_EVENT", - bundle.getString("BlackboardArtifact.tskBackupEvent.text")), + bundle.getString("BlackboardArtifact.tskBackupEvent.text"), Category.DATA_ARTIFACT), /** * Programs that have been deleted. */ TSK_DELETED_PROG(64, "TSK_DELETED_PROG", - bundle.getString("BlackboardArtifact.tskDeletedProg.text")), + bundle.getString("BlackboardArtifact.tskDeletedProg.text"), Category.DATA_ARTIFACT), /** * Activity on the System/Application. */ TSK_USER_DEVICE_EVENT(65, "TSK_USER_DEVICE_EVENT", - bundle.getString("BlackboardArtifact.tskUserDeviceEvent.text")), + bundle.getString("BlackboardArtifact.tskUserDeviceEvent.text"), Category.DATA_ARTIFACT), /** * Indicates that the file had a yara pattern match hit. */ TSK_YARA_HIT(66, "TSK_YARA_HIT", - bundle.getString("BlackboardArtifact.tskYaraHit.text")), + bundle.getString("BlackboardArtifact.tskYaraHit.text"), Category.ANALYSIS_RESULT), /** * Stores the outline of an area using GPS coordinates. 
*/ TSK_GPS_AREA(67, "TSK_GPS_AREA", - bundle.getString("BlackboardArtifact.tskGPSArea.text")), + bundle.getString("BlackboardArtifact.tskGPSArea.text"), Category.DATA_ARTIFACT), TSK_WEB_CATEGORIZATION(68, "TSK_WEB_CATEGORIZATION", - bundle.getString("BlackboardArtifact.tskWebCategorization.text")), + bundle.getString("BlackboardArtifact.tskWebCategorization.text"), Category.ANALYSIS_RESULT), ; diff --git a/bindings/java/src/org/sleuthkit/datamodel/CaseDatabaseFactory.java b/bindings/java/src/org/sleuthkit/datamodel/CaseDatabaseFactory.java index be0550e7971f498415ea3b2e4bf71dd32d7e8c88..5e5bad91c5bfb75361cebee713116f0ee096ba53 100644 --- a/bindings/java/src/org/sleuthkit/datamodel/CaseDatabaseFactory.java +++ b/bindings/java/src/org/sleuthkit/datamodel/CaseDatabaseFactory.java 
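Review bot: `TSK_WEB_CATEGORIZATION`, the last constant in this hunk, is the only one here without a Javadoc comment, and the change touches its line, so this is the natural place to add one: `/** The categorization of a web host by usage type, e.g. Web Email. */`. The constants from `TSK_GPS_TRACK` onward also lack the `//NON-NLS` marker that the earlier type-name literals carry; if tooling still checks for that marker, add it here for consistency. The enum constructor that accepts the new `Category` argument is outside the hunk, so whether it rejects a null category cannot be confirmed from these lines.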
@@ -442,13 +442,15 @@ private void createHostTables(Statement stmt) throws SQLException { + "FOREIGN KEY(ip_address_id) REFERENCES tsk_host_addresses(id) ON DELETE CASCADE," + "FOREIGN KEY(source_obj_id) REFERENCES tsk_objects(obj_id) ON DELETE SET NULL )"); - // maps an address to an artifact using it + // maps an address to an content/item using it stmt.execute("CREATE TABLE tsk_host_address_usage (id " + dbQueryHelper.getPrimaryKey() + " PRIMARY KEY, " + "addr_obj_id " + dbQueryHelper.getBigIntType() + " NOT NULL, " - + "artifact_obj_id " + dbQueryHelper.getBigIntType() + " NOT NULL, " - + "UNIQUE(addr_obj_id, artifact_obj_id), " + + "obj_id " + dbQueryHelper.getBigIntType() + " NOT NULL, " // obj id of the content/item using the address + + "data_source_obj_id " + dbQueryHelper.getBigIntType() + " NOT NULL, " // data source where the usage was found + + "UNIQUE(addr_obj_id, obj_id), " + "FOREIGN KEY(addr_obj_id) REFERENCES tsk_host_addresses(id) ON DELETE CASCADE, " - + "FOREIGN KEY(artifact_obj_id) REFERENCES tsk_objects(obj_id) ON DELETE CASCADE )"); + + "FOREIGN KEY(data_source_obj_id) REFERENCES tsk_objects(obj_id) ON DELETE CASCADE, " + + "FOREIGN KEY(obj_id) REFERENCES tsk_objects(obj_id) ON DELETE CASCADE )"); } // Must be called after tsk_persons, tsk_hosts and tsk_objects have been created. diff --git a/bindings/java/src/org/sleuthkit/datamodel/HostAddressManager.java b/bindings/java/src/org/sleuthkit/datamodel/HostAddressManager.java index b38f5be5e415f277969da84f959921355098f22f..6cc054ed25a8ab9ff897ee09087466fdad073a36 100644 --- a/bindings/java/src/org/sleuthkit/datamodel/HostAddressManager.java +++ b/bindings/java/src/org/sleuthkit/datamodel/HostAddressManager.java 
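Review bot: Case databases created before this change will still have `artifact_obj_id` and no `data_source_obj_id` in `tsk_host_address_usage`, because this `CREATE TABLE` presumably runs only when a new case is created. The `addUsage` insert in `HostAddressManager.java` now names `obj_id` and `data_source_obj_id`, so it would fail against such a case unless a schema-upgrade step and version bump exist elsewhere in the commit. Please confirm that, or confirm the table never shipped in a release. Deleting a data source will now also cascade-delete its usage rows through the new `data_source_obj_id` foreign key, which deserves a mention in the comment, e.g. `// maps an address to the content object using it; rows are removed when the content or its data source is deleted`. The body of `createHostTables` starts outside the hunk.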
@@ -212,7 +212,7 @@ private HostAddress createHostAddress(HostAddress.HostAddressType type, String a * * @throws TskCoreException */ - public void mapHostToAddress(Host host, HostAddress hostAddress, Long time, Content source) throws TskCoreException { + public void assignHostToAddress(Host host, HostAddress hostAddress, Long time, Content source) throws TskCoreException { String insertSQL = db.getInsertOrIgnoreSQL(" INTO tsk_host_address_map(host_id, addr_obj_id, source_obj_id, time) " + " VALUES(?, ?, ?, ?) "); @@ -242,13 +242,13 @@ public void mapHostToAddress(Host host, HostAddress hostAddress, Long time, Cont } /** - * Get all the addresses that have been mapped to the given host + * Get all the addresses that have been assigned to the given host. * * @param host Host to get addresses for. * * @return List of addresses, may be empty. */ - List<HostAddress> getHostAddresses(Host host) throws TskCoreException { + List<HostAddress> getHostAddressesAssignedTo(Host host) throws TskCoreException { String queryString = "SELECT addr_obj_id FROM tsk_host_address_map " + " WHERE host_id = " + host.getId(); 
@@ -588,24 +588,90 @@ List<HostAddress> getHostNameByIp(String ipAddress) throws TskCoreException { /** * Associate the given artifact with a HostAddress. * - * @param artifact The artifact to associate the host address with. + * @param content The content/item using the address. * @param hostAddress The host address. */ - public void addUsage(BlackboardArtifact artifact, HostAddress hostAddress) throws TskCoreException { - final String insertSQL = db.getInsertOrIgnoreSQL(" INTO tsk_host_address_usage(addr_obj_id, artifact_obj_id) " - + " VALUES(" + hostAddress.getId() + ", " + artifact.getId() + ") "); + public void addUsage(Content content, HostAddress hostAddress) throws TskCoreException { + final String insertSQL = db.getInsertOrIgnoreSQL(" INTO tsk_host_address_usage(addr_obj_id, obj_id, data_source_obj_id) " + + " VALUES(" + hostAddress.getId() + ", " + content.getId() + ", " + content.getDataSource().getId() + ") "); db.acquireSingleUserCaseWriteLock(); try (CaseDbConnection connection = this.db.getConnection(); Statement s = connection.createStatement()) { connection.executeUpdate(s, insertSQL); } catch (SQLException ex) { - throw new TskCoreException(String.format("Error associating host address %s with artifact with id %d", hostAddress.getAddress(), artifact.getId()), ex); + throw new TskCoreException(String.format("Error associating host address %s with artifact with id %d", hostAddress.getAddress(), content.getId()), ex); } finally { db.releaseSingleUserCaseWriteLock(); } } + private final String ADDRESS_USAGE_QUERY = "SELECT addresses.id as id, addresses.address_type as address_type, addresses.address as address " + + " FROM tsk_host_address_usage as usage " + + " JOIN tsk_host_addresses as addresses " + + " ON usage.addr_obj_id = addresses.id "; + + /** + * Get all the addresses that have been used by the given content. + * + * @param content Content to get addresses used for. + * + * @return List of addresses, may be empty. 
+ * + * @throws TskCoreException + */ + public List<HostAddress> getHostAddressesUsedByContent(Content content) throws TskCoreException { + String queryString = ADDRESS_USAGE_QUERY + + " WHERE usage.obj_id = " + content.getId(); + + return getHostAddressesUsed(queryString); + } + + /** + * Get all the addresses that have been used by the given data source. + * + * @param dataSource Data source to get addresses used for. + * + * @return List of addresses, may be empty. + * + * @throws TskCoreException + */ + public List<HostAddress> getHostAddressesUsedOnDataSource(Content dataSource) throws TskCoreException { + String queryString = ADDRESS_USAGE_QUERY + + " WHERE usage.data_source_obj_id = " + dataSource.getId(); + + return getHostAddressesUsed(queryString); + } + + /** + * Gets the host addresses used by running the given query. + * + * @param addressesUsedSQL SQL query to run. + * + * @return List of addresses, may be empty. + * + * @throws TskCoreException + */ + private List<HostAddress> getHostAddressesUsed(String addressesUsedSQL) throws TskCoreException { + + List<HostAddress> addressesUsed = new ArrayList<>(); + + db.acquireSingleUserCaseReadLock(); + try (CaseDbConnection connection = this.db.getConnection(); + Statement s = connection.createStatement(); + ResultSet rs = connection.executeQuery(s, addressesUsedSQL)) { + + while (rs.next()) { + addressesUsed.add(new HostAddress(db, rs.getLong("id"), HostAddress.HostAddressType.fromID(rs.getInt("address_type")), rs.getString("address"))); + } + return addressesUsed; + } catch (SQLException ex) { + throw new TskCoreException(String.format("Error getting host addresses used with query string = %s", addressesUsedSQL), ex); + } finally { + db.releaseSingleUserCaseReadLock(); + } + } + /** * Detects format of address. * 
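Review bot: addUsage dereferences `content.getDataSource()` while building the SQL string, before the lock and the try block, so content whose data source cannot be resolved would surface as a NullPointerException instead of a TskCoreException (this assumes getDataSource can return null; confirm against Content). A guard such as `if (content.getDataSource() == null) { throw new TskCoreException("No data source for content " + content.getId()); }` at the top of the method would keep the failure inside the documented exception type. The INSERT and the two new WHERE clauses are built by concatenating ids; the values are numeric, so this is not injectable as written, but binding them with `?` placeholders, as the tsk_host_address_map insert in this file does, would mean getHostAddressesUsed no longer has to accept an arbitrary SQL string. The Javadoc summary and the exception message still say "artifact" although the parameter is now `Content`, and `ADDRESS_USAGE_QUERY` should be declared `private static final String`.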
diff --git a/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java b/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java index acb6d44c5b3629f1e8880318e68b793bd29c9d23..17fb20ad11dae35381f31536520888966443b4fb 100644 --- a/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java +++ b/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java @@ -2536,10 +2536,12 @@ private CaseDbSchemaVersionNumber updateFromSchema8dot6toSchema8dot7(CaseDbSchem // maps an address to an artifact using it statement.execute("CREATE TABLE tsk_host_address_usage (id " + primaryKeyType + " PRIMARY KEY, " + "addr_obj_id " + bigIntDataType + " NOT NULL, " - + "artifact_obj_id " + bigIntDataType + " NOT NULL, " - + "UNIQUE(addr_obj_id, artifact_obj_id), " + + "obj_id " + bigIntDataType + " NOT NULL, " + + "data_source_obj_id " + bigIntDataType + " NOT NULL, " // data source where the usage was found + + "UNIQUE(addr_obj_id, obj_id), " + "FOREIGN KEY(addr_obj_id) REFERENCES tsk_host_addresses(id) ON DELETE CASCADE, " - + "FOREIGN KEY(artifact_obj_id) REFERENCES tsk_objects(obj_id) ON DELETE CASCADE )"); + + + "FOREIGN KEY(obj_id) REFERENCES tsk_objects(obj_id) ON DELETE CASCADE )"); return new CaseDbSchemaVersionNumber(8, 7); diff --git a/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java b/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java index e1f77e99731adb5a448a8a77aa36d68ea0cbf21b..d5854935bdf5a520df5f973394e50971eadc1521 100644 --- a/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java +++ b/bindings/java/src/org/sleuthkit/datamodel/TimelineEventType.java 
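Review bot: The upgrade path in updateFromSchema8dot6toSchema8dot7 adds the `data_source_obj_id` column but declares no foreign key for it, unlike the CREATE TABLE in CaseDatabaseFactory.createHostTables, so upgraded and freshly created case databases end up with different constraints on the same table. Adding `+ "FOREIGN KEY(data_source_obj_id) REFERENCES tsk_objects(obj_id) ON DELETE CASCADE, "` ahead of the `obj_id` key would make the two definitions match and keep referential integrity enforced on upgraded cases. The hunk also appears to add a stray line before the final FOREIGN KEY clause, and the context comment still says `// maps an address to an artifact using it`, which no longer matches the columns. The method begins and continues outside the hunk.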
@@ -669,7 +669,7 @@ public SortedSet< TimelineEventType> getChildren() { new BlackboardArtifact.Type(TSK_BACKUP_EVENT), new BlackboardAttribute.Type(TSK_DATETIME_START), artf -> { - return getBundle().getString("TimelineEventType.BackupEvent.description.started"); + return getBundle().getString("TimelineEventType.BackupEvent.description.start"); }, new EmptyExtractor(), new EmptyExtractor()); diff --git a/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java b/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java index 86a626efff38178b784b8b27219c1e1d91a517e3..29efc1cf49819b9e495a953f297fee7d11af01b0 100644 --- a/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java +++ b/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java 
@@ -240,6 +240,32 @@ public void mergeTests() throws TskCoreException { @Test public void hostAddressTests() throws TskCoreException { + + + // lets add a file + long dataSourceObjectId = fs.getDataSource().getId(); + + SleuthkitCase.CaseDbTransaction trans = caseDB.beginTransaction(); + + // Add a root folder + FsContent _root = caseDB.addFileSystemFile(dataSourceObjectId, fs.getId(), "", 0, 0, + TskData.TSK_FS_ATTR_TYPE_ENUM.TSK_FS_ATTR_TYPE_DEFAULT, 0, TskData.TSK_FS_NAME_FLAG_ENUM.ALLOC, + (short) 0, 200, 0, 0, 0, 0, null, null, null, false, fs, null, null, Collections.emptyList(), trans); + + // Add a dir - no attributes + FsContent _windows = caseDB.addFileSystemFile(dataSourceObjectId, fs.getId(), "Windows", 0, 0, + TskData.TSK_FS_ATTR_TYPE_ENUM.TSK_FS_ATTR_TYPE_DEFAULT, 0, TskData.TSK_FS_NAME_FLAG_ENUM.ALLOC, + (short) 0, 200, 0, 0, 0, 0, null, null, null, false, _root, "S-1-5-80-956008885-3418522649-1831038044-1853292631-227147846", null, Collections.emptyList(), trans); + + // add another no attribute file to same folder + FsContent _abcTextFile = caseDB.addFileSystemFile(dataSourceObjectId, fs.getId(), "abc.txt", 0, 0, + TskData.TSK_FS_ATTR_TYPE_ENUM.TSK_FS_ATTR_TYPE_DEFAULT, 0, TskData.TSK_FS_NAME_FLAG_ENUM.ALLOC, + (short) 0, 200, 0, 0, 0, 0, null, null, "Text/Plain", true, _windows, null, null, Collections.emptyList(), trans); + + trans.commit(); + + + String ipv4Str = "11.22.33.44"; String ipv6Str = "2001:0db8:85a3:0000:0000:8a2e:0370:6666"; String hostnameStr = "basis.com"; 
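Review bot: The new setup opens a transaction with `caseDB.beginTransaction()` and commits it only on the success path, so if any of the three addFileSystemFile calls throws, `trans` is neither committed nor rolled back. Wrapping the calls in a try/catch that calls `trans.rollback()` before rethrowing would keep a failure here from leaving the transaction, and any lock it may hold, open for the tests that run afterwards. The locals `_root`, `_windows` and `_abcTextFile` would read more conventionally as `root`, `windowsDir` and `abcTextFile`. hostAddressTests continues below the hunk.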
@@ -262,11 +288,13 @@ public void hostAddressTests() throws TskCoreException { // Test host map Host host = caseDB.getHostManager().createHost("TestHostAddress"); - SleuthkitCase.CaseDbTransaction trans = caseDB.beginTransaction(); + + trans = caseDB.beginTransaction(); DataSource ds = caseDB.addLocalFilesDataSource("devId", "pathToFiles", "EST", null, trans); trans.commit(); - caseDB.getHostAddressManager().mapHostToAddress(host, ipv4addr, (long) 0, ds); - List<HostAddress> hostAddrs = caseDB.getHostAddressManager().getHostAddresses(host); + + caseDB.getHostAddressManager().assignHostToAddress(host, ipv4addr, (long) 0, ds); + List<HostAddress> hostAddrs = caseDB.getHostAddressManager().getHostAddressesAssignedTo(host); assertEquals(hostAddrs.size() == 1, true); // Test IP mapping @@ -275,6 +303,23 @@ public void hostAddressTests() throws TskCoreException { assertEquals(ipForHostSet.size() == 1, true); List<HostAddress> hostForIpSet = caseDB.getHostAddressManager().getHostNameByIp(ipv4addr.getAddress()); assertEquals(hostForIpSet.size() == 1, true); + + + // add address usage + caseDB.getHostAddressManager().addUsage(_abcTextFile, ipv4addr); + caseDB.getHostAddressManager().addUsage(_abcTextFile, addr2); + caseDB.getHostAddressManager().addUsage(_abcTextFile, hostAddr); + + //test get addressUsed methods + List<HostAddress> addrUsedByAbc = caseDB.getHostAddressManager().getHostAddressesUsedByContent(_abcTextFile); + assertEquals(addrUsedByAbc.size() == 3, true); + + List<HostAddress> addrUsedByRoot = caseDB.getHostAddressManager().getHostAddressesUsedByContent(_root); + assertEquals(addrUsedByRoot.isEmpty(), true); + + List<HostAddress> addrUsedOnDataSource = caseDB.getHostAddressManager().getHostAddressesUsedOnDataSource(_root.getDataSource()); + assertEquals(addrUsedOnDataSource.size() == 3, true); + } @Test
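Review bot: In the second hunk on this line, the new assertions for getHostAddressesUsedOnDataSource only query the data source that has usages, so an implementation that ignored `data_source_obj_id` would still pass. The test already creates a second data source `ds`; adding `assertEquals(caseDB.getHostAddressManager().getHostAddressesUsedOnDataSource(ds).isEmpty(), true);` would pin the filter. Repeating `addUsage(_abcTextFile, ipv4addr)` and re-checking that the size is still 3 would also exercise the insert-or-ignore path behind `UNIQUE(addr_obj_id, obj_id)`.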