diff --git a/bindings/java/doxygen/artifact_catalog.dox b/bindings/java/doxygen/artifact_catalog.dox index 95c019c8233e9ec0069af145d3c3753829f65ae6..a90d971b313cb88ce28b01c3088c97a6fa122022 100644 --- a/bindings/java/doxygen/artifact_catalog.dox +++ b/bindings/java/doxygen/artifact_catalog.dox @@ -71,28 +71,16 @@ Indicates that the MD5 hash of a file matches a set of known MD5s (possibly user --- -## TSK_INTERESTING_ARTIFACT_HIT -Indicates that the source artifact matches some set of criteria which deem it interesting. Artifacts with this meta artifact will be brought to the attention of the user. +## TSK_INTERESTING_ITEM +Indicates that the source item matches some set of criteria which deem it interesting. Items with this meta artifact will be brought to the attention of the user. ### REQUIRED ATTRIBUTES -- TSK_ASSOCIATED_ARTIFACT (The source artifact) -- TSK_SET_NAME (The name of the set of criteria which deemed this artifact interesting) +- TSK_SET_NAME (The name of the set of criteria which deemed this item interesting) ### OPTIONAL ATTRIBUTES -- TSK_COMMENT (Comment on the reason that the source artifact is interesting) +- TSK_COMMENT (Comment on the reason that the source item is interesting) - TSK_CATEGORY (The set membership rule that was satisfied) - - ---- -## TSK_INTERESTING_FILE_HIT -Indication that the source file matches some set of criteria (possibly user defined) which deem it interesting. Files with this artifact will be brought to the attention of the user. - -### REQUIRED ATTRIBUTES -- TSK_SET_NAME (The name of the set of criteria which deemed this file interesting) - -### OPTIONAL ATTRIBUTES -- TSK_COMMENT (Comment on the reason that the source artifact is interesting) -- TSK_CATEGORY (The set membership rule that was satisfied. I.e. a particular mime) +- TSK_ASSOCIATED_ARTIFACT (The source artifact when the source item is an artifact) --- 
diff --git a/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java b/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java index 2486f229aa57e27d9293d44515fbc6318b9128e9..520efbd6882a56f1c067ead59af4c79f4132a5c9 100644 --- a/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java +++ b/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java @@ -283,6 +283,7 @@ public String getShortDescription() throws TskCoreException { case TSK_HASHSET_HIT: case TSK_INTERESTING_ARTIFACT_HIT: case TSK_INTERESTING_FILE_HIT: + case TSK_INTERESTING_ITEM: case TSK_YARA_HIT: attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_SET_NAME)); break; @@ -771,7 +772,7 @@ public BlackboardArtifact newArtifact(int artifactTypeID) throws TskCoreExceptio public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type artifactType, Score score, String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList) throws TskCoreException { // Get the ID before starting the transaction long dataSourceId = this.getDataSource().getId(); - + CaseDbTransaction trans = sleuthkitCase.beginTransaction(); try { AnalysisResultAdded resultAdded = sleuthkitCase.getBlackboard().newAnalysisResult(artifactType, this.getId(), dataSourceId, score, conclusion, configuration, justification, attributesList, trans); @@ -1076,7 +1077,10 @@ public static final class Type implements Serializable { /** * An meta-artifact to call attention to a file deemed to be * interesting. + * + * @deprecated Use TSK_INTERESTING_ITEM instead. */ + @Deprecated public static final Type TSK_INTERESTING_FILE_HIT = new BlackboardArtifact.Type(12, "TSK_INTERESTING_FILE_HIT", bundle.getString("BlackboardArtifact.tskInterestingFileHit.text"), Category.ANALYSIS_RESULT); /** 
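Review bot: The new `@deprecated Use TSK_INTERESTING_ITEM instead.` tag on `Type.TSK_INTERESTING_FILE_HIT` names the replacement as plain text, so generated Javadoc and IDE hints will not link to it; `@deprecated Use {@link #TSK_INTERESTING_ITEM} instead.` would. The same wording is used in the deprecation hunks for `Type.TSK_INTERESTING_ARTIFACT_HIT` and for both `ARTIFACT_TYPE` enum constants. If the old constants are kept so that results already stored under type IDs 12 and 35 remain readable, it would help to say so in the tag. The enclosing `Type` class starts and ends outside the hunk.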
@@ -1185,7 +1189,10 @@ public static final class Type implements Serializable { /** * An meta-artifact to call attention to an artifact deemed to be * interesting. + * + * @deprecated Use TSK_INTERESTING_ITEM instead. */ + @Deprecated public static final Type TSK_INTERESTING_ARTIFACT_HIT = new BlackboardArtifact.Type(35, "TSK_INTERESTING_ARTIFACT_HIT", bundle.getString("BlackboardArtifact.tskInterestingArtifactHit.text"), Category.ANALYSIS_RESULT); /** @@ -1369,6 +1376,12 @@ public static final class Type implements Serializable { * "Notable" in another Autopsy case. */ public static final Type TSK_PREVIOUSLY_NOTABLE = new BlackboardArtifact.Type(71, "TSK_PREVIOUSLY_NOTABLE", bundle.getString("BlackboardArtifact.tskPreviouslyNotable.text"), Category.ANALYSIS_RESULT); + + /** + * An meta-artifact to call attention to an item deemed to be + * interesting. + */ + public static final Type TSK_INTERESTING_ITEM = new BlackboardArtifact.Type(72, "TSK_INTERESTING_ITEM", bundle.getString("BlackboardArtifact.tskInterestingItem.text"), Category.ANALYSIS_RESULT); /* * IMPORTANT! * @@ -1396,7 +1409,6 @@ public static final class Type implements Serializable { TSK_KEYWORD_HIT, TSK_HASHSET_HIT, TSK_DEVICE_ATTACHED, - TSK_INTERESTING_FILE_HIT, TSK_EMAIL_MSG, TSK_EXTRACTED_TEXT, TSK_WEB_SEARCH_QUERY, @@ -1415,7 +1427,6 @@ public static final class Type implements Serializable { TSK_PROG_RUN, TSK_ENCRYPTION_DETECTED, TSK_EXT_MISMATCH_DETECTED, - TSK_INTERESTING_ARTIFACT_HIT, TSK_GPS_ROUTE, TSK_REMOTE_DRIVE, TSK_FACE_DETECTED, @@ -1449,7 +1460,8 @@ public static final class Type implements Serializable { TSK_WEB_CATEGORIZATION, TSK_PREVIOUSLY_SEEN, TSK_PREVIOUSLY_UNSEEN, - TSK_PREVIOUSLY_NOTABLE + TSK_PREVIOUSLY_NOTABLE, + TSK_INTERESTING_ITEM ).collect(Collectors.toMap(type -> type.getTypeID(), type -> type))); private final String typeName; 
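Review bot: The Javadoc on the new `Type.TSK_INTERESTING_ITEM` constant reads "An meta-artifact" and does not say what an item can be. Going by the catalog entry changed in this commit, something like `A meta-artifact to call attention to an item (a file or another artifact) deemed to be interesting.` would be clearer, with a mention that `TSK_ASSOCIATED_ARTIFACT` is set only when the item is an artifact. The same comment text is added to the `ARTIFACT_TYPE` enum constant in the hunk at -1963.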
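Review bot: The hunks at -1396 and -1415 drop `TSK_INTERESTING_FILE_HIT` and `TSK_INTERESTING_ARTIFACT_HIT` from the map built by `Collectors.toMap(type -> type.getTypeID(), type -> type)`, and this hunk adds `TSK_INTERESTING_ITEM`, while both deprecated constants remain declared. The map's name and its callers are outside the hunks, so this is inferred: if type IDs read from an existing case database are resolved through this map, results stored under IDs 12 and 35 would no longer resolve to a standard type. Either keep the two entries until the constants are actually removed, or add a comment next to the list such as `// Deprecated types are intentionally omitted; IDs 12 and 35 are resolved by <fallback>` naming where older cases are handled.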
@@ -1639,7 +1651,10 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { /** * An meta-artifact to call attention to a file deemed to be * interesting. + * + * @deprecated Use TSK_INTERESTING_ITEM instead. */ + @Deprecated TSK_INTERESTING_FILE_HIT(12, "TSK_INTERESTING_FILE_HIT", //NON-NLS bundle.getString("BlackboardArtifact.tskInterestingFileHit.text"), Category.ANALYSIS_RESULT), ///< an interesting/notable file hit /** @@ -1774,7 +1789,10 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { /** * An meta-artifact to call attention to an artifact deemed to be * interesting. + * + * @deprecated Use TSK_INTERESTING_ITEM instead. */ + @Deprecated TSK_INTERESTING_ARTIFACT_HIT(35, "TSK_INTERESTING_ARTIFACT_HIT", //NON-NLS bundle.getString("BlackboardArtifact.tskInterestingArtifactHit.text"), Category.ANALYSIS_RESULT), /** @@ -1963,7 +1981,13 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem { * "Notable" in another Autopsy case. */ TSK_PREVIOUSLY_NOTABLE(71, "TSK_PREVIOUSLY_NOTABLE", - bundle.getString("BlackboardArtifact.tskPreviouslyNotable.text"), Category.ANALYSIS_RESULT); + bundle.getString("BlackboardArtifact.tskPreviouslyNotable.text"), Category.ANALYSIS_RESULT), + /** + * An meta-artifact to call attention to an item deemed to be + * interesting. + */ + TSK_INTERESTING_ITEM(72, "TSK_INTERESTING_ITEM", //NON-NLS + bundle.getString("BlackboardArtifact.tskInterestingItem.text"), Category.ANALYSIS_RESULT); /* * IMPORTANT! * diff --git a/bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java b/bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java index fdc720da84b0157e67fcbd7684f76daeb158ad9f..2ff874e5b9ce71571df81968d1bde7833d313639 100755 --- a/bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java +++ b/bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java 
@@ -455,7 +455,7 @@ public static final class Type implements Serializable { public static final Type TSK_ENTROPY = new Type(29, "TSK_ENTROPY", bundle.getString("BlackboardAttribute.tskEntropy.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE); // TSK_HASHSET_NAME (id: 30) has been deprecated. Please use TSK_SET_NAME instead. - // TSK_INTERESTING_FILE (id: 31) has been deprecated. Please use TSK_INTERESTING_FILE_HIT instead. + // TSK_INTERESTING_FILE (id: 31) has been deprecated. Please use TSK_INTERESTING_ITEM instead. public static final Type TSK_REFERRER = new Type(32, "TSK_REFERRER", bundle.getString("BlackboardAttribute.tskReferrer.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); public static final Type TSK_DATETIME_ACCESSED = new Type(33, "TSK_DATETIME_ACCESSED", bundle.getString("BlackboardAttribute.tskDateTimeAccessed.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME); public static final Type TSK_IP_ADDRESS = new Type(34, "TSK_IP_ADDRESS", bundle.getString("BlackboardAttribute.tskIpAddress.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); @@ -1112,7 +1112,7 @@ public enum ATTRIBUTE_TYPE { bundle.getString("BlackboardAttribute.tskHashsetName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), /** - * @deprecated Use a TSK_INTERESTING_FILE_HIT artifact instead. + * @deprecated Use a TSK_INTERESTING_ITEM artifact instead. */ @Deprecated TSK_INTERESTING_FILE(31, "TSK_INTERESTING_FILE", //NON-NLS diff --git a/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties b/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties index 604e85f8857b71fe2ff117ca6db92955046bf012..0c4c2356b0c449d5f60e47778dc33fd1bfb442fb 100644 --- a/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties +++ b/bindings/java/src/org/sleuthkit/datamodel/Bundle.properties 
@@ -67,6 +67,7 @@ BlackboardArtifact.tskWebCategorization.text=Web Categories BlackboardArtifact.tskPreviouslySeen.text=Previously Seen BlackboardArtifact.tskPreviouslyUnseen.text=Previously Unseen BlackboardArtifact.tskPreviouslyNotable.text=Previously Notable +BlackboardArtifact.tskInterestingItem.text=Interesting Items BlackboardArtifact.tskYaraHit.text=YARA Hit BlackboardArtifact.tskGPSArea.text=GPS Area BlackboardAttribute.tskAccountType.text=Account Type diff --git a/case-uco/java/src/org/sleuthkit/caseuco/CaseUcoExporter.java b/case-uco/java/src/org/sleuthkit/caseuco/CaseUcoExporter.java index dd21f2d494b887853d45cd6c0800bb4e3e0b70fb..8be4a9d6c17c3cf92f68730c3731c32fab80c48b 100755 --- a/case-uco/java/src/org/sleuthkit/caseuco/CaseUcoExporter.java +++ b/case-uco/java/src/org/sleuthkit/caseuco/CaseUcoExporter.java @@ -121,7 +121,7 @@ public class CaseUcoExporter { * Creates a default CaseUcoExporter. * * @param sleuthkitCase The sleuthkit case instance containing the data to - * be exported. + * be exported. */ public CaseUcoExporter(SleuthkitCase sleuthkitCase) { this(sleuthkitCase, new Properties()); @@ -135,9 +135,9 @@ public CaseUcoExporter(SleuthkitCase sleuthkitCase) { * README.md file. * * @param sleuthkitCase The sleuthkit case instance containing the data to - * be exported. - * @param props Properties instance containing supported configuration - * parameters. + * be exported. + * @param props Properties instance containing supported + * configuration parameters. */ public CaseUcoExporter(SleuthkitCase sleuthkitCase, Properties props) { this.sleuthkitCase = sleuthkitCase; @@ -153,7 +153,7 @@ public CaseUcoExporter(SleuthkitCase sleuthkitCase, Properties props) { * contain a URL). * * @param uuidService A custom UUID implementation, which will be used to - * generate @id values in all export methods. + * generate @id values in all export methods. * * @return reference to this, for chaining configuration method calls. */ 
@@ -196,6 +196,7 @@ public List<JsonElement> exportSleuthkitCase() throws TskCoreException { * Exports an AbstractFile instance to CASE. * * @param file AbstractFile instance to export + * * @return A collection of CASE JSON elements * * @throws TskCoreException If an error occurred during database access. @@ -207,10 +208,11 @@ public List<JsonElement> exportAbstractFile(AbstractFile file) throws TskCoreExc /** * Exports an AbstractFile instance to CASE. * - * @param file AbstractFile instance to export + * @param file AbstractFile instance to export * @param localPath The location of the file on secondary storage, somewhere - * other than the case. Example: local disk. This value will be ignored if - * null + * other than the case. Example: local disk. This value + * will be ignored if null + * * @return A collection of CASE JSON elements * * @throws TskCoreException If an error occurred during database access. @@ -257,7 +259,9 @@ public List<JsonElement> exportAbstractFile(AbstractFile file, String localPath) * Exports a ContentTag instance to CASE. * * @param contentTag ContentTag instance to export + * * @return A collection of CASE JSON elements + * * @throws TskCoreException If an error occurred during database access. */ public List<JsonElement> exportContentTag(ContentTag contentTag) throws TskCoreException { @@ -276,7 +280,9 @@ public List<JsonElement> exportContentTag(ContentTag contentTag) throws TskCoreE * Exports a DataSource instance to CASE. * * @param dataSource DataSource instance to export + * * @return A collection of CASE JSON elements + * * @throws TskCoreException If an error occurred during database access. */ public List<JsonElement> exportDataSource(DataSource dataSource) throws TskCoreException { 
@@ -313,7 +319,9 @@ String getDataSourcePath(DataSource dataSource) { * Exports a FileSystem instance to CASE. * * @param fileSystem FileSystem instance to export + * * @return A collection of CASE JSON elements + * * @throws TskCoreException If an error occurred during database access. */ public List<JsonElement> exportFileSystem(FileSystem fileSystem) throws TskCoreException { @@ -335,6 +343,7 @@ public List<JsonElement> exportFileSystem(FileSystem fileSystem) throws TskCoreE * Exports a Pool instance to CASE. * * @param pool Pool instance to export + * * @return A collection of CASE JSON elements * * @throws TskCoreException If an error occurred during database access. @@ -357,7 +366,9 @@ public List<JsonElement> exportPool(Pool pool) throws TskCoreException { * Exports a Volume instance to CASE. * * @param volume Volume instance to export + * * @return A collection of CASE JSON elements + * * @throws TskCoreException If an error occurred during database access. */ public List<JsonElement> exportVolume(Volume volume) throws TskCoreException { @@ -384,6 +395,7 @@ public List<JsonElement> exportVolume(Volume volume) throws TskCoreException { * Exports a VolumeSystem instance to CASE. * * @param volumeSystem VolumeSystem instance to export + * * @return A collection of CASE JSON elements * * @throws TskCoreException If an error occurred during database access. 
@@ -406,15 +418,21 @@ public List<JsonElement> exportVolumeSystem(VolumeSystem volumeSystem) throws Ts * Exports a BlackboardArtifact instance to CASE. * * @param artifact BlackboardArtifact instance to export + * * @return A collection of CASE JSON elements * - * @throws TskCoreException If an error occurred during database access. - * @throws ContentNotExportableException if the content could not be - * exported, even in part, to CASE. + * @throws TskCoreException If an error occurred + * during database + * access. + * @throws ContentNotExportableException if the content could + * not be exported, even + * in part, to CASE. * @throws BlackboardJsonAttrUtil.InvalidJsonException If a JSON valued - * attribute could not be correctly deserialized. + * attribute could not + * be correctly + * deserialized. */ - @SuppressWarnings( "deprecation" ) + @SuppressWarnings("deprecation") public List<JsonElement> exportBlackboardArtifact(BlackboardArtifact artifact) throws TskCoreException, ContentNotExportableException, BlackboardJsonAttrUtil.InvalidJsonException { List<JsonElement> output = new ArrayList<>(); @@ -440,8 +458,6 @@ public List<JsonElement> exportBlackboardArtifact(BlackboardArtifact artifact) t assembleHashsetHit(uuid, artifact, output); } else if (TSK_DEVICE_ATTACHED.getTypeID() == artifactTypeId) { assembleDeviceAttached(uuid, artifact, output); - } else if (TSK_INTERESTING_FILE_HIT.getTypeID() == artifactTypeId) { - assembleInterestingFileHit(uuid, artifact, output); } else if (TSK_EMAIL_MSG.getTypeID() == artifactTypeId) { assembleEmailMessage(uuid, artifact, output); } else if (TSK_EXTRACTED_TEXT.getTypeID() == artifactTypeId) { 
@@ -478,8 +494,8 @@ public List<JsonElement> exportBlackboardArtifact(BlackboardArtifact artifact) t assembleProgRun(uuid, artifact, output); } else if (TSK_ENCRYPTION_DETECTED.getTypeID() == artifactTypeId) { assembleEncryptionDetected(uuid, artifact, output); - } else if (TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifactTypeId) { - assembleInterestingArtifact(uuid, artifact, output); + } else if (TSK_INTERESTING_FILE_HIT.getTypeID() == artifactTypeId || TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifactTypeId || TSK_INTERESTING_ITEM.getTypeID() == artifactTypeId) { + assembleInterestingItem(uuid, artifact, output); } else if (TSK_GPS_ROUTE.getTypeID() == artifactTypeId) { assembleGPSRoute(uuid, artifact, output); } else if (TSK_REMOTE_DRIVE.getTypeID() == artifactTypeId) { @@ -688,13 +704,6 @@ private void assembleRecentObject(String uuid, BlackboardArtifact artifact, List .setTarget(uuid), output); } - private void assembleInterestingFileHit(String uuid, BlackboardArtifact artifact, List<JsonElement> output) throws TskCoreException { - Assertion export = new Assertion(uuid); - export.setName(getValueIfPresent(artifact, StandardAttributeTypes.TSK_SET_NAME)); - export.setStatement(getValueIfPresent(artifact, StandardAttributeTypes.TSK_COMMENT)); - addToOutput(export, output); - } - private void assembleExtractedText(String uuid, BlackboardArtifact artifact, List<JsonElement> output) throws TskCoreException { Trace export = new Trace(uuid) .addBundle(new ExtractedString() 
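Review bot: The merged branch puts three `getTypeID() == artifactTypeId` comparisons on one long line and gives no reason why two deprecated types are still matched. Breaking the condition over three lines and adding a comment such as `// The deprecated file/artifact hit types are still exported so results recorded under the old type IDs are not dropped` would make the intent clear to the next reader; the stated reason is my inference and should be confirmed. `exportBlackboardArtifact` starts and ends outside the hunk.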
@@ -1133,11 +1142,10 @@ private void assembleEncryptionDetected(String uuid, BlackboardArtifact artifact addToOutput(export, output); } - private void assembleInterestingArtifact(String uuid, BlackboardArtifact artifact, List<JsonElement> output) throws TskCoreException { + private void assembleInterestingItem(String uuid, BlackboardArtifact artifact, List<JsonElement> output) throws TskCoreException { Assertion export = new Assertion(uuid); export.setName(getValueIfPresent(artifact, StandardAttributeTypes.TSK_SET_NAME)); export.setStatement(getValueIfPresent(artifact, StandardAttributeTypes.TSK_COMMENT)); - Long associatedArtifactId = getLongIfPresent(artifact, StandardAttributeTypes.TSK_ASSOCIATED_ARTIFACT); if (associatedArtifactId != null) { BlackboardArtifact associatedArtifact = artifact.getSleuthkitCase().getBlackboardArtifact(associatedArtifactId);
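Review bot: `assembleInterestingItem` now serves `TSK_INTERESTING_ITEM` and both deprecated hit types, but it has no comment saying that `TSK_ASSOCIATED_ARTIFACT` is optional and is absent when the item is a file. A short Javadoc would cover it, for example `/** Exports an interesting-item result as an Assertion; the associated artifact is looked up only when TSK_ASSOCIATED_ARTIFACT is present. */`. The associated ID is read from case data and passed straight to `getBlackboardArtifact`. The body continues outside the hunk, so the handling of an ID that resolves to nothing is not visible here; it is worth confirming that one dangling reference cannot abort the export of the whole result.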