f877f574
Commit
f877f574
authored
2 years ago
by
Greg DiCristofaro
new api for adding timeline event manually
parent
13fa58fc
Showing
2 changed files
bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java
+17
-0
17 additions, 0 deletions
bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java
bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java
+49
-0
49 additions, 0 deletions
...ngs/java/src/org/sleuthkit/datamodel/TimelineManager.java
with
66 additions
and
0 deletions
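--- a/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java
@@ -95,6 +95,7 @@
 import org.sqlite.SQLiteDataSource;
 import org.sqlite.SQLiteJDBCLoader;
 import org.sleuthkit.datamodel.ContentStream.ContentProvider;
+import org.sleuthkit.datamodel.TimelineManager.TimelineEventAddedEvent;
 /**
 * Represents the case database with methods that provide abstractions for
@@ -13940,6 +13941,7 @@ public static final class CaseDbTransaction {
 // Score changes are stored as a map keyed by objId to prevent duplicates.
 private Map<Long, ScoreChange> scoreChangeMap = new HashMap<>();
 private List<Host> hostsAdded = new ArrayList<>();
+private List<TimelineEventAddedEvent> timelineEvents = new ArrayList<>();
 private List<OsAccount> accountsChanged = new ArrayList<>();
 private List<OsAccount> accountsAdded = new ArrayList<>();
 private List<TskEvent.MergedAccountsPair> accountsMerged = new ArrayList<>();
@@ -13987,6 +13989,16 @@ CaseDbConnection getConnection() {
 void registerScoreChange(ScoreChange scoreChange) {
 scoreChangeMap.put(scoreChange.getObjectId(), scoreChange);
 }
+/**
+* Register timeline event to be fired when transaction finishes.
+* @param timelineEvent The timeline event.
+*/
+void registerTimelineEvent(TimelineEventAddedEvent timelineEvent) {
+if (timelineEvent != null) {
+timelineEvents.add(timelineEvent);
+}
+}
 /**
 * Saves a host that has been added as a part of this transaction.
@@ -14085,6 +14097,11 @@ public void commit() throws TskCoreException {
 sleuthkitCase.fireTSKEvent(new TskEvent.AggregateScoresChangedEvent(entry.getKey(), ImmutableSet.copyOf(entry.getValue())));
 }
 }
+if (!timelineEvents.isEmpty()) {
+for (TimelineEventAddedEvent evt : timelineEvents) {
+sleuthkitCase.fireTSKEvent(evt);
+}
+}
 if (!hostsAdded.isEmpty()) {
 sleuthkitCase.fireTSKEvent(new TskEvent.HostsAddedTskEvent(hostsAdded));
 }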
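Review bot: In the commit() hunk the `if (!timelineEvents.isEmpty())` guard around the loop is redundant, since iterating an empty list does nothing; the block can be just `for (TimelineEventAddedEvent evt : timelineEvents) { sleuthkitCase.fireTSKEvent(evt); }`. registerTimelineEvent silently drops a null argument, which its Javadoc should state, for example `@param timelineEvent The timeline event; ignored if null.`. commit() begins and ends outside the hunk, so it is not visible here whether these events are fired only after the database commit has succeeded; any listener that treats the event as proof of a persisted timeline record depends on that ordering, and a short comment at the firing site saying so would help.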
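--- a/bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/TimelineManager.java
@@ -48,6 +48,7 @@
 import static org.sleuthkit.datamodel.CollectionUtils.isNotEmpty;
 import static org.sleuthkit.datamodel.CommManagerSqlStringUtils.buildCSVString;
 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection;
+import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
 import static org.sleuthkit.datamodel.SleuthkitCase.escapeSingleQuotes;
 /**
@@ -790,6 +791,54 @@ private Optional<TimelineEvent> addOtherEventDesc(BlackboardArtifact artifact) t
 return addArtifactEvent(evtWDesc, evtType, artifact);
 }
+/**
+* Adds a timeline event to the database in a transaction.
+* @param eventType The event type.
+* @param shortDesc The short description.
+* @param medDesc The medium description.
+* @param longDesc The long description.
+* @param dataSourceId The data source id of the event.
+* @param contentId The content id of the event.
+* @param artifactId The artifact id of the event (can be null).
+* @param time Unix epoch offset time of the event in seconds.
+* @param hashHit True if a hash hit.
+* @param tagged True if tagged.
+* @param trans The transaction.
+* @return The added event.
+* @throws TskCoreException
+*/
+@Beta
+public TimelineEvent addTimelineEvent(TimelineEventType eventType, String shortDesc, String medDesc, String longDesc, long dataSourceId, long contentId, Long artifactId, long time, boolean hashHit, boolean tagged, CaseDbTransaction trans) throws TskCoreException {
+caseDB.acquireSingleUserCaseWriteLock();
+try {
+Long descriptionID = addEventDescription(dataSourceId, contentId, artifactId, longDesc, medDesc, shortDesc, hashHit, tagged, trans.getConnection());
+if (descriptionID == null) {
+descriptionID = getEventDescription(dataSourceId, contentId, artifactId, longDesc, trans.getConnection());
+}
+if (descriptionID != null) {
+long eventID = addEventWithExistingDescription(time, eventType, descriptionID, trans.getConnection());
+return new TimelineEvent(eventID, descriptionID, contentId, artifactId, time, eventType, longDesc, medDesc, shortDesc, hashHit, tagged);
+} else {
+// GVDTODO
+throw new TskCoreException(String.format("Failed to get event description"));
+}
+} catch (DuplicateException dupEx) {
+logger.log(Level.SEVERE, "Attempt to make file event duplicate.", dupEx);
+return null;
+} finally {
+caseDB.releaseSingleUserCaseWriteLock();
+}
+}
 /**
 * Add an event of the given type from the given artifact to the database.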
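Review bot: addTimelineEvent returns the new TimelineEvent without ever calling `trans.registerTimelineEvent(...)`, so in the visible hunks nothing feeds the transaction's new timelineEvents list and listeners would presumably never learn of manually added events. Holding the event in a local and calling `trans.registerTimelineEvent(new TimelineEventAddedEvent(event));` before the return would close that gap, assuming that constructor is reachable from this method. The DuplicateException branch returns null although the Javadoc promises `@return The added event.`, and its log text `"Attempt to make file event duplicate."` is misleading for an event that need not come from a file; either document the null return or rethrow as TskCoreException so a caller cannot mistake a skipped insert for a recorded one. `trans` is dereferenced without a null check, and the `// GVDTODO` marker and the argument-less `String.format(...)` look like leftovers to clean up before this leaves @Beta.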