Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • irt/sleuthkit
1 result
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 12219 additions and 0 deletions
bindings/java/jni/dataModel_SleuthkitJNI.h 0 → 100644
View file @ a73ef106
/* DO NOT EDIT THIS FILE - it is machine generated */
#include <jni.h>
/* Header for class org_sleuthkit_datamodel_SleuthkitJNI */
#ifndef _Included_org_sleuthkit_datamodel_SleuthkitJNI
#define _Included_org_sleuthkit_datamodel_SleuthkitJNI
#ifdef __cplusplus
extern "C" {
#endif
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getVersionNat
* Signature: ()Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getVersionNat
(JNIEnv *, jclass);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: startVerboseLoggingNat
* Signature: (Ljava/lang/String;)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_startVerboseLoggingNat
(JNIEnv *, jclass, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbOpenNat
* Signature: (Ljava/lang/String;)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbOpenNat
(JNIEnv *, jclass, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbNewNat
* Signature: (Ljava/lang/String;)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbNewNat
(JNIEnv *, jclass, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbBeginTransactionNat
* Signature: (I)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbBeginTransactionNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbCommitTransactionNat
* Signature: (I)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbCommitTransactionNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbRollbackTransactionNat
* Signature: (I)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbRollbackTransactionNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbAddEntryNat
* Signature: (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;I)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbAddEntryNat
(JNIEnv *, jclass, jstring, jstring, jstring, jstring, jstring, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbIsUpdateableNat
* Signature: (I)Z
*/
JNIEXPORT jboolean JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbIsUpdateableNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbIsReindexableNat
* Signature: (I)Z
*/
JNIEXPORT jboolean JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbIsReindexableNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbPathNat
* Signature: (I)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbPathNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbIndexPathNat
* Signature: (I)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbIndexPathNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbGetDisplayName
* Signature: (I)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbGetDisplayName
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbCloseAll
* Signature: ()V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbCloseAll
(JNIEnv *, jclass);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbClose
* Signature: (I)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbClose
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbCreateIndexNat
* Signature: (I)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbCreateIndexNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbIndexExistsNat
* Signature: (I)Z
*/
JNIEXPORT jboolean JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbIndexExistsNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbIsIdxOnlyNat
* Signature: (I)Z
*/
JNIEXPORT jboolean JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbIsIdxOnlyNat
(JNIEnv *, jclass, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbLookup
* Signature: (Ljava/lang/String;I)Z
*/
JNIEXPORT jboolean JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbLookup
(JNIEnv *, jclass, jstring, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: hashDbLookupVerbose
* Signature: (Ljava/lang/String;I)Lorg/sleuthkit/datamodel/HashHitInfo;
*/
JNIEXPORT jobject JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_hashDbLookupVerbose
(JNIEnv *, jclass, jstring, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: initAddImgNat
* Signature: (Lorg/sleuthkit/datamodel/TskCaseDbBridge;Ljava/lang/String;ZZ)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_initAddImgNat
(JNIEnv *, jclass, jobject, jstring, jboolean, jboolean);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: initializeAddImgNat
* Signature: (Lorg/sleuthkit/datamodel/TskCaseDbBridge;Ljava/lang/String;ZZZ)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_initializeAddImgNat
(JNIEnv *, jclass, jobject, jstring, jboolean, jboolean, jboolean);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: runOpenAndAddImgNat
* Signature: (JLjava/lang/String;[Ljava/lang/String;ILjava/lang/String;)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_runOpenAndAddImgNat
(JNIEnv *, jclass, jlong, jstring, jobjectArray, jint, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: runAddImgNat
* Signature: (JLjava/lang/String;JJLjava/lang/String;Ljava/lang/String;)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_runAddImgNat
(JNIEnv *, jclass, jlong, jstring, jlong, jlong, jstring, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: stopAddImgNat
* Signature: (J)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_stopAddImgNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: finishAddImgNat
* Signature: (J)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_finishAddImgNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: openImgNat
* Signature: ([Ljava/lang/String;II)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openImgNat
(JNIEnv *, jclass, jobjectArray, jint, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: openVsNat
* Signature: (JJ)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openVsNat
(JNIEnv *, jclass, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: openVolNat
* Signature: (JJ)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openVolNat
(JNIEnv *, jclass, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: openPoolNat
* Signature: (JJ)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openPoolNat
(JNIEnv *, jclass, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getImgInfoForPoolNat
* Signature: (JJ)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getImgInfoForPoolNat
(JNIEnv *, jclass, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: openFsNat
* Signature: (JJ)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openFsNat
(JNIEnv *, jclass, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: openFileNat
* Signature: (JJII)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openFileNat
(JNIEnv *, jclass, jlong, jlong, jint, jint);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: readImgNat
* Signature: (J[BJJ)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_readImgNat
(JNIEnv *, jclass, jlong, jbyteArray, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: readVsNat
* Signature: (J[BJJ)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_readVsNat
(JNIEnv *, jclass, jlong, jbyteArray, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: readPoolNat
* Signature: (J[BJJ)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_readPoolNat
(JNIEnv *, jclass, jlong, jbyteArray, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: readVolNat
* Signature: (J[BJJ)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_readVolNat
(JNIEnv *, jclass, jlong, jbyteArray, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: readFsNat
* Signature: (J[BJJ)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_readFsNat
(JNIEnv *, jclass, jlong, jbyteArray, jlong, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: readFileNat
* Signature: (J[BJIJ)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_readFileNat
(JNIEnv *, jclass, jlong, jbyteArray, jlong, jint, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: saveFileMetaDataTextNat
* Signature: (JLjava/lang/String;)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_saveFileMetaDataTextNat
(JNIEnv *, jclass, jlong, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getPathsForImageNat
* Signature: (J)[Ljava/lang/String;
*/
JNIEXPORT jobjectArray JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getPathsForImageNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getSizeForImageNat
* Signature: (J)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getSizeForImageNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getTypeForImageNat
* Signature: (J)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getTypeForImageNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getSectorSizeForImageNat
* Signature: (J)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getSectorSizeForImageNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getMD5HashForImageNat
* Signature: (J)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getMD5HashForImageNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getSha1HashForImageNat
* Signature: (J)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getSha1HashForImageNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getCollectionDetailsForImageNat
* Signature: (J)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getCollectionDetailsForImageNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: closeImgNat
* Signature: (J)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closeImgNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: closePoolNat
* Signature: (J)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closePoolNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: closeVsNat
* Signature: (J)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closeVsNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: closeFsNat
* Signature: (J)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closeFsNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: closeFileNat
* Signature: (J)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closeFileNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: findDeviceSizeNat
* Signature: (Ljava/lang/String;)J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_findDeviceSizeNat
(JNIEnv *, jclass, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getCurDirNat
* Signature: (J)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getCurDirNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: isImageSupportedNat
* Signature: (Ljava/lang/String;)Z
*/
JNIEXPORT jboolean JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_isImageSupportedNat
(JNIEnv *, jclass, jstring);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getSleuthkitVersionNat
* Signature: ()J
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getSleuthkitVersionNat
(JNIEnv *, jclass);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: finishImageWriterNat
* Signature: (J)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_finishImageWriterNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: getFinishImageProgressNat
* Signature: (J)I
*/
JNIEXPORT jint JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getFinishImageProgressNat
(JNIEnv *, jclass, jlong);
/*
* Class: org_sleuthkit_datamodel_SleuthkitJNI
* Method: cancelFinishImageNat
* Signature: (J)V
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_cancelFinishImageNat
(JNIEnv *, jclass, jlong);
#ifdef __cplusplus
}
#endif
#endif
/* Header for class org_sleuthkit_datamodel_SleuthkitJNI_TSK_FS_FILE_READ_OFFSET_TYPE_ENUM */
#ifndef _Included_org_sleuthkit_datamodel_SleuthkitJNI_TSK_FS_FILE_READ_OFFSET_TYPE_ENUM
#define _Included_org_sleuthkit_datamodel_SleuthkitJNI_TSK_FS_FILE_READ_OFFSET_TYPE_ENUM
#ifdef __cplusplus
extern "C" {
#endif
#ifdef __cplusplus
}
#endif
#endif
/* Header for class org_sleuthkit_datamodel_SleuthkitJNI_CaseDbHandle */
#ifndef _Included_org_sleuthkit_datamodel_SleuthkitJNI_CaseDbHandle
#define _Included_org_sleuthkit_datamodel_SleuthkitJNI_CaseDbHandle
#ifdef __cplusplus
extern "C" {
#endif
#ifdef __cplusplus
}
#endif
#endif
/* Header for class org_sleuthkit_datamodel_SleuthkitJNI_CaseDbHandle_AddImageProcess */
#ifndef _Included_org_sleuthkit_datamodel_SleuthkitJNI_CaseDbHandle_AddImageProcess
#define _Included_org_sleuthkit_datamodel_SleuthkitJNI_CaseDbHandle_AddImageProcess
#ifdef __cplusplus
extern "C" {
#endif
#ifdef __cplusplus
}
#endif
#endif
/* Header for class org_sleuthkit_datamodel_SleuthkitJNI_HandleCache */
#ifndef _Included_org_sleuthkit_datamodel_SleuthkitJNI_HandleCache
#define _Included_org_sleuthkit_datamodel_SleuthkitJNI_HandleCache
#ifdef __cplusplus
extern "C" {
#endif
#ifdef __cplusplus
}
#endif
#endif
/* Header for class org_sleuthkit_datamodel_SleuthkitJNI_CaseHandles */
#ifndef _Included_org_sleuthkit_datamodel_SleuthkitJNI_CaseHandles
#define _Included_org_sleuthkit_datamodel_SleuthkitJNI_CaseHandles
#ifdef __cplusplus
extern "C" {
#endif
#ifdef __cplusplus
}
#endif
#endif
bindings/java/nbproject/project.properties 0 → 100755
View file @ a73ef106
auxiliary.org-netbeans-modules-editor-indent.text.x-java.CodeStyle.project.alignJavadocExceptionDescriptions=true
auxiliary.org-netbeans-modules-editor-indent.text.x-java.CodeStyle.project.alignJavadocParameterDescriptions=true
auxiliary.org-netbeans-modules-editor-indent.text.x-java.CodeStyle.project.alignJavadocReturnDescription=true
auxiliary.org-netbeans-modules-editor-indent.text.x-java.CodeStyle.project.blankLineAfterJavadocParameterDescriptions=true
auxiliary.org-netbeans-modules-editor-indent.text.x-java.CodeStyle.project.blankLineAfterJavadocReturnTag=true
auxiliary.org-netbeans-modules-editor-indent.text.x-java.CodeStyle.project.enableBlockCommentFormatting=true
bindings/java/nbproject/project.xml 0 → 100755
View file @ a73ef106
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://www.netbeans.org/ns/project/1">
<type>org.netbeans.modules.ant.freeform</type>
<configuration>
<general-data xmlns="http://www.netbeans.org/ns/freeform-project/1">
<name>DataModel</name>
</general-data>
<general-data xmlns="http://www.netbeans.org/ns/freeform-project/2">
<!-- Do not use Project Properties customizer when editing this file manually. -->
<name>DataModel</name>
<properties/>
<folders>
<source-folder>
<label>DataModel</label>
<location>.</location>
<encoding>windows-1252</encoding>
</source-folder>
<source-folder>
<label>src</label>
<type>java</type>
<location>src</location>
<encoding>windows-1252</encoding>
</source-folder>
<source-folder>
<label>test</label>
<type>java</type>
<location>test</location>
<encoding>windows-1252</encoding>
</source-folder>
</folders>
<ide-actions>
<action name="build">
<target>dist</target>
</action>
<action name="clean">
<target>clean</target>
</action>
<action name="rebuild">
<target>clean</target>
<target>dist</target>
</action>
<action name="run.single">
<script>nbproject/ide-file-targets.xml</script>
<target>run-selected-file-in-test</target>
<context>
<property>run.class</property>
<folder>test</folder>
<pattern>\.java$</pattern>
<format>java-name</format>
<arity>
<one-file-only/>
</arity>
</context>
</action>
<action name="compile.single">
<script>nbproject/ide-file-targets.xml</script>
<target>compile-selected-files-in-test</target>
<context>
<property>files</property>
<folder>test</folder>
<pattern>\.java$</pattern>
<format>relative-path</format>
<arity>
<separated-files>,</separated-files>
</arity>
</context>
</action>
<action name="test">
<target>test</target>
</action>
<action name="javadoc">
<target>javadoc</target>
</action>
</ide-actions>
<export>
<type>folder</type>
<location>build</location>
<build-target>dist</build-target>
</export>
<export>
<type>folder</type>
<location>build</location>
<build-target>dist</build-target>
</export>
<export>
<type>folder</type>
<location>test</location>
<build-target>dist</build-target>
</export>
<view>
<items>
<source-folder style="packages">
<label>src</label>
<location>src</location>
</source-folder>
<source-folder style="packages">
<label>test</label>
<location>test</location>
</source-folder>
<source-file>
<location>build.xml</location>
</source-file>
</items>
<context-menu>
<ide-action name="build"/>
<ide-action name="rebuild"/>
<ide-action name="clean"/>
<ide-action name="javadoc"/>
<ide-action name="test"/>
</context-menu>
</view>
<subprojects/>
</general-data>
<java-data xmlns="http://www.netbeans.org/ns/freeform-project-java/4">
<compilation-unit>
<package-root>src</package-root>
<classpath mode="compile">lib;lib/diffutils-1.2.1.jar;lib/junit-4.12.jar;lib/postgresql-42.2.18.jar;lib/c3p0-0.9.5.5.jar;lib/mchange-commons-java-0.2.20.jar;lib/joda-time-2.4.jar;lib/commons-lang3-3.0.jar;lib/guava-31.1-jre.jar;lib/SparseBitSet-1.1.jar;lib/gson-2.8.5.jar;lib/commons-validator-1.6.jar</classpath>
<built-to>build</built-to>
<source-level>1.8</source-level>
</compilation-unit>
<compilation-unit>
<package-root>test</package-root>
<unit-tests/>
<classpath mode="compile">build;lib/diffutils-1.2.1.jar;lib/diffutils-1.2.1-javadoc.jar;lib/diffutils-1.2.1-sources.jar;lib/junit-4.12.jar</classpath>
<built-to>build</built-to>
<built-to>test</built-to>
<source-level>1.8</source-level>
</compilation-unit>
</java-data>
<preferences xmlns="http://www.netbeans.org/ns/auxiliary-configuration-preferences/1">
<module name="org-netbeans-modules-html-editor-lib"/>
<module name="org-netbeans-modules-editor-indent">
<node name="CodeStyle">
<property name="usedProfile" value="project"/>
<node name="project">
<property name="spaces-per-tab" value="4"/>
<property name="tab-size" value="4"/>
<property name="indent-shift-width" value="4"/>
<property name="expand-tabs" value="false"/>
<property name="text-limit-width" value="80"/>
<property name="text-line-wrap" value="none"/>
</node>
</node>
<node name="text">
<node name="x-java">
<node name="CodeStyle">
<node name="project"/>
</node>
</node>
</node>
</module>
<module name="org-netbeans-modules-projectimport-eclipse-core"/>
</preferences>
</configuration>
</project>
bindings/java/src/org/sleuthkit/datamodel/AbstractAttribute.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import java.util.Arrays;
import java.util.Objects;
/**
* An abstract base class for attributes as name-value pairs with type safety.
* The attribute type field indicates which one of the value fields is valid.
*/
public abstract class AbstractAttribute {
private static final char[] HEX_ARRAY = "0123456789ABCDEF".toCharArray();
private final BlackboardAttribute.Type attributeType;
private final int valueInt;
private final long valueLong;
private final double valueDouble;
private final String valueString;
private final byte[] valueBytes;
private SleuthkitCase sleuthkitCase;
/**
* Constructs an attribute with an integer value.
*
* @param attributeType The attribute type.
* @param valueInt The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER.
*/
public AbstractAttribute(BlackboardAttribute.Type attributeType, int valueInt) {
if (attributeType.getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER) {
throw new IllegalArgumentException("Type mismatched with value type");
}
this.attributeType = attributeType;
this.valueInt = valueInt;
this.valueLong = 0;
this.valueDouble = 0;
this.valueString = "";
this.valueBytes = new byte[0];
}
/**
* Constructs an attribute with a long/datetime value.
*
* @param attributeType The attribute type.
* @param valueLong The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG
* or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME.
*/
public AbstractAttribute(BlackboardAttribute.Type attributeType, long valueLong) {
if (attributeType.getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG
&& attributeType.getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME) {
throw new IllegalArgumentException("Type mismatched with value type");
}
this.attributeType = attributeType;
this.valueInt = 0;
this.valueLong = valueLong;
this.valueDouble = 0;
this.valueString = "";
this.valueBytes = new byte[0];
}
/**
* Constructs an attribute with a double value.
*
* @param attributeType The attribute type.
* @param valueDouble The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE.
*/
public AbstractAttribute(BlackboardAttribute.Type attributeType, double valueDouble) {
if (attributeType.getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE) {
throw new IllegalArgumentException("Type mismatched with value type");
}
this.attributeType = attributeType;
this.valueInt = 0;
this.valueLong = 0;
this.valueDouble = valueDouble;
this.valueString = "";
this.valueBytes = new byte[0];
}
/**
* Constructs an attribute with a string value.
*
* @param attributeType The attribute type.
* @param valueString The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING.
*/
public AbstractAttribute(BlackboardAttribute.Type attributeType, String valueString) {
if (attributeType.getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING
&& attributeType.getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON) {
throw new IllegalArgumentException("Type mismatched with value type");
}
this.attributeType = attributeType;
this.valueInt = 0;
this.valueLong = 0;
this.valueDouble = 0;
if (valueString == null) {
this.valueString = "";
} else {
this.valueString = replaceNulls(valueString).trim();
}
this.valueBytes = new byte[0];
}
/**
* Constructs an attribute with a byte array value.
*
* @param attributeType The attribute type.
* @param valueBytes The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE.
*/
public AbstractAttribute(BlackboardAttribute.Type attributeType, byte[] valueBytes) {
if (attributeType.getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE) {
throw new IllegalArgumentException("Type mismatched with value type");
}
this.attributeType = attributeType;
this.valueInt = 0;
this.valueLong = 0;
this.valueDouble = 0;
this.valueString = "";
if (valueBytes == null) {
this.valueBytes = new byte[0];
} else {
this.valueBytes = valueBytes;
}
}
/**
* Constructs an attribute.
*
* @param attributeTypeID The attribute type id.
* @param valueType The attribute value type.
* @param valueInt The value from the the value_int32 column.
* @param valueLong The value from the the value_int64 column.
* @param valueDouble The value from the the value_double column.
* @param valueString The value from the the value_text column.
* @param valueBytes The value from the the value_byte column.
* @param sleuthkitCase A reference to the SleuthkitCase object
* representing the case database.
*/
AbstractAttribute(BlackboardAttribute.Type attributeType,
int valueInt, long valueLong, double valueDouble, String valueString, byte[] valueBytes,
SleuthkitCase sleuthkitCase) {
this.attributeType = attributeType;
this.valueInt = valueInt;
this.valueLong = valueLong;
this.valueDouble = valueDouble;
if (valueString == null) {
this.valueString = "";
} else {
this.valueString = replaceNulls(valueString).trim();
}
if (valueBytes == null) {
this.valueBytes = new byte[0];
} else {
this.valueBytes = valueBytes;
}
this.sleuthkitCase = sleuthkitCase;
}
/**
* Gets the attribute value as a string, formatted as required.
*
* @return The value as a string.
*/
public String getDisplayString() {
switch (attributeType.getValueType()) {
case STRING:
return getValueString();
case INTEGER:
if (attributeType.getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_READ_STATUS.getTypeID()) {
if (getValueInt() == 0) {
return "Unread";
} else {
return "Read";
}
}
return Integer.toString(getValueInt());
case LONG:
return Long.toString(getValueLong());
case DOUBLE:
return Double.toString(getValueDouble());
case BYTE:
return bytesToHexString(getValueBytes());
case DATETIME:
// once we have TSK timezone, that should be used here.
return TimeUtilities.epochToTime(getValueLong());
case JSON: {
return getValueString();
}
}
return "";
}
/**
* Gets the type of this attribute.
*
* @return The attribute type.
*/
public BlackboardAttribute.Type getAttributeType() {
return this.attributeType;
}
/**
* Gets the value type of this attribute.
*
* @return The value type
*/
public BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE getValueType() {
return attributeType.getValueType();
}
/**
* Gets the value of this attribute. The value is only valid if the
* attribute value type is TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER.
*
* @return The attribute value.
*/
public int getValueInt() {
return valueInt;
}
/**
* Gets the value of this attribute. The value is only valid if the
* attribute value type is TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG.
*
* @return The attribute value.
*/
public long getValueLong() {
return valueLong;
}
/**
* Gets the value of this attribute. The value is only valid if the
* attribute value type is TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE.
*
* @return The attribute value.
*/
public double getValueDouble() {
return valueDouble;
}
/**
* Gets the value of this attribute. The value is only valid if the
* attribute value type is TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON.
*
* @return The attribute value.
*/
public String getValueString() {
return valueString;
}
/**
* Gets the value of this attribute. The value is only valid if the
* attribute value type is TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE.
*
* @return The attribute value.
*/
public byte[] getValueBytes() {
return Arrays.copyOf(valueBytes, valueBytes.length);
}
/**
* Gets the reference to the SleuthkitCase object that represents the case
* database where this attribute is stored.
*
* @return A reference to a SleuthkitCase object.
*/
SleuthkitCase getCaseDatabase() {
return this.sleuthkitCase;
}
/**
* Sets the reference to the SleuthkitCase object that represents the case
* database where this attribute is stored.
*
* @param sleuthkitCase A reference to a SleuthkitCase object.
*/
void setCaseDatabase(SleuthkitCase sleuthkitCase) {
this.sleuthkitCase = sleuthkitCase;
}
/**
* Converts a byte array to a string.
*
* @param bytes The byte array.
*
* @return The string.
*/
static String bytesToHexString(byte[] bytes) {
// from http://stackoverflow.com/questions/9655181/convert-from-byte-array-to-hex-string-in-java
char[] hexChars = new char[bytes.length * 2];
for (int j = 0; j < bytes.length; j++) {
int v = bytes[j] & 0xFF;
hexChars[j * 2] = HEX_ARRAY[v >>> 4];
hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
}
return new String(hexChars);
}
/**
* Replace all NUL characters in the string with the SUB character
*
* @param text The input string.
*
* @return The output string.
*/
static String replaceNulls(String text) {
return text.replace((char) 0x00, (char) 0x1A);
}
/**
* Checks whether all of the the value fields of this attribute are equal to
* that of another attribute.
*
* @param that Another attribute.
*
* @return True or false.
*/
boolean areValuesEqual(Object that) {
if (that instanceof AbstractAttribute) {
AbstractAttribute other = (AbstractAttribute) that;
Object[] thisObject = new Object[]{this.getAttributeType(), this.getValueInt(), this.getValueLong(), this.getValueDouble(),
this.getValueString(), this.getValueBytes()};
Object[] otherObject = new Object[]{other.getAttributeType(), other.getValueInt(), other.getValueLong(), other.getValueDouble(),
other.getValueString(), other.getValueBytes()};
return Objects.deepEquals(thisObject, otherObject);
} else {
return false;
}
}
}
bindings/java/src/org/sleuthkit/datamodel/AbstractContent.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2011-2016 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import com.google.common.annotations.Beta;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.sleuthkit.datamodel.Blackboard.BlackboardException;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection;
import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
import org.sleuthkit.datamodel.SleuthkitCase.ObjectInfo;
/**
* Implements some general methods from the Content interface common across many
* content sub types
*/
public abstract class AbstractContent implements Content {
private final static BlackboardArtifact.Type GEN_INFO_TYPE = new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_GEN_INFO);
public final static long UNKNOWN_ID = -1;
private final SleuthkitCase db;
private final long objId;
private final String name;
private volatile Content parent;
private volatile String uniquePath;
protected long parentId;
private volatile boolean hasChildren;
private volatile boolean checkedHasChildren;
private volatile int childrenCount;
private BlackboardArtifact genInfoArtifact = null;
protected AbstractContent(SleuthkitCase db, long obj_id, String name) {
this.db = db;
this.objId = obj_id;
this.name = name;
this.parentId = UNKNOWN_ID;
checkedHasChildren = false;
hasChildren = false;
childrenCount = -1;
}
@Override
public String getName() {
return this.name;
}
/*
* This base implementation simply walks the hierarchy appending its own
* name to the result of calling its parent's getUniquePath() method (with
* interleaving forward slashes).
*/
@Override
public String getUniquePath() throws TskCoreException {
// It is possible that multiple threads could be doing this calculation
// simultaneously, but it's worth the potential extra processing to prevent deadlocks.
if (uniquePath == null) {
String tempUniquePath = "";
if (!name.isEmpty()) {
tempUniquePath = "/" + getName();
}
Content myParent = getParent();
if (myParent != null) {
tempUniquePath = myParent.getUniquePath() + tempUniquePath;
}
// Don't update uniquePath until it is complete.
uniquePath = tempUniquePath;
}
return uniquePath;
}
@Override
public boolean hasChildren() throws TskCoreException {
if (checkedHasChildren == true) {
return hasChildren;
}
hasChildren = this.getSleuthkitCase().getHasChildren(this);
checkedHasChildren = true;
return hasChildren;
}
@Override
public int getChildrenCount() throws TskCoreException {
if (childrenCount != -1) {
return childrenCount;
}
childrenCount = this.getSleuthkitCase().getContentChildrenCount(this);
hasChildren = childrenCount > 0;
checkedHasChildren = true;
return childrenCount;
}
@Override
public Content getParent() throws TskCoreException {
// It is possible that multiple threads could be doing this calculation
// simultaneously, but it's worth the potential extra processing to prevent deadlocks.
if (parent == null) {
Optional<Long> parentIdOpt = getParentId();
if (!parentIdOpt.isPresent()) {
parent = null;
} else {
parent = db.getContentById(parentIdOpt.get());
}
}
return parent;
}
void setParent(Content parent) {
this.parent = parent;
}
/**
* Returns the parent object id of the content or empty if no parent can be
* identified.
*
* @return An optional of the parent object id.
*
* @throws TskCoreException
*/
@Beta
public Optional<Long> getParentId() throws TskCoreException {
if (parentId == UNKNOWN_ID) {
ObjectInfo parentInfo = db.getParentInfo(this);
if (parentInfo != null) {
parentId = parentInfo.getId();
}
}
return parentId == UNKNOWN_ID
? Optional.empty()
: Optional.of(parentId);
}
/**
* Set the ID of the this AbstractContent's parent
*
* @param parentId the ID of the parent. Note: use
* AbstractContent.UNKNOWN_ID if the parent's ID is not
* known.
*/
void setParentId(long parentId) {
this.parentId = parentId;
}
@Override
public long getId() {
return this.objId;
}
/**
* Gets all children of this abstract content, if any.
*
* @return A list of the children.
*
* @throws TskCoreException if there was an error querying the case
* database.
*/
@Override
public List<Content> getChildren() throws TskCoreException {
List<Content> children = new ArrayList<Content>();
children.addAll(getSleuthkitCase().getAbstractFileChildren(this));
children.addAll(getSleuthkitCase().getBlackboardArtifactChildren(this));
return children;
}
/**
* Gets the object ids of objects, if any, that are children of this
* abstract content.
*
* @return A list of the object ids.
*
* @throws TskCoreException if there was an error querying the case
* database.
*/
@Override
public List<Long> getChildrenIds() throws TskCoreException {
List<Long> childrenIDs = new ArrayList<Long>();
childrenIDs.addAll(getSleuthkitCase().getAbstractFileChildrenIds(this));
childrenIDs.addAll(getSleuthkitCase().getBlackboardArtifactChildrenIds(this));
return childrenIDs;
}
// classes should override this if they can be a data source
@Override
public Content getDataSource() throws TskCoreException {
Content myParent = getParent();
if (myParent == null) {
return null;
}
return myParent.getDataSource();
}
/**
* Return whether this content has a Pool above it
*
* @return true if there is a Pool object in the parent structure
*
* @throws TskCoreException
*/
boolean isPoolContent() throws TskCoreException {
return getPool() != null;
}
/**
* Get the pool volume
*
* @return the volume above this content and below a Pool object or null if
* not found
*
* @throws TskCoreException
*/
Volume getPoolVolume() throws TskCoreException {
Content myParent = getParent();
if (myParent == null) {
return null;
}
if (!(myParent instanceof AbstractContent)) {
return null;
}
if (myParent instanceof Volume) {
// This is potentially it, but need to check that this is a volume under a pool
if (((Volume) myParent).isPoolContent()) {
return (Volume) myParent;
} else {
// There are no pools in the hierarchy, so we're done
return null;
}
}
// Try one level higher
return ((AbstractContent) myParent).getPoolVolume();
}
/**
* Get the pool
*
* @return the pool above this content or null if not found
*
* @throws TskCoreException
*/
Pool getPool() throws TskCoreException {
Content myParent = getParent();
if (myParent == null) {
return null;
}
if (!(myParent instanceof AbstractContent)) {
return null;
}
if (myParent instanceof Pool) {
return (Pool) myParent;
}
// Try one level higher
return ((AbstractContent) myParent).getPool();
}
/**
* Gets handle of SleuthkitCase to which this content belongs
*
* @return the case handle
*/
public SleuthkitCase getSleuthkitCase() {
return db;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final AbstractContent other = (AbstractContent) obj;
if (this.objId != other.objId) {
return false;
}
try {
// New children may have been added to an existing content
// object in which case they are not equal.
if (this.getChildrenCount() != other.getChildrenCount()) {
return false;
}
} catch (TskCoreException ex) {
Logger.getLogger(AbstractContent.class.getName()).log(Level.SEVERE, null, ex);
}
return true;
}
@Override
public int hashCode() {
int hash = 7 + (int) (this.objId ^ (this.objId >>> 32));
try {
hash = 41 * hash + this.getChildrenCount();
} catch (TskCoreException ex) {
Logger.getLogger(AbstractContent.class.getName()).log(Level.SEVERE, null, ex);
}
return hash;
}
@Deprecated
@Override
public BlackboardArtifact newArtifact(int artifactTypeID) throws TskCoreException {
// don't let them make more than 1 GEN_INFO
if (artifactTypeID == ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
return getGenInfoArtifact(true);
}
BlackboardArtifact.Type artifactType = db.getBlackboard().getArtifactType(artifactTypeID);
switch (artifactType.getCategory()) {
case DATA_ARTIFACT:
return this.newDataArtifact(artifactType, Collections.emptyList());
case ANALYSIS_RESULT: {
AnalysisResultAdded addedResult = this.newAnalysisResult(artifactType, Score.SCORE_UNKNOWN, null, null, null, Collections.emptyList());
return addedResult.getAnalysisResult();
}
default:
throw new TskCoreException(String.format("Unknown category: %s for artifact type id: %d",
artifactType.getCategory().getName(), artifactTypeID));
}
}
@Override
public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type artifactType, Score score, String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList) throws TskCoreException {
long dataSourceObjectId = this.getDataSource().getId();
CaseDbTransaction trans = db.beginTransaction();
try {
AnalysisResultAdded resultAdded = db.getBlackboard().newAnalysisResult(artifactType, objId, dataSourceObjectId, score, conclusion, configuration, justification, attributesList, trans);
trans.commit();
return resultAdded;
} catch (BlackboardException ex) {
trans.rollback();
throw new TskCoreException(String.format("Error adding analysis result to content with objId = %d.", objId), ex);
}
}
@Override
public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type artifactType, Score score, String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList, long dataSourceId) throws TskCoreException {
long dataSourceObjectId = dataSourceId;
CaseDbTransaction trans = db.beginTransaction();
try {
AnalysisResultAdded resultAdded = db.getBlackboard().newAnalysisResult(artifactType, objId, dataSourceObjectId, score, conclusion, configuration, justification, attributesList, trans);
trans.commit();
return resultAdded;
} catch (BlackboardException ex) {
trans.rollback();
throw new TskCoreException(String.format("Error adding analysis result to content with objId = %d.", objId), ex);
}
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList, Long osAccountId) throws TskCoreException {
return db.getBlackboard().newDataArtifact(artifactType, objId, this.getDataSource().getId(), attributesList, osAccountId);
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList, Long osAccountId, long dataSourceId) throws TskCoreException {
return db.getBlackboard().newDataArtifact(artifactType, objId, dataSourceId, attributesList, osAccountId);
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList) throws TskCoreException {
return newDataArtifact(artifactType, attributesList, null);
}
@Deprecated
@SuppressWarnings("deprecation")
@Override
public BlackboardArtifact newArtifact(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
return newArtifact(type.getTypeID());
}
@Override
public ArrayList<BlackboardArtifact> getArtifacts(String artifactTypeName) throws TskCoreException {
return getArtifacts(db.getBlackboard().getArtifactType(artifactTypeName).getTypeID());
}
@Override
public ArrayList<BlackboardArtifact> getArtifacts(int artifactTypeID) throws TskCoreException {
if (artifactTypeID == ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
if (genInfoArtifact == null) // don't make one if it doesn't already exist
{
getGenInfoArtifact(false);
}
ArrayList<BlackboardArtifact> list = new ArrayList<BlackboardArtifact>();
// genInfoArtifact coudl still be null if there isn't an artifact
if (genInfoArtifact != null) {
list.add(genInfoArtifact);
}
return list;
}
return db.getBlackboardArtifacts(artifactTypeID, objId);
}
@Override
public ArrayList<BlackboardArtifact> getArtifacts(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
return getArtifacts(type.getTypeID());
}
@Override
public BlackboardArtifact getGenInfoArtifact() throws TskCoreException {
return getGenInfoArtifact(true);
}
@Override
public BlackboardArtifact getGenInfoArtifact(boolean create) throws TskCoreException {
if (genInfoArtifact != null) {
return genInfoArtifact;
}
// go to db directly to avoid infinite loop
ArrayList<BlackboardArtifact> arts = db.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO, objId);
BlackboardArtifact retArt;
if (arts.isEmpty()) {
if (create) {
retArt = this.newDataArtifact(GEN_INFO_TYPE, Collections.emptyList());
} else {
return null;
}
} else {
retArt = arts.get(0);
}
genInfoArtifact = retArt;
return retArt;
}
@Override
public ArrayList<BlackboardAttribute> getGenInfoAttributes(ATTRIBUTE_TYPE attr_type) throws TskCoreException {
ArrayList<BlackboardAttribute> returnList = new ArrayList<BlackboardAttribute>();
if (genInfoArtifact == null) {
getGenInfoArtifact(false);
if (genInfoArtifact == null) {
return returnList;
}
}
for (BlackboardAttribute attribute : genInfoArtifact.getAttributes()) {
if (attribute.getAttributeType().getTypeID() == attr_type.getTypeID()) {
returnList.add(attribute);
}
}
return returnList;
}
@Override
public ArrayList<BlackboardArtifact> getAllArtifacts() throws TskCoreException {
return db.getMatchingArtifacts("WHERE obj_id = " + objId); //NON-NLS
}
@Override
public List<AnalysisResult> getAllAnalysisResults() throws TskCoreException {
return db.getBlackboard().getAnalysisResults(objId);
}
@Override
public List<DataArtifact> getAllDataArtifacts() throws TskCoreException {
return db.getBlackboard().getDataArtifactsBySource(objId);
}
@Override
public Score getAggregateScore() throws TskCoreException {
return db.getScoringManager().getAggregateScore(objId);
}
@Override
public List<AnalysisResult> getAnalysisResults(BlackboardArtifact.Type artifactType) throws TskCoreException {
return db.getBlackboard().getAnalysisResults(objId, artifactType.getTypeID()); //NON-NLS
}
@Override
public long getArtifactsCount(String artifactTypeName) throws TskCoreException {
return db.getBlackboardArtifactsCount(artifactTypeName, objId);
}
@Override
public long getArtifactsCount(int artifactTypeID) throws TskCoreException {
return db.getBlackboardArtifactsCount(artifactTypeID, objId);
}
@Override
public long getArtifactsCount(ARTIFACT_TYPE type) throws TskCoreException {
return db.getBlackboardArtifactsCount(type, objId);
}
@Override
public long getAllArtifactsCount() throws TskCoreException {
return db.getBlackboardArtifactsCount(objId);
}
@Override
public Set<String> getHashSetNames() throws TskCoreException {
Set<String> hashNames = new HashSet<String>();
ArrayList<BlackboardArtifact> artifacts = getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT);
for (BlackboardArtifact a : artifacts) {
BlackboardAttribute attribute = a.getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_SET_NAME));
if (attribute != null) {
hashNames.add(attribute.getValueString());
}
}
return Collections.unmodifiableSet(hashNames);
}
@Override
public String toString() {
return toString(true);
}
public String toString(boolean preserveState) {
if (preserveState) {
return "AbstractContent [\t" + "objId " + String.format("%010d", objId) + "\t" //NON-NLS
+ "name " + name + "\t" + "parentId " + parentId + "\t" //NON-NLS
+ "\t" + "checkedHasChildren " + checkedHasChildren //NON-NLS
+ "\t" + "hasChildren " + hasChildren //NON-NLS
+ "\t" + "childrenCount " + childrenCount //NON-NLS
+ "uniquePath " + uniquePath + "]\t"; //NON-NLS
} else {
try {
if (getParent() != null) {
return "AbstractContent [\t" + "objId " + String.format("%010d", objId) //NON-NLS
+ "\t" + "name " + name //NON-NLS
+ "\t" + "checkedHasChildren " + checkedHasChildren //NON-NLS
+ "\t" + "hasChildren " + hasChildren //NON-NLS
+ "\t" + "childrenCount " + childrenCount //NON-NLS
+ "\t" + "getUniquePath " + getUniquePath() //NON-NLS
+ "\t" + "getParent " + getParent().getId() + "]\t"; //NON-NLS
} else {
return "AbstractContent [\t" + "objId " //NON-NLS
+ String.format("%010d", objId) + "\t" + "name " + name //NON-NLS
+ "\t" + "checkedHasChildren " + checkedHasChildren //NON-NLS
+ "\t" + "hasChildren " + hasChildren //NON-NLS
+ "\t" + "childrenCount " + childrenCount //NON-NLS
+ "\t" + "uniquePath " + getUniquePath() //NON-NLS
+ "\t" + "parentId " + parentId + "]\t"; //NON-NLS
}
} catch (TskCoreException ex) {
Logger.getLogger(AbstractContent.class.getName()).log(Level.SEVERE, "Could not find Parent", ex); //NON-NLS
return "AbstractContent [\t" + "objId " + String.format("%010d", objId) + "\t" //NON-NLS
+ "name " + name + "\t" + "parentId " + parentId + "\t" //NON-NLS
+ "\t" + "checkedHasChildren " + checkedHasChildren //NON-NLS
+ "\t" + "hasChildren " + hasChildren //NON-NLS
+ "\t" + "childrenCount " + childrenCount //NON-NLS
+ "uniquePath " + uniquePath + "]\t"; //NON-NLS
}
}
}
}
bindings/java/src/org/sleuthkit/datamodel/AbstractFile.java 0 → 100644
View file @ a73ef106
/*
* SleuthKit Java Bindings
*
* Copyright 2011-2022 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.lang.ref.SoftReference;
import java.sql.SQLException;
import java.sql.Statement;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.SortedSet;
import java.util.TimeZone;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
import org.sleuthkit.datamodel.TskData.CollectedStatus;
import org.sleuthkit.datamodel.TskData.FileKnown;
import org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM;
import org.sleuthkit.datamodel.TskData.TSK_FS_META_TYPE_ENUM;
import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM;
import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_TYPE_ENUM;
/**
* An abstract base class for classes that represent files that have been added
* to the case.
*/
public abstract class AbstractFile extends AbstractContent {
protected final TskData.TSK_DB_FILES_TYPE_ENUM fileType;
protected final TSK_FS_NAME_TYPE_ENUM dirType;
protected final TSK_FS_META_TYPE_ENUM metaType;
protected TSK_FS_NAME_FLAG_ENUM dirFlag;
protected Set<TSK_FS_META_FLAG_ENUM> metaFlags;
protected final Long fileSystemObjectId; // File system object ID; may be null
protected long size;
protected final long metaAddr, ctime, crtime, atime, mtime;
protected final int metaSeq;
protected final int uid, gid;
protected final int attrId;
protected final TskData.TSK_FS_ATTR_TYPE_ENUM attrType;
protected final Set<TskData.TSK_FS_META_MODE_ENUM> modes;
//local file support
private boolean localPathSet = false; ///< if set by setLocalPath(), reads are done on local file
private String localPath; ///< local path as stored in db tsk_files_path, is relative to the db,
private String localAbsPath; ///< absolute path representation of the local path
private volatile RandomAccessFile localFileHandle;
private volatile java.io.File localFile;
private TskData.EncodingType encodingType;
//range support
private List<TskFileRange> ranges;
/*
* path of parent directory
*/
protected final String parentPath;
/**
* knownState status in database
*/
protected TskData.FileKnown knownState;
private boolean knownStateDirty = false;
/*
* md5 hash
*/
protected String md5Hash;
private boolean md5HashDirty = false;
/*
* SHA-256 hash
*/
protected String sha256Hash;
private boolean sha256HashDirty = false;
/*
* SHA-1 hash
*/
protected String sha1Hash;
private boolean sha1HashDirty = false;
private TskData.CollectedStatus collected; // Collected status of file data
private boolean collectedDirty = false;
private String mimeType;
private boolean mimeTypeDirty = false;
private static final Logger LOGGER = Logger.getLogger(AbstractFile.class.getName());
private static final ResourceBundle BUNDLE = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle");
private long dataSourceObjectId;
private final String extension;
private final List<Attribute> fileAttributesCache = new ArrayList<Attribute>();
private boolean loadedAttributesCacheFromDb = false;
private final String ownerUid; // string owner uid, for example a Windows SID.
// different from the numeric uid which is more commonly found
// on Unix based file systems.
private final Long osAccountObjId; // obj id of the owner's OS account, may be null
private volatile String uniquePath;
private volatile FileSystem parentFileSystem;
private final boolean tryContentProviderStream;
private Object contentProviderStreamLock = new Object();
private SoftReference<ContentProviderStream> contentProviderStreamRef = null;
/**
* Initializes common fields used by AbstactFile implementations (objects in
* tsk_files table)
*
* @param db case / db handle where this file belongs to
* @param objId object id in tsk_objects table
* @param dataSourceObjectId The object id of the root data source of this
* file.
* @param fileSystemObjectId The object id of the file system. Can be null (or 0 representing null)
* @param attrType
* @param attrId
* @param name name field of the file
* @param fileType type of the file
* @param metaAddr
* @param metaSeq
* @param dirType
* @param metaType
* @param dirFlag
* @param metaFlags
* @param size
* @param ctime
* @param crtime
* @param atime
* @param mtime
* @param modes
* @param uid
* @param gid
* @param md5Hash md5sum of the file, or null if not present
* @param sha256Hash sha256 hash of the file, or null if not present
* @param sha1Hash SHA-1 hash of the file, or null if not present
* @param knownState knownState status of the file, or null if
* unknown (default)
* @param parentPath
* @param mimeType The MIME type of the file, can be null.
* @param extension The extension part of the file name (not
* including the '.'), can be null.
* @param ownerUid Owner uid/SID, can be null if not available.
* @param osAccountObjectId Object Id of the owner OsAccount, may be null.
* @param collected Collected status of file data
*
*/
AbstractFile(SleuthkitCase db,
long objId,
long dataSourceObjectId,
Long fileSystemObjectId,
TskData.TSK_FS_ATTR_TYPE_ENUM attrType, int attrId,
String name,
TskData.TSK_DB_FILES_TYPE_ENUM fileType,
long metaAddr, int metaSeq,
TSK_FS_NAME_TYPE_ENUM dirType, TSK_FS_META_TYPE_ENUM metaType,
TSK_FS_NAME_FLAG_ENUM dirFlag, short metaFlags,
long size,
long ctime, long crtime, long atime, long mtime,
short modes,
int uid, int gid,
String md5Hash, String sha256Hash, String sha1Hash,
FileKnown knownState,
String parentPath,
String mimeType,
String extension,
String ownerUid,
Long osAccountObjectId,
TskData.CollectedStatus collected,
List<Attribute> fileAttributes) {
super(db, objId, name);
this.dataSourceObjectId = dataSourceObjectId;
if (fileSystemObjectId != null) {
// When reading from the result set, nulls are converted to zeros.
// Switch it to null.
if (fileSystemObjectId > 0) {
this.fileSystemObjectId = fileSystemObjectId;
} else {
this.fileSystemObjectId = null;
}
} else {
this.fileSystemObjectId = null;
}
this.attrType = attrType;
this.attrId = attrId;
this.fileType = fileType;
this.metaAddr = metaAddr;
this.metaSeq = metaSeq;
this.dirType = dirType;
this.metaType = metaType;
this.dirFlag = dirFlag;
this.metaFlags = TSK_FS_META_FLAG_ENUM.valuesOf(metaFlags);
this.size = size;
this.ctime = ctime;
this.crtime = crtime;
this.atime = atime;
this.mtime = mtime;
this.uid = uid;
this.gid = gid;
this.modes = TskData.TSK_FS_META_MODE_ENUM.valuesOf(modes);
this.md5Hash = md5Hash;
this.sha256Hash = sha256Hash;
this.sha1Hash = sha1Hash;
if (knownState == null) {
this.knownState = FileKnown.UNKNOWN;
} else {
this.knownState = knownState;
}
this.parentPath = parentPath;
this.mimeType = mimeType;
this.extension = extension == null ? "" : extension;
this.encodingType = TskData.EncodingType.NONE;
this.ownerUid = ownerUid;
this.osAccountObjId = osAccountObjectId;
this.collected = collected;
// any item that is marked as YES_REPO and there is a custom content provider for the db will attempt to use the content provider to provide data
// this will be flipped to false if there is no content provider stream from the content provider for this file
this.tryContentProviderStream = collected == CollectedStatus.YES_REPO && db.getContentProvider() != null;
if (Objects.nonNull(fileAttributes) && !fileAttributes.isEmpty()) {
this.fileAttributesCache.addAll(fileAttributes);
loadedAttributesCacheFromDb = true;
}
}
/**
* Gets type of the abstract file as defined in TSK_DB_FILES_TYPE_ENUM
*
* @return the type of the abstract file
*/
public TskData.TSK_DB_FILES_TYPE_ENUM getType() {
return fileType;
}
/**
* Get the attribute type
*
* @return attribute type
*/
public TskData.TSK_FS_ATTR_TYPE_ENUM getAttrType() {
return attrType;
}
/**
* Get the attribute id
*
* @return attribute id
*/
public int getAttributeId() {
return attrId;
}
/**
* Get the change time
*
* @return change time
*/
public long getCtime() {
return ctime;
}
/**
* Get the change time as Date (in local timezone)
*
* @return change time as Date
*/
public String getCtimeAsDate() {
return epochToTime(ctime);
}
/**
* Get the creation time
*
* @return creation time
*/
public long getCrtime() {
return crtime;
}
/**
* Get the creation time as Date (in local timezone)
*
* @return creation time as Date
*/
public String getCrtimeAsDate() {
return epochToTime(crtime);
}
/**
* Get the access time
*
* @return access time
*/
public long getAtime() {
return atime;
}
/**
* Get the access time as Date (in local timezone)
*
* @return access time as Date
*/
public String getAtimeAsDate() {
return epochToTime(atime);
}
/**
* Get the modified time
*
* @return modified time
*/
public long getMtime() {
return mtime;
}
/**
* Get the modified time as Date (in local timezone)
*
* @return modified time as Date
*/
public String getMtimeAsDate() {
return epochToTime(mtime);
}
/**
* Get the user id
*
* @return user id
*/
public int getUid() {
return uid;
}
/**
* Get the group id
*
* @return group id
*/
public int getGid() {
return gid;
}
/**
* Get the file meta address
*
* @return Address of the meta data structure
*/
public long getMetaAddr() {
return metaAddr;
}
/**
* Get the file meta address sequence. Only useful with NTFS. Incremented
* each time a structure is re-allocated.
*
* @return Address of the meta data structure sequence.
*/
public long getMetaSeq() {
return metaSeq;
}
/**
* Get the file's mode as a user-displayable string
*
* @return formatted user-displayable string for mode
*/
public String getModesAsString() {
int mode = TskData.TSK_FS_META_MODE_ENUM.toInt(modes);
String result = "";
short isuid = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_ISUID.getMode();
short isgid = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_ISGID.getMode();
short isvtx = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_ISVTX.getMode();
short irusr = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IRUSR.getMode();
short iwusr = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IWUSR.getMode();
short ixusr = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IXUSR.getMode();
short irgrp = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IRGRP.getMode();
short iwgrp = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IWGRP.getMode();
short ixgrp = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IXGRP.getMode();
short iroth = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IROTH.getMode();
short iwoth = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IWOTH.getMode();
short ixoth = TskData.TSK_FS_META_MODE_ENUM.TSK_FS_META_MODE_IXOTH.getMode();
// first character = the Meta Type
result += metaType.toString();
// second and third characters = user permissions
if ((mode & irusr) == irusr) {
result += "r"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
if ((mode & iwusr) == iwusr) {
result += "w"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
// fourth character = set uid
if ((mode & isuid) == isuid) {
if ((mode & ixusr) == ixusr) {
result += "s"; //NON-NLS
} else {
result += "S"; //NON-NLS
}
} else {
if ((mode & ixusr) == ixusr) {
result += "x"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
}
// fifth and sixth characters = group permissions
if ((mode & irgrp) == irgrp) {
result += "r"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
if ((mode & iwgrp) == iwgrp) {
result += "w"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
// seventh character = set gid
if ((mode & isgid) == isgid) {
if ((mode & ixgrp) == ixgrp) {
result += "s"; //NON-NLS
} else {
result += "S"; //NON-NLS
}
} else {
if ((mode & ixgrp) == ixgrp) {
result += "x"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
}
// eighth and ninth character = other permissions
if ((mode & iroth) == iroth) {
result += "r"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
if ((mode & iwoth) == iwoth) {
result += "w"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
// tenth character = sticky bit
if ((mode & isvtx) == isvtx) {
if ((mode & ixoth) == ixoth) {
result += "t"; //NON-NLS
} else {
result += "T"; //NON-NLS
}
} else {
if ((mode & ixoth) == ixoth) {
result += "x"; //NON-NLS
} else {
result += "-"; //NON-NLS
}
}
// check the result
if (result.length() != 10) {
// throw error here
result = "ERROR"; //NON-NLS
}
return result;
}
/**
* Gets the MIME type of this file.
*
* @return The MIME type name or null if the MIME type has not been set.
*/
public String getMIMEType() {
return mimeType;
}
/**
* Sets the MIME type for this file.
*
* IMPORTANT: The MIME type is set for this AbstractFile object, but it is
* not saved to the case database until AbstractFile.save is called.
*
* @param mimeType The MIME type of this file.
*/
public void setMIMEType(String mimeType) {
this.mimeType = mimeType;
this.mimeTypeDirty = true;
}
public boolean isModeSet(TskData.TSK_FS_META_MODE_ENUM mode) {
return modes.contains(mode);
}
/**
* Sets the MD5 hash for this file.
*
* IMPORTANT: The MD5 hash is set for this AbstractFile object, but it is
* not saved to the case database until AbstractFile.save is called.
*
* @param md5Hash The MD5 hash of the file.
*/
public void setMd5Hash(String md5Hash) {
this.md5Hash = md5Hash;
this.md5HashDirty = true;
}
/**
* Get the md5 hash value as calculated, if present
*
* @return md5 hash string, if it is present or null if it is not
*/
public String getMd5Hash() {
return this.md5Hash;
}
/**
* Sets the SHA-256 hash for this file.
*
* IMPORTANT: The SHA-256 hash is set for this AbstractFile object, but it
* is not saved to the case database until AbstractFile.save is called.
*
* @param sha256Hash The SHA-256 hash of the file.
*/
public void setSha256Hash(String sha256Hash) {
this.sha256Hash = sha256Hash;
this.sha256HashDirty = true;
}
/**
* Get the SHA-256 hash value as calculated, if present
*
* @return SHA-256 hash string, if it is present or null if it is not
*/
public String getSha256Hash() {
return this.sha256Hash;
}
/**
* Sets the SHA-1 hash for this file.
*
* IMPORTANT: The SHA-1 hash is set for this AbstractFile object, but it
* is not saved to the case database until AbstractFile.save is called.
*
* @param sha1Hash The SHA-1 hash of the file.
*/
public void setSha1Hash(String sha1Hash) {
this.sha1Hash = sha1Hash;
this.sha1HashDirty = true;
}
/**
* Get the SHA-1 hash value as calculated, if present
*
* @return SHA-1 hash string, if it is present or null if it is not
*/
public String getSha1Hash() {
return this.sha1Hash;
}
/**
* Gets the attributes of this File
*
* @return
*
* @throws TskCoreException
*/
public List<Attribute> getAttributes() throws TskCoreException {
synchronized (this) {
if (!loadedAttributesCacheFromDb) {
ArrayList<Attribute> attributes = getSleuthkitCase().getBlackboard().getFileAttributes(this);
fileAttributesCache.clear();
fileAttributesCache.addAll(attributes);
loadedAttributesCacheFromDb = true;
}
return Collections.unmodifiableList(fileAttributesCache);
}
}
/**
* Adds a collection of attributes to this file in a single operation within
* a transaction supplied by the caller.
*
* @param attributes The collection of attributes.
* @param caseDbTransaction The transaction in the scope of which the
* operation is to be performed, managed by the
* caller. if Null is passed in a local transaction
* will be created and used.
*
* @throws TskCoreException If an error occurs and the attributes were not
* added to the artifact.
*/
public void addAttributes(Collection<Attribute> attributes, final SleuthkitCase.CaseDbTransaction caseDbTransaction) throws TskCoreException {
if (Objects.isNull(attributes) || attributes.isEmpty()) {
throw new TskCoreException("Illegal Argument passed to addAttributes: null or empty attributes passed to addAttributes");
}
boolean isLocalTransaction = Objects.isNull(caseDbTransaction);
SleuthkitCase.CaseDbTransaction localTransaction = isLocalTransaction ? getSleuthkitCase().beginTransaction() : null;
SleuthkitCase.CaseDbConnection connection = isLocalTransaction ? localTransaction.getConnection() : caseDbTransaction.getConnection();
try {
for (final Attribute attribute : attributes) {
attribute.setAttributeParentId(getId());
attribute.setCaseDatabase(getSleuthkitCase());
getSleuthkitCase().addFileAttribute(attribute, connection);
}
if (isLocalTransaction) {
localTransaction.commit();
localTransaction = null;
}
// append the new attributes if cache is already loaded.
synchronized (this) {
if (loadedAttributesCacheFromDb) {
fileAttributesCache.addAll(attributes);
}
}
} catch (SQLException ex) {
if (isLocalTransaction && null != localTransaction) {
try {
localTransaction.rollback();
} catch (TskCoreException ex2) {
LOGGER.log(Level.SEVERE, "Failed to rollback transaction after exception", ex2);
}
}
throw new TskCoreException("Error adding file attributes", ex);
}
}
/**
* Sets the known state for this file. Passed in value will be ignored if it
* is "less" than the current state. A NOTABLE file cannot be downgraded to
* KNOWN.
*
* IMPORTANT: The known state is set for this AbstractFile object, but it is
* not saved to the case database until AbstractFile.save is called.
*
* @param knownState The known state of the file.
*/
public void setKnown(TskData.FileKnown knownState) {
// don't allow them to downgrade the known state
if (this.knownState.compareTo(knownState) > 0) {
// ideally we'd return some kind of error, but
// the API doesn't allow it
return;
}
this.knownState = knownState;
this.knownStateDirty = true;
}
/**
* Get "knownState" file status - after running a HashDB ingest on it As
* marked by a knownState file database, such as NSRL
*
* @return file knownState status enum value
*/
public TskData.FileKnown getKnown() {
return knownState;
}
/**
* Get the extension part of the filename, if there is one. We assume that
* extensions only have ASCII alphanumeric chars
*
* @return The filename extension in lowercase (not including the period) or
* empty string if there is no extension
*/
public String getNameExtension() {
return extension;
}
/**
* Get size of the file
*
* @return file size in bytes
*/
@Override
public long getSize() {
return size;
}
/**
* Get path of the parent of this file
*
* @return path string of the parent
*/
public String getParentPath() {
return parentPath;
}
/**
* Gets the data source for this file.
*
* @return The data source.
*
* @throws TskCoreException if there was an error querying the case
* database.
*
* To obtain the data source as a DataSource object, use:
* getSleuthkitCase().getDataSource(getDataSourceObjectId());
*/
@Override
public Content getDataSource() throws TskCoreException {
return getSleuthkitCase().getContentById(this.dataSourceObjectId);
}
/**
* Gets the object id of the data source for this file.
*
* @return The object id of the data source.
*/
public long getDataSourceObjectId() {
return dataSourceObjectId;
}
/**
* Gets the collected status of the file data.
*
* @return The collected.
*/
public TskData.CollectedStatus getCollected() {
return collected;
}
/**
* Sets the collected status of the file data.
*
* @param collected The file data's collected status
*/
public void setCollected(TskData.CollectedStatus collected) {
this.collected = collected;
collectedDirty = true;
}
/**
* Gets file ranges associated with the file. File ranges are objects in
* tsk_file_layout table Any file type (especially unallocated) may have 1
* or more block ranges associated with it
*
* @return list of file layout ranges
*
* @throws TskCoreException exception thrown if critical error occurred
* within tsk core
*/
public List<TskFileRange> getRanges() throws TskCoreException {
if (ranges == null) {
ranges = getSleuthkitCase().getFileRanges(this.getId());
}
return ranges;
}
/**
* Convert an internal offset to an image offset
*
* @param fileOffset the byte offset in this layout file to map
*
* @return the corresponding byte offset in the image where the file offset
* is located, or -1 if the file has no range layout information or
* if the fileOffset is larger than file size
*
* @throws TskCoreException exception thrown if critical error occurred
* within tsk core and offset could not be
* converted
*/
public long convertToImgOffset(long fileOffset) throws TskCoreException {
long imgOffset = -1;
for (TskFileRange byteRange : getRanges()) {
// if fileOffset is within the current byteRange, calculate the image
// offset and break
long rangeLength = byteRange.getByteLen();
if (fileOffset < rangeLength) {
imgOffset = byteRange.getByteStart() + fileOffset;
break;
}
// otherwise, decrement fileOffset by the length of the current
// byte range and continue
fileOffset -= rangeLength;
}
return imgOffset;
}
/**
* Converts a file offset and length into a series of TskFileRange objects
* whose offsets are relative to the image. This method will only work on
* files with layout ranges.
*
* @param fileOffset The byte offset in this file to map.
* @param length The length of bytes starting at fileOffset requested.
*
* @return The TskFileRange objects whose offsets are relative to the image.
* The sum total of lengths in these ranges will equal the length
* requested or will run until the end of this file.
*
* @throws TskCoreException
*/
public List<TskFileRange> convertToImgRanges(long fileOffset, long length) throws TskCoreException {
if (fileOffset < 0 || length < 0) {
throw new TskCoreException("fileOffset and length must be non-negative");
}
List<TskFileRange> thisRanges = getRanges();
List<TskFileRange> toRet = new ArrayList<>();
long requestedEnd = fileOffset + length;
// the number of bytes counted from the beginning of this file
long bytesCounted = 0;
for (int curRangeIdx = 0; curRangeIdx < thisRanges.size(); curRangeIdx++) {
// if we exceeded length of requested, then we are done
if (bytesCounted >= requestedEnd) {
break;
}
TskFileRange curRange = thisRanges.get(curRangeIdx);
long curRangeLen = curRange.getByteLen();
// the bytes counted when we reach the end of this range
long curRangeEnd = bytesCounted + curRangeLen;
// if fileOffset is less than current range's end and we have not
// gone past the end we requested, then grab at least part of this
// range.
if (fileOffset < curRangeEnd) {
// offset into range to be returned to user (0 if fileOffset <= bytesCounted)
long rangeOffset = Math.max(0, fileOffset - bytesCounted);
// calculate the new TskFileRange start by adding on the offset into the current range
long newRangeStart = curRange.getByteStart() + rangeOffset;
// how much this current range exceeds the length requested (or 0 if within the length requested)
long rangeOvershoot = Math.max(0, curRangeEnd - requestedEnd);
long newRangeLen = curRangeLen - rangeOffset - rangeOvershoot;
toRet.add(new TskFileRange(newRangeStart, newRangeLen, toRet.size()));
}
bytesCounted = curRangeEnd;
}
return toRet;
}
/**
* is this a virtual file or directory that was created by The Sleuth Kit or
* Autopsy for general structure and organization.
*
* @return true if it's virtual, false otherwise
*/
public boolean isVirtual() {
return fileType.equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR)
|| dirType.equals(TskData.TSK_FS_NAME_TYPE_ENUM.VIRT)
|| metaType.equals(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_VIRT);
}
/**
* Is this object a file. Should return true for all types of files,
* including file system, logical, derived, layout, and slack space for
* files.
*
* @return true if a file, false otherwise
*/
public boolean isFile() {
return metaType.equals(TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG)
|| (metaType.equals(TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_UNDEF)
&& dirType.equals(TSK_FS_NAME_TYPE_ENUM.REG));
}
/**
* Is this object a directory. Should return true for file system folders
* and virtual folders.
*
* @return true if directory, false otherwise
*/
public boolean isDir() {
return (metaType.equals(TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR)
|| metaType.equals(TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_VIRT_DIR));
}
/**
* Is this a root of a file system
*
* @return true if root of a file system, false otherwise
*/
public abstract boolean isRoot();
/**
* @param uniquePath the unique path to an AbstractFile (or subclass)
* usually obtained by a call to
* AbstractFile.getUniquePath.
*
* @return the path to to an AbstractFile (or subclass) with the image and
* volume path segments removed.
*/
public static String createNonUniquePath(String uniquePath) {
// split the path into parts
String[] pathSegments = uniquePath.split("/");
// see if uniquePath had an image and/or volume name
int index = 0;
if (pathSegments[0].startsWith("img_")) { //NON-NLS
++index;
}
if (pathSegments[1].startsWith("vol_")) { //NON-NLS
++index;
}
// Assemble the non-unique path (skipping over the image and volume
// name, if they exist).
StringBuilder strbuf = new StringBuilder();
for (; index < pathSegments.length; ++index) {
if (!pathSegments[index].isEmpty()) {
strbuf.append("/").append(pathSegments[index]);
}
}
return strbuf.toString();
}
/**
* @return a list of AbstractFiles that are the children of this Directory.
* Only returns children of type TskData.TSK_DB_FILES_TYPE_ENUM.FS.
*
* @throws org.sleuthkit.datamodel.TskCoreException
*/
public List<AbstractFile> listFiles() throws TskCoreException {
// first, get all children
List<Content> children = getChildren();
// only keep those that are of type AbstractFile
List<AbstractFile> files = new ArrayList<AbstractFile>();
for (Content child : children) {
if (child instanceof AbstractFile) {
AbstractFile afChild = (AbstractFile) child;
files.add(afChild);
}
}
return files;
}
/**
* Get the meta data type
*
* @return meta data type
*/
public TSK_FS_META_TYPE_ENUM getMetaType() {
return metaType;
}
public String getMetaTypeAsString() {
return metaType.toString();
}
/**
* Get the directory type id
*
* @return directory type id
*/
public TSK_FS_NAME_TYPE_ENUM getDirType() {
return dirType;
}
public String getDirTypeAsString() {
return dirType.toString();
}
/**
* @param flag the TSK_FS_NAME_FLAG_ENUM to check
*
* @return true if the given flag is set in this FsContent object.
*/
public boolean isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM flag) {
return dirFlag == flag;
}
/**
* @return a string representation of the directory name flag (type
* TSK_FS_NAME_FLAG_ENUM)
*/
public String getDirFlagAsString() {
return dirFlag.toString();
}
/**
* Set the directory name flag.
*
* @param flag Flag to set to.
*/
void setDirFlag(TSK_FS_NAME_FLAG_ENUM flag) {
dirFlag = flag;
}
/**
* @return a string representation of the meta flags
*/
public String getMetaFlagsAsString() {
String str = "";
if (metaFlags.contains(TSK_FS_META_FLAG_ENUM.ALLOC)) {
str = TSK_FS_META_FLAG_ENUM.ALLOC.toString();
} else if (metaFlags.contains(TSK_FS_META_FLAG_ENUM.UNALLOC)) {
str = TSK_FS_META_FLAG_ENUM.UNALLOC.toString();
}
return str;
}
/**
* @param metaFlag the TSK_FS_META_FLAG_ENUM to check
*
* @return true if the given meta flag is set in this FsContent object.
*/
public boolean isMetaFlagSet(TSK_FS_META_FLAG_ENUM metaFlag) {
return metaFlags.contains(metaFlag);
}
/**
* Set the specified meta flag.
*
* @param metaFlag Meta flag to set
*/
void setMetaFlag(TSK_FS_META_FLAG_ENUM metaFlag) {
metaFlags.add(metaFlag);
}
/**
* Remove the specified meta flag.
*
* @param metaFlag Meta flag to remove.
*/
void removeMetaFlag(TSK_FS_META_FLAG_ENUM metaFlag) {
metaFlags.remove(metaFlag);
}
/**
* Get meta flags as an integer.
*
* @return Integer representation of the meta flags.
*/
short getMetaFlagsAsInt() {
return TSK_FS_META_FLAG_ENUM.toInt(metaFlags);
}
/**
* Attempts to get cached or load the content provider stream for this file.
* If none exists, returns null.
*
* NOTE: Does not check the value for tryContentProviderStream before
* attempting.
*
* @return The content stream for this file or null if none exists.
*
* @throws TskCoreException
*/
private ContentProviderStream getContentProviderStream() throws TskCoreException {
synchronized (contentProviderStreamLock) {
// try to get soft reference content provider stream
ContentProviderStream contentProviderStream = contentProviderStreamRef == null ? null : contentProviderStreamRef.get();
// load if not cached and then cache if present
if (contentProviderStream == null) {
ContentStreamProvider provider = getSleuthkitCase().getContentProvider();
contentProviderStream = provider == null ? null : provider.getContentStream(this).orElse(null);
if (contentProviderStream == null) {
throw new TskCoreException(MessageFormat.format("Could not get content provider string for file with obj id: {0}, path: {1}",
getId(),
getUniquePath()));
}
this.contentProviderStreamRef = new SoftReference<>(contentProviderStream);
}
return contentProviderStream;
}
}
@Override
public final int read(byte[] buf, long offset, long len) throws TskCoreException {
// try to use content provider stream if should use
if (tryContentProviderStream) {
ContentProviderStream contentProviderStream = getContentProviderStream();
return contentProviderStream.read(buf, offset, len);
} else if (localPathSet) {
//if localPath is set, use local, otherwise, use readCustom() supplied by derived class
return readLocal(buf, offset, len);
} else {
return readInt(buf, offset, len);
}
}
/**
* Internal custom read (non-local) method that child classes can implement
*
* @param buf buffer to read into
* @param offset start reading position in the file
* @param len number of bytes to read
*
* @return number of bytes read
*
* @throws TskCoreException exception thrown when file could not be read
*/
protected int readInt(byte[] buf, long offset, long len) throws TskCoreException {
return 0;
}
/**
* Local file path read support
*
* @param buf buffer to read into
* @param offset start reading position in the file
* @param len number of bytes to read
*
* @return number of bytes read
*
* @throws TskCoreException exception thrown when file could not be read
*/
protected final int readLocal(byte[] buf, long offset, long len) throws TskCoreException {
if (!localPathSet) {
throw new TskCoreException(
BUNDLE.getString("AbstractFile.readLocal.exception.msg1.text"));
}
if (isDir()) {
return 0;
}
// If the file is empty, just return that zero bytes were read.
if (getSize() == 0) {
return 0;
}
loadLocalFile();
int bytesRead = 0;
if (localFileHandle == null) {
synchronized (this) {
if (localFileHandle == null) {
try {
localFileHandle = new RandomAccessFile(localFile, "r");
} catch (FileNotFoundException ex) {
final String msg = MessageFormat.format(BUNDLE.getString(
"AbstractFile.readLocal.exception.msg4.text"),
localAbsPath);
LOGGER.log(Level.SEVERE, msg, ex);
//file could have been deleted or moved
throw new TskCoreException(msg, ex);
}
}
}
}
try {
if (!encodingType.equals(TskData.EncodingType.NONE)) {
// The file is encoded, so we need to alter the offset to read (since there's
// a header on the encoded file) and then decode each byte
long encodedOffset = offset + EncodedFileUtil.getHeaderLength();
//move to the user request offset in the stream
long curOffset = localFileHandle.getFilePointer();
if (curOffset != encodedOffset) {
localFileHandle.seek(encodedOffset);
}
bytesRead = localFileHandle.read(buf, 0, (int) len);
for (int i = 0; i < bytesRead; i++) {
buf[i] = EncodedFileUtil.decodeByte(buf[i], encodingType);
}
return bytesRead;
} else {
//move to the user request offset in the stream
long curOffset = localFileHandle.getFilePointer();
if (curOffset != offset) {
localFileHandle.seek(offset);
}
//note, we are always writing at 0 offset of user buffer
return localFileHandle.read(buf, 0, (int) len);
}
} catch (IOException ex) {
final String msg = MessageFormat.format(BUNDLE.getString("AbstractFile.readLocal.exception.msg5.text"), localAbsPath);
LOGGER.log(Level.SEVERE, msg, ex);
//local file could have been deleted / moved
throw new TskCoreException(msg, ex);
}
}
/**
* Set local path for the file, as stored in db tsk_files_path, relative to
* the case db path or an absolute path. When set, subsequent invocations of
* read() will read the file in the local path.
*
* @param localPath local path to be set
*/
void setLocalFilePath(String localPath) {
if (localPath == null || localPath.equals("")) {
this.localPath = "";
localAbsPath = null;
localPathSet = false;
} else {
// It should always be the case that absolute paths start with slashes or a windows drive letter
// and relative paths do not, but some older versions of modules created derived file paths
// starting with slashes. So we first check if this file is a DerivedFile before looking at the path.
this.localPath = localPath;
if (this instanceof DerivedFile) {
// DerivedFiles always have relative paths
this.localAbsPath = getSleuthkitCase().getDbDirPath() + java.io.File.separator + localPath;
} else {
// If a path starts with a slash or with a Windows drive letter, then it is
// absolute. Otherwise it is relative.
if (localPath.startsWith("/") || localPath.startsWith("\\")
|| localPath.matches("[A-Za-z]:[/\\\\].*")) {
this.localAbsPath = localPath;
} else {
this.localAbsPath = getSleuthkitCase().getDbDirPath() + java.io.File.separator + localPath;
}
}
this.localPathSet = true;
}
}
/**
* Get local relative to case db path of the file
*
* @return local file path if set
*/
public String getLocalPath() {
return localPath;
}
/**
* Get local absolute path of the file, if localPath has been set
*
* @return local absolute file path if local path has been set, or null
*/
public String getLocalAbsPath() {
return localAbsPath;
}
/**
* Set the type of encoding used on the file (for local/derived files only)
*
* @param encodingType
*/
final void setEncodingType(TskData.EncodingType encodingType) {
this.encodingType = encodingType;
}
/**
* Check if the file exists. If non-local or file is marked with YES_REPO
* and there is a content provider always true, if local, checks if actual
* local path exists
*
* @return true if the file exists, false otherwise
*/
public boolean exists() {
if (tryContentProviderStream || !localPathSet) {
return true;
} else {
try {
loadLocalFile();
return localFile.exists();
} catch (TskCoreException ex) {
LOGGER.log(Level.SEVERE, ex.getMessage());
return false;
}
}
}
/**
* Check if the file exists and is readable. If non-local (e.g. within an
* image) or file is marked with YES_REPO and there is a content provider,
* always true, if local, checks if actual local path exists and is readable
*
* @return true if the file is readable
*/
public boolean canRead() {
if (tryContentProviderStream || !localPathSet) {
return true;
} else {
try {
loadLocalFile();
return localFile.canRead();
} catch (TskCoreException ex) {
LOGGER.log(Level.SEVERE, ex.getMessage());
return false;
}
}
}
/**
* Lazy load local file handle
*
* @throws org.sleuthkit.datamodel.TskCoreException If the local path is not
* set.
*/
private void loadLocalFile() throws TskCoreException {
if (!localPathSet) {
throw new TskCoreException(
BUNDLE.getString("AbstractFile.readLocal.exception.msg1.text"));
}
// already been set
if (localFile != null) {
return;
}
synchronized (this) {
if (localFile == null) {
localFile = new java.io.File(localAbsPath);
}
}
}
@Override
public void close() {
//close local file handle if set
if (localFileHandle != null) {
synchronized (this) {
if (localFileHandle != null) {
try {
localFileHandle.close();
} catch (IOException ex) {
LOGGER.log(Level.SEVERE, "Could not close file handle for file: " + getParentPath() + getName(), ex); //NON-NLS
}
localFileHandle = null;
}
}
}
}
@SuppressWarnings("deprecation")
@Override
protected void finalize() throws Throwable {
try {
close();
} finally {
super.finalize();
}
}
@Override
public String toString(boolean preserveState) {
return super.toString(preserveState) + "AbstractFile [\t" //NON-NLS
+ "\t" + "fileType " + fileType //NON-NLS
+ "\tctime " + ctime //NON-NLS
+ "\tcrtime " + crtime //NON-NLS
+ "\t" + "mtime " + mtime + "\t" + "atime " + atime //NON-NLS
+ "\t" + "attrId " + attrId //NON-NLS
+ "\t" + "attrType " + attrType //NON-NLS
+ "\t" + "dirFlag " + dirFlag + "\t" + "dirType " + dirType //NON-NLS
+ "\t" + "uid " + uid //NON-NLS
+ "\t" + "gid " + gid //NON-NLS
+ "\t" + "metaAddr " + metaAddr + "\t" + "metaSeq " + metaSeq + "\t" + "metaFlags " + metaFlags //NON-NLS
+ "\t" + "metaType " + metaType + "\t" + "modes " + modes //NON-NLS
+ "\t" + "parentPath " + parentPath + "\t" + "size " + size //NON-NLS
+ "\t" + "knownState " + knownState + "\t" + "md5Hash " + md5Hash + "\t" + "sha256Hash " + sha256Hash + "\t" + "sha1Hash " + sha1Hash//NON-NLS
+ "\t" + "localPathSet " + localPathSet + "\t" + "localPath " + localPath //NON-NLS
+ "\t" + "localAbsPath " + localAbsPath + "\t" + "localFile " + localFile //NON-NLS
+ "]\t";
}
/**
* Possible return values for comparing a file to a list of mime types
*/
public enum MimeMatchEnum {
UNDEFINED, /// file does not have a defined mime time in blackboard
TRUE, /// file has a defined mime type and it is one of the given ones
FALSE /// file has a defined mime type and it is not one of the given ones.
}
/**
* Determines if this file's type is one of the ones passed in. Uses the
* blackboard attribute for file type.
*
* @param mimeTypes Set of file types to compare against
*
* @return
*/
public MimeMatchEnum isMimeType(SortedSet<String> mimeTypes) {
if (this.mimeType == null) {
return MimeMatchEnum.UNDEFINED;
}
if (mimeTypes.contains(this.mimeType)) {
return MimeMatchEnum.TRUE;
}
return MimeMatchEnum.FALSE;
}
/**
* Saves the editable properties of this file to the case database, e.g.,
* the MIME type, MD5 hash, and known state.
*
* @throws TskCoreException if there is an error saving the editable file
* properties to the case database.
*/
public void save() throws TskCoreException {
CaseDbTransaction transaction = null;
try {
transaction = getSleuthkitCase().beginTransaction();
save(transaction);
transaction.commit();
} catch (TskCoreException ex) {
if (transaction != null) {
transaction.rollback();
}
throw ex;
}
}
/**
* Saves the editable properties of this file to the case database, e.g.,
* the MIME type, MD5 hash, and known state, in the context of a given case
* database transaction.
*
* @param transaction The transaction.
*
* @throws TskCoreException if there is an error saving the editable file
* properties to the case database.
*/
public void save(CaseDbTransaction transaction) throws TskCoreException {
if (!(md5HashDirty || sha256HashDirty || sha1HashDirty || mimeTypeDirty || knownStateDirty || collectedDirty)) {
return;
}
String updateSql = "";
if (mimeTypeDirty) {
updateSql = "mime_type = '" + this.getMIMEType() + "'";
}
if (md5HashDirty) {
if (!updateSql.isEmpty()) {
updateSql += ", ";
}
updateSql += "md5 = '" + this.getMd5Hash() + "'";
}
if (sha256HashDirty) {
if (!updateSql.isEmpty()) {
updateSql += ", ";
}
updateSql += "sha256 = '" + this.getSha256Hash() + "'";
}
if (sha1HashDirty) {
if (!updateSql.isEmpty()) {
updateSql += ", ";
}
updateSql += "sha1 = '" + this.getSha1Hash() + "'";
}
if (knownStateDirty) {
if (!updateSql.isEmpty()) {
updateSql += ", ";
}
updateSql += "known = '" + this.getKnown().getFileKnownValue() + "'";
}
if (collectedDirty) {
if (!updateSql.isEmpty()) {
updateSql += ", ";
}
updateSql += "collected = '" + this.getCollected().getType() + "'";
}
updateSql = "UPDATE tsk_files SET " + updateSql + " WHERE obj_id = " + this.getId();
SleuthkitCase.CaseDbConnection connection = transaction.getConnection();
try (Statement statement = connection.createStatement()) {
connection.executeUpdate(statement, updateSql);
md5HashDirty = false;
sha256HashDirty = false;
sha1HashDirty = false;
mimeTypeDirty = false;
knownStateDirty = false;
collectedDirty = false;
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error updating properties of file %s (obj_id = %s)", getName(), getId()), ex);
}
}
/**
* Get the owner uid.
*
* Note this is a string uid, typically a Windows SID. This is different
* from the numeric uid commonly found on Unix based file systems.
*
* @return Optional with owner uid.
*/
public Optional<String> getOwnerUid() {
return Optional.ofNullable(ownerUid);
}
/**
* Get the Object Id of the owner account.
*
* @return Optional with Object Id of the OsAccount, or Optional.empty.
*/
public Optional<Long> getOsAccountObjectId() {
return Optional.ofNullable(osAccountObjId);
}
/**
* Sets the parent file system of this file or directory.
*
* @param parent The parent file system object.
*/
void setFileSystem(FileSystem parent) {
parentFileSystem = parent;
}
/**
* Get the object id of the parent file system of this file or directory if it exists.
*
* @return The parent file system id.
*/
public Optional<Long> getFileSystemObjectId() {
return Optional.ofNullable(fileSystemObjectId);
}
/**
* Check if this AbstractFile belongs to a file system.
*
* @return True if the file belongs to a file system, false otherwise.
*/
public boolean hasFileSystem() {
return fileSystemObjectId != null;
}
/**
* Gets the parent file system of this file or directory.
* If the AbstractFile object is not FsContent, hasFileSystem() should
* be called before this method to ensure the file belongs to a file
* system.
*
* @return The file system object of the parent.
*
* @throws org.sleuthkit.datamodel.TskCoreException If the file does not belong to a file system or
* another error occurs.
*/
public FileSystem getFileSystem() throws TskCoreException {
if (fileSystemObjectId == null) {
throw new TskCoreException("File with ID: " + this.getId() + " does not belong to a file system");
}
if (parentFileSystem == null) {
synchronized (this) {
if (parentFileSystem == null) {
parentFileSystem = getSleuthkitCase().getFileSystemById(fileSystemObjectId, AbstractContent.UNKNOWN_ID);
}
}
}
return parentFileSystem;
}
/**
* Get the full path to this file or directory, starting with a "/" and the
* data source name and then all the other segments in the path.
*
* @return A unique path for this object.
*
* @throws TskCoreException if there is an error querying the case database.
*/
@Override
public String getUniquePath() throws TskCoreException {
if (uniquePath == null) {
if (getFileSystemObjectId().isPresent()) {
// For file system files, construct the path using the path to
// the file system, the parent path, and the file name. FileSystem
// objects are cached so this is unlikely to perform any
// database operations.
StringBuilder sb = new StringBuilder();
sb.append(getFileSystem().getUniquePath());
if (! parentPath.isEmpty()) {
sb.append(parentPath);
} else {
// The parent path may not be set in older cases.
sb.append("/");
}
sb.append(getName());
uniquePath = sb.toString();
} else {
if ((this instanceof LayoutFile) && (parentPath.equals("/"))) {
// This may be the case where the layout file is a direct child of a
// volume. We want to make sure to include the volume information if present,
// so go up the directory structure instead of using the optimized code.
uniquePath = super.getUniquePath();
} else if (getName().equals(VirtualDirectory.NAME_CARVED) || getName().equals(VirtualDirectory.NAME_UNALLOC) ||
parentPath.startsWith("/" + VirtualDirectory.NAME_CARVED) || parentPath.startsWith("/" + VirtualDirectory.NAME_UNALLOC)) {
// We can make $Unalloc and $CarvedFiles under volumes without being part of a file system.
// As above, we want to make sure to include the volume information if present,
// so go up the directory structure instead of using the optimized code.
uniquePath = super.getUniquePath();
} else {
// Optimized code to use for most files. Construct the path
// using the data source name, the parent path, and the file name.
// DataSource objects are cached so this is unlikely to perform any
// database operations.
String dataSourceName = "";
Content dataSource = getDataSource();
if (dataSource != null) {
dataSourceName = dataSource.getUniquePath();
}
if (! parentPath.isEmpty()) {
uniquePath = dataSourceName + parentPath + getName();
} else {
// The parent path may not be set in older cases.
uniquePath = dataSourceName + "/" + getName();
}
}
}
}
return uniquePath;
}
@Deprecated
@SuppressWarnings("deprecation")
@Override
public BlackboardArtifact newArtifact(int artifactTypeID) throws TskCoreException {
return super.newArtifact(artifactTypeID);
}
/**
* Create and add a data artifact associated with this abstract file. This
* method creates the data artifact with the os account id associated with
* this abstract file if one exists.
*
* @param artifactType Type of data artifact to create.
* @param attributesList Additional attributes to attach to this data
* artifact.
*
* @return DataArtifact New data artifact.
*
* @throws TskCoreException If a critical error occurred within tsk core.
*/
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList) throws TskCoreException {
return super.newDataArtifact(artifactType, attributesList, getOsAccountObjectId().orElse(null));
}
/**
* Get the attribute id
*
* @return attribute id
*
* @deprecated Use getAttributeId() method instead as it returns integer
* instead of short.
*/
@Deprecated
@SuppressWarnings("deprecation")
public short getAttrId() {
/*
* NOTE: previously attrId used to be stored in AbstractFile as (signed)
* short even though it is stored as uint16 in TSK. In extremely rare
* occurrences attrId can be larger than what a signed short can hold
* (2^15). Changes were made to AbstractFile to store attrId as integer.
* Therefore this method has been deprecated. For backwards
* compatibility, attribute ids that are larger than 32K are converted
* to a negative number.
*/
return (short) attrId; // casting to signed short converts values over 32K to negative values
}
/**
* Set local path for the file, as stored in db tsk_files_path, relative to
* the case db path or an absolute path. When set, subsequent invocations of
* read() will read the file in the local path.
*
* @param localPath local path to be set
* @param isAbsolute true if the path is absolute, false if relative to the
* case db
*
* @deprecated Do not make subclasses outside of this package.
*/
@Deprecated
protected void setLocalPath(String localPath, boolean isAbsolute) {
setLocalFilePath(localPath);
}
/*
* -------------------------------------------------------------------------
* Util methods to convert / map the data
* -------------------------------------------------------------------------
*/
/**
* Return the epoch into string in ISO 8601 dateTime format
*
* @param epoch time in seconds
*
* @return formatted date time string as "yyyy-MM-dd HH:mm:ss"
*
* @deprecated
*/
@Deprecated
public static String epochToTime(long epoch) {
return TimeUtilities.epochToTime(epoch);
}
/**
* Return the epoch into string in ISO 8601 dateTime format, in the given
* timezone
*
* @param epoch time in seconds
* @param tzone time zone
*
* @return formatted date time string as "yyyy-MM-dd HH:mm:ss"
*
* @deprecated
*/
@Deprecated
public static String epochToTime(long epoch, TimeZone tzone) {
return TimeUtilities.epochToTime(epoch, tzone);
}
/**
* Convert from ISO 8601 formatted date time string to epoch time in seconds
*
* @param time formatted date time string as "yyyy-MM-dd HH:mm:ss"
*
* @return epoch time in seconds
*/
@Deprecated
public static long timeToEpoch(String time) {
return TimeUtilities.timeToEpoch(time);
}
/**
* Initializes common fields used by AbstactFile implementations (objects in
* tsk_files table)
*
* @param db case / db handle where this file belongs to
* @param objId object id in tsk_objects table
* @param dataSourceObjectId The object id of the root data source of this
* file.
* @param fileSystemObjectId The object id of the file system. Can be null (or 0 representing null)
* @param attrType
* @param attrId
* @param name name field of the file
* @param fileType type of the file
* @param metaAddr
* @param metaSeq
* @param dirType
* @param metaType
* @param dirFlag
* @param metaFlags
* @param size
* @param ctime
* @param crtime
* @param atime
* @param mtime
* @param modes
* @param uid
* @param gid
* @param md5Hash md5sum of the file, or null if not present
* @param sha256Hash sha256 hash of the file, or null if not present
* @param sha1Hash SHA-1 hash of the file, or null if not present
* @param knownState knownState status of the file, or null if
* unknown (default)
* @param parentPath
* @param mimeType The MIME type of the file, can be null.
* @param extension The extension part of the file name (not
* including the '.'), can be null.
* @param ownerUid Owner uid/SID, can be null if not available.
* @param osAccountObjectId Object Id of the owner OsAccount, may be null.
*
* @deprecated
*/
@Deprecated
AbstractFile(SleuthkitCase db,
long objId,
long dataSourceObjectId,
Long fileSystemObjectId,
TskData.TSK_FS_ATTR_TYPE_ENUM attrType, int attrId,
String name,
TskData.TSK_DB_FILES_TYPE_ENUM fileType,
long metaAddr, int metaSeq,
TSK_FS_NAME_TYPE_ENUM dirType, TSK_FS_META_TYPE_ENUM metaType,
TSK_FS_NAME_FLAG_ENUM dirFlag, short metaFlags,
long size,
long ctime, long crtime, long atime, long mtime,
short modes,
int uid, int gid,
String md5Hash, String sha256Hash, String sha1Hash,
FileKnown knownState,
String parentPath,
String mimeType,
String extension,
String ownerUid,
Long osAccountObjectId,
List<Attribute> fileAttributes) {
this(db, objId, dataSourceObjectId, fileSystemObjectId, attrType, attrId, name, fileType, metaAddr, metaSeq,
dirType, metaType, dirFlag, metaFlags, size, ctime, crtime, atime, mtime, modes, uid, gid,
md5Hash, sha256Hash, sha1Hash, knownState, parentPath, mimeType, extension,
ownerUid, osAccountObjectId, TskData.CollectedStatus.UNKNOWN, fileAttributes);
}
}
bindings/java/src/org/sleuthkit/datamodel/Account.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2016-18 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import java.util.Arrays;
import java.util.List;
/**
* An entity that has a type and a unique (within that type) identifier .
* Example types include a Bank Account, Credit Card, Email address, Phone
* number, phone, Application, Web-site login, etc. Accounts are unique to the
* case.
*/
public final class Account {
/**
* primary key in the Accounts table, unique at the case-level
*/
private final long account_id;
private final Account.Type accountType;
/**
* id of the account, specific to the accounts type. For example: email
* address, phone number, or website user name.
*/
private final String typeSpecificID;
public static final class Type {
//JIRA-900:Should the display names of predefined types be internationalized?
public static final Account.Type CREDIT_CARD = new Type("CREDIT_CARD", "Credit Card");
public static final Account.Type DEVICE = new Type("DEVICE", "Device");
public static final Account.Type PHONE = new Type("PHONE", "Phone");
public static final Account.Type EMAIL = new Type("EMAIL", "Email");
public static final Account.Type FACEBOOK = new Type("FACEBOOK", "Facebook");
public static final Account.Type TWITTER = new Type("TWITTER", "Twitter");
public static final Account.Type INSTAGRAM = new Type("INSTAGRAM", "Instagram");
public static final Account.Type WHATSAPP = new Type("WHATSAPP", "WhatsApp");
public static final Account.Type MESSAGING_APP = new Type("MESSAGING_APP", "MessagingApp");
public static final Account.Type WEBSITE = new Type("WEBSITE", "Website");
public static final Account.Type IMO = new Type("IMO", "IMO");
public static final Account.Type LINE = new Type("LINE", "LINE");
public static final Account.Type SKYPE = new Type("SKYPE", "Skype");
public static final Account.Type TANGO = new Type("TANGO", "Tango");
public static final Account.Type TEXTNOW = new Type("TEXTNOW", "TextNow");
public static final Account.Type THREEMA = new Type("THREEMA", "ThreeMa");
public static final Account.Type VIBER = new Type("VIBER", "Viber");
public static final Account.Type XENDER = new Type("XENDER", "Xender");
public static final Account.Type ZAPYA = new Type("ZAPYA", "Zapya");
public static final Account.Type SHAREIT = new Type("SHAREIT", "ShareIt");
public static final List<Account.Type> PREDEFINED_ACCOUNT_TYPES = Arrays.asList(
CREDIT_CARD,
DEVICE,
PHONE,
EMAIL,
FACEBOOK,
TWITTER,
INSTAGRAM,
WHATSAPP,
MESSAGING_APP,
WEBSITE,
IMO,
LINE,
SKYPE,
TANGO,
TEXTNOW,
THREEMA,
VIBER,
XENDER,
ZAPYA,
SHAREIT
);
private final String typeName;
private final String displayName;
/**
* Constructs an Account type.
*
* @param typeName The type name.
* @param displayName The display name for the type.
*/
public Type(String typeName, String displayName) {
this.typeName = typeName;
this.displayName = displayName;
}
/**
* Gets the type name
*
* @return The type name.
*/
public String getTypeName() {
return this.typeName;
}
/**
* Gets the display name
*
* @return The display name.
*/
public String getDisplayName() {
return displayName;
}
@Override
public boolean equals(Object that) {
if (this == that) {
return true;
} else if (!(that instanceof Account.Type)) {
return false;
}
Account.Type thatType = (Account.Type) that;
// DB table enforces uniqueness for type name
return this.typeName.equals(thatType.getTypeName());
}
@Override
public int hashCode() {
int hash = 11;
hash = 83 * hash + (this.typeName != null ? this.typeName.hashCode() : 0);
hash = 83 * hash + (this.displayName != null ? this.displayName.hashCode() : 0);
return hash;
}
@Override
public String toString() {
return " displayName=" + this.displayName
+ ", typeName=" + this.typeName + ")";
}
}
Account(long account_id, Account.Type accountType, String typeSpecificId) throws TskCoreException {
this.account_id = account_id;
this.accountType = accountType;
this.typeSpecificID = typeSpecificId;
}
/**
* Gets unique identifier (assigned by a provider) for the account. Example
* includes an email address, a phone number, or a website username.
*
* @return type specific account id.
*/
public String getTypeSpecificID() {
return this.typeSpecificID;
}
/**
* Gets the account type
*
* @return account type
*/
public Account.Type getAccountType() {
return this.accountType;
}
/**
* Gets a case-specific unique identifier for this account (from the
* database)
*
* @return unique row id.
*/
public long getAccountID() {
return this.account_id;
}
@Override
public int hashCode() {
int hash = 5;
hash = 43 * hash + (int) (this.account_id ^ (this.account_id >>> 32));
hash = 43 * hash + (this.accountType != null ? this.accountType.hashCode() : 0);
hash = 43 * hash + (this.typeSpecificID != null ? this.typeSpecificID.hashCode() : 0);
return hash;
}
@Override
public boolean equals(Object obj) {
if (this == obj) {
return true;
}
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final Account other = (Account) obj;
if (this.account_id != other.account_id) {
return false;
}
if ((this.typeSpecificID == null) ? (other.typeSpecificID != null) : !this.typeSpecificID.equals(other.typeSpecificID)) {
return false;
}
if (this.accountType != other.accountType && (this.accountType == null || !this.accountType.equals(other.accountType))) {
return false;
}
return true;
}
}
bindings/java/src/org/sleuthkit/datamodel/AccountDeviceInstance.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2017-18 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
/**
* Encapsulates an Account existing on a specific device.
*
* There is a 1:M:N relationship between
* Account, AccountDeviceInstance & AccountFileInstance
*/
public final class AccountDeviceInstance {
private final Account account;
private final String deviceID;
AccountDeviceInstance(Account account, String deviceId) {
this.account = account;
this.deviceID = deviceId;
}
/**
* Returns the underlying Account
*
* @return account
*/
public Account getAccount(){
return this.account;
}
/**
* Returns the device Id the Account existed on
*
* @return device id
*/
public String getDeviceId(){
return this.deviceID;
}
@Override
public int hashCode() {
int hash = 5;
hash = 11 * hash + (this.account != null ? this.account.hashCode() : 0);
hash = 11 * hash + (this.deviceID != null ? this.deviceID.hashCode() : 0);
return hash;
}
@Override
public boolean equals(Object obj) {
if (this == obj) {
return true;
}
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final AccountDeviceInstance other = (AccountDeviceInstance) obj;
if ((this.deviceID == null) ? (other.deviceID != null) : !this.deviceID.equals(other.deviceID)) {
return false;
}
if (this.account != other.account && (this.account == null || !this.account.equals(other.account))) {
return false;
}
return true;
}
}
bindings/java/src/org/sleuthkit/datamodel/AccountFileInstance.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2017-18 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import java.util.Collection;
/**
* An instance of an Account in a specific file. An Account may be found in
* multiple Content objects (such as different databases) on a single device.
* There is a 1:N relationship between Account objects and AccountFileInstance
* objects. A TSK_ACCOUNT artifact is created for every account file instance.
*
* AccountFileInstances can optionally have BlackboardAttributes to store more
* details.
*/
public final class AccountFileInstance {
private final BlackboardArtifact artifact;
private final Account account;
AccountFileInstance(BlackboardArtifact artifact, Account account) throws TskCoreException {
this.artifact = artifact;
this.account = account;
}
/**
* Gets the first occurrence of an attribute by type.
*
* @param attrType The attribute type.
*
* @return The attribute, or null if no attribute of the given type exists.
*
* @throws TskCoreException if an there is an error getting the attribute.
*/
public BlackboardAttribute getAttribute(BlackboardAttribute.ATTRIBUTE_TYPE attrType) throws TskCoreException {
return this.artifact.getAttribute(new BlackboardAttribute.Type(attrType));
}
/**
* Adds an attribute. It is faster to add multiple attributes as a
* collection using addAttributes().
*
* @param bbatr The attribute to add.
*
* @throws TskCoreException if an there is an error adding the attribute.
*/
public void addAttribute(BlackboardAttribute bbatr) throws TskCoreException {
this.artifact.addAttribute(bbatr);
}
/**
* Adds a collection of attributes
*
* @param bbatrs The collection of attributes to add.
*
* @throws TskCoreException if an there is an error adding the attributes.
*/
public void addAttributes(Collection<BlackboardAttribute> bbatrs) throws TskCoreException {
this.artifact.addAttributes(bbatrs);
}
/**
* Gets the underlying Account for this instance.
*
* @return The account.
*
* @throws TskCoreException if an there is an error getting the account.
*/
public Account getAccount() throws TskCoreException {
return this.account;
}
/**
* Gets the source content (data source or file within a
* data source) of the underlying Account artifact for this instance.
*
* @return The source content.
*
* @throws TskCoreException
*/
public Content getFile() throws TskCoreException {
return artifact.getSleuthkitCase().getContentById(artifact.getObjectID());
}
/**
* Get the object ID of the artifact this account file instance maps to.
*
* @return A Data Source Object ID
*/
Long getDataSourceObjectID() {
return artifact.getDataSourceObjectID();
}
}
bindings/java/src/org/sleuthkit/datamodel/AccountPair.java 0 → 100644
View file @ a73ef106
/*
* SleuthKit Java Bindings
*
* Copyright 2018 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
/**
* Class representing an unordered pair of account device instances. <a,b> is
* same as <b,a>. First and second are used to distinguish the two accounts, but
* do not imply an order.
*/
public final class AccountPair {
private final AccountDeviceInstance account1;
private final AccountDeviceInstance account2;
/**
* Get the first AccountDeviceInstance. First doesn't imply order and is
* simply used to distinguish the two accounts.
*
* @return The first AccountDeviceInstance.
*/
public AccountDeviceInstance getFirst() {
return account1;
}
/**
* Get the second AccountDeviceInstance. Second doesn't imply order and is
* simply used to distinguish the two accounts.
*
* @return The second AccountDeviceInstance.
*/
public AccountDeviceInstance getSecond() {
return account2;
}
AccountPair(AccountDeviceInstance account1, AccountDeviceInstance account2) {
this.account1 = account1;
this.account2 = account2;
}
@Override
public int hashCode() {
return account1.hashCode() + account2.hashCode();
}
@Override
public boolean equals(Object other) {
if (other == this) {
return true;
}
if (!(other instanceof AccountPair)) {
return false;
}
AccountPair otherPair = (AccountPair) other;
return (account1.equals(otherPair.account1) && account2.equals(otherPair.account2))
|| (account1.equals(otherPair.account2) && account2.equals(otherPair.account1));
}
}
bindings/java/src/org/sleuthkit/datamodel/AddDataSourceCallbacks.java 0 → 100644
View file @ a73ef106
/*
* SleuthKit Java Bindings
*
* Copyright 2020 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import java.util.List;
/**
* Provides callbacks at key points during the process of adding a data source to a case database.
*/
public interface AddDataSourceCallbacks {
/**
* Call to add a set of file object IDs that have been added to the database.
*
* @param fileObjectIds List of file object IDs.
*/
void onFilesAdded(List<Long> fileObjectIds);
}
bindings/java/src/org/sleuthkit/datamodel/AnalysisResult.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2020-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
/**
* An AnalysisResult represents the outcome of some analysis technique that was
* applied to some data (i.e. Content) to determine the data's relevance. The
* result should have a conclusion and a relevance score. The score of the
* AnalysisResult will be used to calculate the aggregate score of the parent
* data. Additional metadata can be stored as BlackboardAttributes.
*/
public class AnalysisResult extends BlackboardArtifact {
private final String conclusion; // conclusion of analysis - may be an empty string
private final Score score; // relevance score based on the conclusion
private final String configuration; // Optional descriptor of configuration of analysis technique (such as a set name). Maybe empty string
private final String justification; // justification/explanation of the conclusion. Maybe empty string.
private boolean ignoreResult = false; // ignore this analysis result when computing score of the parent object.
/**
* Constructs an analysis result.
*
* @param sleuthkitCase The SleuthKit case (case database) that contains
* the artifact data.
* @param artifactID The unique id for this artifact.
* @param sourceObjId The unique id of the content with which this
* artifact is associated.
* @param artifactObjId The unique id this artifact, in tsk_objects.
* @param dataSourceObjId Object ID of the datasource where the artifact
* was found. May be null.
* @param artifactTypeID The type id of this artifact.
* @param artifactTypeName The type name of this artifact.
* @param displayName The display name of this artifact.
* @param reviewStatus The review status of this artifact.
* @param score The score assigned by the analysis.
* @param conclusion Conclusion arrived at by the analysis. May be
* null.
* @param configuration Configuration used for analysis. May be null.
* @param justification Justification for the analysis. May be null.
*/
AnalysisResult(SleuthkitCase sleuthkitCase, long artifactID, long sourceObjId, long artifactObjId, Long dataSourceObjId, int artifactTypeID, String artifactTypeName, String displayName, ReviewStatus reviewStatus, Score score, String conclusion, String configuration, String justification) {
super(sleuthkitCase, artifactID, sourceObjId, artifactObjId, dataSourceObjId, artifactTypeID, artifactTypeName, displayName, reviewStatus);
this.score = score;
this.conclusion = (conclusion != null) ? conclusion : "";
this.configuration = (configuration != null) ? configuration : "";
this.justification = (justification != null) ? justification : "";
}
/**
* Constructs an analysis result.
*
* @param sleuthkitCase The SleuthKit case (case database) that contains
* the artifact data.
* @param artifactID The unique id for this artifact.
* @param sourceObjId The unique id of the content with which this
* artifact is associated.
* @param artifactObjId The unique id this artifact, in tsk_objects.
* @param dataSourceObjId Object ID of the datasource where the artifact
* was found. May be null.
* @param artifactTypeID The type id of this artifact.
* @param artifactTypeName The type name of this artifact.
* @param displayName The display name of this artifact.
* @param reviewStatus The review status of this artifact.
* @param isNew If this analysis result is newly created.
* @param score The score assigned by the analysis.
* @param conclusion Conclusion arrived at by the analysis. May be
* null.
* @param configuration Configuration used for analysis. May be null.
* @param justification Justification for the analysis. May be null.
*/
AnalysisResult(SleuthkitCase sleuthkitCase, long artifactID, long sourceObjId, long artifactObjID, Long dataSourceObjID, int artifactTypeID, String artifactTypeName, String displayName, ReviewStatus reviewStatus, boolean isNew, Score score, String conclusion, String configuration, String justification) {
super(sleuthkitCase, artifactID, sourceObjId, artifactObjID, dataSourceObjID, artifactTypeID, artifactTypeName, displayName, reviewStatus, isNew);
this.score = score;
this.conclusion = (conclusion != null) ? conclusion : "";
this.configuration = (configuration != null) ? configuration : "";
this.justification = (justification != null) ? justification : "";
}
/**
* Returns analysis result conclusion.
*
* @return Conclusion, returns an empty string if not set.
*/
public String getConclusion() {
return conclusion;
}
/**
* Returns relevance score based on conclusion
*
* @return Score.
*/
public Score getScore() {
return score;
}
/**
* Returns configuration used in analysis.
*
* @return Configuration, returns an empty string if not set.
*/
public String getConfiguration() {
return configuration;
}
/**
* Returns justification for conclusion
*
* @return justification, returns an empty string if not set.
*/
public String getJustification() {
return justification;
}
/**
* Sets if this result is to be ignored when calculating the aggregate score
* of the parent object.
*
* @param ignore if the result should be ignored or not.
*/
public void setIgnoreResult(boolean ignore) {
ignoreResult = ignore;
}
/**
* Checks if this result is to be ignored.
*
* @return true is the result should should be ignored, false otherwise.
*/
public boolean ignoreResult() {
return ignoreResult;
}
}
bindings/java/src/org/sleuthkit/datamodel/AnalysisResultAdded.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2020-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
/**
* This class encapsulates an analysis result added to Content, and the
* content's aggregate score upon adding the analysis result.
*/
public class AnalysisResultAdded {
private final AnalysisResult analysisResult;
private final Score score;
AnalysisResultAdded(AnalysisResult analysisResult, Score score) {
this.analysisResult = analysisResult;
this.score = score;
}
public AnalysisResult getAnalysisResult() {
return analysisResult;
}
public Score getAggregateScore() {
return score;
}
}
bindings/java/src/org/sleuthkit/datamodel/Attribute.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import com.google.common.base.MoreObjects;
import java.util.Arrays;
import java.util.Objects;
/**
* This is a concrete implementation of a simple Attribute Type.
*/
public class Attribute extends AbstractAttribute{
/**
* The `parent` object of this Attribute.
*/
private long attributeParentId;
/**
* Primary key in the respective attribute table.
*/
private long id;
/**
* Constructs an attribute with an integer value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param valueInt The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER.
*/
public Attribute(BlackboardAttribute.Type attributeType, int valueInt) throws IllegalArgumentException {
super(attributeType, valueInt);
}
/**
* Constructs an attribute with a long/datetime value. The attribute should
* be added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param valueLong The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG
* or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME.
*/
public Attribute(BlackboardAttribute.Type attributeType, long valueLong) throws IllegalArgumentException {
super(attributeType, valueLong);
}
/**
* Constructs an attribute with a double value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param valueDouble The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE.
*/
public Attribute(BlackboardAttribute.Type attributeType, double valueDouble) throws IllegalArgumentException {
super(attributeType, valueDouble);
}
/**
* Constructs an attribute with a string value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param valueString The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING.
*/
public Attribute(BlackboardAttribute.Type attributeType, String valueString) throws IllegalArgumentException {
super(attributeType, valueString);
}
/**
* Constructs an attribute with a byte array value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param valueBytes The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE.
*/
public Attribute(BlackboardAttribute.Type attributeType, byte[] valueBytes) throws IllegalArgumentException {
super(attributeType, valueBytes);
}
/**
* Constructs an artifact attribute. To be used when creating an attribute
* based on a query of the blackboard _attributes table in the case
* database.
*
* @param attributeOwnerId The owner id for this attribute.
* @param attributeTypeID The attribute type id.
* @param valueType The attribute value type.
* @param valueInt The value from the the value_int32 column.
* @param valueLong The value from the the value_int64 column.
* @param valueDouble The value from the the value_double column.
* @param valueString The value from the the value_text column.
* @param valueBytes The value from the the value_byte column.
* @param sleuthkitCase A reference to the SleuthkitCase object
* representing the case database.
*/
Attribute(long id, long attributeOwnerId, BlackboardAttribute.Type attributeType,
int valueInt, long valueLong, double valueDouble, String valueString, byte[] valueBytes,
SleuthkitCase sleuthkitCase) {
super(attributeType, valueInt, valueLong, valueDouble, valueString, valueBytes, sleuthkitCase);
this.id = id;
}
/**
* Gets the parent Id of this attribute. A parent is defined as the Object
* to which this attribute is associated with. Eg: For a file Attribute the
* attribute parent id would be the file object id.
*
* @return
*/
final public long getAttributeParentId() {
return this.attributeParentId;
}
/**
* Set the parent id for this attribute. Parent is defined as the Object
* to which this attribute is associated with.
* @param attributeParentId
*/
final void setAttributeParentId(long attributeParentId) {
this.attributeParentId = attributeParentId;
}
/**
* Returns the Id of the Attribute.
* @return
*/
public long getId() {
return id;
}
/**
* Set the id of the attribute
* @param id
*/
void setId(long id) {
this.id = id;
}
@Override
public int hashCode() {
return Objects.hash(
this.getAttributeType(), this.getValueInt(), this.getValueLong(), this.getValueDouble(),
this.getValueString(), this.getValueBytes());
}
@Override
public boolean equals(Object that) {
if (this == that) {
return true;
} else if (that instanceof Attribute) {
return areValuesEqual(that);
} else {
return false;
}
}
@Override
public String toString() {
return MoreObjects.toStringHelper(this)
.add("attributeType", getAttributeType().toString())
.add("valueInt", getValueInt())
.add("valueLong", getValueLong())
.add("valueDouble", getValueDouble())
.add("valueString", getValueString())
.add("valueBytes", Arrays.toString(getValueBytes()) )
.add("Case", getCaseDatabase())
.toString();
}
}
\ No newline at end of file
bindings/java/src/org/sleuthkit/datamodel/Blackboard.java 0 → 100755
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2018-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import com.google.common.annotations.Beta;
import com.google.common.collect.ImmutableSet;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.sleuthkit.datamodel.SleuthkitCase.CaseDbConnection;
import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
import static org.sleuthkit.datamodel.SleuthkitCase.closeConnection;
import static org.sleuthkit.datamodel.SleuthkitCase.closeResultSet;
import static org.sleuthkit.datamodel.SleuthkitCase.closeStatement;
/**
* A representation of the blackboard, a place where artifacts and their
* attributes are posted.
*/
public final class Blackboard {
private static final Logger LOGGER = Logger.getLogger(Blackboard.class.getName());
/*
* ConcurrentHashMap semantics are fine for these caches to which entries
* are added, but never removed. There is also no need to keep each pair of
* related caches strictly consistent with each other, because cache misses
* will be extremely rare (standard types are loaded when the case is
* opened), and the cost of a cache miss is low.
*/
private final Map<Integer, BlackboardArtifact.Type> typeIdToArtifactTypeMap = new ConcurrentHashMap<>();
private final Map<Integer, BlackboardAttribute.Type> typeIdToAttributeTypeMap = new ConcurrentHashMap<>();
private final Map<String, BlackboardArtifact.Type> typeNameToArtifactTypeMap = new ConcurrentHashMap<>();
private final Map<String, BlackboardAttribute.Type> typeNameToAttributeTypeMap = new ConcurrentHashMap<>();
static final int MIN_USER_DEFINED_TYPE_ID = 10000;
private final SleuthkitCase caseDb;
/**
* Constructs a representation of the blackboard, a place where artifacts
* and their attributes are posted.
*
* @param casedb The case database.
*/
Blackboard(SleuthkitCase casedb) {
this.caseDb = Objects.requireNonNull(casedb, "Cannot create Blackboard for null SleuthkitCase");
}
/**
* Posts an artifact to the blackboard. The artifact should be complete (all
* attributes have been added) before it is posted. Posting the artifact
* triggers the creation of appropriate timeline events, if any, and
* broadcast of a notification that the artifact is ready for further
* analysis.
*
* @param artifact The artifact.
* @param moduleName The display name of the module posting the artifact.
*
* @throws BlackboardException The exception is thrown if there is an issue
* posting the artifact.
* @deprecated Use postArtifact(BlackboardArtifact artifact, String
* moduleName, Long ingestJobId) instead.
*/
@Deprecated
public void postArtifact(BlackboardArtifact artifact, String moduleName) throws BlackboardException {
postArtifacts(Collections.singleton(artifact), moduleName, null);
}
/**
* Posts a collection of artifacts to the blackboard. The artifacts should
* be complete (all attributes have been added) before they are posted.
* Posting the artifacts triggers the creation of appropriate timeline
* events, if any, and broadcast of a notification that the artifacts are
* ready for further analysis.
*
* @param artifacts The artifacts.
* @param moduleName The display name of the module posting the artifacts.
*
* @throws BlackboardException The exception is thrown if there is an issue
* posting the artifact.
* @deprecated postArtifacts(Collection\<BlackboardArtifact\> artifacts,
* String moduleName, Long ingestJobId)
*/
@Deprecated
public void postArtifacts(Collection<BlackboardArtifact> artifacts, String moduleName) throws BlackboardException {
postArtifacts(artifacts, moduleName, null);
}
/**
* Posts an artifact to the blackboard. The artifact should be complete (all
* attributes have been added) before it is posted. Posting the artifact
* triggers the creation of appropriate timeline events, if any, and
* broadcast of a notification that the artifact is ready for further
* analysis.
*
* @param artifact The artifact.
* @param moduleName The display name of the module posting the artifact.
* @param ingestJobId The numeric identifier of the ingest job for which the
* artifact was posted, may be null.
*
* @throws BlackboardException The exception is thrown if there is an issue
* posting the artifact.
*/
public void postArtifact(BlackboardArtifact artifact, String moduleName, Long ingestJobId) throws BlackboardException {
postArtifacts(Collections.singleton(artifact), moduleName, ingestJobId);
}
/**
* Posts a collection of artifacts to the blackboard. The artifacts should
* be complete (all attributes have been added) before they are posted.
* Posting the artifacts triggers the creation of appropriate timeline
* events, if any, and broadcast of a notification that the artifacts are
* ready for further analysis.
*
* @param artifacts The artifacts.
* @param moduleName The display name of the module posting the artifacts.
* @param ingestJobId The numeric identifier of the ingest job for which the
* artifacts were posted, may be null.
*
* @throws BlackboardException The exception is thrown if there is an issue
* posting the artifact.
*/
public void postArtifacts(Collection<BlackboardArtifact> artifacts, String moduleName, Long ingestJobId) throws BlackboardException {
for (BlackboardArtifact artifact : artifacts) {
try {
caseDb.getTimelineManager().addArtifactEvents(artifact);
} catch (TskCoreException ex) {
throw new BlackboardException(String.format("Failed to add events to timeline for artifact '%s'", artifact), ex);
}
}
caseDb.fireTSKEvent(new ArtifactsPostedEvent(artifacts, moduleName, ingestJobId));
}
/**
* Gets an artifact type, creating it if it does not already exist. Use this
* method to define custom artifact types.
*
* This assumes that the artifact type is of category DATA_ARTIFACT.
*
* @param typeName The type name of the artifact type.
* @param displayName The display name of the artifact type.
*
* @return A type object representing the artifact type.
*
* @throws BlackboardException If there is a problem getting or adding the
* artifact type.
*/
public BlackboardArtifact.Type getOrAddArtifactType(String typeName, String displayName) throws BlackboardException {
return getOrAddArtifactType(typeName, displayName, BlackboardArtifact.Category.DATA_ARTIFACT);
}
/**
* Gets an artifact type, creating it if it does not already exist. Use this
* method to define custom artifact types.
*
* @param typeName The type name of the artifact type.
* @param displayName The display name of the artifact type.
* @param category The artifact type category.
*
* @return A type object representing the artifact type.
*
* @throws BlackboardException If there is a problem getting or adding the
* artifact type.
*/
public BlackboardArtifact.Type getOrAddArtifactType(String typeName, String displayName, BlackboardArtifact.Category category) throws BlackboardException {
if (category == null) {
throw new BlackboardException("Category provided must be non-null");
}
if (typeNameToArtifactTypeMap.containsKey(typeName)) {
return typeNameToArtifactTypeMap.get(typeName);
}
Statement s = null;
ResultSet rs = null;
CaseDbTransaction trans = null;
try {
trans = caseDb.beginTransaction();
CaseDbConnection connection = trans.getConnection();
s = connection.createStatement();
rs = connection.executeQuery(s, "SELECT artifact_type_id FROM blackboard_artifact_types WHERE type_name = '" + typeName + "'"); //NON-NLS
if (!rs.next()) {
rs.close();
rs = connection.executeQuery(s, "SELECT MAX(artifact_type_id) AS highest_id FROM blackboard_artifact_types");
int maxID = 0;
if (rs.next()) {
maxID = rs.getInt("highest_id");
if (maxID < MIN_USER_DEFINED_TYPE_ID) {
maxID = MIN_USER_DEFINED_TYPE_ID;
} else {
maxID++;
}
}
connection.executeUpdate(s, "INSERT INTO blackboard_artifact_types (artifact_type_id, type_name, display_name, category_type) VALUES ('" + maxID + "', '" + typeName + "', '" + displayName + "', " + category.getID() + " )"); //NON-NLS
BlackboardArtifact.Type type = new BlackboardArtifact.Type(maxID, typeName, displayName, category);
this.typeIdToArtifactTypeMap.put(type.getTypeID(), type);
this.typeNameToArtifactTypeMap.put(type.getTypeName(), type);
trans.commit();
trans = null;
return type;
} else {
trans.commit();
trans = null;
try {
return getArtifactType(typeName);
} catch (TskCoreException ex) {
throw new BlackboardException("Failed to get or add artifact type: " + typeName, ex);
}
}
} catch (SQLException | TskCoreException ex) {
try {
if (trans != null) {
trans.rollback();
trans = null;
}
} catch (TskCoreException ex2) {
LOGGER.log(Level.SEVERE, "Error rolling back transaction", ex2);
}
throw new BlackboardException("Error adding artifact type: " + typeName, ex);
} finally {
closeResultSet(rs);
closeStatement(s);
if (trans != null) {
try {
trans.rollback();
} catch (TskCoreException ex) {
throw new BlackboardException("Error rolling back transaction", ex);
}
}
}
}
/**
* Get the attribute type associated with an attribute type name.
*
* @param attrTypeName An attribute type name.
*
* @return An attribute type or null if the attribute type does not exist.
*
* @throws TskCoreException If an error occurs accessing the case database.
*
*/
public BlackboardAttribute.Type getAttributeType(String attrTypeName) throws TskCoreException {
if (this.typeNameToAttributeTypeMap.containsKey(attrTypeName)) {
return this.typeNameToAttributeTypeMap.get(attrTypeName);
}
CaseDbConnection connection = null;
Statement s = null;
ResultSet rs = null;
caseDb.acquireSingleUserCaseReadLock();
try {
connection = caseDb.getConnection();
s = connection.createStatement();
rs = connection.executeQuery(s, "SELECT attribute_type_id, type_name, display_name, value_type FROM blackboard_attribute_types WHERE type_name = '" + attrTypeName + "'"); //NON-NLS
BlackboardAttribute.Type type = null;
if (rs.next()) {
type = new BlackboardAttribute.Type(rs.getInt("attribute_type_id"), rs.getString("type_name"),
rs.getString("display_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(rs.getLong("value_type")));
this.typeIdToAttributeTypeMap.put(type.getTypeID(), type);
this.typeNameToAttributeTypeMap.put(attrTypeName, type);
}
return type;
} catch (SQLException ex) {
throw new TskCoreException("Error getting attribute type id", ex);
} finally {
closeResultSet(rs);
closeStatement(s);
closeConnection(connection);
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get the attribute type associated with an attribute type ID.
*
* @param typeID An attribute type ID.
*
* @return An attribute type or null if the attribute type does not exist.
*
* @throws TskCoreException If an error occurs accessing the case database.
*
*/
BlackboardAttribute.Type getAttributeType(int typeID) throws TskCoreException {
if (this.typeIdToAttributeTypeMap.containsKey(typeID)) {
return this.typeIdToAttributeTypeMap.get(typeID);
}
CaseDbConnection connection = null;
Statement s = null;
ResultSet rs = null;
caseDb.acquireSingleUserCaseReadLock();
try {
connection = caseDb.getConnection();
s = connection.createStatement();
rs = connection.executeQuery(s, "SELECT attribute_type_id, type_name, display_name, value_type FROM blackboard_attribute_types WHERE attribute_type_id = " + typeID + ""); //NON-NLS
BlackboardAttribute.Type type = null;
if (rs.next()) {
type = new BlackboardAttribute.Type(rs.getInt("attribute_type_id"), rs.getString("type_name"),
rs.getString("display_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(rs.getLong("value_type")));
this.typeIdToAttributeTypeMap.put(typeID, type);
this.typeNameToAttributeTypeMap.put(type.getTypeName(), type);
}
return type;
} catch (SQLException ex) {
throw new TskCoreException("Error getting attribute type id", ex);
} finally {
closeResultSet(rs);
closeStatement(s);
closeConnection(connection);
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get the artifact type associated with an artifact type name.
*
* @param artTypeName An artifact type name.
*
* @return An artifact type or null if the artifact type does not exist.
*
* @throws TskCoreException If an error occurs accessing the case database.
*
*/
public BlackboardArtifact.Type getArtifactType(String artTypeName) throws TskCoreException {
if (this.typeNameToArtifactTypeMap.containsKey(artTypeName)) {
return this.typeNameToArtifactTypeMap.get(artTypeName);
}
CaseDbConnection connection = null;
Statement s = null;
ResultSet rs = null;
caseDb.acquireSingleUserCaseReadLock();
try {
connection = caseDb.getConnection();
s = connection.createStatement();
rs = connection.executeQuery(s, "SELECT artifact_type_id, type_name, display_name, category_type FROM blackboard_artifact_types WHERE type_name = '" + artTypeName + "'"); //NON-NLS
BlackboardArtifact.Type type = null;
if (rs.next()) {
type = new BlackboardArtifact.Type(rs.getInt("artifact_type_id"),
rs.getString("type_name"), rs.getString("display_name"),
BlackboardArtifact.Category.fromID(rs.getInt("category_type")));
this.typeIdToArtifactTypeMap.put(type.getTypeID(), type);
this.typeNameToArtifactTypeMap.put(artTypeName, type);
}
return type;
} catch (SQLException ex) {
throw new TskCoreException("Error getting artifact type from the database", ex);
} finally {
closeResultSet(rs);
closeStatement(s);
closeConnection(connection);
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get the artifact type associated with an artifact type id.
*
* @param artTypeId An artifact type id.
*
* @return The artifact type.
*
* @throws TskCoreException If an error occurs accessing the case database
* or no value is found.
*
*/
public BlackboardArtifact.Type getArtifactType(int artTypeId) throws TskCoreException {
if (this.typeIdToArtifactTypeMap.containsKey(artTypeId)) {
return typeIdToArtifactTypeMap.get(artTypeId);
}
CaseDbConnection connection = null;
Statement s = null;
ResultSet rs = null;
caseDb.acquireSingleUserCaseReadLock();
try {
connection = caseDb.getConnection();
s = connection.createStatement();
rs = connection.executeQuery(s, "SELECT artifact_type_id, type_name, display_name, category_type FROM blackboard_artifact_types WHERE artifact_type_id = " + artTypeId + ""); //NON-NLS
BlackboardArtifact.Type type = null;
if (rs.next()) {
type = new BlackboardArtifact.Type(rs.getInt("artifact_type_id"),
rs.getString("type_name"), rs.getString("display_name"),
BlackboardArtifact.Category.fromID(rs.getInt("category_type")));
this.typeIdToArtifactTypeMap.put(artTypeId, type);
this.typeNameToArtifactTypeMap.put(type.getTypeName(), type);
return type;
} else {
throw new TskCoreException("No artifact type found matching id: " + artTypeId);
}
} catch (SQLException ex) {
throw new TskCoreException("Error getting artifact type from the database", ex);
} finally {
closeResultSet(rs);
closeStatement(s);
closeConnection(connection);
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get the list of attributes for the given artifact.
*
* @param artifact The artifact to load attributes for.
*
* @return The list of attributes.
*
* @throws TskCoreException
*/
public ArrayList<BlackboardAttribute> getBlackboardAttributes(final BlackboardArtifact artifact) throws TskCoreException {
CaseDbConnection connection = null;
Statement statement = null;
ResultSet rs = null;
String rowId;
switch (caseDb.getDatabaseType()) {
case POSTGRESQL:
rowId = "attrs.CTID";
break;
case SQLITE:
rowId = "attrs.ROWID";
break;
default:
throw new TskCoreException("Unknown database type: " + caseDb.getDatabaseType());
}
caseDb.acquireSingleUserCaseReadLock();
try {
connection = caseDb.getConnection();
statement = connection.createStatement();
rs = connection.executeQuery(statement, "SELECT attrs.artifact_id AS artifact_id, "
+ "attrs.source AS source, attrs.context AS context, attrs.attribute_type_id AS attribute_type_id, "
+ "attrs.value_type AS value_type, attrs.value_byte AS value_byte, "
+ "attrs.value_text AS value_text, attrs.value_int32 AS value_int32, "
+ "attrs.value_int64 AS value_int64, attrs.value_double AS value_double, "
+ "types.type_name AS type_name, types.display_name AS display_name "
+ "FROM blackboard_attributes AS attrs, blackboard_attribute_types AS types WHERE attrs.artifact_id = " + artifact.getArtifactID()
+ " AND attrs.attribute_type_id = types.attribute_type_id "
+ " ORDER BY " + rowId);
ArrayList<BlackboardAttribute> attributes = new ArrayList<>();
while (rs.next()) {
final BlackboardAttribute attr = createAttributeFromResultSet(rs);
attr.setParentDataSourceID(artifact.getDataSourceObjectID());
attributes.add(attr);
}
return attributes;
} catch (SQLException ex) {
throw new TskCoreException("Error getting attributes for artifact, artifact id = " + artifact.getArtifactID(), ex);
} finally {
closeResultSet(rs);
closeStatement(statement);
closeConnection(connection);
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Populate the attributes for all artifacts in the list. This is done using
* one database call as an efficient way to load many artifacts/attributes
* at once.
*
* @param arts The list of artifacts. When complete, each will have its
* attributes loaded.
*
* @throws org.sleuthkit.datamodel.TskCoreException
*/
@Beta
public <T extends BlackboardArtifact> void loadBlackboardAttributes(List<T> arts) throws TskCoreException {
if (arts.isEmpty()) {
return;
}
// Make a map of artifact ID to artifact
Map<Long, BlackboardArtifact> artifactMap = new HashMap<>();
for (BlackboardArtifact art : arts) {
artifactMap.put(art.getArtifactID(), art);
}
// Make a map of artifact ID to attribute list
Map<Long, List<BlackboardAttribute>> attributeMap = new HashMap<>();
// Get all artifact IDs as a comma-separated string
String idString = arts.stream().map(p -> Long.toString(p.getArtifactID())).collect(Collectors.joining(", "));
String rowId;
switch (caseDb.getDatabaseType()) {
case POSTGRESQL:
rowId = "attrs.CTID";
break;
case SQLITE:
rowId = "attrs.ROWID";
break;
default:
throw new TskCoreException("Unknown database type: " + caseDb.getDatabaseType());
}
// Get the attributes
CaseDbConnection connection = null;
Statement statement = null;
ResultSet rs = null;
caseDb.acquireSingleUserCaseReadLock();
try {
connection = caseDb.getConnection();
statement = connection.createStatement();
rs = connection.executeQuery(statement, "SELECT attrs.artifact_id AS artifact_id, "
+ "attrs.source AS source, attrs.context AS context, attrs.attribute_type_id AS attribute_type_id, "
+ "attrs.value_type AS value_type, attrs.value_byte AS value_byte, "
+ "attrs.value_text AS value_text, attrs.value_int32 AS value_int32, "
+ "attrs.value_int64 AS value_int64, attrs.value_double AS value_double, "
+ "types.type_name AS type_name, types.display_name AS display_name "
+ "FROM blackboard_attributes AS attrs, blackboard_attribute_types AS types WHERE attrs.artifact_id IN (" + idString + ") "
+ " AND attrs.attribute_type_id = types.attribute_type_id"
+ " ORDER BY " + rowId);
while (rs.next()) {
final BlackboardAttribute attr = createAttributeFromResultSet(rs);
attr.setParentDataSourceID(artifactMap.get(attr.getArtifactID()).getDataSourceObjectID());
// Collect the list of attributes for each artifact
if (!attributeMap.containsKey(attr.getArtifactID())) {
attributeMap.put(attr.getArtifactID(), new ArrayList<>());
}
attributeMap.get(attr.getArtifactID()).add(attr);
}
// Save the attributes to the artifacts
for (Long artifactID : attributeMap.keySet()) {
artifactMap.get(artifactID).setAttributes(attributeMap.get(artifactID));
}
} catch (SQLException ex) {
throw new TskCoreException("Error loading attributes", ex);
} finally {
closeResultSet(rs);
closeStatement(statement);
closeConnection(connection);
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Create a BlackboardAttribute artifact from the result set. Does not set
* the data source ID.
*
* @param rs The result set.
*
* @return The corresponding BlackboardAttribute object.
*/
private BlackboardAttribute createAttributeFromResultSet(ResultSet rs) throws SQLException {
int attributeTypeId = rs.getInt("attribute_type_id");
String attributeTypeName = rs.getString("type_name");
BlackboardAttribute.Type attributeType;
if (this.typeIdToAttributeTypeMap.containsKey(attributeTypeId)) {
attributeType = this.typeIdToAttributeTypeMap.get(attributeTypeId);
} else {
attributeType = new BlackboardAttribute.Type(attributeTypeId, attributeTypeName,
rs.getString("display_name"),
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(rs.getInt("value_type")));
this.typeIdToAttributeTypeMap.put(attributeTypeId, attributeType);
this.typeNameToAttributeTypeMap.put(attributeTypeName, attributeType);
}
return new BlackboardAttribute(
rs.getLong("artifact_id"),
attributeType,
rs.getString("source"),
rs.getString("context"),
rs.getInt("value_int32"),
rs.getLong("value_int64"),
rs.getDouble("value_double"),
rs.getString("value_text"),
rs.getBytes("value_byte"), caseDb
);
}
/**
* Get the attributes associated with the given file.
*
* @param file
*
* @return
*
* @throws TskCoreException
*/
ArrayList<Attribute> getFileAttributes(final AbstractFile file) throws TskCoreException {
CaseDbConnection connection = null;
Statement statement = null;
ResultSet rs = null;
caseDb.acquireSingleUserCaseReadLock();
try {
connection = caseDb.getConnection();
statement = connection.createStatement();
rs = connection.executeQuery(statement, "SELECT attrs.id as id, attrs.obj_id AS obj_id, "
+ "attrs.attribute_type_id AS attribute_type_id, "
+ "attrs.value_type AS value_type, attrs.value_byte AS value_byte, "
+ "attrs.value_text AS value_text, attrs.value_int32 AS value_int32, "
+ "attrs.value_int64 AS value_int64, attrs.value_double AS value_double, "
+ "types.type_name AS type_name, types.display_name AS display_name "
+ "FROM tsk_file_attributes AS attrs "
+ " INNER JOIN blackboard_attribute_types AS types "
+ " ON attrs.attribute_type_id = types.attribute_type_id "
+ " WHERE attrs.obj_id = " + file.getId());
ArrayList<Attribute> attributes = new ArrayList<Attribute>();
while (rs.next()) {
int attributeTypeId = rs.getInt("attribute_type_id");
String attributeTypeName = rs.getString("type_name");
BlackboardAttribute.Type attributeType;
if (this.typeIdToAttributeTypeMap.containsKey(attributeTypeId)) {
attributeType = this.typeIdToAttributeTypeMap.get(attributeTypeId);
} else {
attributeType = new BlackboardAttribute.Type(attributeTypeId, attributeTypeName,
rs.getString("display_name"),
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(rs.getInt("value_type")));
this.typeIdToAttributeTypeMap.put(attributeTypeId, attributeType);
this.typeNameToAttributeTypeMap.put(attributeTypeName, attributeType);
}
final Attribute attr = new Attribute(
rs.getLong("id"),
rs.getLong("obj_id"),
attributeType,
rs.getInt("value_int32"),
rs.getLong("value_int64"),
rs.getDouble("value_double"),
rs.getString("value_text"),
rs.getBytes("value_byte"), caseDb
);
attributes.add(attr);
}
return attributes;
} catch (SQLException ex) {
throw new TskCoreException("Error getting attributes for file, file id = " + file.getId(), ex);
} finally {
closeResultSet(rs);
closeStatement(statement);
closeConnection(connection);
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Adds the standard artifact types to the blackboard_artifact_types table
* and the artifact type caches.
*
* @param connection A connection to the case database.
*
* @throws SQLException Thrown if there is an error adding a type to the
* table.
*/
void initBlackboardArtifactTypes(CaseDbConnection connection) throws SQLException {
caseDb.acquireSingleUserCaseWriteLock();
try (Statement statement = connection.createStatement()) {
/*
* Determine which types, if any, have already been added to the
* case database, and load them into the type caches. For a case
* that is being reopened, this should reduce the number of separate
* INSERT staements that will be executed below.
*/
ResultSet resultSet = connection.executeQuery(statement, "SELECT artifact_type_id, type_name, display_name, category_type FROM blackboard_artifact_types"); //NON-NLS
while (resultSet.next()) {
BlackboardArtifact.Type type = new BlackboardArtifact.Type(resultSet.getInt("artifact_type_id"),
resultSet.getString("type_name"), resultSet.getString("display_name"),
BlackboardArtifact.Category.fromID(resultSet.getInt("category_type")));
typeIdToArtifactTypeMap.put(type.getTypeID(), type);
typeNameToArtifactTypeMap.put(type.getTypeName(), type);
}
/*
* INSERT any missing standard types. A conflict clause is used to
* avoid a potential race condition. It also eliminates the need to
* add schema update code when new types are added.
*
* The use here of the soon to be deprecated
* BlackboardArtifact.ARTIFACT_TYPE enum instead of the
* BlackboardArtifact.Type.STANDARD_TYPES collection currently
* ensures that the deprecated types in the former, and not in the
* latter, are added to the case database.
*/
for (BlackboardArtifact.ARTIFACT_TYPE type : BlackboardArtifact.ARTIFACT_TYPE.values()) {
if (typeIdToArtifactTypeMap.containsKey(type.getTypeID())) {
continue;
}
if (caseDb.getDatabaseType() == TskData.DbType.POSTGRESQL) {
statement.execute("INSERT INTO blackboard_artifact_types (artifact_type_id, type_name, display_name, category_type) VALUES (" + type.getTypeID() + " , '" + type.getLabel() + "', '" + type.getDisplayName() + "' , " + type.getCategory().getID() + ") ON CONFLICT DO NOTHING"); //NON-NLS
} else {
statement.execute("INSERT OR IGNORE INTO blackboard_artifact_types (artifact_type_id, type_name, display_name, category_type) VALUES (" + type.getTypeID() + " , '" + type.getLabel() + "', '" + type.getDisplayName() + "' , " + type.getCategory().getID() + ")"); //NON-NLS
}
typeIdToArtifactTypeMap.put(type.getTypeID(), new BlackboardArtifact.Type(type));
typeNameToArtifactTypeMap.put(type.getLabel(), new BlackboardArtifact.Type(type));
}
if (caseDb.getDatabaseType() == TskData.DbType.POSTGRESQL) {
int newPrimaryKeyIndex = Collections.max(Arrays.asList(BlackboardArtifact.ARTIFACT_TYPE.values())).getTypeID() + 1;
statement.execute("ALTER SEQUENCE blackboard_artifact_types_artifact_type_id_seq RESTART WITH " + newPrimaryKeyIndex); //NON-NLS
}
} finally {
caseDb.releaseSingleUserCaseWriteLock();
}
}
/**
* Adds the standard attribute types to the blackboard_attribute_types table
* and the attribute type caches.
*
* @param connection A connection to the case database.
*
* @throws SQLException Thrown if there is an error adding a type to the
* table.
*/
void initBlackboardAttributeTypes(CaseDbConnection connection) throws SQLException {
caseDb.acquireSingleUserCaseWriteLock();
try (Statement statement = connection.createStatement()) {
/*
* Determine which types, if any, have already been added to the
* case database, and load them into the type caches. For a case
* that is being reopened, this should reduce the number of separate
* INSERT staements that will be executed below.
*/
ResultSet resultSet = connection.executeQuery(statement, "SELECT attribute_type_id, type_name, display_name, value_type FROM blackboard_attribute_types"); //NON-NLS
while (resultSet.next()) {
BlackboardAttribute.Type type = new BlackboardAttribute.Type(resultSet.getInt("attribute_type_id"),
resultSet.getString("type_name"), resultSet.getString("display_name"),
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(resultSet.getLong("value_type")));
typeIdToAttributeTypeMap.put(type.getTypeID(), type);
typeNameToAttributeTypeMap.put(type.getTypeName(), type);
}
/*
* INSERT any missing standard types. A conflict clause is used to
* avoid a potential race condition. It also eliminates the need to
* add schema update code when new types are added.
*
* The use here of the soon to be deprecated
* BlackboardAttribute.ATTRIBUTE_TYPE enum instead of the
* BlackboardAttribute.Type.STANDARD_TYPES collection currently
* ensures that the deprecated types in the former, and not in the
* latter, are added to the case database.
*/
for (BlackboardAttribute.ATTRIBUTE_TYPE type : BlackboardAttribute.ATTRIBUTE_TYPE.values()) {
if (typeIdToAttributeTypeMap.containsKey(type.getTypeID())) {
continue;
}
if (caseDb.getDatabaseType() == TskData.DbType.POSTGRESQL) {
statement.execute("INSERT INTO blackboard_attribute_types (attribute_type_id, type_name, display_name, value_type) VALUES (" + type.getTypeID() + ", '" + type.getLabel() + "', '" + type.getDisplayName() + "', '" + type.getValueType().getType() + "') ON CONFLICT DO NOTHING"); //NON-NLS
} else {
statement.execute("INSERT OR IGNORE INTO blackboard_attribute_types (attribute_type_id, type_name, display_name, value_type) VALUES (" + type.getTypeID() + ", '" + type.getLabel() + "', '" + type.getDisplayName() + "', '" + type.getValueType().getType() + "')"); //NON-NLS
}
typeIdToAttributeTypeMap.put(type.getTypeID(), new BlackboardAttribute.Type(type));
typeNameToAttributeTypeMap.put(type.getLabel(), new BlackboardAttribute.Type(type));
}
if (caseDb.getDatabaseType() == TskData.DbType.POSTGRESQL) {
int newPrimaryKeyIndex = Collections.max(Arrays.asList(BlackboardAttribute.ATTRIBUTE_TYPE.values())).getTypeID() + 1;
statement.execute("ALTER SEQUENCE blackboard_attribute_types_attribute_type_id_seq RESTART WITH " + newPrimaryKeyIndex); //NON-NLS
}
} finally {
caseDb.releaseSingleUserCaseWriteLock();
}
}
/**
* Adds new analysis result artifact.
*
* @param artifactType Type of analysis result artifact to create.
* @param objId Object id of parent.
* @param dataSourceObjId Data source object id, may be null.
* @param score Score associated with this analysis result.
* @param conclusion Conclusion of the analysis, may be null or an
* empty string.
* @param configuration Configuration associated with this analysis, may
* be null or an empty string.
* @param justification Justification, may be null or an empty string.
* @param attributesList Attributes to be attached to this analysis result
* artifact.
*
* @return AnalysisResultAdded The analysis return added and the current
* aggregate score of content.
*
* @throws TskCoreException
* @throws BlackboardException exception thrown if a critical error occurs
* within TSK core
*/
public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type artifactType, long objId, Long dataSourceObjId, Score score,
String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList)
throws BlackboardException, TskCoreException {
if (artifactType.getCategory() != BlackboardArtifact.Category.ANALYSIS_RESULT) {
throw new BlackboardException(String.format("Artifact type (name = %s) is not of Analysis Result category. ", artifactType.getTypeName()));
}
CaseDbTransaction transaction = caseDb.beginTransaction();
try {
AnalysisResultAdded analysisResult = newAnalysisResult(artifactType, objId, dataSourceObjId, score,
conclusion, configuration, justification, attributesList, transaction);
transaction.commit();
return analysisResult;
} catch (TskCoreException | BlackboardException ex) {
try {
transaction.rollback();
} catch (TskCoreException ex2) {
LOGGER.log(Level.SEVERE, "Failed to rollback transaction after exception. "
+ "Error invoking newAnalysisResult with dataSourceObjId: "
+ (dataSourceObjId == null ? "<null>" : dataSourceObjId)
+ ", sourceObjId: " + objId, ex2);
}
throw ex;
}
}
/**
* Adds new analysis result artifact.
*
* @param artifactType Type of analysis result artifact to create.
* @param objId Object id of parent.
* @param dataSourceObjId Data source object id, may be null.
* @param score Score associated with this analysis result.
* @param conclusion Conclusion of the analysis, may be null or an
* empty string.
* @param configuration Configuration associated with this analysis, may
* be null or an empty string.
* @param justification Justification, may be null or an empty string.
* @param attributesList Attributes to be attached to this analysis result
* artifact.
* @param transaction DB transaction to use.
*
* @return AnalysisResultAdded The analysis return added and the current
* aggregate score of content.
*
* @throws BlackboardException exception thrown if a critical error occurs
* within TSK core
*/
public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type artifactType, long objId, Long dataSourceObjId, Score score,
String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList, CaseDbTransaction transaction) throws BlackboardException {
if (artifactType.getCategory() != BlackboardArtifact.Category.ANALYSIS_RESULT) {
throw new BlackboardException(String.format("Artifact type (name = %s) is not of Analysis Result category. ", artifactType.getTypeName()));
}
try {
// add analysis result
AnalysisResult analysisResult = caseDb.newAnalysisResult(artifactType, objId, dataSourceObjId, score, conclusion, configuration, justification, transaction.getConnection());
// add the given attributes
if (attributesList != null && !attributesList.isEmpty()) {
analysisResult.addAttributes(attributesList, transaction);
}
// update the final score for the object
Score aggregateScore = caseDb.getScoringManager().updateAggregateScoreAfterAddition(objId, dataSourceObjId, analysisResult.getScore(), transaction);
// return the analysis result and the current aggregate score.
return new AnalysisResultAdded(analysisResult, aggregateScore);
} catch (TskCoreException ex) {
throw new BlackboardException("Failed to add analysis result.", ex);
}
}
/**
* Delete the specified analysis result.
*
* Deletes the result from blackboard_artifacts and tsk_analysis_results,
* and recalculates and updates the aggregate score of the content. Fires an
* event to indicate that the analysis result has been deleted and that the
* score of the item has changed.
*
* @param analysisResult AnalysisResult to delete.
*
* @return New score of the content.
*
* @throws TskCoreException
*/
public Score deleteAnalysisResult(AnalysisResult analysisResult) throws TskCoreException {
CaseDbTransaction transaction = this.caseDb.beginTransaction();
try {
Score score = deleteAnalysisResult(analysisResult, transaction);
transaction.commit();
transaction = null;
return score;
} finally {
if (transaction != null) {
transaction.rollback();
}
}
}
/**
* Delete the specified analysis result.
*
* Deletes the result from blackboard_artifacts and tsk_analysis_results,
* and recalculates and updates the aggregate score of the content.
*
* @param artifactObjId Artifact Obj Id to be deleted
* @param transaction
*
* @return
*
* @throws TskCoreException
*/
public Score deleteAnalysisResult(long artifactObjId, CaseDbTransaction transaction) throws TskCoreException {
List<AnalysisResult> analysisResults = getAnalysisResultsWhere(" artifacts.artifact_obj_id = " + artifactObjId, transaction.getConnection());
if (analysisResults.isEmpty()) {
throw new TskCoreException(String.format("Analysis Result not found for artifact obj id %d", artifactObjId));
}
return deleteAnalysisResult(analysisResults.get(0), transaction);
}
/**
* Delete the specified analysis result.
*
* Deletes the result from blackboard_artifacts and tsk_analysis_results,
* and recalculates and updates the aggregate score of the content.
*
* @param analysisResult AnalysisResult to delete.
* @param transaction Transaction to use for database operations.
*
* @return New score of the content.
*
* @throws TskCoreException
*/
private Score deleteAnalysisResult(AnalysisResult analysisResult, CaseDbTransaction transaction) throws TskCoreException {
try {
CaseDbConnection connection = transaction.getConnection();
// delete the blackboard artifacts row. This will also delete the tsk_analysis_result row
String deleteSQL = "DELETE FROM blackboard_artifacts WHERE artifact_obj_id = ?";
PreparedStatement deleteStatement = connection.getPreparedStatement(deleteSQL, Statement.RETURN_GENERATED_KEYS);
deleteStatement.clearParameters();
deleteStatement.setLong(1, analysisResult.getId());
deleteStatement.executeUpdate();
// register the deleted result with the transaction so an event can be fired for it.
transaction.registerDeletedAnalysisResult(analysisResult.getObjectID());
return caseDb.getScoringManager().updateAggregateScoreAfterDeletion(analysisResult.getObjectID(), analysisResult.getDataSourceObjectID(), transaction);
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error deleting analysis result with artifact obj id %d", analysisResult.getId()), ex);
}
}
private final static String ANALYSIS_RESULT_QUERY_STRING_GENERIC = "SELECT DISTINCT artifacts.artifact_id AS artifact_id, " //NON-NLS
+ " artifacts.obj_id AS obj_id, artifacts.artifact_obj_id AS artifact_obj_id, artifacts.data_source_obj_id AS data_source_obj_id, artifacts.artifact_type_id AS artifact_type_id, "
+ " types.type_name AS type_name, types.display_name AS display_name, types.category_type as category_type,"//NON-NLS
+ " artifacts.review_status_id AS review_status_id, " //NON-NLS
+ " results.conclusion AS conclusion, results.significance AS significance, results.priority AS priority, "
+ " results.configuration AS configuration, results.justification AS justification "
+ " FROM blackboard_artifacts AS artifacts "
+ " JOIN blackboard_artifact_types AS types " //NON-NLS
+ " ON artifacts.artifact_type_id = types.artifact_type_id" //NON-NLS
+ " LEFT JOIN tsk_analysis_results AS results "
+ " ON artifacts.artifact_obj_id = results.artifact_obj_id "; //NON-NLS
private final static String ANALYSIS_RESULT_QUERY_STRING_WITH_ATTRIBUTES
= ANALYSIS_RESULT_QUERY_STRING_GENERIC
+ " JOIN blackboard_attributes AS attributes " //NON-NLS
+ " ON artifacts.artifact_id = attributes.artifact_id " //NON-NLS
+ " WHERE types.category_type = " + BlackboardArtifact.Category.ANALYSIS_RESULT.getID(); // NON-NLS
private final static String ANALYSIS_RESULT_QUERY_STRING_WHERE
= ANALYSIS_RESULT_QUERY_STRING_GENERIC
+ " WHERE artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID() //NON-NLS
+ " AND types.category_type = " + BlackboardArtifact.Category.ANALYSIS_RESULT.getID(); // NON-NLS
/**
* Get all analysis results of given artifact type.
*
* @param artifactTypeId The artifact type id for which to search.
*
* @return The list of analysis results.
*
* @throws TskCoreException Exception thrown if a critical error occurs
* within TSK core.
*/
public List<AnalysisResult> getAnalysisResultsByType(int artifactTypeId) throws TskCoreException {
return getAnalysisResultsWhere(" artifacts.artifact_type_id = " + artifactTypeId);
}
/**
* Get all analysis results of given artifact type.
*
* @param artifactTypeId The artifact type id for which to search.
* @param dataSourceObjId Object Id of the data source to look under.
*
* @return The list of analysis results.
*
* @throws TskCoreException Exception thrown if a critical error occurs
* within TSK core.
*/
public List<AnalysisResult> getAnalysisResultsByType(int artifactTypeId, long dataSourceObjId) throws TskCoreException {
return getAnalysisResultsWhere(" artifacts.artifact_type_id = " + artifactTypeId + " AND artifacts.data_source_obj_id = " + dataSourceObjId);
}
/**
* Gets all analysis results of a given type for a given data source. To get
* all the analysis results for the data source, pass null for the type ID.
*
* @param dataSourceObjId The object ID of the data source.
* @param artifactTypeID The type ID of the desired analysis results or
* null.
*
* @return A list of the analysis results, possibly empty.
*
* @throws TskCoreException This exception is thrown if there is an error
* querying the case database.
*/
public List<AnalysisResult> getAnalysisResults(long dataSourceObjId, Integer artifactTypeID) throws TskCoreException {
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
String whereClause = " artifacts.data_source_obj_id = " + dataSourceObjId;
if (artifactTypeID != null) {
whereClause += " AND artifacts.artifact_type_id = " + artifactTypeID;
}
return getAnalysisResultsWhere(whereClause, connection);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get all analysis results for a given object.
*
* @param sourceObjId Object id.
*
* @return list of analysis results.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
public List<AnalysisResult> getAnalysisResults(long sourceObjId) throws TskCoreException {
return getAnalysisResultsWhere(" artifacts.obj_id = " + sourceObjId);
}
/**
* Get all data artifacts for a given object.
*
* @param sourceObjId Object id.
*
* @return List of data artifacts.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
List<DataArtifact> getDataArtifactsBySource(long sourceObjId) throws TskCoreException {
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
return getDataArtifactsWhere(String.format(" artifacts.obj_id = %d", sourceObjId), connection);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Returns true if there are data artifacts belonging to the sourceObjId.
*
* @param sourceObjId The source content object id.
*
* @return True if there are data artifacts belonging to this source obj id.
*
* @throws TskCoreException
*/
public boolean hasDataArtifacts(long sourceObjId) throws TskCoreException {
return hasArtifactsOfCategory(BlackboardArtifact.Category.DATA_ARTIFACT, sourceObjId);
}
/**
* Returns true if there are analysis results belonging to the sourceObjId.
*
* @param sourceObjId The source content object id.
*
* @return True if there are analysis results belonging to this source obj
* id.
*
* @throws TskCoreException
*/
public boolean hasAnalysisResults(long sourceObjId) throws TskCoreException {
return hasArtifactsOfCategory(BlackboardArtifact.Category.ANALYSIS_RESULT, sourceObjId);
}
/**
* Returns true if there are artifacts of the given category belonging to
* the sourceObjId.
*
* @param category The category of the artifacts.
* @param sourceObjId The source content object id.
*
* @return True if there are artifacts of the given category belonging to
* this source obj id.
*
* @throws TskCoreException
*/
private boolean hasArtifactsOfCategory(BlackboardArtifact.Category category, long sourceObjId) throws TskCoreException {
String queryString = "SELECT COUNT(*) AS count " //NON-NLS
+ " FROM blackboard_artifacts AS arts "
+ " JOIN blackboard_artifact_types AS types " //NON-NLS
+ " ON arts.artifact_type_id = types.artifact_type_id" //NON-NLS
+ " WHERE types.category_type = " + category.getID()
+ " AND arts.obj_id = " + sourceObjId;
caseDb.acquireSingleUserCaseReadLock();
try (SleuthkitCase.CaseDbConnection connection = caseDb.getConnection();
Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, queryString);) {
if (resultSet.next()) {
return resultSet.getLong("count") > 0;
}
return false;
} catch (SQLException ex) {
throw new TskCoreException("Error getting artifact types is use for data source." + ex.getMessage(), ex);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get all analysis results for a given object.
*
* @param sourceObjId Object id.
* @param connection Database connection to use.
*
*
* @return list of analysis results.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
List<AnalysisResult> getAnalysisResults(long sourceObjId, CaseDbConnection connection) throws TskCoreException {
return getAnalysisResultsWhere(" artifacts.obj_id = " + sourceObjId, connection);
}
/**
* Get analysis results of the given type, for the given object.
*
* @param sourceObjId Object id.
* @param artifactTypeId Result type to get.
*
* @return list of analysis results.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
public List<AnalysisResult> getAnalysisResults(long sourceObjId, int artifactTypeId) throws TskCoreException {
// Get the artifact type to check that it in the analysis result category.
BlackboardArtifact.Type artifactType = getArtifactType(artifactTypeId);
if (artifactType.getCategory() != BlackboardArtifact.Category.ANALYSIS_RESULT) {
throw new TskCoreException(String.format("Artifact type id %d is not in analysis result catgeory.", artifactTypeId));
}
String whereClause = " types.artifact_type_id = " + artifactTypeId
+ " AND artifacts.obj_id = " + sourceObjId;
return getAnalysisResultsWhere(whereClause);
}
/**
* Get all analysis results matching the given where sub-clause.
*
*
* @param whereClause Where sub clause, specifies conditions to match.
*
* @return list of analysis results.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
public List<AnalysisResult> getAnalysisResultsWhere(String whereClause) throws TskCoreException {
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
return getAnalysisResultsWhere(whereClause, connection);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get all analysis results matching the given where sub-clause. Uses the
* given database connection to execute the query.
*
* @param whereClause Where sub clause, specifies conditions to match.
* @param connection Database connection to use.
*
* @return list of analysis results.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core
*/
List<AnalysisResult> getAnalysisResultsWhere(String whereClause, CaseDbConnection connection) throws TskCoreException {
final String queryString = ANALYSIS_RESULT_QUERY_STRING_WHERE
+ " AND " + whereClause;
try (Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, queryString);) {
List<AnalysisResult> analysisResults = resultSetToAnalysisResults(resultSet);
return analysisResults;
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error getting analysis results for WHERE clause = '%s'", whereClause), ex);
}
}
/**
* Get the analysis results by its artifact_obj_id.
*
* @param artifactObjId Artifact object id of the analysis result.
*
* @return AnalysisResult.
*
* @throws TskCoreException If a critical error occurred within TSK core.
*/
public AnalysisResult getAnalysisResultById(long artifactObjId) throws TskCoreException {
String whereClause = " artifacts.artifact_obj_id = " + artifactObjId;
List<AnalysisResult> results = getAnalysisResultsWhere(whereClause);
if (results.isEmpty()) { // throw an error if no analysis result found by id.
throw new TskCoreException(String.format("Error getting analysis result with id = '%d'", artifactObjId));
}
if (results.size() > 1) { // should not happen - throw an error
throw new TskCoreException(String.format("Multiple analysis results found with id = '%d'", artifactObjId));
}
return results.get(0);
}
/**
* Creates AnalysisResult objects for the result set of a table query of the
* form "SELECT * FROM blackboard_artifacts JOIN WHERE XYZ".
*
* @param rs A result set from a query of the blackboard_artifacts table of
* the form "SELECT * FROM blackboard_artifacts,
* tsk_analysis_results WHERE ...".
*
* @return A list of BlackboardArtifact objects.
*
* @throws SQLException Thrown if there is a problem iterating through
* the result set.
* @throws TskCoreException Thrown if there is an error looking up the
* artifact type id.
*/
private List<AnalysisResult> resultSetToAnalysisResults(ResultSet resultSet) throws SQLException, TskCoreException {
ArrayList<AnalysisResult> analysisResults = new ArrayList<>();
while (resultSet.next()) {
analysisResults.add(new AnalysisResult(caseDb, resultSet.getLong("artifact_id"), resultSet.getLong("obj_id"),
resultSet.getLong("artifact_obj_id"),
resultSet.getObject("data_source_obj_id") != null ? resultSet.getLong("data_source_obj_id") : null,
resultSet.getInt("artifact_type_id"), resultSet.getString("type_name"), resultSet.getString("display_name"),
BlackboardArtifact.ReviewStatus.withID(resultSet.getInt("review_status_id")),
new Score(Score.Significance.fromID(resultSet.getInt("significance")), Score.Priority.fromID(resultSet.getInt("priority"))),
resultSet.getString("conclusion"), resultSet.getString("configuration"), resultSet.getString("justification")));
} //end for each resultSet
return analysisResults;
}
private final static String DATA_ARTIFACT_QUERY_STRING_GENERIC = "SELECT DISTINCT artifacts.artifact_id AS artifact_id, " //NON-NLS
+ "artifacts.obj_id AS obj_id, artifacts.artifact_obj_id AS artifact_obj_id, artifacts.data_source_obj_id AS data_source_obj_id, artifacts.artifact_type_id AS artifact_type_id, " //NON-NLS
+ " types.type_name AS type_name, types.display_name AS display_name, types.category_type as category_type,"//NON-NLS
+ " artifacts.review_status_id AS review_status_id, " //NON-NLS
+ " data_artifacts.os_account_obj_id as os_account_obj_id " //NON-NLS
+ " FROM blackboard_artifacts AS artifacts " //NON-NLS
+ " JOIN blackboard_artifact_types AS types " //NON-NLS
+ " ON artifacts.artifact_type_id = types.artifact_type_id" //NON-NLS
+ " LEFT JOIN tsk_data_artifacts AS data_artifacts " //NON-NLS
+ " ON artifacts.artifact_obj_id = data_artifacts.artifact_obj_id "; //NON-NLS
private final static String DATA_ARTIFACT_QUERY_STRING_WITH_ATTRIBUTES
= DATA_ARTIFACT_QUERY_STRING_GENERIC
+ " JOIN blackboard_attributes AS attributes " //NON-NLS
+ " ON artifacts.artifact_id = attributes.artifact_id " //NON-NLS
+ " WHERE types.category_type = " + BlackboardArtifact.Category.DATA_ARTIFACT.getID(); // NON-NLS
private final static String DATA_ARTIFACT_QUERY_STRING_WHERE
= DATA_ARTIFACT_QUERY_STRING_GENERIC
+ " WHERE artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID() //NON-NLS
+ " AND types.category_type = " + BlackboardArtifact.Category.DATA_ARTIFACT.getID(); // NON-NLS
/**
* Gets all data artifacts of a given type for a given data source. To get
* all the data artifacts for the data source, pass null for the type ID.
*
* @param dataSourceObjId The object ID of the data source.
* @param artifactTypeID The type ID of the desired artifacts or null.
*
* @return A list of the data artifacts, possibly empty.
*
* @throws TskCoreException This exception is thrown if there is an error
* querying the case database.
*/
public List<DataArtifact> getDataArtifacts(long dataSourceObjId, Integer artifactTypeID) throws TskCoreException {
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
String whereClause = " artifacts.data_source_obj_id = " + dataSourceObjId;
if (artifactTypeID != null) {
whereClause += " AND artifacts.artifact_type_id = " + artifactTypeID;
}
return getDataArtifactsWhere(whereClause, connection);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get all data artifacts of a given type for a given data source.
*
* @param artifactTypeID Artifact type to get.
* @param dataSourceObjId Data source to look under.
*
* @return List of data artifacts. May be an empty list.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
public List<DataArtifact> getDataArtifacts(int artifactTypeID, long dataSourceObjId) throws TskCoreException {
// Get the artifact type to check that it in the data artifact category.
BlackboardArtifact.Type artifactType = getArtifactType(artifactTypeID);
if (artifactType.getCategory() != BlackboardArtifact.Category.DATA_ARTIFACT) {
throw new TskCoreException(String.format("Artifact type id %d is not in data artifact catgeory.", artifactTypeID));
}
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
String whereClause = "artifacts.data_source_obj_id = " + dataSourceObjId
+ " AND artifacts.artifact_type_id = " + artifactTypeID;
return getDataArtifactsWhere(whereClause, connection);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get all data artifacts of a given type.
*
* @param artifactTypeID Artifact type to get.
*
* @return List of data artifacts. May be an empty list.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
public List<DataArtifact> getDataArtifacts(int artifactTypeID) throws TskCoreException {
// Get the artifact type to check that it in the data artifact category.
BlackboardArtifact.Type artifactType = getArtifactType(artifactTypeID);
if (artifactType.getCategory() != BlackboardArtifact.Category.DATA_ARTIFACT) {
throw new TskCoreException(String.format("Artifact type id %d is not in data artifact catgeory.", artifactTypeID));
}
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
String whereClause = " artifacts.artifact_type_id = " + artifactTypeID;
return getDataArtifactsWhere(whereClause, connection);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get the data artifact with the given artifact obj id.
*
* @param artifactObjId Object id of the data artifact to get.
*
* @return Data artifact with given artifact object id.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
public DataArtifact getDataArtifactById(long artifactObjId) throws TskCoreException {
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
String whereClause = " artifacts.artifact_obj_id = " + artifactObjId;
List<DataArtifact> artifacts = getDataArtifactsWhere(whereClause, connection);
if (artifacts.isEmpty()) { // throw an error if no analysis result found by id.
throw new TskCoreException(String.format("Error getting data artifact with id = '%d'", artifactObjId));
}
if (artifacts.size() > 1) { // should not happen - throw an error
throw new TskCoreException(String.format("Multiple data artifacts found with id = '%d'", artifactObjId));
}
return artifacts.get(0);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get all data artifacts matching the given where sub-clause.
*
* @param whereClause SQL Where sub-clause, specifies conditions to match.
*
* @return List of data artifacts. May be an empty list.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
public List<DataArtifact> getDataArtifactsWhere(String whereClause) throws TskCoreException {
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
return getDataArtifactsWhere(whereClause, connection);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get all data artifacts matching the given where sub-clause. Uses the
* given database connection to execute the query.
*
* @param whereClause SQL Where sub-clause, specifies conditions to match.
* @param connection Database connection to use.
*
* @return List of data artifacts. May be an empty list.
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core.
*/
List<DataArtifact> getDataArtifactsWhere(String whereClause, CaseDbConnection connection) throws TskCoreException {
final String queryString = DATA_ARTIFACT_QUERY_STRING_WHERE
+ " AND " + whereClause + " ";
try (Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, queryString);) {
List<DataArtifact> dataArtifacts = resultSetToDataArtifacts(resultSet);
return dataArtifacts;
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error getting data artifacts with queryString = %s", queryString), ex);
}
}
/**
* Creates DataArtifacts objects for the resultset of a table query of the
* form "SELECT * FROM blackboard_artifacts JOIN data_artifacts WHERE ...".
*
* @param resultSet A result set from a query of the blackboard_artifacts
* table of the form "SELECT * FROM blackboard_artifacts,
* tsk_data_artifacts WHERE ...".
*
* @return A list of DataArtifact objects.
*
* @throws SQLException Thrown if there is a problem iterating through
* the result set.
* @throws TskCoreException Thrown if there is an error looking up the
* artifact type id.
*/
private List<DataArtifact> resultSetToDataArtifacts(ResultSet resultSet) throws SQLException, TskCoreException {
ArrayList<DataArtifact> dataArtifacts = new ArrayList<>();
while (resultSet.next()) {
Long osAccountObjId = resultSet.getLong("os_account_obj_id");
if (resultSet.wasNull()) {
osAccountObjId = null;
}
dataArtifacts.add(new DataArtifact(caseDb, resultSet.getLong("artifact_id"), resultSet.getLong("obj_id"),
resultSet.getLong("artifact_obj_id"),
resultSet.getObject("data_source_obj_id") != null ? resultSet.getLong("data_source_obj_id") : null,
resultSet.getInt("artifact_type_id"), resultSet.getString("type_name"), resultSet.getString("display_name"),
BlackboardArtifact.ReviewStatus.withID(resultSet.getInt("review_status_id")), osAccountObjId, false));
} //end for each resultSet
return dataArtifacts;
}
/**
* Gets an attribute type, creating it if it does not already exist. Use
* this method to define custom attribute types.
*
* NOTE: This method is synchronized to prevent simultaneous access from
* different threads, but there is still the possibility of concurrency
* issues from different clients.
*
* @param typeName The type name of the attribute type.
* @param valueType The value type of the attribute type.
* @param displayName The display name of the attribute type.
*
* @return A type object representing the attribute type.
*
* @throws BlackboardException If there is a problem getting or adding the
* attribute type.
*/
public synchronized BlackboardAttribute.Type getOrAddAttributeType(String typeName, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType, String displayName) throws BlackboardException {
// check local cache
if (typeNameToAttributeTypeMap.containsKey(typeName)) {
return typeNameToAttributeTypeMap.get(typeName);
}
CaseDbTransaction trans = null;
try {
trans = this.caseDb.beginTransaction();
String matchingAttrQuery = "SELECT attribute_type_id, type_name, display_name, value_type "
+ "FROM blackboard_attribute_types WHERE type_name = ?";
// find matching attribute name
PreparedStatement query = trans.getConnection().getPreparedStatement(matchingAttrQuery, Statement.RETURN_GENERATED_KEYS);
query.clearParameters();
query.setString(1, typeName);
try (ResultSet rs = query.executeQuery()) {
// if previously existing, commit the results and return the attribute type
if (rs.next()) {
trans.commit();
trans = null;
BlackboardAttribute.Type foundType = new BlackboardAttribute.Type(
rs.getInt("attribute_type_id"),
rs.getString("type_name"),
rs.getString("display_name"),
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.fromType(rs.getLong("value_type"))
);
this.typeIdToAttributeTypeMap.put(foundType.getTypeID(), foundType);
this.typeNameToAttributeTypeMap.put(foundType.getTypeName(), foundType);
return foundType;
}
}
// if not found in database, insert
String insertStatement = "INSERT INTO blackboard_attribute_types (attribute_type_id, type_name, display_name, value_type) VALUES (\n"
// get the maximum of the attribute type id's or the min user defined type id and add 1 to it for the new id
+ "(SELECT MAX(q.attribute_type_id) FROM (SELECT attribute_type_id FROM blackboard_attribute_types UNION SELECT " + (MIN_USER_DEFINED_TYPE_ID - 1) + ") q) + 1,\n"
// typeName, displayName, valueType
+ "?, ?, ?)";
PreparedStatement insertPreparedStatement = trans.getConnection().getPreparedStatement(insertStatement, Statement.RETURN_GENERATED_KEYS);
insertPreparedStatement.clearParameters();
insertPreparedStatement.setString(1, typeName);
insertPreparedStatement.setString(2, displayName);
insertPreparedStatement.setLong(3, valueType.getType());
int numUpdated = insertPreparedStatement.executeUpdate();
// get id for inserted to create new attribute.
Integer attrId = null;
if (numUpdated > 0) {
try (ResultSet insertResult = insertPreparedStatement.getGeneratedKeys()) {
if (insertResult.next()) {
attrId = insertResult.getInt(1);
}
}
}
if (attrId == null) {
throw new BlackboardException(MessageFormat.format(
"Error adding attribute type. Item with name {0} was not inserted successfully into the database.", typeName));
}
trans.commit();
trans = null;
BlackboardAttribute.Type type = new BlackboardAttribute.Type(attrId, typeName, displayName, valueType);
this.typeIdToAttributeTypeMap.put(type.getTypeID(), type);
this.typeNameToAttributeTypeMap.put(type.getTypeName(), type);
return type;
} catch (SQLException | TskCoreException ex) {
throw new BlackboardException("Error adding attribute type: " + typeName, ex);
} finally {
try {
if (trans != null) {
trans.rollback();
trans = null;
}
} catch (TskCoreException ex2) {
LOGGER.log(Level.SEVERE, "Error rolling back transaction", ex2);
}
}
}
/**
* Gets the list of all artifact types in use for the given data source.
* Gets both standard and custom types.
*
* @param dataSourceObjId data source object id
*
* @return The list of artifact types
*
* @throws TskCoreException exception thrown if a critical error occurred
* within tsk core
*/
public List<BlackboardArtifact.Type> getArtifactTypesInUse(long dataSourceObjId) throws TskCoreException {
final String queryString = "SELECT DISTINCT arts.artifact_type_id AS artifact_type_id, "
+ "types.type_name AS type_name, "
+ "types.display_name AS display_name, "
+ "types.category_type AS category_type "
+ "FROM blackboard_artifact_types AS types "
+ "INNER JOIN blackboard_artifacts AS arts "
+ "ON arts.artifact_type_id = types.artifact_type_id "
+ "WHERE arts.data_source_obj_id = " + dataSourceObjId;
caseDb.acquireSingleUserCaseReadLock();
try (SleuthkitCase.CaseDbConnection connection = caseDb.getConnection();
Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, queryString);) {
List<BlackboardArtifact.Type> uniqueArtifactTypes = new ArrayList<>();
while (resultSet.next()) {
uniqueArtifactTypes.add(new BlackboardArtifact.Type(resultSet.getInt("artifact_type_id"),
resultSet.getString("type_name"), resultSet.getString("display_name"),
BlackboardArtifact.Category.fromID(resultSet.getInt("category_type"))));
}
return uniqueArtifactTypes;
} catch (SQLException ex) {
throw new TskCoreException("Error getting artifact types is use for data source." + ex.getMessage(), ex);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Get count of all blackboard artifacts of a given type for the given data
* source. Does not include rejected artifacts.
*
* @param artifactTypeID artifact type id (must exist in database)
* @param dataSourceObjId data source object id
*
* @return count of blackboard artifacts
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core
*/
public long getArtifactsCount(int artifactTypeID, long dataSourceObjId) throws TskCoreException {
return getArtifactsCountHelper(artifactTypeID,
"blackboard_artifacts.data_source_obj_id = '" + dataSourceObjId + "';");
}
/**
* Get count of all blackboard artifacts of a given type. Does not include
* rejected artifacts.
*
* @param artifactTypeID artifact type id (must exist in database)
*
* @return count of blackboard artifacts
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core
*/
public long getArtifactsCount(int artifactTypeID) throws TskCoreException {
return getArtifactsCountHelper(artifactTypeID, null);
}
/**
* Get all blackboard artifacts of a given type. Does not included rejected
* artifacts.
*
* @param artifactTypeID artifact type to get
* @param dataSourceObjId data source to look under
*
* @return list of blackboard artifacts
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core
*/
public List<BlackboardArtifact> getArtifacts(int artifactTypeID, long dataSourceObjId) throws TskCoreException {
String whereClause = String.format("artifacts.data_source_obj_id = %d", dataSourceObjId);
return getArtifactsWhere(getArtifactType(artifactTypeID), whereClause);
}
/**
* Get all blackboard artifacts of the given type(s) for the given data
* source(s). Does not included rejected artifacts.
*
* @param artifactTypes list of artifact types to get
* @param dataSourceObjIds data sources to look under
*
* @return list of blackboard artifacts
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core
*/
public List<BlackboardArtifact> getArtifacts(Collection<BlackboardArtifact.Type> artifactTypes,
Collection<Long> dataSourceObjIds) throws TskCoreException {
if (artifactTypes.isEmpty() || dataSourceObjIds.isEmpty()) {
return new ArrayList<>();
}
String analysisResultQuery = "";
String dataArtifactQuery = "";
for (BlackboardArtifact.Type type : artifactTypes) {
if (type.getCategory() == BlackboardArtifact.Category.ANALYSIS_RESULT) {
if (!analysisResultQuery.isEmpty()) {
analysisResultQuery += " OR ";
}
analysisResultQuery += "types.artifact_type_id = " + type.getTypeID();
} else {
if (!dataArtifactQuery.isEmpty()) {
dataArtifactQuery += " OR ";
}
dataArtifactQuery += "types.artifact_type_id = " + type.getTypeID();
}
}
String dsQuery = "";
for (long dsId : dataSourceObjIds) {
if (!dsQuery.isEmpty()) {
dsQuery += " OR ";
}
dsQuery += "artifacts.data_source_obj_id = " + dsId;
}
List<BlackboardArtifact> artifacts = new ArrayList<>();
if (!analysisResultQuery.isEmpty()) {
String fullQuery = "( " + analysisResultQuery + " ) AND (" + dsQuery + ") ";
artifacts.addAll(this.getAnalysisResultsWhere(fullQuery));
}
if (!dataArtifactQuery.isEmpty()) {
String fullQuery = "( " + dataArtifactQuery + " ) AND (" + dsQuery + ") ";
artifacts.addAll(this.getDataArtifactsWhere(fullQuery));
}
return artifacts;
}
/**
* Get all blackboard artifacts of the given type that contain attribute of
* given type and value, for a given data source(s).
*
* @param artifactType artifact type to get
* @param attributeType attribute type to be included
* @param value attribute value to be included. can be empty.
* @param dataSourceObjId data source to look under. If Null, then search
* all data sources.
* @param showRejected a flag whether to display rejected artifacts
*
* @return list of blackboard artifacts
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core
*/
public List<BlackboardArtifact> getArtifacts(BlackboardArtifact.Type artifactType,
BlackboardAttribute.Type attributeType, String value, Long dataSourceObjId,
boolean showRejected) throws TskCoreException {
String query = " AND artifacts.artifact_type_id = " + artifactType.getTypeID() //NON-NLS
+ " AND attributes.attribute_type_id = " + attributeType.getTypeID() //NON-NLS
+ ((value == null || value.isEmpty()) ? "" : " AND attributes.value_text = '" + value + "'") //NON-NLS
+ (showRejected ? "" : " AND artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID()) //NON-NLS
+ (dataSourceObjId != null ? " AND artifacts.data_source_obj_id = " + dataSourceObjId : ""); //NON-NLS
List<BlackboardArtifact> artifacts = new ArrayList<>();
caseDb.acquireSingleUserCaseReadLock();
String finalQuery = (artifactType.getCategory() == BlackboardArtifact.Category.ANALYSIS_RESULT
? ANALYSIS_RESULT_QUERY_STRING_WITH_ATTRIBUTES + query
: DATA_ARTIFACT_QUERY_STRING_WITH_ATTRIBUTES + query);
try (CaseDbConnection connection = caseDb.getConnection()) {
try (Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, finalQuery);) {
if (artifactType.getCategory() == BlackboardArtifact.Category.ANALYSIS_RESULT) {
artifacts.addAll(resultSetToAnalysisResults(resultSet));
} else {
artifacts.addAll(resultSetToDataArtifacts(resultSet));
}
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error getting results with queryString = '%s'", finalQuery), ex);
}
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
return artifacts;
}
/**
* Returns a list of "Exact match / Literal" keyword hits blackboard
* artifacts according to the input conditions.
*
* @param keyword The keyword string to search for. This should always
* be populated unless you are trying to get all keyword
* hits of specific keyword search type or keyword list
* name.
* @param searchType Type of keyword search query.
* @param kwsListName (Optional) Name of the keyword list for which the
* search results are for. If not specified, then the
* results will be for ad-hoc keyword searches.
* @param dataSourceId (Optional) Data source id of the target data source.
* If null, then the results will be for all data
* sources.
*
* @return A list of keyword hits blackboard artifacts
*
* @throws TskCoreException If an exception is encountered while running
* database query to obtain the keyword hits.
*/
public List<BlackboardArtifact> getExactMatchKeywordSearchResults(String keyword, TskData.KeywordSearchQueryType searchType, String kwsListName, Long dataSourceId) throws TskCoreException {
return getKeywordSearchResults(keyword, "", searchType, kwsListName, dataSourceId);
}
/**
* Returns a list of keyword hits blackboard artifacts according to the
* input conditions.
*
* @param keyword The keyword string to search for. This should always
* be populated unless you are trying to get all keyword
* hits of specific keyword search type or keyword list
* name.
* @param regex For substring and regex keyword search types, the
* regex/substring query string should be specified as
* well as the keyword. It should be empty for literal
* exact match keyword search types.
* @param searchType Type of keyword search query.
* @param kwsListName (Optional) Name of the keyword list for which the
* search results are for. If not specified, then the
* results will be for ad-hoc keyword searches.
* @param dataSourceId (Optional) Data source id of the target data source.
* If null, then the results will be for all data
* sources.
*
* @return A list of keyword hits blackboard artifacts
*
* @throws TskCoreException If an exception is encountered while running
* database query to obtain the keyword hits.
*/
public List<BlackboardArtifact> getKeywordSearchResults(String keyword, String regex, TskData.KeywordSearchQueryType searchType, String kwsListName, Long dataSourceId) throws TskCoreException {
String dataSourceClause = dataSourceId == null
? ""
: " AND artifacts.data_source_obj_id = ? "; // dataSourceId
String kwsListClause = (kwsListName == null || kwsListName.isEmpty()
? " WHERE r.set_name IS NULL "
: " WHERE r.set_name = ? ");
String keywordClause = (keyword == null || keyword.isEmpty()
? ""
: " AND r.keyword = ? ");
String searchTypeClause = (searchType == null
? ""
: " AND r.search_type = ? ");
String regexClause = (regex == null || regex.isEmpty()
? ""
: " AND r.regexp_str = ? ");
String query = "SELECT r.* FROM ( "
+ " SELECT DISTINCT artifacts.artifact_id AS artifact_id, "
+ " artifacts.obj_id AS obj_id, "
+ " artifacts.artifact_obj_id AS artifact_obj_id, "
+ " artifacts.data_source_obj_id AS data_source_obj_id, "
+ " artifacts.artifact_type_id AS artifact_type_id, "
+ " types.type_name AS type_name, "
+ " types.display_name AS display_name, "
+ " types.category_type as category_type,"
+ " artifacts.review_status_id AS review_status_id, "
+ " results.conclusion AS conclusion, "
+ " results.significance AS significance, "
+ " results.priority AS priority, "
+ " results.configuration AS configuration, "
+ " results.justification AS justification, "
+ " (SELECT value_text FROM blackboard_attributes attr WHERE attr.artifact_id = artifacts.artifact_id AND attr.attribute_type_id = "
+ BlackboardAttribute.Type.TSK_SET_NAME.getTypeID() + " LIMIT 1) AS set_name, "
+ " (SELECT value_int32 FROM blackboard_attributes attr WHERE attr.artifact_id = artifacts.artifact_id AND attr.attribute_type_id = "
+ BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID() + " LIMIT 1) AS search_type, "
+ " (SELECT value_text FROM blackboard_attributes attr WHERE attr.artifact_id = artifacts.artifact_id AND attr.attribute_type_id = "
+ BlackboardAttribute.Type.TSK_KEYWORD_REGEXP.getTypeID() + " LIMIT 1) AS regexp_str, "
+ " (SELECT value_text FROM blackboard_attributes attr WHERE attr.artifact_id = artifacts.artifact_id AND attr.attribute_type_id = "
+ BlackboardAttribute.Type.TSK_KEYWORD.getTypeID() + " LIMIT 1) AS keyword "
+ " FROM blackboard_artifacts artifacts "
+ " JOIN blackboard_artifact_types AS types "
+ " ON artifacts.artifact_type_id = types.artifact_type_id "
+ " LEFT JOIN tsk_analysis_results AS results "
+ " ON artifacts.artifact_obj_id = results.artifact_obj_id "
+ " WHERE types.category_type = " + BlackboardArtifact.Category.ANALYSIS_RESULT.getID()
+ " AND artifacts.artifact_type_id = " + BlackboardArtifact.Type.TSK_KEYWORD_HIT.getTypeID() + " "
+ dataSourceClause + " ) r "
+ kwsListClause
+ keywordClause
+ searchTypeClause
+ regexClause;
List<BlackboardArtifact> artifacts = new ArrayList<>();
caseDb.acquireSingleUserCaseReadLock();
try (CaseDbConnection connection = caseDb.getConnection()) {
try {
PreparedStatement preparedStatement = connection.getPreparedStatement(query, Statement.RETURN_GENERATED_KEYS);
preparedStatement.clearParameters();
int paramIdx = 0;
if (dataSourceId != null) {
preparedStatement.setLong(++paramIdx, dataSourceId);
}
if (!(kwsListName == null || kwsListName.isEmpty())) {
preparedStatement.setString(++paramIdx, kwsListName);
}
if (!(keyword == null || keyword.isEmpty())) {
preparedStatement.setString(++paramIdx, keyword);
}
if (searchType != null) {
preparedStatement.setInt(++paramIdx, searchType.getType());
}
if (!(regex == null || regex.isEmpty())) {
preparedStatement.setString(++paramIdx, regex);
}
try (ResultSet resultSet = connection.executeQuery(preparedStatement)) {
artifacts.addAll(resultSetToAnalysisResults(resultSet));
}
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error getting keyword search results with queryString = '%s'", query), ex);
}
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
return artifacts;
}
/**
* Gets count of blackboard artifacts of given type that match a given WHERE
* clause. Uses a SELECT COUNT(*) FROM blackboard_artifacts statement
*
* @param artifactTypeID artifact type to count
* @param whereClause The WHERE clause to append to the SELECT statement
* (may be null).
*
* @return A count of matching BlackboardArtifact .
*
* @throws TskCoreException If there is a problem querying the case
* database.
*/
private long getArtifactsCountHelper(int artifactTypeID, String whereClause) throws TskCoreException {
String queryString = "SELECT COUNT(*) AS count FROM blackboard_artifacts "
+ "WHERE blackboard_artifacts.artifact_type_id = " + artifactTypeID
+ " AND blackboard_artifacts.review_status_id !=" + BlackboardArtifact.ReviewStatus.REJECTED.getID();
if (whereClause != null) {
queryString += " AND " + whereClause;
}
caseDb.acquireSingleUserCaseReadLock();
try (SleuthkitCase.CaseDbConnection connection = caseDb.getConnection();
Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, queryString);) {
long count = 0;
if (resultSet.next()) {
count = resultSet.getLong("count");
}
return count;
} catch (SQLException ex) {
throw new TskCoreException("Error getting artifact types is use for data source." + ex.getMessage(), ex);
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
}
/**
* Determines whether or not an artifact of a given type with a given set of
* attributes already exists for a given content.
*
* @param content The content.
* @param artifactType The artifact type.
* @param attributes The attributes.
*
* @return True or false
*
* @throws TskCoreException The exception is thrown if there is an issue
* querying the case database.
*/
public boolean artifactExists(Content content, BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributes) throws TskCoreException {
List<BlackboardArtifact> existingArtifacts = content.getArtifacts(artifactType.getTypeID());
for (BlackboardArtifact artifact : existingArtifacts) {
if (attributesMatch(artifact.getAttributes(), attributes)) {
return true;
}
}
return false;
}
/**
* Determines whether or not an artifact of a given type with a given set of
* attributes already exists for a given content.
*
* @param content The content.
* @param artifactType The artifact type.
* @param attributes The attributes.
*
* @return True or false
*
* @throws TskCoreException The exception is thrown if there is an issue
* querying the case database.
* @deprecated Use artifactExists(Content content, BlackboardArtifact.Type
* artifactType, Collection\<BlackboardAttribute\> attributes) instead.
*/
@Deprecated
public boolean artifactExists(Content content, BlackboardArtifact.ARTIFACT_TYPE artifactType, Collection<BlackboardAttribute> attributes) throws TskCoreException {
return artifactExists(content, getArtifactType(artifactType.getTypeID()), attributes);
}
/**
* Determine if the expected attributes can all be found in the supplied
* file attributes list.
*
* @param fileAttributesList The list of attributes to analyze.
* @param expectedAttributesList The list of attribute to check for.
*
* @return True if all attributes are found; otherwise false.
*/
private boolean attributesMatch(Collection<BlackboardAttribute> fileAttributesList, Collection<BlackboardAttribute> expectedAttributesList) {
for (BlackboardAttribute expectedAttribute : expectedAttributesList) {
boolean match = false;
for (BlackboardAttribute fileAttribute : fileAttributesList) {
BlackboardAttribute.Type attributeType = fileAttribute.getAttributeType();
if (attributeType.getTypeID() != expectedAttribute.getAttributeType().getTypeID()) {
continue;
}
Object fileAttributeValue;
Object expectedAttributeValue;
switch (attributeType.getValueType()) {
case BYTE:
fileAttributeValue = fileAttribute.getValueBytes();
expectedAttributeValue = expectedAttribute.getValueBytes();
break;
case DOUBLE:
fileAttributeValue = fileAttribute.getValueDouble();
expectedAttributeValue = expectedAttribute.getValueDouble();
break;
case INTEGER:
fileAttributeValue = fileAttribute.getValueInt();
expectedAttributeValue = expectedAttribute.getValueInt();
break;
case LONG: // Fall-thru
case DATETIME:
fileAttributeValue = fileAttribute.getValueLong();
expectedAttributeValue = expectedAttribute.getValueLong();
break;
case STRING: // Fall-thru
case JSON:
fileAttributeValue = fileAttribute.getValueString();
expectedAttributeValue = expectedAttribute.getValueString();
break;
default:
fileAttributeValue = fileAttribute.getDisplayString();
expectedAttributeValue = expectedAttribute.getDisplayString();
break;
}
/*
* If the exact attribute was found, mark it as a match to
* continue looping through the expected attributes list.
*/
if (fileAttributeValue instanceof byte[]) {
if (Arrays.equals((byte[]) fileAttributeValue, (byte[]) expectedAttributeValue)) {
match = true;
break;
}
} else if (fileAttributeValue.equals(expectedAttributeValue)) {
match = true;
break;
}
}
if (!match) {
/*
* The exact attribute type/value combination was not found.
*/
return false;
}
}
/*
* All attribute type/value combinations were found in the provided
* attributes list.
*/
return true;
}
/**
* A Blackboard exception.
*/
public static final class BlackboardException extends Exception {
private static final long serialVersionUID = 1L;
/**
* Constructs a blackboard exception with the specified message.
*
* @param message The message.
*/
BlackboardException(String message) {
super(message);
}
/**
* Constructs a blackboard exception with the specified message and
* cause.
*
* @param message The message.
* @param cause The cause.
*/
BlackboardException(String message, Throwable cause) {
super(message, cause);
}
}
/**
* Add a new data artifact with the given type.
*
* @param artifactType The type of the data artifact.
* @param sourceObjId The content that is the source of this artifact.
* @param dataSourceObjId The data source the artifact source content
* belongs to, may be the same as the sourceObjId.
* May be null.
* @param attributes The attributes. May be empty or null.
* @param osAccountId The OS account id associated with the artifact.
* May be null.
*
* @return DataArtifact A new data artifact.
*
* @throws TskCoreException If a critical error occurs within tsk core.
*/
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, long sourceObjId, Long dataSourceObjId,
Collection<BlackboardAttribute> attributes, Long osAccountId) throws TskCoreException {
if (artifactType.getCategory() != BlackboardArtifact.Category.DATA_ARTIFACT) {
throw new TskCoreException(String.format("Artifact type (name = %s) is not of Data Artifact category. ", artifactType.getTypeName()));
}
CaseDbTransaction transaction = caseDb.beginTransaction();
try {
DataArtifact dataArtifact = newDataArtifact(artifactType, sourceObjId, dataSourceObjId,
attributes, osAccountId, transaction);
transaction.commit();
return dataArtifact;
} catch (TskCoreException ex) {
try {
transaction.rollback();
} catch (TskCoreException ex2) {
LOGGER.log(Level.SEVERE, "Failed to rollback transaction after exception. "
+ "Error invoking newDataArtifact with dataSourceObjId: " + dataSourceObjId + ", sourceObjId: " + sourceObjId, ex2);
}
throw ex;
}
}
/**
* Add a new data artifact with the given type.
*
* This api executes in the context of the given transaction.
*
* @param artifactType The type of the data artifact.
* @param sourceObjId The content that is the source of this artifact.
* @param dataSourceObjId The data source the artifact source content
* belongs to, may be the same as the sourceObjId.
* May be null.
* @param attributes The attributes. May be empty or null.
* @param osAccountObjId The OS account associated with the artifact. May
* be null.
* @param transaction The transaction in the scope of which the
* operation is to be performed.
*
* @return DataArtifact New blackboard artifact
*
* @throws TskCoreException If a critical error occurs within tsk core.
*/
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, long sourceObjId, Long dataSourceObjId,
Collection<BlackboardAttribute> attributes, Long osAccountObjId, final CaseDbTransaction transaction) throws TskCoreException {
if (artifactType.getCategory() != BlackboardArtifact.Category.DATA_ARTIFACT) {
throw new TskCoreException(String.format("Artifact type (name = %s) is not of Data Artifact category. ", artifactType.getTypeName()));
}
try {
CaseDbConnection connection = transaction.getConnection();
long artifact_obj_id = caseDb.addObject(sourceObjId, TskData.ObjectType.ARTIFACT.getObjectType(), connection);
PreparedStatement statement = caseDb.createInsertArtifactStatement(artifactType.getTypeID(), sourceObjId, artifact_obj_id, dataSourceObjId, connection);
connection.executeUpdate(statement);
try (ResultSet resultSet = statement.getGeneratedKeys()) {
resultSet.next();
DataArtifact dataArtifact = new DataArtifact(caseDb, resultSet.getLong(1), //last_insert_rowid()
sourceObjId, artifact_obj_id, dataSourceObjId, artifactType.getTypeID(),
artifactType.getTypeName(), artifactType.getDisplayName(), BlackboardArtifact.ReviewStatus.UNDECIDED,
osAccountObjId, true);
// Add a row in tsk_data_artifact if the os account is present
if (osAccountObjId != null) {
String insertDataArtifactSQL = "INSERT INTO tsk_data_artifacts (artifact_obj_id, os_account_obj_id) VALUES (?, ?)";
statement = connection.getPreparedStatement(insertDataArtifactSQL, Statement.NO_GENERATED_KEYS);
statement.clearParameters();
statement.setLong(1, artifact_obj_id);
statement.setLong(2, osAccountObjId);
connection.executeUpdate(statement);
// Add an OS account instance
caseDb.getOsAccountManager().newOsAccountInstance(osAccountObjId, dataSourceObjId, OsAccountInstance.OsAccountInstanceType.ACCESSED, connection);
}
// if attributes are provided, add them to the artifact.
if (Objects.nonNull(attributes) && !attributes.isEmpty()) {
dataArtifact.addAttributes(attributes, transaction);
}
return dataArtifact;
}
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error creating a data artifact with type id = %d, objId = %d, and data source oj id = %d ", artifactType.getTypeID(), sourceObjId, dataSourceObjId), ex);
}
}
/**
* Returns a list of BlackboardArtifacts of the given artifact type and
* source object id.
*
* @param artifactType The artifact type.
* @param sourceObjId The artifact parent source id (obj_id)
*
* @return A list of BlackboardArtifacts for the given parameters.
*
* @throws TskCoreException
*/
List<BlackboardArtifact> getArtifactsBySourceId(BlackboardArtifact.Type artifactType, long sourceObjId) throws TskCoreException {
String whereClause = String.format("artifacts.obj_id = %d", sourceObjId);
return getArtifactsWhere(artifactType, whereClause);
}
/**
* Returns a list of artifacts of the given type.
*
* @param artifactType The type of artifacts to retrieve.
*
* @return A list of artifacts of the given type.
*
* @throws TskCoreException
*/
List<BlackboardArtifact> getArtifactsByType(BlackboardArtifact.Type artifactType) throws TskCoreException {
List<BlackboardArtifact> artifacts = new ArrayList<>();
if (artifactType.getCategory() == BlackboardArtifact.Category.ANALYSIS_RESULT) {
artifacts.addAll(getAnalysisResultsByType(artifactType.getTypeID()));
} else {
artifacts.addAll(getDataArtifacts(artifactType.getTypeID()));
}
return artifacts;
}
/**
* Returns a list of artifacts for the given artifact type with the given
* where clause.
*
* The Where clause will be added to the basic query for retrieving
* DataArtifacts or AnalysisResults from the DB. The where clause should not
* include the artifact type. This method will add the artifact type to the
* where clause.
*
* @param artifactType The artifact type.
* @param whereClause Additional where clause.
*
* @return A list of BlackboardArtifacts of the given type with the given
* conditional.
*
* @throws TskCoreException
*/
private List<BlackboardArtifact> getArtifactsWhere(BlackboardArtifact.Type artifactType, String whereClause) throws TskCoreException {
List<BlackboardArtifact> artifacts = new ArrayList<>();
String whereWithType = whereClause + " AND artifacts.artifact_type_id = " + artifactType.getTypeID();
if (artifactType.getCategory() == BlackboardArtifact.Category.ANALYSIS_RESULT) {
artifacts.addAll(getAnalysisResultsWhere(whereWithType));
} else {
artifacts.addAll(getDataArtifactsWhere(whereWithType));
}
return artifacts;
}
/**
* An event published by SleuthkitCase when one or more artifacts are
* posted. Posted artifacts should be complete (all attributes have been
* added) and ready for further analysis.
*/
final public class ArtifactsPostedEvent {
private final String moduleName;
private final ImmutableSet<BlackboardArtifact.Type> artifactTypes;
private final ImmutableSet<BlackboardArtifact> artifacts;
private final Long ingestJobId;
/**
* Constructs an event published by SleuthkitCase when one or more
* artifacts are posted. Posted artifacts should be complete (all
* attributes have been added) and ready for further analysis.
*
* @param artifacts The artifacts.
* @param moduleName The display name of the module posting the
* artifacts.
* @param ingestJobId The numeric identifier of the ingest job within
* which the artifacts were posted, may be null.
*/
private ArtifactsPostedEvent(Collection<BlackboardArtifact> artifacts, String moduleName, Long ingestJobId) throws BlackboardException {
Set<Integer> typeIDS = artifacts.stream()
.map(BlackboardArtifact::getArtifactTypeID)
.collect(Collectors.toSet());
Set<BlackboardArtifact.Type> types = new HashSet<>();
for (Integer typeID : typeIDS) {
try {
types.add(getArtifactType(typeID));
} catch (TskCoreException tskCoreException) {
throw new BlackboardException("Error getting artifact type by id.", tskCoreException);
}
}
artifactTypes = ImmutableSet.copyOf(types);
this.artifacts = ImmutableSet.copyOf(artifacts);
this.moduleName = moduleName;
this.ingestJobId = ingestJobId;
}
/**
* Gets the posted artifacts.
*
* @return The artifacts (data artifacts and/or analysis results).
*/
public Collection<BlackboardArtifact> getArtifacts() {
return ImmutableSet.copyOf(artifacts);
}
/**
* Gets the posted artifacts of a given type.
*
* @param artifactType The artifact type.
*
* @return The artifacts, if any.
*/
public Collection<BlackboardArtifact> getArtifacts(BlackboardArtifact.Type artifactType) {
Set<BlackboardArtifact> tempSet = artifacts.stream()
.filter(artifact -> artifact.getArtifactTypeID() == artifactType.getTypeID())
.collect(Collectors.toSet());
return ImmutableSet.copyOf(tempSet);
}
/**
* Gets the display name of the module that posted the artifacts.
*
* @return The display name.
*/
public String getModuleName() {
return moduleName;
}
/**
* Gets the types of artifacts that were posted.
*
* @return The types.
*/
public Collection<BlackboardArtifact.Type> getArtifactTypes() {
return ImmutableSet.copyOf(artifactTypes);
}
/**
* Gets the numeric identifier of the ingest job for which the artifacts
* were posted.
*
* @return The ingest job ID, may be null.
*/
public Optional<Long> getIngestJobId() {
return Optional.ofNullable(ingestJobId);
}
}
}
bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java 0 → 100644
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2011-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import com.google.common.annotations.Beta;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.sql.SQLException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.sleuthkit.datamodel.Blackboard.BlackboardException;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
/**
* An artifact that has been posted to the blackboard. Artifacts store analysis
* results (such as hash set hits) and extracted data (such as a web bookmark).
* An artifact is a typed collection of name value pairs (attributes) that is
* associated with its source content (A data source, a file, or another
* artifact). Both standard artifact types and custom artifact types are
* supported.
*
* IMPORTANT NOTE: No more than one attribute of a given type should be added to
* an artifact. It is undefined about which will be used.
*/
public abstract class BlackboardArtifact implements Content {
private static final ResourceBundle bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle");
private final long artifactId;
private final long sourceObjId; // refers to objID of parent/source object
private final long artifactObjId; // objId of the artifact in tsk_objects. TBD: replace artifactID with this
private final Long dataSourceObjId; // objId of the data source in tsk_objects.
private final int artifactTypeId;
private final String artifactTypeName;
private final String displayName;
private ReviewStatus reviewStatus;
private final SleuthkitCase sleuthkitCase;
private final List<BlackboardAttribute> attrsCache = new ArrayList<BlackboardAttribute>();
private boolean loadedCacheFromDb = false;
private volatile Content parent;
private volatile String uniquePath;
private byte[] contentBytes = null;
private volatile boolean checkedHasChildren;
private volatile boolean hasChildren;
private volatile int childrenCount;
/**
* Constructs an artifact that has been posted to the blackboard. An
* artifact is a typed collection of name value pairs (attributes) that is
* associated with its source content (either a data source, or file within
* a data source). Both standard artifact types and custom artifact types
* are supported.
*
* @param sleuthkitCase The SleuthKit case (case database) that contains
* the artifact data.
* @param artifactID The unique id for this artifact.
* @param sourceObjId The unique id of the content with which this
* artifact is associated.
* @param artifactObjId The unique id this artifact, in tsk_objects.
* @param dataSourceObjId Object ID of the datasource where the artifact
* was found. May be null.
* @param artifactTypeID The type id of this artifact.
* @param artifactTypeName The type name of this artifact.
* @param displayName The display name of this artifact.
* @param reviewStatus The review status of this artifact.
*/
BlackboardArtifact(SleuthkitCase sleuthkitCase, long artifactID, long sourceObjId, long artifactObjId, Long dataSourceObjId, int artifactTypeID, String artifactTypeName, String displayName, ReviewStatus reviewStatus) {
this.sleuthkitCase = sleuthkitCase;
this.artifactId = artifactID;
this.sourceObjId = sourceObjId;
this.artifactObjId = artifactObjId;
this.artifactTypeId = artifactTypeID;
this.dataSourceObjId = dataSourceObjId;
this.artifactTypeName = artifactTypeName;
this.displayName = displayName;
this.reviewStatus = reviewStatus;
this.checkedHasChildren = false;
this.hasChildren = false;
this.childrenCount = -1;
}
/**
* Constructs an artifact that has been posted to the blackboard. An
* artifact is a typed collection of name value pairs (attributes) that is
* associated with its source content (either a data source, or file within
* a data source). Both standard artifact types and custom artifact types
* are supported.
*
* @param sleuthkitCase The SleuthKit case (case database) that contains
* the artifact data.
* @param artifactID The unique id for this artifact.
* @param sourceObjId The unique id of the content with which this
* artifact is associated.
* @param artifactObjID The unique id this artifact. in tsk_objects
* @param dataSourceObjID Unique id of the data source.
* @param artifactTypeID The type id of this artifact.
* @param artifactTypeName The type name of this artifact.
* @param displayName The display name of this artifact.
* @param reviewStatus The review status of this artifact.
* @param isNew If the artifact is newly created.
*/
BlackboardArtifact(SleuthkitCase sleuthkitCase, long artifactID, long sourceObjId, long artifactObjID, Long dataSourceObjID, int artifactTypeID, String artifactTypeName, String displayName, ReviewStatus reviewStatus, boolean isNew) {
this(sleuthkitCase, artifactID, sourceObjId, artifactObjID, dataSourceObjID, artifactTypeID, artifactTypeName, displayName, reviewStatus);
if (isNew) {
/*
* If this object represents a newly created artifact, then its
* collection of attributes has already been populated and there is
* no need to fetch them form the case database.
*/
this.loadedCacheFromDb = true;
}
}
/**
* Gets the SleuthKit case (case database) that contains the data for this
* artifact.
*
* @return The SleuthKit case (case database) object.
*/
public SleuthkitCase getSleuthkitCase() {
return sleuthkitCase;
}
/**
* Gets the unique id for this artifact.
*
* @return The artifact id.
*/
public long getArtifactID() {
return this.artifactId;
}
/**
* Gets the object id of the source content (data source or file within a
* data source) of this artifact
*
* @return The object id.
*/
public long getObjectID() {
return this.sourceObjId;
}
/**
* Gets the object id of the data source for this artifact.
*
* @return The data source object id, may be null.
*/
@Beta
public Long getDataSourceObjectID() {
return this.dataSourceObjId;
}
/**
* Gets the artifact type id for this artifact.
*
* @return The artifact type id.
*/
public int getArtifactTypeID() {
return this.artifactTypeId;
}
/**
* Gets the artifact type for this artifact.
*
* @return The artifact type.
*
* @throws TskCoreException
*/
public BlackboardArtifact.Type getType() throws TskCoreException {
BlackboardArtifact.Type standardTypesValue = BlackboardArtifact.Type.STANDARD_TYPES.get(getArtifactTypeID());
if (standardTypesValue != null) {
return standardTypesValue;
} else {
return getSleuthkitCase().getBlackboard().getArtifactType(getArtifactTypeID());
}
}
/**
* Gets the artifact type name for this artifact.
*
* @return The artifact type name.
*/
public String getArtifactTypeName() {
return this.artifactTypeName;
}
/**
* Gets the artifact type display name for this artifact.
*
* @return The artifact type display name.
*/
public String getDisplayName() {
return this.displayName;
}
/**
* Gets a short description for this artifact.
*
* @return The description, may be the empty string.
*
* @throws TskCoreException if there is a problem creating the description.
*/
public String getShortDescription() throws TskCoreException {
BlackboardAttribute attr = null;
StringBuilder shortDescription = new StringBuilder("");
if (BlackboardArtifact.Type.STANDARD_TYPES.get(artifactTypeId) != null) {
switch (ARTIFACT_TYPE.fromID(artifactTypeId)) {
case TSK_WIFI_NETWORK_ADAPTER:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_MAC_ADDRESS));
break;
case TSK_WIFI_NETWORK:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_SSID));
break;
case TSK_REMOTE_DRIVE:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_REMOTE_PATH));
break;
case TSK_SERVICE_ACCOUNT:
case TSK_SCREEN_SHOTS:
case TSK_DELETED_PROG:
case TSK_METADATA:
case TSK_OS_INFO:
case TSK_PROG_NOTIFICATIONS:
case TSK_PROG_RUN:
case TSK_RECENT_OBJECT:
case TSK_USER_DEVICE_EVENT:
case TSK_WEB_SEARCH_QUERY:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_PROG_NAME));
break;
case TSK_BLUETOOTH_PAIRING:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DEVICE_NAME));
break;
case TSK_ACCOUNT:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_ID));
if (attr == null) {
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_CARD_NUMBER));
}
break;
case TSK_WEB_CATEGORIZATION:
case TSK_BLUETOOTH_ADAPTER:
case TSK_GPS_AREA:
case TSK_GPS_BOOKMARK:
case TSK_GPS_LAST_KNOWN_LOCATION:
case TSK_GPS_ROUTE:
case TSK_GPS_SEARCH:
case TSK_GPS_TRACK:
case TSK_WEB_FORM_AUTOFILL:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_NAME));
break;
case TSK_WEB_ACCOUNT_TYPE:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_TEXT));
break;
case TSK_HASHSET_HIT:
case TSK_INTERESTING_ARTIFACT_HIT:
case TSK_INTERESTING_FILE_HIT:
case TSK_INTERESTING_ITEM:
case TSK_YARA_HIT:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_SET_NAME));
break;
case TSK_ENCRYPTION_DETECTED:
case TSK_ENCRYPTION_SUSPECTED:
case TSK_OBJECT_DETECTED:
case TSK_USER_CONTENT_SUSPECTED:
case TSK_VERIFICATION_FAILED:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_COMMENT));
break;
case TSK_DATA_SOURCE_USAGE:
case TSK_CALENDAR_ENTRY:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DESCRIPTION));
break;
case TSK_WEB_BOOKMARK: //web_bookmark, web_cookie, web_download, and web_history are the same attribute for now
case TSK_WEB_COOKIE:
case TSK_WEB_DOWNLOAD:
case TSK_WEB_HISTORY:
case TSK_WEB_CACHE:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
break;
case TSK_KEYWORD_HIT:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW));
break;
case TSK_DEVICE_ATTACHED:
attr = getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DEVICE_ID));
break;
case TSK_CONTACT: //contact, message, and calllog are the same attributes for now
case TSK_MESSAGE:
case TSK_CALLLOG:
case TSK_SPEED_DIAL_ENTRY:
case TSK_WEB_FORM_ADDRESS:
//get the first of these attributes which exists and is non null
final ATTRIBUTE_TYPE[] typesThatCanHaveName = {ATTRIBUTE_TYPE.TSK_NAME,
ATTRIBUTE_TYPE.TSK_PHONE_NUMBER,
ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM,
ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO,
ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_HOME,
ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_MOBILE,
ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_OFFICE,
ATTRIBUTE_TYPE.TSK_EMAIL,
ATTRIBUTE_TYPE.TSK_EMAIL_FROM,
ATTRIBUTE_TYPE.TSK_EMAIL_TO,
ATTRIBUTE_TYPE.TSK_EMAIL_HOME,
ATTRIBUTE_TYPE.TSK_EMAIL_OFFICE,
ATTRIBUTE_TYPE.TSK_LOCATION}; //in the order we want to use them
for (ATTRIBUTE_TYPE t : typesThatCanHaveName) {
attr = getAttribute(new BlackboardAttribute.Type(t));
if (attr != null && !attr.getDisplayString().isEmpty()) {
break;
}
}
break;
default:
break;
}
}
if (attr != null) {
shortDescription.append(attr.getAttributeType().getDisplayName()).append(": ").append(attr.getDisplayString());
} else {
shortDescription.append(getDisplayName());
}
//get the first of these date attributes which exists and is non null
final ATTRIBUTE_TYPE[] typesThatCanHaveDate = {ATTRIBUTE_TYPE.TSK_DATETIME,
ATTRIBUTE_TYPE.TSK_DATETIME_SENT,
ATTRIBUTE_TYPE.TSK_DATETIME_RCVD,
ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED,
ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
ATTRIBUTE_TYPE.TSK_DATETIME_START,
ATTRIBUTE_TYPE.TSK_DATETIME_END}; //in the order we want to use them
BlackboardAttribute date;
for (ATTRIBUTE_TYPE t : typesThatCanHaveDate) {
date = getAttribute(new BlackboardAttribute.Type(t));
if (date != null && !date.getDisplayString().isEmpty()) {
shortDescription.append(" ");
shortDescription.append(MessageFormat.format(bundle.getString("BlackboardArtifact.shortDescriptionDate.text"), date.getDisplayString())); //NON-NLS
break;
}
}
return shortDescription.toString();
}
/**
* Gets the review status of this artifact, i.e., whether it has been
* approved, rejected, or is still waiting for a decision from the user.
*
* @return The review status.
*/
public ReviewStatus getReviewStatus() {
return reviewStatus;
}
/**
* Sets the review status of this artifact, i.e., whether it has been
* approved, rejected, or is still waiting for a decision from the user.
*
* @param newStatus new status of the artifact
*
* @throws TskCoreException If an error occurs
*/
public void setReviewStatus(ReviewStatus newStatus) throws TskCoreException {
getSleuthkitCase().setReviewStatus(this, newStatus);
reviewStatus = newStatus;
}
/**
* Adds an attribute to this artifact.
*
* IMPORTANT NOTE: No more than one attribute of a given type should be
* added to an artifact.
*
* @param attribute The attribute to add
*
* @throws TskCoreException If an error occurs and the attribute was not
* added to the artifact.
*/
public void addAttribute(BlackboardAttribute attribute) throws TskCoreException {
attribute.setArtifactId(artifactId);
attribute.setCaseDatabase(getSleuthkitCase());
getSleuthkitCase().addBlackboardAttribute(attribute, this.artifactTypeId);
attrsCache.add(attribute);
}
/**
* Gets the attributes of this artifact.
*
* @return The attributes.
*
* @throws TskCoreException If an error occurs and the attributes cannot be
* fetched.
*/
public List<BlackboardAttribute> getAttributes() throws TskCoreException {
ArrayList<BlackboardAttribute> attributes;
if (false == loadedCacheFromDb) {
attributes = getSleuthkitCase().getBlackboard().getBlackboardAttributes(this);
attrsCache.clear();
attrsCache.addAll(attributes);
loadedCacheFromDb = true;
} else {
attributes = new ArrayList<>(attrsCache);
}
return attributes;
}
/**
* Set all attributes at once.
* Will overwrite any already loaded attributes.
*
* @param attributes The set of attributes for this artifact.
*/
void setAttributes(List<BlackboardAttribute> attributes) {
attrsCache.clear();
attrsCache.addAll(attributes);
loadedCacheFromDb = true;
}
/**
* Gets the attribute of this artifact that matches a given type.
*
* IMPORTANT NOTE: No more than one attribute of a given type should be
* added to an artifact.
*
* @param attributeType The attribute type.
*
* @return The first attribute of the given type, or null if there are no
* attributes of that type.
*
* @throws TskCoreException If an error occurs and the attribute is not
* fetched.
*/
public BlackboardAttribute getAttribute(BlackboardAttribute.Type attributeType) throws TskCoreException {
List<BlackboardAttribute> attributes = this.getAttributes();
for (BlackboardAttribute attribute : attributes) {
if (attribute.getAttributeType().equals(attributeType)) {
return attribute;
}
}
return null;
}
/**
* Adds a collection of attributes to this artifact in a single operation
* (faster than adding each attribute individually).
*
* @param attributes The collection of attributes.
*
* @throws TskCoreException If an error occurs and the attributes were not
* added to the artifact.
*/
public void addAttributes(Collection<BlackboardAttribute> attributes) throws TskCoreException {
if (attributes.isEmpty()) {
return;
}
for (BlackboardAttribute attribute : attributes) {
attribute.setArtifactId(artifactId);
attribute.setCaseDatabase(getSleuthkitCase());
}
getSleuthkitCase().addBlackboardAttributes(attributes, artifactTypeId);
attrsCache.addAll(attributes);
}
/**
* Adds a collection of attributes to this artifact in a single operation
* (faster than adding each attribute individually) within a transaction
* supplied by the caller.
*
* @param attributes The collection of attributes.
* @param caseDbTransaction The transaction in the scope of which the
* operation is to be performed, managed by the
* caller. Null is not permitted.
*
* @throws TskCoreException If an error occurs and the attributes were not
* added to the artifact. If
* <code>caseDbTransaction</code> is null or if
* <code>attributes</code> is null or empty.
*/
public void addAttributes(Collection<BlackboardAttribute> attributes, final SleuthkitCase.CaseDbTransaction caseDbTransaction) throws TskCoreException {
if (Objects.isNull(attributes) || attributes.isEmpty()) {
throw new TskCoreException("Illegal argument passed to addAttributes: null or empty attributes passed to addAttributes");
}
if (Objects.isNull(caseDbTransaction)) {
throw new TskCoreException("Illegal argument passed to addAttributes: null caseDbTransaction passed to addAttributes");
}
try {
for (final BlackboardAttribute attribute : attributes) {
attribute.setArtifactId(artifactId);
attribute.setCaseDatabase(getSleuthkitCase());
getSleuthkitCase().addBlackBoardAttribute(attribute, artifactTypeId, caseDbTransaction.getConnection());
}
attrsCache.addAll(attributes);
} catch (SQLException ex) {
throw new TskCoreException("Error adding blackboard attributes", ex);
}
}
/**
* This overiding implementation returns the unique path of the parent. It
* does not include the Artifact name in the unique path.
*
* @throws org.sleuthkit.datamodel.TskCoreException
*/
@Override
public String getUniquePath() throws TskCoreException {
// Return the path of the parent file
// It is possible that multiple threads could be doing this calculation
// simultaneously, but it's worth the potential extra processing to prevent deadlocks.
if (uniquePath == null) {
String tempUniquePath = "";
Content myParent = getParent();
if (myParent != null) {
tempUniquePath = myParent.getUniquePath();
}
// Don't update uniquePath until it is complete.
uniquePath = tempUniquePath;
}
return uniquePath;
}
@Override
public Content getParent() throws TskCoreException {
if (parent == null) {
parent = getSleuthkitCase().getContentById(sourceObjId);
}
return parent;
}
/**
* Get all artifacts associated with this content
*
* @return a list of blackboard artifacts
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public ArrayList<BlackboardArtifact> getAllArtifacts() throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return new ArrayList<BlackboardArtifact>();
}
@Override
public List<AnalysisResult> getAllAnalysisResults() throws TskCoreException {
return sleuthkitCase.getBlackboard().getAnalysisResults(artifactObjId);
}
@Override
public List<DataArtifact> getAllDataArtifacts() throws TskCoreException {
return sleuthkitCase.getBlackboard().getDataArtifactsBySource(artifactObjId);
}
@Override
public Score getAggregateScore() throws TskCoreException {
return sleuthkitCase.getScoringManager().getAggregateScore(artifactObjId);
}
@Override
public List<AnalysisResult> getAnalysisResults(BlackboardArtifact.Type artifactType) throws TskCoreException {
return sleuthkitCase.getBlackboard().getAnalysisResults(artifactObjId, artifactType.getTypeID()); //NON-NLS
}
/**
* Get all artifacts associated with this content that have the given type
* name
*
* @param artifactTypeName name of the type to look up
*
* @return a list of blackboard artifacts matching the type
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public ArrayList<BlackboardArtifact> getArtifacts(String artifactTypeName) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return new ArrayList<BlackboardArtifact>();
}
/**
* Get all artifacts associated with this content that have the given type
* id
*
* @param artifactTypeID type id to look up
*
* @return a list of blackboard artifacts matching the type
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public ArrayList<BlackboardArtifact> getArtifacts(int artifactTypeID) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return new ArrayList<BlackboardArtifact>();
}
/**
* Get all artifacts associated with this content that have the given type
*
* @param type type to look up
*
* @return a list of blackboard artifacts matching the type
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public ArrayList<BlackboardArtifact> getArtifacts(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return new ArrayList<BlackboardArtifact>();
}
/**
* Get count of all artifacts associated with this content
*
* @return count of all blackboard artifacts for this content
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public long getAllArtifactsCount() throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return 0;
}
/**
* Get count of all artifacts associated with this content that have the
* given type name
*
* @param artifactTypeName name of the type to look up
*
* @return count of blackboard artifacts matching the type
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public long getArtifactsCount(String artifactTypeName) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return 0;
}
/**
* Get count of all artifacts associated with this content that have the
* given type id
*
* @param artifactTypeID type id to look up
*
* @return count of blackboard artifacts matching the type
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public long getArtifactsCount(int artifactTypeID) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return 0;
}
/**
* Get count of all artifacts associated with this content that have the
* given type
*
* @param type type to look up
*
* @return count of blackboard artifacts matching the type
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public long getArtifactsCount(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return 0;
}
/**
* Return the TSK_GEN_INFO artifact for the file so that individual
* attributes can be added to it. Creates one if it does not already exist.
*
* @return Instance of the TSK_GEN_INFO artifact
*
* @throws TskCoreException
*/
@Override
public BlackboardArtifact getGenInfoArtifact() throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return null;
}
/**
* Return the TSK_GEN_INFO artifact for the file so that individual
* attributes can be added to it. If one does not create, behavior depends
* on the create argument.
*
* @param create If true, an artifact will be created if it does not already
* exist.
*
* @return Instance of the TSK_GEN_INFO artifact or null if artifact does
* not already exist and create was set to false
*
* @throws TskCoreException
*/
@Override
public BlackboardArtifact getGenInfoArtifact(boolean create) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
if (create) {
throw new TskCoreException("Artifacts of artifacts are not supported.");
}
return null;
}
/**
* Return attributes of a given type from TSK_GEN_INFO.
*
* @param attr_type Attribute type to find inside of the TSK_GEN_INFO
* artifact.
*
* @return Attributes
*
* @throws org.sleuthkit.datamodel.TskCoreException
*/
@Override
public ArrayList<BlackboardAttribute> getGenInfoAttributes(BlackboardAttribute.ATTRIBUTE_TYPE attr_type) throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return new ArrayList<>();
}
/**
* Get the names of all the hashsets that this content is in.
*
* @return the names of the hashsets that this content is in
*
* @throws TskCoreException if critical error occurred within tsk core
*/
@Override
public Set<String> getHashSetNames() throws TskCoreException {
// Currently we don't have any artifacts derived from an artifact.
return new HashSet<String>();
}
/**
* Create and add an artifact associated with this content to the blackboard
*
* @param artifactTypeID id of the artifact type (if the id doesn't already
* exist an exception will be thrown)
*
* @return the blackboard artifact created (the artifact type id can be
* looked up from this)
*
* @throws TskCoreException if critical error occurred within tsk core
* @deprecated Use the Blackboard to create Data Artifacts and Analysis
* Results.
*/
@Deprecated
@Override
public BlackboardArtifact newArtifact(int artifactTypeID) throws TskCoreException {
throw new TskCoreException("Cannot create artifact of an artifact. Not supported.");
}
@Override
public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type artifactType, Score score, String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList) throws TskCoreException {
// Get the ID before starting the transaction
long dataSourceId = this.getDataSource().getId();
CaseDbTransaction trans = sleuthkitCase.beginTransaction();
try {
AnalysisResultAdded resultAdded = sleuthkitCase.getBlackboard().newAnalysisResult(artifactType, this.getId(), dataSourceId, score, conclusion, configuration, justification, attributesList, trans);
trans.commit();
return resultAdded;
} catch (BlackboardException ex) {
trans.rollback();
throw new TskCoreException("Error adding analysis result.", ex);
}
}
@Override
public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type artifactType, Score score, String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList, long dataSourceId) throws TskCoreException {
CaseDbTransaction trans = sleuthkitCase.beginTransaction();
try {
AnalysisResultAdded resultAdded = sleuthkitCase.getBlackboard().newAnalysisResult(artifactType, this.getId(), dataSourceId, score, conclusion, configuration, justification, attributesList, trans);
trans.commit();
return resultAdded;
} catch (BlackboardException ex) {
trans.rollback();
throw new TskCoreException("Error adding analysis result.", ex);
}
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList, Long osAccountId) throws TskCoreException {
throw new TskCoreException("Cannot create data artifact of an artifact. Not supported.");
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList, Long osAccountId, long dataSourceId) throws TskCoreException {
throw new TskCoreException("Cannot create data artifact of an artifact. Not supported.");
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList) throws TskCoreException {
return newDataArtifact(artifactType, attributesList, null);
}
/**
* Create and add an artifact associated with this content to the blackboard
*
* @param type artifact enum type
*
* @return the blackboard artifact created (the artifact type id can be
* looked up from this)
*
* @throws TskCoreException if critical error occurred within tsk core
* @deprecated Use the Blackboard to create Data Artifacts and Analysis
* Results.
*/
@Deprecated
@Override
public BlackboardArtifact newArtifact(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
throw new TskCoreException("Cannot create artifact of an artifact. Not supported.");
}
/**
* Accepts a Sleuthkit item visitor (Visitor design pattern).
*
* @param visitor A SleuthkitItemVisitor supplying an algorithm to run using
* this derived file as input.
*
* @return The output of the algorithm.
*/
@Override
public <T> T accept(ContentVisitor<T> visitor) {
return visitor.visit(this);
}
/**
* Tests this artifact for equality with another object.
*
* @param object The other object.
*
* @return True or false.
*/
@Override
public boolean equals(Object object) {
if (object == null) {
return false;
}
if (getClass() != object.getClass()) {
return false;
}
final BlackboardArtifact other = (BlackboardArtifact) object;
return artifactId == other.getArtifactID();
}
/**
* Gets the hash code for this artifact.
*
* @return The hash code.
*/
@Override
public int hashCode() {
int hash = 7;
hash = 41 * hash + (int) (this.artifactId ^ (this.artifactId >>> 32));
return hash;
}
/**
* Gets a string representation of this artifact.
*
* @return The string.
*/
@Override
public String toString() {
return "BlackboardArtifact{" + "artifactID=" + artifactId + ", objID=" + getObjectID() + ", artifactObjID=" + artifactObjId + ", artifactTypeID=" + artifactTypeId + ", artifactTypeName=" + artifactTypeName + ", displayName=" + displayName + ", Case=" + getSleuthkitCase() + '}'; //NON-NLS
}
/**
* Accepts a visitor SleuthkitItemVisitor that will perform an operation on
* this artifact type and return some object as the result of the operation.
*
* @param visitor The visitor, where the type parameter of the visitor is
* the type of the object that will be returned as the result
* of the visit operation.
*
* @return An object of type T.
*/
@Override
public <T> T accept(SleuthkitItemVisitor<T> visitor) {
return visitor.visit(this);
}
/**
* Get the (reported) size of the content object. Artifact content is a
* string dump of all its attributes.
*
* @return size of the content in bytes
*/
@Override
public long getSize() {
if (contentBytes == null) {
try {
loadArtifactContent();
} catch (TskCoreException ex) {
return 0;
}
}
return contentBytes.length;
}
/**
* Close the Content object.
*/
@Override
public void close() {
contentBytes = null;
}
/**
* Reads content data for this artifact Artifact content is a string dump of
* all its attributes.
*
* @param buf a character array of data (in bytes) to copy read data to
* @param offset byte offset in the content to start reading from
* @param len number of bytes to read into buf.
*
* @return num of bytes read, or -1 on error
*
* @throws TskCoreException if critical error occurred during read in the
* tsk core
*/
@Override
public final int read(byte[] buf, long offset, long len) throws TskCoreException {
if (contentBytes == null) {
loadArtifactContent();
}
if (0 == contentBytes.length) {
return 0;
}
// Copy bytes
long readLen = Math.min(contentBytes.length - offset, len);
System.arraycopy(contentBytes, 0, buf, 0, (int) readLen);
return (int) readLen;
}
@Override
public String getName() {
return this.displayName + getArtifactID();
}
@Override
public Content getDataSource() throws TskCoreException {
return dataSourceObjId != null ? getSleuthkitCase().getContentById(dataSourceObjId) : null;
}
/**
* Load and save the content for the artifact. Artifact content is a string
* dump of all its attributes.
*
* @throws TskCoreException if critical error occurred during read
*/
private void loadArtifactContent() throws TskCoreException {
StringBuilder artifactContents = new StringBuilder();
Content dataSource = null;
try {
dataSource = getDataSource();
} catch (TskCoreException ex) {
throw new TskCoreException("Unable to get datasource for artifact: " + this.toString(), ex);
}
if (dataSource == null) {
throw new TskCoreException("Datasource was null for artifact: " + this.toString());
}
try {
for (BlackboardAttribute attribute : getAttributes()) {
artifactContents.append(attribute.getAttributeType().getDisplayName());
artifactContents.append(" : ");
artifactContents.append(attribute.getDisplayString());
artifactContents.append(System.lineSeparator());
}
} catch (TskCoreException ex) {
throw new TskCoreException("Unable to get attributes for artifact: " + this.toString(), ex);
}
try {
contentBytes = artifactContents.toString().getBytes("UTF-8");
} catch (UnsupportedEncodingException ex) {
throw new TskCoreException("Failed to convert artifact string to bytes for artifact: " + this.toString(), ex);
}
}
/**
* An artifact type.
*/
public static final class Type implements Serializable {
private static final long serialVersionUID = 1L;
/**
* A generic information artifact.
*/
public static final Type TSK_GEN_INFO = new BlackboardArtifact.Type(1, "TSK_GEN_INFO", bundle.getString("BlackboardArtifact.tskGenInfo.text"), Category.DATA_ARTIFACT);
/**
* A Web bookmark. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create bookmark artifacts.
*/
public static final Type TSK_WEB_BOOKMARK = new BlackboardArtifact.Type(2, "TSK_WEB_BOOKMARK", bundle.getString("BlackboardArtifact.tskWebBookmark.text"), Category.DATA_ARTIFACT);
/**
* A Web cookie. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create cookie artifacts.
*/
public static final Type TSK_WEB_COOKIE = new BlackboardArtifact.Type(3, "TSK_WEB_COOKIE", bundle.getString("BlackboardArtifact.tskWebCookie.text"), Category.DATA_ARTIFACT);
/**
* A Web history. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create history artifacts.
*/
public static final Type TSK_WEB_HISTORY = new BlackboardArtifact.Type(4, "TSK_WEB_HISTORY", bundle.getString("BlackboardArtifact.tskWebHistory.text"), Category.DATA_ARTIFACT);
/**
* A Web download. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create download artifacts.
*/
public static final Type TSK_WEB_DOWNLOAD = new BlackboardArtifact.Type(5, "TSK_WEB_DOWNLOAD", bundle.getString("BlackboardArtifact.tskWebDownload.text"), Category.DATA_ARTIFACT);
/**
* A recent object.
*/
public static final Type TSK_RECENT_OBJECT = new BlackboardArtifact.Type(6, "TSK_RECENT_OBJ", bundle.getString("BlackboardArtifact.tsk.recentObject.text"), Category.DATA_ARTIFACT);
// 7 was used for deprecated TSK_GPS_TRACKPOINT.
/**
* An installed program.
*/
public static final Type TSK_INSTALLED_PROG = new BlackboardArtifact.Type(8, "TSK_INSTALLED_PROG", bundle.getString("BlackboardArtifact.tskInstalledProg.text"), Category.DATA_ARTIFACT);
/**
* A search hit for a keyword.
*/
public static final Type TSK_KEYWORD_HIT = new BlackboardArtifact.Type(9, "TSK_KEYWORD_HIT", bundle.getString("BlackboardArtifact.tskKeywordHits.text"), Category.ANALYSIS_RESULT);
/**
* A hit for a hash set (hash database).
*/
public static final Type TSK_HASHSET_HIT = new BlackboardArtifact.Type(10, "TSK_HASHSET_HIT", bundle.getString("BlackboardArtifact.tskHashsetHit.text"), Category.ANALYSIS_RESULT);
/**
* An attached device.
*/
public static final Type TSK_DEVICE_ATTACHED = new BlackboardArtifact.Type(11, "TSK_DEVICE_ATTACHED", bundle.getString("BlackboardArtifact.tskDeviceAttached.text"), Category.DATA_ARTIFACT);
/**
* An meta-artifact to call attention to a file deemed to be
* interesting.
*
* @deprecated Use TSK_INTERESTING_ITEM instead.
*/
@Deprecated
public static final Type TSK_INTERESTING_FILE_HIT = new BlackboardArtifact.Type(12, "TSK_INTERESTING_FILE_HIT", bundle.getString("BlackboardArtifact.tskInterestingFileHit.text"), Category.ANALYSIS_RESULT);
/**
* An email message.
*/
public static final Type TSK_EMAIL_MSG = new BlackboardArtifact.Type(13, "TSK_EMAIL_MSG", bundle.getString("BlackboardArtifact.tskEmailMsg.text"), Category.DATA_ARTIFACT);
/**
* Text extracted from the source content.
*/
public static final Type TSK_EXTRACTED_TEXT = new BlackboardArtifact.Type(14, "TSK_EXTRACTED_TEXT", bundle.getString("BlackboardArtifact.tskExtractedText.text"), Category.DATA_ARTIFACT);
/**
* A Web search engine query extracted from Web history.
*/
public static final Type TSK_WEB_SEARCH_QUERY = new BlackboardArtifact.Type(15, "TSK_WEB_SEARCH_QUERY", bundle.getString("BlackboardArtifact.tskWebSearchQuery.text"), Category.DATA_ARTIFACT);
/**
* EXIF metadata.
*/
public static final Type TSK_METADATA_EXIF = new BlackboardArtifact.Type(16, "TSK_METADATA_EXIF", bundle.getString("BlackboardArtifact.tskMetadataExif.text"), Category.ANALYSIS_RESULT);
// 17 was used for deprecated TSK_TAG_FILE.
// 18 was used for deprecated TSK_TAG_ARTIFACT.
/**
* Information pertaining to an operating system.
*/
public static final Type TSK_OS_INFO = new BlackboardArtifact.Type(19, "TSK_OS_INFO", bundle.getString("BlackboardArtifact.tskOsInfo.text"), Category.DATA_ARTIFACT);
// 20 was used for deprecated TSK_OS_ACCOUNT.
/**
* An application or Web service account.
*/
public static final Type TSK_SERVICE_ACCOUNT = new BlackboardArtifact.Type(21, "TSK_SERVICE_ACCOUNT", bundle.getString("BlackboardArtifact.tskServiceAccount.text"), Category.DATA_ARTIFACT);
// 22 was used for deprecated TSK_TOOL_OUTPUT.
/**
* A contact extracted from a phone, or from an address
* book/email/messaging application. Use methods in
* org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper
* to create contact artifacts.
*/
public static final Type TSK_CONTACT = new BlackboardArtifact.Type(23, "TSK_CONTACT", bundle.getString("BlackboardArtifact.tskContact.text"), Category.DATA_ARTIFACT);
/**
* An SMS/MMS message extracted from phone, or from another messaging
* application, like IM. Use methods in
* org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper
* to create message artifacts.
*/
public static final Type TSK_MESSAGE = new BlackboardArtifact.Type(24, "TSK_MESSAGE", bundle.getString("BlackboardArtifact.tskMessage.text"), Category.DATA_ARTIFACT);
/**
* A phone call log extracted from a phone or softphone application. Use
* methods in
* org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper
* to create call log artifacts.
*/
public static final Type TSK_CALLLOG = new BlackboardArtifact.Type(25, "TSK_CALLLOG", bundle.getString("BlackboardArtifact.tskCalllog.text"), Category.DATA_ARTIFACT);
/**
* A calendar entry from a phone, PIM, or a calendar application.
*/
public static final Type TSK_CALENDAR_ENTRY = new BlackboardArtifact.Type(26, "TSK_CALENDAR_ENTRY", bundle.getString("BlackboardArtifact.tskCalendarEntry.text"), Category.DATA_ARTIFACT);
/**
* A speed dial entry from a phone.
*/
public static final Type TSK_SPEED_DIAL_ENTRY = new BlackboardArtifact.Type(27, "TSK_SPEED_DIAL_ENTRY", bundle.getString("BlackboardArtifact.tskSpeedDialEntry.text"), Category.DATA_ARTIFACT);
/**
* A bluetooth pairing entry.
*/
public static final Type TSK_BLUETOOTH_PAIRING = new BlackboardArtifact.Type(28, "TSK_BLUETOOTH_PAIRING", bundle.getString("BlackboardArtifact.tskBluetoothPairing.text"), Category.DATA_ARTIFACT);
/**
* A GPS bookmark / way point that the user saved.
*/
public static final Type TSK_GPS_BOOKMARK = new BlackboardArtifact.Type(29, "TSK_GPS_BOOKMARK", bundle.getString("BlackboardArtifact.tskGpsBookmark.text"), Category.DATA_ARTIFACT);
/**
* A GPS last known location record.
*/
public static final Type TSK_GPS_LAST_KNOWN_LOCATION = new BlackboardArtifact.Type(30, "TSK_GPS_LAST_KNOWN_LOCATION", bundle.getString("BlackboardArtifact.tskGpsLastKnownLocation.text"), Category.DATA_ARTIFACT);
/**
* A GPS search record.
*/
public static final Type TSK_GPS_SEARCH = new BlackboardArtifact.Type(31, "TSK_GPS_SEARCH", bundle.getString("BlackboardArtifact.tskGpsSearch.text"), Category.DATA_ARTIFACT);
/**
* Application run information.
*/
public static final Type TSK_PROG_RUN = new BlackboardArtifact.Type(32, "TSK_PROG_RUN", bundle.getString("BlackboardArtifact.tskProgRun.text"), Category.DATA_ARTIFACT);
/**
* An encrypted file.
*/
public static final Type TSK_ENCRYPTION_DETECTED = new BlackboardArtifact.Type(33, "TSK_ENCRYPTION_DETECTED", bundle.getString("BlackboardArtifact.tskEncryptionDetected.text"), Category.ANALYSIS_RESULT);
/**
* A file with an extension that does not match its MIME type.
*/
public static final Type TSK_EXT_MISMATCH_DETECTED = new BlackboardArtifact.Type(34, "TSK_EXT_MISMATCH_DETECTED", bundle.getString("BlackboardArtifact.tskExtMismatchDetected.text"), Category.ANALYSIS_RESULT);
/**
* An meta-artifact to call attention to an artifact deemed to be
* interesting.
*
* @deprecated Use TSK_INTERESTING_ITEM instead.
*/
@Deprecated
public static final Type TSK_INTERESTING_ARTIFACT_HIT = new BlackboardArtifact.Type(35, "TSK_INTERESTING_ARTIFACT_HIT", bundle.getString("BlackboardArtifact.tskInterestingArtifactHit.text"), Category.ANALYSIS_RESULT);
/**
* A route based on GPS coordinates. Use
* org.sleuthkit.datamodel.blackboardutils.GeoArtifactsHelper.addRoute()
* to create route artifacts.
*/
public static final Type TSK_GPS_ROUTE = new BlackboardArtifact.Type(36, "TSK_GPS_ROUTE", bundle.getString("BlackboardArtifact.tskGpsRoute.text"), Category.DATA_ARTIFACT);
/**
* A remote drive.
*/
public static final Type TSK_REMOTE_DRIVE = new BlackboardArtifact.Type(37, "TSK_REMOTE_DRIVE", bundle.getString("BlackboardArtifact.tskRemoteDrive.text"), Category.DATA_ARTIFACT);
/**
* A human face was detected in a media file.
*/
public static final Type TSK_FACE_DETECTED = new BlackboardArtifact.Type(38, "TSK_FACE_DETECTED", bundle.getString("BlackboardArtifact.tskFaceDetected.text"), Category.ANALYSIS_RESULT);
/**
* An account.
*/
public static final Type TSK_ACCOUNT = new BlackboardArtifact.Type(39, "TSK_ACCOUNT", bundle.getString("BlackboardArtifact.tskAccount.text"), Category.DATA_ARTIFACT);
/**
* An encrypted file.
*/
public static final Type TSK_ENCRYPTION_SUSPECTED = new BlackboardArtifact.Type(40, "TSK_ENCRYPTION_SUSPECTED", bundle.getString("BlackboardArtifact.tskEncryptionSuspected.text"), Category.ANALYSIS_RESULT);
/*
* A classifier detected an object in a media file.
*/
public static final Type TSK_OBJECT_DETECTED = new BlackboardArtifact.Type(41, "TSK_OBJECT_DETECTED", bundle.getString("BlackboardArtifact.tskObjectDetected.text"), Category.ANALYSIS_RESULT);
/**
* A wireless network.
*/
public static final Type TSK_WIFI_NETWORK = new BlackboardArtifact.Type(42, "TSK_WIFI_NETWORK", bundle.getString("BlackboardArtifact.tskWIFINetwork.text"), Category.DATA_ARTIFACT);
/**
* Information related to a device.
*/
public static final Type TSK_DEVICE_INFO = new BlackboardArtifact.Type(43, "TSK_DEVICE_INFO", bundle.getString("BlackboardArtifact.tskDeviceInfo.text"), Category.DATA_ARTIFACT);
/**
* A SIM card.
*/
public static final Type TSK_SIM_ATTACHED = new BlackboardArtifact.Type(44, "TSK_SIM_ATTACHED", bundle.getString("BlackboardArtifact.tskSimAttached.text"), Category.DATA_ARTIFACT);
/**
* A bluetooth adapter.
*/
public static final Type TSK_BLUETOOTH_ADAPTER = new BlackboardArtifact.Type(45, "TSK_BLUETOOTH_ADAPTER", bundle.getString("BlackboardArtifact.tskBluetoothAdapter.text"), Category.DATA_ARTIFACT);
/**
* A wireless network adapter.
*/
public static final Type TSK_WIFI_NETWORK_ADAPTER = new BlackboardArtifact.Type(46, "TSK_WIFI_NETWORK_ADAPTER", bundle.getString("BlackboardArtifact.tskWIFINetworkAdapter.text"), Category.DATA_ARTIFACT);
/**
* Indicates a verification failure
*/
public static final Type TSK_VERIFICATION_FAILED = new BlackboardArtifact.Type(47, "TSK_VERIFICATION_FAILED", bundle.getString("BlackboardArtifact.tskVerificationFailed.text"), Category.ANALYSIS_RESULT);
/**
* Categorization information for a data source.
*/
public static final Type TSK_DATA_SOURCE_USAGE = new BlackboardArtifact.Type(48, "TSK_DATA_SOURCE_USAGE", bundle.getString("BlackboardArtifact.tskDataSourceUsage.text"), Category.ANALYSIS_RESULT);
/**
* Indicates auto fill data from a Web form. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create web form autofill artifacts.
*/
public static final Type TSK_WEB_FORM_AUTOFILL = new BlackboardArtifact.Type(49, "TSK_WEB_FORM_AUTOFILL", bundle.getString("BlackboardArtifact.tskWebFormAutofill.text"), Category.DATA_ARTIFACT);
/**
* Indicates an person's address filled in a web form. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create web form address artifacts.
*/
public static final Type TSK_WEB_FORM_ADDRESS = new BlackboardArtifact.Type(50, "TSK_WEB_FORM_ADDRESSES ", bundle.getString("BlackboardArtifact.tskWebFormAddresses.text"), Category.DATA_ARTIFACT);
// 51 was used for deprecated TSK_DOWNLOAD_SOURCE
/**
* Indicates web cache data
*/
public static final Type TSK_WEB_CACHE = new BlackboardArtifact.Type(52, "TSK_WEB_CACHE", bundle.getString("BlackboardArtifact.tskWebCache.text"), Category.DATA_ARTIFACT);
/**
* A generic (timeline) event.
*/
public static final Type TSK_TL_EVENT = new BlackboardArtifact.Type(53, "TSK_TL_EVENT", bundle.getString("BlackboardArtifact.tskTLEvent.text"), Category.DATA_ARTIFACT);
/**
* Indicates clipboard content
*/
public static final Type TSK_CLIPBOARD_CONTENT = new BlackboardArtifact.Type(54, "TSK_CLIPBOARD_CONTENT", bundle.getString("BlackboardArtifact.tskClipboardContent.text"), Category.DATA_ARTIFACT);
/**
* An associated object.
*/
public static final Type TSK_ASSOCIATED_OBJECT = new BlackboardArtifact.Type(55, "TSK_ASSOCIATED_OBJECT", bundle.getString("BlackboardArtifact.tskAssociatedObject.text"), Category.DATA_ARTIFACT);
/**
* Indicates file may have been created by the user.
*/
public static final Type TSK_USER_CONTENT_SUSPECTED = new BlackboardArtifact.Type(56, "TSK_USER_CONTENT_SUSPECTED", bundle.getString("BlackboardArtifact.tskUserContentSuspected.text"), Category.ANALYSIS_RESULT);
/**
* Stores metadata about an object.
*/
public static final Type TSK_METADATA = new BlackboardArtifact.Type(57, "TSK_METADATA", bundle.getString("BlackboardArtifact.tskMetadata.text"), Category.DATA_ARTIFACT);
/**
* Stores a GPS track log. Use
* org.sleuthkit.datamodel.blackboardutils.GeoArtifactsHelper.addTrack()
* to create track artifacts.
*/
public static final Type TSK_GPS_TRACK = new BlackboardArtifact.Type(58, "TSK_GPS_TRACK", bundle.getString("BlackboardArtifact.tskTrack.text"), Category.DATA_ARTIFACT);
/**
* Stores a role on a given domain.
*/
public static final Type TSK_WEB_ACCOUNT_TYPE = new BlackboardArtifact.Type(59, "TSK_WEB_ACCOUNT_TYPE", bundle.getString("BlackboardArtifact.tskWebAccountType.text"), Category.ANALYSIS_RESULT);
/**
* Screen shots from device or Application.
*/
public static final Type TSK_SCREEN_SHOTS = new BlackboardArtifact.Type(60, "TSK_SCREEN_SHOTS", bundle.getString("BlackboardArtifact.tskScreenShots.text"), Category.DATA_ARTIFACT);
/**
* Notifications Sent to User.
*/
public static final Type TSK_PROG_NOTIFICATIONS = new BlackboardArtifact.Type(62, "TSK_PROG_NOTIFICATIONS", bundle.getString("BlackboardArtifact.tskProgNotifications.text"), Category.DATA_ARTIFACT);
/**
* System/Application/File backup.
*/
public static final Type TSK_BACKUP_EVENT = new BlackboardArtifact.Type(63, "TSK_BACKUP_EVENT", bundle.getString("BlackboardArtifact.tskBackupEvent.text"), Category.DATA_ARTIFACT);
/**
* Programs that have been deleted.
*/
public static final Type TSK_DELETED_PROG = new BlackboardArtifact.Type(64, "TSK_DELETED_PROG", bundle.getString("BlackboardArtifact.tskDeletedProg.text"), Category.DATA_ARTIFACT);
/**
* Activity on the System/Application.
*/
public static final Type TSK_USER_DEVICE_EVENT = new BlackboardArtifact.Type(65, "TSK_USER_DEVICE_EVENT", bundle.getString("BlackboardArtifact.tskUserDeviceEvent.text"), Category.DATA_ARTIFACT);
/**
* Indicates that the file had a yara pattern match hit.
*/
public static final Type TSK_YARA_HIT = new BlackboardArtifact.Type(66, "TSK_YARA_HIT", bundle.getString("BlackboardArtifact.tskYaraHit.text"), Category.ANALYSIS_RESULT);
/**
* Stores the outline of an area using GPS coordinates.
*/
public static final Type TSK_GPS_AREA = new BlackboardArtifact.Type(67, "TSK_GPS_AREA", bundle.getString("BlackboardArtifact.tskGPSArea.text"), Category.DATA_ARTIFACT);
/**
* Defines a category for a particular domain.
*/
public static final Type TSK_WEB_CATEGORIZATION = new BlackboardArtifact.Type(68, "TSK_WEB_CATEGORIZATION", bundle.getString("BlackboardArtifact.tskWebCategorization.text"), Category.ANALYSIS_RESULT);
/**
* Indicates that the file or artifact was previously seen in another
* Autopsy case.
*/
public static final Type TSK_PREVIOUSLY_SEEN = new BlackboardArtifact.Type(69, "TSK_PREVIOUSLY_SEEN", bundle.getString("BlackboardArtifact.tskPreviouslySeen.text"), Category.ANALYSIS_RESULT);
/**
* Indicates that the file or artifact was previously unseen in another
* Autopsy case.
*/
public static final Type TSK_PREVIOUSLY_UNSEEN = new BlackboardArtifact.Type(70, "TSK_PREVIOUSLY_UNSEEN", bundle.getString("BlackboardArtifact.tskPreviouslyUnseen.text"), Category.ANALYSIS_RESULT);
/**
* Indicates that the file or artifact was previously tagged as
* "Notable" in another Autopsy case.
*/
public static final Type TSK_PREVIOUSLY_NOTABLE = new BlackboardArtifact.Type(71, "TSK_PREVIOUSLY_NOTABLE", bundle.getString("BlackboardArtifact.tskPreviouslyNotable.text"), Category.ANALYSIS_RESULT);
/**
* An meta-artifact to call attention to an item deemed to be
* interesting.
*/
public static final Type TSK_INTERESTING_ITEM = new BlackboardArtifact.Type(72, "TSK_INTERESTING_ITEM", bundle.getString("BlackboardArtifact.tskInterestingItem.text"), Category.ANALYSIS_RESULT);
/**
* Malware artifact.
*/
public static final Type TSK_MALWARE = new BlackboardArtifact.Type(73, "TSK_MALWARE", bundle.getString("BlackboardArtifact.tskMalware.text"), Category.ANALYSIS_RESULT);
/*
* IMPORTANT!
*
* Until BlackboardArtifact.ARTIFACT_TYPE is deprecated and/or removed,
* new standard artifact types need to be added to both
* BlackboardArtifact.ARTIFACT_TYPE and
* BlackboardArtifact.Type.STANDARD_TYPES.
*
* Also, ensure that new types have a one line JavaDoc description and
* are added to the standard artifacts catalog (artifact_catalog.dox).
*
*/
/**
* All standard artifact types with ids mapped to the type.
*/
static final Map<Integer, Type> STANDARD_TYPES = Collections.unmodifiableMap(Stream.of(
TSK_GEN_INFO,
TSK_WEB_BOOKMARK,
TSK_WEB_COOKIE,
TSK_WEB_HISTORY,
TSK_WEB_DOWNLOAD,
TSK_RECENT_OBJECT,
TSK_INSTALLED_PROG,
TSK_KEYWORD_HIT,
TSK_HASHSET_HIT,
TSK_DEVICE_ATTACHED,
TSK_EMAIL_MSG,
TSK_EXTRACTED_TEXT,
TSK_WEB_SEARCH_QUERY,
TSK_METADATA_EXIF,
TSK_OS_INFO,
TSK_SERVICE_ACCOUNT,
TSK_CONTACT,
TSK_MESSAGE,
TSK_CALLLOG,
TSK_CALENDAR_ENTRY,
TSK_SPEED_DIAL_ENTRY,
TSK_BLUETOOTH_PAIRING,
TSK_GPS_BOOKMARK,
TSK_GPS_LAST_KNOWN_LOCATION,
TSK_GPS_SEARCH,
TSK_PROG_RUN,
TSK_ENCRYPTION_DETECTED,
TSK_EXT_MISMATCH_DETECTED,
TSK_GPS_ROUTE,
TSK_REMOTE_DRIVE,
TSK_FACE_DETECTED,
TSK_ACCOUNT,
TSK_ENCRYPTION_SUSPECTED,
TSK_OBJECT_DETECTED,
TSK_WIFI_NETWORK,
TSK_DEVICE_INFO,
TSK_SIM_ATTACHED,
TSK_BLUETOOTH_ADAPTER,
TSK_WIFI_NETWORK_ADAPTER,
TSK_VERIFICATION_FAILED,
TSK_DATA_SOURCE_USAGE,
TSK_WEB_FORM_AUTOFILL,
TSK_WEB_FORM_ADDRESS,
TSK_WEB_CACHE,
TSK_TL_EVENT,
TSK_CLIPBOARD_CONTENT,
TSK_ASSOCIATED_OBJECT,
TSK_USER_CONTENT_SUSPECTED,
TSK_METADATA,
TSK_GPS_TRACK,
TSK_WEB_ACCOUNT_TYPE,
TSK_SCREEN_SHOTS,
TSK_PROG_NOTIFICATIONS,
TSK_BACKUP_EVENT,
TSK_DELETED_PROG,
TSK_USER_DEVICE_EVENT,
TSK_YARA_HIT,
TSK_GPS_AREA,
TSK_WEB_CATEGORIZATION,
TSK_PREVIOUSLY_SEEN,
TSK_PREVIOUSLY_UNSEEN,
TSK_PREVIOUSLY_NOTABLE,
TSK_INTERESTING_ITEM,
TSK_MALWARE
).collect(Collectors.toMap(type -> type.getTypeID(), type -> type)));
private final String typeName;
private final int typeID;
private final String displayName;
private final Category category;
/**
* Constructs a custom artifact type.
*
* @param typeName The name of the type.
* @param typeID The id of the type.
* @param displayName The display name of the type.
* @param category The artifact type category.
*/
Type(int typeID, String typeName, String displayName, Category category) {
this.typeID = typeID;
this.typeName = typeName;
this.displayName = displayName;
this.category = category;
}
/**
* Constructs a standard artifact type.
*
* @param type An element of the ARTIFACT_TYPE enum.
*/
public Type(ARTIFACT_TYPE type) {
this(type.getTypeID(), type.getLabel(), type.getDisplayName(), type.getCategory());
}
/**
* Gets the type for this artifact type.
*
* @return The type name.
*/
public String getTypeName() {
return this.typeName;
}
/**
* Gets the type id for this artifact type.
*
* @return The type id.
*/
public int getTypeID() {
return this.typeID;
}
/**
* Gets display name of this artifact type.
*
* @return The display name.
*/
public String getDisplayName() {
return this.displayName;
}
/**
* Gets category of this artifact type.
*
* @return The artifact type category.
*/
public Category getCategory() {
return category;
}
/**
* Tests this artifact type for equality with another object.
*
* @param that The other object.
*
* @return True or false.
*/
@Override
public boolean equals(Object that) {
if (this == that) {
return true;
} else if (!(that instanceof Type)) {
return false;
} else {
return ((Type) that).sameType(this);
}
}
/**
* Compares two artifact types to see if they are the same type.
*
* @param that The other type.
*
* @return True or false.
*/
private boolean sameType(Type that) {
return this.typeName.equals(that.getTypeName())
&& this.displayName.equals(that.getDisplayName())
&& this.typeID == that.getTypeID();
}
/**
* Gets the hash code for this artifact type.
*
* @return The hash code.
*/
@Override
public int hashCode() {
int hash = 11;
hash = 83 * hash + Objects.hashCode(this.typeID);
hash = 83 * hash + Objects.hashCode(this.displayName);
hash = 83 * hash + Objects.hashCode(this.typeName);
return hash;
}
}
/**
* Enum for the standard artifact types. Refer to
* http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html
* for details on the standard attributes for each artifact type.
*/
public enum ARTIFACT_TYPE implements SleuthkitVisitableItem {
/**
* A generic information artifact.
*/
TSK_GEN_INFO(1, "TSK_GEN_INFO", //NON-NLS
bundle.getString("BlackboardArtifact.tskGenInfo.text"), Category.DATA_ARTIFACT),
/**
* A Web bookmark. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create bookmark artifacts.
*/
TSK_WEB_BOOKMARK(2, "TSK_WEB_BOOKMARK", //NON-NLS
bundle.getString("BlackboardArtifact.tskWebBookmark.text"), Category.DATA_ARTIFACT),
/**
* A Web cookie. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create cookie artifacts.
*/
TSK_WEB_COOKIE(3, "TSK_WEB_COOKIE",
bundle.getString("BlackboardArtifact.tskWebCookie.text"), Category.DATA_ARTIFACT), //NON-NLS
/**
* A Web history. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create history artifacts.
*/
TSK_WEB_HISTORY(4, "TSK_WEB_HISTORY", //NON-NLS
bundle.getString("BlackboardArtifact.tskWebHistory.text"), Category.DATA_ARTIFACT),
/**
* A Web download. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create download artifacts.
*/
TSK_WEB_DOWNLOAD(5, "TSK_WEB_DOWNLOAD", //NON-NLS
bundle.getString("BlackboardArtifact.tskWebDownload.text"), Category.DATA_ARTIFACT),
/**
* A recent object.
*/
TSK_RECENT_OBJECT(6, "TSK_RECENT_OBJ", //NON-NLS
bundle.getString("BlackboardArtifact.tsk.recentObject.text"), Category.DATA_ARTIFACT),
/**
* A GPS track point (geolocation data).
*
* @deprecated Use TSK_GPS_TRACK instead
*/
@Deprecated
TSK_GPS_TRACKPOINT(7, "TSK_GPS_TRACKPOINT", //NON-NLS
bundle.getString("BlackboardArtifact.tskGpsTrackpoint.text"), Category.DATA_ARTIFACT),
/**
* An installed program.
*/
TSK_INSTALLED_PROG(8, "TSK_INSTALLED_PROG", //NON-NLS
bundle.getString("BlackboardArtifact.tskInstalledProg.text"), Category.DATA_ARTIFACT),
/**
* A search hit for a keyword.
*/
TSK_KEYWORD_HIT(9, "TSK_KEYWORD_HIT",
bundle.getString("BlackboardArtifact.tskKeywordHits.text"), Category.ANALYSIS_RESULT),
/**
* A hit for a hash set (hash database).
*/
TSK_HASHSET_HIT(10, "TSK_HASHSET_HIT", //NON-NLS
bundle.getString("BlackboardArtifact.tskHashsetHit.text"), Category.ANALYSIS_RESULT),
/**
* An attached device.
*/
TSK_DEVICE_ATTACHED(11, "TSK_DEVICE_ATTACHED", //NON-NLS
bundle.getString("BlackboardArtifact.tskDeviceAttached.text"), Category.DATA_ARTIFACT),
/**
* An meta-artifact to call attention to a file deemed to be
* interesting.
*
* @deprecated Use TSK_INTERESTING_ITEM instead.
*/
@Deprecated
TSK_INTERESTING_FILE_HIT(12, "TSK_INTERESTING_FILE_HIT", //NON-NLS
bundle.getString("BlackboardArtifact.tskInterestingFileHit.text"), Category.ANALYSIS_RESULT), ///< an interesting/notable file hit
/**
* An email message.
*/
TSK_EMAIL_MSG(13, "TSK_EMAIL_MSG", //NON-NLS
bundle.getString("BlackboardArtifact.tskEmailMsg.text"), Category.DATA_ARTIFACT),
/**
* Text extracted from the source content.
*/
TSK_EXTRACTED_TEXT(14, "TSK_EXTRACTED_TEXT", //NON-NLS
bundle.getString("BlackboardArtifact.tskExtractedText.text"), Category.DATA_ARTIFACT),
/**
* A Web search engine query extracted from Web history.
*/
TSK_WEB_SEARCH_QUERY(15, "TSK_WEB_SEARCH_QUERY", //NON-NLS
bundle.getString("BlackboardArtifact.tskWebSearchQuery.text"), Category.DATA_ARTIFACT),
/**
* EXIF metadata.
*/
TSK_METADATA_EXIF(16, "TSK_METADATA_EXIF", //NON-NLS
bundle.getString("BlackboardArtifact.tskMetadataExif.text"), Category.ANALYSIS_RESULT),
/**
* A tag applied to a file.
*
* @deprecated Tags are no longer treated as artifacts.
*/
@Deprecated
TSK_TAG_FILE(17, "TSK_TAG_FILE", //NON-NLS
bundle.getString("BlackboardArtifact.tagFile.text"), Category.ANALYSIS_RESULT),
/**
* A tag applied to an artifact.
*
* @deprecated Tags are no longer treated as artifacts.
*/
@Deprecated
TSK_TAG_ARTIFACT(18, "TSK_TAG_ARTIFACT", //NON-NLS
bundle.getString("BlackboardArtifact.tskTagArtifact.text"), Category.ANALYSIS_RESULT),
/**
* Information pertaining to an operating system.
*/
TSK_OS_INFO(19, "TSK_OS_INFO", //NON-NLS
bundle.getString("BlackboardArtifact.tskOsInfo.text"), Category.DATA_ARTIFACT),
/**
* An operating system user account.
*/
@Deprecated
TSK_OS_ACCOUNT(20, "TSK_OS_ACCOUNT", //NON-NLS
bundle.getString("BlackboardArtifact.tskOsAccount.text"), Category.DATA_ARTIFACT),
/**
* An application or Web service account.
*/
TSK_SERVICE_ACCOUNT(21, "TSK_SERVICE_ACCOUNT", //NON-NLS
bundle.getString("BlackboardArtifact.tskServiceAccount.text"), Category.DATA_ARTIFACT),
/**
* Output from an external tool or module (raw text).
*
* @deprecated Tool output should be saved as a report.
*/
@Deprecated
TSK_TOOL_OUTPUT(22, "TSK_TOOL_OUTPUT", //NON-NLS
bundle.getString("BlackboardArtifact.tskToolOutput.text"), Category.DATA_ARTIFACT),
/**
* A contact extracted from a phone, or from an address
* book/email/messaging application. Use methods in
* org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper
* to create contact artifacts.
*/
TSK_CONTACT(23, "TSK_CONTACT", //NON-NLS
bundle.getString("BlackboardArtifact.tskContact.text"), Category.DATA_ARTIFACT),
/**
* An SMS/MMS message extracted from phone, or from another messaging
* application, like IM. Use methods in
* org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper
* to create message artifacts.
*/
TSK_MESSAGE(24, "TSK_MESSAGE", //NON-NLS
bundle.getString("BlackboardArtifact.tskMessage.text"), Category.DATA_ARTIFACT),
/**
* A phone call log extracted from a phone or softphone application. Use
* methods in
* org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper
* to create call log artifacts.
*/
TSK_CALLLOG(25, "TSK_CALLLOG", //NON-NLS
bundle.getString("BlackboardArtifact.tskCalllog.text"), Category.DATA_ARTIFACT),
/**
* A calendar entry from a phone, PIM, or a calendar application.
*/
TSK_CALENDAR_ENTRY(26, "TSK_CALENDAR_ENTRY", //NON-NLS
bundle.getString("BlackboardArtifact.tskCalendarEntry.text"), Category.DATA_ARTIFACT),
/**
* A speed dial entry from a phone.
*/
TSK_SPEED_DIAL_ENTRY(27, "TSK_SPEED_DIAL_ENTRY", //NON-NLS
bundle.getString("BlackboardArtifact.tskSpeedDialEntry.text"), Category.DATA_ARTIFACT),
/**
* A bluetooth pairing entry.
*/
TSK_BLUETOOTH_PAIRING(28, "TSK_BLUETOOTH_PAIRING", //NON-NLS
bundle.getString("BlackboardArtifact.tskBluetoothPairing.text"), Category.DATA_ARTIFACT),
/**
* A GPS bookmark / way point that the user saved.
*/
TSK_GPS_BOOKMARK(29, "TSK_GPS_BOOKMARK", //NON-NLS
bundle.getString("BlackboardArtifact.tskGpsBookmark.text"), Category.DATA_ARTIFACT),
/**
* A GPS last known location record.
*/
TSK_GPS_LAST_KNOWN_LOCATION(30, "TSK_GPS_LAST_KNOWN_LOCATION", //NON-NLS
bundle.getString("BlackboardArtifact.tskGpsLastKnownLocation.text"), Category.DATA_ARTIFACT),
/**
* A GPS search record.
*/
TSK_GPS_SEARCH(31, "TSK_GPS_SEARCH", //NON-NLS
bundle.getString("BlackboardArtifact.tskGpsSearch.text"), Category.DATA_ARTIFACT),
/**
* Application run information.
*/
TSK_PROG_RUN(32, "TSK_PROG_RUN", //NON-NLS
bundle.getString("BlackboardArtifact.tskProgRun.text"), Category.DATA_ARTIFACT),
/**
* An encrypted file.
*/
TSK_ENCRYPTION_DETECTED(33, "TSK_ENCRYPTION_DETECTED", //NON-NLS
bundle.getString("BlackboardArtifact.tskEncryptionDetected.text"), Category.ANALYSIS_RESULT),
/**
* A file with an extension that does not match its MIME type.
*/
TSK_EXT_MISMATCH_DETECTED(34, "TSK_EXT_MISMATCH_DETECTED", //NON-NLS
bundle.getString("BlackboardArtifact.tskExtMismatchDetected.text"), Category.ANALYSIS_RESULT),
/**
* An meta-artifact to call attention to an artifact deemed to be
* interesting.
*
* @deprecated Use TSK_INTERESTING_ITEM instead.
*/
@Deprecated
TSK_INTERESTING_ARTIFACT_HIT(35, "TSK_INTERESTING_ARTIFACT_HIT", //NON-NLS
bundle.getString("BlackboardArtifact.tskInterestingArtifactHit.text"), Category.ANALYSIS_RESULT),
/**
* A route based on GPS coordinates. Use
* org.sleuthkit.datamodel.blackboardutils.GeoArtifactsHelper.addRoute()
* to create route artifacts.
*/
TSK_GPS_ROUTE(36, "TSK_GPS_ROUTE", //NON-NLS
bundle.getString("BlackboardArtifact.tskGpsRoute.text"), Category.DATA_ARTIFACT),
/**
* A remote drive.
*/
TSK_REMOTE_DRIVE(37, "TSK_REMOTE_DRIVE", //NON-NLS
bundle.getString("BlackboardArtifact.tskRemoteDrive.text"), Category.DATA_ARTIFACT),
/**
* A human face was detected in a media file.
*/
TSK_FACE_DETECTED(38, "TSK_FACE_DETECTED", //NON-NLS
bundle.getString("BlackboardArtifact.tskFaceDetected.text"), Category.ANALYSIS_RESULT),
/**
* An account.
*/
TSK_ACCOUNT(39, "TSK_ACCOUNT", //NON-NLS
bundle.getString("BlackboardArtifact.tskAccount.text"), Category.DATA_ARTIFACT),
/**
* An encrypted file.
*/
TSK_ENCRYPTION_SUSPECTED(40, "TSK_ENCRYPTION_SUSPECTED", //NON-NLS
bundle.getString("BlackboardArtifact.tskEncryptionSuspected.text"), Category.ANALYSIS_RESULT),
/*
* A classifier detected an object in a media file.
*/
TSK_OBJECT_DETECTED(41, "TSK_OBJECT_DETECTED", //NON-NLS
bundle.getString("BlackboardArtifact.tskObjectDetected.text"), Category.ANALYSIS_RESULT),
/**
* A wireless network.
*/
TSK_WIFI_NETWORK(42, "TSK_WIFI_NETWORK", //NON-NLS
bundle.getString("BlackboardArtifact.tskWIFINetwork.text"), Category.DATA_ARTIFACT),
/**
* Information related to a device.
*/
TSK_DEVICE_INFO(43, "TSK_DEVICE_INFO", //NON-NLS
bundle.getString("BlackboardArtifact.tskDeviceInfo.text"), Category.DATA_ARTIFACT),
/**
* A SIM card.
*/
TSK_SIM_ATTACHED(44, "TSK_SIM_ATTACHED", //NON-NLS
bundle.getString("BlackboardArtifact.tskSimAttached.text"), Category.DATA_ARTIFACT),
/**
* A bluetooth adapter.
*/
TSK_BLUETOOTH_ADAPTER(45, "TSK_BLUETOOTH_ADAPTER", //NON-NLS
bundle.getString("BlackboardArtifact.tskBluetoothAdapter.text"), Category.DATA_ARTIFACT),
/**
* A wireless network adapter.
*/
TSK_WIFI_NETWORK_ADAPTER(46, "TSK_WIFI_NETWORK_ADAPTER", //NON-NLS
bundle.getString("BlackboardArtifact.tskWIFINetworkAdapter.text"), Category.DATA_ARTIFACT),
/**
* Indicates a verification failure
*/
TSK_VERIFICATION_FAILED(47, "TSK_VERIFICATION_FAILED", //NON-NLS
bundle.getString("BlackboardArtifact.tskVerificationFailed.text"), Category.ANALYSIS_RESULT),
/**
* Categorization information for a data source.
*/
TSK_DATA_SOURCE_USAGE(48, "TSK_DATA_SOURCE_USAGE", //NON-NLS
bundle.getString("BlackboardArtifact.tskDataSourceUsage.text"), Category.ANALYSIS_RESULT),
/**
* Indicates auto fill data from a Web form. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create web form autofill artifacts.
*/
TSK_WEB_FORM_AUTOFILL(49, "TSK_WEB_FORM_AUTOFILL", //NON-NLS
bundle.getString("BlackboardArtifact.tskWebFormAutofill.text"), Category.DATA_ARTIFACT),
/**
* Indicates an person's address filled in a web form. Use methods in
* org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper to
* create web form address artifacts.
*/
TSK_WEB_FORM_ADDRESS(50, "TSK_WEB_FORM_ADDRESSES ", //NON-NLS
bundle.getString("BlackboardArtifact.tskWebFormAddresses.text"), Category.DATA_ARTIFACT),
/**
* Indicates source of a file/object
*
* @deprecated TSK_ASSOCIATED_OBJECT should be used instead to associate
* the file/object with its source artifact/object..
*/
@Deprecated
TSK_DOWNLOAD_SOURCE(51, "TSK_DOWNLOAD_SOURCE", //NON-NLS
bundle.getString("BlackboardArtifact.tskDownloadSource.text"), Category.DATA_ARTIFACT),
/**
* Indicates web cache data
*/
TSK_WEB_CACHE(52, "TSK_WEB_CACHE", //NON-NLS
bundle.getString("BlackboardArtifact.tskWebCache.text"), Category.DATA_ARTIFACT),
/**
* A generic (timeline) event.
*/
TSK_TL_EVENT(53, "TSK_TL_EVENT", //NON-NLS
bundle.getString("BlackboardArtifact.tskTLEvent.text"), Category.DATA_ARTIFACT),
/**
* Indicates clipboard content
*/
TSK_CLIPBOARD_CONTENT(54, "TSK_CLIPBOARD_CONTENT", //NON-NLS
bundle.getString("BlackboardArtifact.tskClipboardContent.text"), Category.DATA_ARTIFACT),
/**
* An associated object.
*/
TSK_ASSOCIATED_OBJECT(55, "TSK_ASSOCIATED_OBJECT", //NON-NLS
bundle.getString("BlackboardArtifact.tskAssociatedObject.text"), Category.DATA_ARTIFACT),
/**
* Indicates file may have been created by the user.
*/
TSK_USER_CONTENT_SUSPECTED(56, "TSK_USER_CONTENT_SUSPECTED", //NON-NLS
bundle.getString("BlackboardArtifact.tskUserContentSuspected.text"), Category.ANALYSIS_RESULT),
/**
* Stores metadata about an object.
*/
TSK_METADATA(57, "TSK_METADATA", //NON-NLS
bundle.getString("BlackboardArtifact.tskMetadata.text"), Category.DATA_ARTIFACT),
/**
* Stores a GPS track log. Use
* org.sleuthkit.datamodel.blackboardutils.GeoArtifactsHelper.addTrack()
* to create track artifacts.
*/
TSK_GPS_TRACK(58, "TSK_GPS_TRACK",
bundle.getString("BlackboardArtifact.tskTrack.text"), Category.DATA_ARTIFACT),
/**
* Stores a role on a given domain.
*/
TSK_WEB_ACCOUNT_TYPE(59, "TSK_WEB_ACCOUNT_TYPE",
bundle.getString("BlackboardArtifact.tskWebAccountType.text"), Category.ANALYSIS_RESULT),
/**
* Screen shots from device or Application.
*/
TSK_SCREEN_SHOTS(60, "TSK_SCREEN_SHOTS",
bundle.getString("BlackboardArtifact.tskScreenShots.text"), Category.DATA_ARTIFACT),
/**
* Notifications Sent to User.
*/
TSK_PROG_NOTIFICATIONS(62, "TSK_PROG_NOTIFICATIONS",
bundle.getString("BlackboardArtifact.tskProgNotifications.text"), Category.DATA_ARTIFACT),
/**
* System/Application/File backup.
*/
TSK_BACKUP_EVENT(63, "TSK_BACKUP_EVENT",
bundle.getString("BlackboardArtifact.tskBackupEvent.text"), Category.DATA_ARTIFACT),
/**
* Programs that have been deleted.
*/
TSK_DELETED_PROG(64, "TSK_DELETED_PROG",
bundle.getString("BlackboardArtifact.tskDeletedProg.text"), Category.DATA_ARTIFACT),
/**
* Activity on the System/Application.
*/
TSK_USER_DEVICE_EVENT(65, "TSK_USER_DEVICE_EVENT",
bundle.getString("BlackboardArtifact.tskUserDeviceEvent.text"), Category.DATA_ARTIFACT),
/**
* Indicates that the file had a yara pattern match hit.
*/
TSK_YARA_HIT(66, "TSK_YARA_HIT",
bundle.getString("BlackboardArtifact.tskYaraHit.text"), Category.ANALYSIS_RESULT),
/**
* Stores the outline of an area using GPS coordinates.
*/
TSK_GPS_AREA(67, "TSK_GPS_AREA",
bundle.getString("BlackboardArtifact.tskGPSArea.text"), Category.DATA_ARTIFACT),
TSK_WEB_CATEGORIZATION(68, "TSK_WEB_CATEGORIZATION",
bundle.getString("BlackboardArtifact.tskWebCategorization.text"), Category.ANALYSIS_RESULT),
/**
* Indicates that the file or artifact was previously seen in another
* Autopsy case.
*/
TSK_PREVIOUSLY_SEEN(69, "TSK_PREVIOUSLY_SEEN",
bundle.getString("BlackboardArtifact.tskPreviouslySeen.text"), Category.ANALYSIS_RESULT),
/**
* Indicates that the file or artifact was previously unseen in another
* Autopsy case.
*/
TSK_PREVIOUSLY_UNSEEN(70, "TSK_PREVIOUSLY_UNSEEN",
bundle.getString("BlackboardArtifact.tskPreviouslyUnseen.text"), Category.ANALYSIS_RESULT),
/**
* Indicates that the file or artifact was previously tagged as
* "Notable" in another Autopsy case.
*/
TSK_PREVIOUSLY_NOTABLE(71, "TSK_PREVIOUSLY_NOTABLE",
bundle.getString("BlackboardArtifact.tskPreviouslyNotable.text"), Category.ANALYSIS_RESULT),
/**
* An meta-artifact to call attention to an item deemed to be
* interesting.
*/
TSK_INTERESTING_ITEM(72, "TSK_INTERESTING_ITEM", //NON-NLS
bundle.getString("BlackboardArtifact.tskInterestingItem.text"), Category.ANALYSIS_RESULT),
/**
* Malware artifact.
*/
TSK_MALWARE(73, "TSK_MALWARE", //NON-NLS
bundle.getString("BlackboardArtifact.tskMalware.text"), Category.ANALYSIS_RESULT);
/*
* IMPORTANT!
*
* Until BlackboardArtifact.ARTIFACT_TYPE is deprecated and/or removed,
* new standard artifact types need to be added to both
* BlackboardArtifact.ARTIFACT_TYPE and
* BlackboardArtifact.Type.STANDARD_TYPES.
*
* Also, ensure that new types have a one line JavaDoc description and
* are added to the standard artifacts catalog (artifact_catalog.dox).
*/
private final String label;
private final int typeId;
private final String displayName;
private final Category category;
/**
* Constructs a value for the standard artifact types enum.
*
* @param typeId The type id.
* @param label The type name.
* @param displayName The type display name.
*/
private ARTIFACT_TYPE(int typeId, String label, String displayName) {
this(typeId, label, displayName, Category.DATA_ARTIFACT);
}
/**
* Constructs a value for the standard artifact types enum.
*
* @param typeId The type id.
* @param label The type name.
* @param displayName The type display name.
* @param category The type category.
*/
private ARTIFACT_TYPE(int typeId, String label, String displayName, Category category) {
this.typeId = typeId;
this.label = label;
this.displayName = displayName;
this.category = category;
}
/**
* Gets the type id for this standard artifact type.
*
* @return type id
*/
public int getTypeID() {
return this.typeId;
}
/**
* Gets the type name (label) for this standard artifact type.
*
* @return The type name.
*/
public String getLabel() {
return this.label;
}
/**
* Gets the type category for this standard artifact type.
*
* @return The type category.
*/
public Category getCategory() {
return this.category;
}
/**
* Gets the standard artifact type enum value that corresponds to a
* given type name (label).
*
* @param label The type name
*
* @return The enum element.
*/
static public ARTIFACT_TYPE fromLabel(String label) {
for (ARTIFACT_TYPE value : ARTIFACT_TYPE.values()) {
if (value.getLabel().equals(label)) {
return value;
}
}
throw new IllegalArgumentException("No ARTIFACT_TYPE matching type: " + label);
}
/**
* Gets the artifact type enum value that corresponds to a given type
* id. This method should only be used when the id is known to be one of
* the built-in types - otherwise use getArtifactType() in
* SleuthkitCase.
*
* @param id The type id.
*
* @return the corresponding enum
*/
static public ARTIFACT_TYPE fromID(int id) {
for (ARTIFACT_TYPE value : ARTIFACT_TYPE.values()) {
if (value.getTypeID() == id) {
return value;
}
}
throw new IllegalArgumentException("No ARTIFACT_TYPE matching type: " + id);
}
/**
* Gets the display name of this standard artifact type.
*
* @return The display name.
*/
public String getDisplayName() {
return displayName;
}
/**
* Accepts a visitor SleuthkitItemVisitor that will perform an operation
* on this artifact type and return some object as the result of the
* operation.
*
* @param visitor The visitor, where the type parameter of the visitor
* is the type of the object that will be returned as the
* result of the visit operation.
*
* @return An object of type T.
*/
@Override
public <T> T accept(SleuthkitItemVisitor<T> visitor) {
return visitor.visit(this);
}
}
/**
* Enumeration to encapsulate categories of artifact.
*
* Some artifact types represent data directly extracted from a data source,
* while others may be the result of some analysis done on the extracted
* data.
*/
public enum Category {
// NOTE: The schema code defaults to '0', so that code must be updated too if DATA_ARTIFACT changes from being 0
DATA_ARTIFACT(0, "DATA_ARTIFACT", ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle").getString("CategoryType.DataArtifact")), // artifact is data that is directly/indirectly extracted from a data source.
ANALYSIS_RESULT(1, "ANALYSIS_RESULT", ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle").getString("CategoryType.AnalysisResult")); // artifacts represents outcome of analysis of data.
private final Integer id;
private final String name;
private final String displayName;
private final static Map<Integer, Category> idToCategory = new HashMap<Integer, Category>();
static {
for (Category status : values()) {
idToCategory.put(status.getID(), status);
}
}
/**
* Constructs a value for the category enum.
*
* @param id The category id.
* @param name The category name
* @param displayNameKey Category display name.
*/
private Category(Integer id, String name, String displayName) {
this.id = id;
this.name = name;
this.displayName = displayName;
}
/**
* Gets the category value with the given id, if one exists.
*
* @param id A category id.
*
* @return The category with the given id, or null if none exists.
*/
public static Category fromID(int id) {
return idToCategory.get(id);
}
/**
* Gets the id of this review status.
*
* @return The id of this review status.
*/
public Integer getID() {
return id;
}
/**
* Gets the name of this category.
*
* @return The name of this category.
*/
String getName() {
return name;
}
/**
* Gets the display name of this category.
*
* @return The display name of this category.
*/
public String getDisplayName() {
return displayName;
}
}
/**
* Enum to represent the review status of an artifact.
*/
public enum ReviewStatus {
APPROVED(1, "APPROVED", "ReviewStatus.Approved"), //approved by human user
REJECTED(2, "REJECTED", "ReviewStatus.Rejected"), //rejected by humna user
UNDECIDED(3, "UNDECIDED", "ReviewStatus.Undecided"); // not yet reviewed by human user
private final Integer id;
private final String name;
private final String displayName;
private final static Map<Integer, ReviewStatus> idToStatus = new HashMap<Integer, ReviewStatus>();
static {
for (ReviewStatus status : values()) {
idToStatus.put(status.getID(), status);
}
}
/**
* Constructs a value for the review status enum.
*
* @param id The status id.
* @param name The status name
* @param displayNameKey The bundle.properties key for the status
* display name.
*/
private ReviewStatus(Integer id, String name, String displayNameKey) {
this.id = id;
this.name = name;
this.displayName = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle").getString(displayNameKey);
}
/**
* Gets the review status value with the given id, if one exists.
*
* @param id A review status id.
*
* @return The review status with the given id, or null if none exists.
*/
public static ReviewStatus withID(int id) {
return idToStatus.get(id);
}
/**
* Gets the id of this review status.
*
* @return The id of this review status.
*/
public Integer getID() {
return id;
}
/**
* Gets the name of this review status.
*
* @return The name of this review status.
*/
String getName() {
return name;
}
/**
* Gets the display name of this review status.
*
* @return The display name of this review status.
*/
public String getDisplayName() {
return displayName;
}
}
/**
* Constructs an artifact that has been posted to the blackboard. An
* artifact is a typed collection of name value pairs (attributes) that is
* associated with its source content (either a data source, or file within
* a data source). Both standard artifact types and custom artifact types
* are supported.
*
* @param sleuthkitCase The SleuthKit case (case database) that contains
* the artifact data.
* @param artifactID The unique id for this artifact.
* @param objID The unique id of the content with which this
* artifact is associated.
* @param artifactObjID The unique id of the artifact, in tsk_objects
* @param dataSourceObjId The id of the data source
* @param artifactTypeID The type id of this artifact.
* @param artifactTypeName The type name of this artifact.
* @param displayName The display name of this artifact.
*
* @deprecated Use new BlackboardArtifact(SleuthkitCase, long, long, int,
* String, String, ReviewStatus) instead.
*/
@Deprecated
protected BlackboardArtifact(SleuthkitCase sleuthkitCase, long artifactID, long objID, long artifactObjID, long dataSourceObjId, int artifactTypeID, String artifactTypeName, String displayName) {
this(sleuthkitCase, artifactID, objID, artifactObjID, dataSourceObjId, artifactTypeID, artifactTypeName, displayName, ReviewStatus.UNDECIDED);
}
/**
* Gets all attributes associated with this artifact that are of the given
* attribute type.
*
* @param attributeType the type of attributes to get
*
* @return a list of attributes of the given type
*
* @throws TskCoreException if a critical error occurs and the attributes
* are not fetched
*
* @deprecated An artifact should not have multiple attributes of the same
* type. Use getAttribute(BlackboardAttribute.Type) instead.
*/
@Deprecated
public List<BlackboardAttribute> getAttributes(final BlackboardAttribute.ATTRIBUTE_TYPE attributeType) throws TskCoreException {
if (loadedCacheFromDb == false) {
List<BlackboardAttribute> attrs = getSleuthkitCase().getBlackboardAttributes(this);
attrsCache.clear();
attrsCache.addAll(attrs);
loadedCacheFromDb = true;
}
ArrayList<BlackboardAttribute> filteredAttributes = new ArrayList<BlackboardAttribute>();
for (BlackboardAttribute attr : attrsCache) {
if (attr.getAttributeType().getTypeID() == attributeType.getTypeID()) {
filteredAttributes.add(attr);
}
}
return filteredAttributes;
}
@Override
public long getId() {
return this.artifactObjId;
}
/**
* Gets the object ids of children of this artifact, if any
*
* @return A list of the object ids of children.
*
* @throws TskCoreException if there was an error querying the case
* database.
*/
@Override
public List<Long> getChildrenIds() throws TskCoreException {
List<Long> childrenIDs = new ArrayList<Long>();
childrenIDs.addAll(getSleuthkitCase().getAbstractFileChildrenIds(this));
childrenIDs.addAll(getSleuthkitCase().getBlackboardArtifactChildrenIds(this));
return childrenIDs;
}
@Override
public int getChildrenCount() throws TskCoreException {
if (childrenCount != -1) {
return childrenCount;
}
childrenCount = this.getSleuthkitCase().getContentChildrenCount(this);
hasChildren = childrenCount > 0;
checkedHasChildren = true;
return childrenCount;
}
@Override
public boolean hasChildren() throws TskCoreException {
if (checkedHasChildren == true) {
return hasChildren;
}
childrenCount = this.getSleuthkitCase().getContentChildrenCount(this);
hasChildren = childrenCount > 0;
checkedHasChildren = true;
return hasChildren;
}
/**
* Get all children of this artifact, if any.
*
* @return A list of the children.
*
* @throws TskCoreException if there was an error querying the case
* database.
*/
@Override
public List<Content> getChildren() throws TskCoreException {
List<Content> children = new ArrayList<>();
children.addAll(getSleuthkitCase().getAbstractFileChildren(this));
children.addAll(getSleuthkitCase().getBlackboardArtifactChildren(this));
return children;
}
}
bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifactTag.java 0 → 100755
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2013-2018 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
/**
* Instances of this class are data transfer objects (DTOs) that represent tags
* a user can apply to blackboard artifacts.
*/
public class BlackboardArtifactTag extends Tag {
private final BlackboardArtifact artifact;
private final Content content;
// Clients of the org.sleuthkit.datamodel package should not directly create these objects.
BlackboardArtifactTag(long id, BlackboardArtifact artifact, Content content, TagName name, String comment, String userName) {
super(id, name, comment, userName);
this.artifact = artifact;
this.content = content;
}
/**
* Returns the tagged artifact
*
* @return tagged artifact
*/
public BlackboardArtifact getArtifact() {
return artifact;
}
/**
* Returns source content of the tagged artifact
*
* @return source content of the tagged artifact
*/
public Content getContent() {
return content;
}
}
bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java 0 → 100755
View file @ a73ef106
/*
* Sleuth Kit Data Model
*
* Copyright 2011-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.datamodel;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.ResourceBundle;
import java.util.TimeZone;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
* Represents an attribute of an artifact posted to the blackboard. Instances
* should be constructed and then added to an instance of the BlackboardArtifact
* class.
*
* Attributes are a name-value pairs. The name is the type of the attribute, as
* represented by the BlackboardAttribute.Type class. Standard attribute types
* are specified by the ATTRIBUTE_TYPE enumeration. Custom attribute types may
* be created by constructing a BlackboardAttribute.Type object and calling the
* SleuthkitCase.addArtifactAttributeType method. The BlackboardAttribute.Type
* object that is returned can then be used to create instances of the custom
* attribute by calling the appropriate BlackboardAttribute constructor. It can
* also be used to do blackboard queries involving the custom type.
*/
public class BlackboardAttribute extends AbstractAttribute {
private static final Logger LOGGER = Logger.getLogger(BlackboardAttribute.class.getName());
private static final ResourceBundle bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle");
private String context;
private String sources;
private long artifactID;
// Cached parent artifact. This field is populated lazily upon the first
// call to getParentArtifact().
private BlackboardArtifact parentArtifact;
// The parent data source is defined as being
// the data source of the parent artifact.
private Long parentDataSourceID;
/**
* Constructs a standard attribute with an integer value. The attribute
* should be added to an appropriate artifact.
*
* @param attributeType The standard attribute type.
* @param source The source of this attribute.
* @param valueInt The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER.
*/
public BlackboardAttribute(ATTRIBUTE_TYPE attributeType, String source, int valueInt) throws IllegalArgumentException {
super(new BlackboardAttribute.Type(attributeType), valueInt);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs an attribute with an integer value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param source The source of this attribute.
* @param valueInt The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER.
*/
public BlackboardAttribute(Type attributeType, String source, int valueInt) throws IllegalArgumentException {
super(attributeType, valueInt);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs a standard attribute with a long/datetime value. If the value
* is a datetime, it should be seconds from January 1, 1970. The attribute
* should be added to an appropriate artifact.
*
* @param attributeType The standard attribute type.
* @param source The source of this attribute.
* @param valueLong The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG
* or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME.
*/
public BlackboardAttribute(ATTRIBUTE_TYPE attributeType, String source, long valueLong) throws IllegalArgumentException {
super(new BlackboardAttribute.Type(attributeType), valueLong);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs an attribute with a long/datetime value. The attribute should
* be added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param source The source of this attribute.
* @param valueLong The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG
* or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME.
*/
public BlackboardAttribute(Type attributeType, String source, long valueLong) throws IllegalArgumentException {
super(attributeType, valueLong);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs a standard attribute with a double value. The attribute should
* be added to an appropriate artifact.
*
* @param attributeType The standard attribute type.
* @param source The source of this attribute.
* @param valueDouble The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE.
*/
public BlackboardAttribute(ATTRIBUTE_TYPE attributeType, String source, double valueDouble) throws IllegalArgumentException {
super(new BlackboardAttribute.Type(attributeType), valueDouble);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs an attribute with a double value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param source The source of this attribute.
* @param valueDouble The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE.
*/
public BlackboardAttribute(Type attributeType, String source, double valueDouble) throws IllegalArgumentException {
super(attributeType, valueDouble);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs a standard attribute with an string value. The attribute
* should be added to an appropriate artifact.
*
* @param attributeType The standard attribute type.
* @param source The source of this attribute.
* @param valueString The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING
* or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON
*/
public BlackboardAttribute(ATTRIBUTE_TYPE attributeType, String source, String valueString) throws IllegalArgumentException {
super(new BlackboardAttribute.Type(attributeType), valueString);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs an attribute with a string value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param source The source of this attribute.
* @param valueString The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING.
*/
public BlackboardAttribute(Type attributeType, String source, String valueString) throws IllegalArgumentException {
super(attributeType, valueString);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs a standard attribute with a byte array value. The attribute
* should be added to an appropriate artifact.
*
* @param attributeType The standard attribute type.
* @param source The source of this attribute.
* @param valueBytes The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE.
*/
public BlackboardAttribute(ATTRIBUTE_TYPE attributeType, String source, byte[] valueBytes) throws IllegalArgumentException {
super(new BlackboardAttribute.Type(attributeType), valueBytes);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Constructs an attribute with a byte array value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeType The attribute type.
* @param source The source of this attribute.
* @param valueBytes The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE.
*/
public BlackboardAttribute(Type attributeType, String source, byte[] valueBytes) throws IllegalArgumentException {
super(attributeType, valueBytes);
this.sources = replaceNulls(source);
this.context = "";
}
/**
* Gets the id of the artifact associated with this attribute, if the
* attribute was added to an artifact. Attributes should always be added to
* artifacts after they are constructed.
*
* @return The artifact id or zero if the artifact id has not been set.
*/
public long getArtifactID() {
return artifactID;
}
/**
* Sets the artifact id.
*
* @param artifactID The artifact id.
*/
void setArtifactId(long artifactID) {
this.artifactID = artifactID;
}
/**
* Gets the sources of this attribute.
*
* @return A list of sources, may be empty.
*/
public List<String> getSources() {
if (null != sources && !this.sources.isEmpty()) {
List<String> modules = Arrays.asList(sources.split(","));
return modules;
} else {
return Collections.emptyList();
}
}
/**
* Adds a source to the sources of this attribute.
*
* @param source The source name.
*
* @throws org.sleuthkit.datamodel.TskCoreException
*/
public void addSource(String source) throws TskCoreException {
this.sources = getCaseDatabase().addSourceToArtifactAttribute(this, source);
}
/**
* Gets the artifact associated with this attribute. The artifact can be
* used to get the source content for the artifact as well as any other
* attributes associated with the artifact.
*
* @return The artifact.
*
* @throws TskCoreException If there is no artifact associated with this
* attribute or there is an error reading from the
* case database.
*/
public BlackboardArtifact getParentArtifact() throws TskCoreException {
if (parentArtifact == null) {
parentArtifact = getCaseDatabase().getBlackboardArtifact(getArtifactID());
}
return parentArtifact;
}
@Override
public int hashCode() {
return Objects.hash(
this.getAttributeType(), this.getValueInt(), this.getValueLong(), this.getValueDouble(),
this.getValueString(), this.getValueBytes(), this.getSources(), getContext());
}
@Override
public boolean equals(Object that) {
if (this == that) {
return true;
} else if (that instanceof BlackboardAttribute) {
BlackboardAttribute other = (BlackboardAttribute) that;
Object[] thisObject = new Object[]{this.getSources(), this.getContext()};
Object[] otherObject = new Object[]{other.getSources(), other.getContext()};
return areValuesEqual(that) && Objects.deepEquals(thisObject, otherObject);
} else {
return false;
}
}
@Override
public String toString() {
return "BlackboardAttribute{" + "artifactID=" + getArtifactID() + ", attributeType=" + getAttributeType().toString() + ", moduleName=" + getSources() + ", context=" + context + ", valueInt=" + getValueInt() + ", valueLong=" + getValueLong() + ", valueDouble=" + getValueDouble() + ", valueString=" + getValueString() + ", valueBytes=" + Arrays.toString(getValueBytes()) + ", Case=" + getCaseDatabase() + '}'; //NON-NLS
}
/**
* Gets the attribute value as a string, formatted as required.
*
* @return The value as a string.
*/
@Override
public String getDisplayString() {
switch (getAttributeType().getValueType()) {
case DATETIME: {
try {
if (parentDataSourceID == null) {
BlackboardArtifact parent = getParentArtifact();
parentDataSourceID = parent.getDataSourceObjectID();
}
final Content dataSource = parentDataSourceID != null ? getCaseDatabase().getContentById(parentDataSourceID) : null;
if ((dataSource != null) && (dataSource instanceof Image)) {
// return the date/time string in the timezone associated with the datasource,
Image image = (Image) dataSource;
TimeZone tzone = TimeZone.getTimeZone(image.getTimeZone());
return TimeUtilities.epochToTime(getValueLong(), tzone);
}
} catch (TskException ex) {
LOGGER.log(Level.WARNING, "Could not get timezone for image", ex); //NON-NLS
}
// return time string in default timezone
return TimeUtilities.epochToTime(getValueLong());
}
default: {
return super.getDisplayString();
}
}
}
/**
* Constructs an artifact attribute. To be used when creating an attribute
* based on a query of the blackboard _attributes table in the case
* database.
*
* @param artifactID The artifact id for this attribute
* @param attributeTypeID The attribute type id.
* @param source The source of this attribute.
* @param context Contextual information about this attribute.
* @param valueType The attribute value type.
* @param valueInt The value from the the value_int32 column.
* @param valueLong The value from the the value_int64 column.
* @param valueDouble The value from the the value_double column.
* @param valueString The value from the the value_text column.
* @param valueBytes The value from the the value_byte column.
* @param sleuthkitCase A reference to the SleuthkitCase object
* representing the case database.
*/
BlackboardAttribute(long artifactID, BlackboardAttribute.Type attributeType, String source, String context,
int valueInt, long valueLong, double valueDouble, String valueString, byte[] valueBytes,
SleuthkitCase sleuthkitCase) {
super(attributeType, valueInt, valueLong, valueDouble, valueString, valueBytes, sleuthkitCase);
this.artifactID = artifactID;
this.sources = replaceNulls(source);
this.context = replaceNulls(context);
}
/**
* Sets the parent data source id. The parent data source is defined as
* being the data source of the parent artifact.
*
* @param parentDataSourceID The parent data source id.
*/
void setParentDataSourceID(Long parentDataSourceID) {
this.parentDataSourceID = parentDataSourceID;
}
/**
* Gets the sources of this attribute.
*
* @return A comma-separated-values list of sources, may be empty. The CSV
* is due to a deliberate denormalization of the source field in the
* case database and this method is a helper method for the
* SleuthkitCase class.
*/
String getSourcesCSV() {
return sources;
}
/**
* Represents the type of an attribute.
*/
public static final class Type implements Serializable {
public static final Type TSK_URL = new Type(1, "TSK_URL", bundle.getString("BlackboardAttribute.tskUrl.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DATETIME = new Type(2, "TSK_DATETIME", bundle.getString("BlackboardAttribute.tskDatetime.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_NAME = new Type(3, "TSK_NAME", bundle.getString("BlackboardAttribute.tskName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PROG_NAME = new Type(4, "TSK_PROG_NAME", bundle.getString("BlackboardAttribute.tskProgName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_VALUE = new Type(6, "TSK_VALUE", bundle.getString("BlackboardAttribute.tskValue.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_FLAG = new Type(7, "TSK_FLAG", bundle.getString("BlackboardAttribute.tskFlag.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PATH = new Type(8, "TSK_PATH", bundle.getString("BlackboardAttribute.tskPath.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_KEYWORD = new Type(10, "TSK_KEYWORD", bundle.getString("BlackboardAttribute.tskKeyword.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_KEYWORD_REGEXP = new Type(11, "TSK_KEYWORD_REGEXP", bundle.getString("BlackboardAttribute.tskKeywordRegexp.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_KEYWORD_PREVIEW = new Type(12, "TSK_KEYWORD_PREVIEW", bundle.getString("BlackboardAttribute.tskKeywordPreview.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
// TSK_KEYWORD_SET (id: 13) has been deprecated. Please use TSK_SET_NAME instead.
public static final Type TSK_USER_NAME = new Type(14, "TSK_USER_NAME", bundle.getString("BlackboardAttribute.tskUserName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DOMAIN = new Type(15, "TSK_DOMAIN", bundle.getString("BlackboardAttribute.tskDomain.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PASSWORD = new Type(16, "TSK_PASSWORD", bundle.getString("BlackboardAttribute.tskPassword.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_NAME_PERSON = new Type(17, "TSK_NAME_PERSON", bundle.getString("BlackboardAttribute.tskNamePerson.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DEVICE_MODEL = new Type(18, "TSK_DEVICE_MODEL", bundle.getString("BlackboardAttribute.tskDeviceModel.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DEVICE_MAKE = new Type(19, "TSK_DEVICE_MAKE", bundle.getString("BlackboardAttribute.tskDeviceMake.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DEVICE_ID = new Type(20, "TSK_DEVICE_ID", bundle.getString("BlackboardAttribute.tskDeviceId.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL = new Type(21, "TSK_EMAIL", bundle.getString("BlackboardAttribute.tskEmail.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_HASH_MD5 = new Type(22, "TSK_HASH_MD5", bundle.getString("BlackboardAttribute.tskHashMd5.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_HASH_SHA1 = new Type(23, "TSK_HASH_SHA1", bundle.getString("BlackboardAttribute.tskHashSha1.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_HASH_SHA2_256 = new Type(24, "TSK_HASH_SHA2_256", bundle.getString("BlackboardAttribute.tskHashSha225.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_HASH_SHA2_512 = new Type(25, "TSK_HASH_SHA2_512", bundle.getString("BlackboardAttribute.tskHashSha2512.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_TEXT = new Type(26, "TSK_TEXT", bundle.getString("BlackboardAttribute.tskText.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_TEXT_FILE = new Type(27, "TSK_TEXT_FILE", bundle.getString("BlackboardAttribute.tskTextFile.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_TEXT_LANGUAGE = new Type(28, "TSK_TEXT_LANGUAGE", bundle.getString("BlackboardAttribute.tskTextLanguage.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_ENTROPY = new Type(29, "TSK_ENTROPY", bundle.getString("BlackboardAttribute.tskEntropy.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
// TSK_HASHSET_NAME (id: 30) has been deprecated. Please use TSK_SET_NAME instead.
// TSK_INTERESTING_FILE (id: 31) has been deprecated. Please use TSK_INTERESTING_ITEM analysis result instead.
public static final Type TSK_REFERRER = new Type(32, "TSK_REFERRER", bundle.getString("BlackboardAttribute.tskReferrer.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DATETIME_ACCESSED = new Type(33, "TSK_DATETIME_ACCESSED", bundle.getString("BlackboardAttribute.tskDateTimeAccessed.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_IP_ADDRESS = new Type(34, "TSK_IP_ADDRESS", bundle.getString("BlackboardAttribute.tskIpAddress.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PHONE_NUMBER = new Type(35, "TSK_PHONE_NUMBER", bundle.getString("BlackboardAttribute.tskPhoneNumber.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PATH_ID = new Type(36, "TSK_PATH_ID", bundle.getString("BlackboardAttribute.tskPathId.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG);
public static final Type TSK_SET_NAME = new Type(37, "TSK_SET_NAME", bundle.getString("BlackboardAttribute.tskSetName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
// TSK_ENCRYPTION_DETECTED (id: 38) has been deprecated. Please use TSK_ENCRYPTION_DETECTED as an artifact.
public static final Type TSK_MALWARE_DETECTED = new Type(39, "TSK_MALWARE_DETECTED", bundle.getString("BlackboardAttribute.tskMalwareDetected.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER);
public static final Type TSK_STEG_DETECTED = new Type(40, "TSK_STEG_DETECTED", bundle.getString("BlackboardAttribute.tskStegDetected.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER);
public static final Type TSK_EMAIL_TO = new Type(41, "TSK_EMAIL_TO", bundle.getString("BlackboardAttribute.tskEmailTo.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL_CC = new Type(42, "TSK_EMAIL_CC", bundle.getString("BlackboardAttribute.tskEmailCc.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL_BCC = new Type(43, "TSK_EMAIL_BCC", bundle.getString("BlackboardAttribute.tskEmailBcc.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL_FROM = new Type(44, "TSK_EMAIL_FROM", bundle.getString("BlackboardAttribute.tskEmailFrom.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL_CONTENT_PLAIN = new Type(45, "TSK_EMAIL_CONTENT_PLAIN", bundle.getString("BlackboardAttribute.tskEmailContentPlain.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL_CONTENT_HTML = new Type(46, "TSK_EMAIL_CONTENT_HTML", bundle.getString("BlackboardAttribute.tskEmailContentHtml.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL_CONTENT_RTF = new Type(47, "TSK_EMAIL_CONTENT_RTF", bundle.getString("BlackboardAttribute.tskEmailContentRtf.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_MSG_ID = new Type(48, "TSK_MSG_ID", bundle.getString("BlackboardAttribute.tskMsgId.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_MSG_REPLY_ID = new Type(49, "TSK_MSG_REPLY_ID", bundle.getString("BlackboardAttribute.tskMsgReplyId.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DATETIME_RCVD = new Type(50, "TSK_DATETIME_RCVD", bundle.getString("BlackboardAttribute.tskDateTimeRcvd.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_DATETIME_SENT = new Type(51, "TSK_DATETIME_SENT", bundle.getString("BlackboardAttribute.tskDateTimeSent.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_SUBJECT = new Type(52, "TSK_SUBJECT", bundle.getString("BlackboardAttribute.tskSubject.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_TITLE = new Type(53, "TSK_TITLE", bundle.getString("BlackboardAttribute.tskTitle.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_GEO_LATITUDE = new Type(54, "TSK_GEO_LATITUDE", bundle.getString("BlackboardAttribute.tskGeoLatitude.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_GEO_LONGITUDE = new Type(55, "TSK_GEO_LONGITUDE", bundle.getString("BlackboardAttribute.tskGeoLongitude.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_GEO_VELOCITY = new Type(56, "TSK_GEO_VELOCITY", bundle.getString("BlackboardAttribute.tskGeoVelocity.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_GEO_ALTITUDE = new Type(57, "TSK_GEO_ALTITUDE", bundle.getString("BlackboardAttribute.tskGeoAltitude.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_GEO_BEARING = new Type(58, "TSK_GEO_BEARING", bundle.getString("BlackboardAttribute.tskGeoBearing.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_GEO_HPRECISION = new Type(59, "TSK_GEO_HPRECISION", bundle.getString("BlackboardAttribute.tskGeoHPrecision.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_GEO_VPRECISION = new Type(60, "TSK_GEO_VPRECISION", bundle.getString("BlackboardAttribute.tskGeoVPrecision.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_GEO_MAPDATUM = new Type(61, "TSK_GEO_MAPDATUM", bundle.getString("BlackboardAttribute.tskGeoMapDatum.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
// TSK_FILE_TYPE_SIG (id: 62) has been deprecated. Please use the mime type field of the AbstractFile object instead.
public static final Type TSK_FILE_TYPE_EXT = new Type(63, "TSK_FILE_TYPE_EXT", bundle.getString("BlackboardAttribute.tskFileTypeExt.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
// TSK_TAGGED_ARTIFACT (id: 64) has been deprected. Please create a tag as an artifact.
// TSK_TAG_NAME (id: 65) has been deprecated. Please create a tag as an artifact.
public static final Type TSK_COMMENT = new Type(66, "TSK_COMMENT", bundle.getString("BlackboardAttribute.tskComment.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_URL_DECODED = new Type(67, "TSK_URL_DECODED", bundle.getString("BlackboardAttribute.tskUrlDecoded.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DATETIME_CREATED = new Type(68, "TSK_DATETIME_CREATED", bundle.getString("BlackboardAttribute.tskDateTimeCreated.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_DATETIME_MODIFIED = new Type(69, "TSK_DATETIME_MODIFIED", bundle.getString("BlackboardAttribute.tskDateTimeModified.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_PROCESSOR_ARCHITECTURE = new Type(70, "TSK_PROCESSOR_ARCHITECTURE", bundle.getString("BlackboardAttribute.tskProcessorArchitecture.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_VERSION = new Type(71, "TSK_VERSION", bundle.getString("BlackboardAttribute.tskVersion.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_USER_ID = new Type(72, "TSK_USER_ID", bundle.getString("BlackboardAttribute.tskUserId.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DESCRIPTION = new Type(73, "TSK_DESCRIPTION", bundle.getString("BlackboardAttribute.tskDescription.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_MESSAGE_TYPE = new Type(74, "TSK_MESSAGE_TYPE", bundle.getString("BlackboardAttribute.tskMessageType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // SMS or MMS or IM ...
public static final Type TSK_PHONE_NUMBER_HOME = new Type(75, "TSK_PHONE_NUMBER_HOME", bundle.getString("BlackboardAttribute.tskPhoneNumberHome.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PHONE_NUMBER_OFFICE = new Type(76, "TSK_PHONE_NUMBER_OFFICE", bundle.getString("BlackboardAttribute.tskPhoneNumberOffice.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PHONE_NUMBER_MOBILE = new Type(77, "TSK_PHONE_NUMBER_MOBILE", bundle.getString("BlackboardAttribute.tskPhoneNumberMobile.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PHONE_NUMBER_FROM = new Type(78, "TSK_PHONE_NUMBER_FROM", bundle.getString("BlackboardAttribute.tskPhoneNumberFrom.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PHONE_NUMBER_TO = new Type(79, "TSK_PHONE_NUMBER_TO", bundle.getString("BlackboardAttribute.tskPhoneNumberTo.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DIRECTION = new Type(80, "TSK_DIRECTION", bundle.getString("BlackboardAttribute.tskDirection.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Msg/Call direction: incoming, outgoing
public static final Type TSK_EMAIL_HOME = new Type(81, "TSK_EMAIL_HOME", bundle.getString("BlackboardAttribute.tskEmailHome.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_EMAIL_OFFICE = new Type(82, "TSK_EMAIL_OFFICE", bundle.getString("BlackboardAttribute.tskEmailOffice.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_DATETIME_START = new Type(83, "TSK_DATETIME_START", bundle.getString("BlackboardAttribute.tskDateTimeStart.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME); // start time of an event - call log, Calendar entry
public static final Type TSK_DATETIME_END = new Type(84, "TSK_DATETIME_END", bundle.getString("BlackboardAttribute.tskDateTimeEnd.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME); // end time of an event - call log, Calendar entry
public static final Type TSK_CALENDAR_ENTRY_TYPE = new Type(85, "TSK_CALENDAR_ENTRY_TYPE", bundle.getString("BlackboardAttribute.tskCalendarEntryType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // meeting, task,
public static final Type TSK_LOCATION = new Type(86, "TSK_LOCATION", bundle.getString("BlackboardAttribute.tskLocation.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Location string associated with an event - Conf Room Name, Address ....
public static final Type TSK_SHORTCUT = new Type(87, "TSK_SHORTCUT", bundle.getString("BlackboardAttribute.tskShortcut.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Short Cut string - short code or dial string for Speed dial, a URL short cut - e.g. bitly string, Windows Desktop Short cut name etc.
public static final Type TSK_DEVICE_NAME = new Type(88, "TSK_DEVICE_NAME", bundle.getString("BlackboardAttribute.tskDeviceName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // device name - a user assigned (usually) device name - such as "Joe's computer", "bob_win8", "BT Headset"
public static final Type TSK_CATEGORY = new Type(89, "TSK_CATEGORY", bundle.getString("BlackboardAttribute.tskCategory.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // category/type, possible value set varies by the artifact
public static final Type TSK_EMAIL_REPLYTO = new Type(90, "TSK_EMAIL_REPLYTO", bundle.getString("BlackboardAttribute.tskEmailReplyTo.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // ReplyTo address
public static final Type TSK_SERVER_NAME = new Type(91, "TSK_SERVER_NAME", bundle.getString("BlackboardAttribute.tskServerName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // server name, e.g. a mail server name - "smtp.google.com", a DNS server name...
public static final Type TSK_COUNT = new Type(92, "TSK_COUNT", bundle.getString("BlackboardAttribute.tskCount.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER); // Count related to the artifact
public static final Type TSK_MIN_COUNT = new Type(93, "TSK_MIN_COUNT", bundle.getString("BlackboardAttribute.tskMinCount.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER); // Minimum number/count
public static final Type TSK_PATH_SOURCE = new Type(94, "TSK_PATH_SOURCE", bundle.getString("BlackboardAttribute.tskPathSource.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Path to a source file related to the artifact
public static final Type TSK_PERMISSIONS = new Type(95, "TSK_PERMISSIONS", bundle.getString("BlackboardAttribute.tskPermissions.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Permissions
public static final Type TSK_ASSOCIATED_ARTIFACT = new Type(96, "TSK_ASSOCIATED_ARTIFACT", bundle.getString("BlackboardAttribute.tskAssociatedArtifact.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG); // Artifact ID of a related artifact
public static final Type TSK_ISDELETED = new Type(97, "TSK_ISDELETED", bundle.getString("BlackboardAttribute.tskIsDeleted.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // boolean to indicate that the artifact is recovered fom deleted content
public static final Type TSK_GEO_LATITUDE_START = new Type(98, "TSK_GEO_LATITUDE_START", bundle.getString("BlackboardAttribute.tskGeoLatitudeStart.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE); // Starting location lattitude
public static final Type TSK_GEO_LATITUDE_END = new Type(99, "TSK_GEO_LATITUDE_END", bundle.getString("BlackboardAttribute.tskGeoLatitudeEnd.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE); // Ending location lattitude
public static final Type TSK_GEO_LONGITUDE_START = new Type(100, "TSK_GEO_LONGITUDE_START", bundle.getString("BlackboardAttribute.tskGeoLongitudeStart.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE); // Starting location longitude
public static final Type TSK_GEO_LONGITUDE_END = new Type(101, "TSK_GEO_LONGITUDE_END", bundle.getString("BlackboardAttribute.tskGeoLongitudeEnd.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE); //Ending Location longitude
public static final Type TSK_READ_STATUS = new Type(102, "TSK_READ_STATUS", bundle.getString("BlackboardAttribute.tskReadStatus.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER); // Message read status: 1 if read, 0 if unread
public static final Type TSK_LOCAL_PATH = new Type(103, "TSK_LOCAL_PATH", bundle.getString("BlackboardAttribute.tskLocalPath.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Local path to a network drive
public static final Type TSK_REMOTE_PATH = new Type(104, "TSK_REMOTE_PATH", bundle.getString("BlackboardAttribute.tskRemotePath.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Remote path of a network drive
public static final Type TSK_TEMP_DIR = new Type(105, "TSK_TEMP_DIR", bundle.getString("BlackboardAttribute.tskTempDir.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Default temporary files directory
public static final Type TSK_PRODUCT_ID = new Type(106, "TSK_PRODUCT_ID", bundle.getString("BlackboardAttribute.tskProductId.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Product ID
public static final Type TSK_OWNER = new Type(107, "TSK_OWNER", bundle.getString("BlackboardAttribute.tskOwner.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Registered owner of a piece of software
public static final Type TSK_ORGANIZATION = new Type(108, "TSK_ORGANIZATION", bundle.getString("BlackboardAttribute.tskOrganization.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING); // Registered Organization for a piece of software
public static final Type TSK_CARD_NUMBER = new Type(109, "TSK_CARD_NUMBER", bundle.getString("BlackboardAttribute.tskCardNumber.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CARD_EXPIRATION = new Type(110, "TSK_CARD_EXPIRATION", bundle.getString("BlackboardAttribute.tskCardExpiration.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CARD_SERVICE_CODE = new Type(111, "TSK_CARD_SERVICE_CODE", bundle.getString("BlackboardAttribute.tskCardServiceCode.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CARD_DISCRETIONARY = new Type(112, "TSK_CARD_DISCRETIONARY", bundle.getString("BlackboardAttribute.tskCardDiscretionary.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CARD_LRC = new Type(113, "TSK_CARD_LRC", bundle.getString("BlackboardAttribute.tskCardLRC.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_KEYWORD_SEARCH_DOCUMENT_ID = new Type(114, "TSK_KEYWORD_SEARCH_DOCUMENT_ID", bundle.getString("BlackboardAttribute.tskKeywordSearchDocumentID.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CARD_SCHEME = new Type(115, "TSK_CARD_SCHEME", bundle.getString("BlackboardAttribute.tskCardScheme.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CARD_TYPE = new Type(116, "TSK_CARD_TYPE", bundle.getString("BlackboardAttribute.tskCardType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_BRAND_NAME = new Type(117, "TSK_BRAND_NAME", bundle.getString("BlackboardAttribute.tskBrandName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_BANK_NAME = new Type(118, "TSK_BANK_NAME", bundle.getString("BlackboardAttribute.tskBankName.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_COUNTRY = new Type(119, "TSK_COUNTRY", bundle.getString("BlackboardAttribute.tskCountry.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CITY = new Type(120, "TSK_CITY", bundle.getString("BlackboardAttribute.tskCity.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_ACCOUNT_TYPE = new Type(121, "TSK_ACCOUNT_TYPE", bundle.getString("BlackboardAttribute.tskAccountType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
/**
* Keyword search type: exact match, sub-string, or regex.
*/
public static final Type TSK_KEYWORD_SEARCH_TYPE = new Type(122, "TSK_KEYWORD_SEARCH_TYPE", bundle.getString("BlackboardAttribute.tskKeywordSearchType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER);
public static final Type TSK_HEADERS = new Type(123, "TSK_HEADERS", bundle.getString("BlackboardAttribute.tskHeaders.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_ID = new Type(124, "TSK_ID", bundle.getString("BlackboardAttribute.tskId.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_SSID = new Type(125, "TSK_SSID", bundle.getString("BlackboardAttribute.tskSsid.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_BSSID = new Type(126, "TSK_BSSID", bundle.getString("BlackboardAttribute.tskBssid.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_MAC_ADDRESS = new Type(127, "TSK_MAC_ADDRESS", bundle.getString("BlackboardAttribute.tskMacAddress.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_IMEI = new Type(128, "TSK_IMEI", bundle.getString("BlackboardAttribute.tskImei.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_IMSI = new Type(129, "TSK_IMSI", bundle.getString("BlackboardAttribute.tskImsi.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_ICCID = new Type(130, "TSK_ICCID", bundle.getString("BlackboardAttribute.tskIccid.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_THREAD_ID = new Type(131, "TSK_THREAD_ID", bundle.getString("BlackboardAttribute.tskthreadid.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
/**
* The event type of a TSK_TL_EVENT artifact. The value should be the id
* of the EventType in the tsk_event_types table.
*/
public static final Type TSK_TL_EVENT_TYPE = new Type(132, "TSK_TL_EVENT_TYPE", bundle.getString("BlackboardAttribute.tskTLEventType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG);
public static final Type TSK_DATETIME_DELETED = new Type(133, "TSK_DATETIME_DELETED", bundle.getString("BlackboardAttribute.tskdatetimedeleted.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_DATETIME_PASSWORD_RESET = new Type(134, "TSK_DATETIME_PASSWORD_RESET", bundle.getString("BlackboardAttribute.tskdatetimepwdreset.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_DATETIME_PASSWORD_FAIL = new Type(135, "TSK_DATETIME_PWD_FAIL", bundle.getString("BlackboardAttribute.tskdatetimepwdfail.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_DISPLAY_NAME = new Type(136, "TSK_DISPLAY_NAME", bundle.getString("BlackboardAttribute.tskdisplayname.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PASSWORD_SETTINGS = new Type(137, "TSK_PASSWORD_SETTINGS", bundle.getString("BlackboardAttribute.tskpasswordsettings.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_ACCOUNT_SETTINGS = new Type(138, "TSK_ACCOUNT_SETTINGS", bundle.getString("BlackboardAttribute.tskaccountsettings.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_PASSWORD_HINT = new Type(139, "TSK_PASSWORD_HINT", bundle.getString("BlackboardAttribute.tskpasswordhint.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_GROUPS = new Type(140, "TSK_GROUPS", bundle.getString("BlackboardAttribute.tskgroups.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
/*
* Use
* org.sleuthkit.datamodel.blackboardutils.attributes.MessageAttachments
* to create and process TSK_ATTACHMENTS attributes.
*/
public static final Type TSK_ATTACHMENTS = new Type(141, "TSK_ATTACHMENTS", bundle.getString("BlackboardAttribute.tskattachments.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON);
/*
* Use org.sleuthkit.datamodel.blackboardutils.attributes.GeoTrackPoints
* to create and process TSK_GEO_TRACKPOINTS attributes.
*/
public static final Type TSK_GEO_TRACKPOINTS = new Type(142, "TSK_GEO_TRACKPOINTS", bundle.getString("BlackboardAttribute.tskgeopath.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON);
/*
* Use org.sleuthkit.datamodel.blackboardutils.attributes.GeoWaypoints
* to create and process TSK_GEO_WAYPOINTS attributes.
*/
public static final Type TSK_GEO_WAYPOINTS = new Type(143, "TSK_GEO_WAYPOINTS", bundle.getString("BlackboardAttribute.tskgeowaypoints.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON);
public static final Type TSK_DISTANCE_TRAVELED = new Type(144, "TSK_DISTANCE_TRAVELED", bundle.getString("BlackboardAttribute.tskdistancetraveled.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_DISTANCE_FROM_HOMEPOINT = new Type(145, "TSK_DISTANCE_FROM_HOMEPOINT", bundle.getString("BlackboardAttribute.tskdistancefromhome.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE);
public static final Type TSK_HASH_PHOTODNA = new Type(146, "TSK_HASH_PHOTODNA", bundle.getString("BlackboardAttribute.tskhashphotodna.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_BYTES_SENT = new Type(147, "TSK_BYTES_SENT", bundle.getString("BlackboardAttribute.tskbytessent.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG);
public static final Type TSK_BYTES_RECEIVED = new Type(148, "TSK_BYTES_RECEIVED", bundle.getString("BlackboardAttribute.tskbytesreceived.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG);
public static final Type TSK_LAST_PRINTED_DATETIME = new Type(149, "TSK_LAST_PRINTED_DATETIME", bundle.getString("BlackboardAttribute.tsklastprinteddatetime.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME);
public static final Type TSK_RULE = new Type(150, "TSK_RULE", bundle.getString("BlackboardAttribute.tskrule.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_ACTIVITY_TYPE = new Type(151, "TSK_ACTIVITY_TYPE", bundle.getString("BlackboardAttribute.tskActivityType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
/*
* Use org.sleuthkit.datamodel.blackboardutils.attributes.GeoAreaPoints
* to create and process TSK_GEO_AREAPOINTS attributes.
*/
public static final Type TSK_GEO_AREAPOINTS = new Type(152, "TSK_GEO_AREAPOINTS", bundle.getString("BlackboardAttribute.tskgeoareapoints.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON);
public static final Type TSK_REALM = new Type(153, "TSK_REALM", bundle.getString("BlackboardAttribute.tskRealm.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_HOST = new Type(154, "TSK_HOST", bundle.getString("BlackboardAttribute.tskHost.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_HOME_DIR = new Type(155, "TSK_HOME_DIR", bundle.getString("BlackboardAttribute.tskHomeDir.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_IS_ADMIN = new Type(156, "TSK_IS_ADMIN", bundle.getString("BlackboardAttribute.tskIsAdmin.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER);
public static final Type TSK_CORRELATION_TYPE = new Type(157, "TSK_CORRELATION_TYPE", bundle.getString("BlackboardAttribute.tskCorrelationType.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_CORRELATION_VALUE = new Type(158, "TSK_CORRELATION_VALUE", bundle.getString("BlackboardAttribute.tskCorrelationValue.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
public static final Type TSK_OTHER_CASES = new Type(159, "TSK_OTHER_CASES", bundle.getString("BlackboardAttribute.tskOtherCases.text"), TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING);
// NOTE: When adding a new standard BlackboardAttribute.Type, add the instance and then add to the STANDARD_TYPES list.
/**
* A list of all the standard attribute types.
*/
static final List<Type> STANDARD_TYPES = Collections.unmodifiableList(Arrays.asList(
TSK_URL,
TSK_DATETIME,
TSK_NAME,
TSK_PROG_NAME,
TSK_VALUE,
TSK_FLAG,
TSK_PATH,
TSK_KEYWORD,
TSK_KEYWORD_REGEXP,
TSK_KEYWORD_PREVIEW,
TSK_USER_NAME,
TSK_DOMAIN,
TSK_PASSWORD,
TSK_NAME_PERSON,
TSK_DEVICE_MODEL,
TSK_DEVICE_MAKE,
TSK_DEVICE_ID,
TSK_EMAIL,
TSK_HASH_MD5,
TSK_HASH_SHA1,
TSK_HASH_SHA2_256,
TSK_HASH_SHA2_512,
TSK_TEXT,
TSK_TEXT_FILE,
TSK_TEXT_LANGUAGE,
TSK_ENTROPY,
TSK_REFERRER,
TSK_DATETIME_ACCESSED,
TSK_IP_ADDRESS,
TSK_PHONE_NUMBER,
TSK_PATH_ID,
TSK_SET_NAME,
TSK_MALWARE_DETECTED,
TSK_STEG_DETECTED,
TSK_EMAIL_TO,
TSK_EMAIL_CC,
TSK_EMAIL_BCC,
TSK_EMAIL_FROM,
TSK_EMAIL_CONTENT_PLAIN,
TSK_EMAIL_CONTENT_HTML,
TSK_EMAIL_CONTENT_RTF,
TSK_MSG_ID,
TSK_MSG_REPLY_ID,
TSK_DATETIME_RCVD,
TSK_DATETIME_SENT,
TSK_SUBJECT,
TSK_TITLE,
TSK_GEO_LATITUDE,
TSK_GEO_LONGITUDE,
TSK_GEO_VELOCITY,
TSK_GEO_ALTITUDE,
TSK_GEO_BEARING,
TSK_GEO_HPRECISION,
TSK_GEO_VPRECISION,
TSK_GEO_MAPDATUM,
TSK_FILE_TYPE_EXT,
TSK_COMMENT,
TSK_URL_DECODED,
TSK_DATETIME_CREATED,
TSK_DATETIME_MODIFIED,
TSK_PROCESSOR_ARCHITECTURE,
TSK_VERSION,
TSK_USER_ID,
TSK_DESCRIPTION,
TSK_MESSAGE_TYPE,
TSK_PHONE_NUMBER_HOME,
TSK_PHONE_NUMBER_OFFICE,
TSK_PHONE_NUMBER_MOBILE,
TSK_PHONE_NUMBER_FROM,
TSK_PHONE_NUMBER_TO,
TSK_DIRECTION,
TSK_EMAIL_HOME,
TSK_EMAIL_OFFICE,
TSK_DATETIME_START,
TSK_DATETIME_END,
TSK_CALENDAR_ENTRY_TYPE,
TSK_LOCATION,
TSK_SHORTCUT,
TSK_DEVICE_NAME,
TSK_CATEGORY,
TSK_EMAIL_REPLYTO,
TSK_SERVER_NAME,
TSK_COUNT,
TSK_MIN_COUNT,
TSK_PATH_SOURCE,
TSK_PERMISSIONS,
TSK_ASSOCIATED_ARTIFACT,
TSK_ISDELETED,
TSK_GEO_LATITUDE_START,
TSK_GEO_LATITUDE_END,
TSK_GEO_LONGITUDE_START,
TSK_GEO_LONGITUDE_END,
TSK_READ_STATUS,
TSK_LOCAL_PATH,
TSK_REMOTE_PATH,
TSK_TEMP_DIR,
TSK_PRODUCT_ID,
TSK_OWNER,
TSK_ORGANIZATION,
TSK_CARD_NUMBER,
TSK_CARD_EXPIRATION,
TSK_CARD_SERVICE_CODE,
TSK_CARD_DISCRETIONARY,
TSK_CARD_LRC,
TSK_KEYWORD_SEARCH_DOCUMENT_ID,
TSK_CARD_SCHEME,
TSK_CARD_TYPE,
TSK_BRAND_NAME,
TSK_BANK_NAME,
TSK_COUNTRY,
TSK_CITY,
TSK_ACCOUNT_TYPE,
TSK_KEYWORD_SEARCH_TYPE,
TSK_HEADERS,
TSK_ID,
TSK_SSID,
TSK_BSSID,
TSK_MAC_ADDRESS,
TSK_IMEI,
TSK_IMSI,
TSK_ICCID,
TSK_THREAD_ID,
TSK_TL_EVENT_TYPE,
TSK_DATETIME_DELETED,
TSK_DATETIME_PASSWORD_RESET,
TSK_DATETIME_PASSWORD_FAIL,
TSK_DISPLAY_NAME,
TSK_PASSWORD_SETTINGS,
TSK_ACCOUNT_SETTINGS,
TSK_PASSWORD_HINT,
TSK_GROUPS,
TSK_ATTACHMENTS,
TSK_GEO_TRACKPOINTS,
TSK_GEO_WAYPOINTS,
TSK_DISTANCE_TRAVELED,
TSK_DISTANCE_FROM_HOMEPOINT,
TSK_HASH_PHOTODNA,
TSK_BYTES_SENT,
TSK_BYTES_RECEIVED,
TSK_LAST_PRINTED_DATETIME,
TSK_RULE,
TSK_ACTIVITY_TYPE,
TSK_GEO_AREAPOINTS,
TSK_REALM,
TSK_HOST,
TSK_HOME_DIR,
TSK_IS_ADMIN,
TSK_CORRELATION_TYPE,
TSK_CORRELATION_VALUE,
TSK_OTHER_CASES
));
private static final long serialVersionUID = 1L;
private final String typeName;
private final int typeID;
private final String displayName;
private final TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType;
/**
* Constructs an attribute type.
*
* @param typeID The type id.
* @param typeName The type name.
* @param displayName The display name for the type.
* @param valueType The type of the value.
*/
public Type(int typeID, String typeName, String displayName, TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType) {
this.typeID = typeID;
this.typeName = typeName;
this.displayName = displayName;
this.valueType = valueType;
}
/**
* Constructs a standard attribute type.
*
* @param type The specification of the type provided by the
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE enumeration.
*/
public Type(BlackboardAttribute.ATTRIBUTE_TYPE type) {
this.typeID = type.getTypeID();
this.typeName = type.getLabel();
this.displayName = type.getDisplayName();
this.valueType = type.getValueType();
}
/**
* Gets the value type of this attribute type.
*
* @return The value type.
*/
public TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE getValueType() {
return this.valueType;
}
/**
* Gets the type name of this attribute type.
*
* @return The type name.
*/
public String getTypeName() {
return this.typeName;
}
/**
* Gets the type id of this attribute type.
*
* @return The type id.
*/
public int getTypeID() {
return this.typeID;
}
/**
* Gets the display name of this attribute type.
*
* @return The display name.
*/
public String getDisplayName() {
return this.displayName;
}
@Override
public boolean equals(Object that) {
if (this == that) {
return true;
} else if (!(that instanceof BlackboardAttribute.Type)) {
return false;
} else {
return ((BlackboardAttribute.Type) that).sameType(this);
}
}
/**
* Determines if this attribute type object is equivalent to another
* attribute type object.
*
* @param that the other type
*
* @return true if it is the same type
*/
private boolean sameType(BlackboardAttribute.Type that) {
return this.typeName.equals(that.getTypeName())
&& this.displayName.equals(that.getDisplayName())
&& this.typeID == that.getTypeID()
&& this.valueType == that.getValueType();
}
@Override
public int hashCode() {
int hash = 7;
hash = 63 * hash + Objects.hashCode(this.typeID);
hash = 63 * hash + Objects.hashCode(this.displayName);
hash = 63 * hash + Objects.hashCode(this.typeName);
hash = 63 * hash + Objects.hashCode(this.valueType);
return hash;
}
@Override
public String toString() {
return "(typeID= " + this.typeID
+ ", displayName=" + this.displayName
+ ", typeName=" + this.typeName
+ ", valueType=" + this.valueType + ")";
}
}
/**
* Specifies the type ids and display names of the supported attribute value
* types.
*/
public enum TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE {
/**
* The value type of the attribute is a string.
*/
STRING(0, "String"), //NON-NLS
/**
* The value type of the attribute is an int.
*/
INTEGER(1, "Integer"), //NON-NLS
/**
* The value type of the attribute is a long.
*/
LONG(2, "Long"), //NON-NLS
/**
* The value type of the attribute is a double.
*/
DOUBLE(3, "Double"), //NON-NLS
/**
* The value type of the attribute is a byte array.
*/
BYTE(4, "Byte"), //NON-NLS
/**
* The value type of the attribute is a long representing seconds from
* January 1, 1970.
*/
DATETIME(5, "DateTime"),
/**
* The value type of the attribute is a JSON string.
*/
JSON(6, "Json");
private final long typeId;
private final String typeName;
/*
* TODO (AUT-2070): Add a localized displayName field and a
* getDisplayName method for API consistency.
*/
/**
* Constructs an attribute value type object.
*
* @param type The type id of the value type.
* @param typeName The type name of the value type.
*/
private TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE(long type, String typeName) {
this.typeId = type;
this.typeName = typeName;
}
/**
* Gets the type id for this attribute value type.
*
* TODO (AUT-2070): Deprecate and provide a getTypeId method instead for
* API consistency.
*
* @return attribute value type id
*/
public long getType() {
return typeId;
}
/**
* Gets the type name for this attribute value type.
*
* TODO (AUT-2070): Deprecate and provide a getTypeName method instead
* for API consistency.
*
* @return attribute value type name
*/
public String getLabel() {
return this.typeName;
}
/**
* Gets the attribute value type for a given value type id.
*
* @param typeId A value type id.
*
* @return A BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE
* object.
*
* @throws IllegalArgumentException If the given type id does not map to
* a supported value type.
*
* TODO (AUT-2070): Deprecate and provide a fromTypeId method instead
* for API consistency.
*/
static public TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE fromType(long typeId) {
for (TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType : TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.values()) {
if (valueType.getType() == typeId) {
return valueType;
}
}
throw new IllegalArgumentException("No TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE matching type: " + typeId);
}
/**
* Gets the attribute value type for a given value type name.
*
* @param typeName A type name.
*
* @return A BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE
* object.
*
* @throws IllegalArgumentException If the given type name does not map
* to a supported value type.
*
* TODO (AUT-2070): Deprecate and provide a fromTypeName method instead
* for API consistency.
*/
static public TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE fromLabel(String typeName) {
for (TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType : TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.values()) {
if (valueType.getLabel().equals(typeName)) {
return valueType;
}
}
throw new IllegalArgumentException("No TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE matching type: " + typeName);
}
}
/**
* Specifies the type ids, type names, display names, and value types of the
* standard attribute types. See
* http://wiki.sleuthkit.org/index.php?title=Artifact_Examples for more
* information.
*/
public enum ATTRIBUTE_TYPE {
TSK_URL(1, "TSK_URL", //NON-NLS
bundle.getString("BlackboardAttribute.tskUrl.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DATETIME(2, "TSK_DATETIME", //NON-NLS
bundle.getString("BlackboardAttribute.tskDatetime.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_NAME(3, "TSK_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PROG_NAME(4, "TSK_PROG_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskProgName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_VALUE(6, "TSK_VALUE", //NON-NLS
bundle.getString("BlackboardAttribute.tskValue.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_FLAG(7, "TSK_FLAG", //NON-NLS
bundle.getString("BlackboardAttribute.tskFlag.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PATH(8, "TSK_PATH", //NON-NLS
bundle.getString("BlackboardAttribute.tskPath.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_KEYWORD(10, "TSK_KEYWORD", //NON-NLS
bundle.getString("BlackboardAttribute.tskKeyword.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_KEYWORD_REGEXP(11, "TSK_KEYWORD_REGEXP", //NON-NLS
bundle.getString("BlackboardAttribute.tskKeywordRegexp.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_KEYWORD_PREVIEW(12, "TSK_KEYWORD_PREVIEW", //NON-NLS
bundle.getString("BlackboardAttribute.tskKeywordPreview.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/**
* @deprecated Use a TSK_SET_NAME attribute instead.
*/
@Deprecated
TSK_KEYWORD_SET(13, "TSK_KEYWORD_SET", //NON-NLS
bundle.getString("BlackboardAttribute.tskKeywordSet.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_USER_NAME(14, "TSK_USER_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskUserName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DOMAIN(15, "TSK_DOMAIN", //NON-NLS
bundle.getString("BlackboardAttribute.tskDomain.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PASSWORD(16, "TSK_PASSWORD", //NON-NLS
bundle.getString("BlackboardAttribute.tskPassword.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_NAME_PERSON(17, "TSK_NAME_PERSON", //NON-NLS
bundle.getString("BlackboardAttribute.tskNamePerson.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DEVICE_MODEL(18, "TSK_DEVICE_MODEL", //NON-NLS
bundle.getString("BlackboardAttribute.tskDeviceModel.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DEVICE_MAKE(19, "TSK_DEVICE_MAKE", //NON-NLS
bundle.getString("BlackboardAttribute.tskDeviceMake.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DEVICE_ID(20, "TSK_DEVICE_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskDeviceId.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL(21, "TSK_EMAIL", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmail.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_HASH_MD5(22, "TSK_HASH_MD5", //NON-NLS
bundle.getString("BlackboardAttribute.tskHashMd5.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_HASH_SHA1(23, "TSK_HASH_SHA1", //NON-NLS
bundle.getString("BlackboardAttribute.tskHashSha1.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_HASH_SHA2_256(24, "TSK_HASH_SHA2_256", //NON-NLS
bundle.getString("BlackboardAttribute.tskHashSha225.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_HASH_SHA2_512(25, "TSK_HASH_SHA2_512", //NON-NLS
bundle.getString("BlackboardAttribute.tskHashSha2512.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_TEXT(26, "TSK_TEXT", //NON-NLS
bundle.getString("BlackboardAttribute.tskText.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_TEXT_FILE(27, "TSK_TEXT_FILE", //NON-NLS
bundle.getString("BlackboardAttribute.tskTextFile.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_TEXT_LANGUAGE(28, "TSK_TEXT_LANGUAGE", //NON-NLS
bundle.getString("BlackboardAttribute.tskTextLanguage.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_ENTROPY(29, "TSK_ENTROPY", //NON-NLS
bundle.getString("BlackboardAttribute.tskEntropy.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
/**
* @deprecated Use a TSK_SET_NAME attribute instead.
*/
@Deprecated
TSK_HASHSET_NAME(30, "TSK_HASHSET_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskHashsetName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/**
* @deprecated Use a TSK_INTERESTING_ITEM artifact instead.
*/
@Deprecated
TSK_INTERESTING_FILE(31, "TSK_INTERESTING_FILE", //NON-NLS
bundle.getString("BlackboardAttribute.tskInterestingFile.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG),
TSK_REFERRER(32, "TSK_REFERRER", //NON-NLS
bundle.getString("BlackboardAttribute.tskReferrer.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DATETIME_ACCESSED(33, "TSK_DATETIME_ACCESSED", //NON-NLS
bundle.getString("BlackboardAttribute.tskDateTimeAccessed.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_IP_ADDRESS(34, "TSK_IP_ADDRESS", //NON-NLS
bundle.getString("BlackboardAttribute.tskIpAddress.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PHONE_NUMBER(35, "TSK_PHONE_NUMBER", //NON-NLS
bundle.getString("BlackboardAttribute.tskPhoneNumber.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PATH_ID(36, "TSK_PATH_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskPathId.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG),
TSK_SET_NAME(37, "TSK_SET_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskSetName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/**
* @deprecated Use a TSK_ENCRYPTION_DETECTED artifact instead.
*/
@Deprecated
TSK_ENCRYPTION_DETECTED(38, "TSK_ENCRYPTION_DETECTED", //NON-NLS
bundle.getString("BlackboardAttribute.tskEncryptionDetected.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER),
TSK_MALWARE_DETECTED(39, "TSK_MALWARE_DETECTED", //NON-NLS
bundle.getString("BlackboardAttribute.tskMalwareDetected.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER),
TSK_STEG_DETECTED(40, "TSK_STEG_DETECTED", //NON-NLS
bundle.getString("BlackboardAttribute.tskStegDetected.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER),
TSK_EMAIL_TO(41, "TSK_EMAIL_TO", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailTo.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL_CC(42, "TSK_EMAIL_CC", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailCc.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL_BCC(43, "TSK_EMAIL_BCC", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailBcc.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL_FROM(44, "TSK_EMAIL_FROM", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailFrom.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL_CONTENT_PLAIN(45, "TSK_EMAIL_CONTENT_PLAIN", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailContentPlain.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL_CONTENT_HTML(46, "TSK_EMAIL_CONTENT_HTML", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailContentHtml.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL_CONTENT_RTF(47, "TSK_EMAIL_CONTENT_RTF", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailContentRtf.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_MSG_ID(48, "TSK_MSG_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskMsgId.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_MSG_REPLY_ID(49, "TSK_MSG_REPLY_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskMsgReplyId.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DATETIME_RCVD(50, "TSK_DATETIME_RCVD", //NON-NLS
bundle.getString("BlackboardAttribute.tskDateTimeRcvd.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_DATETIME_SENT(51, "TSK_DATETIME_SENT", //NON-NLS
bundle.getString("BlackboardAttribute.tskDateTimeSent.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_SUBJECT(52, "TSK_SUBJECT", //NON-NLS
bundle.getString("BlackboardAttribute.tskSubject.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_TITLE(53, "TSK_TITLE", //NON-NLS
bundle.getString("BlackboardAttribute.tskTitle.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_GEO_LATITUDE(54, "TSK_GEO_LATITUDE", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoLatitude.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_GEO_LONGITUDE(55, "TSK_GEO_LONGITUDE", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoLongitude.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_GEO_VELOCITY(56, "TSK_GEO_VELOCITY", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoVelocity.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_GEO_ALTITUDE(57, "TSK_GEO_ALTITUDE", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoAltitude.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_GEO_BEARING(58, "TSK_GEO_BEARING", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoBearing.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_GEO_HPRECISION(59, "TSK_GEO_HPRECISION", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoHPrecision.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_GEO_VPRECISION(60, "TSK_GEO_VPRECISION", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoVPrecision.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_GEO_MAPDATUM(61, "TSK_GEO_MAPDATUM", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoMapDatum.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/**
* @deprecated Use the mime type field of the AbstractFile object
* instead.
*/
@Deprecated
TSK_FILE_TYPE_SIG(62, "TSK_FILE_TYPE_SIG", //NON-NLS
bundle.getString("BlackboardAttribute.tskFileTypeSig.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_FILE_TYPE_EXT(63, "TSK_FILE_TYPE_EXT", //NON-NLS
bundle.getString("BlackboardAttribute.tskFileTypeExt.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/**
* @deprecated Do not use. Tags are no longer implemented as artifact
* attributes.
*/
@Deprecated
TSK_TAGGED_ARTIFACT(64, "TSK_TAGGED_ARTIFACT", //NON-NLS
bundle.getString("BlackboardAttribute.tskTaggedArtifact.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG),
/**
* @deprecated Do not use. Tags are no longer implemented as artifact
* attributes.
*/
@Deprecated
TSK_TAG_NAME(65, "TSK_TAG_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskTagName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_COMMENT(66, "TSK_COMMENT", //NON-NLS
bundle.getString("BlackboardAttribute.tskComment.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_URL_DECODED(67, "TSK_URL_DECODED", //NON-NLS
bundle.getString("BlackboardAttribute.tskUrlDecoded.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DATETIME_CREATED(68, "TSK_DATETIME_CREATED", //NON-NLS
bundle.getString("BlackboardAttribute.tskDateTimeCreated.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_DATETIME_MODIFIED(69, "TSK_DATETIME_MODIFIED", //NON-NLS
bundle.getString("BlackboardAttribute.tskDateTimeModified.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_PROCESSOR_ARCHITECTURE(70, "TSK_PROCESSOR_ARCHITECTURE", //NON-NLS
bundle.getString("BlackboardAttribute.tskProcessorArchitecture.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_VERSION(71, "TSK_VERSION", //NON-NLS
bundle.getString("BlackboardAttribute.tskVersion.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_USER_ID(72, "TSK_USER_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskUserId.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DESCRIPTION(73, "TSK_DESCRIPTION", //NON-NLS
bundle.getString("BlackboardAttribute.tskDescription.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_MESSAGE_TYPE(74, "TSK_MESSAGE_TYPE", //NON-NLS
bundle.getString("BlackboardAttribute.tskMessageType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // SMS or MMS or IM ...
TSK_PHONE_NUMBER_HOME(75, "TSK_PHONE_NUMBER_HOME", //NON-NLS
bundle.getString("BlackboardAttribute.tskPhoneNumberHome.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PHONE_NUMBER_OFFICE(76, "TSK_PHONE_NUMBER_OFFICE", //NON-NLS
bundle.getString("BlackboardAttribute.tskPhoneNumberOffice.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PHONE_NUMBER_MOBILE(77, "TSK_PHONE_NUMBER_MOBILE", //NON-NLS
bundle.getString("BlackboardAttribute.tskPhoneNumberMobile.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PHONE_NUMBER_FROM(78, "TSK_PHONE_NUMBER_FROM", //NON-NLS
bundle.getString("BlackboardAttribute.tskPhoneNumberFrom.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PHONE_NUMBER_TO(79, "TSK_PHONE_NUMBER_TO", //NON-NLS
bundle.getString("BlackboardAttribute.tskPhoneNumberTo.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DIRECTION(80, "TSK_DIRECTION", //NON-NLS
bundle.getString("BlackboardAttribute.tskDirection.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Msg/Call direction: incoming, outgoing
TSK_EMAIL_HOME(81, "TSK_EMAIL_HOME", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailHome.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_EMAIL_OFFICE(82, "TSK_EMAIL_OFFICE", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailOffice.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_DATETIME_START(83, "TSK_DATETIME_START", //NON-NLS
bundle.getString("BlackboardAttribute.tskDateTimeStart.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME), // start time of an event - call log, Calendar entry
TSK_DATETIME_END(84, "TSK_DATETIME_END", //NON-NLS
bundle.getString("BlackboardAttribute.tskDateTimeEnd.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME), // end time of an event - call log, Calendar entry
TSK_CALENDAR_ENTRY_TYPE(85, "TSK_CALENDAR_ENTRY_TYPE", //NON-NLS
bundle.getString("BlackboardAttribute.tskCalendarEntryType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // meeting, task,
TSK_LOCATION(86, "TSK_LOCATION", //NON-NLS
bundle.getString("BlackboardAttribute.tskLocation.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Location string associated with an event - Conf Room Name, Address ....
TSK_SHORTCUT(87, "TSK_SHORTCUT", //NON-NLS
bundle.getString("BlackboardAttribute.tskShortcut.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Short Cut string - short code or dial string for Speed dial, a URL short cut - e.g. bitly string, Windows Desktop Short cut name etc.
TSK_DEVICE_NAME(88, "TSK_DEVICE_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskDeviceName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // device name - a user assigned (usually) device name - such as "Joe's computer", "bob_win8", "BT Headset"
TSK_CATEGORY(89, "TSK_CATEGORY", //NON-NLS
bundle.getString("BlackboardAttribute.tskCategory.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // category/type, possible value set varies by the artifact
TSK_EMAIL_REPLYTO(90, "TSK_EMAIL_REPLYTO", //NON-NLS
bundle.getString("BlackboardAttribute.tskEmailReplyTo.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // ReplyTo address
TSK_SERVER_NAME(91, "TSK_SERVER_NAME", //NON-NLS
bundle.getString("BlackboardAttribute.tskServerName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // server name, e.g. a mail server name - "smtp.google.com", a DNS server name...
TSK_COUNT(92, "TSK_COUNT", //NON-NLS
bundle.getString("BlackboardAttribute.tskCount.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER), // Count related to the artifact
TSK_MIN_COUNT(93, "TSK_MIN_COUNT", //NON-NLS
bundle.getString("BlackboardAttribute.tskMinCount.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER), // Minimum number/count
TSK_PATH_SOURCE(94, "TSK_PATH_SOURCE", //NON-NLS
bundle.getString("BlackboardAttribute.tskPathSource.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Path to a source file related to the artifact
TSK_PERMISSIONS(95, "TSK_PERMISSIONS", //NON-NLS
bundle.getString("BlackboardAttribute.tskPermissions.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Permissions
TSK_ASSOCIATED_ARTIFACT(96, "TSK_ASSOCIATED_ARTIFACT", //NON-NLS
bundle.getString("BlackboardAttribute.tskAssociatedArtifact.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG), // Artifact ID of a related artifact
TSK_ISDELETED(97, "TSK_ISDELETED", //NON-NLS
bundle.getString("BlackboardAttribute.tskIsDeleted.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // boolean to indicate that the artifact is recovered fom deleted content
TSK_GEO_LATITUDE_START(98, "TSK_GEO_LATITUDE_START", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoLatitudeStart.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE), // Starting location lattitude
TSK_GEO_LATITUDE_END(99, "TSK_GEO_LATITUDE_END", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoLatitudeEnd.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE), // Ending location lattitude
TSK_GEO_LONGITUDE_START(100, "TSK_GEO_LONGITUDE_START", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoLongitudeStart.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE), // Starting location longitude
TSK_GEO_LONGITUDE_END(101, "TSK_GEO_LONGITUDE_END", //NON-NLS
bundle.getString("BlackboardAttribute.tskGeoLongitudeEnd.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE), //Ending Location longitude
TSK_READ_STATUS(102, "TSK_READ_STATUS", //NON-NLS
bundle.getString("BlackboardAttribute.tskReadStatus.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER), // Message read status: 1 if read, 0 if unread
TSK_LOCAL_PATH(103, "TSK_LOCAL_PATH", //NON-NLS
bundle.getString("BlackboardAttribute.tskLocalPath.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Local path to a network drive
TSK_REMOTE_PATH(104, "TSK_REMOTE_PATH", //NON-NLS
bundle.getString("BlackboardAttribute.tskRemotePath.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Remote path of a network drive
TSK_TEMP_DIR(105, "TSK_TEMP_DIR", //NON-NLS
bundle.getString("BlackboardAttribute.tskTempDir.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Default temporary files directory
TSK_PRODUCT_ID(106, "TSK_PRODUCT_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskProductId.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Product ID
TSK_OWNER(107, "TSK_OWNER", //NON-NLS
bundle.getString("BlackboardAttribute.tskOwner.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Registered owner of a piece of software
TSK_ORGANIZATION(108, "TSK_ORGANIZATION", //NON-NLS
bundle.getString("BlackboardAttribute.tskOrganization.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING), // Registered Organization for a piece of software
TSK_CARD_NUMBER(109, "TSK_CARD_NUMBER", //NON-NLS
bundle.getString("BlackboardAttribute.tskCardNumber.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CARD_EXPIRATION(110, "TSK_CARD_EXPIRATION", //for card as 4 digits MMYY //NON-NLS
bundle.getString("BlackboardAttribute.tskCardExpiration.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CARD_SERVICE_CODE(111, "TSK_CARD_SERVICE_CODE", // 3 digits //NON-NLS
bundle.getString("BlackboardAttribute.tskCardServiceCode.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CARD_DISCRETIONARY(112, "TSK_CARD_DISCRETIONARY", //data used at the discretion of the issuer //NON-NLS
bundle.getString("BlackboardAttribute.tskCardDiscretionary.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CARD_LRC(113, "TSK_CARD_LRC", //NON-NLS //Longitudunal Redundancy Check character //NON-NLS
bundle.getString("BlackboardAttribute.tskCardLRC.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_KEYWORD_SEARCH_DOCUMENT_ID(114, "TSK_KEYWORD_SEARCH_DOCUMENT_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskKeywordSearchDocumentID.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CARD_SCHEME(115, "TSK_CARD_SCHEME", //amex, visa, mastercard, discover, etc //NON-NLS
bundle.getString("BlackboardAttribute.tskCardScheme.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CARD_TYPE(116, "TSK_CARD_TYPE", // debit vs credit //NON-NLS
bundle.getString("BlackboardAttribute.tskCardType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_BRAND_NAME(117, "TSK_BRAND_NAME",
bundle.getString("BlackboardAttribute.tskBrandName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_BANK_NAME(118, "TSK_BANK_NAME",
bundle.getString("BlackboardAttribute.tskBankName.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_COUNTRY(119, "TSK_COUNTRY",
bundle.getString("BlackboardAttribute.tskCountry.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CITY(120, "TSK_CITY",
bundle.getString("BlackboardAttribute.tskCity.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_ACCOUNT_TYPE(121, "TSK_ACCOUNT_TYPE",
bundle.getString("BlackboardAttribute.tskAccountType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/**
* Keyword search type: exact match, sub-string, or regex.
*/
TSK_KEYWORD_SEARCH_TYPE(122, "TSK_KEYWORD_SEARCH_TYPE", //NON-NLS
bundle.getString("BlackboardAttribute.tskKeywordSearchType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER),
TSK_HEADERS(123, "TSK_HEADERS", //NON-NLS
bundle.getString("BlackboardAttribute.tskHeaders.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_ID(124, "TSK_ID", //NON-NLS
bundle.getString("BlackboardAttribute.tskId.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_SSID(125, "TSK_SSID", //NON-NLS
bundle.getString("BlackboardAttribute.tskSsid.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_BSSID(126, "TSK_BSSID", //NON-NLS
bundle.getString("BlackboardAttribute.tskBssid.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_MAC_ADDRESS(127, "TSK_MAC_ADDRESS", //NON-NLS
bundle.getString("BlackboardAttribute.tskMacAddress.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_IMEI(128, "TSK_IMEI", //NON-NLS
bundle.getString("BlackboardAttribute.tskImei.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_IMSI(129, "TSK_IMSI", //NON-NLS
bundle.getString("BlackboardAttribute.tskImsi.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_ICCID(130, "TSK_ICCID", //NON-NLS
bundle.getString("BlackboardAttribute.tskIccid.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_THREAD_ID(131, "TSK_THREAD_ID",
bundle.getString("BlackboardAttribute.tskthreadid.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/**
* The event type of a TSK_TL_EVENT artifact. The value should be the id
* of the EventType in the tsk_event_types table.
*/
TSK_TL_EVENT_TYPE(132, "TSK_TL_EVENT_TYPE", //NON-NLS
bundle.getString("BlackboardAttribute.tskTLEventType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG),
TSK_DATETIME_DELETED(133, "TSK_DATETIME_DELETED", //NON-NLS
bundle.getString("BlackboardAttribute.tskdatetimedeleted.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_DATETIME_PASSWORD_RESET(134, "TSK_DATETIME_PASSWORD_RESET",
bundle.getString("BlackboardAttribute.tskdatetimepwdreset.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_DATETIME_PASSWORD_FAIL(135, "TSK_DATETIME_PWD_FAIL",
bundle.getString("BlackboardAttribute.tskdatetimepwdfail.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_DISPLAY_NAME(136, "TSK_DISPLAY_NAME",
bundle.getString("BlackboardAttribute.tskdisplayname.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PASSWORD_SETTINGS(137, "TSK_PASSWORD_SETTINGS",
bundle.getString("BlackboardAttribute.tskpasswordsettings.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_ACCOUNT_SETTINGS(138, "TSK_ACCOUNT_SETTINGS",
bundle.getString("BlackboardAttribute.tskaccountsettings.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_PASSWORD_HINT(139, "TSK_PASSWORD_HINT",
bundle.getString("BlackboardAttribute.tskpasswordhint.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_GROUPS(140, "TSK_GROUPS",
bundle.getString("BlackboardAttribute.tskgroups.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/*
* Use
* org.sleuthkit.datamodel.blackboardutils.attributes.MessageAttachments
* to create and process TSK_ATTACHMENTS attributes.
*/
TSK_ATTACHMENTS(141, "TSK_ATTACHMENTS",
bundle.getString("BlackboardAttribute.tskattachments.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON),
/*
* Use org.sleuthkit.datamodel.blackboardutils.attributes.GeoTrackPoints
* to create and process TSK_GEO_TRACKPOINTS attributes.
*/
TSK_GEO_TRACKPOINTS(142, "TSK_GEO_TRACKPOINTS",
bundle.getString("BlackboardAttribute.tskgeopath.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON),
/*
* Use org.sleuthkit.datamodel.blackboardutils.attributes.GeoWaypoints
* to create and process TSK_GEO_WAYPOINTS attributes.
*/
TSK_GEO_WAYPOINTS(143, "TSK_GEO_WAYPOINTS",
bundle.getString("BlackboardAttribute.tskgeowaypoints.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON),
TSK_DISTANCE_TRAVELED(144, "TSK_DISTANCE_TRAVELED",
bundle.getString("BlackboardAttribute.tskdistancetraveled.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_DISTANCE_FROM_HOMEPOINT(145, "TSK_DISTANCE_FROM_HOMEPOINT",
bundle.getString("BlackboardAttribute.tskdistancefromhome.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE),
TSK_HASH_PHOTODNA(146, "TSK_HASH_PHOTODNA",
bundle.getString("BlackboardAttribute.tskhashphotodna.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_BYTES_SENT(147, "TSK_BYTES_SENT",
bundle.getString("BlackboardAttribute.tskbytessent.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG),
TSK_BYTES_RECEIVED(148, "TSK_BYTES_RECEIVED",
bundle.getString("BlackboardAttribute.tskbytesreceived.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG),
TSK_LAST_PRINTED_DATETIME(149, "TSK_LAST_PRINTED_DATETIME",
bundle.getString("BlackboardAttribute.tsklastprinteddatetime.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME),
TSK_RULE(150, "TSK_RULE",
bundle.getString("BlackboardAttribute.tskrule.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_ACTIVITY_TYPE(151, "TSK_ACTIVITY_TYPE",
bundle.getString("BlackboardAttribute.tskActivityType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
/*
* Use org.sleuthkit.datamodel.blackboardutils.attributes.GeoAreaPoints
* to create and process TSK_GEO_AREAPOINTS attributes.
*/
TSK_GEO_AREAPOINTS(152, "TSK_GEO_AREAPOINTS",
bundle.getString("BlackboardAttribute.tskgeoareapoints.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON),
TSK_REALM(153, "TSK_REALM",
bundle.getString("BlackboardAttribute.tskRealm.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_HOST(154, "TSK_HOST",
bundle.getString("BlackboardAttribute.tskHost.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_HOME_DIR(155, "TSK_HOME_DIR",
bundle.getString("BlackboardAttribute.tskHomeDir.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_IS_ADMIN(156, "TSK_IS_ADMIN",
bundle.getString("BlackboardAttribute.tskIsAdmin.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER),
TSK_CORRELATION_TYPE(157, "TSK_CORRELATION_TYPE",
bundle.getString("BlackboardAttribute.tskCorrelationType.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_CORRELATION_VALUE(158, "TSK_CORRELATION_VALUE",
bundle.getString("BlackboardAttribute.tskCorrelationValue.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),
TSK_OTHER_CASES(159, "TSK_OTHER_CASES",
bundle.getString("BlackboardAttribute.tskOtherCases.text"),
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING),;
private final int typeID;
private final String typeName;
private final String displayName;
private final TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType;
/**
* Constructs a standard attribute type.
*
* @param typeID The id of the type.
* @param typeName The name of the type.
* @param displayName The display name of the type
* @param valueType The value type of the type.
*/
private ATTRIBUTE_TYPE(int typeID, String typeName, String displayName, TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType) {
this.typeID = typeID;
this.typeName = typeName;
this.displayName = displayName;
this.valueType = valueType;
}
/**
* Gets the type id of this standard attribute type.
*
* @return The type id.
*/
public int getTypeID() {
return this.typeID;
}
/**
* Gets the type name of this standard attribute type.
*
* @return The type name.
*
* TODO (AUT-2070): Deprecate and provide a getTypeName method instead
* for API consistency.
*/
public String getLabel() {
return this.typeName;
}
/**
* Gets the display name of this standard attribute type.
*
* @return The display name.
*/
public String getDisplayName() {
return this.displayName;
}
/**
* Gets the value type of this standard attribute type.
*
* @return the value type
*/
public TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE getValueType() {
return this.valueType;
}
/**
* Gets the standard attribute type for a given type id.
*
* @param typeID A standard attribute type id.
*
* @return A BlackboardAttribute.ATTRIBUTE_TYPE object.
*
* @throws IllegalArgumentException If the given type id does not map to
* a standard attribute type.
*
* TODO (AUT-2070): Deprecate and provide a fromTypeId method instead
* for API consistency.
*/
static public ATTRIBUTE_TYPE fromID(int typeID) {
for (ATTRIBUTE_TYPE attrType : ATTRIBUTE_TYPE.values()) {
if (attrType.getTypeID() == typeID) {
return attrType;
}
}
throw new IllegalArgumentException("No ATTRIBUTE_TYPE matching type: " + typeID);
}
/**
* Gets the standard attribute type for a given type name.
*
* @param typeName A standard attribute type name.
*
* @return A BlackboardAttribute.ATTRIBUTE_TYPE object.
*
* @throws IllegalArgumentException If the given type name does not map
* to a standard attribute type.
*
* TODO (AUT-2070): Deprecate and provide a fromTypeName method instead
* for API consistency.
*/
static public ATTRIBUTE_TYPE fromLabel(String typeName) {
for (ATTRIBUTE_TYPE attrType : ATTRIBUTE_TYPE.values()) {
if (attrType.getLabel().equals(typeName)) {
return attrType;
}
}
throw new IllegalArgumentException("No ATTRIBUTE_TYPE matching type: " + typeName);
}
}
/**
* Creates a standard attribute with an integer value. The attribute should
* be added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param valueInt The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, int valueInt) throws IllegalArgumentException {
this(ATTRIBUTE_TYPE.fromID(attributeTypeID), moduleName, valueInt);
}
/**
* Creates a standard attribute with an integer value. The attribute should
* be added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param context Extra information about the attribute.
* @param valueInt The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, String context,
int valueInt) {
this(attributeTypeID, moduleName, valueInt);
this.context = replaceNulls(context);
}
/**
* Creates a standard attribute with a long/datetime value. The attribute
* should be added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module that creating this
* attribute.
* @param valueLong The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG
* or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName,
long valueLong) throws IllegalArgumentException {
this(ATTRIBUTE_TYPE.fromID(attributeTypeID), moduleName, valueLong);
}
/**
* Creates a standard attribute with a long/datetime value. The attribute
* should be added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module that creating this
* attribute.
* @param context Extra information about the attribute.
* @param valueLong The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG
* or
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, String context,
long valueLong) {
this(attributeTypeID, moduleName, valueLong);
this.context = replaceNulls(context);
}
/**
* Creates a standard attribute with a double value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param valueDouble The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName,
double valueDouble) throws IllegalArgumentException {
this(ATTRIBUTE_TYPE.fromID(attributeTypeID), moduleName, valueDouble);
}
/**
* Creates a standard attribute with a double value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param context Extra information about the attribute.
* @param valueDouble The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, String context,
double valueDouble) {
this(attributeTypeID, moduleName, valueDouble);
this.context = replaceNulls(context);
}
/**
* Creates a standard attribute with a string value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param valueString The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, String valueString) throws IllegalArgumentException {
this(ATTRIBUTE_TYPE.fromID(attributeTypeID), moduleName, valueString);
}
/**
* Creates a standard attribute with a string value. The attribute should be
* added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param context Extra information about the attribute.
* @param valueString The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, String context,
String valueString) {
this(attributeTypeID, moduleName, valueString);
this.context = replaceNulls(context);
}
/**
* Creates a standard attribute with a byte array value. The attribute
* should be added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param valueBytes The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, byte[] valueBytes) throws IllegalArgumentException {
this(ATTRIBUTE_TYPE.fromID(attributeTypeID), moduleName, valueBytes);
}
/**
* Creates a standard attribute with a byte array value. The attribute
* should be added to an appropriate artifact.
*
* @param attributeTypeID The standard attribute type id.
* @param moduleName The display name of the module creating this
* attribute.
* @param context Extra information about the attribute.
* @param valueBytes The attribute value.
*
* @throws IllegalArgumentException If the value type of the specified
* standard attribute type is not
* TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE
* or the type id is not for a standard
* type.
* @deprecated
*/
@Deprecated
public BlackboardAttribute(int attributeTypeID, String moduleName, String context,
byte[] valueBytes) {
this(attributeTypeID, moduleName, valueBytes);
this.context = replaceNulls(context);
}
/**
* Sets the artifact id.
*
* @param artifactID The artifact id.
*
* @deprecated The preferred method for doing this is to add the attribute
* to a BlackboardArtifact object by calling BlackboardArtifact.addAttribute
* or BlackboardArtifact.addAttributes, both of which post the attributes to
* the blackboard.
*/
@Deprecated
protected void setArtifactID(long artifactID) {
setArtifactId(artifactID);
}
/**
* Sets the reference to the SleuthkitCase object that represents the case
* database.
*
* @param sleuthkitCase A reference to a SleuthkitCase object.
*
* @deprecated The preferred method for doing this is to add the attribute
* to a BlackboardArtifact object by calling BlackboardArtifact.addAttribute
* or BlackboardArtifact.addAttributes, both of which post the attributes to
* the blackboard.
*/
@Deprecated
protected void setCase(SleuthkitCase sleuthkitCase) {
setCaseDatabase(sleuthkitCase);
}
/**
* Gets the context of this attribute.
*
* @return The context, may be the empty string.
*
* @deprecated Setting context for an attribute is deprecated.
*/
@Deprecated
public String getContext() {
return context;
}
/**
* Gets the context of this attribute.
*
* @return The context, may be the empty string.
*
* @deprecated Setting context for an attribute is deprecated.
*/
@Deprecated
String getContextString() {
return context;
}
/**
* Gets the attribute type id.
*
* @return The type id.
*
* @deprecated Use BlackboardAttribute.getAttributeType.getTypeID instead.
*/
@Deprecated
public int getAttributeTypeID() {
return getAttributeType().getTypeID();
}
/**
* Gets the attribute type name.
*
* @return The type name.
*
* @throws org.sleuthkit.datamodel.TskCoreException
*
* @deprecated Use BlackboardAttribute.getAttributeType.getTypeName instead.
*/
@Deprecated
public String getAttributeTypeName() throws TskCoreException {
return getAttributeType().getTypeName();
}
/**
* Gets the attribute type display name.
*
* @return type The display name.
*
* @throws org.sleuthkit.datamodel.TskCoreException
*
* @deprecated Use BlackboardAttribute.getAttributeType.getDisplayName
* instead.
*/
@Deprecated
public String getAttributeTypeDisplayName() throws TskCoreException {
return getAttributeType().getDisplayName();
}
/**
* Gets the name of the first module identified as a sources of this
* attribute.
*
* @return A comma-separated-values list of module names, may be empty.
*
* @deprecated Use getSources instead.
*/
@Deprecated
public String getModuleName() {
return getSourcesCSV();
}
}
bindings/java/src/org/sleuthkit/datamodel/Bundle.properties 0 → 100644
View file @ a73ef106
BlackboardArtifact.tskGenInfo.text=General Info
BlackboardArtifact.tskWebBookmark.text=Web Bookmarks
BlackboardArtifact.tskWebCookie.text=Web Cookies
BlackboardArtifact.tskWebHistory.text=Web History
BlackboardArtifact.tskWebDownload.text=Web Downloads
BlackboardArtifact.tsk.recentObject.text=Recent Documents
BlackboardArtifact.tskGpsTrackpoint.text=GPS Trackpoints
BlackboardArtifact.tskInstalledProg.text=Installed Programs
BlackboardArtifact.tskKeywordHits.text=Keyword Hits
BlackboardArtifact.tskHashsetHit.text=Hashset Hits
BlackboardArtifact.tskDeviceAttached.text=USB Device Attached
BlackboardArtifact.tskInterestingFileHit.text=Interesting Files
BlackboardArtifact.tskEmailMsg.text=E-Mail Messages
BlackboardArtifact.tskExtractedText.text=Extracted Text
BlackboardArtifact.tskWebSearchQuery.text=Web Search
BlackboardArtifact.tskMetadataExif.text=EXIF Metadata
BlackboardArtifact.tagFile.text=Tagged Files
BlackboardArtifact.tskTagArtifact.text=Tagged Results
BlackboardArtifact.tskOsInfo.text=Operating System Information
BlackboardArtifact.tskOsAccount.text=Operating System User Account
BlackboardArtifact.tskServiceAccount.text=Web Accounts
BlackboardArtifact.tskToolOutput.text=Raw Tool Output
BlackboardArtifact.tskContact.text=Contacts
BlackboardArtifact.tskMessage.text=Messages
BlackboardArtifact.tskCalllog.text=Call Logs
BlackboardArtifact.tskCalendarEntry.text=Calendar Entries
BlackboardArtifact.tskSpeedDialEntry.text=Speed Dial Entries
BlackboardArtifact.tskBluetoothPairing.text=BlueTooth Pairings
BlackboardArtifact.tskGpsBookmark.text=GPS Bookmarks
BlackboardArtifact.tskGpsLastKnownLocation.text=GPS Last Known Location
BlackboardArtifact.tskGpsSearch.text=GPS Searches
BlackboardArtifact.tskProgRun.text=Run Programs
BlackboardArtifact.tskEncryptionDetected.text=Encryption Detected
BlackboardArtifact.tskEncryptionSuspected.text=Encryption Suspected
BlackboardArtifact.tskExtMismatchDetected.text=Extension Mismatch Detected
BlackboardArtifact.tskInterestingArtifactHit.text=Interesting Results
BlackboardArtifact.tskRemoteDrive.text=Remote Drive
BlackboardArtifact.tskFaceDetected.text=Face Detected
BlackboardArtifact.tskAccount.text=Accounts
BlackboardArtifact.tskTLEvent.text=TL Events
BlackboardArtifact.tskObjectDetected.text=Object Detected
BlackboardArtifact.tskWIFINetwork.text=Wireless Networks
BlackboardArtifact.tskDeviceInfo.text=Device Info
BlackboardArtifact.tskSimAttached.text=SIM Attached
BlackboardArtifact.tskBluetoothAdapter.text=Bluetooth Adapter
BlackboardArtifact.tskWIFINetworkAdapter.text=Wireless Network Adapters
BlackboardArtifact.tskVerificationFailed.text=Verification Failure
BlackboardArtifact.tskDataSourceUsage.text=Data Source Usage
BlackboardArtifact.tskWebFormAutofill.text=Web Form Autofill
BlackboardArtifact.tskWebFormAddresses.text=Web Form Addresses
BlackboardArtifact.tskDownloadSource.text=Download Source
BlackboardArtifact.tskWebCache.text=Web Cache
BlackboardArtifact.tskClipboardContent.text=Clipboard Content
BlackboardArtifact.tskUserContentSuspected.text=User Content Suspected
BlackboardArtifact.tskMetadata.text=Metadata
BlackboardArtifact.tskTrack.text=GPS Track
BlackboardArtifact.tskWebAccountType.text=Web Account Type
BlackboardArtifact.tskScreenShots.text=Screenshots
BlackboardArtifact.tskDhcpInfo.text=DHCP Information
BlackboardArtifact.tskProgNotifications.text=Program Notifications
BlackboardArtifact.tskBackupEvent.text=Backup Events
BlackboardArtifact.tskDeletedProg.text=Deleted Programs
BlackboardArtifact.tskUserDeviceEvent.text=User Device Events
BlackboardArtifact.shortDescriptionDate.text=at {0}
BlackboardArtifact.tskAssociatedObject.text=Associated Object
BlackboardArtifact.tskWebCategorization.text=Web Categories
BlackboardArtifact.tskPreviouslySeen.text=Previously Seen
BlackboardArtifact.tskPreviouslyUnseen.text=Previously Unseen
BlackboardArtifact.tskPreviouslyNotable.text=Previously Notable
BlackboardArtifact.tskInterestingItem.text=Interesting Items
BlackboardArtifact.tskMalware.text=Malware
BlackboardArtifact.tskYaraHit.text=YARA Hit
BlackboardArtifact.tskGPSArea.text=GPS Area
BlackboardAttribute.tskAccountType.text=Account Type
BlackboardAttribute.tskUrl.text=URL
BlackboardAttribute.tskDatetime.text=Date/Time
BlackboardAttribute.tskName.text=Name
BlackboardAttribute.tskProgName.text=Program Name
BlackboardAttribute.tskValue.text=Value
BlackboardAttribute.tskFlag.text=Flag
BlackboardAttribute.tskPath.text=Path
BlackboardAttribute.tskKeyword.text=Keyword
BlackboardAttribute.tskKeywordRegexp.text=Keyword Regular Expression
BlackboardAttribute.tskKeywordPreview.text=Keyword Preview
BlackboardAttribute.tskKeywordSet.text=Keyword Set
BlackboardAttribute.tskUserName.text=Username
BlackboardAttribute.tskDomain.text=Domain
BlackboardAttribute.tskPassword.text=Password
BlackboardAttribute.tskNamePerson.text=Person Name
BlackboardAttribute.tskDeviceModel.text=Device Model
BlackboardAttribute.tskDeviceMake.text=Device Make
BlackboardAttribute.tskDeviceId.text=Device ID
BlackboardAttribute.tskEmail.text=Email
BlackboardAttribute.tskHashMd5.text=MD5 Hash
BlackboardAttribute.tskHashSha1.text=SHA1 Hash
BlackboardAttribute.tskHashSha225.text=SHA2-256 Hash
BlackboardAttribute.tskHashSha2512.text=SHA2-512 Hash
BlackboardAttribute.tskText.text=Text
BlackboardAttribute.tskTextFile.text=Text File
BlackboardAttribute.tskTextLanguage.text=Text Language
BlackboardAttribute.tskEntropy.text=Entropy
BlackboardAttribute.tskHashsetName.text=Hashset Name
BlackboardAttribute.tskInterestingFile.text=Interesting File
BlackboardAttribute.tskReferrer.text=Referrer URL
BlackboardAttribute.tskDateTimeAccessed.text=Date Accessed
BlackboardAttribute.tskIpAddress.text=IP Address
BlackboardAttribute.tskPhoneNumber.text=Phone Number
BlackboardAttribute.tskPathId.text=Path ID
BlackboardAttribute.tskSetName.text=Set Name
BlackboardAttribute.tskEncryptionDetected.text=Encryption Detected
BlackboardAttribute.tskMalwareDetected.text=Malware Detected
BlackboardAttribute.tskStegDetected.text=Steganography Detected
BlackboardAttribute.tskEmailTo.text=E-Mail To
BlackboardAttribute.tskEmailCc.text=E-Mail CC
BlackboardAttribute.tskEmailBcc.text=E-Mail BCC
BlackboardAttribute.tskEmailFrom.text=E-Mail From
BlackboardAttribute.tskEmailContentPlain.text=Message (Plaintext)
BlackboardAttribute.tskEmailContentHtml.text=Message (HTML)
BlackboardAttribute.tskEmailContentRtf.text=Message (RTF)
BlackboardAttribute.tskMsgId.text=Message ID
BlackboardAttribute.tskMsgReplyId.text=Message Reply ID
BlackboardAttribute.tskDateTimeRcvd.text=Date Received
BlackboardAttribute.tskDateTimeSent.text=Date Sent
BlackboardAttribute.tskSubject.text=Subject
BlackboardAttribute.tskTitle.text=Title
BlackboardAttribute.tskGeoLatitude.text=Latitude
BlackboardAttribute.tskGeoLongitude.text=Longitude
BlackboardAttribute.tskGeoVelocity.text=Velocity
BlackboardAttribute.tskGeoAltitude.text=Altitude
BlackboardAttribute.tskGeoBearing.text=Bearing
BlackboardAttribute.tskGeoHPrecision.text=Horizontal Precision
BlackboardAttribute.tskGeoVPrecision.text=Vertical Precision
BlackboardAttribute.tskGeoMapDatum.text=Map Datum
BlackboardAttribute.tskFileTypeSig.text=File Type (signature)
BlackboardAttribute.tskFileTypeExt.text=File Type (extension)
BlackboardAttribute.tskTaggedArtifact.text=Tagged Result
BlackboardAttribute.tskTagName.text=Tag Name
BlackboardAttribute.tskComment.text=Comment
BlackboardAttribute.tskUrlDecoded.text=Decoded URL
BlackboardAttribute.tskDateTimeCreated.text=Date Created
BlackboardAttribute.tskDateTimeModified.text=Date Modified
BlackboardAttribute.tskProcessorArchitecture.text=Processor Architecture
BlackboardAttribute.tskVersion.text=Version
BlackboardAttribute.tskUserId.text=User ID
BlackboardAttribute.tskDescription.text=Description
BlackboardAttribute.tskMessageType.text=Message Type
BlackboardAttribute.tskPhoneNumberHome.text=Phone Number (Home)
BlackboardAttribute.tskPhoneNumberOffice.text=Phone Number (Office)
BlackboardAttribute.tskPhoneNumberMobile.text=Phone Number (Mobile)
BlackboardAttribute.tskPhoneNumberFrom.text=From Phone Number
BlackboardAttribute.tskPhoneNumberTo.text=To Phone Number
BlackboardAttribute.tskDirection.text=Direction
BlackboardAttribute.tskEmailHome.text=Email (Home)
BlackboardAttribute.tskEmailOffice.text=Email (Office)
BlackboardAttribute.tskDateTimeStart.text=Start Date/Time
BlackboardAttribute.tskDateTimeEnd.text=End Date/Time
BlackboardAttribute.tskCalendarEntryType.text=Calendar Entry Type
BlackboardAttribute.tskLocation.text=Location
BlackboardAttribute.tskShortcut.text=Short Cut
BlackboardAttribute.tskDeviceName.text=Device Name
BlackboardAttribute.tskCategory.text=Category
BlackboardAttribute.tskEmailReplyTo.text=ReplyTo Address
BlackboardAttribute.tskServerName.text=Server Name
BlackboardAttribute.tskCount.text=Count
BlackboardAttribute.tskMinCount.text=Minimum Count
BlackboardAttribute.tskPathSource.text=Path Source
BlackboardAttribute.tskPermissions.text=Permissions
BlackboardAttribute.tskAssociatedArtifact.text=Associated Artifact
BlackboardAttribute.tskIsDeleted.text=Is Deleted
BlackboardAttribute.tskLocalPath.text=Local Path
BlackboardAttribute.tskRemotePath.text=Remote Path
BlackboardAttribute.tskProcessorName.text=Processor Name
BlackboardAttribute.tskTempDir.text=Temporary Files Directory
BlackboardAttribute.tskProductId.text=Product ID
BlackboardAttribute.tskOwner.text=Owner
BlackboardAttribute.tskOrganization.text=Organization
BlackboardAttribute.tskCardNumber.text=Card Number
BlackboardAttribute.tskCardExpiration.text=Card Expiration (YYMM)
BlackboardAttribute.tskCardServiceCode.text=Card Service Code
BlackboardAttribute.tskCardDiscretionary.text=Card Discretionary Data
BlackboardAttribute.tskCardLRC.text=Card Longitudinal Redundancy Check
BlackboardAttribute.tskKeywordSearchDocumentID.text=Keyword Search Document ID
BlackboardAttribute.tskCardScheme.text=Card Scheme
BlackboardAttribute.tskCardType.text=Card Type
BlackboardAttribute.tskBrandName.text=Brand Name
BlackboardAttribute.tskBankName.text=Bank Name
BlackboardAttribute.tskCountry.text=Country
BlackboardAttribute.tskCity.text=City
BlackboardAttribute.tskKeywordSearchType.text=Keyword Search Type
BlackboardAttribute.tskHeaders.text=Headers
BlackboardAttribute.tskId.text=ID
BlackboardAttribute.tskTLEventType.text=Event Type
BlackboardAttribute.tskSsid.text=SSID
BlackboardAttribute.tskBssid.text=BSSID
BlackboardAttribute.tskMacAddress.text=MAC Address
BlackboardAttribute.tskImei.text=IMEI
BlackboardAttribute.tskImsi.text=IMSI
BlackboardAttribute.tskIccid.text=ICCID
BlackboardAttribute.tskthreadid.text=Thread ID
BlackboardAttribute.tskdatetimedeleted.text=Time Deleted
BlackboardAttribute.tskdatetimepwdreset.text=Password Reset Date
BlackboardAttribute.tskdatetimepwdfail.text=Password Fail Date
BlackboardAttribute.tskdisplayname.text=Display Name
BlackboardAttribute.tskpasswordsettings.text=Password Settings
BlackboardAttribute.tskaccountsettings.text=Account Settings
BlackboardAttribute.tskpasswordhint.text=Password Hint
BlackboardAttribute.tskgroups.text=Groups
BlackboardAttribute.tskattachments.text=Message Attachments
BlackboardAttribute.tskgeopath.text=List of Track Points
BlackboardAttribute.tskgeowaypoints.text=List of Waypoints
BlackboardAttribute.tskdistancetraveled.text=Distance Traveled
BlackboardAttribute.tskdistancefromhome.text=Distance from Homepoint
BlackboardAttribute.tskhashphotodna.text=PhotoDNA Hash
BlackboardAttribute.tskbytessent.text=Bytes Sent
BlackboardAttribute.tskbytesreceived.text=Bytes Received
BlackboardAttribute.tsklastprinteddatetime.text=Last Printed Date
BlackboardAttribute.tskgeoareapoints.text=List of points making up the outline of an area
BlackboardAttribute.tskrule.text = Rule
BlackboardAttribute.tskActivityType.text=Activity Type
BlackboardAttribute.tskRealm.text=Realm
BlackboardAttribute.tskHost.text=Host
BlackboardAttribute.tskHomeDir.text=Home Directory
BlackboardAttribute.tskIsAdmin.text=Is Administrator
BlackboardAttribute.tskCorrelationType.text=Correlation Type
BlackboardAttribute.tskCorrelationValue.text=Correlation Value
BlackboardAttribute.tskOtherCases.text=Other Cases
AbstractFile.readLocal.exception.msg4.text=Error reading local file\: {0}
AbstractFile.readLocal.exception.msg1.text=Error reading local file, local path is not set
AbstractFile.readLocal.exception.msg2.text=Error reading local file, it does not exist at local path\: {0}
AbstractFile.readLocal.exception.msg3.text=Error reading local file, file not readable at local path\: {0}
AbstractFile.readLocal.exception.msg5.text=Cannot read local file\: {0}
DerviedFile.derivedMethod.exception.msg1.text=Error getting derived method for file id\: {0}
FsContent.readInt.err.msg.text=Image file does not exist or is inaccessible.
Image.verifyImageSize.errStr1.text=\nPossible Incomplete Image\: Error reading volume at offset {0}
Image.verifyImageSize.errStr2.text=\nPossible Incomplete Image\: Error reading volume at offset {0}
Image.verifyImageSize.errStr3.text=\nPossible Incomplete Image\: Error reading file system at offset {0}
Image.verifyImageSize.errStr4.text=\nPossible Incomplete Image\: Error reading file system at offset {0}
SlackFile.readInt.err.msg.text=Image file does not exist or is inaccessible.
SleuthkitCase.isFileFromSource.exception.msg.text=Error, data source should be parent-less (images, file-sets), got\: {0}
SleuthkitCase.isFileFromSource.exception.msg2.text=Error, data source should be Image or VirtualDirectory, got\: {0}
SleuthkitCase.SchemaVersionMismatch=Schema version does not match
SleuthkitCase.findFiles.exception.msg1.text=Error, data source should be parent-less (images, file-sets), got\: {0}
SleuthkitCase.findFiles.exception.msg2.text=Error, data source should be Image or VirtualDirectory, got\: {0}
SleuthkitCase.findFiles.exception.msg3.text=Error finding files in the data source by name,
SleuthkitCase.findFiles3.exception.msg1.text=Error, data source should be parent-less (images, file-sets), got\: {0}
SleuthkitCase.findFiles3.exception.msg2.text=Error, data source should be Image or VirtualDirectory, got\: {0}
SleuthkitCase.findFiles3.exception.msg3.text=Error finding files in the data source by name,
SleuthkitCase.addDerivedFile.exception.msg1.text=Error creating a derived file, cannot get new id of the object, file name\: {0}
SleuthkitCase.addDerivedFile.exception.msg2.text=Error creating a derived file, file name\: {0}
SleuthkitCase.addLocalFile.exception.msg1.text=Error adding local file\: {0}, parent to add to is null
SleuthkitCase.addLocalFile.exception.msg2.text=Error creating a local file, cannot get new id of the object, file name\: {0}
SleuthkitCase.addLocalFile.exception.msg3.text=Error creating a derived file, file name\: {0}
SleuthkitCase.getLastObjectId.exception.msg.text=Error closing result set after getting last object id.
TskData.tskFsNameFlagEnum.unknown=Unknown
TskData.tskFsNameFlagEnum.allocated=Allocated
TskData.tskFsNameFlagEnum.unallocated=Unallocated
TskData.tskFsMetaFlagEnum.unknown=Unknown
TskData.tskFsMetaFlagEnum.allocated=Allocated
TskData.tskFsMetaFlagEnum.unallocated=Unallocated
TskData.tskFsMetaFlagEnum.used=Used
TskData.tskFsMetaFlagEnum.unused=Unused
TskData.tskFsMetaFlagEnum.compressed=Compressed
TskData.tskFsMetaFlagEnum.orphan=Orphan
TskData.tskFsTypeEnum.autoDetect=Auto Detect
TskData.tskFsTypeEnum.NTFSautoDetect=NTFS (Auto Detection)
TskData.tskFsTypeEnum.FATautoDetect=FAT (Auto Detection)
TskData.tskFsTypeEnum.ExtXautoDetect=ExtX (Auto Detection)
TskData.tskFsTypeEnum.SWAPautoDetect=SWAP (Auto Detection)
TskData.tskFsTypeEnum.RAWautoDetect=RAW (Auto Detection)
TskData.tskFsTypeEnum.ISO9660autoDetect=ISO9660 (Auto Detection)
TskData.tskFsTypeEnum.HFSautoDetect=HFS (Auto Detection)
TskData.tskFsTypeEnum.YAFFS2autoDetect=YAFFS2 (Auto Detection)
TskData.tskFsTypeEnum.APFSautoDetect=APFS (Auto Detection)
TskData.tskFsTypeEnum.unsupported=Unsupported File System
TskData.tskImgTypeEnum.autoDetect=Auto Detect
TskData.tskImgTypeEnum.rawSingle=Raw Single
TskData.tskImgTypeEnum.rawSplit=Raw Split
TskData.tskImgTypeEnum.unknown=Unknown
TskData.tskVSTypeEnum.autoDetect=Auto Detect
TskData.tskVSTypeEnum.fake=Fake
TskData.tskVSTypeEnum.unsupported=Unsupported
TskData.tskVSTypeEnum.exception.msg1.text=No TSK_VS_TYPE_ENUM of value\: {0}
TskData.fileKnown.unknown=unknown
TskData.fileKnown.known=known
TskData.fileKnown.knownBad=notable
TskData.fileKnown.exception.msg1.text=No FileKnown of value\: {0}
TskData.encodingType.exception.msg1.text=No EncodingType of value\: {0}
TskData.collectedStatus.exception.msg1.text=No CollectedStatus of value\: {0}
TskData.keywordSearchQueryType.exception.msg1.text=No KeywordSearchQueryType of value\: {0}
TskData.tskDbFilesTypeEnum.exception.msg1.text=No TSK_FILE_TYPE_ENUM of value\: {0}
TskData.objectTypeEnum.exception.msg1.text=No ObjectType of value\: {0}
TskData.tskImgTypeEnum.exception.msg1.text=No TSK_IMG_TYPE_ENUM of value\: {0}
TskData.tskFsTypeEnum.exception.msg1.text=No TSK_FS_TYPE_ENUM of value\: {0}
TskData.tskFsAttrTypeEnum.exception.msg1.text=No TSK_FS_ATTR_TYPE_ENUM of value\: {0}
TskData.tskFsNameFlagEnum.exception.msg1.text=No TSK_FS_NAME_FLAG_ENUM of value\: {0}
TskData.tskFsMetaTypeEnum.exception.msg1.text=No TSK_FS_META_TYPE_ENUM of value\: {0}
TskData.tskFsNameTypeEnum.exception.msg1.text=No TSK_FS_NAME_TYPE_ENUM matching type\: {0}
Volume.desc.text=Unknown
Volume.read.exception.msg1.text=This volume's parent should be a VolumeSystem, but it's not.
Volume.vsFlagToString.allocated=Allocated
Volume.vsFlagToString.unallocated=Unallocated
BlackboardArtifact.tskGpsRoute.text=GPS Route
BlackboardAttribute.tskGeoLatitudeStart.text=Starting Latitude
BlackboardAttribute.tskGeoLatitudeEnd.text=Ending Latitude
BlackboardAttribute.tskGeoLongitudeStart.text=Starting Longitude
BlackboardAttribute.tskGeoLongitudeEnd.text=Ending Longitude
BlackboardAttribute.tskReadStatus.text=Read
DatabaseConnectionCheck.Everything=Invalid hostname, port number, username, password, and firewall settings.
DatabaseConnectionCheck.Port=Verify that PostgreSQL server is running, it's port number, and firewall settings.
DatabaseConnectionCheck.HostnameOrPort=Invalid hostname and/or port number.
DatabaseConnectionCheck.Authentication=Invalid username and/or password.
DatabaseConnectionCheck.Access=Invalid username and/or password.
DatabaseConnectionCheck.ServerDiskSpace=PostgreSQL server issue. Check disk space and memory availabilty on the PostgreSQL server.
DatabaseConnectionCheck.ServerRestart="PostgreSQL server issue. PostgreSQL server may need to be restarted.
DatabaseConnectionCheck.InternalServerIssue=Internal PostgreSQL issue. Database may be corrupted.
DatabaseConnectionCheck.Connection=Invalid hostname, port, username, and/or password. Check firewall settings.
DatabaseConnectionCheck.Installation=Issue with installation. JDBC driver not found.
DatabaseConnectionCheck.MissingHostname=Missing hostname.
DatabaseConnectionCheck.MissingPort=Missing port number.
DatabaseConnectionCheck.MissingUsername=Missing username.
DatabaseConnectionCheck.MissingPassword=Missing password.
IngestJobInfo.IngestJobStatusType.Started.displayName=Started
IngestJobInfo.IngestJobStatusType.Cancelled.displayName=Cancelled
IngestJobInfo.IngestJobStatusType.Completed.displayName=Completed
IngestModuleInfo.IngestModuleType.FileLevel.displayName=File Level
IngestModuleInfo.IngestModuleType.DataArtifact.displayName=Data Artifact
IngestModuleInfo.IngestModuleType.AnalysisResult.displayName=Analysis Result
IngestModuleInfo.IngestModuleType.DataSourceLevel.displayName=Data Source Level
IngestModuleInfo.IngestModuleType.Multiple.displayName=Multiple
ReviewStatus.Approved=Approved
ReviewStatus.Rejected=Rejected
ReviewStatus.Undecided=Undecided
CategoryType.DataArtifact=Data Artifact
CategoryType.AnalysisResult=Analysis Result
TimelineLevelOfDetail.low=Low
TimelineLevelOfDetail.medium=Medium
TimelineLevelOfDetail.high=High
BaseTypes.fileSystem.name=File System
BaseTypes.webActivity.name=Web Activity
BaseTypes.miscTypes.name=Other
FileSystemTypes.fileModified.name=File Modified
FileSystemTypes.fileAccessed.name=File Accessed
FileSystemTypes.fileCreated.name=File Created
FileSystemTypes.fileChanged.name=File Changed
MiscTypes.message.name=Messages
MiscTypes.GPSRoutes.name=GPS Routes
MiscTypes.GPSTrackpoint.name=GPS Trackpoint
MiscTypes.Calls.name=Call Begin
MiscTypes.CallsEnd.name=Call End
MiscTypes.Email.name=Email Sent
MiscTypes.EmailRcvd.name=Email Received
MiscTypes.recentDocuments.name=Recent Documents
MiscTypes.installedPrograms.name=Program Installed
MiscTypes.exif.name=Exif
MiscTypes.devicesAttached.name=Devices Attached
MiscTypes.LogEntry.name=Log Entry
MiscTypes.Registry.name=Registry
MiscTypes.GPSBookmark.name=GPS Bookmark
MiscTypes.GPSLastknown.name=GPS Last Known Location
MiscTypes.GPSearch.name=GPS Search
MiscTypes.GPSTrack.name=GPS Track
MiscTypes.metadataLastPrinted.name=Document Last Printed
MiscTypes.metadataLastSaved.name=Document Last Saved
MiscTypes.metadataCreated.name=Document Created
MiscTypes.programexecuted.name=Program Run
RootEventType.eventTypes.name=Event Types
WebTypes.webDownloads.name=Web Downloads
WebTypes.webCookies.name=Web Cookies Create
WebTypes.webCookiesAccessed.name=Web Cookies Accessed
WebTypes.webCookiesStart.name=Web Cookies Start
WebTypes.webCookiesEnd.name=Web Cookies End
WebTypes.webBookmarks.name=Web Bookmarks
WebTypes.webHistory.name=Web History Accessed
WebTypes.webHistoryCreated.name=Web History Created
WebTypes.webSearch.name=Web Searches
WebTypes.webFormAutoFill.name=Web Form Autofill Created
WebTypes.webFormAddress.name=Web Form Address Created
WebTypes.webFormAddressModified.name=Web Form Address Modified
WebTypes.webFormAutofillAccessed.name=Web Form Autofill Accessed
CustomTypes.other.name=Standard Artifact Event
CustomTypes.userCreated.name=Manually Created Event
CustomTypes.customArtifact.name=Custom Artifact Event
EventTypeHierarchyLevel.root=Root
EventTypeHierarchyLevel.category=Category
EventTypeHierarchyLevel.event=Event
DataSourcesFilter.displayName.text=Limit data sources to
DescriptionFilter.mode.exclude=Exclude
DescriptionFilter.mode.include=Include
hashHitsFilter.displayName.text=Must have hash hit
hideKnownFilter.displayName.text=Hide Known Files
IntersectionFilter.displayName.text=Intersection
tagsFilter.displayName.text=Must be tagged
TextFilter.displayName.text=Must include text:
TypeFilter.displayName.text=Limit event types to
FileTypesFilter.displayName.text=Limit file types to
OsAccountStatus.Unknown.text=Unknown
OsAccountStatus.Active.text=Active
OsAccountStatus.Disabled.text=Disabled
OsAccountStatus.Deleted.text=Deleted
OsAccountStatus.NonExistent.text=Non Existent
OsAccountType.Unknown.text=Unknown
OsAccountType.Service.text=Service
OsAccountType.Interactive.text=Interactive
OsAccountInstanceType.Launched.text=Launched
OsAccountInstanceType.Accessed.text=Accessed
OsAccountInstanceType.Referenced.text=Referenced
OsAccountInstanceType.Launched.descr.text=User launched a program or had an interactive session on the host.
OsAccountInstanceType.Accessed.descr.text=User accessed resources on the host via a service or created a file on the host.
OsAccountInstanceType.Referenced.descr.text=User was referenced on the host and it is unclear if they had any access. For example, if they are mentioned in a log file.
OsAccountRealm.Known.text=Known
OsAccountRealm.Inferred.text=Inferred
OsAccountRealm.Unknown.text=Unknown
OsAccountRealm.Local.text=Local
OsAccountRealm.Domain.text=Domain
Score.Priority.Normal.displayName.text=Normal
Score.Priority.Override.displayName.text=Override
Significance.Unknown.displayName.text=Unknown
Significance.LikelyNone.displayName.text=Likely Not Notable
Significance.LikelyNotable.displayName.text=Likely Notable
Significance.None.displayName.text=Not Notable
Significance.Notable.displayName.text=Notable
TimelineEventType.BackupEventStart.txt=Backup Begin
TimelineEventType.BackupEventEnd.txt=Backup End
TimelineEventType.BackupEvent.description.start=Backup Begin
TimelineEventType.BackupEvent.description.end=Backup End
TimelineEventType.BluetoothPairingLastConnection.txt=Bluetooth Pairing Last Connection
TimelineEventType.BluetoothPairing.txt=Bluetooth Pairing
TimelineEventType.CalendarEntryStart.txt=Calendar Entry Begin
TimelineEventType.CalendarEntryEnd.txt=Calendar Entry End
TimelineEventType.DeletedProgram.txt=Program Deleted
TimelineEventType.DeletedProgramDeleted.txt=Application Deleted
TimelineEventType.OSAccountAccessed.txt=Operating System Account Accessed
TimelineEventType.OSAccountCreated.txt=Operating System Account Created
TimelineEventType.OSAccountPwdFail.txt=Operating System Account Password Fail
TimelineEventType.OSAccountPwdReset.txt=Operating System Account Password Reset
TimelineEventType.OSInfo.txt=Operating System Information
TimelineEventType.ProgramNotification.txt=Program Notification
TimelineEventType.ScreenShot.txt=Screen Shot
TimelineEventType.UserDeviceEventStart.txt=User Activity Begin
TimelineEventType.UserDeviceEventEnd.txt=User Activity End
TimelineEventType.ServiceAccount.txt=Service Account
TimelineEventType.WIFINetwork.txt=Wifi Network
TimelineEventType.WebCache.text=Web Cache
TimelineEventType.BluetoothAdapter.txt=Bluetooth Adapter
BaseTypes.geolocation.name=Geolocation
BaseTypes.communication.name=Communication
TskData.ObjectType.IMG.name=Disk Image
TskData.ObjectType.VS.name=Volume System
TskData.ObjectType.VOL.name=Volume
TskData.ObjectType.FS.name=File System
TskData.ObjectType.AbstractFile.name=File
TskData.ObjectType.Artifact.name=Artifact
TskData.ObjectType.Report.name=Report
TskData.ObjectType.Pool.name=Pool
TskData.ObjectType.OsAccount.name=OS Account
TskData.ObjectType.HostAddress.name=Host Address
TskData.ObjectType.Unsupported.name=Unsupported
bindings/java/src/org/sleuthkit/datamodel/Bundle.properties-MERGED 0 → 100644
View file @ a73ef106
BlackboardArtifact.tskGenInfo.text=General Info
BlackboardArtifact.tskWebBookmark.text=Web Bookmarks
BlackboardArtifact.tskWebCookie.text=Web Cookies
BlackboardArtifact.tskWebHistory.text=Web History
BlackboardArtifact.tskWebDownload.text=Web Downloads
BlackboardArtifact.tsk.recentObject.text=Recent Documents
BlackboardArtifact.tskGpsTrackpoint.text=GPS Trackpoints
BlackboardArtifact.tskInstalledProg.text=Installed Programs
BlackboardArtifact.tskKeywordHits.text=Keyword Hits
BlackboardArtifact.tskHashsetHit.text=Hashset Hits
BlackboardArtifact.tskDeviceAttached.text=USB Device Attached
BlackboardArtifact.tskInterestingFileHit.text=Interesting Files
BlackboardArtifact.tskEmailMsg.text=E-Mail Messages
BlackboardArtifact.tskExtractedText.text=Extracted Text
BlackboardArtifact.tskWebSearchQuery.text=Web Search
BlackboardArtifact.tskMetadataExif.text=EXIF Metadata
BlackboardArtifact.tagFile.text=Tagged Files
BlackboardArtifact.tskTagArtifact.text=Tagged Results
BlackboardArtifact.tskOsInfo.text=Operating System Information
BlackboardArtifact.tskOsAccount.text=Operating System User Account
BlackboardArtifact.tskServiceAccount.text=Web Accounts
BlackboardArtifact.tskToolOutput.text=Raw Tool Output
BlackboardArtifact.tskContact.text=Contacts
BlackboardArtifact.tskMessage.text=Messages
BlackboardArtifact.tskCalllog.text=Call Logs
BlackboardArtifact.tskCalendarEntry.text=Calendar Entries
BlackboardArtifact.tskSpeedDialEntry.text=Speed Dial Entries
BlackboardArtifact.tskBluetoothPairing.text=BlueTooth Pairings
BlackboardArtifact.tskGpsBookmark.text=GPS Bookmarks
BlackboardArtifact.tskGpsLastKnownLocation.text=GPS Last Known Location
BlackboardArtifact.tskGpsSearch.text=GPS Searches
BlackboardArtifact.tskProgRun.text=Run Programs
BlackboardArtifact.tskEncryptionDetected.text=Encryption Detected
BlackboardArtifact.tskEncryptionSuspected.text=Encryption Suspected
BlackboardArtifact.tskExtMismatchDetected.text=Extension Mismatch Detected
BlackboardArtifact.tskInterestingArtifactHit.text=Interesting Results
BlackboardArtifact.tskRemoteDrive.text=Remote Drive
BlackboardArtifact.tskFaceDetected.text=Face Detected
BlackboardArtifact.tskAccount.text=Accounts
BlackboardArtifact.tskTLEvent.text=TL Events
BlackboardArtifact.tskObjectDetected.text=Object Detected
BlackboardArtifact.tskWIFINetwork.text=Wireless Networks
BlackboardArtifact.tskDeviceInfo.text=Device Info
BlackboardArtifact.tskSimAttached.text=SIM Attached
BlackboardArtifact.tskBluetoothAdapter.text=Bluetooth Adapter
BlackboardArtifact.tskWIFINetworkAdapter.text=Wireless Network Adapters
BlackboardArtifact.tskVerificationFailed.text=Verification Failure
BlackboardArtifact.tskDataSourceUsage.text=Data Source Usage
BlackboardArtifact.tskWebFormAutofill.text=Web Form Autofill
BlackboardArtifact.tskWebFormAddresses.text=Web Form Addresses
BlackboardArtifact.tskDownloadSource.text=Download Source
BlackboardArtifact.tskWebCache.text=Web Cache
BlackboardArtifact.tskClipboardContent.text=Clipboard Content
BlackboardArtifact.tskUserContentSuspected.text=User Content Suspected
BlackboardArtifact.tskMetadata.text=Metadata
BlackboardArtifact.tskTrack.text=GPS Track
BlackboardArtifact.tskWebAccountType.text=Web Account Type
BlackboardArtifact.tskScreenShots.text=Screenshots
BlackboardArtifact.tskDhcpInfo.text=DHCP Information
BlackboardArtifact.tskProgNotifications.text=Program Notifications
BlackboardArtifact.tskBackupEvent.text=Backup Events
BlackboardArtifact.tskDeletedProg.text=Deleted Programs
BlackboardArtifact.tskUserDeviceEvent.text=User Device Events
BlackboardArtifact.shortDescriptionDate.text=at {0}
BlackboardArtifact.tskAssociatedObject.text=Associated Object
BlackboardArtifact.tskWebCategorization.text=Web Categories
BlackboardArtifact.tskPreviouslySeen.text=Previously Seen
BlackboardArtifact.tskPreviouslyUnseen.text=Previously Unseen
BlackboardArtifact.tskPreviouslyNotable.text=Previously Notable
BlackboardArtifact.tskInterestingItem.text=Interesting Items
BlackboardArtifact.tskMalware.text=Malware
BlackboardArtifact.tskYaraHit.text=YARA Hit
BlackboardArtifact.tskGPSArea.text=GPS Area
BlackboardAttribute.tskAccountType.text=Account Type
BlackboardAttribute.tskUrl.text=URL
BlackboardAttribute.tskDatetime.text=Date/Time
BlackboardAttribute.tskName.text=Name
BlackboardAttribute.tskProgName.text=Program Name
BlackboardAttribute.tskValue.text=Value
BlackboardAttribute.tskFlag.text=Flag
BlackboardAttribute.tskPath.text=Path
BlackboardAttribute.tskKeyword.text=Keyword
BlackboardAttribute.tskKeywordRegexp.text=Keyword Regular Expression
BlackboardAttribute.tskKeywordPreview.text=Keyword Preview
BlackboardAttribute.tskKeywordSet.text=Keyword Set
BlackboardAttribute.tskUserName.text=Username
BlackboardAttribute.tskDomain.text=Domain
BlackboardAttribute.tskPassword.text=Password
BlackboardAttribute.tskNamePerson.text=Person Name
BlackboardAttribute.tskDeviceModel.text=Device Model
BlackboardAttribute.tskDeviceMake.text=Device Make
BlackboardAttribute.tskDeviceId.text=Device ID
BlackboardAttribute.tskEmail.text=Email
BlackboardAttribute.tskHashMd5.text=MD5 Hash
BlackboardAttribute.tskHashSha1.text=SHA1 Hash
BlackboardAttribute.tskHashSha225.text=SHA2-256 Hash
BlackboardAttribute.tskHashSha2512.text=SHA2-512 Hash
BlackboardAttribute.tskText.text=Text
BlackboardAttribute.tskTextFile.text=Text File
BlackboardAttribute.tskTextLanguage.text=Text Language
BlackboardAttribute.tskEntropy.text=Entropy
BlackboardAttribute.tskHashsetName.text=Hashset Name
BlackboardAttribute.tskInterestingFile.text=Interesting File
BlackboardAttribute.tskReferrer.text=Referrer URL
BlackboardAttribute.tskDateTimeAccessed.text=Date Accessed
BlackboardAttribute.tskIpAddress.text=IP Address
BlackboardAttribute.tskPhoneNumber.text=Phone Number
BlackboardAttribute.tskPathId.text=Path ID
BlackboardAttribute.tskSetName.text=Set Name
BlackboardAttribute.tskEncryptionDetected.text=Encryption Detected
BlackboardAttribute.tskMalwareDetected.text=Malware Detected
BlackboardAttribute.tskStegDetected.text=Steganography Detected
BlackboardAttribute.tskEmailTo.text=E-Mail To
BlackboardAttribute.tskEmailCc.text=E-Mail CC
BlackboardAttribute.tskEmailBcc.text=E-Mail BCC
BlackboardAttribute.tskEmailFrom.text=E-Mail From
BlackboardAttribute.tskEmailContentPlain.text=Message (Plaintext)
BlackboardAttribute.tskEmailContentHtml.text=Message (HTML)
BlackboardAttribute.tskEmailContentRtf.text=Message (RTF)
BlackboardAttribute.tskMsgId.text=Message ID
BlackboardAttribute.tskMsgReplyId.text=Message Reply ID
BlackboardAttribute.tskDateTimeRcvd.text=Date Received
BlackboardAttribute.tskDateTimeSent.text=Date Sent
BlackboardAttribute.tskSubject.text=Subject
BlackboardAttribute.tskTitle.text=Title
BlackboardAttribute.tskGeoLatitude.text=Latitude
BlackboardAttribute.tskGeoLongitude.text=Longitude
BlackboardAttribute.tskGeoVelocity.text=Velocity
BlackboardAttribute.tskGeoAltitude.text=Altitude
BlackboardAttribute.tskGeoBearing.text=Bearing
BlackboardAttribute.tskGeoHPrecision.text=Horizontal Precision
BlackboardAttribute.tskGeoVPrecision.text=Vertical Precision
BlackboardAttribute.tskGeoMapDatum.text=Map Datum
BlackboardAttribute.tskFileTypeSig.text=File Type (signature)
BlackboardAttribute.tskFileTypeExt.text=File Type (extension)
BlackboardAttribute.tskTaggedArtifact.text=Tagged Result
BlackboardAttribute.tskTagName.text=Tag Name
BlackboardAttribute.tskComment.text=Comment
BlackboardAttribute.tskUrlDecoded.text=Decoded URL
BlackboardAttribute.tskDateTimeCreated.text=Date Created
BlackboardAttribute.tskDateTimeModified.text=Date Modified
BlackboardAttribute.tskProcessorArchitecture.text=Processor Architecture
BlackboardAttribute.tskVersion.text=Version
BlackboardAttribute.tskUserId.text=User ID
BlackboardAttribute.tskDescription.text=Description
BlackboardAttribute.tskMessageType.text=Message Type
BlackboardAttribute.tskPhoneNumberHome.text=Phone Number (Home)
BlackboardAttribute.tskPhoneNumberOffice.text=Phone Number (Office)
BlackboardAttribute.tskPhoneNumberMobile.text=Phone Number (Mobile)
BlackboardAttribute.tskPhoneNumberFrom.text=From Phone Number
BlackboardAttribute.tskPhoneNumberTo.text=To Phone Number
BlackboardAttribute.tskDirection.text=Direction
BlackboardAttribute.tskEmailHome.text=Email (Home)
BlackboardAttribute.tskEmailOffice.text=Email (Office)
BlackboardAttribute.tskDateTimeStart.text=Start Date/Time
BlackboardAttribute.tskDateTimeEnd.text=End Date/Time
BlackboardAttribute.tskCalendarEntryType.text=Calendar Entry Type
BlackboardAttribute.tskLocation.text=Location
BlackboardAttribute.tskShortcut.text=Short Cut
BlackboardAttribute.tskDeviceName.text=Device Name
BlackboardAttribute.tskCategory.text=Category
BlackboardAttribute.tskEmailReplyTo.text=ReplyTo Address
BlackboardAttribute.tskServerName.text=Server Name
BlackboardAttribute.tskCount.text=Count
BlackboardAttribute.tskMinCount.text=Minimum Count
BlackboardAttribute.tskPathSource.text=Path Source
BlackboardAttribute.tskPermissions.text=Permissions
BlackboardAttribute.tskAssociatedArtifact.text=Associated Artifact
BlackboardAttribute.tskIsDeleted.text=Is Deleted
BlackboardAttribute.tskLocalPath.text=Local Path
BlackboardAttribute.tskRemotePath.text=Remote Path
BlackboardAttribute.tskProcessorName.text=Processor Name
BlackboardAttribute.tskTempDir.text=Temporary Files Directory
BlackboardAttribute.tskProductId.text=Product ID
BlackboardAttribute.tskOwner.text=Owner
BlackboardAttribute.tskOrganization.text=Organization
BlackboardAttribute.tskCardNumber.text=Card Number
BlackboardAttribute.tskCardExpiration.text=Card Expiration (YYMM)
BlackboardAttribute.tskCardServiceCode.text=Card Service Code
BlackboardAttribute.tskCardDiscretionary.text=Card Discretionary Data
BlackboardAttribute.tskCardLRC.text=Card Longitudinal Redundancy Check
BlackboardAttribute.tskKeywordSearchDocumentID.text=Keyword Search Document ID
BlackboardAttribute.tskCardScheme.text=Card Scheme
BlackboardAttribute.tskCardType.text=Card Type
BlackboardAttribute.tskBrandName.text=Brand Name
BlackboardAttribute.tskBankName.text=Bank Name
BlackboardAttribute.tskCountry.text=Country
BlackboardAttribute.tskCity.text=City
BlackboardAttribute.tskKeywordSearchType.text=Keyword Search Type
BlackboardAttribute.tskHeaders.text=Headers
BlackboardAttribute.tskId.text=ID
BlackboardAttribute.tskTLEventType.text=Event Type
BlackboardAttribute.tskSsid.text=SSID
BlackboardAttribute.tskBssid.text=BSSID
BlackboardAttribute.tskMacAddress.text=MAC Address
BlackboardAttribute.tskImei.text=IMEI
BlackboardAttribute.tskImsi.text=IMSI
BlackboardAttribute.tskIccid.text=ICCID
BlackboardAttribute.tskthreadid.text=Thread ID
BlackboardAttribute.tskdatetimedeleted.text=Time Deleted
BlackboardAttribute.tskdatetimepwdreset.text=Password Reset Date
BlackboardAttribute.tskdatetimepwdfail.text=Password Fail Date
BlackboardAttribute.tskdisplayname.text=Display Name
BlackboardAttribute.tskpasswordsettings.text=Password Settings
BlackboardAttribute.tskaccountsettings.text=Account Settings
BlackboardAttribute.tskpasswordhint.text=Password Hint
BlackboardAttribute.tskgroups.text=Groups
BlackboardAttribute.tskattachments.text=Message Attachments
BlackboardAttribute.tskgeopath.text=List of Track Points
BlackboardAttribute.tskgeowaypoints.text=List of Waypoints
BlackboardAttribute.tskdistancetraveled.text=Distance Traveled
BlackboardAttribute.tskdistancefromhome.text=Distance from Homepoint
BlackboardAttribute.tskhashphotodna.text=PhotoDNA Hash
BlackboardAttribute.tskbytessent.text=Bytes Sent
BlackboardAttribute.tskbytesreceived.text=Bytes Received
BlackboardAttribute.tsklastprinteddatetime.text=Last Printed Date
BlackboardAttribute.tskgeoareapoints.text=List of points making up the outline of an area
BlackboardAttribute.tskrule.text = Rule
BlackboardAttribute.tskActivityType.text=Activity Type
BlackboardAttribute.tskRealm.text=Realm
BlackboardAttribute.tskHost.text=Host
BlackboardAttribute.tskHomeDir.text=Home Directory
BlackboardAttribute.tskIsAdmin.text=Is Administrator
BlackboardAttribute.tskCorrelationType.text=Correlation Type
BlackboardAttribute.tskCorrelationValue.text=Correlation Value
BlackboardAttribute.tskOtherCases.text=Other Cases
AbstractFile.readLocal.exception.msg4.text=Error reading local file\: {0}
AbstractFile.readLocal.exception.msg1.text=Error reading local file, local path is not set
AbstractFile.readLocal.exception.msg2.text=Error reading local file, it does not exist at local path\: {0}
AbstractFile.readLocal.exception.msg3.text=Error reading local file, file not readable at local path\: {0}
AbstractFile.readLocal.exception.msg5.text=Cannot read local file\: {0}
DerviedFile.derivedMethod.exception.msg1.text=Error getting derived method for file id\: {0}
FsContent.readInt.err.msg.text=Image file does not exist or is inaccessible.
Image.verifyImageSize.errStr1.text=\nPossible Incomplete Image\: Error reading volume at offset {0}
Image.verifyImageSize.errStr2.text=\nPossible Incomplete Image\: Error reading volume at offset {0}
Image.verifyImageSize.errStr3.text=\nPossible Incomplete Image\: Error reading file system at offset {0}
Image.verifyImageSize.errStr4.text=\nPossible Incomplete Image\: Error reading file system at offset {0}
SlackFile.readInt.err.msg.text=Image file does not exist or is inaccessible.
SleuthkitCase.isFileFromSource.exception.msg.text=Error, data source should be parent-less (images, file-sets), got\: {0}
SleuthkitCase.isFileFromSource.exception.msg2.text=Error, data source should be Image or VirtualDirectory, got\: {0}
SleuthkitCase.SchemaVersionMismatch=Schema version does not match
SleuthkitCase.findFiles.exception.msg1.text=Error, data source should be parent-less (images, file-sets), got\: {0}
SleuthkitCase.findFiles.exception.msg2.text=Error, data source should be Image or VirtualDirectory, got\: {0}
SleuthkitCase.findFiles.exception.msg3.text=Error finding files in the data source by name,
SleuthkitCase.findFiles3.exception.msg1.text=Error, data source should be parent-less (images, file-sets), got\: {0}
SleuthkitCase.findFiles3.exception.msg2.text=Error, data source should be Image or VirtualDirectory, got\: {0}
SleuthkitCase.findFiles3.exception.msg3.text=Error finding files in the data source by name,
SleuthkitCase.addDerivedFile.exception.msg1.text=Error creating a derived file, cannot get new id of the object, file name\: {0}
SleuthkitCase.addDerivedFile.exception.msg2.text=Error creating a derived file, file name\: {0}
SleuthkitCase.addLocalFile.exception.msg1.text=Error adding local file\: {0}, parent to add to is null
SleuthkitCase.addLocalFile.exception.msg2.text=Error creating a local file, cannot get new id of the object, file name\: {0}
SleuthkitCase.addLocalFile.exception.msg3.text=Error creating a derived file, file name\: {0}
SleuthkitCase.getLastObjectId.exception.msg.text=Error closing result set after getting last object id.
TskData.tskFsNameFlagEnum.unknown=Unknown
TskData.tskFsNameFlagEnum.allocated=Allocated
TskData.tskFsNameFlagEnum.unallocated=Unallocated
TskData.tskFsMetaFlagEnum.unknown=Unknown
TskData.tskFsMetaFlagEnum.allocated=Allocated
TskData.tskFsMetaFlagEnum.unallocated=Unallocated
TskData.tskFsMetaFlagEnum.used=Used
TskData.tskFsMetaFlagEnum.unused=Unused
TskData.tskFsMetaFlagEnum.compressed=Compressed
TskData.tskFsMetaFlagEnum.orphan=Orphan
TskData.tskFsTypeEnum.autoDetect=Auto Detect
TskData.tskFsTypeEnum.NTFSautoDetect=NTFS (Auto Detection)
TskData.tskFsTypeEnum.FATautoDetect=FAT (Auto Detection)
TskData.tskFsTypeEnum.ExtXautoDetect=ExtX (Auto Detection)
TskData.tskFsTypeEnum.SWAPautoDetect=SWAP (Auto Detection)
TskData.tskFsTypeEnum.RAWautoDetect=RAW (Auto Detection)
TskData.tskFsTypeEnum.ISO9660autoDetect=ISO9660 (Auto Detection)
TskData.tskFsTypeEnum.HFSautoDetect=HFS (Auto Detection)
TskData.tskFsTypeEnum.YAFFS2autoDetect=YAFFS2 (Auto Detection)
TskData.tskFsTypeEnum.APFSautoDetect=APFS (Auto Detection)
TskData.tskFsTypeEnum.unsupported=Unsupported File System
TskData.tskImgTypeEnum.autoDetect=Auto Detect
TskData.tskImgTypeEnum.rawSingle=Raw Single
TskData.tskImgTypeEnum.rawSplit=Raw Split
TskData.tskImgTypeEnum.unknown=Unknown
TskData.tskVSTypeEnum.autoDetect=Auto Detect
TskData.tskVSTypeEnum.fake=Fake
TskData.tskVSTypeEnum.unsupported=Unsupported
TskData.tskVSTypeEnum.exception.msg1.text=No TSK_VS_TYPE_ENUM of value\: {0}
TskData.fileKnown.unknown=unknown
TskData.fileKnown.known=known
TskData.fileKnown.knownBad=notable
TskData.fileKnown.exception.msg1.text=No FileKnown of value\: {0}
TskData.encodingType.exception.msg1.text=No EncodingType of value\: {0}
TskData.collectedStatus.exception.msg1.text=No CollectedStatus of value\: {0}
TskData.keywordSearchQueryType.exception.msg1.text=No KeywordSearchQueryType of value\: {0}
TskData.tskDbFilesTypeEnum.exception.msg1.text=No TSK_FILE_TYPE_ENUM of value\: {0}
TskData.objectTypeEnum.exception.msg1.text=No ObjectType of value\: {0}
TskData.tskImgTypeEnum.exception.msg1.text=No TSK_IMG_TYPE_ENUM of value\: {0}
TskData.tskFsTypeEnum.exception.msg1.text=No TSK_FS_TYPE_ENUM of value\: {0}
TskData.tskFsAttrTypeEnum.exception.msg1.text=No TSK_FS_ATTR_TYPE_ENUM of value\: {0}
TskData.tskFsNameFlagEnum.exception.msg1.text=No TSK_FS_NAME_FLAG_ENUM of value\: {0}
TskData.tskFsMetaTypeEnum.exception.msg1.text=No TSK_FS_META_TYPE_ENUM of value\: {0}
TskData.tskFsNameTypeEnum.exception.msg1.text=No TSK_FS_NAME_TYPE_ENUM matching type\: {0}
Volume.desc.text=Unknown
Volume.read.exception.msg1.text=This volume's parent should be a VolumeSystem, but it's not.
Volume.vsFlagToString.allocated=Allocated
Volume.vsFlagToString.unallocated=Unallocated
BlackboardArtifact.tskGpsRoute.text=GPS Route
BlackboardAttribute.tskGeoLatitudeStart.text=Starting Latitude
BlackboardAttribute.tskGeoLatitudeEnd.text=Ending Latitude
BlackboardAttribute.tskGeoLongitudeStart.text=Starting Longitude
BlackboardAttribute.tskGeoLongitudeEnd.text=Ending Longitude
BlackboardAttribute.tskReadStatus.text=Read
DatabaseConnectionCheck.Everything=Invalid hostname, port number, username, password, and firewall settings.
DatabaseConnectionCheck.Port=Verify that PostgreSQL server is running, it's port number, and firewall settings.
DatabaseConnectionCheck.HostnameOrPort=Invalid hostname and/or port number.
DatabaseConnectionCheck.Authentication=Invalid username and/or password.
DatabaseConnectionCheck.Access=Invalid username and/or password.
DatabaseConnectionCheck.ServerDiskSpace=PostgreSQL server issue. Check disk space and memory availabilty on the PostgreSQL server.
DatabaseConnectionCheck.ServerRestart="PostgreSQL server issue. PostgreSQL server may need to be restarted.
DatabaseConnectionCheck.InternalServerIssue=Internal PostgreSQL issue. Database may be corrupted.
DatabaseConnectionCheck.Connection=Invalid hostname, port, username, and/or password. Check firewall settings.
DatabaseConnectionCheck.Installation=Issue with installation. JDBC driver not found.
DatabaseConnectionCheck.MissingHostname=Missing hostname.
DatabaseConnectionCheck.MissingPort=Missing port number.
DatabaseConnectionCheck.MissingUsername=Missing username.
DatabaseConnectionCheck.MissingPassword=Missing password.
IngestJobInfo.IngestJobStatusType.Started.displayName=Started
IngestJobInfo.IngestJobStatusType.Cancelled.displayName=Cancelled
IngestJobInfo.IngestJobStatusType.Completed.displayName=Completed
IngestModuleInfo.IngestModuleType.FileLevel.displayName=File Level
IngestModuleInfo.IngestModuleType.DataArtifact.displayName=Data Artifact
IngestModuleInfo.IngestModuleType.AnalysisResult.displayName=Analysis Result
IngestModuleInfo.IngestModuleType.DataSourceLevel.displayName=Data Source Level
IngestModuleInfo.IngestModuleType.Multiple.displayName=Multiple
ReviewStatus.Approved=Approved
ReviewStatus.Rejected=Rejected
ReviewStatus.Undecided=Undecided
CategoryType.DataArtifact=Data Artifact
CategoryType.AnalysisResult=Analysis Result
TimelineLevelOfDetail.low=Low
TimelineLevelOfDetail.medium=Medium
TimelineLevelOfDetail.high=High
BaseTypes.fileSystem.name=File System
BaseTypes.webActivity.name=Web Activity
BaseTypes.miscTypes.name=Other
FileSystemTypes.fileModified.name=File Modified
FileSystemTypes.fileAccessed.name=File Accessed
FileSystemTypes.fileCreated.name=File Created
FileSystemTypes.fileChanged.name=File Changed
MiscTypes.message.name=Messages
MiscTypes.GPSRoutes.name=GPS Routes
MiscTypes.GPSTrackpoint.name=GPS Trackpoint
MiscTypes.Calls.name=Call Begin
MiscTypes.CallsEnd.name=Call End
MiscTypes.Email.name=Email Sent
MiscTypes.EmailRcvd.name=Email Received
MiscTypes.recentDocuments.name=Recent Documents
MiscTypes.installedPrograms.name=Program Installed
MiscTypes.exif.name=Exif
MiscTypes.devicesAttached.name=Devices Attached
MiscTypes.LogEntry.name=Log Entry
MiscTypes.Registry.name=Registry
MiscTypes.GPSBookmark.name=GPS Bookmark
MiscTypes.GPSLastknown.name=GPS Last Known Location
MiscTypes.GPSearch.name=GPS Search
MiscTypes.GPSTrack.name=GPS Track
MiscTypes.metadataLastPrinted.name=Document Last Printed
MiscTypes.metadataLastSaved.name=Document Last Saved
MiscTypes.metadataCreated.name=Document Created
MiscTypes.programexecuted.name=Program Run
RootEventType.eventTypes.name=Event Types
WebTypes.webDownloads.name=Web Downloads
WebTypes.webCookies.name=Web Cookies Create
WebTypes.webCookiesAccessed.name=Web Cookies Accessed
WebTypes.webCookiesStart.name=Web Cookies Start
WebTypes.webCookiesEnd.name=Web Cookies End
WebTypes.webBookmarks.name=Web Bookmarks
WebTypes.webHistory.name=Web History Accessed
WebTypes.webHistoryCreated.name=Web History Created
WebTypes.webSearch.name=Web Searches
WebTypes.webFormAutoFill.name=Web Form Autofill Created
WebTypes.webFormAddress.name=Web Form Address Created
WebTypes.webFormAddressModified.name=Web Form Address Modified
WebTypes.webFormAutofillAccessed.name=Web Form Autofill Accessed
CustomTypes.other.name=Standard Artifact Event
CustomTypes.userCreated.name=Manually Created Event
CustomTypes.customArtifact.name=Custom Artifact Event
EventTypeHierarchyLevel.root=Root
EventTypeHierarchyLevel.category=Category
EventTypeHierarchyLevel.event=Event
DataSourcesFilter.displayName.text=Limit data sources to
DescriptionFilter.mode.exclude=Exclude
DescriptionFilter.mode.include=Include
hashHitsFilter.displayName.text=Must have hash hit
hideKnownFilter.displayName.text=Hide Known Files
IntersectionFilter.displayName.text=Intersection
tagsFilter.displayName.text=Must be tagged
TextFilter.displayName.text=Must include text:
TypeFilter.displayName.text=Limit event types to
FileTypesFilter.displayName.text=Limit file types to
OsAccountStatus.Unknown.text=Unknown
OsAccountStatus.Active.text=Active
OsAccountStatus.Disabled.text=Disabled
OsAccountStatus.Deleted.text=Deleted
OsAccountStatus.NonExistent.text=Non Existent
OsAccountType.Unknown.text=Unknown
OsAccountType.Service.text=Service
OsAccountType.Interactive.text=Interactive
OsAccountInstanceType.Launched.text=Launched
OsAccountInstanceType.Accessed.text=Accessed
OsAccountInstanceType.Referenced.text=Referenced
OsAccountInstanceType.Launched.descr.text=User launched a program or had an interactive session on the host.
OsAccountInstanceType.Accessed.descr.text=User accessed resources on the host via a service or created a file on the host.
OsAccountInstanceType.Referenced.descr.text=User was referenced on the host and it is unclear if they had any access. For example, if they are mentioned in a log file.
OsAccountRealm.Known.text=Known
OsAccountRealm.Inferred.text=Inferred
OsAccountRealm.Unknown.text=Unknown
OsAccountRealm.Local.text=Local
OsAccountRealm.Domain.text=Domain
Score.Priority.Normal.displayName.text=Normal
Score.Priority.Override.displayName.text=Override
Significance.Unknown.displayName.text=Unknown
Significance.LikelyNone.displayName.text=Likely Not Notable
Significance.LikelyNotable.displayName.text=Likely Notable
Significance.None.displayName.text=Not Notable
Significance.Notable.displayName.text=Notable
TimelineEventType.BackupEventStart.txt=Backup Begin
TimelineEventType.BackupEventEnd.txt=Backup End
TimelineEventType.BackupEvent.description.start=Backup Begin
TimelineEventType.BackupEvent.description.end=Backup End
TimelineEventType.BluetoothPairingLastConnection.txt=Bluetooth Pairing Last Connection
TimelineEventType.BluetoothPairing.txt=Bluetooth Pairing
TimelineEventType.CalendarEntryStart.txt=Calendar Entry Begin
TimelineEventType.CalendarEntryEnd.txt=Calendar Entry End
TimelineEventType.DeletedProgram.txt=Program Deleted
TimelineEventType.DeletedProgramDeleted.txt=Application Deleted
TimelineEventType.OSAccountAccessed.txt=Operating System Account Accessed
TimelineEventType.OSAccountCreated.txt=Operating System Account Created
TimelineEventType.OSAccountPwdFail.txt=Operating System Account Password Fail
TimelineEventType.OSAccountPwdReset.txt=Operating System Account Password Reset
TimelineEventType.OSInfo.txt=Operating System Information
TimelineEventType.ProgramNotification.txt=Program Notification
TimelineEventType.ScreenShot.txt=Screen Shot
TimelineEventType.UserDeviceEventStart.txt=User Activity Begin
TimelineEventType.UserDeviceEventEnd.txt=User Activity End
TimelineEventType.ServiceAccount.txt=Service Account
TimelineEventType.WIFINetwork.txt=Wifi Network
TimelineEventType.WebCache.text=Web Cache
TimelineEventType.BluetoothAdapter.txt=Bluetooth Adapter
BaseTypes.geolocation.name=Geolocation
BaseTypes.communication.name=Communication
TskData.ObjectType.IMG.name=Disk Image
TskData.ObjectType.VS.name=Volume System
TskData.ObjectType.VOL.name=Volume
TskData.ObjectType.FS.name=File System
TskData.ObjectType.AbstractFile.name=File
TskData.ObjectType.Artifact.name=Artifact
TskData.ObjectType.Report.name=Report
TskData.ObjectType.Pool.name=Pool
TskData.ObjectType.OsAccount.name=OS Account
TskData.ObjectType.HostAddress.name=Host Address
TskData.ObjectType.Unsupported.name=Unsupported