From db2a4979cec69b480da5bd75d2b1c80f1fe956ac Mon Sep 17 00:00:00 2001
From: "eugene.livis"
Date: Tue, 29 Aug 2023 11:57:47 -0400
Subject: [PATCH] Using TSK_MALWARE standard Autopsy artifact

---
 .../malwarescan/MalwareScanIngestModule.java | 10 ++----
 .../autopsy/datamodel/Artifacts.java | 18 ++---------
 .../autopsy/datamodel/MalwareHits.java | 32 ++++++-------------
 3 files changed, 14 insertions(+), 46 deletions(-)

diff --git a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
index ba8bd556b10..fee67fdff2d 100644
--- a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
+++ b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
@@ -134,8 +134,7 @@ private static class SharedProcessing {
 "application/x-msdos-program"//NON-NLS
 ).collect(Collectors.toSet());
- private static final String MALWARE_TYPE_NAME = "TSK_MALWARE";
- private static final String MALWARE_CONFIG = "Cyber Triage Cloud";
+ private static final String MALWARE_CONFIG = ""; // NOTE: Adding a configuration complicates NTL branch UI
 private static final Logger logger = Logger.getLogger(MalwareScanIngestModule.class.getName());
@@ -235,18 +234,13 @@ private IngestJobState getNewJobState(IngestJobContext context, boolean uploadFi
 // setup necessary variables for processing
 SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
- BlackboardArtifact.Type malwareType = tskCase.getBlackboard().getOrAddArtifactType(
- MALWARE_TYPE_NAME,
- Bundle.MalwareScanIngestModule_malwareTypeDisplayName(),
- BlackboardArtifact.Category.ANALYSIS_RESULT);
-
 return new IngestJobState(
 context,
 tskCase,
 new PathNormalizer(tskCase),
 new FileTypeDetector(),
 licenseInfoOpt.get(),
- malwareType,
+ BlackboardArtifact.Type.TSK_MALWARE,
 uploadFiles,
 true
 );
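Review bot: The replacement line `private static final String MALWARE_CONFIG = "";` explains why a configuration was dropped but not what an empty configuration means to the code that consumes this constant, and "NTL" is an abbreviation a reader outside the team cannot expand. Suggest stating the intent on the line itself and spelling the abbreviation out, e.g. `private static final String MALWARE_CONFIG = ""; // Intentionally empty: results are filed under the standard TSK_MALWARE type with no per-module configuration, because a configuration complicates the NTL (expand) branch UI`. The field's consumers are outside this hunk, so I cannot confirm how an empty configuration is treated downstream.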
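Review bot: Passing the fixed `BlackboardArtifact.Type.TSK_MALWARE` constant where `getOrAddArtifactType(MALWARE_TYPE_NAME, …)` previously resolved the type from the case database changes how a case created by an earlier build is read: that build registered `TSK_MALWARE` as a custom type with a database-assigned ID, whereas the standard constant carries its own fixed ID. Unless the Sleuth Kit schema upgrade reconciles the custom row with the standard one, which this patch does not show, hits written by the old module would sit under an ID the new code never queries. Please confirm by opening a case produced by a pre-change build, and record the dependency at the call site, e.g. `BlackboardArtifact.Type.TSK_MALWARE, // standard type as of the TSK version this build requires; older cases registered it as a custom type`. getNewJobState starts before the hunk and its closing brace is outside it.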
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
index a38383c1830..4475b682c5a 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
@@ -64,6 +64,7 @@
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_TL_EVENT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_ASSOCIATED_OBJECT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_KEYWORD_HIT;
+ import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 /**
 * Classes for creating nodes for BlackboardArtifacts.
@@ -73,10 +74,6 @@ public class Artifacts {
 private static final Set INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
- // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
- private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
- private static final String MALWARE_HITS = "TSK_MALWARE";
-
 /**
 * Base class for a parent node of artifacts.
 */
@@ -247,15 +244,6 @@ static class TypeFactory extends ChildFactory.Detachable implements
 @SuppressWarnings("deprecation")
 private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCase skCase, long dsObjId) {
- // Get the custom TSK_MALWARE artifact type from case database
- if (MALWARE_ARTIFACT_TYPE == null) {
- try {
- MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
- } catch (TskCoreException ex) {
- logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
- }
- }
-
 int typeId = type.getTypeID();
 if (TSK_EMAIL_MSG.getTypeID() == typeId) {
 EmailExtracted.RootNode emailNode = new EmailExtracted(skCase, dsObjId).new RootNode();
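Review bot: With the lazy lookup removed from `getTypeKey`, the `catch (TskCoreException ex)` and the `logger.log(Level.WARNING, …)` call it wrapped were, as far as this hunk shows, the only uses of `Level`, `TskCoreException` and `logger` in the method; if nothing else in Artifacts.java refers to them, the matching imports and the logger field are now dead and should go in this same commit rather than be left for a linter. I cannot see the rest of the file, so this is a request to check rather than a confirmed defect. getTypeKey continues past the end of the hunk.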
@@ -281,9 +269,9 @@ private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCas
 } else if (TSK_HASHSET_HIT.getTypeID() == typeId) {
 HashsetHits.RootNode hashsetHits = new HashsetHits(skCase, dsObjId).new RootNode();
 return new TypeNodeKey(hashsetHits, TSK_HASHSET_HIT);
- } else if (MALWARE_ARTIFACT_TYPE != null && MALWARE_ARTIFACT_TYPE.getTypeID() == typeId) {
+ } else if (TSK_MALWARE.getTypeID() == typeId) {
 MalwareHits.RootNode malwareHits = new MalwareHits(skCase, dsObjId).new RootNode();
- return new TypeNodeKey(malwareHits, MALWARE_ARTIFACT_TYPE);
+ return new TypeNodeKey(malwareHits, TSK_MALWARE);
 } else {
 return new TypeNodeKey(type, dsObjId);
 }
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java b/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
index c1761a7ad57..2524650178c 100755
--- a/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
@@ -44,12 +44,12 @@
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.ingest.IngestManager;
 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
- import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.SleuthkitCase;
 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode;
 import org.sleuthkit.datamodel.AnalysisResult;
+ import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 import org.sleuthkit.datamodel.Score;
 /**
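Review bot: The new `import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;` is wedged between two ordinary imports (`AnalysisResult` and `Score`), whereas Artifacts.java in this same patch keeps its `import static …BlackboardArtifact.Type.*` lines together as a group. Move the static import next to the other static imports, or to the end of the import block if this file has none, so the two files read the same way. Dropping the plain `import org.sleuthkit.datamodel.BlackboardArtifact;` is fine only if no reference to that class remains elsewhere in the file, which I cannot see from here.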
@@ -57,9 +57,6 @@
 */
 public class MalwareHits implements AutopsyVisitableItem {
- private static final String MALWARE_HITS = "TSK_MALWARE"; // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
- private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
- private static String DISPLAY_NAME;
 private static final Logger logger = Logger.getLogger(MalwareHits.class.getName());
 private static final Set INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
 private static final Set INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestModuleEvent.DATA_ADDED);
@@ -126,20 +123,9 @@ final void update() {
 return;
 }
- // Get the custom TSK_MALWARE artifact type from case database
- if (MALWARE_ARTIFACT_TYPE == null) {
- try {
- MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
- DISPLAY_NAME = MALWARE_ARTIFACT_TYPE.getDisplayName();
- } catch (TskCoreException ex) {
- logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
- return;
- }
- }
-
 String query = "SELECT blackboard_artifacts.artifact_obj_id " //NON-NLS
 + "FROM blackboard_artifacts,tsk_analysis_results WHERE " //NON-NLS
- + "blackboard_artifacts.artifact_type_id=" + MALWARE_ARTIFACT_TYPE.getTypeID() //NON-NLS
+ + "blackboard_artifacts.artifact_type_id=" + TSK_MALWARE.getTypeID() //NON-NLS
 + " AND tsk_analysis_results.artifact_obj_id=blackboard_artifacts.artifact_obj_id" //NON-NLS
 + " AND (tsk_analysis_results.significance=" + Score.Significance.NOTABLE.getId() //NON-NLS
 + " OR tsk_analysis_results.significance=" + Score.Significance.LIKELY_NOTABLE.getId() + " )"; //NON-NLS
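Review bot: The SQL in `update()` is still assembled by string concatenation, which is acceptable here only because every interpolated value is an integer from a fixed enum (`TSK_MALWARE.getTypeID()`, `Score.Significance.NOTABLE.getId()`, `Score.Significance.LIKELY_NOTABLE.getId()`) and none comes from a user or from case data; that invariant is what keeps this out of injection territory and it deserves to be written down so a later edit does not add a string-valued filter the same way. Suggest a comment above the `String query = …` line: `// Safe to build by concatenation: every interpolated value is an integer ID from a fixed enum, never user- or case-supplied text. Use a bound parameter before adding any other kind of value.` The removed early `return` also means `update()` now always runs the query, which is the right outcome for a standard type. The method's body, including where the query is executed, continues outside the hunk.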
@@ -182,7 +168,7 @@ public void propertyChange(PropertyChangeEvent evt) {
 * oldValue if the event is a remote event.
 */
 ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();
- if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == MALWARE_ARTIFACT_TYPE.getTypeID()) {
+ if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == TSK_MALWARE.getTypeID()) {
 malwareResults.update();
 }
 } catch (NoCurrentCaseException notUsed) {
@@ -248,13 +234,13 @@ public void update(Observable o, Object arg) {
 public class RootNode extends UpdatableCountTypeNode {
 public RootNode() {
- super(Children.create(new HitFactory(DISPLAY_NAME), true),
- Lookups.singleton(DISPLAY_NAME),
- DISPLAY_NAME,
+ super(Children.create(new HitFactory(TSK_MALWARE.getDisplayName()), true),
+ Lookups.singleton(TSK_MALWARE.getDisplayName()),
+ TSK_MALWARE.getDisplayName(),
 filteringDSObjId,
- MALWARE_ARTIFACT_TYPE);
+ TSK_MALWARE);
- super.setName(MALWARE_HITS);
+ super.setName(TSK_MALWARE.getTypeName()); // TODO make an icon
 this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/artifact-icon.png");
 }
@@ -297,7 +283,7 @@ public String getItemType() {
 */
 @Override
 void updateDisplayName() {
- super.setDisplayName(DISPLAY_NAME + " (" + malwareResults.getArtifactIds().size() + ")");
+ super.setDisplayName(TSK_MALWARE.getDisplayName() + " (" + malwareResults.getArtifactIds().size() + ")");
 }
 }
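Review bot: `TSK_MALWARE.getDisplayName()` is now evaluated three times inside the `RootNode` constructor's `super(...)` call and once more in `updateDisplayName()` below, where the commit replaced a single cached `DISPLAY_NAME`. Because Java does not allow a local to be declared before `super(...)`, the clean fix is a class-level constant, `private static final String DISPLAY_NAME = TSK_MALWARE.getDisplayName();`, which restores the old name as a proper `final` field and lets all four call sites read `DISPLAY_NAME` again. The `// TODO make an icon` comment appears to sit on the `setName` line rather than above the `setIconBaseWithExtension` call it describes, though the collapsed layout makes that hard to be certain of. RootNode continues past the hunk.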