Merge pull request #7849 from eugene7646/release-4.21.0

Using TSK_MALWARE standard Autopsy artifact (AUT-2471)
sleuthkit · Aug 29, 2023 · c23b4fd · c23b4fd
2 parents c1c19db + db2a497
commit c23b4fd
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 46 deletions.
diff --git a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
@@ -134,8 +134,7 @@ private static class SharedProcessing {
                 "application/x-msdos-program"//NON-NLS
         ).collect(Collectors.toSet());
 
-        private static final String MALWARE_TYPE_NAME = "TSK_MALWARE";
-        private static final String MALWARE_CONFIG = "Cyber Triage Cloud";
+        private static final String MALWARE_CONFIG = ""; // NOTE: Adding a configuration complicates NTL branch UI
 
         private static final Logger logger = Logger.getLogger(MalwareScanIngestModule.class.getName());
 
@@ -235,18 +234,13 @@ private IngestJobState getNewJobState(IngestJobContext context, boolean uploadFi
 
             // setup necessary variables for processing
             SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
-            BlackboardArtifact.Type malwareType = tskCase.getBlackboard().getOrAddArtifactType(
-                    MALWARE_TYPE_NAME,
-                    Bundle.MalwareScanIngestModule_malwareTypeDisplayName(),
-                    BlackboardArtifact.Category.ANALYSIS_RESULT);
-
             return new IngestJobState(
                     context,
                     tskCase,
                     new PathNormalizer(tskCase),
                     new FileTypeDetector(),
                     licenseInfoOpt.get(),
-                    malwareType,
+                    BlackboardArtifact.Type.TSK_MALWARE,
                     uploadFiles,
                     true
             );

diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java
@@ -64,6 +64,7 @@
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_TL_EVENT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_ASSOCIATED_OBJECT;
 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_KEYWORD_HIT;
+import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 
 /**
  * Classes for creating nodes for BlackboardArtifacts.
@@ -73,10 +74,6 @@ public class Artifacts {
     private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST
             = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
 
-    // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
-    private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
-    private static final String MALWARE_HITS = "TSK_MALWARE";
-
     /**
      * Base class for a parent node of artifacts.
      */
@@ -247,15 +244,6 @@ static class TypeFactory extends ChildFactory.Detachable<TypeNodeKey> implements
         @SuppressWarnings("deprecation")
         private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCase skCase, long dsObjId) {
 
-            // Get the custom TSK_MALWARE artifact type from case database
-            if (MALWARE_ARTIFACT_TYPE == null) {
-                try {
-                    MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
-                } catch (TskCoreException ex) {
-                    logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
-                }
-            }
-
             int typeId = type.getTypeID();
             if (TSK_EMAIL_MSG.getTypeID() == typeId) {
                 EmailExtracted.RootNode emailNode = new EmailExtracted(skCase, dsObjId).new RootNode();
@@ -281,9 +269,9 @@ private static TypeNodeKey getTypeKey(BlackboardArtifact.Type type, SleuthkitCas
             } else if (TSK_HASHSET_HIT.getTypeID() == typeId) {
                 HashsetHits.RootNode hashsetHits = new HashsetHits(skCase, dsObjId).new RootNode();
                 return new TypeNodeKey(hashsetHits, TSK_HASHSET_HIT);
-            } else if (MALWARE_ARTIFACT_TYPE != null && MALWARE_ARTIFACT_TYPE.getTypeID() == typeId) {
+            } else if (TSK_MALWARE.getTypeID() == typeId) {
                 MalwareHits.RootNode malwareHits = new MalwareHits(skCase, dsObjId).new RootNode();
-                return new TypeNodeKey(malwareHits, MALWARE_ARTIFACT_TYPE);
+                return new TypeNodeKey(malwareHits, TSK_MALWARE);
             } else {
                 return new TypeNodeKey(type, dsObjId);
             }

diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java b/Core/src/org/sleuthkit/autopsy/datamodel/MalwareHits.java
@@ -44,22 +44,19 @@
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.ingest.IngestManager;
 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
-import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.SleuthkitCase;
 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode;
 import org.sleuthkit.datamodel.AnalysisResult;
+import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_MALWARE;
 import org.sleuthkit.datamodel.Score;
 
 /**
  * Malware hits node support. Inner classes have all of the nodes in the tree.
  */
 public class MalwareHits implements AutopsyVisitableItem {
 
-    private static final String MALWARE_HITS = "TSK_MALWARE"; // this is currently a custom TSK artifact type, created in MalwareScanIngestModule
-    private static BlackboardArtifact.Type MALWARE_ARTIFACT_TYPE = null;
-    private static String DISPLAY_NAME;
     private static final Logger logger = Logger.getLogger(MalwareHits.class.getName());
     private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
     private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestModuleEvent.DATA_ADDED);
@@ -126,20 +123,9 @@ final void update() {
                 return;
             }
 
-            // Get the custom TSK_MALWARE artifact type from case database
-            if (MALWARE_ARTIFACT_TYPE == null) {
-                try {
-                    MALWARE_ARTIFACT_TYPE = skCase.getArtifactType(MALWARE_HITS);
-                    DISPLAY_NAME = MALWARE_ARTIFACT_TYPE.getDisplayName();
-                } catch (TskCoreException ex) {
-                    logger.log(Level.WARNING, "Unable to get TSK_MALWARE artifact type from database : ", ex); //NON-NLS
-                    return;
-                }
-            }
-
             String query = "SELECT blackboard_artifacts.artifact_obj_id " //NON-NLS
                     + "FROM blackboard_artifacts,tsk_analysis_results WHERE " //NON-NLS
-                    + "blackboard_artifacts.artifact_type_id=" + MALWARE_ARTIFACT_TYPE.getTypeID() //NON-NLS
+                    + "blackboard_artifacts.artifact_type_id=" + TSK_MALWARE.getTypeID() //NON-NLS
                     + " AND tsk_analysis_results.artifact_obj_id=blackboard_artifacts.artifact_obj_id" //NON-NLS
                     + " AND (tsk_analysis_results.significance=" + Score.Significance.NOTABLE.getId() //NON-NLS
                     + " OR tsk_analysis_results.significance=" + Score.Significance.LIKELY_NOTABLE.getId() + " )"; //NON-NLS
@@ -182,7 +168,7 @@ public void propertyChange(PropertyChangeEvent evt) {
                          * oldValue if the event is a remote event.
                          */
                         ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();
-                        if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == MALWARE_ARTIFACT_TYPE.getTypeID()) {
+                        if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == TSK_MALWARE.getTypeID()) {
                             malwareResults.update();
                         }
                     } catch (NoCurrentCaseException notUsed) {
@@ -248,13 +234,13 @@ public void update(Observable o, Object arg) {
     public class RootNode extends UpdatableCountTypeNode {
 
         public RootNode() {
-            super(Children.create(new HitFactory(DISPLAY_NAME), true),
-                    Lookups.singleton(DISPLAY_NAME),
-                    DISPLAY_NAME,
+            super(Children.create(new HitFactory(TSK_MALWARE.getDisplayName()), true),
+                    Lookups.singleton(TSK_MALWARE.getDisplayName()),
+                    TSK_MALWARE.getDisplayName(),
                     filteringDSObjId,
-                    MALWARE_ARTIFACT_TYPE);
+                    TSK_MALWARE);
 
-            super.setName(MALWARE_HITS);
+            super.setName(TSK_MALWARE.getTypeName());
             // TODO make an icon
             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/artifact-icon.png");
         }
@@ -297,7 +283,7 @@ public String getItemType() {
          */
         @Override
         void updateDisplayName() {
-            super.setDisplayName(DISPLAY_NAME + " (" + malwareResults.getArtifactIds().size() + ")");
+            super.setDisplayName(TSK_MALWARE.getDisplayName() + " (" + malwareResults.getArtifactIds().size() + ")");
         }
     }