Autopsy  4.8.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
InterCaseSearchResultsProcessor.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.commonfilesearch;
20 
21 import java.sql.ResultSet;
22 import java.sql.SQLException;
23 import java.util.Collections;
24 import java.util.HashMap;
25 import java.util.Map;
26 import java.util.logging.Level;
27 import org.sleuthkit.autopsy.casemodule.Case;
28 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
29 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.Type;
30 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
31 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;
32 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource;
33 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb;
34 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException;
35 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbUtil;
36 import org.sleuthkit.autopsy.centralrepository.datamodel.InstanceTableCallback;
37 import org.sleuthkit.autopsy.coreutils.Logger;
38 import org.sleuthkit.datamodel.TskData;
39 import org.sleuthkit.datamodel.HashUtility;
40 
45 final class InterCaseSearchResultsProcessor {
46 
50  private final Type correlationType;
51 
52  private static final Logger LOGGER = Logger.getLogger(CommonAttributePanel.class.getName());
53 
57  private final String interCaseWhereClause;
58 
62  private final String singleInterCaseWhereClause;
63 
71  InterCaseSearchResultsProcessor(CorrelationAttributeInstance.Type theType) {
72  this.correlationType = theType;
73  interCaseWhereClause = getInterCaseWhereClause();
74  singleInterCaseWhereClause = getSingleInterCaseWhereClause();
75  }
76 
77  private String getInterCaseWhereClause() {
78  String tableName = EamDbUtil.correlationTypeToInstanceTableName(correlationType);
79  StringBuilder sqlString = new StringBuilder(250);
80  sqlString.append("value IN (SELECT value FROM ")
81  .append(tableName)
82  .append(" WHERE value IN (SELECT value FROM ")
83  .append(tableName)
84  .append(" WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value)")
85  .append(" GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value");
86  return sqlString.toString();
87  }
88 
89  private String getSingleInterCaseWhereClause() {
90  String tableName = EamDbUtil.correlationTypeToInstanceTableName(correlationType);
91  StringBuilder sqlString = new StringBuilder(250);
92  sqlString.append("value IN (SELECT value FROM ")
93  .append(tableName)
94  .append(" WHERE value IN (SELECT value FROM ")
95  .append(tableName)
96  .append(" WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value)")
97  .append(" AND (case_id=%s OR case_id=%s) GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value");
98  return sqlString.toString();
99  }
100 
108  CorrelationAttributeInstance findSingleCorrelationAttribute(int attrbuteId) {
109  try {
110 
111  InterCaseCommonAttributeRowCallback instancetableCallback = new InterCaseCommonAttributeRowCallback();
112  EamDb DbManager = EamDb.getInstance();
113  DbManager.processInstanceTableWhere(correlationType, String.format("id = %s", attrbuteId), instancetableCallback);
114 
115  return instancetableCallback.getCorrelationAttribute();
116 
117  } catch (EamDbException ex) {
118  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing InstanceTable row.", ex);
119  }
120 
121  return null;
122  }
123 
130  Map<Integer, CommonAttributeValueList> findInterCaseCommonAttributeValues(Case currentCase) {
131  try {
132  InterCaseCommonAttributesCallback instancetableCallback = new InterCaseCommonAttributesCallback();
133  EamDb DbManager = EamDb.getInstance();
134 
135  int caseId = DbManager.getCase(currentCase).getID();
136 
137  DbManager.processInstanceTableWhere(correlationType, String.format(interCaseWhereClause, caseId,
138  TskData.FileKnown.KNOWN.getFileKnownValue()),
139  instancetableCallback);
140 
141  return instancetableCallback.getInstanceCollatedCommonFiles();
142 
143  } catch (EamDbException ex) {
144  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex);
145  }
146  return new HashMap<>();
147  }
148 
157  Map<Integer, CommonAttributeValueList> findSingleInterCaseCommonAttributeValues(Case currentCase, CorrelationCase singleCase) {
158  try {
159  InterCaseCommonAttributesCallback instancetableCallback = new InterCaseCommonAttributesCallback();
160  EamDb DbManager = EamDb.getInstance();
161  int caseId = DbManager.getCase(currentCase).getID();
162  int targetCaseId = singleCase.getID();
163  DbManager.processInstanceTableWhere(correlationType, String.format(singleInterCaseWhereClause, caseId,
164  TskData.FileKnown.KNOWN.getFileKnownValue(), caseId, targetCaseId), instancetableCallback);
165  return instancetableCallback.getInstanceCollatedCommonFiles();
166  } catch (EamDbException ex) {
167  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex);
168  }
169  return new HashMap<>();
170  }
171 
176  private class InterCaseCommonAttributesCallback implements InstanceTableCallback {
177 
178  final Map<Integer, CommonAttributeValueList> instanceCollatedCommonFiles = new HashMap<>();
179 
180  private CommonAttributeValue commonAttributeValue = null;
181  private String previousRowMd5 = "";
182 
183  @Override
184  public void process(ResultSet resultSet) {
185  try {
186  while (resultSet.next()) {
187 
188  int resultId = InstanceTableCallback.getId(resultSet);
189  String corValue = InstanceTableCallback.getValue(resultSet);
190  if (previousRowMd5.isEmpty()) {
191  previousRowMd5 = corValue;
192  }
193  if (corValue == null || HashUtility.isNoDataMd5(corValue)) {
194  continue;
195  }
196 
197  countAndAddCommonAttributes(corValue, resultId);
198 
199  }
200  //Add the final instance(s)
201  if (commonAttributeValue != null) {
202  int size = commonAttributeValue.getInstanceCount();
203  if (instanceCollatedCommonFiles.containsKey(size)) {
204  instanceCollatedCommonFiles.get(size).addMetadataToList(commonAttributeValue);
205  } else {
206  CommonAttributeValueList value = new CommonAttributeValueList();
207  value.addMetadataToList(commonAttributeValue);
208  instanceCollatedCommonFiles.put(size, value);
209  }
210  }
211  } catch (SQLException ex) {
212  LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS
213  }
214  }
215 
225  private void countAndAddCommonAttributes(String corValue, int resultId) {
226  if (commonAttributeValue == null) {
227  commonAttributeValue = new CommonAttributeValue(corValue);
228  }
229  if (!corValue.equals(previousRowMd5)) {
230  int size = commonAttributeValue.getInstanceCount();
231  if (instanceCollatedCommonFiles.containsKey(size)) {
232  instanceCollatedCommonFiles.get(size).addMetadataToList(commonAttributeValue);
233  } else {
234  CommonAttributeValueList value = new CommonAttributeValueList();
235  value.addMetadataToList(commonAttributeValue);
236  instanceCollatedCommonFiles.put(size, value);
237  }
238 
239  commonAttributeValue = new CommonAttributeValue(corValue);
240  previousRowMd5 = corValue;
241  }
242  // we don't *have* all the information for the rows in the CR,
243  // so we need to consult the present case via the SleuthkitCase object
244  // Later, when the FileInstanceNode is built. Therefore, build node generators for now.
245  AbstractCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(resultId, correlationType);
246  commonAttributeValue.addInstance(searchResult);
247  }
248 
249  Map<Integer, CommonAttributeValueList> getInstanceCollatedCommonFiles() {
250  return Collections.unmodifiableMap(instanceCollatedCommonFiles);
251  }
252  }
253 
258  private class InterCaseCommonAttributeRowCallback implements InstanceTableCallback {
259 
260  CorrelationAttributeInstance correlationAttributeInstance = null;
261 
262  @Override
263  public void process(ResultSet resultSet) {
264  try {
265  EamDb DbManager = EamDb.getInstance();
266 
267  while (resultSet.next()) {
268  CorrelationCase correlationCase = DbManager.getCaseById(InstanceTableCallback.getCaseId(resultSet));
269  CorrelationDataSource dataSource = DbManager.getDataSourceById(correlationCase, InstanceTableCallback.getDataSourceId(resultSet));
270  try {
271  correlationAttributeInstance = DbManager.getCorrelationAttributeInstance(correlationType,
272  correlationCase,
273  dataSource,
274  InstanceTableCallback.getValue(resultSet),
275  InstanceTableCallback.getFilePath(resultSet));
276  } catch (CorrelationAttributeNormalizationException ex) {
277  LOGGER.log(Level.INFO, "Unable to get CorrelationAttributeInstance.", ex); // NON-NLS
278  }
279 
280  }
281  } catch (SQLException | EamDbException ex) {
282  LOGGER.log(Level.WARNING, "Error getting single correlation artifact instance from database.", ex); // NON-NLS
283  }
284  }
285 
286  CorrelationAttributeInstance getCorrelationAttribute() {
287  return correlationAttributeInstance;
288  }
289  }
290 }
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getDataSourceById
CorrelationDataSource getDataSourceById(CorrelationCase correlationCase, int dataSourceId)
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getCorrelationAttributeInstance
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)

Copyright © 2012-2018 Basis Technology. Generated on: Thu Oct 4 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.