Autopsy  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CommonAttributeCaseSearchResults.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2018-2019 Basis Technology Corp.
6  * Contact: carrier <at> sleuthkit <dot> org
7  *
8  * Licensed under the Apache License, Version 2.0 (the "License");
9  * you may not use this file except in compliance with the License.
10  * You may obtain a copy of the License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing, software
15  * distributed under the License is distributed on an "AS IS" BASIS,
16  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  * See the License for the specific language governing permissions and
18  * limitations under the License.
19  */
20 package org.sleuthkit.autopsy.commonpropertiessearch;
21 
22 import java.util.Collections;
23 import java.util.HashMap;
24 import java.util.HashSet;
25 import java.util.Map;
26 import java.util.Map.Entry;
27 import java.util.Set;
28 import java.util.logging.Level;
29 import org.sleuthkit.autopsy.casemodule.Case;
30 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
31 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
32 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
33 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb;
34 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException;
35 import org.sleuthkit.autopsy.coreutils.Logger;
36 
41 final public class CommonAttributeCaseSearchResults {
42 
43  private static final Logger LOGGER = Logger.getLogger(CommonAttributeCaseSearchResults.class.getName());
44 
45  // maps instance count to list of attribute values.
46  private final Map<String, Map<String, CommonAttributeValueList>> caseNameToDataSources;
47 
58  CommonAttributeCaseSearchResults(Map<String, Map<String, CommonAttributeValueList>> metadata, int percentageThreshold, CorrelationAttributeInstance.Type resultType) {
59  this.caseNameToDataSources = filterMetadata(metadata, percentageThreshold, resultType.getId());
60  }
61 
70  CommonAttributeCaseSearchResults(Map<String, Map<String, CommonAttributeValueList>> metadata, int percentageThreshold) {
71  this.caseNameToDataSources = filterMetadata(metadata, percentageThreshold, CorrelationAttributeInstance.FILES_TYPE_ID);
72  }
73 
84  Map<String, CommonAttributeValueList> getAttributeValuesForCaseName(String caseName) {
85  return this.caseNameToDataSources.get(caseName);
86  }
87 
94  public Map<String, Map<String, CommonAttributeValueList>> getMetadata() {
95  return Collections.unmodifiableMap(this.caseNameToDataSources);
96  }
97 
113  private Map<String, Map<String, CommonAttributeValueList>> filterMetadata(Map<String, Map<String, CommonAttributeValueList>> metadata, int percentageThreshold, int resultTypeId) {
114  try {
115  final String currentCaseName;
116  try {
117  currentCaseName = Case.getCurrentCaseThrows().getDisplayName();
118  } catch (NoCurrentCaseException ex) {
119  throw new EamDbException("Unable to get current case while performing filtering", ex);
120  }
121  Map<String, CommonAttributeValueList> currentCaseDataSourceMap = metadata.get(currentCaseName);
122  Map<String, Map<String, CommonAttributeValueList>> filteredCaseNameToDataSourcesTree = new HashMap<>();
123  if (currentCaseDataSourceMap == null) { //there are no results
124  return filteredCaseNameToDataSourcesTree;
125  }
126  CorrelationAttributeInstance.Type attributeType = CorrelationAttributeInstance
127  .getDefaultCorrelationTypes()
128  .stream()
129  .filter(filterType -> filterType.getId() == resultTypeId)
130  .findFirst().get();
131  //Call countUniqueDataSources once to reduce the number of DB queries needed to get the frequencyPercentage
132  Double uniqueCaseDataSourceTuples = EamDb.getInstance().getCountUniqueDataSources().doubleValue();
133  Map<String, CommonAttributeValue> valuesToKeepCurrentCase = getValuesToKeepFromCurrentCase(currentCaseDataSourceMap, attributeType, percentageThreshold, uniqueCaseDataSourceTuples);
134  for (Entry<String, Map<String, CommonAttributeValueList>> mapOfDataSources : Collections.unmodifiableMap(metadata).entrySet()) {
135  if (!mapOfDataSources.getKey().equals(currentCaseName)) {
136  //rebuild the metadata structure with items from the current case substituted for their matches in other cases results we want to filter out removed
137  Map<String, CommonAttributeValueList> newTreeForCase = createTreeForCase(valuesToKeepCurrentCase, mapOfDataSources.getValue());
138  if (!newTreeForCase.isEmpty()) {
139  filteredCaseNameToDataSourcesTree.put(mapOfDataSources.getKey(), newTreeForCase);
140  }
141  }
142  }
143  return filteredCaseNameToDataSourcesTree;
144  } catch (EamDbException ex) {
145  LOGGER.log(Level.INFO, "Unable to perform filtering returning unfiltered result set", ex);
146  return metadata;
147  }
148 
149  }
150 
169  private Map<String, CommonAttributeValue> getValuesToKeepFromCurrentCase(Map<String, CommonAttributeValueList> dataSourceToValueList, CorrelationAttributeInstance.Type attributeType, int maximumPercentageThreshold, Double uniqueCaseDataSourceTuples) throws EamDbException {
170  Map<String, CommonAttributeValue> valuesToKeep = new HashMap<>();
171  Set<String> valuesToRemove = new HashSet<>();
172  for (Entry<String, CommonAttributeValueList> mapOfValueLists : Collections.unmodifiableMap(dataSourceToValueList).entrySet()) {
173  for (CommonAttributeValue value : mapOfValueLists.getValue().getDelayedMetadataSet()) {
174  if (valuesToRemove.contains(value.getValue())) {
175  //do nothing this value will not be added
176  } else if (filterValue(attributeType, value, maximumPercentageThreshold, uniqueCaseDataSourceTuples)) {
177  valuesToRemove.add(value.getValue());
178  } else {
179  valuesToKeep.put(value.getValue(), value);
180  }
181  }
182  }
183  return valuesToKeep;
184  }
185 
199  private Map<String, CommonAttributeValueList> createTreeForCase(Map<String, CommonAttributeValue> valuesToKeepCurrentCase, Map<String, CommonAttributeValueList> dataSourceToValueList) throws EamDbException {
200  Map<String, CommonAttributeValueList> treeForCase = new HashMap<>();
201  for (Entry<String, CommonAttributeValueList> mapOfValueLists : Collections.unmodifiableMap(dataSourceToValueList).entrySet()) {
202  for (CommonAttributeValue value : mapOfValueLists.getValue().getDelayedMetadataSet()) {
203  if (valuesToKeepCurrentCase.containsKey(value.getValue())) {
204  if (!treeForCase.containsKey(mapOfValueLists.getKey())) {
205  treeForCase.put(mapOfValueLists.getKey(), new CommonAttributeValueList());
206  }
207  treeForCase.get(mapOfValueLists.getKey()).addMetadataToList(valuesToKeepCurrentCase.get(value.getValue()));
208  }
209  }
210  }
211  return treeForCase;
212  }
213 
233  private boolean filterValue(CorrelationAttributeInstance.Type attributeType, CommonAttributeValue value, int maximumPercentageThreshold, Double uniqueCaseDataSourceTuples) throws EamDbException {
234  if (maximumPercentageThreshold != 0) { //only do the frequency filtering when a max % was set
235  try {
236  Double uniqueTypeValueTuples = EamDb.getInstance().getCountUniqueCaseDataSourceTuplesHavingTypeValue(
237  attributeType, value.getValue()).doubleValue();
238  Double commonalityPercentage = uniqueTypeValueTuples / uniqueCaseDataSourceTuples * 100;
239  int frequencyPercentage = commonalityPercentage.intValue();
240  if (frequencyPercentage > maximumPercentageThreshold) {
241  return true;
242  }
243  } catch (CorrelationAttributeNormalizationException ex) {
244  LOGGER.log(Level.WARNING, "Unable to determine frequency percentage attribute - frequency filter may not be accurate for these results.", ex);
245  }
246  }
247  return false;
248  }
249 }
org.sleuthkit.autopsy.commonpropertiessearch.CommonAttributeCaseSearchResults.filterValue
boolean filterValue(CorrelationAttributeInstance.Type attributeType, CommonAttributeValue value, int maximumPercentageThreshold, Double uniqueCaseDataSourceTuples)
Definition: CommonAttributeCaseSearchResults.java:233
org.sleuthkit.autopsy.commonpropertiessearch.CommonAttributeCaseSearchResults.getValuesToKeepFromCurrentCase
Map< String, CommonAttributeValue > getValuesToKeepFromCurrentCase(Map< String, CommonAttributeValueList > dataSourceToValueList, CorrelationAttributeInstance.Type attributeType, int maximumPercentageThreshold, Double uniqueCaseDataSourceTuples)
Definition: CommonAttributeCaseSearchResults.java:169
org.sleuthkit.autopsy.commonpropertiessearch.CommonAttributeCaseSearchResults.caseNameToDataSources
final Map< String, Map< String, CommonAttributeValueList > > caseNameToDataSources
Definition: CommonAttributeCaseSearchResults.java:46
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getCountUniqueCaseDataSourceTuplesHavingTypeValue
Long getCountUniqueCaseDataSourceTuplesHavingTypeValue(CorrelationAttributeInstance.Type aType, String value)
org.sleuthkit.autopsy.commonpropertiessearch.CommonAttributeCaseSearchResults.filterMetadata
Map< String, Map< String, CommonAttributeValueList > > filterMetadata(Map< String, Map< String, CommonAttributeValueList >> metadata, int percentageThreshold, int resultTypeId)
Definition: CommonAttributeCaseSearchResults.java:113
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.commonpropertiessearch.CommonAttributeCaseSearchResults.createTreeForCase
Map< String, CommonAttributeValueList > createTreeForCase(Map< String, CommonAttributeValue > valuesToKeepCurrentCase, Map< String, CommonAttributeValueList > dataSourceToValueList)
Definition: CommonAttributeCaseSearchResults.java:199

Copyright © 2012-2019 Basis Technology. Generated on: Tue Jan 7 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.