Autopsy  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
InterCaseSearchResultsProcessor.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.commonfilesearch;
20 
21 import java.sql.ResultSet;
22 import java.sql.SQLException;
23 import java.util.Collections;
24 import java.util.HashMap;
25 import java.util.Map;
26 import java.util.logging.Level;
27 import org.sleuthkit.autopsy.casemodule.Case;
28 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
29 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance.Type;
30 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
31 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;
32 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource;
33 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb;
34 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException;
35 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbUtil;
36 import org.sleuthkit.autopsy.centralrepository.datamodel.InstanceTableCallback;
37 import org.sleuthkit.autopsy.commonfilesearch.AbstractCommonAttributeInstance.NODE_TYPE;
38 import org.sleuthkit.autopsy.coreutils.Logger;
39 import org.sleuthkit.datamodel.TskData;
40 import org.sleuthkit.datamodel.HashUtility;
41 
46 final class InterCaseSearchResultsProcessor {
47 
51  private final Type correlationType;
52 
53  private static final Logger LOGGER = Logger.getLogger(CommonAttributePanel.class.getName());
54 
58  private final String interCaseWhereClause;
59 
63  private final String singleInterCaseWhereClause;
64 
72  InterCaseSearchResultsProcessor(CorrelationAttributeInstance.Type theType) {
73  this.correlationType = theType;
74  interCaseWhereClause = getInterCaseWhereClause();
75  singleInterCaseWhereClause = getSingleInterCaseWhereClause();
76  }
77 
78  private String getInterCaseWhereClause() {
79  String tableName = EamDbUtil.correlationTypeToInstanceTableName(correlationType);
80  StringBuilder sqlString = new StringBuilder(250);
81  sqlString.append("value IN (SELECT value FROM ")
82  .append(tableName)
83  .append(" WHERE value IN (SELECT value FROM ")
84  .append(tableName)
85  .append(" WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value)")
86  .append(" GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value");
87  return sqlString.toString();
88  }
89 
90  private String getSingleInterCaseWhereClause() {
91  String tableName = EamDbUtil.correlationTypeToInstanceTableName(correlationType);
92  StringBuilder sqlString = new StringBuilder(250);
93  sqlString.append("value IN (SELECT value FROM ")
94  .append(tableName)
95  .append(" WHERE value IN (SELECT value FROM ")
96  .append(tableName)
97  .append(" WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value)")
98  .append(" AND (case_id=%s OR case_id=%s) GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value");
99  return sqlString.toString();
100  }
101 
109  CorrelationAttributeInstance findSingleCorrelationAttribute(int attrbuteId) {
110  try {
111 
112  InterCaseCommonAttributeRowCallback instancetableCallback = new InterCaseCommonAttributeRowCallback();
113  EamDb dbManager = EamDb.getInstance();
114  dbManager.processInstanceTableWhere(correlationType, String.format("id = %s", attrbuteId), instancetableCallback);
115 
116  return instancetableCallback.getCorrelationAttribute();
117 
118  } catch (EamDbException ex) {
119  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing InstanceTable row.", ex);
120  }
121 
122  return null;
123  }
124 
135  Map<String, Map<String, CommonAttributeValueList>> findInterCaseValuesByCase(Case currentCase) {
136  try {
137  InterCaseByCaseCallback instancetableCallback = new InterCaseByCaseCallback();
138  EamDb dbManager = EamDb.getInstance();
139 
140  int caseId = dbManager.getCase(currentCase).getID();
141 
142  dbManager.processInstanceTableWhere(correlationType, String.format(interCaseWhereClause, caseId,
143  TskData.FileKnown.KNOWN.getFileKnownValue()),
144  instancetableCallback);
145 
146  return instancetableCallback.getInstanceCollatedCommonFiles();
147 
148  } catch (EamDbException ex) {
149  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex);
150  }
151  return new HashMap<>();
152  }
153 
160  Map<Integer, CommonAttributeValueList> findInterCaseValuesByCount(Case currentCase) {
161  try {
162  InterCaseByCountCallback instancetableCallback = new InterCaseByCountCallback();
163  EamDb dbManager = EamDb.getInstance();
164 
165  int caseId = dbManager.getCase(currentCase).getID();
166 
167  dbManager.processInstanceTableWhere(correlationType, String.format(interCaseWhereClause, caseId,
168  TskData.FileKnown.KNOWN.getFileKnownValue()),
169  instancetableCallback);
170 
171  return instancetableCallback.getInstanceCollatedCommonFiles();
172 
173  } catch (EamDbException ex) {
174  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex);
175  }
176  return new HashMap<>();
177  }
178 
187  Map<Integer, CommonAttributeValueList> findSingleInterCaseValuesByCount(Case currentCase, CorrelationCase singleCase) {
188  try {
189  InterCaseByCountCallback instancetableCallback = new InterCaseByCountCallback();
190  EamDb dbManager = EamDb.getInstance();
191  int caseId = dbManager.getCase(currentCase).getID();
192  int targetCaseId = singleCase.getID();
193  dbManager.processInstanceTableWhere(correlationType, String.format(singleInterCaseWhereClause, caseId,
194  TskData.FileKnown.KNOWN.getFileKnownValue(), caseId, targetCaseId), instancetableCallback);
195  return instancetableCallback.getInstanceCollatedCommonFiles();
196  } catch (EamDbException ex) {
197  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex);
198  }
199  return new HashMap<>();
200  }
201 
215  Map<String, Map<String, CommonAttributeValueList>> findSingleInterCaseValuesByCase(Case currentCase, CorrelationCase singleCase) {
216  try {
217  InterCaseByCaseCallback instancetableCallback = new InterCaseByCaseCallback();
218  EamDb dbManager = EamDb.getInstance();
219  int caseId = dbManager.getCase(currentCase).getID();
220  int targetCaseId = singleCase.getID();
221  dbManager.processInstanceTableWhere(correlationType, String.format(singleInterCaseWhereClause, caseId,
222  TskData.FileKnown.KNOWN.getFileKnownValue(), caseId, targetCaseId), instancetableCallback);
223  return instancetableCallback.getInstanceCollatedCommonFiles();
224  } catch (EamDbException ex) {
225  LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex);
226  }
227  return new HashMap<>();
228  }
229 
234  private class InterCaseByCountCallback implements InstanceTableCallback {
235 
236  final Map<Integer, CommonAttributeValueList> instanceCollatedCommonFiles = new HashMap<>();
237 
238  private CommonAttributeValue commonAttributeValue = null;
239  private String previousRowMd5 = "";
240 
241  @Override
242  public void process(ResultSet resultSet) {
243  try {
244  while (resultSet.next()) {
245 
246  int resultId = InstanceTableCallback.getId(resultSet);
247  String corValue = InstanceTableCallback.getValue(resultSet);
248  if (previousRowMd5.isEmpty()) {
249  previousRowMd5 = corValue;
250  }
251  if (corValue == null || HashUtility.isNoDataMd5(corValue)) {
252  continue;
253  }
254 
255  countAndAddCommonAttributes(corValue, resultId);
256 
257  }
258  //Add the final instance(s)
259  if (commonAttributeValue != null) {
260  int size = commonAttributeValue.getInstanceCount();
261  if (instanceCollatedCommonFiles.containsKey(size)) {
262  instanceCollatedCommonFiles.get(size).addMetadataToList(commonAttributeValue);
263  } else {
264  CommonAttributeValueList value = new CommonAttributeValueList();
265  value.addMetadataToList(commonAttributeValue);
266  instanceCollatedCommonFiles.put(size, value);
267  }
268  }
269  } catch (SQLException ex) {
270  LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS
271  }
272  }
273 
283  private void countAndAddCommonAttributes(String corValue, int resultId) {
284  if (commonAttributeValue == null) {
285  commonAttributeValue = new CommonAttributeValue(corValue);
286  }
287  if (!corValue.equals(previousRowMd5)) {
288  int size = commonAttributeValue.getInstanceCount();
289  if (instanceCollatedCommonFiles.containsKey(size)) {
290  instanceCollatedCommonFiles.get(size).addMetadataToList(commonAttributeValue);
291  } else {
292  CommonAttributeValueList value = new CommonAttributeValueList();
293  value.addMetadataToList(commonAttributeValue);
294  instanceCollatedCommonFiles.put(size, value);
295  }
296 
297  commonAttributeValue = new CommonAttributeValue(corValue);
298  previousRowMd5 = corValue;
299  }
300  // we don't *have* all the information for the rows in the CR,
301  // so we need to consult the present case via the SleuthkitCase object
302  // Later, when the FileInstanceNode is built. Therefore, build node generators for now.
303  CentralRepoCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(resultId, correlationType, NODE_TYPE.COUNT_NODE);
304  CorrelationAttributeInstance corrAttr = findSingleCorrelationAttribute(resultId);
305  searchResult.setCurrentAttributeInst(corrAttr);
306  commonAttributeValue.addInstance(searchResult);
307  }
308 
309  Map<Integer, CommonAttributeValueList> getInstanceCollatedCommonFiles() {
310  return Collections.unmodifiableMap(instanceCollatedCommonFiles);
311  }
312  }
313 
318  private class InterCaseByCaseCallback implements InstanceTableCallback {
319 
320  final Map<String, Map<String, CommonAttributeValueList>> caseCollatedDataSourceCollections = new HashMap<>();
321 
322  @Override
323  public void process(ResultSet resultSet) {
324  try {
325  while (resultSet.next()) {
326  int resultId = InstanceTableCallback.getId(resultSet);
327  String corValue = InstanceTableCallback.getValue(resultSet);
328  if (corValue == null || HashUtility.isNoDataMd5(corValue)) {
329  continue;
330  }
331  CorrelationCase correlationCase = EamDb.getInstance().getCaseById(InstanceTableCallback.getCaseId(resultSet));
332  String caseName = correlationCase.getDisplayName();
333  CorrelationDataSource correlationDatasource = EamDb.getInstance().getDataSourceById(correlationCase, InstanceTableCallback.getDataSourceId(resultSet));
334  //label datasource with it's id for uniqueness done in same manner as ImageGallery does in the DataSourceCell class
335  String dataSourceNameKey = correlationDatasource.getName() + " (Id: " + correlationDatasource.getDataSourceObjectID() + ")";
336  if (!caseCollatedDataSourceCollections.containsKey(caseName)) {
337  caseCollatedDataSourceCollections.put(caseName, new HashMap<String, CommonAttributeValueList>());
338  }
339  Map<String, CommonAttributeValueList> dataSourceToFile = caseCollatedDataSourceCollections.get(caseName);
340  if (!dataSourceToFile.containsKey(dataSourceNameKey)) {
341  dataSourceToFile.put(dataSourceNameKey, new CommonAttributeValueList());
342  }
343  CommonAttributeValueList valueList = dataSourceToFile.get(dataSourceNameKey);
344  CentralRepoCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(resultId, correlationType, NODE_TYPE.CASE_NODE);
345  CorrelationAttributeInstance corrAttr = findSingleCorrelationAttribute(resultId);
346  searchResult.setCurrentAttributeInst(corrAttr);
347  CommonAttributeValue commonAttributeValue = new CommonAttributeValue(corValue);
348  commonAttributeValue.addInstance(searchResult);
349  valueList.addMetadataToList(commonAttributeValue);
350  dataSourceToFile.put(dataSourceNameKey, valueList);
351  caseCollatedDataSourceCollections.put(caseName, dataSourceToFile);
352  }
353  } catch (EamDbException | SQLException ex) {
354  LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS
355  }
356  }
357 
358  Map<String, Map<String, CommonAttributeValueList>> getInstanceCollatedCommonFiles() {
359  return Collections.unmodifiableMap(caseCollatedDataSourceCollections);
360  }
361  }
362 
367  private class InterCaseCommonAttributeRowCallback implements InstanceTableCallback {
368 
369  CorrelationAttributeInstance correlationAttributeInstance = null;
370 
371  @Override
372  public void process(ResultSet resultSet) {
373  try {
374  EamDb dbManager = EamDb.getInstance();
375 
376  while (resultSet.next()) {
377  CorrelationCase correlationCase = dbManager.getCaseById(InstanceTableCallback.getCaseId(resultSet));
378  CorrelationDataSource dataSource = dbManager.getDataSourceById(correlationCase, InstanceTableCallback.getDataSourceId(resultSet));
379  try {
380  correlationAttributeInstance = dbManager.getCorrelationAttributeInstance(correlationType,
381  correlationCase,
382  dataSource,
383  InstanceTableCallback.getValue(resultSet),
384  InstanceTableCallback.getFilePath(resultSet));
385  } catch (CorrelationAttributeNormalizationException ex) {
386  LOGGER.log(Level.INFO, "Unable to get CorrelationAttributeInstance.", ex); // NON-NLS
387  }
388 
389  }
390  } catch (SQLException | EamDbException ex) {
391  LOGGER.log(Level.WARNING, "Error getting single correlation artifact instance from database.", ex); // NON-NLS
392  }
393  }
394 
395  CorrelationAttributeInstance getCorrelationAttribute() {
396  return correlationAttributeInstance;
397  }
398  }
399 }
org.sleuthkit.autopsy.commonfilesearch.AbstractCommonAttributeInstance.NODE_TYPE.CASE_NODE
CASE_NODE
Definition: AbstractCommonAttributeInstance.java:180
org.sleuthkit.autopsy.commonfilesearch.AbstractCommonAttributeInstance.NODE_TYPE.COUNT_NODE
Definition: AbstractCommonAttributeInstance.java:181
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getDataSourceById
CorrelationDataSource getDataSourceById(CorrelationCase correlationCase, int dataSourceId)
org.sleuthkit.autopsy.centralrepository.datamodel.EamDb.getCorrelationAttributeInstance
CorrelationAttributeInstance getCorrelationAttributeInstance(CorrelationAttributeInstance.Type type, CorrelationCase correlationCase, CorrelationDataSource correlationDataSource, String value, String filePath)
org.sleuthkit.autopsy.commonfilesearch.AbstractCommonAttributeInstance.NODE_TYPE
Definition: AbstractCommonAttributeInstance.java:178

Copyright © 2012-2018 Basis Technology. Generated on: Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.