From 3bde2744aa5f8fc9c1b46f5b079f79f66ff0d708 Mon Sep 17 00:00:00 2001 From: Andrew Ziehl Date: Tue, 28 Aug 2018 09:52:34 -0700 Subject: [PATCH] Fix for non-file correlation types. Also fies bug where last instance of CR search matches was not added to results. --- .../AllInterCaseCommonAttributeSearcher.java | 4 +- .../CentralRepoCommonAttributeInstance.java | 4 +- .../InterCaseSearchResultsProcessor.java | 83 ++++++++++++++----- ...ingleInterCaseCommonAttributeSearcher.java | 4 +- 4 files changed, 66 insertions(+), 29 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java index 284d25510e..3be6808d85 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java @@ -48,8 +48,8 @@ public class AllInterCaseCommonAttributeSearcher extends InterCaseCommonAttribut @Override public CommonAttributeSearchResults findFiles() throws TskCoreException, NoCurrentCaseException, SQLException, EamDbException { - InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(this.getDataSourceIdToNameMap()); - Map> interCaseCommonFiles = eamDbAttrInst.findInterCaseCommonAttributeValues(Case.getCurrentCase(), corAttrType); + InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(this.getDataSourceIdToNameMap(), corAttrType); + Map> interCaseCommonFiles = eamDbAttrInst.findInterCaseCommonAttributeValues(Case.getCurrentCase()); return new CommonAttributeSearchResults(interCaseCommonFiles, this.frequencyPercentageThreshold); } diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java index 9f50b6a868..64ff2a5377 100644 
--- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java @@ -108,8 +108,8 @@ final public class CentralRepoCommonAttributeInstance extends AbstractCommonAttr public DisplayableItemNode[] generateNodes() { // @@@ We should be doing more of this work in teh generateKeys method. We want to do as little as possible in generateNodes - InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(); - CorrelationAttributeInstance corrAttr = eamDbAttrInst.findSingleCorrelationAttribute(crFileId, correlationType); + InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(correlationType); + CorrelationAttributeInstance corrAttr = eamDbAttrInst.findSingleCorrelationAttribute(crFileId); List attrInstNodeList = new ArrayList<>(0); String currCaseDbName = Case.getCurrentCase().getDisplayName(); diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java index 6546b846a9..0193dd8050 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java @@ -33,6 +33,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException; +import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbUtil; import org.sleuthkit.autopsy.centralrepository.datamodel.InstanceTableCallback; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.datamodel.TskData; 
@@ -45,36 +46,70 @@ import org.sleuthkit.datamodel.HashUtility; final class InterCaseSearchResultsProcessor { private Map dataSources; - private static Type correlationType; + + /** + * The CorrelationAttributeInstance.Type this Processor will query on + */ + private final Type correlationType; private static final Logger LOGGER = Logger.getLogger(CommonAttributePanel.class.getName()); - private final String interCaseWhereClause = "value IN (SELECT value FROM file_instances" - + " WHERE value IN (SELECT value FROM file_instances" - + " WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value)" - + " GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value"; + /** + * The initial CorrelationAttributeInstance ids lookup query. + */ + private final String interCaseWhereClause; - private final String singleInterCaseWhereClause = "value IN (SELECT value FROM file_instances " - + "WHERE value IN (SELECT value FROM file_instances " - + "WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value) " - + "AND (case_id=%s OR case_id=%s) GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value"; + /** + * The single CorrelationAttributeInstance object retrieval query + */ + private final String singleInterCaseWhereClause; /** * Used in the InterCaseCommonAttributeSearchers to find common attribute * instances and generate nodes at the UI level. 
* - * @param dataSources + * @param dataSources the cases to filter and correlate on + * @param theType the type of CR data to search */ - InterCaseSearchResultsProcessor(Map dataSources) { + InterCaseSearchResultsProcessor(Map dataSources, CorrelationAttributeInstance.Type theType) { + this.correlationType = theType; this.dataSources = dataSources; + interCaseWhereClause = getInterCaseWhereClause(); + singleInterCaseWhereClause = getSingleInterCaseWhereClause(); + } + + private String getInterCaseWhereClause() { + String tableName = EamDbUtil.correlationTypeToInstanceTableName(correlationType); + StringBuilder sqlString = new StringBuilder(6); + sqlString.append("value IN (SELECT value FROM ") + .append(tableName) + .append(" WHERE value IN (SELECT value FROM ") + .append(tableName) + .append(" WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value)") + .append(" GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value"); + return sqlString.toString(); + } + private String getSingleInterCaseWhereClause() { + String tableName = EamDbUtil.correlationTypeToInstanceTableName(correlationType); + StringBuilder sqlString = new StringBuilder(6); + sqlString.append("value IN (SELECT value FROM ") + .append(tableName) + .append("WHERE value IN (SELECT value FROM ") + .append(tableName) + .append(" WHERE case_id=%s AND (known_status !=%s OR known_status IS NULL) GROUP BY value)") + .append(" AND (case_id=%s OR case_id=%s) GROUP BY value HAVING COUNT(DISTINCT case_id) > 1) ORDER BY value"); + return sqlString.toString(); } - /** * Used in the CentralRepoCommonAttributeInstance to find common attribute * instances and generate nodes at the UI level. 
+ * + * @param theType the type of CR data to search */ - InterCaseSearchResultsProcessor() { - //intentionally emtpy - we need a constructor which does not set the data sources field + InterCaseSearchResultsProcessor(CorrelationAttributeInstance.Type theType) { + this.correlationType = theType; + interCaseWhereClause = getInterCaseWhereClause(); + singleInterCaseWhereClause = getSingleInterCaseWhereClause(); } /** @@ -83,12 +118,12 @@ final class InterCaseSearchResultsProcessor { * @param attrbuteId Row of CorrelationAttribute to retrieve from the EamDb * @return CorrelationAttribute object representation of retrieved match */ - CorrelationAttributeInstance findSingleCorrelationAttribute(int attrbuteId, CorrelationAttributeInstance.Type theType) { + CorrelationAttributeInstance findSingleCorrelationAttribute(int attrbuteId) { try { - correlationType = theType; + InterCaseCommonAttributeRowCallback instancetableCallback = new InterCaseCommonAttributeRowCallback(); EamDb DbManager = EamDb.getInstance(); - DbManager.processInstanceTableWhere(theType, String.format("id = %s", attrbuteId), instancetableCallback); + DbManager.processInstanceTableWhere(correlationType, String.format("id = %s", attrbuteId), instancetableCallback); return instancetableCallback.getCorrelationAttribute(); 
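Review bot: In `getSingleInterCaseWhereClause` the second fragment is appended as `"WHERE value IN (SELECT value FROM "` with no leading space, so the generated clause reads `FROM <table>WHERE value IN ...` and the single-case query cannot run as intended; the sibling `getInterCaseWhereClause` has the space. Change it to `.append(" WHERE value IN (SELECT value FROM ")`. The two helpers differ only in the trailing `AND (case_id=%s OR case_id=%s)` filter, so building both from one shared prefix would prevent this kind of drift. `new StringBuilder(6)` sets an initial capacity of six characters, not six appends, so the argument can simply be dropped. The table name is concatenated into the SQL text, which is safe only while `EamDbUtil.correlationTypeToInstanceTableName` returns fixed identifiers; that helper is outside this patch, so it is worth confirming.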
@@ -105,15 +140,14 @@ final class InterCaseSearchResultsProcessor { * * @param currentCase The current TSK Case. */ - Map> findInterCaseCommonAttributeValues(Case currentCase, CorrelationAttributeInstance.Type theType) { + Map> findInterCaseCommonAttributeValues(Case currentCase) { try { - correlationType = theType; InterCaseCommonAttributesCallback instancetableCallback = new InterCaseCommonAttributesCallback(); EamDb DbManager = EamDb.getInstance(); int caseId = DbManager.getCase(currentCase).getID(); - DbManager.processInstanceTableWhere(theType, String.format(interCaseWhereClause, caseId, + DbManager.processInstanceTableWhere(correlationType, String.format(interCaseWhereClause, caseId, TskData.FileKnown.KNOWN.getFileKnownValue()), instancetableCallback); @@ -133,14 +167,13 @@ final class InterCaseSearchResultsProcessor { * @param currentCase The current TSK Case. * @param singleCase The case of interest. Matches must exist in this case. */ - Map> findSingleInterCaseCommonAttributeValues(Case currentCase, CorrelationCase singleCase, CorrelationAttributeInstance.Type theType) { + Map> findSingleInterCaseCommonAttributeValues(Case currentCase, CorrelationCase singleCase) { try { - correlationType = theType; InterCaseCommonAttributesCallback instancetableCallback = new InterCaseCommonAttributesCallback(); EamDb DbManager = EamDb.getInstance(); int caseId = DbManager.getCase(currentCase).getID(); int targetCaseId = singleCase.getID(); - DbManager.processInstanceTableWhere(theType, String.format(singleInterCaseWhereClause, caseId, + DbManager.processInstanceTableWhere(correlationType, String.format(singleInterCaseWhereClause, caseId, TskData.FileKnown.KNOWN.getFileKnownValue(), caseId, targetCaseId), instancetableCallback); return instancetableCallback.getInstanceCollatedCommonFiles(); } catch (EamDbException ex) { 
@@ -177,6 +210,10 @@ final class InterCaseSearchResultsProcessor { countAndAddCommonAttributes(corValue, resultId); } + //Add the final instances + ArrayList value = new ArrayList<>(); + value.add(commonAttributeValue); + instanceCollatedCommonFiles.put(commonAttributeValue.getInstanceCount(), value); } catch (SQLException ex) { LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS } diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java index f67bc4afe7..3c5dde5e2d 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java @@ -74,8 +74,8 @@ public class SingleInterCaseCommonAttributeSearcher extends InterCaseCommonAttri } CommonAttributeSearchResults findFiles(CorrelationCase correlationCase) throws TskCoreException, NoCurrentCaseException, SQLException, EamDbException { - InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(this.getDataSourceIdToNameMap()); - Map> interCaseCommonFiles = eamDbAttrInst.findSingleInterCaseCommonAttributeValues(Case.getCurrentCase(), correlationCase, corAttrType); + InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(this.getDataSourceIdToNameMap(), corAttrType); + Map> interCaseCommonFiles = eamDbAttrInst.findSingleInterCaseCommonAttributeValues(Case.getCurrentCase(), correlationCase); return new CommonAttributeSearchResults(interCaseCommonFiles, this.frequencyPercentageThreshold); }
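Review bot: The block added after the loop ("Add the final instances") dereferences `commonAttributeValue` unconditionally and stores it with `put`, so it may throw when the query returned no rows, and it replaces any list already stored under the same instance count. Both effects depend on code outside this hunk (how `commonAttributeValue` is initialised and how `countAndAddCommonAttributes` groups values), so please confirm. If the field starts as null and values are grouped per count, use `if (commonAttributeValue != null) { instanceCollatedCommonFiles.computeIfAbsent(commonAttributeValue.getInstanceCount(), k -> new ArrayList<>()).add(commonAttributeValue); }`. A NullPointerException here is not caught by the `catch (SQLException ex)` that follows, and an overwritten bucket would silently drop matches from the search results.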