From 075b76e8bf6d0b274b35da38678c172d06a04d0c Mon Sep 17 00:00:00 2001 From: Andrew Ziehl Date: Tue, 31 Jul 2018 11:46:44 -0700 Subject: [PATCH 1/4] logic overhaul to reduce manipulation and building of hashmaps. --- .../AbstractCommonAttributeInstance.java | 5 ++- .../CentralRepoCommonAttributeInstance.java | 4 +- .../InterCaseSearchResultsProcessor.java | 45 ++++++++++++++++++- 3 files changed, 48 insertions(+), 6 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/AbstractCommonAttributeInstance.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/AbstractCommonAttributeInstance.java index 6f445ca0a3..96741efc0d 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/AbstractCommonAttributeInstance.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/AbstractCommonAttributeInstance.java @@ -19,6 +19,7 @@ */ package org.sleuthkit.autopsy.commonfilesearch; +import java.util.HashMap; import java.util.Map; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance; import org.sleuthkit.autopsy.datamodel.DisplayableItemNode; @@ -70,9 +71,9 @@ public abstract class AbstractCommonAttributeInstance { * @param cachedFiles storage for abstract files which have been used * already so we can avoid extra roundtrips to the case db */ - AbstractCommonAttributeInstance(Map cachedFiles) { + AbstractCommonAttributeInstance() { this.abstractFileObjectId = -1L; - this.cachedFiles = cachedFiles; + this.cachedFiles = new HashMap<>(); this.caseName = ""; this.dataSource = ""; } diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java index e720cef635..dd2ff9e2b7 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/CentralRepoCommonAttributeInstance.java @@ -45,8 +45,8 @@ final public class CentralRepoCommonAttributeInstance extends AbstractCommonAttr private final Integer crFileId; private CorrelationAttributeInstance currentAttributeInstance; - CentralRepoCommonAttributeInstance(Integer attrInstId, Map cachedFiles) { - super(cachedFiles); + CentralRepoCommonAttributeInstance(Integer attrInstId) { + super(); this.crFileId = attrInstId; } diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java index 8416bbd856..8298089d4e 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java @@ -20,8 +20,10 @@ package org.sleuthkit.autopsy.commonfilesearch; import java.sql.ResultSet; import java.sql.SQLException; +import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.logging.Level; import org.openide.util.Exceptions; @@ -32,7 +34,11 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException; import org.sleuthkit.autopsy.centralrepository.datamodel.InstanceTableCallback; +import static org.sleuthkit.autopsy.commonfilesearch.AbstractCommonAttributeSearcher.collateMatchesByNumberOfInstances; import org.sleuthkit.autopsy.coreutils.Logger; +import static org.sleuthkit.autopsy.timeline.datamodel.eventtype.ArtifactEventType.LOGGER; +import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.HashUtility; /** * Used to process and return CorrelationCase md5s from the EamDB for @@ -123,14 +129,49 @@ final class InterCaseSearchResultsProcessor { @Override public void process(ResultSet resultSet) { + Map> instanceCollatedCommonFiles = new HashMap<>(); + try { + String previousRowMd5 = ""; + EamDb dbManager = EamDb.getInstance(); + CommonAttributeValue commonAttributeValue = null; while (resultSet.next()) { int resultId = InstanceTableCallback.getId(resultSet); - intercaseCommonValuesMap.put(resultId, InstanceTableCallback.getValue(resultSet)); - intercaseCommonCasesMap.put(resultId, InstanceTableCallback.getCaseId(resultSet)); + String md5Value = InstanceTableCallback.getValue(resultSet); + if (md5Value == null || HashUtility.isNoDataMd5(md5Value)) { + continue; + } + int caseId = InstanceTableCallback.getCaseId(resultSet); + CorrelationCase autopsyCrCase = dbManager.getCaseById(caseId); + final String correlationCaseDisplayName = autopsyCrCase.getDisplayName(); + + if(commonAttributeValue == null) { + commonAttributeValue = new CommonAttributeValue(md5Value); + } + // we don't *have* all the information for the rows in the CR, + // so we need to consult the present case via the SleuthkitCase object + // Later, when the FileInstanceNodde is built. Therefore, build node generators for now. + if (!md5Value.equals(previousRowMd5)) { + int size = commonAttributeValue.getInstanceCount(); + if (instanceCollatedCommonFiles.containsKey(size)) { + instanceCollatedCommonFiles.get(size).add(commonAttributeValue); + } else { + ArrayList value = new ArrayList<>(); + value.add(commonAttributeValue); + instanceCollatedCommonFiles.put(size, value); + } + + commonAttributeValue = new CommonAttributeValue(md5Value); + previousRowMd5 = md5Value; + } + AbstractCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(resultId); + commonAttributeValue.addFileInstanceMetadata(searchResult, correlationCaseDisplayName); + } } catch (SQLException ex) { Exceptions.printStackTrace(ex); + } catch (EamDbException ex) { + LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS } } From 6ee9ed54bd30c5c2b244b291f8789fe46a16ed3c Mon Sep 17 00:00:00 2001 From: Andrew Ziehl Date: Tue, 31 Jul 2018 15:20:35 -0700 Subject: [PATCH 2/4] cleanup logic, functionally complete --- .../AllInterCaseCommonAttributeSearcher.java | 4 +- .../InterCaseCommonAttributeSearcher.java | 52 ------------------- .../InterCaseSearchResultsProcessor.java | 26 +++++++--- .../commonfilesearch/IntraCasePanel.java | 4 +- ...ingleInterCaseCommonAttributeSearcher.java | 6 +-- 5 files changed, 24 insertions(+), 68 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java index 74e3aabb2a..f1ae2781f1 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/AllInterCaseCommonAttributeSearcher.java @@ -40,9 +40,7 @@ public class AllInterCaseCommonAttributeSearcher extends InterCaseCommonAttribut @Override public CommonAttributeSearchResults findFiles() throws TskCoreException, NoCurrentCaseException, SQLException, EamDbException { InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(); - eamDbAttrInst.findInterCaseCommonAttributeValues(Case.getCurrentCase()); - Map> interCaseCommonFiles = gatherIntercaseResults(eamDbAttrInst.getIntercaseCommonValuesMap(), eamDbAttrInst.getIntercaseCommonCasesMap()); - + Map> interCaseCommonFiles = eamDbAttrInst.findInterCaseCommonAttributeValues(Case.getCurrentCase()); return new CommonAttributeSearchResults(interCaseCommonFiles); } diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseCommonAttributeSearcher.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseCommonAttributeSearcher.java index a5c5f642b7..f6307c0158 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseCommonAttributeSearcher.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseCommonAttributeSearcher.java @@ -54,58 +54,6 @@ abstract class InterCaseCommonAttributeSearcher extends AbstractCommonAttributeS dbManager = EamDb.getInstance(); } - /** - * @param artifactInstances all 'common files' in central repo - * @param commonValues matches must ultimately have appeared in this - * collection - * @return collated map of instance counts to lists of matches - */ - Map> gatherIntercaseResults(Map commonValues, Map commonFileCases) { - - // keyis string of value - Map interCaseCommonFiles = new HashMap<>(); - - for (int commonAttrId : commonValues.keySet()) { - - String md5 = commonValues.get(commonAttrId); - if (md5 == null || HashUtility.isNoDataMd5(md5)) { - continue; - } - Map fileCache = new HashMap<>(); - - try { - int caseId = commonFileCases.get(commonAttrId); - CorrelationCase autopsyCrCase = dbManager.getCaseById(caseId); - final String correlationCaseDisplayName = autopsyCrCase.getDisplayName(); - // we don't *have* all the information for the rows in the CR, - // so we need to consult the present case via the SleuthkitCase object - // Later, when the FileInstanceNodde is built. Therefore, build node generators for now. - - if (interCaseCommonFiles.containsKey(md5)) { - //Add to intercase metaData - final CommonAttributeValue commonAttributeValue = interCaseCommonFiles.get(md5); - - AbstractCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(commonAttrId, fileCache); - commonAttributeValue.addFileInstanceMetadata(searchResult, correlationCaseDisplayName); - - } else { - CommonAttributeValue commonAttributeValue = new CommonAttributeValue(md5); - interCaseCommonFiles.put(md5, commonAttributeValue); - - AbstractCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(commonAttrId, fileCache); - commonAttributeValue.addFileInstanceMetadata(searchResult, correlationCaseDisplayName); - - } - } catch (Exception ex) { - LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS - } - } - - Map> instanceCollatedCommonFiles = collateMatchesByNumberOfInstances(interCaseCommonFiles); - - return instanceCollatedCommonFiles; - } - protected CorrelationCase getCorrelationCaseFromId(int correlationCaseId) throws EamDbException { for (CorrelationCase cCase : this.dbManager.getCases()) { if (cCase.getID() == correlationCaseId) { diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java index 8298089d4e..b12b4b1b57 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java @@ -34,10 +34,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException; import org.sleuthkit.autopsy.centralrepository.datamodel.InstanceTableCallback; -import static org.sleuthkit.autopsy.commonfilesearch.AbstractCommonAttributeSearcher.collateMatchesByNumberOfInstances; import org.sleuthkit.autopsy.coreutils.Logger; -import static org.sleuthkit.autopsy.timeline.datamodel.eventtype.ArtifactEventType.LOGGER; -import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.HashUtility; /** @@ -81,17 +78,17 @@ final class InterCaseSearchResultsProcessor { * * @param currentCase The current TSK Case. */ - void findInterCaseCommonAttributeValues(Case currentCase) { + Map> findInterCaseCommonAttributeValues(Case currentCase) { try { InterCaseCommonAttributesCallback instancetableCallback = new InterCaseCommonAttributesCallback(); EamDb DbManager = EamDb.getInstance(); CorrelationAttribute.Type fileType = DbManager.getCorrelationTypeById(CorrelationAttribute.FILES_TYPE_ID); DbManager.processCaseInstancesTable(fileType, DbManager.getCase(currentCase), instancetableCallback); - + return instancetableCallback.getInstanceCollatedCommonFiles(); } catch (EamDbException ex) { LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex); } - + return new HashMap<>(); } /** @@ -102,15 +99,17 @@ final class InterCaseSearchResultsProcessor { * @param currentCase The current TSK Case. * @param singleCase The case of interest. Matches must exist in this case. */ - void findSingleInterCaseCommonAttributeValues(Case currentCase, CorrelationCase singleCase) { + Map> findSingleInterCaseCommonAttributeValues(Case currentCase, CorrelationCase singleCase) { try { InterCaseCommonAttributesCallback instancetableCallback = new InterCaseCommonAttributesCallback(); EamDb DbManager = EamDb.getInstance(); CorrelationAttribute.Type fileType = DbManager.getCorrelationTypeById(CorrelationAttribute.FILES_TYPE_ID); DbManager.processSingleCaseInstancesTable(fileType, DbManager.getCase(currentCase), singleCase, instancetableCallback); + return instancetableCallback.getInstanceCollatedCommonFiles(); } catch (EamDbException ex) { LOGGER.log(Level.SEVERE, "Error accessing EamDb processing CaseInstancesTable.", ex); } + return new HashMap<>(); } Map getIntercaseCommonValuesMap() { @@ -127,17 +126,23 @@ final class InterCaseSearchResultsProcessor { */ private class InterCaseCommonAttributesCallback implements InstanceTableCallback { + final Map> instanceCollatedCommonFiles = new HashMap<>(); + @Override public void process(ResultSet resultSet) { - Map> instanceCollatedCommonFiles = new HashMap<>(); + try { String previousRowMd5 = ""; EamDb dbManager = EamDb.getInstance(); CommonAttributeValue commonAttributeValue = null; while (resultSet.next()) { + int resultId = InstanceTableCallback.getId(resultSet); String md5Value = InstanceTableCallback.getValue(resultSet); + if(previousRowMd5.isEmpty()) { + previousRowMd5 = md5Value; + } if (md5Value == null || HashUtility.isNoDataMd5(md5Value)) { continue; } @@ -173,6 +178,11 @@ final class InterCaseSearchResultsProcessor { } catch (EamDbException ex) { LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS } + + } + + Map> getInstanceCollatedCommonFiles() { + return Collections.unmodifiableMap(instanceCollatedCommonFiles); } } diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/IntraCasePanel.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/IntraCasePanel.java index c88537cb17..9b243445ca 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/IntraCasePanel.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/IntraCasePanel.java @@ -20,6 +20,7 @@ package org.sleuthkit.autopsy.commonfilesearch; import java.util.Collections; +import java.util.HashMap; import java.util.Map; import java.util.Map.Entry; import javax.swing.ComboBoxModel; @@ -40,7 +41,7 @@ public class IntraCasePanel extends javax.swing.JPanel { private boolean singleDataSource; private String selectedDataSource; private ComboBoxModel dataSourcesList = new DataSourceComboBoxModel(); - private Map dataSourceMap; + private final Map dataSourceMap; private CommonAttributePanel parent; private String errorMessage; @@ -51,6 +52,7 @@ public class IntraCasePanel extends javax.swing.JPanel { public IntraCasePanel() { initComponents(); this.errorMessage = ""; + dataSourceMap = new HashMap<>(); } public void setParent(CommonAttributePanel parent){ diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java index 9486a9e43c..5c5954d431 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/SingleInterCaseCommonAttributeSearcher.java @@ -70,11 +70,9 @@ public class SingleInterCaseCommonAttributeSearcher extends InterCaseCommonAttri return this.findFiles(cCase); } - protected CommonAttributeSearchResults findFiles(CorrelationCase correlationCase) throws TskCoreException, NoCurrentCaseException, SQLException, EamDbException { - + CommonAttributeSearchResults findFiles(CorrelationCase correlationCase) throws TskCoreException, NoCurrentCaseException, SQLException, EamDbException { InterCaseSearchResultsProcessor eamDbAttrInst = new InterCaseSearchResultsProcessor(); - eamDbAttrInst.findSingleInterCaseCommonAttributeValues(Case.getCurrentCase(), correlationCase); - Map> interCaseCommonFiles = gatherIntercaseResults(eamDbAttrInst.getIntercaseCommonValuesMap(), eamDbAttrInst.getIntercaseCommonCasesMap()); + Map> interCaseCommonFiles = eamDbAttrInst.findSingleInterCaseCommonAttributeValues(Case.getCurrentCase(), correlationCase); return new CommonAttributeSearchResults(interCaseCommonFiles); } From 35d5df5ebc7940ca0cf81cd48f9ed2dce833ad57 Mon Sep 17 00:00:00 2001 From: Andrew Ziehl Date: Tue, 31 Jul 2018 15:32:32 -0700 Subject: [PATCH 3/4] Cleanup excess fields. --- .../InterCaseSearchResultsProcessor.java | 40 +++++-------------- 1 file changed, 11 insertions(+), 29 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java index b12b4b1b57..31dccb80ef 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java @@ -26,7 +26,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.logging.Level; -import org.openide.util.Exceptions; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttribute; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase; @@ -45,11 +44,6 @@ final class InterCaseSearchResultsProcessor { private static final Logger LOGGER = Logger.getLogger(CommonAttributePanel.class.getName()); - // maps row ID to value - private final Map intercaseCommonValuesMap = new HashMap<>(); - // maps row ID to case ID - private final Map intercaseCommonCasesMap = new HashMap<>(); - /** * Finds a single CorrelationAttribute given an id. * @@ -112,14 +106,6 @@ final class InterCaseSearchResultsProcessor { return new HashMap<>(); } - Map getIntercaseCommonValuesMap() { - return Collections.unmodifiableMap(intercaseCommonValuesMap); - } - - Map getIntercaseCommonCasesMap() { - return Collections.unmodifiableMap(intercaseCommonCasesMap); - } - /** * Callback to use with findInterCaseCommonAttributeValues which generates a * list of md5s for common files search @@ -127,11 +113,9 @@ final class InterCaseSearchResultsProcessor { private class InterCaseCommonAttributesCallback implements InstanceTableCallback { final Map> instanceCollatedCommonFiles = new HashMap<>(); - + @Override public void process(ResultSet resultSet) { - - try { String previousRowMd5 = ""; EamDb dbManager = EamDb.getInstance(); @@ -140,7 +124,7 @@ final class InterCaseSearchResultsProcessor { int resultId = InstanceTableCallback.getId(resultSet); String md5Value = InstanceTableCallback.getValue(resultSet); - if(previousRowMd5.isEmpty()) { + if (previousRowMd5.isEmpty()) { previousRowMd5 = md5Value; } if (md5Value == null || HashUtility.isNoDataMd5(md5Value)) { @@ -149,13 +133,10 @@ final class InterCaseSearchResultsProcessor { int caseId = InstanceTableCallback.getCaseId(resultSet); CorrelationCase autopsyCrCase = dbManager.getCaseById(caseId); final String correlationCaseDisplayName = autopsyCrCase.getDisplayName(); - - if(commonAttributeValue == null) { + + if (commonAttributeValue == null) { commonAttributeValue = new CommonAttributeValue(md5Value); } - // we don't *have* all the information for the rows in the CR, - // so we need to consult the present case via the SleuthkitCase object - // Later, when the FileInstanceNodde is built. Therefore, build node generators for now. if (!md5Value.equals(previousRowMd5)) { int size = commonAttributeValue.getInstanceCount(); if (instanceCollatedCommonFiles.containsKey(size)) { @@ -169,18 +150,19 @@ final class InterCaseSearchResultsProcessor { commonAttributeValue = new CommonAttributeValue(md5Value); previousRowMd5 = md5Value; } + // we don't *have* all the information for the rows in the CR, + // so we need to consult the present case via the SleuthkitCase object + // Later, when the FileInstanceNode is built. Therefore, build node generators for now. AbstractCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(resultId); commonAttributeValue.addFileInstanceMetadata(searchResult, correlationCaseDisplayName); } - } catch (SQLException ex) { - Exceptions.printStackTrace(ex); - } catch (EamDbException ex) { + } catch (SQLException | EamDbException ex) { LOGGER.log(Level.WARNING, "Error getting artifact instances from database.", ex); // NON-NLS } - + } - + Map> getInstanceCollatedCommonFiles() { return Collections.unmodifiableMap(instanceCollatedCommonFiles); } @@ -212,7 +194,7 @@ final class InterCaseSearchResultsProcessor { } } catch (SQLException | EamDbException ex) { - Exceptions.printStackTrace(ex); + LOGGER.log(Level.WARNING, "Error getting single correlation artifact instance from database.", ex); // NON-NLS } } From 9163256cd33769532ed06ae2b8754139ba2fd652 Mon Sep 17 00:00:00 2001 From: Andrew Ziehl Date: Tue, 31 Jul 2018 15:54:33 -0700 Subject: [PATCH 4/4] Refactoring --- .../InterCaseSearchResultsProcessor.java | 53 +++++++++++-------- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java index 31dccb80ef..2a1845a36a 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/InterCaseSearchResultsProcessor.java @@ -114,12 +114,15 @@ final class InterCaseSearchResultsProcessor { final Map> instanceCollatedCommonFiles = new HashMap<>(); + private CommonAttributeValue commonAttributeValue = null; + private String previousRowMd5 = ""; + @Override public void process(ResultSet resultSet) { try { - String previousRowMd5 = ""; + EamDb dbManager = EamDb.getInstance(); - CommonAttributeValue commonAttributeValue = null; + while (resultSet.next()) { int resultId = InstanceTableCallback.getId(resultSet); @@ -134,27 +137,7 @@ final class InterCaseSearchResultsProcessor { CorrelationCase autopsyCrCase = dbManager.getCaseById(caseId); final String correlationCaseDisplayName = autopsyCrCase.getDisplayName(); - if (commonAttributeValue == null) { - commonAttributeValue = new CommonAttributeValue(md5Value); - } - if (!md5Value.equals(previousRowMd5)) { - int size = commonAttributeValue.getInstanceCount(); - if (instanceCollatedCommonFiles.containsKey(size)) { - instanceCollatedCommonFiles.get(size).add(commonAttributeValue); - } else { - ArrayList value = new ArrayList<>(); - value.add(commonAttributeValue); - instanceCollatedCommonFiles.put(size, value); - } - - commonAttributeValue = new CommonAttributeValue(md5Value); - previousRowMd5 = md5Value; - } - // we don't *have* all the information for the rows in the CR, - // so we need to consult the present case via the SleuthkitCase object - // Later, when the FileInstanceNode is built. Therefore, build node generators for now. - AbstractCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(resultId); - commonAttributeValue.addFileInstanceMetadata(searchResult, correlationCaseDisplayName); + countAndAddCommonAttributes(md5Value, resultId, correlationCaseDisplayName); } } catch (SQLException | EamDbException ex) { @@ -163,6 +146,30 @@ final class InterCaseSearchResultsProcessor { } + private void countAndAddCommonAttributes(String md5Value, int resultId, String correlationCaseDisplayName) { + if (commonAttributeValue == null) { + commonAttributeValue = new CommonAttributeValue(md5Value); + } + if (!md5Value.equals(previousRowMd5)) { + int size = commonAttributeValue.getInstanceCount(); + if (instanceCollatedCommonFiles.containsKey(size)) { + instanceCollatedCommonFiles.get(size).add(commonAttributeValue); + } else { + ArrayList value = new ArrayList<>(); + value.add(commonAttributeValue); + instanceCollatedCommonFiles.put(size, value); + } + + commonAttributeValue = new CommonAttributeValue(md5Value); + previousRowMd5 = md5Value; + } + // we don't *have* all the information for the rows in the CR, + // so we need to consult the present case via the SleuthkitCase object + // Later, when the FileInstanceNode is built. Therefore, build node generators for now. + AbstractCommonAttributeInstance searchResult = new CentralRepoCommonAttributeInstance(resultId); + commonAttributeValue.addFileInstanceMetadata(searchResult, correlationCaseDisplayName); + } + Map> getInstanceCollatedCommonFiles() { return Collections.unmodifiableMap(instanceCollatedCommonFiles); }