diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java index f1be6fab1f..6e77c317a7 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java @@ -1942,6 +1942,58 @@ abstract class AbstractSqlEamDb implements EamDb { return caseNames.stream().collect(Collectors.toList()); } + /** + * Gets list of distinct case display names, where each case has 1+ Artifact + * Instance matching eamArtifact. + * + * @param aType EamArtifact.Type to search for + * @param value Value to search for + * + * @return List of cases containing this artifact with instances marked as + * bad + * + * @throws EamDbException + */ + @Override + public List getListCasesHavingArtifactInstances(CorrelationAttributeInstance.Type aType, String value) throws EamDbException, CorrelationAttributeNormalizationException { + + String normalizedValue = CorrelationAttributeNormalizer.normalize(aType, value); + + Connection conn = connect(); + + Collection caseNames = new LinkedHashSet<>(); + + PreparedStatement preparedStatement = null; + ResultSet resultSet = null; + + String tableName = EamDbUtil.correlationTypeToInstanceTableName(aType); + String sql + = "SELECT DISTINCT case_name FROM " + + tableName + + " INNER JOIN cases ON " + + tableName + + ".case_id=cases.id WHERE " + + tableName + + ".value=? "; + + try { + preparedStatement = conn.prepareStatement(sql); + preparedStatement.setString(1, normalizedValue); + resultSet = preparedStatement.executeQuery(); + while (resultSet.next()) { + caseNames.add(resultSet.getString("case_name")); + } + } catch (SQLException ex) { + throw new EamDbException("Error getting notable artifact instances.", ex); // NON-NLS + } finally { + EamDbUtil.closeStatement(preparedStatement); + EamDbUtil.closeResultSet(resultSet); + EamDbUtil.closeConnection(conn); + } + + return caseNames.stream().collect(Collectors.toList()); + } + /** * Remove a reference set and all entries contained in it. * diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java index 6aa511edb4..5317fcffe8 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java @@ -475,6 +475,20 @@ public interface EamDb { */ List getListCasesHavingArtifactInstancesKnownBad(CorrelationAttributeInstance.Type aType, String value) throws EamDbException, CorrelationAttributeNormalizationException; + /** + * Gets list of distinct case display names, where each case has 1+ Artifact + * Instance matching eamArtifact. + * + * @param aType EamArtifact.Type to search for + * @param value Value to search for + * + * @return List of cases containing this artifact with instances marked as + * bad + * + * @throws EamDbException + */ + List getListCasesHavingArtifactInstances(CorrelationAttributeInstance.Type aType, String value) throws EamDbException, CorrelationAttributeNormalizationException; + /** * Remove a reference set and all values contained in it. * diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java index 60c2ef98ab..f8c7f4541d 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java @@ -229,10 +229,13 @@ public class IngestEventsListener { "# {0} - typeName", "# {1} - count", "IngestEventsListener.prevCount.text=Number of previous {0}: {1}"}) - static private void makeAndPostPreviousSeenArtifact(BlackboardArtifact originalArtifact) { + static private void makeAndPostPreviousSeenArtifact(BlackboardArtifact originalArtifact, List caseDisplayNames) { Collection attributesForNewArtifact = Arrays.asList(new BlackboardAttribute( TSK_SET_NAME, MODULE_NAME, Bundle.IngestEventsListener_prevExists_text()), + new BlackboardAttribute( + TSK_COMMENT, MODULE_NAME, + Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(","))), new BlackboardAttribute( TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, originalArtifact.getArtifactID())); @@ -478,13 +481,16 @@ public class IngestEventsListener { || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID - || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID)) { + || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID + || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.SSID_TYPE_ID)) { try { //only alert to previous instances when they were in another case List previousOccurences = dbManager.getArtifactInstancesByTypeValue(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue()); + List caseDisplayNames; for (CorrelationAttributeInstance instance : previousOccurences) { if (!instance.getCorrelationCase().getCaseUUID().equals(eamArtifact.getCorrelationCase().getCaseUUID())) { - makeAndPostPreviousSeenArtifact(bbArtifact); + caseDisplayNames = dbManager.getListCasesHavingArtifactInstances(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue()); + makeAndPostPreviousSeenArtifact(bbArtifact, caseDisplayNames); break; } }