mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 10:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added tsk_comment and SSID to seen artifacts

Browse Source 
Added tsk_comment to artifacts that have been see prior cases can be identified easier.  Also added SSID TYPE to be seen as well.
This commit is contained in:
Mark McKinnon 2019-09-27 14:33:07 -04:00
parent c36620e876
commit a46db0f7ff
3 changed files with 75 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java
View File

@ -1942,6 +1942,58 @@ abstract class AbstractSqlEamDb implements EamDb {
return caseNames.stream().collect(Collectors.toList());
}
/**
* Gets list of distinct case display names, where each case has 1+ Artifact
* Instance matching eamArtifact.
*
* @param aType EamArtifact.Type to search for
* @param value Value to search for
*
* @return List of cases containing this artifact with instances marked as
* bad
*
* @throws EamDbException
*/
@Override
public List<String> getListCasesHavingArtifactInstances(CorrelationAttributeInstance.Type aType, String value) throws EamDbException, CorrelationAttributeNormalizationException {
String normalizedValue = CorrelationAttributeNormalizer.normalize(aType, value);
Connection conn = connect();
Collection<String> caseNames = new LinkedHashSet<>();
PreparedStatement preparedStatement = null;
ResultSet resultSet = null;
String tableName = EamDbUtil.correlationTypeToInstanceTableName(aType);
String sql
= "SELECT DISTINCT case_name FROM "
+ tableName
+ " INNER JOIN cases ON "
+ tableName
+ ".case_id=cases.id WHERE "
+ tableName
+ ".value=? ";
try {
preparedStatement = conn.prepareStatement(sql);
preparedStatement.setString(1, normalizedValue);
resultSet = preparedStatement.executeQuery();
while (resultSet.next()) {
caseNames.add(resultSet.getString("case_name"));
}
} catch (SQLException ex) {
throw new EamDbException("Error getting notable artifact instances.", ex); // NON-NLS
} finally {
EamDbUtil.closeStatement(preparedStatement);
EamDbUtil.closeResultSet(resultSet);
EamDbUtil.closeConnection(conn);
}
return caseNames.stream().collect(Collectors.toList());
}
/**
* Remove a reference set and all entries contained in it.
*

14
Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java
View File

@ -475,6 +475,20 @@ public interface EamDb {
*/
List<String> getListCasesHavingArtifactInstancesKnownBad(CorrelationAttributeInstance.Type aType, String value) throws EamDbException, CorrelationAttributeNormalizationException;
/**
* Gets list of distinct case display names, where each case has 1+ Artifact
* Instance matching eamArtifact.
*
* @param aType EamArtifact.Type to search for
* @param value Value to search for
*
* @return List of cases containing this artifact with instances marked as
* bad
*
* @throws EamDbException
*/
List<String> getListCasesHavingArtifactInstances(CorrelationAttributeInstance.Type aType, String value) throws EamDbException, CorrelationAttributeNormalizationException;
/**
* Remove a reference set and all values contained in it.
*

12
Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java
View File

@ -229,10 +229,13 @@ public class IngestEventsListener {
"# {0} - typeName",
"# {1} - count",
"IngestEventsListener.prevCount.text=Number of previous {0}: {1}"})
static private void makeAndPostPreviousSeenArtifact(BlackboardArtifact originalArtifact) {
static private void makeAndPostPreviousSeenArtifact(BlackboardArtifact originalArtifact, List<String> caseDisplayNames) {
Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(new BlackboardAttribute(
TSK_SET_NAME, MODULE_NAME,
Bundle.IngestEventsListener_prevExists_text()),
new BlackboardAttribute(
TSK_COMMENT, MODULE_NAME,
Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(","))),
new BlackboardAttribute(
TSK_ASSOCIATED_ARTIFACT, MODULE_NAME,
originalArtifact.getArtifactID()));
@ -478,13 +481,16 @@ public class IngestEventsListener {
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID)) {
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.SSID_TYPE_ID)) {
try {
//only alert to previous instances when they were in another case
List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());
List<String> caseDisplayNames;
for (CorrelationAttributeInstance instance : previousOccurences) {
if (!instance.getCorrelationCase().getCaseUUID().equals(eamArtifact.getCorrelationCase().getCaseUUID())) {
makeAndPostPreviousSeenArtifact(bbArtifact);
caseDisplayNames = dbManager.getListCasesHavingArtifactInstances(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());
makeAndPostPreviousSeenArtifact(bbArtifact, caseDisplayNames);
break;
}
}