From c78662885c64fd9240cb067ec5c862e766a5df19 Mon Sep 17 00:00:00 2001 From: Andrew Ziehl Date: Fri, 1 Jun 2018 10:01:33 -0700 Subject: [PATCH] Add or clause to CR query to include current case results so that result will have count > 1. Move values check so that query will return empty. --- .../datamodel/AbstractSqlEamDb.java | 116 +++++++++--------- .../centralrepository/datamodel/EamDb.java | 2 +- .../datamodel/SqliteEamDb.java | 5 +- .../EamDbCommonFilesAlgorithm.java | 11 +- 4 files changed, 70 insertions(+), 64 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java index 151c729acd..195a1ce547 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java @@ -653,18 +653,18 @@ public abstract class AbstractSqlEamDb implements EamDb { * Retrieves eamArtiifact instances from the database that match the given * list of MD5 values and optionally filters by given case. * - * Warning: Does not benefit from PreparedStatement caching to since values will - * be variable in length - * + * Warning: Does not benefit from PreparedStatement caching to since values + * will be variable in length + * * @param correlationCase Case id to search on, if null, searches all cases * @param values List of ArtifactInstance MD5 values to find matches of. * * @return List of artifact instances for a given list of MD5 values - * + * * @throws EamDbException if EamDb is inaccessible. */ @Override - public List getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection values) throws EamDbException { + public List getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection values, int currentCaseId) throws EamDbException { CorrelationAttribute.Type aType = CorrelationAttribute.getDefaultCorrelationTypes().get(0); // Files type if (aType == null) { throw new EamDbException("Correlation Type is null"); @@ -673,69 +673,73 @@ public abstract class AbstractSqlEamDb implements EamDb { if (correlationCase != null) { singleCase = true; } + if (values != null) { + values = new ArrayList(); + } Connection conn = connect(); List artifactInstances = new ArrayList<>(); // SELECT cases.case_name, cases.case_uid, data_sources.name, device_id, file_path, known_status, comment, data_sources.case_id, value FROM file_instances LEFT JOIN cases ON file_instances.case_id=cases.id LEFT JOIN data_sources ON file_instances.data_source_id=data_sources.id WHERE value IN (SELECT value FROM file_instances WHERE value IN ("59029becd7f830c0478aeb5e67cc3b20","d2b949c51cf3d5721699a6ea500eeba7","b90c8c8fb1c4687780002704b59585fe") GROUP BY value HAVING COUNT(*) > 1) ORDER BY value - CorrelationAttributeCommonInstance artifactInstance; PreparedStatement preparedStatement = null; ResultSet resultSet = null; - if (values != null) { - String tableName = EamDbUtil.correlationTypeToInstanceTableName(aType); - StringBuilder sql = new StringBuilder(10); - sql.append("SELECT cases.case_name, cases.case_uid, data_sources.name, device_id, file_path, known_status, comment, data_sources.case_id, value FROM "); - sql.append(tableName); - sql.append(" LEFT JOIN cases ON "); - sql.append(tableName); - sql.append(".case_id=cases.id"); - sql.append(" LEFT JOIN data_sources ON "); - sql.append(tableName); - sql.append(".data_source_id=data_sources.id"); - sql.append(" WHERE value IN (SELECT value FROM "); - sql.append(tableName); - sql.append(" WHERE value IN ("); - - // Note: PreparedStatement has a limit on ? variable replacement so instead query is built with values appended directly into the string - for (String value : values) { - sql.append("'"); - sql.append(value); - sql.append("',"); - } - - sql.deleteCharAt(sql.length() - 1); - sql.append(") GROUP BY value HAVING COUNT(*) > 1)"); + String tableName = EamDbUtil.correlationTypeToInstanceTableName(aType); + StringBuilder sql = new StringBuilder(10); + sql.append("SELECT cases.case_name, cases.case_uid, data_sources.name, device_id, file_path, known_status, comment, data_sources.case_id, value FROM "); + sql.append(tableName); + sql.append(" LEFT JOIN cases ON "); + sql.append(tableName); + sql.append(".case_id=cases.id"); + sql.append(" LEFT JOIN data_sources ON "); + sql.append(tableName); + sql.append(".data_source_id=data_sources.id"); + sql.append(" WHERE value IN (SELECT value FROM "); + sql.append(tableName); + sql.append(" WHERE value IN ("); + // Note: PreparedStatement has a limit on ? variable replacement so instead query is built with values appended directly into the string + for (String value : values) { + sql.append("'"); + sql.append(value); + sql.append("',"); + } + + sql.deleteCharAt(sql.length() - 1); + sql.append(") GROUP BY value HAVING COUNT(*) > 1)"); // + + if (singleCase && correlationCase != null) { + sql.append(" AND "); + sql.append(tableName); + sql.append(".case_id=?"); + sql.append(" OR "); + sql.append(tableName); + sql.append(".case_id=?"); + + } + + sql.append(" ORDER BY value, cases.case_name, file_path"); + + try { + preparedStatement = conn.prepareStatement(sql.toString()); if (singleCase && correlationCase != null) { - sql.append(" AND "); - sql.append(tableName); - sql.append(".case_id=?"); + preparedStatement.setInt(1, correlationCase.getID()); + preparedStatement.setInt(2, currentCaseId); } - - sql.append(" ORDER BY value, cases.case_name, file_path"); - try { - preparedStatement = conn.prepareStatement(sql.toString()); - int i = 1; - if (singleCase && correlationCase != null) { - preparedStatement.setString(i, String.valueOf(correlationCase.getID())); - } - - resultSet = preparedStatement.executeQuery(); - while (resultSet.next()) { - artifactInstance = getCommonEamArtifactInstanceFromResultSet(resultSet); - artifactInstances.add(artifactInstance); - } - - } catch (SQLException ex) { - throw new EamDbException("Error getting artifact instances by artifactType and artifactValue.", ex); // NON-NLS - } finally { - EamDbUtil.closePreparedStatement(preparedStatement); - EamDbUtil.closeResultSet(resultSet); - EamDbUtil.closeConnection(conn); + resultSet = preparedStatement.executeQuery(); + while (resultSet.next()) { + artifactInstance = getCommonEamArtifactInstanceFromResultSet(resultSet); + artifactInstances.add(artifactInstance); } + + } catch (SQLException ex) { + throw new EamDbException("Error getting artifact instances by artifactType and artifactValue.", ex); // NON-NLS + } finally { + EamDbUtil.closePreparedStatement(preparedStatement); + EamDbUtil.closeResultSet(resultSet); + EamDbUtil.closeConnection(conn); } return artifactInstances; @@ -1032,7 +1036,7 @@ public abstract class AbstractSqlEamDb implements EamDb { if (bulkArtifactsCount == 0) { return; } - + TimingMetric timingMetric = EnterpriseHealthMonitor.getTimingMetric("Correlation Engine: Bulk insert"); for (CorrelationAttribute.Type type : artifactTypes) { @@ -1084,7 +1088,7 @@ public abstract class AbstractSqlEamDb implements EamDb { bulkPs.executeBatch(); bulkArtifacts.get(type.getDbTableName()).clear(); } - + EnterpriseHealthMonitor.submitTimingMetric(timingMetric); // Reset state diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java index 15b234fc47..5984e4d074 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java @@ -233,7 +233,7 @@ public interface EamDb { * * @return List of artifact instances for a given list of MD5 values */ - List getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection values) throws EamDbException; + List getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection values, int currentCaseId) throws EamDbException; /** * Retrieves eamArtifact instances from the database that are associated diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/SqliteEamDb.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/SqliteEamDb.java index a1b8aaec1d..2d181b4be3 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/SqliteEamDb.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/SqliteEamDb.java @@ -18,7 +18,6 @@ */ package org.sleuthkit.autopsy.centralrepository.datamodel; -import java.io.File; import java.sql.Connection; import java.sql.SQLException; import java.sql.Statement; @@ -431,10 +430,10 @@ public class SqliteEamDb extends AbstractSqlEamDb { * @return List of artifact instances for a given list of MD5 values */ @Override - public List getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection values) throws EamDbException { + public List getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection values, int currentCaseId) throws EamDbException { try { acquireSharedLock(); - return super.getArtifactInstancesByCaseValues(correlationCase, values); + return super.getArtifactInstancesByCaseValues(correlationCase, values, currentCaseId); } finally { releaseSharedLock(); } diff --git a/Core/src/org/sleuthkit/autopsy/commonfilesearch/EamDbCommonFilesAlgorithm.java b/Core/src/org/sleuthkit/autopsy/commonfilesearch/EamDbCommonFilesAlgorithm.java index 898da0c9ed..b137e15c30 100644 --- a/Core/src/org/sleuthkit/autopsy/commonfilesearch/EamDbCommonFilesAlgorithm.java +++ b/Core/src/org/sleuthkit/autopsy/commonfilesearch/EamDbCommonFilesAlgorithm.java @@ -27,6 +27,7 @@ import java.util.List; import java.util.Map; import java.util.logging.Level; import java.util.stream.Collectors; +import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeCommonInstance; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase; @@ -73,11 +74,13 @@ public abstract class EamDbCommonFilesAlgorithm extends CommonFilesMetadataBuild protected CommonFilesMetadata findFiles(CorrelationCase correlationCase) throws TskCoreException, NoCurrentCaseException, SQLException, EamDbException, Exception { Map currentCaseMetadata = getMetadataForCurrentCase(); Collection values = currentCaseMetadata.keySet(); - + int currentCaseId; Map interCaseCommonFiles = new HashMap<>(); try { - - Collection artifactInstances = dbManager.getArtifactInstancesByCaseValues(correlationCase, values).stream() + // Need to include current Cases results for specific case comparison + currentCaseId = dbManager.getCase(Case.getCurrentCase()).getID(); + + Collection artifactInstances = dbManager.getArtifactInstancesByCaseValues(correlationCase, values, currentCaseId).stream() .collect(Collectors.toList()); interCaseCommonFiles = gatherIntercaseResults(artifactInstances, currentCaseMetadata); @@ -97,7 +100,7 @@ public abstract class EamDbCommonFilesAlgorithm extends CommonFilesMetadataBuild private Map gatherIntercaseResults(Collection artifactInstances, Map commonFiles) { - Map interCaseCommonFiles = new HashMap(); + Map interCaseCommonFiles = new HashMap<>(); for (CorrelationAttributeCommonInstance instance : artifactInstances) {