mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 18:17:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add or clause to CR query to include current case results so that result will have count > 1. Move values check so that query will return empty.

Browse Source
This commit is contained in:
Andrew Ziehl 2018-06-01 10:01:33 -07:00
parent 4c529e2973
commit c78662885c
4 changed files with 70 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/AbstractSqlEamDb.java
View File

@ -653,8 +653,8 @@ public abstract class AbstractSqlEamDb implements EamDb {
* Retrieves eamArtiifact instances from the database that match the given
* list of MD5 values and optionally filters by given case.
*
* Warning: Does not benefit from PreparedStatement caching to since values will
* be variable in length
* Warning: Does not benefit from PreparedStatement caching to since values
* will be variable in length
*
* @param correlationCase Case id to search on, if null, searches all cases
* @param values List of ArtifactInstance MD5 values to find matches of.
@ -664,7 +664,7 @@ public abstract class AbstractSqlEamDb implements EamDb {
* @throws EamDbException if EamDb is inaccessible.
*/
@Override
public List<CorrelationAttributeCommonInstance> getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection<String> values) throws EamDbException {
public List<CorrelationAttributeCommonInstance> getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection<String> values, int currentCaseId) throws EamDbException {
CorrelationAttribute.Type aType = CorrelationAttribute.getDefaultCorrelationTypes().get(0); // Files type
if (aType == null) {
throw new EamDbException("Correlation Type is null");
@ -673,16 +673,18 @@ public abstract class AbstractSqlEamDb implements EamDb {
if (correlationCase != null) {
singleCase = true;
}
if (values != null) {
values = new ArrayList<String>();
}
Connection conn = connect();
List<CorrelationAttributeCommonInstance> artifactInstances = new ArrayList<>();
// SELECT cases.case_name, cases.case_uid, data_sources.name, device_id, file_path, known_status, comment, data_sources.case_id, value FROM file_instances LEFT JOIN cases ON file_instances.case_id=cases.id LEFT JOIN data_sources ON file_instances.data_source_id=data_sources.id WHERE value IN (SELECT value FROM file_instances WHERE value IN ("59029becd7f830c0478aeb5e67cc3b20","d2b949c51cf3d5721699a6ea500eeba7","b90c8c8fb1c4687780002704b59585fe") GROUP BY value HAVING COUNT(*) > 1) ORDER BY value
CorrelationAttributeCommonInstance artifactInstance;
PreparedStatement preparedStatement = null;
ResultSet resultSet = null;
if (values != null) {
String tableName = EamDbUtil.correlationTypeToInstanceTableName(aType);
StringBuilder sql = new StringBuilder(10);
sql.append("SELECT cases.case_name, cases.case_uid, data_sources.name, device_id, file_path, known_status, comment, data_sources.case_id, value FROM ");
@ -704,23 +706,26 @@ public abstract class AbstractSqlEamDb implements EamDb {
sql.append("',");
}
sql.deleteCharAt(sql.length() - 1);
sql.append(") GROUP BY value HAVING COUNT(*) > 1)");
sql.append(") GROUP BY value HAVING COUNT(*) > 1)"); //
if (singleCase && correlationCase != null) {
sql.append(" AND ");
sql.append(tableName);
sql.append(".case_id=?");
sql.append(" OR ");
sql.append(tableName);
sql.append(".case_id=?");
}
sql.append(" ORDER BY value, cases.case_name, file_path");
try {
preparedStatement = conn.prepareStatement(sql.toString());
int i = 1;
if (singleCase && correlationCase != null) {
preparedStatement.setString(i, String.valueOf(correlationCase.getID()));
preparedStatement.setInt(1, correlationCase.getID());
preparedStatement.setInt(2, currentCaseId);
}
resultSet = preparedStatement.executeQuery();
@ -736,7 +741,6 @@ public abstract class AbstractSqlEamDb implements EamDb {
EamDbUtil.closeResultSet(resultSet);
EamDbUtil.closeConnection(conn);
}
}
return artifactInstances;
}

2
Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamDb.java
View File

@ -233,7 +233,7 @@ public interface EamDb {
*
* @return List of artifact instances for a given list of MD5 values
*/
List<CorrelationAttributeCommonInstance> getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection<String> values) throws EamDbException;
List<CorrelationAttributeCommonInstance> getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection<String> values, int currentCaseId) throws EamDbException;
/**
* Retrieves eamArtifact instances from the database that are associated

5
Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/SqliteEamDb.java
View File

@ -18,7 +18,6 @@
*/
package org.sleuthkit.autopsy.centralrepository.datamodel;
import java.io.File;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
@ -431,10 +430,10 @@ public class SqliteEamDb extends AbstractSqlEamDb {
* @return List of artifact instances for a given list of MD5 values
*/
@Override
public List<CorrelationAttributeCommonInstance> getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection<String> values) throws EamDbException {
public List<CorrelationAttributeCommonInstance> getArtifactInstancesByCaseValues(CorrelationCase correlationCase, Collection<String> values, int currentCaseId) throws EamDbException {
try {
acquireSharedLock();
return super.getArtifactInstancesByCaseValues(correlationCase, values);
return super.getArtifactInstancesByCaseValues(correlationCase, values, currentCaseId);
} finally {
releaseSharedLock();
}

9
Core/src/org/sleuthkit/autopsy/commonfilesearch/EamDbCommonFilesAlgorithm.java
View File

@ -27,6 +27,7 @@ import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.stream.Collectors;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeCommonInstance;
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;
@ -73,11 +74,13 @@ public abstract class EamDbCommonFilesAlgorithm extends CommonFilesMetadataBuild
protected CommonFilesMetadata findFiles(CorrelationCase correlationCase) throws TskCoreException, NoCurrentCaseException, SQLException, EamDbException, Exception {
Map<String, Md5Metadata> currentCaseMetadata = getMetadataForCurrentCase();
Collection<String> values = currentCaseMetadata.keySet();
int currentCaseId;
Map<String, Md5Metadata> interCaseCommonFiles = new HashMap<>();
try {
// Need to include current Cases results for specific case comparison
currentCaseId = dbManager.getCase(Case.getCurrentCase()).getID();
Collection<CorrelationAttributeCommonInstance> artifactInstances = dbManager.getArtifactInstancesByCaseValues(correlationCase, values).stream()
Collection<CorrelationAttributeCommonInstance> artifactInstances = dbManager.getArtifactInstancesByCaseValues(correlationCase, values, currentCaseId).stream()
.collect(Collectors.toList());
interCaseCommonFiles = gatherIntercaseResults(artifactInstances, currentCaseMetadata);
@ -97,7 +100,7 @@ public abstract class EamDbCommonFilesAlgorithm extends CommonFilesMetadataBuild
private Map<String, Md5Metadata> gatherIntercaseResults(Collection<CorrelationAttributeCommonInstance> artifactInstances, Map<String, Md5Metadata> commonFiles) {
Map<String, Md5Metadata> interCaseCommonFiles = new HashMap<String, Md5Metadata>();
Map<String, Md5Metadata> interCaseCommonFiles = new HashMap<>();
for (CorrelationAttributeCommonInstance instance : artifactInstances) {