From d85475a4f82b06718d16fb415f8d78285e5de13f Mon Sep 17 00:00:00 2001 From: Brian Sweeney Date: Mon, 23 Apr 2018 09:19:09 -0600 Subject: [PATCH] first pass at intra case correlation --- .../DataContentViewerOtherCases.java | 68 +++++++++++++++---- 1 file changed, 55 insertions(+), 13 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java index c16d16d70c..d6a5f6abb0 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java @@ -43,6 +43,7 @@ import javax.swing.filechooser.FileNameExtensionFilter; import javax.swing.table.TableCellRenderer; import javax.swing.table.TableColumn; import org.openide.nodes.Node; +import org.openide.util.Exceptions; import org.openide.util.NbBundle.Messages; import org.openide.util.lookup.ServiceProvider; import org.sleuthkit.autopsy.casemodule.Case; @@ -52,6 +53,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttribute; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance; import org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase; +import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException; import org.sleuthkit.autopsy.centralrepository.datamodel.EamGlobalFileInstance; import org.sleuthkit.datamodel.AbstractFile; @@ -62,6 +64,8 @@ import org.sleuthkit.datamodel.ContentTag; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskException; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb; +import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskData; /** * View correlation results from other cases @@ -75,6 +79,10 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D private final DataContentViewerOtherCasesTableModel tableModel; private final Collection correlationAttributes; + /** + * Could be null. + */ + private AbstractFile file; /** * Creates new form DataContentViewerOtherCases @@ -398,11 +406,11 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D } // we can correlate based on the MD5 if it is enabled - AbstractFile abstractFile = getAbstractFileFromNode(node); - if (abstractFile != null) { + + if (this.file != null) { try { List artifactTypes = EamDb.getInstance().getDefinedCorrelationTypes(); - String md5 = abstractFile.getMd5Hash(); + String md5 = this.file.getMd5Hash(); if (md5 != null && !md5.isEmpty() && null != artifactTypes && !artifactTypes.isEmpty()) { for (CorrelationAttribute.Type aType : artifactTypes) { if (aType.getId() == CorrelationAttribute.FILES_TYPE_ID) { @@ -414,6 +422,8 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D } catch (EamDbException ex) { LOGGER.log(Level.SEVERE, "Error connecting to DB", ex); // NON-NLS } + + //TODO add intra case stuff here } return ret; @@ -441,11 +451,39 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D || !artifactInstance.getCorrelationDataSource().getName().equals(dataSourceName) || !artifactInstance.getCorrelationDataSource().getDeviceID().equals(deviceId)) .collect(Collectors.toList()); + + if(corAttr.getCorrelationType().getDisplayName().equals("Files")){ + String md5 = corAttr.getCorrelationValue(); + final Case openCase = Case.getOpenCase(); + SleuthkitCase tsk = openCase.getSleuthkitCase(); + List matches = tsk.findAllFilesWhere(String.format("md5 = '%s'", new Object[]{md5})); + + CorrelationCase caze = new CorrelationCase(openCase.getNumber(), openCase.getDisplayName()); + + for(AbstractFile file : matches){ + + if(this.file.equals(file)){ + continue; + } + + CorrelationDataSource dataSource = CorrelationDataSource.fromTSKDataSource(caze, file.getDataSource()); + String filePath = file.getParentPath(); + String comment = String.format("File Name: %s", new Object[]{file.getName()}); + TskData.FileKnown knownStatus = file.getKnown(); + CorrelationAttributeInstance inst = new CorrelationAttributeInstance(caze, dataSource, filePath, comment, knownStatus); + + artifactInstances.add(inst); + } + } + return artifactInstances; } catch (EamDbException ex) { LOGGER.log(Level.SEVERE, "Error getting artifact instances from database.", ex); // NON-NLS } catch (NoCurrentCaseException ex) { LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS + } catch (TskCoreException ex) { + //TODO error handling + Exceptions.printStackTrace(ex); } return Collections.emptyList(); @@ -453,10 +491,12 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D @Override public boolean isSupported(Node node) { - if (!EamDb.isEnabled()) { - return false; - } + //TODO for testing... +// if (!EamDb.isEnabled()) { +// return false; +// } + this.file = this.getAbstractFileFromNode(node); // Is supported if this node has correlatable content (File, BlackboardArtifact) return !getCorrelationAttributesFromNode(node).isEmpty(); } @@ -464,14 +504,16 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D @Override @Messages({"DataContentViewerOtherCases.table.nodbconnection=Cannot connect to central repository database."}) public void setNode(Node node) { - if (!EamDb.isEnabled()) { - return; - } +// if (!EamDb.isEnabled()) { +// return; +// } reset(); // reset the table to empty. if (node == null) { return; } + //could be null + this.file = this.getAbstractFileFromNode(node); populateTable(node); } @@ -484,12 +526,11 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D @Messages({"DataContentViewerOtherCases.table.isempty=There are no associated artifacts or files from other occurrences to display.", "DataContentViewerOtherCases.table.noArtifacts=Correlation cannot be performed on the selected file."}) private void populateTable(Node node) { - AbstractFile af = getAbstractFileFromNode(node); String dataSourceName = ""; String deviceId = ""; try { - if (af != null) { - Content dataSource = af.getDataSource(); + if (this.file != null) { + Content dataSource = this.file.getDataSource(); dataSourceName = dataSource.getName(); deviceId = Case.getOpenCase().getSleuthkitCase().getDataSource(dataSource.getId()).getDeviceId(); } @@ -497,7 +538,7 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D // do nothing. // @@@ Review this behavior } - + // get the attributes we can correlate on correlationAttributes.addAll(getCorrelationAttributesFromNode(node)); for (CorrelationAttribute corAttr : correlationAttributes) { @@ -684,4 +725,5 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D private javax.swing.JPanel tableStatusPanel; private javax.swing.JLabel tableStatusPanelLabel; // End of variables declaration//GEN-END:variables + }