first pass at intra case correlation

2025-07-14 17:06:16 +00:00 · 2018-04-23 09:19:09 -06:00 · 2018-04-23 09:19:09 -06:00 · d85475a4f8
commit d85475a4f8
parent dd33c16662
1 changed files with 55 additions and 13 deletions
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java
@ -43,6 +43,7 @@ import javax.swing.filechooser.FileNameExtensionFilter;
 import javax.swing.table.TableCellRenderer;
 import javax.swing.table.TableColumn;
 import org.openide.nodes.Node;
+import org.openide.util.Exceptions;
 import org.openide.util.NbBundle.Messages;
 import org.openide.util.lookup.ServiceProvider;
 import org.sleuthkit.autopsy.casemodule.Case;
@ -52,6 +53,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttribute;
 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
 import org.sleuthkit.autopsy.centralrepository.datamodel.EamArtifactUtil;
 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;
+import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource;
 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDbException;
 import org.sleuthkit.autopsy.centralrepository.datamodel.EamGlobalFileInstance;
 import org.sleuthkit.datamodel.AbstractFile;
@ -62,6 +64,8 @@ import org.sleuthkit.datamodel.ContentTag;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskException;
 import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb;
+import org.sleuthkit.datamodel.SleuthkitCase;
+import org.sleuthkit.datamodel.TskData;

 /**
 * View correlation results from other cases
@ -75,6 +79,10 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D

    private final DataContentViewerOtherCasesTableModel tableModel;
    private final Collection<CorrelationAttribute> correlationAttributes;
+    /**
+     * Could be null.
+     */
+    private AbstractFile file;

    /**
     * Creates new form DataContentViewerOtherCases
@ -398,11 +406,11 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
        }
        
        // we can correlate based on the MD5 if it is enabled
-        AbstractFile abstractFile = getAbstractFileFromNode(node);
-        if (abstractFile != null) {
+        
+        if (this.file != null) {
            try {
                List<CorrelationAttribute.Type> artifactTypes = EamDb.getInstance().getDefinedCorrelationTypes();
-                String md5 = abstractFile.getMd5Hash();
+                String md5 = this.file.getMd5Hash();
                if (md5 != null && !md5.isEmpty() && null != artifactTypes && !artifactTypes.isEmpty()) {
                    for (CorrelationAttribute.Type aType : artifactTypes) {
                        if (aType.getId() == CorrelationAttribute.FILES_TYPE_ID) {
@ -414,6 +422,8 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
            } catch (EamDbException ex) {
                LOGGER.log(Level.SEVERE, "Error connecting to DB", ex); // NON-NLS
            }
+            
+            //TODO add intra case stuff here
        }

        return ret;
@ -441,11 +451,39 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
                    || !artifactInstance.getCorrelationDataSource().getName().equals(dataSourceName)
                    || !artifactInstance.getCorrelationDataSource().getDeviceID().equals(deviceId))
                    .collect(Collectors.toList());
+            
+            if(corAttr.getCorrelationType().getDisplayName().equals("Files")){
+                String md5 = corAttr.getCorrelationValue();
+                final Case openCase = Case.getOpenCase();
+                SleuthkitCase tsk = openCase.getSleuthkitCase();
+                List<AbstractFile> matches = tsk.findAllFilesWhere(String.format("md5 = '%s'", new Object[]{md5}));
+                
+                CorrelationCase caze = new CorrelationCase(openCase.getNumber(), openCase.getDisplayName());
+                                
+                for(AbstractFile file : matches){
+                    
+                    if(this.file.equals(file)){
+                        continue;
+                    }
+                    
+                    CorrelationDataSource dataSource = CorrelationDataSource.fromTSKDataSource(caze, file.getDataSource());
+                    String filePath = file.getParentPath();
+                    String comment = String.format("File Name: %s", new Object[]{file.getName()});
+                    TskData.FileKnown knownStatus = file.getKnown();
+                    CorrelationAttributeInstance inst = new CorrelationAttributeInstance(caze, dataSource, filePath, comment, knownStatus);
+                    
+                    artifactInstances.add(inst);
+                }                
+            }
+            
            return artifactInstances;
        } catch (EamDbException ex) {
            LOGGER.log(Level.SEVERE, "Error getting artifact instances from database.", ex); // NON-NLS
        } catch (NoCurrentCaseException ex) {
            LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS
+        } catch (TskCoreException ex) {
+            //TODO error handling
+            Exceptions.printStackTrace(ex);
        }

        return Collections.emptyList();
@ -453,10 +491,12 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D

    @Override
    public boolean isSupported(Node node) {
-        if (!EamDb.isEnabled()) {
-            return false;
-        }
+        //TODO for testing...
+//        if (!EamDb.isEnabled()) {
+//            return false;
+//        }

+        this.file = this.getAbstractFileFromNode(node);
        // Is supported if this node has correlatable content (File, BlackboardArtifact)
        return !getCorrelationAttributesFromNode(node).isEmpty();
    }
@ -464,14 +504,16 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
    @Override
    @Messages({"DataContentViewerOtherCases.table.nodbconnection=Cannot connect to central repository database."})
    public void setNode(Node node) {
-        if (!EamDb.isEnabled()) {
-            return;
-        }
+//        if (!EamDb.isEnabled()) {
+//            return;
+//        }

        reset(); // reset the table to empty.
        if (node == null) {
            return;
        }
+        //could be null
+        this.file = this.getAbstractFileFromNode(node);
        populateTable(node);
    }

@ -484,12 +526,11 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
    @Messages({"DataContentViewerOtherCases.table.isempty=There are no associated artifacts or files from other occurrences to display.",
        "DataContentViewerOtherCases.table.noArtifacts=Correlation cannot be performed on the selected file."})
    private void populateTable(Node node) {
-        AbstractFile af = getAbstractFileFromNode(node);
        String dataSourceName = "";
        String deviceId = "";
        try {
-            if (af != null) {
-                Content dataSource = af.getDataSource();
+            if (this.file != null) {
+                Content dataSource = this.file.getDataSource();
                dataSourceName = dataSource.getName();
                deviceId = Case.getOpenCase().getSleuthkitCase().getDataSource(dataSource.getId()).getDeviceId();
            }
@ -684,4 +725,5 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
    private javax.swing.JPanel tableStatusPanel;
    private javax.swing.JLabel tableStatusPanelLabel;
    // End of variables declaration//GEN-END:variables
+
 }