Commit 536f3a9a authored by Greg DiCristofaro's avatar Greg DiCristofaro

Merge branch 'develop' of github.com:sleuthkit/sleuthkit into 8160-dataArtifactEvents

parents 5ba94309 2142ca1c
...@@ -948,7 +948,7 @@ private Score deleteAnalysisResult(AnalysisResult analysisResult, CaseDbTransact ...@@ -948,7 +948,7 @@ private Score deleteAnalysisResult(AnalysisResult analysisResult, CaseDbTransact
} }
} }
private final static String ANALYSIS_RESULT_QUERY_STRING = "SELECT DISTINCT artifacts.artifact_id AS artifact_id, " //NON-NLS private final static String ANALYSIS_RESULT_QUERY_STRING_GENERIC = "SELECT DISTINCT artifacts.artifact_id AS artifact_id, " //NON-NLS
+ " artifacts.obj_id AS obj_id, artifacts.artifact_obj_id AS artifact_obj_id, artifacts.data_source_obj_id AS data_source_obj_id, artifacts.artifact_type_id AS artifact_type_id, " + " artifacts.obj_id AS obj_id, artifacts.artifact_obj_id AS artifact_obj_id, artifacts.data_source_obj_id AS data_source_obj_id, artifacts.artifact_type_id AS artifact_type_id, "
+ " types.type_name AS type_name, types.display_name AS display_name, types.category_type as category_type,"//NON-NLS + " types.type_name AS type_name, types.display_name AS display_name, types.category_type as category_type,"//NON-NLS
+ " artifacts.review_status_id AS review_status_id, " //NON-NLS + " artifacts.review_status_id AS review_status_id, " //NON-NLS
...@@ -958,7 +958,16 @@ private Score deleteAnalysisResult(AnalysisResult analysisResult, CaseDbTransact ...@@ -958,7 +958,16 @@ private Score deleteAnalysisResult(AnalysisResult analysisResult, CaseDbTransact
+ " JOIN blackboard_artifact_types AS types " //NON-NLS + " JOIN blackboard_artifact_types AS types " //NON-NLS
+ " ON artifacts.artifact_type_id = types.artifact_type_id" //NON-NLS + " ON artifacts.artifact_type_id = types.artifact_type_id" //NON-NLS
+ " LEFT JOIN tsk_analysis_results AS results " + " LEFT JOIN tsk_analysis_results AS results "
+ " ON artifacts.artifact_obj_id = results.artifact_obj_id " //NON-NLS + " ON artifacts.artifact_obj_id = results.artifact_obj_id "; //NON-NLS
private final static String ANALYSIS_RESULT_QUERY_STRING_WITH_ATTRIBUTES =
ANALYSIS_RESULT_QUERY_STRING_GENERIC
+ " JOIN blackboard_attributes AS attributes " //NON-NLS
+ " ON artifacts.artifact_id = attributes.artifact_id " //NON-NLS
+ " WHERE types.category_type = " + BlackboardArtifact.Category.ANALYSIS_RESULT.getID(); // NON-NLS
private final static String ANALYSIS_RESULT_QUERY_STRING_WHERE =
ANALYSIS_RESULT_QUERY_STRING_GENERIC
+ " WHERE artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID() //NON-NLS + " WHERE artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID() //NON-NLS
+ " AND types.category_type = " + BlackboardArtifact.Category.ANALYSIS_RESULT.getID(); // NON-NLS + " AND types.category_type = " + BlackboardArtifact.Category.ANALYSIS_RESULT.getID(); // NON-NLS
...@@ -1159,7 +1168,7 @@ public List<AnalysisResult> getAnalysisResultsWhere(String whereClause) throws T ...@@ -1159,7 +1168,7 @@ public List<AnalysisResult> getAnalysisResultsWhere(String whereClause) throws T
*/ */
List<AnalysisResult> getAnalysisResultsWhere(String whereClause, CaseDbConnection connection) throws TskCoreException { List<AnalysisResult> getAnalysisResultsWhere(String whereClause, CaseDbConnection connection) throws TskCoreException {
final String queryString = ANALYSIS_RESULT_QUERY_STRING final String queryString = ANALYSIS_RESULT_QUERY_STRING_WHERE
+ " AND " + whereClause; + " AND " + whereClause;
try (Statement statement = connection.createStatement(); try (Statement statement = connection.createStatement();
...@@ -1226,17 +1235,26 @@ private List<AnalysisResult> resultSetToAnalysisResults(ResultSet resultSet) thr ...@@ -1226,17 +1235,26 @@ private List<AnalysisResult> resultSetToAnalysisResults(ResultSet resultSet) thr
return analysisResults; return analysisResults;
} }
private final static String DATA_ARTIFACT_QUERY_STRING = "SELECT DISTINCT artifacts.artifact_id AS artifact_id, " //NON-NLS private final static String DATA_ARTIFACT_QUERY_STRING_GENERIC = "SELECT DISTINCT artifacts.artifact_id AS artifact_id, " //NON-NLS
+ "artifacts.obj_id AS obj_id, artifacts.artifact_obj_id AS artifact_obj_id, artifacts.data_source_obj_id AS data_source_obj_id, artifacts.artifact_type_id AS artifact_type_id, " //NON-NLS + "artifacts.obj_id AS obj_id, artifacts.artifact_obj_id AS artifact_obj_id, artifacts.data_source_obj_id AS data_source_obj_id, artifacts.artifact_type_id AS artifact_type_id, " //NON-NLS
+ " types.type_name AS type_name, types.display_name AS display_name, types.category_type as category_type,"//NON-NLS + " types.type_name AS type_name, types.display_name AS display_name, types.category_type as category_type,"//NON-NLS
+ " artifacts.review_status_id AS review_status_id, " //NON-NLS + " artifacts.review_status_id AS review_status_id, " //NON-NLS
+ " data_artifacts.os_account_obj_id as os_account_obj_id " //NON-NLS + " data_artifacts.os_account_obj_id as os_account_obj_id " //NON-NLS
+ " FROM blackboard_artifacts AS artifacts " + " FROM blackboard_artifacts AS artifacts " //NON-NLS
+ " JOIN blackboard_artifact_types AS types " //NON-NLS + " JOIN blackboard_artifact_types AS types " //NON-NLS
+ " ON artifacts.artifact_type_id = types.artifact_type_id" //NON-NLS + " ON artifacts.artifact_type_id = types.artifact_type_id" //NON-NLS
+ " LEFT JOIN tsk_data_artifacts AS data_artifacts " + " LEFT JOIN tsk_data_artifacts AS data_artifacts " //NON-NLS
+ " ON artifacts.artifact_obj_id = data_artifacts.artifact_obj_id " //NON-NLS + " ON artifacts.artifact_obj_id = data_artifacts.artifact_obj_id "; //NON-NLS
private final static String DATA_ARTIFACT_QUERY_STRING_WITH_ATTRIBUTES =
DATA_ARTIFACT_QUERY_STRING_GENERIC
+ " JOIN blackboard_attributes AS attributes " //NON-NLS
+ " ON artifacts.artifact_id = attributes.artifact_id " //NON-NLS
+ " WHERE types.category_type = " + BlackboardArtifact.Category.DATA_ARTIFACT.getID(); // NON-NLS
private final static String DATA_ARTIFACT_QUERY_STRING_WHERE =
DATA_ARTIFACT_QUERY_STRING_GENERIC
+ " WHERE artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID() //NON-NLS + " WHERE artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID() //NON-NLS
+ " AND types.category_type = " + BlackboardArtifact.Category.DATA_ARTIFACT.getID(); // NON-NLS + " AND types.category_type = " + BlackboardArtifact.Category.DATA_ARTIFACT.getID(); // NON-NLS
...@@ -1384,13 +1402,13 @@ public List<DataArtifact> getDataArtifactsWhere(String whereClause) throws TskCo ...@@ -1384,13 +1402,13 @@ public List<DataArtifact> getDataArtifactsWhere(String whereClause) throws TskCo
*/ */
List<DataArtifact> getDataArtifactsWhere(String whereClause, CaseDbConnection connection) throws TskCoreException { List<DataArtifact> getDataArtifactsWhere(String whereClause, CaseDbConnection connection) throws TskCoreException {
final String queryString = DATA_ARTIFACT_QUERY_STRING final String queryString = DATA_ARTIFACT_QUERY_STRING_WHERE
+ " AND " + whereClause + " "; + " AND " + whereClause + " ";
try (Statement statement = connection.createStatement(); try (Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, queryString);) { ResultSet resultSet = connection.executeQuery(statement, queryString);) {
List<DataArtifact> dataArtifacts = resultSetToDataArtifacts(resultSet, connection); List<DataArtifact> dataArtifacts = resultSetToDataArtifacts(resultSet);
return dataArtifacts; return dataArtifacts;
} catch (SQLException ex) { } catch (SQLException ex) {
throw new TskCoreException(String.format("Error getting data artifacts with queryString = %s", queryString), ex); throw new TskCoreException(String.format("Error getting data artifacts with queryString = %s", queryString), ex);
...@@ -1404,7 +1422,6 @@ List<DataArtifact> getDataArtifactsWhere(String whereClause, CaseDbConnection co ...@@ -1404,7 +1422,6 @@ List<DataArtifact> getDataArtifactsWhere(String whereClause, CaseDbConnection co
* @param resultSet A result set from a query of the blackboard_artifacts * @param resultSet A result set from a query of the blackboard_artifacts
* table of the form "SELECT * FROM blackboard_artifacts, * table of the form "SELECT * FROM blackboard_artifacts,
* tsk_data_artifacts WHERE ...". * tsk_data_artifacts WHERE ...".
* @param connection Database connection.
* *
* @return A list of DataArtifact objects. * @return A list of DataArtifact objects.
* *
...@@ -1413,7 +1430,7 @@ List<DataArtifact> getDataArtifactsWhere(String whereClause, CaseDbConnection co ...@@ -1413,7 +1430,7 @@ List<DataArtifact> getDataArtifactsWhere(String whereClause, CaseDbConnection co
* @throws TskCoreException Thrown if there is an error looking up the * @throws TskCoreException Thrown if there is an error looking up the
* artifact type id. * artifact type id.
*/ */
private List<DataArtifact> resultSetToDataArtifacts(ResultSet resultSet, CaseDbConnection connection) throws SQLException, TskCoreException { private List<DataArtifact> resultSetToDataArtifacts(ResultSet resultSet) throws SQLException, TskCoreException {
ArrayList<DataArtifact> dataArtifacts = new ArrayList<>(); ArrayList<DataArtifact> dataArtifacts = new ArrayList<>();
while (resultSet.next()) { while (resultSet.next()) {
...@@ -1661,6 +1678,57 @@ public List<BlackboardArtifact> getArtifacts(Collection<BlackboardArtifact.Type> ...@@ -1661,6 +1678,57 @@ public List<BlackboardArtifact> getArtifacts(Collection<BlackboardArtifact.Type>
return artifacts; return artifacts;
} }
/**
* Get all blackboard artifacts of the given type that contain attribute of
* given type and value, for a given data source(s).
*
* @param artifactType artifact type to get
* @param attributeType attribute type to be included
* @param value attribute value to be included. can be empty.
* @param dataSourceObjId data source to look under. If Null, then search
* all data sources.
* @param showRejected a flag whether to display rejected artifacts
*
* @return list of blackboard artifacts
*
* @throws TskCoreException exception thrown if a critical error occurs
* within TSK core
*/
public List<BlackboardArtifact> getArtifacts(BlackboardArtifact.Type artifactType,
BlackboardAttribute.Type attributeType, String value, Long dataSourceObjId,
boolean showRejected) throws TskCoreException {
String query = " AND artifacts.artifact_type_id = " + artifactType.getTypeID() //NON-NLS
+ " AND attributes.attribute_type_id = " + attributeType.getTypeID() //NON-NLS
+ ((value == null || value.isEmpty()) ? "" : " AND attributes.value_text = '" + value + "'") //NON-NLS
+ (showRejected ? "" : " AND artifacts.review_status_id != " + BlackboardArtifact.ReviewStatus.REJECTED.getID()) //NON-NLS
+ (dataSourceObjId != null ? " AND artifacts.data_source_obj_id = " + dataSourceObjId : ""); //NON-NLS
List<BlackboardArtifact> artifacts = new ArrayList<>();
caseDb.acquireSingleUserCaseReadLock();
String finalQuery = (artifactType.getCategory() == BlackboardArtifact.Category.ANALYSIS_RESULT
? ANALYSIS_RESULT_QUERY_STRING_WITH_ATTRIBUTES + query
: DATA_ARTIFACT_QUERY_STRING_WITH_ATTRIBUTES + query);
try (CaseDbConnection connection = caseDb.getConnection()) {
try (Statement statement = connection.createStatement();
ResultSet resultSet = connection.executeQuery(statement, finalQuery);) {
if (artifactType.getCategory() == BlackboardArtifact.Category.ANALYSIS_RESULT) {
artifacts.addAll(resultSetToAnalysisResults(resultSet));
} else {
artifacts.addAll(resultSetToDataArtifacts(resultSet));
}
} catch (SQLException ex) {
throw new TskCoreException(String.format("Error getting results with queryString = '%s'", finalQuery), ex);
}
} finally {
caseDb.releaseSingleUserCaseReadLock();
}
return artifacts;
}
/** /**
* Gets count of blackboard artifacts of given type that match a given WHERE * Gets count of blackboard artifacts of given type that match a given WHERE
* clause. Uses a SELECT COUNT(*) FROM blackboard_artifacts statement * clause. Uses a SELECT COUNT(*) FROM blackboard_artifacts statement
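Review bot: In the new public `getArtifacts(artifactType, attributeType, value, dataSourceObjId, showRejected)` overload, `value` is spliced into the SQL text as `" AND attributes.value_text = '" + value + "'"`, so a value containing a single quote either breaks the statement or changes what it selects. Attribute text in a case database may well originate from the evidence under examination, so it should be treated as untrusted and bound as a parameter (`" AND attributes.value_text = ?"` with the value set on a prepared statement) instead of being concatenated. The same string is echoed into the `TskCoreException` message through `finalQuery`, which is worth keeping in mind if those messages are logged or shown. Separately, `caseDb.acquireSingleUserCaseReadLock()` is called before `finalQuery` is built and outside the `try`, so an exception while building the query would leave the read lock held; acquiring it immediately before the `try` avoids that.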