Autopsy  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EncryptionDetectionTools.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.encryptiondetection;
20 
21 import java.io.BufferedInputStream;
22 import java.io.IOException;
23 import java.io.InputStream;
24 import org.openide.util.NbBundle;
27 import org.sleuthkit.datamodel.ReadContentInputStream;
28 import org.sleuthkit.datamodel.Content;
29 
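/**
 * Static helpers for the encryption detection package: range validation of
 * the user-supplied thresholds and a Shannon entropy calculation over the
 * bytes of a {@link Content} object.
 *
 * Entropy is only a heuristic. Compressed and otherwise densely packed data
 * also score close to 8 bits per byte, so a high result is a reason to look
 * closer, not proof of encryption.
 */
final class EncryptionDetectionTools {

    private static final double ONE_OVER_LOG2 = 1.4426950408889634073599246810019; // (1 / log(2))
    private static final int BYTE_OCCURENCES_BUFFER_SIZE = 256;
    // Number of bytes read between two cancellation checks.
    private static final long CANCELLATION_CHECK_INTERVAL = 10000;
    static final double MINIMUM_ENTROPY_INPUT_RANGE_MIN = 6.0;
    static final double MINIMUM_ENTROPY_INPUT_RANGE_MAX = 8.0;
    static final int MINIMUM_FILE_SIZE_INPUT_RANGE_MIN = 1;

    /**
     * Checks that a minimum entropy setting lies within
     * [{@link #MINIMUM_ENTROPY_INPUT_RANGE_MIN},
     * {@link #MINIMUM_ENTROPY_INPUT_RANGE_MAX}].
     *
     * @param minimumEntropy The minimum entropy threshold to validate.
     *
     * @throws IngestModule.IngestModuleException If the value is outside the
     *                                            range or is not a number.
     */
    @NbBundle.Messages({
        "EncryptionDetectionTools.errorMessage.minimumEntropyInput=Minimum entropy input must be a number between 6.0 and 8.0."
    })
    static void validateMinEntropyValue(double minimumEntropy) throws IngestModule.IngestModuleException {
        // Written as a negated "in range" test so that NaN is rejected too:
        // every ordered comparison with NaN is false, so the usual
        // "below min or above max" form lets NaN through. A NaN threshold
        // would presumably never be met by any computed entropy, which would
        // silently switch detection off.
        boolean inRange = minimumEntropy >= MINIMUM_ENTROPY_INPUT_RANGE_MIN
                && minimumEntropy <= MINIMUM_ENTROPY_INPUT_RANGE_MAX;
        if (!inRange) {
            throw new IngestModule.IngestModuleException(Bundle.EncryptionDetectionTools_errorMessage_minimumEntropyInput());
        }
    }

    /**
     * Checks that a minimum file size setting (in megabytes, per the error
     * message) is at least {@link #MINIMUM_FILE_SIZE_INPUT_RANGE_MIN}.
     *
     * @param minimumFileSize The minimum file size to validate.
     *
     * @throws IngestModule.IngestModuleException If the value is below the
     *                                            allowed minimum.
     */
    @NbBundle.Messages({
        "EncryptionDetectionTools.errorMessage.minimumFileSizeInput=Minimum file size input must be an integer (in megabytes) of 1 or greater."
    })
    static void validateMinFileSizeValue(int minimumFileSize) throws IngestModule.IngestModuleException {
        if (minimumFileSize < MINIMUM_FILE_SIZE_INPUT_RANGE_MIN) {
            throw new IngestModule.IngestModuleException(Bundle.EncryptionDetectionTools_errorMessage_minimumFileSizeInput());
        }
    }

    /**
     * Calculates the Shannon entropy, in bits per byte (0.0 to 8.0), of the
     * data in the given content.
     *
     * The job is polled for cancellation every
     * {@link #CANCELLATION_CHECK_INTERVAL} bytes. On cancellation the method
     * returns 0, which cannot be told apart from content that really has zero
     * entropy; callers that need the difference must check the cancellation
     * state themselves.
     *
     * @param content The content to read and measure.
     * @param context The ingest job context, used only for cancellation
     *                checks.
     *
     * @return The entropy of the bytes read, or 0 if the content is empty or
     *         the job was cancelled.
     *
     * @throws ReadContentInputStream.ReadContentInputStreamException If the
     *                     content cannot be read.
     * @throws IOException If the stream fails while being read or closed.
     */
    static double calculateEntropy(Content content, IngestJobContext context) throws ReadContentInputStream.ReadContentInputStreamException, IOException {
        /*
         * Logic in this method is based on
         * https://github.com/willjasen/entropy/blob/master/entropy.java
         */

        /*
         * Determine the number of times each byte value appears. The counters
         * are long: an int counter wraps negative once a single byte value
         * occurs more than Integer.MAX_VALUE times, and a negative counter is
         * then skipped by the "> 0" test below, distorting the result for
         * very large content.
         */
        long[] byteOccurences = new long[BYTE_OCCURENCES_BUFFER_SIZE];
        long bytesRead = 0;

        // try-with-resources closes both streams even when one close() throws.
        try (InputStream in = new ReadContentInputStream(content);
                BufferedInputStream bin = new BufferedInputStream(in)) {
            int readByte;
            while ((readByte = bin.read()) != -1) {
                byteOccurences[readByte]++;
                bytesRead++;

                if (bytesRead % CANCELLATION_CHECK_INTERVAL == 0
                        && (context.dataSourceIngestIsCancelled() || context.fileIngestIsCancelled())) {
                    return 0;
                }
            }
        }

        if (bytesRead == 0) {
            // Nothing was read, so there is no distribution to measure.
            return 0;
        }

        /*
         * Calculate the entropy based on the byte occurence counts. The
         * divisor is the number of bytes actually counted, so the
         * probabilities sum to exactly 1. Dividing by content.getSize() - 1
         * overstates every probability and divides by zero for one-byte
         * content.
         */
        double entropyAccumulator = 0;
        for (long occurrences : byteOccurences) {
            if (occurrences > 0) {
                double byteProbability = (double) occurrences / (double) bytesRead;
                entropyAccumulator += (byteProbability * Math.log(byteProbability) * ONE_OVER_LOG2);
            }
        }

        return -entropyAccumulator;
    }

    /**
     * Private constructor: this is a static utility class and is never
     * instantiated.
     */
    private EncryptionDetectionTools() {
    }
}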

Copyright © 2012-2019 Basis Technology. Generated on: Tue Jan 7 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.