api-docs/4.22.0/_path_normalizer_8java_source.html

 /*

  * Autopsy Forensic Browser

  *

  * Copyright 2023 Basis Technology Corp.

  * Contact: carrier <at> sleuthkit <dot> org

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package com.basistech.df.cybertriage.autopsy.malwarescan;


 import com.google.common.net.InetAddresses;

 import java.net.InetAddress;

 import java.util.Collections;

 import java.util.HashSet;

 import java.util.List;

 import java.util.Locale;

 import java.util.Set;

 import java.util.logging.Level;

 import java.util.regex.Matcher;

 import java.util.regex.Pattern;

 import java.util.stream.Collectors;

 import org.apache.commons.lang3.StringUtils;

 import org.sleuthkit.autopsy.coreutils.Logger;

 import org.sleuthkit.datamodel.SleuthkitCase;

 import org.sleuthkit.datamodel.TskCoreException;


 class PathNormalizer {


     private static final Logger LOGGER = Logger.getLogger(PathNormalizer.class.getName());


     private static final String ANONYMIZED_USERNAME = "<user>";

     private static final String ANONYMIZED_IP = "<private_ip>";

     private static final String ANONYMIZED_HOSTNAME = "<hostname>";

     private static final String FORWARD_SLASH = "/";

     private static final String BACK_SLASH = "\\";


     private static final Pattern USER_PATH_FORWARD_SLASH_REGEX = Pattern.compile("(?<!all )([/]{0,1}\\Qusers\\E/)(?!(public|Default|defaultAccount|All Users))([^/]+)(/){0,1}", Pattern.CASE_INSENSITIVE);

     private static final Pattern USER_PATH_BACK_SLASH_REGEX = Pattern.compile("(?<!all )([\\\\]{0,1}\\Qusers\\E\\\\)(?!(public|Default|defaultAccount|All Users))([^\\\\]+)([\\\\]){0,1}", Pattern.CASE_INSENSITIVE);


     private static final Pattern USER_PATH_FORWARD_SLASH_REGEX_XP = Pattern.compile("([/]{0,1}\\Qdocuments and settings\\E/)(?!(Default User|All Users))([^/]+)(/){0,1}", Pattern.CASE_INSENSITIVE);

     private static final Pattern USER_PATH_BACK_SLASH_REGEX_XP = Pattern.compile("([\\\\]{0,1}\\Qdocuments and settings\\E\\\\)(?!(Default User|All Users))([^\\\\]+)(\\\\){0,1}", Pattern.CASE_INSENSITIVE);


     private static final Pattern UNC_PATH_FORWARD_SLASH_PATTERN = Pattern.compile("(//)([^/]+)(/){0,1}");

     private static final Pattern UNC_PATH_BACK_SLASH_PATTERN = Pattern.compile("(\\\\\\\\)([^\\\\]+)(\\\\){0,1}");


     private static final String USERNAME_REGEX_REPLACEMENT = "$1" + ANONYMIZED_USERNAME + "$4";


     private final SleuthkitCase skCase;


     PathNormalizer(SleuthkitCase skCase) {

         this.skCase = skCase;

     }


     protected List<String> getUsernames() {

         try {

             return this.skCase.getOsAccountManager().getOsAccounts().stream()

                     .filter(acct -> acct != null)

                     .map(acct -> acct.getLoginName().orElse(null))

                     .filter(StringUtils::isNotBlank)

                     .collect(Collectors.toList());

         } catch (TskCoreException ex) {

             LOGGER.log(Level.WARNING, "There was an error getting current os accounts", ex);

             return Collections.emptyList();

         }

     }


     public String normalizePath(String inputString) {

         if (StringUtils.isBlank(inputString)) {

             return "";

         }


         String anonymousString = anonymizeUserFromPathsWithForwardSlashes(inputString);

         anonymousString = anonymizeUserFromPathsWithBackSlashes(anonymousString);

         anonymousString = anonymizeServerFromUNCPath(anonymousString);


         return anonymousString;

     }


     private String anonymizeUserFromPathsWithForwardSlashes(String stringWithUsername) {

         String anonymousString = stringWithUsername;

         anonymousString = regexReplace(anonymousString, USER_PATH_FORWARD_SLASH_REGEX_XP, USERNAME_REGEX_REPLACEMENT);

         anonymousString = regexReplace(anonymousString, USER_PATH_FORWARD_SLASH_REGEX, USERNAME_REGEX_REPLACEMENT);

         anonymousString = replaceFolder(anonymousString, getUsernames(), ANONYMIZED_USERNAME, FORWARD_SLASH);

         return anonymousString;

     }


     // Most paths in CyberTriage are normalized with forward slashes

     // but there can still be strings containing paths that are not normalized such paths contained in arguments or event log payloads

     private String anonymizeUserFromPathsWithBackSlashes(String stringWithUsername) {

         String anonymousString = stringWithUsername;

         anonymousString = regexReplace(anonymousString, USER_PATH_BACK_SLASH_REGEX_XP, USERNAME_REGEX_REPLACEMENT);

         anonymousString = regexReplace(anonymousString, USER_PATH_BACK_SLASH_REGEX, USERNAME_REGEX_REPLACEMENT);

         anonymousString = replaceFolder(anonymousString, getUsernames(), ANONYMIZED_USERNAME, BACK_SLASH);


         return anonymousString;

     }


     private String anonymizeServerFromUNCPath(String inputString) {


         Set<String> serverNames = new HashSet<>();

         String anonymousString = inputString.toLowerCase(Locale.ENGLISH);


         Matcher forwardSlashMatcher = UNC_PATH_FORWARD_SLASH_PATTERN.matcher(anonymousString);

         while (forwardSlashMatcher.find()) {

             String serverName = forwardSlashMatcher.group(2);

             serverNames.add(serverName);

         }


         Matcher backSlashMatcher = UNC_PATH_BACK_SLASH_PATTERN.matcher(anonymousString);

         while (backSlashMatcher.find()) {

             String serverName = backSlashMatcher.group(2);

             serverNames.add(serverName);

         }


         for (String serverName : serverNames) {


             if (StringUtils.isBlank(serverName)) {

                 continue;

             }


             if (InetAddresses.isInetAddress(serverName) && isLocalIP(serverName)) {

                 anonymousString = replaceFolder(anonymousString, Collections.singletonList(serverName), ANONYMIZED_IP);

             } else {

                 anonymousString = replaceFolder(anonymousString, Collections.singletonList(serverName), ANONYMIZED_HOSTNAME);

             }


         }


         return anonymousString;

     }


     private static String regexReplace(String orig, Pattern pattern, String regexReplacement) {

         Matcher matcher = pattern.matcher(orig);

         return matcher.replaceAll(regexReplacement);

     }


     private static String replaceFolder(String orig, List<String> valuesToReplace, String replacementValue) {

         String anonymized = orig;

         anonymized = replaceFolder(anonymized, valuesToReplace, replacementValue, FORWARD_SLASH);

         anonymized = replaceFolder(anonymized, valuesToReplace, replacementValue, BACK_SLASH);

         return anonymized;

     }


     private static String replaceFolder(String orig, List<String> valuesToReplace, String replacementValue, String folderDelimiter) {

         if (orig == null || valuesToReplace == null) {

             return orig;

         }


         String anonymousString = orig;


         // ensure non-null

         folderDelimiter = StringUtils.defaultString(folderDelimiter);

         replacementValue = StringUtils.defaultString(replacementValue);


         // replace

         for (String valueToReplace : valuesToReplace) {

             if (StringUtils.isNotEmpty(valueToReplace)) {

                 anonymousString = StringUtils.replace(anonymousString,

                         folderDelimiter + valueToReplace + folderDelimiter,

                         folderDelimiter + replacementValue + folderDelimiter);

             }

         }


         return anonymousString;

     }


     public static boolean isLocalIP(String ipAddress) {

         try {

             InetAddress a = InetAddresses.forString(ipAddress);

             return a.isAnyLocalAddress() || a.isSiteLocalAddress()

                     || a.isLoopbackAddress() || a.isLinkLocalAddress();

         } catch (IllegalArgumentException ex) {

             LOGGER.log(Level.WARNING, "Invalid IP string", ex);

             return false;

         }

     }


 }

org::sleuthkit

org

com

org::sleuthkit.autopsy.coreutils
Definition: AppSQLiteDB.java:19

org::sleuthkit.autopsy.coreutils.Logger
Definition: Logger.java:36

org::sleuthkit::datamodel::TskCoreException

org::sleuthkit::datamodel::SleuthkitCase

org::sleuthkit::datamodel

org::sleuthkit.autopsy