Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
EvalAccountObj.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
26 
27 import java.util.List;
28 import java.util.ArrayList;
29 
30 import org.mitre.cybox.objects.AccountObjectType;
31 import org.mitre.cybox.objects.UserAccountObjectType;
32 import org.mitre.cybox.objects.WindowsUserAccount;
33 
37 class EvalAccountObj extends EvaluatableObject {
38 
39  private AccountObjectType obj;
40 
41  public EvalAccountObj(AccountObjectType a_obj, String a_id, String a_spacing) {
42  obj = a_obj;
43  id = a_id;
44  spacing = a_spacing;
45  }
46 
47  @Override
48  public synchronized ObservableResult evaluate() {
49 
50  setWarnings("");
51 
52  // Fields we can search for:
53  // UserAccount: Home_Directory, Username
54  // WinUserAccount: SID
55  if (!(obj instanceof UserAccountObjectType)) {
56  return new ObservableResult(id, "AccountObject: Can not process \"Account\" - need a User_Account or Windows_User_Account", //NON-NLS
57  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
58  }
59 
60  // For displaying what we were looking for in the results
61  String searchString = "";
62 
63  // Check which fields are present and record them
64  boolean haveHomeDir = false;
65  boolean haveUsername = false;
66  boolean haveSID = false;
67 
68  UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
69  if (userAccountObj.getHomeDirectory() != null) {
70  haveHomeDir = true;
71  searchString = "HomeDir \"" + userAccountObj.getHomeDirectory().getValue().toString() + "\""; //NON-NLS
72  }
73  if (userAccountObj.getUsername() != null) {
74  haveUsername = true;
75  if (!searchString.isEmpty()) {
76  searchString += " and "; //NON-NLS
77  }
78  searchString += "Username \"" + userAccountObj.getUsername().getValue().toString() + "\""; //NON-NLS
79  }
80 
81  WindowsUserAccount winUserObj = null;
82  if (obj instanceof WindowsUserAccount) {
83  winUserObj = (WindowsUserAccount) obj;
84 
85  if (winUserObj.getSecurityID() != null) {
86  haveSID = true;
87  if (!searchString.isEmpty()) {
88  searchString += " and "; //NON-NLS
89  }
90  searchString += "SID \"" + winUserObj.getSecurityID().getValue().toString() + "\""; //NON-NLS
91  }
92  }
93 
94  if (!(haveHomeDir || haveUsername || haveSID)) {
95  return new ObservableResult(id, "AccountObject: No evaluatable fields found", //NON-NLS
96  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
97  }
98 
99  // Set warnings for any unsupported fields
100  setUnsupportedFieldWarnings();
101 
102  // The assumption here is that there aren't going to be too many network shares, so we
103  // can cycle through all of them.
104  try {
105  List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();
106 
107  Case case1 = Case.getCurrentCase();
108  SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
109  List<BlackboardArtifact> artList
111 
112  for (BlackboardArtifact art : artList) {
113  boolean foundHomeDirMatch = false;
114  boolean foundUsernameMatch = false;
115  boolean foundSIDMatch = false;
116 
117  for (BlackboardAttribute attr : art.getAttributes()) {
118  if ((attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH.getTypeID())
119  && (haveHomeDir)) {
120  foundHomeDirMatch = compareStringObject(userAccountObj.getHomeDirectory(), attr.getValueString());
121  }
122  if ((attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID())
123  && (haveUsername)) {
124  foundUsernameMatch = compareStringObject(userAccountObj.getUsername(), attr.getValueString());
125  }
126  if ((attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID())
127  && (haveSID) && (winUserObj != null)) {
128  foundSIDMatch = compareStringObject(winUserObj.getSecurityID(), attr.getValueString());
129  }
130  }
131 
132  if (((!haveHomeDir) || foundHomeDirMatch)
133  && ((!haveUsername) || foundUsernameMatch)
134  && ((!haveSID) || foundSIDMatch)) {
135  finalHits.add(art);
136  }
137 
138  }
139 
140  // Check if we found any matches
141  if (!finalHits.isEmpty()) {
142  List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
143  for (BlackboardArtifact a : finalHits) {
144  artData.add(new StixArtifactData(a.getObjectID(), id, "Account")); //NON-NLS
145  }
146  return new ObservableResult(id, "AccountObject: Found a match for " + searchString, //NON-NLS
147  spacing, ObservableResult.ObservableState.TRUE, artData);
148  }
149 
150  // Didn't find any matches
151  return new ObservableResult(id, "AccountObject: No matches found for " + searchString, //NON-NLS
152  spacing, ObservableResult.ObservableState.FALSE, null);
153  } catch (TskCoreException ex) {
154  return new ObservableResult(id, "AccountObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
155  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
156  }
157 
158  }
159 
163  private void setUnsupportedFieldWarnings() {
164  List<String> fieldNames = new ArrayList<String>();
165 
166  if (obj.getDescription() != null) {
167  fieldNames.add("Description"); //NON-NLS
168  }
169  if (obj.getDomain() != null) {
170  fieldNames.add("Domain"); //NON-NLS
171  }
172  if (obj.getAuthentications() != null) {
173  fieldNames.add("Authentication"); //NON-NLS
174  }
175  if (obj.getCreationDate() != null) {
176  fieldNames.add("Creation_Date"); //NON-NLS
177  }
178  if (obj.getModifiedDate() != null) {
179  fieldNames.add("Modified_Date"); //NON-NLS
180  }
181  if (obj.getLastAccessedTime() != null) {
182  fieldNames.add("Last_Accessed_Time"); //NON-NLS
183  }
184 
185  if (obj instanceof UserAccountObjectType) {
186  UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
187  if (userAccountObj.getFullName() != null) {
188  fieldNames.add("Full_Name"); //NON-NLS
189  }
190  if (userAccountObj.getGroupList() != null) {
191  fieldNames.add("Group_List"); //NON-NLS
192  }
193  if (userAccountObj.getLastLogin() != null) {
194  fieldNames.add("Last_Login"); //NON-NLS
195  }
196  if (userAccountObj.getPrivilegeList() != null) {
197  fieldNames.add("Privilege_List"); //NON-NLS
198  }
199  if (userAccountObj.getScriptPath() != null) {
200  fieldNames.add("Script_Path"); //NON-NLS
201  }
202  if (userAccountObj.getUserPasswordAge() != null) {
203  fieldNames.add("User_Password_Age"); //NON-NLS
204  }
205  }
206 
207  if (obj instanceof WindowsUserAccount) {
208  WindowsUserAccount winUserObj = (WindowsUserAccount) obj;
209 
210  if (winUserObj.getSecurityType() != null) {
211  fieldNames.add("Security_Type"); //NON-NLS
212  }
213  }
214 
215  String warningStr = "";
216  for (String name : fieldNames) {
217  if (!warningStr.isEmpty()) {
218  warningStr += ", ";
219  }
220  warningStr += name;
221  }
222 
223  addWarning("Unsupported field(s): " + warningStr); //NON-NLS
224  }
225 
226 }
ArrayList< BlackboardArtifact > getBlackboardArtifacts(int artifactTypeID)

Copyright © 2012-2016 Basis Technology. Generated on: Mon Apr 24 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.