OsAccountInstance.java

Go to the documentation of this file.

/*
 * Sleuth Kit Data Model
 *
 * Copyright 2021 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.datamodel;
 
import java.util.Arrays;
import java.util.Objects;
import java.util.ResourceBundle;

public class OsAccountInstance implements Comparable<OsAccountInstance> {
 
        private static final ResourceBundle bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle");
 
        private final SleuthkitCase skCase;
        private final long instanceId;
        private final long accountId;
        private final long dataSourceId;
        private final OsAccountInstanceType instanceType;
 
        private OsAccount account;
        private DataSource dataSource;

        OsAccountInstance(SleuthkitCase skCase, long instanceId, OsAccount account, long dataSourceId, OsAccountInstanceType instanceType) {
                this(skCase, instanceId, account.getId(), dataSourceId, instanceType);
                this.account = account;
        }

        OsAccountInstance(SleuthkitCase skCase, long instanceId, long accountObjId, long dataSourceObjId, OsAccountInstanceType instanceType) {
                this.skCase = skCase;
                this.instanceId = instanceId;
                this.accountId = accountObjId;
                this.dataSourceId = dataSourceObjId;
                this.instanceType = instanceType;
        }

        public long getInstanceId() {
                return instanceId;
        }

        public OsAccount getOsAccount() throws TskCoreException {
                if (account == null) {
                        try {
                                account = skCase.getOsAccountManager().getOsAccountByObjectId(accountId);
                        } catch (TskCoreException ex) {
                                throw new TskCoreException(String.format("Failed to get OsAccount for id %d", accountId), ex);
                        }
                }
 
                return account;
        }

        public DataSource getDataSource() throws TskCoreException {
                if (dataSource == null) {
                        try {
                                dataSource = skCase.getDataSource(dataSourceId);
                        } catch (TskDataException ex) {
                                throw new TskCoreException(String.format("Failed to get DataSource for id %d", dataSourceId), ex);
                        }
                }
 
                return dataSource;
        }

        public OsAccountInstanceType getInstanceType() {
                return instanceType;
        }

        private long getDataSourceId() {
                return dataSourceId;
        }
 
        @Override
        public int compareTo(OsAccountInstance other) {
                if (equals(other)) {
                        return 0;
                }
 
                if (dataSourceId != other.getDataSourceId()) {
                        return Long.compare(dataSourceId, other.getDataSourceId());
                }
 
                return Long.compare(accountId, other.accountId);
        }
 
        @Override
        public boolean equals(Object obj) {
                if (this == obj) {
                        return true;
                }
                if (obj == null) {
                        return false;
                }
                if (getClass() != obj.getClass()) {
                        return false;
                }
                final OsAccountInstance other = (OsAccountInstance) obj;
                
                if(this.instanceId != other.instanceId) {
                        return false;
                }
                
                if (this.accountId != other.accountId) {
                        return false;
                }
                
                if(this.instanceType != other.instanceType) {
                        return false;
                }
                
                return this.dataSourceId == other.getDataSourceId();
        }
 
        @Override
        public int hashCode() {
                int hash = 7;
                hash = 67 * hash + Objects.hashCode(this.instanceId);
                hash = 67 * hash + Objects.hashCode(this.dataSourceId);
                hash = 67 * hash + Objects.hashCode(this.accountId);
                hash = 67 * hash + Objects.hashCode(this.instanceType);
                return hash;
        }

        public enum OsAccountInstanceType {
                LAUNCHED(0, bundle.getString("OsAccountInstanceType.Launched.text"), bundle.getString("OsAccountInstanceType.Launched.descr.text")), // user had an interactive session or launched a program on the host
                ACCESSED(1, bundle.getString("OsAccountInstanceType.Accessed.text"), bundle.getString("OsAccountInstanceType.Accessed.descr.text")), // user accesed a resource/file for read/write. Could have been via a service (such as a file share) or a SID on a random file from an unknown location.  NOTE: Because Windows event logs do not show if an authentication was for an interactive login or accessing a service, we mark a user as ACCESSED based on authentication. They become LAUNCHED if we have proof of them starting a program or getting an interactive login. 
                REFERENCED(2, bundle.getString("OsAccountInstanceType.Referenced.text"), bundle.getString("OsAccountInstanceType.Referenced.descr.text"));      // user was referenced in a log file (e.g. in a event log) or registry, but there was no evidence of activity or ownership on the host. Examples include an account that was never used and entries on a log server. 
        
 
                private final int id;
                private final String name;
                private final String description;
 
                OsAccountInstanceType(int id, String name, String description) {
                        this.id = id;
                        this.name = name;
                        this.description = description;
                }

                public int getId() {
                        return id;
                }

                public String getName() {
                        return name;
                }

                public String getDescription() {
                        return description;
                }

                public static OsAccountInstanceType fromID(int typeId) {
                        for (OsAccountInstanceType statusType : OsAccountInstanceType.values()) {
                                if (statusType.ordinal() == typeId) {
                                        return statusType;
                                }
                        }
                        return null;
                }
                
                public static OsAccountInstanceType fromString(String name) {
                        return Arrays.stream(values())
                                        .filter(val -> val.getName().equals(name))
                                        .findFirst().orElse(null);
                }
        }
}