EvalNetworkShareObj.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
21 import java.util.ArrayList;
27 
28 import java.util.List;
29 import org.mitre.cybox.common_2.ConditionApplicationEnum;
30 
31 import org.mitre.cybox.objects.WindowsNetworkShare;
32 
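/**
 * Evaluates a CybOX {@code WindowsNetworkShare} observable against the
 * TSK_REMOTE_DRIVE artifacts of the current case.
 *
 * Only the Netname and Local_Path fields take part in the match: Netname is
 * compared with the TSK_REMOTE_PATH attribute and Local_Path with the
 * TSK_LOCAL_PATH attribute, and an artifact is a hit only when every field the
 * observable actually sets matches. Current_Uses, Max_Uses and Type are not
 * used and are reported as unsupported. The field values come straight from
 * the STIX document and are echoed, unmodified, into the result text.
 */
class EvalNetworkShareObj extends EvaluatableObject {

    private final WindowsNetworkShare obj;

    /**
     * @param a_obj the CybOX network share object to evaluate
     * @param a_id the id carried into every ObservableResult and StixArtifactData produced
     * @param a_spacing spacing string passed through to the ObservableResult
     */
    public EvalNetworkShareObj(WindowsNetworkShare a_obj, String a_id, String a_spacing) {
        obj = a_obj;
        id = a_id;
        spacing = a_spacing;
    }

    /**
     * Evaluates the observable against every TSK_REMOTE_DRIVE artifact in the current case.
     *
     * @return INDETERMINATE when neither Netname nor Local_Path is set, or when the case
     *         database throws; TRUE with one StixArtifactData per matching artifact;
     *         FALSE when no artifact matches.
     */
    @Override
    public synchronized ObservableResult evaluate() {

        setWarnings("");

        if ((obj.getNetname() == null) && (obj.getLocalPath() == null)) {
            return new ObservableResult(id, "NetworkShareObject: No remote name or local path found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        // For displaying what we were looking for in the results
        String searchString = "";
        if (obj.getNetname() != null) {
            searchString += "Netname \"" + obj.getNetname().getValue() + "\""; //NON-NLS
            warnIfApplyConditionUnsupported(obj.getNetname().getApplyCondition());
        }
        if (obj.getLocalPath() != null) {
            if (!searchString.isEmpty()) {
                searchString += " and "; //NON-NLS
            }
            searchString += "LocalPath \"" + obj.getLocalPath().getValue() + "\""; //NON-NLS
            warnIfApplyConditionUnsupported(obj.getLocalPath().getApplyCondition());
        }

        setUnsupportedFieldWarnings();

        // The assumption here is that there aren't going to be too many network shares, so we
        // can cycle through all of them.
        try {
            List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();

            Case case1 = Case.getCurrentCase();
            SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
            List<BlackboardArtifact> artList
                    = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_REMOTE_DRIVE);

            for (BlackboardArtifact art : artList) {
                if (matchesArtifact(art)) {
                    finalHits.add(art);
                }
            }

            if (!finalHits.isEmpty()) {
                List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
                for (BlackboardArtifact a : finalHits) {
                    artData.add(new StixArtifactData(a.getObjectID(), id, "NetworkShare")); //NON-NLS
                }
                return new ObservableResult(id, "NetworkShareObject: Found a match for " + searchString, //NON-NLS
                        spacing, ObservableResult.ObservableState.TRUE, artData);
            }

            return new ObservableResult(id, "NetworkShareObject: No matches found for " + searchString, //NON-NLS
                    spacing, ObservableResult.ObservableState.FALSE, null);
        } catch (TskCoreException ex) {
            return new ObservableResult(id, "NetworkShareObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
    }

    /**
     * Adds a warning when an apply condition other than ANY is set. The match below
     * only implements ANY semantics; ALL and NONE are unlikely in practice, so they
     * are flagged rather than rejected.
     *
     * @param cond the apply condition of a field, possibly null
     */
    private void warnIfApplyConditionUnsupported(ConditionApplicationEnum cond) {
        if ((cond != null) && (cond != ConditionApplicationEnum.ANY)) {
            addWarning("Apply condition " + cond.value() + " may not work correctly"); //NON-NLS
        }
    }

    /**
     * Returns true when every field set on the observable matches the corresponding
     * attribute of the artifact: Netname against TSK_REMOTE_PATH and Local_Path against
     * TSK_LOCAL_PATH. A field the observable leaves unset is treated as satisfied.
     *
     * @param art a TSK_REMOTE_DRIVE artifact
     * @throws TskCoreException if the artifact's attributes cannot be read
     */
    private boolean matchesArtifact(BlackboardArtifact art) throws TskCoreException {
        boolean foundRemotePathMatch = false;
        boolean foundLocalPathMatch = false;

        for (BlackboardAttribute attr : art.getAttributes()) {
            int typeId = attr.getAttributeTypeID();
            // Once a match is found it is kept; a later attribute of the same type
            // must not overwrite it.
            if ((typeId == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REMOTE_PATH.getTypeID())
                    && (obj.getNetname() != null)) {
                foundRemotePathMatch = foundRemotePathMatch
                        || compareStringObject(obj.getNetname(), attr.getValueString());
            }
            if ((typeId == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCAL_PATH.getTypeID())
                    && (obj.getLocalPath() != null)) {
                foundLocalPathMatch = foundLocalPathMatch
                        || compareStringObject(obj.getLocalPath(), attr.getValueString());
            }
        }

        return (foundRemotePathMatch || (obj.getNetname() == null))
                && (foundLocalPathMatch || (obj.getLocalPath() == null));
    }

    /**
     * Adds a single warning naming the observable fields this evaluator does not use
     * in the match (Current_Uses, Max_Uses, Type). Nothing is added when none of them
     * is set, so an observable that only uses supported fields produces no warning.
     */
    private void setUnsupportedFieldWarnings() {
        List<String> fieldNames = new ArrayList<String>();

        if (obj.getCurrentUses() != null) {
            fieldNames.add("Current_Uses"); //NON-NLS
        }
        if (obj.getMaxUses() != null) {
            fieldNames.add("Max_Uses"); //NON-NLS
        }
        if (obj.getType() != null) {
            fieldNames.add("Type"); //NON-NLS
        }

        if (fieldNames.isEmpty()) {
            return;
        }

        StringBuilder warningStr = new StringBuilder();
        for (String name : fieldNames) {
            if (warningStr.length() > 0) {
                warningStr.append(", ");
            }
            warningStr.append(name);
        }

        addWarning("Unsupported field(s): " + warningStr); //NON-NLS
    }

}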
