Autopsy  3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
EvalURIObj.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
21 import org.sleuthkit.autopsy.casemodule.Case;
22 import org.sleuthkit.datamodel.SleuthkitCase;
23 import org.sleuthkit.datamodel.BlackboardArtifact;
24 import org.sleuthkit.datamodel.BlackboardAttribute;
25 import org.sleuthkit.datamodel.TskCoreException;
26 
27 import java.util.List;
28 import java.util.ArrayList;
29 import org.mitre.cybox.common_2.ConditionApplicationEnum;
30 
31 import org.mitre.cybox.objects.URIObjectType;
32 
36 class EvalURIObj extends EvaluatableObject {
37 
38  private final URIObjectType obj;
39 
40  public EvalURIObj(URIObjectType a_obj, String a_id, String a_spacing) {
41  obj = a_obj;
42  id = a_id;
43  spacing = a_spacing;
44  }
45 
46  @Override
47  public synchronized ObservableResult evaluate() {
48 
49  setWarnings("");
50 
51  if (obj.getValue() == null) {
52  return new ObservableResult(id, "URIObject: No URI value field found", //NON-NLS
53  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
54  }
55  String addressStr = obj.getValue().getValue().toString();
56 
57  // Strip off http:// or https://
58  String modifiedAddressStr = addressStr.toLowerCase();
59  modifiedAddressStr = modifiedAddressStr.replaceAll("http(s)?://", ""); //NON-NLS
60 
61  // Since we have single URL artifacts, ALL and NONE conditions probably don't make sense to test
62  if (!((obj.getValue().getApplyCondition() == null)
63  || (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) {
64  return new ObservableResult(id, "URIObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString() //NON-NLS
65  + " on URI object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
66  }
67 
68  Case case1 = Case.getCurrentCase();
69  SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
70 
71  try {
72  /*
73  if ((obj.getValue().getCondition() == null)
74  || (obj.getValue().getCondition() == ConditionTypeEnum.EQUALS)) {
75 
76  // Old version - uses a database query but only works on full strings.
77  // It will be faster to use this in the "equals" case
78  String[] parts = addressStr.split("##comma##");
79  List<BlackboardArtifact> arts = new ArrayList<BlackboardArtifact>();
80  for (String part : parts) {
81  arts.addAll(sleuthkitCase.getBlackboardArtifacts(
82  BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT,
83  BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD,
84  part));
85  }
86 
87  if (!arts.isEmpty()) {
88 
89  List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
90  for (BlackboardArtifact a : arts) {
91  artData.add(new StixArtifactData(a.getObjectID(), id, "URIObject"));
92  }
93 
94  return new ObservableResult(id, "URIObject: Found " + arts.size() + " matches for address = \"" + addressStr + "\"",
95  spacing, ObservableResult.ObservableState.TRUE, artData);
96 
97  } else {
98  return new ObservableResult(id, "URIObject: Found no matches for address = \"" + addressStr + "\"",
99  spacing, ObservableResult.ObservableState.FALSE, null);
100  }
101  } else {*/
102 
103  // This is inefficient, but the easiest way to do it.
104  List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();
105 
106  // Get all the URL artifacts
107  List<BlackboardArtifact> artList
108  = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
109 
110  for (BlackboardArtifact art : artList) {
111 
112  for (BlackboardAttribute attr : art.getAttributes()) {
113  if (attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
114 
115  String modifiedAttrString = attr.getValueString();
116  if (modifiedAttrString != null) {
117  modifiedAttrString = modifiedAttrString.toLowerCase();
118  modifiedAttrString = modifiedAttrString.replaceAll("http(s)?://", ""); //NON-NLS
119  }
120 
121  if (compareStringObject(modifiedAddressStr, obj.getValue().getCondition(),
122  obj.getValue().getApplyCondition(), modifiedAttrString)) {
123  finalHits.add(art);
124  }
125  }
126  }
127  }
128 
129  if (!finalHits.isEmpty()) {
130  List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
131  for (BlackboardArtifact a : finalHits) {
132  artData.add(new StixArtifactData(a.getObjectID(), id, "UriObject")); //NON-NLS
133  }
134  return new ObservableResult(id, "UriObject: Found a match for " + addressStr, //NON-NLS
135  spacing, ObservableResult.ObservableState.TRUE, artData);
136  }
137 
138  return new ObservableResult(id, "URIObject: Found no matches for " + addressStr, //NON-NLS
139  spacing, ObservableResult.ObservableState.FALSE, null);
140  /*}*/
141 
142  } catch (TskCoreException ex) {
143  return new ObservableResult(id, "URIObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
144  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
145  }
146 
147  }
148 
149 }

Copyright © 2012-2015 Basis Technology. Generated on: Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.