19 package org.sleuthkit.autopsy.modules.stix;
21 import java.util.ArrayList;
22 import java.util.List;
23 import org.mitre.cybox.common_2.ConditionApplicationEnum;
24 import org.mitre.cybox.common_2.ConditionTypeEnum;
25 import org.mitre.cybox.common_2.StringObjectPropertyType;
35 abstract class EvaluatableObject {
37 private String warnings;
39 protected String spacing;
41 abstract public ObservableResult evaluate();
/**
 * Replaces the accumulated warnings text wholesale.
 *
 * @param a_warnings the new warnings text; may be {@code null} or empty
 */
public void setWarnings(String a_warnings) {
    this.warnings = a_warnings;
}
/**
 * Returns the raw accumulated warnings text.
 *
 * @return the warnings text as stored, possibly {@code null} or empty;
 *         not formatted for display
 */
public String getWarnings() {
    return this.warnings;
}
/**
 * Appends a warning to the accumulated warnings text.
 *
 * @param a_newWarning the warning to record; becomes the whole text when
 *                     nothing has been recorded yet, otherwise it is joined
 *                     to the existing text with {@code ", "}
 */
public void addWarning(String a_newWarning) {
    boolean nothingRecorded = (warnings == null) || warnings.isEmpty();
    warnings = nothingRecorded ? a_newWarning : warnings + ", " + a_newWarning;
}
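/**
 * Finds artifacts whose {@code attrType} attribute contains the CybOX string
 * value as a substring. The value may hold several candidates separated by the
 * literal {@code ##comma##} token; the object's apply condition decides how the
 * per-candidate hits are combined (ANY or {@code null} = union, ALL =
 * intersection). Any condition other than CONTAINS is ignored and a warning is
 * recorded instead.
 *
 * @param item     the CybOX string property to search for; its value must be
 *                 non-null
 * @param attrType the blackboard attribute type to search in
 * @return the matching artifacts, or {@code null} when the lookup failed before
 *         producing any hits and the cause was recorded as a warning
 * @throws TskCoreException if the string value is {@code null}
 */
public List<BlackboardArtifact> findArtifactsBySubstring(StringObjectPropertyType item,
        BlackboardAttribute.ATTRIBUTE_TYPE attrType) throws TskCoreException {

    if (item.getValue() == null) {
        throw new TskCoreException("Error: Value field is null");
    }

    if (item.getCondition() == null) {
        addWarning("Warning: No condition given for " + attrType.getDisplayName()
                + " field, using substring comparison");
    } else if (item.getCondition() != ConditionTypeEnum.CONTAINS) {
        addWarning("Warning: Ignoring condition " + item.getCondition() + " for "
                + attrType.getDisplayName() + " field and doing substring comparison");
    }

    List<BlackboardArtifact> hits = null;
    try {
        Case case1 = Case.getCurrentCase();
        SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();

        String[] parts = item.getValue().toString().split("##comma##");
        ConditionApplicationEnum applyCondition = item.getApplyCondition();

        if ((applyCondition == null) || (applyCondition == ConditionApplicationEnum.ANY)) {
            // Union: every candidate contributes its own substring hits.
            for (String part : parts) {
                if (hits == null) {
                    hits = sleuthkitCase.getBlackboardArtifacts(attrType, part, false);
                } else {
                    hits.addAll(sleuthkitCase.getBlackboardArtifacts(attrType, part, false));
                }
            }
        } else if (applyCondition == ConditionApplicationEnum.ALL) {
            // Intersection: the first candidate seeds the result, later ones narrow it.
            // Fix: the original test was "!= null || == ALL", which is true for every
            // non-null value and so also swallowed NONE; the NONE branch below was dead.
            boolean firstRound = true;
            for (String part : parts) {
                if (firstRound) {
                    hits = sleuthkitCase.getBlackboardArtifacts(attrType, part, false);
                    firstRound = false;
                } else if (hits != null) {
                    hits.retainAll(sleuthkitCase.getBlackboardArtifacts(attrType, part, false));
                } else {
                    // Nothing survived the first round, so the intersection is empty.
                    return new ArrayList<BlackboardArtifact>();
                }
            }
        } else {
            // NONE cannot be expressed as a substring search.
            throw new TskCoreException("Error: Can not apply NONE condition in search");
        }
    } catch (TskCoreException ex) {
        // Failures inside the lookup (including the NONE case above) are downgraded
        // to a recorded warning rather than propagated.
        addWarning(ex.getLocalizedMessage());
    }

    return hits;
}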
/**
 * Compares a field value against a CybOX String Object, honouring the object's
 * condition and apply condition.
 *
 * @param stringObj the CybOX String Object; its value must be non-null
 * @param strField  the field value to compare against
 * @return {@code true} if {@code strField} satisfies the object
 * @throws TskCoreException if the object's value is {@code null}
 */
public static boolean compareStringObject(StringObjectPropertyType stringObj, String strField)
        throws TskCoreException {
    if (stringObj.getValue() == null) {
        throw new TskCoreException("Error: Value field is null");
    }
    // Delegate to the string-based overload with the object's own settings.
    return compareStringObject(stringObj.getValue().toString(),
            stringObj.getCondition(),
            stringObj.getApplyCondition(),
            strField);
}
/**
 * Compares a field value against a CybOX string value under the given condition
 * and apply condition. The value may hold several candidates separated by the
 * literal {@code ##comma##} token; each candidate is tested on its own and the
 * apply condition combines the partial results.
 *
 * @param valueStr       the CybOX string value (candidates joined by
 *                       {@code ##comma##}); must be non-null
 * @param condition      how each candidate is matched (EQUALS, CONTAINS,
 *                       STARTS_WITH, ...); {@code null} is treated as EQUALS
 * @param applyCondition ANY, ALL or NONE; {@code null} is treated as ANY
 * @param strField       the field value to compare against
 * @return {@code true} if {@code strField} satisfies the candidates under the
 *         given conditions
 * @throws TskCoreException if {@code valueStr} is {@code null} or the condition
 *                          is not one of the supported kinds
 */
public static boolean compareStringObject(String valueStr, ConditionTypeEnum condition,
        ConditionApplicationEnum applyCondition, String strField)
        throws TskCoreException {

    if (valueStr == null) {
        throw new TskCoreException("Error: Value field is null");
    }

    // A missing condition defaults to an equality test.
    ConditionTypeEnum effectiveCondition =
            (condition == null) ? ConditionTypeEnum.EQUALS : condition;
    String fieldLower = strField.toLowerCase();
    boolean requireNone = (applyCondition == ConditionApplicationEnum.NONE);
    boolean requireAll = (applyCondition == ConditionApplicationEnum.ALL);

    for (String candidate : valueStr.split("##comma##")) {
        boolean matched;
        switch (effectiveCondition) {
            case EQUALS:
                matched = candidate.equalsIgnoreCase(strField);
                break;
            case DOES_NOT_EQUAL:
                matched = !candidate.equalsIgnoreCase(strField);
                break;
            case CONTAINS:
                matched = fieldLower.contains(candidate.toLowerCase());
                break;
            case DOES_NOT_CONTAIN:
                matched = !fieldLower.contains(candidate.toLowerCase());
                break;
            case STARTS_WITH:
                matched = fieldLower.startsWith(candidate.toLowerCase());
                break;
            case ENDS_WITH:
                matched = fieldLower.endsWith(candidate.toLowerCase());
                break;
            default:
                throw new TskCoreException("Could not process condition " + condition.value()
                        + " on " + candidate);
        }

        // Short-circuit as soon as the outcome is decided.
        if (requireNone) {
            if (matched) {
                return false;
            }
        } else if (requireAll) {
            if (!matched) {
                return false;
            }
        } else if (matched) {
            // ANY (or null): the first hit wins.
            return true;
        }
    }

    // No short-circuit fired: NONE and ALL therefore passed, ANY failed.
    return requireNone || requireAll;
}
/**
 * Formats the accumulated warnings for display.
 *
 * @return the warnings wrapped as {@code " (...)"}, or an empty string when
 *         no warnings have been recorded
 */
public String getPrintableWarnings() {
    String current = getWarnings();
    if (current == null || current.isEmpty()) {
        return "";
    }
    return " (" + current + ")";
}