1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.report.modules.stix;
20 
22 import org.sleuthkit.datamodel.SleuthkitCase;
23 import org.sleuthkit.datamodel.BlackboardArtifact;
24 import org.sleuthkit.datamodel.BlackboardAttribute;
25 import org.sleuthkit.datamodel.TskCoreException;
26 
27 import java.util.List;
28 import java.util.ArrayList;
29 
30 import org.mitre.cybox.objects.AccountObjectType;
31 import org.mitre.cybox.objects.UserAccountObjectType;
32 import org.mitre.cybox.objects.WindowsUserAccount;
34 
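/**
 * Evaluates a STIX/CybOX Account observable against the TSK_OS_ACCOUNT
 * artifacts of the current case.
 *
 * Only User_Account and Windows_User_Account objects can be evaluated, and
 * only three of their fields are searched: Home_Directory (compared with the
 * artifact's TSK_PATH attribute), Username (TSK_USER_NAME) and, for Windows
 * accounts, Security_ID (TSK_USER_ID). Any other field present on the
 * observable is reported back as an "Unsupported field(s)" warning so the
 * reader knows which constraints of the indicator were not applied.
 *
 * NOTE(review): the observable is parsed from an externally supplied STIX
 * document, so the field values echoed into the ObservableResult text are
 * untrusted input. Whatever renders these result strings must escape them if
 * the output format (e.g. HTML) requires it; nothing here does.
 */
class EvalAccountObj extends EvaluatableObject {

    private final AccountObjectType obj;

    /**
     * @param a_obj     the CybOX Account object to evaluate
     * @param a_id      the observable id, echoed into every result
     * @param a_spacing indentation prefix used when the result is printed
     */
    public EvalAccountObj(AccountObjectType a_obj, String a_id, String a_spacing) {
        obj = a_obj;
        id = a_id;
        spacing = a_spacing;
    }

    /**
     * Searches the current case's OS account artifacts for one that satisfies
     * every searchable field of the observable.
     *
     * @return TRUE with the matching artifacts, FALSE when none match, or
     *         INDETERMINATE when the object type or its fields cannot be
     *         evaluated or the case could not be queried.
     */
    @Override
    public synchronized ObservableResult evaluate() {

        setWarnings("");

        // Fields we can search for:
        //   UserAccount:    Home_Directory, Username
        //   WinUserAccount: Security_ID
        if (!(obj instanceof UserAccountObjectType)) {
            return new ObservableResult(id, "AccountObject: Can not process \"Account\" - need a User_Account or Windows_User_Account", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        // Human-readable summary of what was searched for, echoed into the result text
        StringBuilder searchString = new StringBuilder();

        // Which searchable fields the observable actually carries
        boolean haveHomeDir = false;
        boolean haveUsername = false;
        boolean haveSID = false;

        UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
        if (userAccountObj.getHomeDirectory() != null) {
            haveHomeDir = true;
            appendSearchTerm(searchString, "HomeDir", userAccountObj.getHomeDirectory().getValue()); //NON-NLS
        }
        if (userAccountObj.getUsername() != null) {
            haveUsername = true;
            appendSearchTerm(searchString, "Username", userAccountObj.getUsername().getValue()); //NON-NLS
        }

        WindowsUserAccount winUserObj = null;
        if (obj instanceof WindowsUserAccount) {
            winUserObj = (WindowsUserAccount) obj;
            if (winUserObj.getSecurityID() != null) {
                haveSID = true;
                appendSearchTerm(searchString, "SID", winUserObj.getSecurityID().getValue()); //NON-NLS
            }
        }

        if (!(haveHomeDir || haveUsername || haveSID)) {
            return new ObservableResult(id, "AccountObject: No evaluatable fields found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        // Tell the reader which constraints of the indicator are being ignored
        setUnsupportedFieldWarnings();

        try {
            Case case1 = Case.getCurrentCaseThrows();
            SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();

            // Assumes a case holds few enough OS account artifacts that a linear
            // scan over all of them, with all their attributes, is acceptable.
            List<BlackboardArtifact> artList
                    = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT);

            List<BlackboardArtifact> finalHits = new ArrayList<>();
            for (BlackboardArtifact art : artList) {
                boolean foundHomeDirMatch = false;
                boolean foundUsernameMatch = false;
                boolean foundSIDMatch = false;

                for (BlackboardAttribute attr : art.getAttributes()) {
                    int typeId = attr.getAttributeType().getTypeID();

                    // A field counts as matched if ANY attribute of the right type on
                    // this artifact matches; once set, a flag is never cleared by a
                    // later attribute of the same type, so compare only while unmatched.
                    if (haveHomeDir && !foundHomeDirMatch
                            && typeId == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH.getTypeID()) {
                        foundHomeDirMatch = compareStringObject(userAccountObj.getHomeDirectory(), attr.getValueString());
                    }
                    if (haveUsername && !foundUsernameMatch
                            && typeId == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID()) {
                        foundUsernameMatch = compareStringObject(userAccountObj.getUsername(), attr.getValueString());
                    }
                    // haveSID is only ever set when winUserObj is non-null.
                    // NOTE(review): this relies on TSK_USER_ID holding the account SID
                    // for Windows accounts - confirm against the module that creates
                    // TSK_OS_ACCOUNT artifacts.
                    if (haveSID && !foundSIDMatch
                            && typeId == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID()) {
                        foundSIDMatch = compareStringObject(winUserObj.getSecurityID(), attr.getValueString());
                    }
                }

                // Every field the observable specified must have matched (AND semantics)
                if ((!haveHomeDir || foundHomeDirMatch)
                        && (!haveUsername || foundUsernameMatch)
                        && (!haveSID || foundSIDMatch)) {
                    finalHits.add(art);
                }
            }

            if (!finalHits.isEmpty()) {
                List<StixArtifactData> artData = new ArrayList<>();
                for (BlackboardArtifact a : finalHits) {
                    artData.add(new StixArtifactData(a.getObjectID(), id, "Account")); //NON-NLS
                }
                return new ObservableResult(id, "AccountObject: Found a match for " + searchString, //NON-NLS
                        spacing, ObservableResult.ObservableState.TRUE, artData);
            }

            return new ObservableResult(id, "AccountObject: No matches found for " + searchString, //NON-NLS
                    spacing, ObservableResult.ObservableState.FALSE, null);
        } catch (TskCoreException | NoCurrentCaseException ex) {
            // A query failure must not abort the whole report; report it as undecidable.
            return new ObservableResult(id, "AccountObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
    }

    /**
     * Appends {@code name "value"} to the search description, separated from
     * any earlier term by " and ".
     *
     * String.valueOf() is used instead of value.toString() so that a property
     * element with no value (getValue() == null) renders as "null" rather than
     * throwing a NullPointerException out of evaluate(), which has no handler
     * for runtime exceptions.
     *
     * @param searchString the description being built
     * @param name         display name of the field
     * @param value        the field's value, possibly null
     */
    private static void appendSearchTerm(StringBuilder searchString, String name, Object value) {
        if (searchString.length() > 0) {
            searchString.append(" and "); //NON-NLS
        }
        searchString.append(name).append(" \"").append(String.valueOf(value)).append('"'); //NON-NLS
    }

    /**
     * Records one warning naming every field present on the observable that
     * evaluate() does not search on. No warning is added when all present
     * fields are supported, so the report is not cluttered with an empty
     * "Unsupported field(s):" entry.
     */
    private void setUnsupportedFieldWarnings() {
        List<String> fieldNames = new ArrayList<>();

        // Fields common to every CybOX Account object
        if (obj.getDescription() != null) {
            fieldNames.add("Description"); //NON-NLS
        }
        if (obj.getDomain() != null) {
            fieldNames.add("Domain"); //NON-NLS
        }
        if (obj.getAuthentications() != null) {
            fieldNames.add("Authentication"); //NON-NLS
        }
        if (obj.getCreationDate() != null) {
            fieldNames.add("Creation_Date"); //NON-NLS
        }
        if (obj.getModifiedDate() != null) {
            fieldNames.add("Modified_Date"); //NON-NLS
        }
        if (obj.getLastAccessedTime() != null) {
            fieldNames.add("Last_Accessed_Time"); //NON-NLS
        }

        // User_Account fields other than Home_Directory and Username
        if (obj instanceof UserAccountObjectType) {
            UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
            if (userAccountObj.getFullName() != null) {
                fieldNames.add("Full_Name"); //NON-NLS
            }
            if (userAccountObj.getGroupList() != null) {
                fieldNames.add("Group_List"); //NON-NLS
            }
            if (userAccountObj.getLastLogin() != null) {
                fieldNames.add("Last_Login"); //NON-NLS
            }
            if (userAccountObj.getPrivilegeList() != null) {
                fieldNames.add("Privilege_List"); //NON-NLS
            }
            if (userAccountObj.getScriptPath() != null) {
                fieldNames.add("Script_Path"); //NON-NLS
            }
            if (userAccountObj.getUserPasswordAge() != null) {
                fieldNames.add("User_Password_Age"); //NON-NLS
            }
        }

        // Windows_User_Account fields other than Security_ID
        if (obj instanceof WindowsUserAccount) {
            WindowsUserAccount winUserObj = (WindowsUserAccount) obj;
            if (winUserObj.getSecurityType() != null) {
                fieldNames.add("Security_Type"); //NON-NLS
            }
        }

        if (fieldNames.isEmpty()) {
            return;
        }

        StringBuilder warningStr = new StringBuilder();
        for (String name : fieldNames) {
            if (warningStr.length() > 0) {
                warningStr.append(", ");
            }
            warningStr.append(name);
        }
        addWarning("Unsupported field(s): " + warningStr); //NON-NLS
    }

}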
