Autopsy  4.15.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EvalAddressObj.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.report.modules.stix;
20 
22 import org.sleuthkit.datamodel.SleuthkitCase;
23 import org.sleuthkit.datamodel.BlackboardArtifact;
24 import org.sleuthkit.datamodel.BlackboardAttribute;
25 import org.sleuthkit.datamodel.TskCoreException;
26 
27 import java.util.List;
28 import java.util.ArrayList;
29 import org.mitre.cybox.common_2.ConditionApplicationEnum;
30 import org.mitre.cybox.common_2.ConditionTypeEnum;
31 
32 import org.mitre.cybox.objects.Address;
34 
38 class EvalAddressObj extends EvaluatableObject {
39 
40  private final Address obj;
41 
42  public EvalAddressObj(Address a_obj, String a_id, String a_spacing) {
43  obj = a_obj;
44  id = a_id;
45  spacing = a_spacing;
46  }
47 
48  @Override
49  public synchronized ObservableResult evaluate() {
50 
51  setWarnings("");
52 
53  if (obj.getAddressValue() == null) {
54  return new ObservableResult(id, "AddressObject: No address value field found", //NON-NLS
55  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
56  }
57 
58  Case case1;
59  try {
60  case1 = Case.getCurrentCaseThrows();
61  } catch (NoCurrentCaseException ex) {
62  return new ObservableResult(id, "Exception while getting open case.", //NON-NLS
63  spacing, ObservableResult.ObservableState.FALSE, null);
64  }
65 
66  String origAddressStr = obj.getAddressValue().getValue().toString();
67 
68  // For now, we don't support "NONE" because it honestly doesn't seem like it
69  // would ever appear in practice.
70  if (((obj.getAddressValue().getApplyCondition() != null)
71  && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.NONE))) {
72  return new ObservableResult(id, "AddressObject: Can not process apply condition " + obj.getAddressValue().getApplyCondition().toString() //NON-NLS
73  + " on Address object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
74  }
75 
76  // Set warnings for any unsupported fields
77  setUnsupportedFieldWarnings();
78 
79  SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
80 
81  try {
82  // Need to check that every part of the string had at least one match
83  // in the AND case
84  boolean everyPartMatched = true;
85  List<BlackboardArtifact> combinedArts = new ArrayList<BlackboardArtifact>();
86  String searchString = "";
87  String[] parts = origAddressStr.split("##comma##"); //NON-NLS
88 
89  for (String addressStr : parts) {
90 
91  // Update the string to show in the results
92  if (!searchString.isEmpty()) {
93 
94  if ((obj.getAddressValue().getApplyCondition() != null)
95  && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)) {
96  searchString += " AND "; //NON-NLS
97  } else {
98  searchString += " OR "; //NON-NLS
99  }
100  }
101  searchString += addressStr;
102 
103  if ((obj.getAddressValue().getCondition() == null)
104  || (obj.getAddressValue().getCondition() == ConditionTypeEnum.EQUALS)) {
105  List<BlackboardArtifact> arts = sleuthkitCase.getBlackboardArtifacts(
106  BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT,
107  BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD,
108  addressStr);
109 
110  if (arts.isEmpty()) {
111  everyPartMatched = false;
112  } else {
113  combinedArts.addAll(arts);
114  }
115 
116  } else {
117  // This is inefficient, but the easiest way to do it.
118 
119  List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();
120 
121  // Get all the URL artifacts
122  List<BlackboardArtifact> artList
123  = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
124 
125  for (BlackboardArtifact art : artList) {
126 
127  for (BlackboardAttribute attr : art.getAttributes()) {
128  if (attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
129  if (compareStringObject(addressStr, obj.getAddressValue().getCondition(),
130  obj.getAddressValue().getApplyCondition(), attr.getValueString())) {
131  finalHits.add(art);
132  }
133  }
134  }
135  }
136 
137  if (finalHits.isEmpty()) {
138  everyPartMatched = false;
139  } else {
140  combinedArts.addAll(finalHits);
141  }
142  }
143  }
144 
145  // If we're in the ALL case, make sure every piece matched
146  if ((obj.getAddressValue().getApplyCondition() != null)
147  && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)
148  && (!everyPartMatched)) {
149  return new ObservableResult(id, "AddressObject: No matches for " + searchString, //NON-NLS
150  spacing, ObservableResult.ObservableState.FALSE, null);
151  }
152 
153  if (!combinedArts.isEmpty()) {
154  List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
155  for (BlackboardArtifact a : combinedArts) {
156  artData.add(new StixArtifactData(a.getObjectID(), id, "AddressObject")); //NON-NLS
157  }
158  return new ObservableResult(id, "AddressObject: Found a match for " + searchString, //NON-NLS
159  spacing, ObservableResult.ObservableState.TRUE, artData);
160  }
161 
162  return new ObservableResult(id, "AddressObject: Found no matches for " + searchString, //NON-NLS
163  spacing, ObservableResult.ObservableState.FALSE, null);
164 
165  } catch (TskCoreException ex) {
166  return new ObservableResult(id, "AddressObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
167  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
168  }
169  }
170 
174  private void setUnsupportedFieldWarnings() {
175  List<String> fieldNames = new ArrayList<String>();
176 
177  if (obj.getVLANName() != null) {
178  fieldNames.add("VLAN_Name"); //NON-NLS
179  }
180  if (obj.getVLANName() != null) {
181  fieldNames.add("VLAN_Num"); //NON-NLS
182  }
183 
184  String warningStr = "";
185  for (String name : fieldNames) {
186  if (!warningStr.isEmpty()) {
187  warningStr += ", ";
188  }
189  warningStr += name;
190  }
191 
192  addWarning("Unsupported field(s): " + warningStr); //NON-NLS
193  }
194 }

Copyright © 2012-2020 Basis Technology. Generated on: Mon Jul 6 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.