1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.report.modules.stix;
20 
22 import org.sleuthkit.datamodel.SleuthkitCase;
23 import org.sleuthkit.datamodel.BlackboardArtifact;
24 import org.sleuthkit.datamodel.BlackboardAttribute;
25 import org.sleuthkit.datamodel.TskCoreException;
26 
27 import java.util.List;
28 import java.util.ArrayList;
29 import org.mitre.cybox.common_2.ConditionApplicationEnum;
30 
31 import org.mitre.cybox.objects.URIObjectType;
33 
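class EvalURIObj extends EvaluatableObject {

    // The CybOX URI object whose value is compared against the case's keyword hits.
    private final URIObjectType obj;

    /**
     * Creates an evaluator for a single CybOX URI object.
     *
     * @param a_obj     the URI object to evaluate
     * @param a_id      the observable id echoed into every {@link ObservableResult}
     * @param a_spacing indentation prefix used when results are rendered
     */
    public EvalURIObj(URIObjectType a_obj, String a_id, String a_spacing) {
        obj = a_obj;
        id = a_id;
        spacing = a_spacing;
    }

    /**
     * Evaluates the URI object against every TSK_KEYWORD_HIT artifact in the
     * current case, comparing the (normalized) URI value with each artifact's
     * TSK_KEYWORD attribute using the object's condition.
     *
     * Normalization lower-cases both sides and strips {@code http://} /
     * {@code https://} so that scheme and letter case do not affect matching.
     *
     * @return TRUE with one entry per matching artifact; FALSE when nothing
     *         matched or no case is open; INDETERMINATE when the object cannot
     *         be evaluated (missing or empty value, unsupported apply
     *         condition, or a database error)
     */
    @Override
    public synchronized ObservableResult evaluate() {

        setWarnings("");

        if (obj.getValue() == null) {
            return new ObservableResult(id, "URIObject: No URI value field found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        // An empty Value element yields a non-null property whose content is
        // null; without this guard the toString() below throws NPE.
        if (obj.getValue().getValue() == null) {
            return new ObservableResult(id, "URIObject: URI value field is empty", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        Case case1;
        try {
            case1 = Case.getCurrentCaseThrows();
        } catch (NoCurrentCaseException ex) {
            return new ObservableResult(id, "Exception while getting open case: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.FALSE, null);
        }

        String addressStr = obj.getValue().getValue().toString();

        // Normalize for comparison. The same transform is applied to every
        // keyword attribute in artifactMatches(), so both sides agree even
        // though replaceAll() removes every occurrence, not only a leading one,
        // and toLowerCase() uses the default locale.
        String modifiedAddressStr = normalizeUri(addressStr);

        // Each keyword-hit artifact carries a single URL, so ALL / NONE apply
        // conditions have nothing to range over; only ANY (or unset) is supported.
        if (!((obj.getValue().getApplyCondition() == null)
                || (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) {
            return new ObservableResult(id, "URIObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString() //NON-NLS
                    + " on URI object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
        }

        SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();

        try {
            // Full scan of every keyword hit. Inefficient, but a database
            // lookup by exact attribute value could only serve the EQUALS
            // condition; the other conditions need a per-value comparison.
            List<BlackboardArtifact> artList
                    = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);

            List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();
            for (BlackboardArtifact art : artList) {
                if (artifactMatches(art, modifiedAddressStr)) {
                    finalHits.add(art);
                }
            }

            if (!finalHits.isEmpty()) {
                List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
                for (BlackboardArtifact a : finalHits) {
                    artData.add(new StixArtifactData(a.getObjectID(), id, "UriObject")); //NON-NLS
                }
                return new ObservableResult(id, "UriObject: Found a match for " + addressStr, //NON-NLS
                        spacing, ObservableResult.ObservableState.TRUE, artData);
            }

            return new ObservableResult(id, "URIObject: Found no matches for " + addressStr, //NON-NLS
                    spacing, ObservableResult.ObservableState.FALSE, null);

        } catch (TskCoreException ex) {
            return new ObservableResult(id, "URIObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
    }

    /**
     * Lower-cases a URI string and removes every {@code http://} / {@code https://}
     * occurrence so that scheme and case differences do not affect comparison.
     *
     * @param uri the raw URI string; must not be null
     * @return the normalized string
     */
    private static String normalizeUri(String uri) {
        return uri.toLowerCase().replaceAll("http(s)?://", ""); //NON-NLS
    }

    /**
     * Reports whether any TSK_KEYWORD attribute of the given artifact matches
     * the normalized URI under the object's condition. Stops at the first
     * matching attribute so an artifact is counted at most once.
     *
     * @param art                the keyword-hit artifact to inspect
     * @param modifiedAddressStr the already-normalized URI value
     * @return true if at least one keyword attribute matches
     * @throws TskCoreException if the artifact's attributes cannot be read
     */
    private boolean artifactMatches(BlackboardArtifact art, String modifiedAddressStr) throws TskCoreException {
        for (BlackboardAttribute attr : art.getAttributes()) {
            if (attr.getAttributeType().getTypeID() != BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
                continue;
            }

            // A null keyword is passed through unchanged; compareStringObject
            // is expected to treat it as a non-match (inherited behavior).
            String modifiedAttrString = attr.getValueString();
            if (modifiedAttrString != null) {
                modifiedAttrString = normalizeUri(modifiedAttrString);
            }

            if (compareStringObject(modifiedAddressStr, obj.getValue().getCondition(),
                    obj.getValue().getApplyCondition(), modifiedAttrString)) {
                return true;
            }
        }
        return false;
    }

}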
