EvalSystemObj.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
28 
29 import java.util.List;
30 import java.util.ArrayList;
31 
32 import org.mitre.cybox.objects.SystemObjectType;
33 import org.mitre.cybox.objects.WindowsSystem;
34 
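/**
 * Evaluates a CybOX System (or WindowsSystem) observable against the operating
 * system information recovered from the current case.
 *
 * Supported fields are hostname and processor architecture on any System
 * object, plus product ID, product name, registered organization, registered
 * owner, system root and temp directory on a WindowsSystem. An OSInfo entry
 * counts as a hit only when every field the observable specifies matches that
 * entry; any other populated field is reported through an unsupported-field
 * warning rather than silently ignored.
 */
class EvalSystemObj extends EvaluatableObject {

    private final SystemObjectType obj;

    /**
     * Creates an evaluator for one System observable.
     *
     * @param a_obj     the CybOX System object; may be a WindowsSystem subtype
     * @param a_id      observable ID, echoed in every ObservableResult
     * @param a_spacing indentation prefix used when the result is displayed
     */
    public EvalSystemObj(SystemObjectType a_obj, String a_id, String a_spacing) {
        obj = a_obj;
        id = a_id;
        spacing = a_spacing;
    }

    /**
     * Compares the observable with each OSInfo entry of the current case.
     *
     * @return TRUE with the artifacts of every matching OS entry; FALSE when
     *         no entry satisfies all requested fields; INDETERMINATE when the
     *         observable has no supported fields, the case has no OS
     *         artifacts, or a TskCoreException is raised while reading them
     */
    @Override
    public synchronized ObservableResult evaluate() {
        setWarnings("");

        // Product ID, owner, system root etc. only exist on the Windows subtype
        WindowsSystem winSysObj = (obj instanceof WindowsSystem) ? (WindowsSystem) obj : null;

        // Human-readable list of every supported field the observable specifies;
        // it is empty exactly when there is nothing this evaluator can test
        String searchString = buildSearchString(winSysObj);

        if (searchString.isEmpty()) {
            return new ObservableResult(id, "SystemObject: No evaluatable fields found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        setUnsupportedFieldWarnings();

        try {
            Case case1 = Case.getCurrentCase();
            SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
            List<OSInfo> osInfoList = OSUtility.getOSInfo(sleuthkitCase);

            if (osInfoList.isEmpty()) {
                return new ObservableResult(id, "SystemObject: No OS artifacts found", //NON-NLS
                        spacing, ObservableResult.ObservableState.INDETERMINATE, null);
            }

            // Artifacts of every OS entry that satisfies all requested fields
            List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();
            for (OSInfo info : osInfoList) {
                if (matchesAllRequestedFields(info, winSysObj)) {
                    finalHits.addAll(info.getArtifacts());
                }
            }

            if (finalHits.isEmpty()) {
                return new ObservableResult(id, "SystemObject: No matches found for " + searchString, //NON-NLS
                        spacing, ObservableResult.ObservableState.FALSE, null);
            }

            List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
            for (BlackboardArtifact a : finalHits) {
                artData.add(new StixArtifactData(a.getObjectID(), id, "System")); //NON-NLS
            }
            return new ObservableResult(id, "SystemObject: Found a match for " + searchString, //NON-NLS
                    spacing, ObservableResult.ObservableState.TRUE, artData);
        } catch (TskCoreException ex) {
            return new ObservableResult(id, "SystemObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
    }

    /**
     * Builds the "Label "value" and Label "value" ..." description of every
     * supported field the observable specifies, in a fixed display order.
     *
     * @param winSysObj the observable cast to WindowsSystem, or null when it
     *                  is a plain System object
     * @return the description, empty when no supported field is present
     */
    private String buildSearchString(WindowsSystem winSysObj) {
        String searchString = "";

        if (obj.getHostname() != null) {
            searchString = appendSearchTerm(searchString, "Hostname", obj.getHostname().getValue()); //NON-NLS
        }
        if (obj.getProcessorArchitecture() != null) {
            searchString = appendSearchTerm(searchString, "Processor architecture", //NON-NLS
                    obj.getProcessorArchitecture().getValue());
        }

        if (winSysObj != null) {
            if (winSysObj.getProductID() != null) {
                searchString = appendSearchTerm(searchString, "Product ID", winSysObj.getProductID().getValue()); //NON-NLS
            }
            if (winSysObj.getProductName() != null) {
                searchString = appendSearchTerm(searchString, "Product Name", winSysObj.getProductName().getValue()); //NON-NLS
            }
            if (winSysObj.getRegisteredOrganization() != null) {
                searchString = appendSearchTerm(searchString, "Registered Org", //NON-NLS
                        winSysObj.getRegisteredOrganization().getValue());
            }
            if (winSysObj.getRegisteredOwner() != null) {
                searchString = appendSearchTerm(searchString, "Registered Owner", //NON-NLS
                        winSysObj.getRegisteredOwner().getValue());
            }
            if (winSysObj.getWindowsSystemDirectory() != null) {
                searchString = appendSearchTerm(searchString, "System root", //NON-NLS
                        winSysObj.getWindowsSystemDirectory().getValue());
            }
            if (winSysObj.getWindowsTempDirectory() != null) {
                searchString = appendSearchTerm(searchString, "Temp dir", //NON-NLS
                        winSysObj.getWindowsTempDirectory().getValue());
            }
        }

        return searchString;
    }

    /**
     * Appends one quoted search term to the description, separating terms
     * with " and ". A null value is rendered as the text "null" instead of
     * throwing, so a malformed observable still produces a readable message.
     *
     * @param current the description built so far (may be empty)
     * @param label   display name of the field
     * @param value   the field's value object
     * @return the extended description
     */
    private static String appendSearchTerm(String current, String label, Object value) {
        String term = label + " \"" + value + "\""; //NON-NLS
        if (current.isEmpty()) {
            return term;
        }
        return current + " and " + term; //NON-NLS
    }

    /**
     * Checks whether one OSInfo entry satisfies every field the observable
     * specifies. Fields the observable leaves unset impose no constraint;
     * the first failing comparison ends the check.
     *
     * @param info      OS information recovered from the case
     * @param winSysObj the observable cast to WindowsSystem, or null when it
     *                  is a plain System object (Windows-only fields are then
     *                  never requested)
     * @return true when all requested fields match this entry
     */
    private boolean matchesAllRequestedFields(OSInfo info, WindowsSystem winSysObj) {
        if (obj.getHostname() != null
                && !compareStringObject(obj.getHostname(), info.getCompName())) {
            return false;
        }
        if (obj.getProcessorArchitecture() != null
                && !compareStringObject(obj.getProcessorArchitecture().getValue().toString(),
                        obj.getProcessorArchitecture().getCondition(),
                        obj.getProcessorArchitecture().getApplyCondition(),
                        info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE))) {
            return false;
        }

        if (winSysObj == null) {
            return true;
        }

        if (winSysObj.getWindowsTempDirectory() != null
                && !compareStringObject(winSysObj.getWindowsTempDirectory(),
                        info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEMP_DIR))) {
            return false;
        }
        if (winSysObj.getProductName() != null
                && !compareStringObject(winSysObj.getProductName(),
                        info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME))) {
            return false;
        }
        if (winSysObj.getWindowsSystemDirectory() != null
                && !compareStringObject(winSysObj.getWindowsSystemDirectory(),
                        info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH))) {
            return false;
        }
        if (winSysObj.getProductID() != null
                && !compareStringObject(winSysObj.getProductID(),
                        info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PRODUCT_ID))) {
            return false;
        }
        if (winSysObj.getRegisteredOwner() != null
                && !compareStringObject(winSysObj.getRegisteredOwner(),
                        info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_OWNER))) {
            return false;
        }
        if (winSysObj.getRegisteredOrganization() != null
                && !compareStringObject(winSysObj.getRegisteredOrganization(),
                        info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ORGANIZATION))) {
            return false;
        }
        return true;
    }

    /**
     * Records a warning naming every populated field this evaluator does not
     * test, so the analyst can see which parts of the indicator were not
     * checked. No warning is added when all populated fields are supported.
     */
    private void setUnsupportedFieldWarnings() {
        List<String> fieldNames = new ArrayList<String>();

        if (obj.getAvailablePhysicalMemory() != null) {
            fieldNames.add("Available_Physical_Memory"); //NON-NLS
        }
        if (obj.getBIOSInfo() != null) {
            fieldNames.add("BIOS_Info"); //NON-NLS
        }
        if (obj.getDate() != null) {
            fieldNames.add("Date"); //NON-NLS
        }
        if (obj.getLocalTime() != null) {
            fieldNames.add("Local_Time"); //NON-NLS
        }
        if (obj.getNetworkInterfaceList() != null) {
            fieldNames.add("Network_Interface_List"); //NON-NLS
        }
        if (obj.getOS() != null) {
            fieldNames.add("OS"); //NON-NLS
        }
        if (obj.getProcessor() != null) {
            fieldNames.add("Processor"); //NON-NLS
        }
        if (obj.getSystemTime() != null) {
            fieldNames.add("System_Time"); //NON-NLS
        }
        if (obj.getTimezoneDST() != null) {
            fieldNames.add("Timezone_DST"); //NON-NLS
        }
        if (obj.getTimezoneStandard() != null) {
            fieldNames.add("Timezone_Standard"); //NON-NLS
        }
        if (obj.getTotalPhysicalMemory() != null) {
            fieldNames.add("Total_Physical_Memory"); //NON-NLS
        }
        if (obj.getUptime() != null) {
            fieldNames.add("Uptime"); //NON-NLS
        }
        if (obj.getUsername() != null) {
            fieldNames.add("Username"); //NON-NLS
        }

        if (obj instanceof WindowsSystem) {
            WindowsSystem winSysObj = (WindowsSystem) obj;

            if (winSysObj.getDomains() != null) {
                fieldNames.add("Domain"); //NON-NLS
            }
            if (winSysObj.getGlobalFlagList() != null) {
                fieldNames.add("Global_Flag_List"); //NON-NLS
            }
            if (winSysObj.getNetBIOSName() != null) {
                fieldNames.add("NetBIOS_Name"); //NON-NLS
            }
            if (winSysObj.getOpenHandleList() != null) {
                fieldNames.add("Open_Handle_List"); //NON-NLS
            }
            if (winSysObj.getWindowsDirectory() != null) {
                fieldNames.add("Windows_Directory"); //NON-NLS
            }
        }

        // Previously an empty "Unsupported field(s): " warning was emitted even
        // when nothing was unsupported; skip it so warnings stay meaningful
        if (fieldNames.isEmpty()) {
            return;
        }

        StringBuilder warningStr = new StringBuilder();
        for (String name : fieldNames) {
            if (warningStr.length() > 0) {
                warningStr.append(", ");
            }
            warningStr.append(name);
        }

        addWarning("Unsupported field(s): " + warningStr); //NON-NLS
    }
}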
