19 package org.sleuthkit.autopsy.modules.stix;
27 import java.util.List;
28 import java.util.ArrayList;
30 import org.mitre.cybox.objects.AccountObjectType;
31 import org.mitre.cybox.objects.UserAccountObjectType;
32 import org.mitre.cybox.objects.WindowsUserAccount;
/**
 * Evaluates a STIX/CybOX Account object against the OS-account artifacts
 * (TSK_OS_ACCOUNT) of the current case.
 *
 * Only User_Account and Windows_User_Account objects are handled; a plain
 * Account object is reported as INDETERMINATE. The fields compared are the
 * home directory, the username and (Windows only) the SID; every other
 * populated field is reported through an "Unsupported field(s)" warning.
 *
 * NOTE(review): this listing is an extracted excerpt — a number of statements
 * (flag assignments, the try/catch, closing braces) are not visible, so the
 * comments below describe only the lines that are shown.
 */
38 class EvalAccountObj
extends EvaluatableObject {
// The CybOX account object this evaluator was constructed for.
40 private AccountObjectType obj;
/**
 * @param a_obj     the account object to evaluate
 * @param a_id      the observable id; referenced below as {@code id}
 *                  (presumably stored by the superclass — not visible here)
 * @param a_spacing indentation prefix for result messages; referenced below
 *                  as {@code spacing}
 */
42 public EvalAccountObj(AccountObjectType a_obj, String a_id, String a_spacing) {
/**
 * Searches the case's TSK_OS_ACCOUNT artifacts for one whose path, username
 * and/or user id match the corresponding fields of the account object.
 *
 * @return TRUE with the matching artifacts, FALSE when no artifact matches,
 *         or INDETERMINATE when the object is not a user account, has no
 *         comparable field set, or an exception is caught during the lookup
 *         (the catch clause itself is outside this excerpt)
 */
49 public synchronized ObservableResult evaluate() {
// A plain Account object carries none of the fields compared below.
56 if (!(obj instanceof UserAccountObjectType)) {
57 return new ObservableResult(
id,
"AccountObject: Can not process \"Account\" - need a User_Account or Windows_User_Account",
58 spacing, ObservableResult.ObservableState.INDETERMINATE, null);
// Human-readable description of the criteria; the field values are copied
// verbatim from the CybOX object into the result messages below.
62 String searchString =
"";
// Which of the three comparable fields are populated. The assignments that
// set these to true are not visible in this excerpt.
65 boolean haveHomeDir =
false;
66 boolean haveUsername =
false;
67 boolean haveSID =
false;
69 UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
70 if (userAccountObj.getHomeDirectory() != null) {
72 searchString =
"HomeDir \"" + userAccountObj.getHomeDirectory().getValue().toString() +
"\"";
74 if (userAccountObj.getUsername() != null) {
// Separator is only needed once a previous criterion has been appended.
76 if (!searchString.isEmpty()) {
77 searchString +=
" and ";
79 searchString +=
"Username \"" + userAccountObj.getUsername().getValue().toString() +
"\"";
// The SID is only available on the Windows-specific subtype.
82 WindowsUserAccount winUserObj = null;
83 if (obj instanceof WindowsUserAccount) {
84 winUserObj = (WindowsUserAccount) obj;
86 if (winUserObj.getSecurityID() != null) {
88 if (!searchString.isEmpty()) {
89 searchString +=
" and ";
91 searchString +=
"SID \"" + winUserObj.getSecurityID().getValue().toString() +
"\"";
// Nothing to compare against: report INDETERMINATE rather than FALSE.
95 if (!(haveHomeDir || haveUsername || haveSID)) {
96 return new ObservableResult(
id,
"AccountObject: No evaluatable fields found",
97 spacing, ObservableResult.ObservableState.INDETERMINATE, null);
// Record populated fields that this evaluator does not compare.
101 setUnsupportedFieldWarnings();
// Artifacts that satisfied every supplied criterion.
106 List<BlackboardArtifact> finalHits =
new ArrayList<BlackboardArtifact>();
// NOTE(review): sleuthkitCase is not declared in the visible lines; the
// statement obtaining it is presumably among the omitted lines.
110 List<BlackboardArtifact> artList
111 = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT);
113 for (BlackboardArtifact art : artList) {
114 boolean foundHomeDirMatch =
false;
115 boolean foundUsernameMatch =
false;
116 boolean foundSIDMatch =
false;
// Each match flag is reassigned for every attribute of its type, so if an
// artifact carried more than one TSK_PATH / TSK_USER_NAME / TSK_USER_ID
// attribute the last one would decide. NOTE(review): confirm whether
// duplicates of these attribute types can occur on one artifact.
118 for (BlackboardAttribute attr : art.getAttributes()) {
119 if ((attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH.getTypeID())
121 foundHomeDirMatch = compareStringObject(userAccountObj.getHomeDirectory(), attr.getValueString());
123 if ((attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID())
125 foundUsernameMatch = compareStringObject(userAccountObj.getUsername(), attr.getValueString());
// The SID is compared against the artifact's TSK_USER_ID attribute.
127 if ((attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID())
128 && (haveSID) && (winUserObj != null)) {
129 foundSIDMatch = compareStringObject(winUserObj.getSecurityID(), attr.getValueString());
// An artifact is a hit when every field that was supplied matched; fields
// that were not supplied impose no constraint. The statement that adds the
// artifact to finalHits is not visible in this excerpt.
133 if (((!haveHomeDir) || foundHomeDirMatch)
134 && ((!haveUsername) || foundUsernameMatch)
135 && ((!haveSID) || foundSIDMatch)) {
// Wrap each hit so the caller can link the observable back to the artifact.
142 if (!finalHits.isEmpty()) {
143 List<StixArtifactData> artData =
new ArrayList<StixArtifactData>();
144 for (BlackboardArtifact a : finalHits) {
145 artData.add(
new StixArtifactData(a.getObjectID(), id,
"Account"));
147 return new ObservableResult(
id,
"AccountObject: Found a match for " + searchString,
148 spacing, ObservableResult.ObservableState.TRUE, artData);
152 return new ObservableResult(
id,
"AccountObject: No matches found for " + searchString,
153 spacing, ObservableResult.ObservableState.FALSE, null);
// Exception text is embedded in the result message; the enclosing catch
// clause (and the exception type) is outside this excerpt.
155 return new ObservableResult(
id,
"AccountObject: Exception during evaluation: " + ex.getLocalizedMessage(),
156 spacing, ObservableResult.ObservableState.INDETERMINATE, null);
/**
 * Collects the names of populated account fields that evaluate() does not
 * compare and reports them through addWarning() as a single
 * "Unsupported field(s)" message. Subtype-specific fields are only checked
 * when the object is of that subtype.
 */
164 private void setUnsupportedFieldWarnings() {
165 List<String> fieldNames =
new ArrayList<String>();
// Fields common to every Account object.
167 if (obj.getDescription() != null) {
168 fieldNames.add(
"Description");
170 if (obj.getDomain() != null) {
171 fieldNames.add(
"Domain");
173 if (obj.getAuthentications() != null) {
174 fieldNames.add(
"Authentication");
176 if (obj.getCreationDate() != null) {
177 fieldNames.add(
"Creation_Date");
179 if (obj.getModifiedDate() != null) {
180 fieldNames.add(
"Modified_Date");
182 if (obj.getLastAccessedTime() != null) {
183 fieldNames.add(
"Last_Accessed_Time");
// User_Account-specific fields.
186 if (obj instanceof UserAccountObjectType) {
187 UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
188 if (userAccountObj.getFullName() != null) {
189 fieldNames.add(
"Full_Name");
191 if (userAccountObj.getGroupList() != null) {
192 fieldNames.add(
"Group_List");
194 if (userAccountObj.getLastLogin() != null) {
195 fieldNames.add(
"Last_Login");
197 if (userAccountObj.getPrivilegeList() != null) {
198 fieldNames.add(
"Privilege_List");
200 if (userAccountObj.getScriptPath() != null) {
201 fieldNames.add(
"Script_Path");
203 if (userAccountObj.getUserPasswordAge() != null) {
204 fieldNames.add(
"User_Password_Age");
// Windows_User_Account-specific fields.
208 if (obj instanceof WindowsUserAccount) {
209 WindowsUserAccount winUserObj = (WindowsUserAccount) obj;
211 if (winUserObj.getSecurityType() != null) {
212 fieldNames.add(
"Security_Type");
// Join the collected names into one message; the separator and append
// statements inside the loop are not visible in this excerpt.
216 String warningStr =
"";
217 for (String name : fieldNames) {
218 if (!warningStr.isEmpty()) {
224 addWarning(
"Unsupported field(s): " + warningStr);