19 package org.sleuthkit.autopsy.modules.stix;
21 import java.util.ArrayList;
22 import java.util.List;
23 import org.mitre.cybox.common_2.ConditionApplicationEnum;
24 import org.mitre.cybox.common_2.ConditionTypeEnum;
25 import org.mitre.cybox.objects.DomainName;
36 class EvalDomainObj
extends EvaluatableObject {
// The CybOX DomainName observable this evaluator tests. It is final, so it
// is assigned exactly once in the constructor (that assignment is not shown
// in this excerpt).
38 private final DomainName obj;
/**
 * Creates an evaluator for a single CybOX DomainName object.
 *
 * The constructor body is not part of this excerpt. Presumably it stores
 * a_obj in the {@code obj} field and hands a_id / a_spacing to the
 * EvaluatableObject superclass, which is where the {@code id} and
 * {@code spacing} values used by evaluate() would come from -- confirm
 * against the full source.
 *
 * @param a_obj     the DomainName observable to evaluate
 * @param a_id      the observable's identifier (presumably reported in
 *                  every ObservableResult as {@code id})
 * @param a_spacing indentation string passed through to ObservableResult
 */
40 public EvalDomainObj(DomainName a_obj, String a_id, String a_spacing) {
/**
 * Evaluates this DomainName observable against the currently open case by
 * scanning every TSK_KEYWORD_HIT artifact on the blackboard.
 *
 * Outcomes on the paths visible in this excerpt:
 * <ul>
 *   <li>INDETERMINATE when the object carries no value, when its apply
 *       condition is anything other than null/ANY, or when a
 *       TskCoreException is thrown while reading the blackboard;</li>
 *   <li>FALSE when no case is open, or when no keyword hit contains the
 *       domain string;</li>
 *   <li>TRUE, with one StixArtifactData per matching artifact, otherwise.</li>
 * </ul>
 *
 * A condition other than CONTAINS is not honoured: a warning is recorded
 * and a plain substring comparison is used regardless.
 *
 * Note: the listing this is taken from is missing several lines -- the
 * {@code try {} that pairs with the two catch blocks, the declaration of
 * {@code case1}, and the statements that add a matching artifact to
 * {@code finalHits} -- and the method's closing braces fall outside this
 * view. Nothing below is inferred from those missing lines.
 *
 * @return the ObservableResult described above
 */
47 public synchronized ObservableResult evaluate() {
// A DomainName without a value cannot be evaluated at all.
51 if (obj.getValue() == null) {
52 return new ObservableResult(
id,
"DomainObject: No domain value field found",
53 spacing, ObservableResult.ObservableState.INDETERMINATE, null);
// The enclosing `try {` and the `Case case1;` declaration are not shown in
// this excerpt.
58 case1 = Case.getCurrentCaseThrows();
59 }
catch (NoCurrentCaseException ex) {
// NOTE(review): "no open case" is reported as FALSE, i.e. as if the
// indicator were confirmed absent, whereas the TskCoreException path at
// the bottom reports the same kind of evaluation failure as INDETERMINATE.
// A consumer that trusts a FALSE result could mistake an error for a clean
// negative; INDETERMINATE would be the consistent choice -- confirm with
// the code that aggregates ObservableResults.
60 return new ObservableResult(
id,
"Exception while getting open case.",
61 spacing, ObservableResult.ObservableState.FALSE, null);
// Only the default (null) or ANY apply condition is supported; anything
// else is reported rather than guessed at.
64 if (!((obj.getValue().getApplyCondition() == null)
65 || (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) {
66 return new ObservableResult(
id,
"DomainObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString()
67 +
" on Domain object", spacing, ObservableResult.ObservableState.INDETERMINATE, null);
// A condition other than CONTAINS is silently downgraded to a substring
// match; the warning is surfaced later via getPrintableWarnings().
71 if ((obj.getValue().getCondition() != null)
72 && (obj.getValue().getCondition() != ConditionTypeEnum.CONTAINS)) {
73 addWarning(
"Warning: Ignoring condition " + obj.getValue().getCondition().toString()
74 +
" on DomainName - using substring comparison");
77 SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
// Artifacts whose keyword contains the domain string.
81 List<BlackboardArtifact> finalHits =
new ArrayList<BlackboardArtifact>();
// Every keyword-hit artifact in the case is fetched and scanned linearly;
// there is no pre-filtering by the domain string, so the cost grows with
// the total number of keyword hits in the case.
84 List<BlackboardArtifact> artList
85 = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
87 for (BlackboardArtifact art : artList) {
89 for (BlackboardAttribute attr : art.getAttributes()) {
90 if (attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
// The local is named `url`, but what is read here is the TSK_KEYWORD
// attribute, i.e. the matched keyword text.
91 String url = attr.getValueString();
// NOTE(review): CONTAINS is hard-coded here, so this is a plain substring
// test: an indicator for `example.com` also matches keyword hits such as
// `notexample.com` or `example.com.attacker.tld`. Nothing visible here
// normalises case or a trailing dot either -- whether compareStringObject
// does is not shown. For a domain indicator, a comparison that respects
// host-label boundaries would avoid those false positives.
// The statements that record a match in finalHits (original lines 97-102)
// are not part of this excerpt.
95 if (compareStringObject(obj.getValue().getValue().toString(), ConditionTypeEnum.CONTAINS,
96 obj.getValue().getApplyCondition(), url)) {
// Each hit becomes a StixArtifactData keyed by the artifact's object id
// and this observable's id. (The result-text prefix here is
// "DomainNameObject:" while the earlier messages use "DomainObject:";
// cosmetic, left as-is.)
103 if (!finalHits.isEmpty()) {
104 List<StixArtifactData> artData =
new ArrayList<StixArtifactData>();
105 for (BlackboardArtifact a : finalHits) {
106 artData.add(
new StixArtifactData(a.getObjectID(), id,
"DomainNameObject"));
108 return new ObservableResult(
id,
"DomainNameObject: Found a match for " + obj.getValue().getValue().toString()
109 +
" " + getPrintableWarnings(),
110 spacing, ObservableResult.ObservableState.TRUE, artData);
// No keyword hit contained the domain string.
113 return new ObservableResult(
id,
"DomainNameObject: Found no matches for " + obj.getValue().getValue().toString()
114 +
" " + getPrintableWarnings(),
115 spacing, ObservableResult.ObservableState.FALSE, null);
116 }
catch (TskCoreException ex) {
// Blackboard access failures are reported as INDETERMINATE, with the
// exception's localized message embedded in the result text.
117 return new ObservableResult(
id,
"DomainNameObject: Exception during evaluation: " + ex.getLocalizedMessage(),
118 spacing, ObservableResult.ObservableState.INDETERMINATE, null);