1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
21 import java.util.ArrayList;
22 import java.util.List;
23 import org.mitre.cybox.common_2.ConditionApplicationEnum;
24 import org.mitre.cybox.common_2.ConditionTypeEnum;
25 import org.mitre.cybox.objects.DomainName;
26 import org.sleuthkit.datamodel.BlackboardArtifact;
27 import org.sleuthkit.datamodel.BlackboardAttribute;
28 import org.sleuthkit.datamodel.TskCoreException;
31 import org.sleuthkit.datamodel.SleuthkitCase;
32 
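/**
 * Evaluates a CybOX {@link DomainName} object against the keyword-hit
 * artifacts ({@code TSK_KEYWORD_HIT}) of the currently open case.
 *
 * <p>Only an absent or {@code ANY} apply condition is accepted. The comparison
 * is always a substring test ({@code CONTAINS}) of the domain value against the
 * {@code TSK_KEYWORD} attribute of each hit; any other condition on the value
 * is recorded as a warning and otherwise ignored. Because the value is taken
 * verbatim from the CybOX object and matched as a plain substring, a short
 * value can match many unrelated keywords, and the value itself is echoed into
 * the result message. Results should therefore be read together with the
 * warnings attached to them.
 *
 * <p>{@link #evaluate()} is {@code synchronized}. The {@code id} and
 * {@code spacing} fields and the warning helpers ({@code setWarnings},
 * {@code addWarning}, {@code getPrintableWarnings}) are inherited from
 * {@link EvaluatableObject}.
 */
class EvalDomainObj extends EvaluatableObject {

    /** The CybOX domain-name object under evaluation. */
    private final DomainName obj;

    /**
     * @param a_obj     the CybOX domain-name object to evaluate
     * @param a_id      the observable id reported in every {@link ObservableResult}
     * @param a_spacing indentation prefix carried into the result
     */
    public EvalDomainObj(DomainName a_obj, String a_id, String a_spacing) {
        obj = a_obj;
        id = a_id;
        spacing = a_spacing;
    }

    /**
     * Evaluates the domain object against the case's keyword hits.
     *
     * @return {@code INDETERMINATE} when the object has no value element, the
     *         value element has no content, the apply condition is neither
     *         absent nor {@code ANY}, or artifact retrieval fails;
     *         {@code FALSE} when no case is open or no keyword hit contains
     *         the domain value; {@code TRUE} with one {@link StixArtifactData}
     *         per matching artifact otherwise.
     */
    @Override
    public synchronized ObservableResult evaluate() {

        setWarnings("");

        if (obj.getValue() == null) {
            return new ObservableResult(id, "DomainObject: No domain value field found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        // The value element can exist (e.g. carrying only condition attributes)
        // while its content is absent. Without this check the toString() below
        // would throw a NullPointerException, which is not caught by the
        // TskCoreException handler further down.
        if (obj.getValue().getValue() == null) {
            return new ObservableResult(id, "DomainObject: No domain value found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
        final String domainValue = obj.getValue().getValue().toString();

        Case case1;
        try {
            case1 = Case.getCurrentCaseThrows();
        } catch (NoCurrentCaseException ex) {
            return new ObservableResult(id, "Exception while getting open case.", //NON-NLS
                    spacing, ObservableResult.ObservableState.FALSE, null);
        }

        // Since we have single URL artifacts, ALL and NONE conditions probably don't make sense to test
        final ConditionApplicationEnum applyCondition = obj.getValue().getApplyCondition();
        if (applyCondition != null && applyCondition != ConditionApplicationEnum.ANY) {
            return new ObservableResult(id, "DomainObject: Can not process apply condition " + applyCondition.toString() //NON-NLS
                    + " on Domain object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
        }

        // If the condition is not "CONTAINS", add a warning that it's being ignored
        final ConditionTypeEnum condition = obj.getValue().getCondition();
        if (condition != null && condition != ConditionTypeEnum.CONTAINS) {
            addWarning("Warning: Ignoring condition " + condition.toString() //NON-NLS
                    + " on DomainName - using substring comparison"); //NON-NLS
        }

        try {
            List<BlackboardArtifact> finalHits
                    = findKeywordHitsContaining(case1.getSleuthkitCase(), domainValue, applyCondition);

            if (finalHits.isEmpty()) {
                return new ObservableResult(id, "DomainNameObject: Found no matches for " + domainValue //NON-NLS
                        + " " + getPrintableWarnings(),
                        spacing, ObservableResult.ObservableState.FALSE, null);
            }

            return new ObservableResult(id, "DomainNameObject: Found a match for " + domainValue //NON-NLS
                    + " " + getPrintableWarnings(),
                    spacing, ObservableResult.ObservableState.TRUE, toArtifactData(finalHits));
        } catch (TskCoreException ex) {
            return new ObservableResult(id, "DomainNameObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
    }

    /**
     * Collects the keyword-hit artifacts whose {@code TSK_KEYWORD} attribute
     * contains {@code domainValue}.
     *
     * @param sleuthkitCase  the case database to query
     * @param domainValue    the domain string to look for
     * @param applyCondition the apply condition forwarded to
     *                       {@code compareStringObject} (absent or {@code ANY}
     *                       by the time this is called)
     * @return the matching artifacts; empty when there are none
     * @throws TskCoreException if the artifacts or their attributes cannot be read
     */
    private List<BlackboardArtifact> findKeywordHitsContaining(SleuthkitCase sleuthkitCase, String domainValue,
            ConditionApplicationEnum applyCondition) throws TskCoreException {
        List<BlackboardArtifact> hits = new ArrayList<BlackboardArtifact>();

        // What is queried here is every keyword hit in the case (not URL
        // artifacts); the matched text lives in the TSK_KEYWORD attribute.
        final int keywordTypeId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID();
        List<BlackboardArtifact> artList
                = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);

        for (BlackboardArtifact art : artList) {
            for (BlackboardAttribute attr : art.getAttributes()) {
                if (attr.getAttributeType().getTypeID() != keywordTypeId) {
                    continue;
                }
                String keyword = attr.getValueString();
                // A null keyword cannot contain the domain; skipping it also
                // avoids depending on how compareStringObject treats null,
                // which is not visible from this class.
                if (keyword == null) {
                    continue;
                }
                // Substring comparison regardless of the condition on the
                // domain name object. NOTE(review): an artifact with several
                // matching TSK_KEYWORD attributes is added once per attribute,
                // as in the original code — confirm whether callers expect
                // deduplication.
                if (compareStringObject(domainValue, ConditionTypeEnum.CONTAINS, applyCondition, keyword)) {
                    hits.add(art);
                }
            }
        }
        return hits;
    }

    /**
     * Wraps each matching artifact in the {@link StixArtifactData} this
     * observable reports, tagged with the observable id.
     *
     * @param hits the matching artifacts
     * @return one entry per artifact, in the same order
     */
    private List<StixArtifactData> toArtifactData(List<BlackboardArtifact> hits) {
        List<StixArtifactData> artData = new ArrayList<StixArtifactData>(hits.size());
        for (BlackboardArtifact a : hits) {
            artData.add(new StixArtifactData(a.getObjectID(), id, "DomainNameObject")); //NON-NLS
        }
        return artData;
    }

}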
