19 package org.sleuthkit.autopsy.modules.stix;
21 import java.util.ArrayList;
22 import java.util.List;
23 import org.mitre.cybox.common_2.ConditionApplicationEnum;
24 import org.mitre.cybox.common_2.ConditionTypeEnum;
25 import org.mitre.cybox.common_2.StringObjectPropertyType;
36 abstract class EvaluatableObject {
// Accumulated warning text for this object. addWarning() appends entries
// separated by ", "; getWarnings()/getPrintableWarnings() expose it. A null or
// empty value means "no warnings so far".
private String warnings;
// Indentation prefix available to subclasses; no use of it is visible in this
// listing.
protected String spacing;
/**
 * Evaluates this object against the current case and reports the outcome.
 *
 * @return the result of the evaluation
 */
public abstract ObservableResult evaluate();
/**
 * Replaces the accumulated warning text.
 *
 * @param a_warnings the new warning text; null or empty clears the warnings
 */
public void setWarnings(String a_warnings) {
    this.warnings = a_warnings;
}
/**
 * Returns the accumulated warning text. (The body of this accessor is not
 * shown in this listing; getPrintableWarnings() treats a null or empty result
 * as "no warnings".)
 */
public String getWarnings() {
/**
 * Records a warning, joining it to any previously recorded warnings with
 * ", " as the separator.
 *
 * @param a_newWarning the warning text to add
 */
public void addWarning(String a_newWarning) {
    boolean nothingRecordedYet = warnings == null || warnings.isEmpty();
    warnings = nothingRecordedYet ? a_newWarning : warnings + ", " + a_newWarning;
}
/**
 * Looks up blackboard artifacts whose {@code attrType} attribute contains the
 * value(s) of {@code item} as a substring.
 *
 * The value may carry several alternatives separated by the literal
 * {@code "##comma##"}. How the per-part hits are combined depends on
 * {@code item.getApplyCondition()}: null/ANY unions them, ALL intersects them.
 * Any condition other than CONTAINS is ignored (a warning is recorded and a
 * substring comparison is performed anyway).
 *
 * NOTE: this listing is missing lines; the gaps are marked with
 * "[lines not shown]" comments below.
 *
 * @param item     the CybOX string property to search for (presumably parsed
 *                 from the STIX document being evaluated)
 * @param attrType the blackboard attribute type to match against
 * @return the matching artifacts; may be null when the search failed or no
 *         part was processed (see the catch block) -- callers must null-check
 * @throws TskCoreException if the item's value is null
 */
public List<BlackboardArtifact> findArtifactsBySubstring(StringObjectPropertyType item,
        BlackboardAttribute.ATTRIBUTE_TYPE attrType) throws TskCoreException {
    if (item.getValue() == null) {
        throw new TskCoreException("Error: Value field is null");
    }
    // Only CONTAINS is honoured; anything else is reported and treated as a
    // substring match.
    if (item.getCondition() == null) {
        addWarning("Warning: No condition given for " + attrType.getDisplayName()
                + " field, using substring comparison");
    }
    else if (item.getCondition() != ConditionTypeEnum.CONTAINS) {
        addWarning("Warning: Ignoring condition " + item.getCondition() + " for "
                + attrType.getDisplayName() + " field and doing substring comparison");
    // [lines not shown] -- closing brace above and the "try {" matched by the catch below
    List<BlackboardArtifact> hits = null;
    Case case1 = Case.getCurrentCaseThrows();
    SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
    // Several alternative values are packed into one string, separated by "##comma##".
    // NOTE(review): each part is externally supplied data handed to the TSK lookup
    // API; confirm that API parameterizes it rather than interpolating it into SQL.
    String[] parts = item.getValue().toString().split("##comma##");
    if ((item.getApplyCondition() == null)
            || (item.getApplyCondition() == ConditionApplicationEnum.ANY)) {
        // ANY (the default): union of the hits for every part.
        for (String part : parts) {
            hits = sleuthkitCase.getBlackboardArtifacts(
            // [lines not shown] -- remaining arguments; first-round vs. later-round branching
            hits.addAll(sleuthkitCase.getBlackboardArtifacts(
            // [lines not shown]
    }
    else if ((item.getApplyCondition() != null)
            || (item.getApplyCondition() == ConditionApplicationEnum.ALL)) {
        // BUG (review): the branch above already consumed null and ANY, so
        // "getApplyCondition() != null" is true for every value that reaches this
        // test -- including NONE. With "||" this branch therefore also absorbs NONE,
        // and the "Can not apply NONE condition" throw further down can never run.
        // The intended test is "== ConditionApplicationEnum.ALL" alone.
        boolean firstRound = true;
        for (String part : parts) {
            // ALL: start from the first part's hits, then intersect with each later part.
            hits = sleuthkitCase.getBlackboardArtifacts(
            // [lines not shown] -- remaining arguments; firstRound bookkeeping
        }
        else if (hits != null) {
            hits.retainAll(sleuthkitCase.getBlackboardArtifacts(
            // [lines not shown]
            // No hits survived an earlier round, so the intersection is empty.
            return new ArrayList<BlackboardArtifact>();
            // [lines not shown]
        // Unreachable in practice because of the "||" noted above.
        throw new TskCoreException("Error: Can not apply NONE condition in search");
    }
    catch (TskCoreException | NoCurrentCaseException ex) {
        // The search failure is downgraded to a warning; whatever was collected so
        // far (possibly null) is what the caller gets back. The method's declared
        // TskCoreException is still raised by the null-value check at the top,
        // which appears to sit outside this try (its opening line is not shown).
        addWarning(ex.getLocalizedMessage());
/**
 * Compares a field value against a CybOX string property, delegating to
 * {@link #compareStringObject(String, ConditionTypeEnum, ConditionApplicationEnum, String)}
 * with the property's value, condition and apply-condition unpacked.
 *
 * @param stringObj the CybOX string property holding the expected value(s) and operators
 * @param strField  the artifact field value to test
 * @return whether {@code strField} satisfies the property
 * @throws TskCoreException if the property's value is null, or if the delegate rejects the condition
 */
public static boolean compareStringObject(StringObjectPropertyType stringObj, String strField)
        throws TskCoreException {
    Object rawValue = stringObj.getValue();
    if (rawValue == null) {
        throw new TskCoreException("Error: Value field is null");
    }
    return compareStringObject(rawValue.toString(), stringObj.getCondition(),
            stringObj.getApplyCondition(), strField);
}
/**
 * Compares one artifact field value against a CybOX string condition.
 *
 * {@code valueStr} may contain several alternatives separated by the literal
 * {@code "##comma##"}. Each part is tested with {@code condition}, and the
 * per-part results are folded according to {@code applyCondition} (NONE, ALL,
 * or -- for any other value -- ANY). The early exits inside the loop and the
 * final return are not shown in this listing.
 *
 * NOTE: this listing is missing lines; gaps are marked "[lines not shown]".
 *
 * @param valueStr       the (possibly "##comma##"-joined) expected value(s)
 * @param condition      comparison operator; null is treated as EQUALS
 * @param applyCondition how per-part results are combined
 * @param strField       the field value under test; must be non-null (it is
 *                       lower-cased unconditionally below)
 * @return whether {@code strField} satisfies the condition
 * @throws TskCoreException if {@code valueStr} is null or {@code condition} is
 *                          not one of the six operators handled here
 */
public static boolean compareStringObject(String valueStr, ConditionTypeEnum condition,
        ConditionApplicationEnum applyCondition, String strField)
        throws TskCoreException {
    if (valueStr == null) {
        throw new TskCoreException("Error: Value field is null");
    // [lines not shown] -- closing brace of the null check
    String[] parts = valueStr.split("##comma##");
    // NOTE(review): default-locale lower-casing. equalsIgnoreCase below is
    // locale-independent, but the contains/startsWith/endsWith branches are not;
    // Locale.ROOT would make all six operators behave the same on every host.
    // A null strField fails here with NullPointerException, not TskCoreException.
    String lowerFieldName = strField.toLowerCase();
    for (String value : parts) {
        boolean partialResult;
        if ((condition == null)
                || (condition == ConditionTypeEnum.EQUALS)) {
            partialResult = value.equalsIgnoreCase(strField);
        }
        else if (condition == ConditionTypeEnum.DOES_NOT_EQUAL) {
            partialResult = !value.equalsIgnoreCase(strField);
        }
        else if (condition == ConditionTypeEnum.CONTAINS) {
            partialResult = lowerFieldName.contains(value.toLowerCase());
        }
        else if (condition == ConditionTypeEnum.DOES_NOT_CONTAIN) {
            partialResult = !lowerFieldName.contains(value.toLowerCase());
        }
        else if (condition == ConditionTypeEnum.STARTS_WITH) {
            partialResult = lowerFieldName.startsWith(value.toLowerCase());
        }
        else if (condition == ConditionTypeEnum.ENDS_WITH) {
            partialResult = lowerFieldName.endsWith(value.toLowerCase());
            // [lines not shown] -- "} else {" opening the unsupported-operator branch.
            // condition is non-null here: the null case was taken by the first branch.
            throw new TskCoreException("Could not process condition " + condition.value() + " on " + value);
            // [lines not shown]
        // Fold this part's result into the overall answer.
        if (applyCondition == ConditionApplicationEnum.NONE) {
            if (partialResult == true) {
                // [lines not shown] -- presumably an early return: a match disqualifies NONE
        }
        else if (applyCondition == ConditionApplicationEnum.ALL) {
            if (partialResult == false) {
                // [lines not shown] -- presumably an early return: a miss disqualifies ALL
            if (partialResult == true) {
                // [lines not shown] -- ANY case: presumably an early return on the first match
    // Loop finished without an early exit: NONE/ALL were never disqualified.
    if ((applyCondition == ConditionApplicationEnum.NONE)
            || (applyCondition == ConditionApplicationEnum.ALL)) {
            // [lines not shown] -- final returns
/**
 * Renders the accumulated warnings for display.
 *
 * @return the warnings wrapped in " (" and ")", or the empty string when there
 *         are none (null or empty)
 */
public String getPrintableWarnings() {
    String current = getWarnings();
    if (current == null || current.isEmpty()) {
        return "";
    }
    return " (" + current + ")";
}