api-docs/4.22.1/_path_normalizer_8java_source.html

/*

 * Autopsy Forensic Browser

 *

 * Copyright 2023 Basis Technology Corp.

 * Contact: carrier <at> sleuthkit <dot> org

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.basistech.df.cybertriage.autopsy.malwarescan;


import com.google.common.net.InetAddresses;

import java.net.InetAddress;

import java.util.Collections;

import java.util.HashSet;

import java.util.List;

import java.util.Locale;

import java.util.Set;

import java.util.logging.Level;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

import java.util.stream.Collectors;

import org.apache.commons.lang3.StringUtils;

import org.sleuthkit.autopsy.coreutils.Logger;

import org.sleuthkit.datamodel.SleuthkitCase;

import org.sleuthkit.datamodel.TskCoreException;


class PathNormalizer {


    private static final Logger LOGGER = Logger.getLogger(PathNormalizer.class.getName());


    private static final String ANONYMIZED_USERNAME = "<user>";

    private static final String ANONYMIZED_IP = "<private_ip>";

    private static final String ANONYMIZED_HOSTNAME = "<hostname>";

    private static final String FORWARD_SLASH = "/";

    private static final String BACK_SLASH = "\\";


    private static final Pattern USER_PATH_FORWARD_SLASH_REGEX = Pattern.compile("(?<!all )([/]{0,1}\\Qusers\\E/)(?!(public|Default|defaultAccount|All Users))([^/]+)(/){0,1}", Pattern.CASE_INSENSITIVE);

    private static final Pattern USER_PATH_BACK_SLASH_REGEX = Pattern.compile("(?<!all )([\\\\]{0,1}\\Qusers\\E\\\\)(?!(public|Default|defaultAccount|All Users))([^\\\\]+)([\\\\]){0,1}", Pattern.CASE_INSENSITIVE);


    private static final Pattern USER_PATH_FORWARD_SLASH_REGEX_XP = Pattern.compile("([/]{0,1}\\Qdocuments and settings\\E/)(?!(Default User|All Users))([^/]+)(/){0,1}", Pattern.CASE_INSENSITIVE);

    private static final Pattern USER_PATH_BACK_SLASH_REGEX_XP = Pattern.compile("([\\\\]{0,1}\\Qdocuments and settings\\E\\\\)(?!(Default User|All Users))([^\\\\]+)(\\\\){0,1}", Pattern.CASE_INSENSITIVE);


    private static final Pattern UNC_PATH_FORWARD_SLASH_PATTERN = Pattern.compile("(//)([^/]+)(/){0,1}");

    private static final Pattern UNC_PATH_BACK_SLASH_PATTERN = Pattern.compile("(\\\\\\\\)([^\\\\]+)(\\\\){0,1}");


    private static final String USERNAME_REGEX_REPLACEMENT = "$1" + ANONYMIZED_USERNAME + "$4";


    private final SleuthkitCase skCase;


    PathNormalizer(SleuthkitCase skCase) {

        this.skCase = skCase;

    }


    protected List<String> getUsernames() {

        try {

            return this.skCase.getOsAccountManager().getOsAccounts().stream()

                    .filter(acct -> acct != null)

                    .map(acct -> acct.getLoginName().orElse(null))

                    .filter(StringUtils::isNotBlank)

                    .collect(Collectors.toList());

        } catch (TskCoreException ex) {

            LOGGER.log(Level.WARNING, "There was an error getting current os accounts", ex);

            return Collections.emptyList();

        }

    }


    public String normalizePath(String inputString) {

        if (StringUtils.isBlank(inputString)) {

            return "";

        }


        String anonymousString = anonymizeUserFromPathsWithForwardSlashes(inputString);

        anonymousString = anonymizeUserFromPathsWithBackSlashes(anonymousString);

        anonymousString = anonymizeServerFromUNCPath(anonymousString);


        return anonymousString;

    }


    private String anonymizeUserFromPathsWithForwardSlashes(String stringWithUsername) {

        String anonymousString = stringWithUsername;

        anonymousString = regexReplace(anonymousString, USER_PATH_FORWARD_SLASH_REGEX_XP, USERNAME_REGEX_REPLACEMENT);

        anonymousString = regexReplace(anonymousString, USER_PATH_FORWARD_SLASH_REGEX, USERNAME_REGEX_REPLACEMENT);

        anonymousString = replaceFolder(anonymousString, getUsernames(), ANONYMIZED_USERNAME, FORWARD_SLASH);

        return anonymousString;

    }


    // Most paths in CyberTriage are normalized with forward slashes

    // but there can still be strings containing paths that are not normalized such paths contained in arguments or event log payloads

    private String anonymizeUserFromPathsWithBackSlashes(String stringWithUsername) {

        String anonymousString = stringWithUsername;

        anonymousString = regexReplace(anonymousString, USER_PATH_BACK_SLASH_REGEX_XP, USERNAME_REGEX_REPLACEMENT);

        anonymousString = regexReplace(anonymousString, USER_PATH_BACK_SLASH_REGEX, USERNAME_REGEX_REPLACEMENT);

        anonymousString = replaceFolder(anonymousString, getUsernames(), ANONYMIZED_USERNAME, BACK_SLASH);


        return anonymousString;

    }


    private String anonymizeServerFromUNCPath(String inputString) {


        Set<String> serverNames = new HashSet<>();

        String anonymousString = inputString.toLowerCase(Locale.ENGLISH);


        Matcher forwardSlashMatcher = UNC_PATH_FORWARD_SLASH_PATTERN.matcher(anonymousString);

        while (forwardSlashMatcher.find()) {

            String serverName = forwardSlashMatcher.group(2);

            serverNames.add(serverName);

        }


        Matcher backSlashMatcher = UNC_PATH_BACK_SLASH_PATTERN.matcher(anonymousString);

        while (backSlashMatcher.find()) {

            String serverName = backSlashMatcher.group(2);

            serverNames.add(serverName);

        }


        for (String serverName : serverNames) {


            if (StringUtils.isBlank(serverName)) {

                continue;

            }


            if (InetAddresses.isInetAddress(serverName) && isLocalIP(serverName)) {

                anonymousString = replaceFolder(anonymousString, Collections.singletonList(serverName), ANONYMIZED_IP);

            } else {

                anonymousString = replaceFolder(anonymousString, Collections.singletonList(serverName), ANONYMIZED_HOSTNAME);

            }


        }


        return anonymousString;

    }


    private static String regexReplace(String orig, Pattern pattern, String regexReplacement) {

        Matcher matcher = pattern.matcher(orig);

        return matcher.replaceAll(regexReplacement);

    }


    private static String replaceFolder(String orig, List<String> valuesToReplace, String replacementValue) {

        String anonymized = orig;

        anonymized = replaceFolder(anonymized, valuesToReplace, replacementValue, FORWARD_SLASH);

        anonymized = replaceFolder(anonymized, valuesToReplace, replacementValue, BACK_SLASH);

        return anonymized;

    }


    private static String replaceFolder(String orig, List<String> valuesToReplace, String replacementValue, String folderDelimiter) {

        if (orig == null || valuesToReplace == null) {

            return orig;

        }


        String anonymousString = orig;


        // ensure non-null

        folderDelimiter = StringUtils.defaultString(folderDelimiter);

        replacementValue = StringUtils.defaultString(replacementValue);


        // replace

        for (String valueToReplace : valuesToReplace) {

            if (StringUtils.isNotEmpty(valueToReplace)) {

                anonymousString = anonymousString.replace(

                        folderDelimiter + valueToReplace + folderDelimiter,

                        folderDelimiter + replacementValue + folderDelimiter);

            }

        }


        return anonymousString;

    }


    public static boolean isLocalIP(String ipAddress) {

        try {

            InetAddress a = InetAddresses.forString(ipAddress);

            return a.isAnyLocalAddress() || a.isSiteLocalAddress()

                    || a.isLoopbackAddress() || a.isLinkLocalAddress();

        } catch (IllegalArgumentException ex) {

            LOGGER.log(Level.WARNING, "Invalid IP string", ex);

            return false;

        }

    }


}