1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import org.mitre.cybox.common_2.ConditionApplicationEnum;
import org.mitre.cybox.common_2.ConditionTypeEnum;
import org.mitre.cybox.common_2.StringObjectPropertyType;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
31 
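/**
 * Base class for STIX/CybOX objects that can be evaluated against the data in
 * the current case. Holds the object id, an indentation prefix for printing and
 * a running list of warnings produced while evaluating, and provides the shared
 * string-matching helpers used by the concrete object types.
 */
abstract class EvaluatableObject {

    // Comma-separated warning text accumulated by addWarning(); null or "" when none.
    private String warnings;
    // Identifier of the CybOX object being evaluated (set by subclasses).
    protected String id;
    // Indentation prefix; presumably used by subclasses when printing nested
    // results — not read in this file.
    protected String spacing;

    /**
     * Evaluates this object against the current case.
     *
     * @return the outcome of the evaluation
     */
    abstract public ObservableResult evaluate();

    /**
     * Replaces the accumulated warnings.
     *
     * @param a_warnings the new warning text (may be null)
     */
    public void setWarnings(String a_warnings) {
        warnings = a_warnings;
    }

    /**
     * Returns the accumulated warnings.
     *
     * @return the warning text, or null if none were ever set or added
     */
    public String getWarnings() {
        return warnings;
    }

    /**
     * Appends a warning, separating it from any previous ones with ", ".
     *
     * @param a_newWarning the warning to record
     */
    public void addWarning(String a_newWarning) {
        if ((warnings == null) || warnings.isEmpty()) {
            warnings = a_newWarning;
            return;
        }
        warnings = warnings + ", " + a_newWarning;
    }

    /**
     * Finds the blackboard artifacts whose attribute of the given type contains
     * the value of the CybOX string property as a substring.
     * <p>
     * The property value may hold several alternatives separated by the literal
     * token {@code ##comma##}. With apply-condition ANY (or none) the hits for
     * each alternative are unioned; with ALL they are intersected; NONE cannot
     * be expressed as a search and is reported as a warning. Any condition other
     * than CONTAINS is ignored (with a warning) because the underlying query is
     * always a substring search.
     *
     * @param item     the CybOX string property to search for
     * @param attrType the attribute type to match the value against
     * @return the matching artifacts, or null if the search could not be run
     *         (the failure is recorded as a warning)
     * @throws TskCoreException if the property's value is null
     */
    public List<BlackboardArtifact> findArtifactsBySubstring(StringObjectPropertyType item,
            BlackboardAttribute.ATTRIBUTE_TYPE attrType) throws TskCoreException {

        if (item.getValue() == null) {
            throw new TskCoreException("Error: Value field is null"); //NON-NLS
        }

        if (item.getCondition() == null) {
            addWarning("Warning: No condition given for " + attrType.getDisplayName() + " field, using substring comparison"); //NON-NLS
        } else if (item.getCondition() != ConditionTypeEnum.CONTAINS) {
            addWarning("Warning: Ignoring condition " + item.getCondition() + " for " //NON-NLS
                    + attrType.getDisplayName() + " field and doing substring comparison"); //NON-NLS
        }

        List<BlackboardArtifact> hits = null;
        try {
            SleuthkitCase sleuthkitCase = Case.getCurrentCase().getSleuthkitCase();
            String[] parts = item.getValue().toString().split("##comma##"); //NON-NLS
            ConditionApplicationEnum applyCondition = item.getApplyCondition();

            if ((applyCondition == null) || (applyCondition == ConditionApplicationEnum.ANY)) {
                hits = unionOfSubstringHits(sleuthkitCase, attrType, parts);
            } else if (applyCondition == ConditionApplicationEnum.ALL) {
                // Must test for ALL explicitly: the previous "!= null" test here was
                // always true after the ANY branch, so NONE was silently treated as ALL
                // and the error below was unreachable.
                hits = intersectionOfSubstringHits(sleuthkitCase, attrType, parts);
            } else {
                throw new TskCoreException("Error: Can not apply NONE condition in search"); //NON-NLS
            }
        } catch (TskCoreException ex) {
            // Search problems are reported on the object rather than aborting the
            // whole evaluation; the caller sees a null result plus the warning.
            addWarning(ex.getLocalizedMessage());
        }

        return hits;
    }

    // Union of the substring hits for every part (apply-condition ANY).
    private static List<BlackboardArtifact> unionOfSubstringHits(SleuthkitCase sleuthkitCase,
            BlackboardAttribute.ATTRIBUTE_TYPE attrType, String[] parts) throws TskCoreException {
        List<BlackboardArtifact> hits = new ArrayList<BlackboardArtifact>();
        for (String part : parts) {
            // Note that this searches for artifacts with "part" as a substring
            hits.addAll(sleuthkitCase.getBlackboardArtifacts(attrType, part, false));
        }
        return hits;
    }

    // Intersection of the substring hits of every part (apply-condition ALL).
    private static List<BlackboardArtifact> intersectionOfSubstringHits(SleuthkitCase sleuthkitCase,
            BlackboardAttribute.ATTRIBUTE_TYPE attrType, String[] parts) throws TskCoreException {
        List<BlackboardArtifact> hits = null;
        for (String part : parts) {
            List<BlackboardArtifact> partHits = sleuthkitCase.getBlackboardArtifacts(attrType, part, false);
            if (hits == null) {
                if (partHits == null) {
                    // Nothing to intersect with; treat as no match rather than failing.
                    return new ArrayList<BlackboardArtifact>();
                }
                hits = new ArrayList<BlackboardArtifact>(partHits);
            } else {
                hits.retainAll(partHits);
            }
        }
        return hits;
    }

    /**
     * Compares a CybOX string property against a field value using the
     * property's condition and apply-condition.
     *
     * @param stringObj the CybOX string property (value, condition, apply-condition)
     * @param strField  the field value to compare against
     * @return true if the field satisfies the property
     * @throws TskCoreException if the property's value is null or its condition
     *                          is not supported
     */
    public static boolean compareStringObject(StringObjectPropertyType stringObj, String strField)
            throws TskCoreException {
        if (stringObj.getValue() == null) {
            throw new TskCoreException("Error: Value field is null"); //NON-NLS
        }

        return compareStringObject(stringObj.getValue().toString(), stringObj.getCondition(),
                stringObj.getApplyCondition(), strField);
    }

    /**
     * Compares a value string against a field value.
     * <p>
     * {@code valueStr} may hold several alternatives separated by the literal
     * token {@code ##comma##}. Each alternative is tested with {@code condition}
     * (null means EQUALS; all comparisons are case-insensitive) and the partial
     * results are combined with {@code applyCondition}: ALL requires every
     * alternative to match, NONE requires none to match, anything else (ANY or
     * null) requires at least one to match.
     *
     * @param valueStr       the indicator value(s) to look for
     * @param condition      how each alternative is compared, or null for EQUALS
     * @param applyCondition how the per-alternative results are combined
     * @param strField       the field value to compare against
     * @return true if the field satisfies the combined comparison
     * @throws TskCoreException if valueStr is null or the condition is not supported
     */
    public static boolean compareStringObject(String valueStr, ConditionTypeEnum condition,
            ConditionApplicationEnum applyCondition, String strField)
            throws TskCoreException {

        if (valueStr == null) {
            throw new TskCoreException("Error: Value field is null"); //NON-NLS
        }

        String[] parts = valueStr.split("##comma##"); //NON-NLS
        // Locale.ROOT keeps the case folding independent of the analyst's default
        // locale (e.g. tr_TR folds 'I' to dotless i), so an indicator matches the
        // same data on every workstation.
        String lowerFieldName = strField.toLowerCase(Locale.ROOT);

        for (String value : parts) {
            boolean partialResult = matchesCondition(value, condition, strField, lowerFieldName);

            // Short-circuit as soon as the combined outcome is decided.
            if (applyCondition == ConditionApplicationEnum.NONE) {
                if (partialResult) {
                    return false;
                }
            } else if (applyCondition == ConditionApplicationEnum.ALL) {
                if (!partialResult) {
                    return false;
                }
            } else if (partialResult) {
                // Default is "any"
                return true;
            }
        }

        // No short-circuit: every alternative satisfied ALL / NONE, or none satisfied ANY.
        return (applyCondition == ConditionApplicationEnum.NONE)
                || (applyCondition == ConditionApplicationEnum.ALL);
    }

    // Tests one alternative against the field; lowerFieldName is strField folded with Locale.ROOT.
    private static boolean matchesCondition(String value, ConditionTypeEnum condition,
            String strField, String lowerFieldName) throws TskCoreException {
        if (condition == null) {
            return value.equalsIgnoreCase(strField);
        }
        String lowerValue = value.toLowerCase(Locale.ROOT);
        switch (condition) {
            case EQUALS:
                return value.equalsIgnoreCase(strField);
            case DOES_NOT_EQUAL:
                return !value.equalsIgnoreCase(strField);
            case CONTAINS:
                return lowerFieldName.contains(lowerValue);
            case DOES_NOT_CONTAIN:
                return !lowerFieldName.contains(lowerValue);
            case STARTS_WITH:
                return lowerFieldName.startsWith(lowerValue);
            case ENDS_WITH:
                return lowerFieldName.endsWith(lowerValue);
            default:
                throw new TskCoreException("Could not process condition " + condition.value() + " on " + value); //NON-NLS
        }
    }

    /**
     * Formats the accumulated warnings for display.
     *
     * @return " (warnings)" if any warnings were recorded, otherwise ""
     */
    public String getPrintableWarnings() {
        String currentWarnings = getWarnings();
        if ((currentWarnings == null) || currentWarnings.isEmpty()) {
            return "";
        }
        return " (" + currentWarnings + ")";
    }
}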
