Autopsy  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
XRYDeviceGenInfoFileParser.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datasourceprocessors.xry;
20 
21 import java.util.ArrayList;
22 import java.util.HashMap;
23 import java.util.List;
24 import java.util.Map;
25 import java.util.Optional;
26 import java.util.logging.Level;
28 import org.sleuthkit.datamodel.BlackboardArtifact;
29 import org.sleuthkit.datamodel.BlackboardAttribute;
30 import org.sleuthkit.datamodel.Content;
31 import org.sleuthkit.datamodel.TskCoreException;
32 
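/**
 * Parses XRY Device-General Information reports. Each recognized
 * 'Data'/'Attribute' pair becomes one blackboard attribute, and all attributes
 * produced from a list of pairs are attached to a single TSK_DEVICE_INFO
 * artifact.
 */
final class XRYDeviceGenInfoFileParser extends AbstractSingleEntityParser {

    private static final Logger logger = Logger.getLogger(XRYDeviceGenInfoFileParser.class.getName());

    //All known XRY keys for Device Gen Info reports.
    private static final String ATTRIBUTE_KEY = "attribute";
    private static final String DATA_KEY = "data";

    //All of the known XRY Attribute values for device gen info. The value of the
    //attribute keys are actionable for this parser.
    //Ex:
    // Data: Nokia
    // Attribute: Device Type
    //
    //A null mapping means "recognized, but intentionally not turned into an
    //attribute yet"; an absent key means "not recognized at all".
    private static final Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> XRY_ATTRIBUTE_VALUES = new HashMap<>();

    //Populated in a static initializer rather than with double-brace
    //initialization, which would create an anonymous HashMap subclass.
    static {
        XRY_ATTRIBUTE_VALUES.put("device name", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_NAME);
        XRY_ATTRIBUTE_VALUES.put("device type", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MAKE);
        XRY_ATTRIBUTE_VALUES.put("mobile id (imei)", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI);
        //Both device codes are stored as TSK_PASSWORD attributes.
        XRY_ATTRIBUTE_VALUES.put("security code", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PASSWORD);
        XRY_ATTRIBUTE_VALUES.put("unlock code", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PASSWORD);
        XRY_ATTRIBUTE_VALUES.put("imei/meid", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI);
        XRY_ATTRIBUTE_VALUES.put("model", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MODEL);
        XRY_ATTRIBUTE_VALUES.put("wifi address", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS);
        XRY_ATTRIBUTE_VALUES.put("subscriber id (imsi)", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI);

        //There could be two of these on an artifact, not aware of a way
        //to distinguish between two DATE_TIMEs such as the ones below.
        XRY_ATTRIBUTE_VALUES.put("device clock", null);
        XRY_ATTRIBUTE_VALUES.put("pc clock", null);

        //Ignore these for now, need more data or time to finish implementation.
        XRY_ATTRIBUTE_VALUES.put("device family", null);
        XRY_ATTRIBUTE_VALUES.put("advertising id", null);
        XRY_ATTRIBUTE_VALUES.put("device status", null);
        XRY_ATTRIBUTE_VALUES.put("baseband version", null);
        XRY_ATTRIBUTE_VALUES.put("sim status", null);
        XRY_ATTRIBUTE_VALUES.put("manufacturer", null);
        XRY_ATTRIBUTE_VALUES.put("revision", null);
    }

    /**
     * Reports whether the pair's key is one this parser handles.
     *
     * @param pair Key value pair read from the XRY report.
     *
     * @return True if the trimmed, lower-cased key is 'data' or 'attribute'.
     */
    @Override
    boolean canProcess(XRYKeyValuePair pair) {
        //Locale.ROOT keeps the comparison independent of the workstation
        //locale. With the default locale, a Turkish locale lower-cases 'I' to
        //a dotless 'ı', so "ATTRIBUTE" would no longer equal "attribute".
        String key = pair.getKey().trim().toLowerCase(java.util.Locale.ROOT);
        return key.equals(DATA_KEY) || key.equals(ATTRIBUTE_KEY);
    }

    /**
     * Reports whether the given string is a namespace for this report type.
     *
     * @param nameSpace Candidate namespace string.
     *
     * @return Always false.
     */
    @Override
    boolean isNamespace(String nameSpace) {
        //No known namespaces
        return false;
    }

    /**
     * Builds one TSK_DEVICE_INFO artifact on the parent from the key value
     * pairs. Pairs are consumed two at a time; a trailing unpaired entry is
     * handled on its own. No artifact is created when no attribute could be
     * produced.
     *
     * @param keyValuePairs Pairs read from the XRY report, in file order.
     * @param parent        Content the artifact is created on.
     *
     * @throws TskCoreException Propagated from creating the artifact or adding
     *                          its attributes.
     */
    @Override
    void makeArtifact(List<XRYKeyValuePair> keyValuePairs, Content parent) throws TskCoreException {
        List<BlackboardAttribute> attributes = new ArrayList<>();
        for (int i = 0; i < keyValuePairs.size(); i += 2) {
            Optional<BlackboardAttribute> attribute;
            if (i + 1 == keyValuePairs.size()) {
                //Odd number of pairs: the last one has no partner.
                attribute = getBlackboardAttribute(keyValuePairs.get(i));
            } else {
                attribute = getBlackboardAttribute(keyValuePairs.get(i), keyValuePairs.get(i + 1));
            }
            attribute.ifPresent(attributes::add);
        }
        if (!attributes.isEmpty()) {
            BlackboardArtifact artifact = parent.newArtifact(
                    BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO);
            artifact.addAttributes(attributes);
        }
    }

    /**
     * Converts a lone pair into a TSK_PATH attribute when it is a 'Data' pair.
     *
     * @param pair Unpaired key value pair.
     *
     * @return The TSK_PATH attribute, or empty if the pair is not a 'Data'
     *         pair.
     */
    private Optional<BlackboardAttribute> getBlackboardAttribute(XRYKeyValuePair pair) {
        if (pair.hasKey(DATA_KEY)) {
            return Optional.of(new BlackboardAttribute(
                    BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH,
                    PARSER_NAME, pair.getValue()));
        }

        //The message uses a printf-style %s, so it has to go through
        //String.format as the other warnings in this class do. Passing the
        //pair as a log parameter would leave "%s" in the output, assuming
        //Logger follows java.util.logging's {0}-style parameter substitution.
        logger.log(Level.WARNING, String.format("Expected a 'Data' key value pair, but [ %s ] "
                + "was found.", pair));

        return Optional.empty();
    }

    /**
     * Converts an 'Attribute'/'Data' pair, given in either order, into a
     * blackboard attribute of the type mapped in XRY_ATTRIBUTE_VALUES.
     *
     * NOTE(review): the discard warnings below write the report's attribute
     * and data values to the log verbatim. The values come from the parsed
     * report and may hold case data or embedded line breaks; confirm that the
     * log destination and its readers are acceptable for that content.
     *
     * @param firstPair  First pair of the two.
     * @param secondPair Second pair of the two.
     *
     * @return The attribute, or empty if the two are not an 'Attribute'/'Data'
     *         pair, the attribute value is unknown, or it is known but mapped
     *         to null.
     */
    private Optional<BlackboardAttribute> getBlackboardAttribute(XRYKeyValuePair firstPair, XRYKeyValuePair secondPair) {
        String attributeValue;
        String dataValue;
        if (firstPair.hasKey(DATA_KEY) && secondPair.hasKey(ATTRIBUTE_KEY)) {
            dataValue = firstPair.getValue();
            attributeValue = secondPair.getValue();
        } else if (firstPair.hasKey(ATTRIBUTE_KEY) && secondPair.hasKey(DATA_KEY)) {
            dataValue = secondPair.getValue();
            attributeValue = firstPair.getValue();
        } else {
            logger.log(Level.WARNING, String.format("[XRY DSP] Expected these key value"
                    + " pairs (in brackets) [ %s ], [ %s ] to be an 'Attribute' and 'Data' "
                    + "pair.", firstPair, secondPair));
            return Optional.empty();
        }

        //Locale.ROOT so the lookup does not depend on the default locale; with
        //a Turkish default locale "Mobile Id (IMEI)" would lower-case to a
        //string containing dotless 'ı' and the value would be discarded.
        String normalizedAttributeValue = attributeValue.toLowerCase(java.util.Locale.ROOT);
        if (!XRY_ATTRIBUTE_VALUES.containsKey(normalizedAttributeValue)) {
            logger.log(Level.WARNING, String.format("[XRY DSP] Key value pair "
                    + "(in brackets) [ %s : %s ] was not recognized. Discarding... ",
                    attributeValue, dataValue));
            return Optional.empty();
        }

        //containsKey and get are kept separate on purpose: a null mapping is
        //a valid entry meaning "known, not implemented".
        BlackboardAttribute.ATTRIBUTE_TYPE attrType = XRY_ATTRIBUTE_VALUES.get(normalizedAttributeValue);
        if (attrType == null) {
            logger.log(Level.WARNING, String.format("[XRY DSP] Key value pair "
                    + "(in brackets) [ %s : %s ] was recognized but we need "
                    + "more data or time to finish implementation. Discarding... ",
                    attributeValue, dataValue));
            return Optional.empty();
        }

        return Optional.of(new BlackboardAttribute(attrType, PARSER_NAME, dataValue));
    }
}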

Copyright © 2012-2019 Basis Technology. Generated on: Tue Jan 7 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.