Autopsy  4.15.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
XRYDeviceGenInfoFileParser.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datasourceprocessors.xry;
20 
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
34 
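/**
 * Parses XRY Device Gen Info reports and turns the recognized
 * 'Attribute'/'Data' key value pairs into one TSK_DEVICE_INFO artifact.
 *
 * The report content is extracted from a device under examination, so every
 * key and value handled here is untrusted input. Two of the recognized
 * attributes ("security code" and "unlock code") are stored as TSK_PASSWORD.
 */
final class XRYDeviceGenInfoFileParser extends AbstractSingleEntityParser {

    private static final Logger logger = Logger.getLogger(XRYDeviceGenInfoFileParser.class.getName());

    //All known XRY keys for Device Gen Info reports.
    private static final String ATTRIBUTE_KEY = "attribute";
    private static final String DATA_KEY = "data";

    //All of the known XRY Attribute values for device gen info. The value of the
    //attribute keys are actionable for this parser.
    //Ex:
    // Data: Nokia
    // Attribute: Device Type
    //
    //A null mapping means "recognized, but deliberately not turned into an
    //attribute". The map is read-only after class initialization.
    private static final Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> XRY_ATTRIBUTE_VALUES
            = buildAttributeValues();

    /**
     * Builds the lookup table from lower-cased XRY attribute names to
     * blackboard attribute types.
     *
     * A plain HashMap is used because the table needs null values; it is
     * wrapped so that no code path can alter the mapping at runtime.
     *
     * @return An unmodifiable view of the attribute table.
     */
    private static Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> buildAttributeValues() {
        Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> values = new HashMap<>();
        values.put("device name", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_NAME);
        values.put("device type", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MAKE);
        values.put("mobile id (imei)", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI);
        values.put("security code", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PASSWORD);
        values.put("unlock code", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PASSWORD);
        values.put("imei/meid", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI);
        values.put("model", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MODEL);
        values.put("wifi address", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS);
        values.put("subscriber id (imsi)", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI);

        //There could be two of these on an artifact, not aware of a way
        //to distinguish between two DATE_TIMEs such as the ones below.
        values.put("device clock", null);
        values.put("pc clock", null);

        //Ignore these for now, need more data or time to finish implementation.
        values.put("device family", null);
        values.put("advertising id", null);
        values.put("device status", null);
        values.put("baseband version", null);
        values.put("sim status", null);
        values.put("manufacturer", null);
        values.put("revision", null);
        return Collections.unmodifiableMap(values);
    }

    /**
     * Accepts only the 'Data' and 'Attribute' keys.
     *
     * @param pair The key value pair read from the report.
     * @return True if the trimmed, lower-cased key is "data" or "attribute".
     */
    @Override
    boolean canProcess(XRYKeyValuePair pair) {
        //Locale.ROOT keeps the comparison independent of the workstation
        //locale. With the default locale a Turkish setting lower-cases 'I' to
        //a dotless 'ı', so "ATTRIBUTE" would no longer equal ATTRIBUTE_KEY.
        String normalizedKey = pair.getKey().trim().toLowerCase(Locale.ROOT);
        return DATA_KEY.equals(normalizedKey) || ATTRIBUTE_KEY.equals(normalizedKey);
    }

    /**
     * Reports that this report type has no namespaces.
     *
     * @param nameSpace The candidate namespace text.
     * @return Always false.
     */
    @Override
    boolean isNamespace(String nameSpace) {
        //No known namespaces
        return false;
    }

    /**
     * Converts the key value pairs of one entity into attributes and, if at
     * least one attribute was produced, attaches them to a new
     * TSK_DEVICE_INFO artifact on the parent content.
     *
     * Pairs are consumed two at a time. A single pair left over at the end of
     * the list is handed to the one-pair overload.
     *
     * @param keyValuePairs The pairs that make up the entity.
     * @param parent The content the artifact is created on.
     * @param currentCase Not read by this implementation.
     * @throws TskCoreException Declared for the artifact calls made here.
     * @throws Blackboard.BlackboardException Declared by the signature; not
     * thrown directly by this body.
     */
    @Override
    void makeArtifact(List<XRYKeyValuePair> keyValuePairs, Content parent, SleuthkitCase currentCase) throws TskCoreException, Blackboard.BlackboardException {
        List<BlackboardAttribute> attributes = new ArrayList<>();
        int pairCount = keyValuePairs.size();
        for (int i = 0; i < pairCount; i += 2) {
            boolean isTrailingPair = (i + 1 == pairCount);
            Optional<BlackboardAttribute> attribute = isTrailingPair
                    ? getBlackboardAttribute(keyValuePairs.get(i))
                    : getBlackboardAttribute(keyValuePairs.get(i), keyValuePairs.get(i + 1));
            attribute.ifPresent(attributes::add);
        }

        //No artifact is created when nothing in the entity was recognized.
        if (!attributes.isEmpty()) {
            BlackboardArtifact artifact = parent.newArtifact(
                    BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO);
            artifact.addAttributes(attributes);
        }
    }

    /**
     * Handles a pair that has no partner. A lone 'Data' pair is recorded as a
     * TSK_PATH attribute; anything else is logged and skipped.
     *
     * @param pair The unpaired key value pair.
     * @return The TSK_PATH attribute, or empty if the pair is not a 'Data'
     * pair.
     */
    private Optional<BlackboardAttribute> getBlackboardAttribute(XRYKeyValuePair pair) {
        if (pair.hasKey(DATA_KEY)) {
            return Optional.of(new BlackboardAttribute(
                    BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH,
                    PARSER_NAME, pair.getValue()));
        }

        //The message uses a %s placeholder, which java.util.logging does not
        //expand (it expects {0}); format it first so the offending pair is
        //actually written to the log.
        logger.log(Level.WARNING, String.format("Expected a 'Data' key value pair, but [ %s ] "
                + "was found.", pair));

        return Optional.empty();
    }

    /**
     * Builds an attribute from an 'Attribute'/'Data' pair, accepted in either
     * order. The 'Attribute' value selects the blackboard attribute type and
     * the 'Data' value becomes the attribute value.
     *
     * @param firstPair The first key value pair.
     * @param secondPair The second key value pair.
     * @return The attribute, or empty if the two pairs are not an
     * 'Attribute' and 'Data' pair, the attribute name is unknown, or the
     * attribute name is recognized but mapped to null.
     */
    private Optional<BlackboardAttribute> getBlackboardAttribute(XRYKeyValuePair firstPair, XRYKeyValuePair secondPair) {
        String attributeValue;
        String dataValue;
        if (firstPair.hasKey(DATA_KEY) && secondPair.hasKey(ATTRIBUTE_KEY)) {
            dataValue = firstPair.getValue();
            attributeValue = secondPair.getValue();
        } else if (firstPair.hasKey(ATTRIBUTE_KEY) && secondPair.hasKey(DATA_KEY)) {
            dataValue = secondPair.getValue();
            attributeValue = firstPair.getValue();
        } else {
            logger.log(Level.WARNING, String.format("[XRY DSP] Expected these key value"
                    + " pairs (in brackets) [ %s ], [ %s ] to be an 'Attribute' and 'Data' "
                    + "pair.", firstPair, secondPair));
            return Optional.empty();
        }

        //Locale.ROOT: under a Turkish default locale "Mobile ID (IMEI)" would
        //lower-case with dotless 'ı' characters, miss the table and be
        //discarded as unrecognized, dropping the IMEI/IMSI from the artifact.
        String normalizedAttributeValue = attributeValue.toLowerCase(Locale.ROOT);

        //NOTE(review): the two discard branches below write the report's data
        //value to the application log verbatim. An attribute name this table
        //does not know may still carry sensitive data (compare the
        //TSK_PASSWORD mappings), so these logs should be handled like case
        //material; logging only the attribute name would avoid that.
        if (!XRY_ATTRIBUTE_VALUES.containsKey(normalizedAttributeValue)) {
            logger.log(Level.WARNING, String.format("[XRY DSP] Key value pair "
                    + "(in brackets) [ %s : %s ] was not recognized. Discarding... ",
                    attributeValue, dataValue));
            return Optional.empty();
        }

        //A key that is present with a null value is a recognized attribute
        //that is intentionally not converted.
        BlackboardAttribute.ATTRIBUTE_TYPE attrType = XRY_ATTRIBUTE_VALUES.get(normalizedAttributeValue);
        if (attrType == null) {
            logger.log(Level.WARNING, String.format("[XRY DSP] Key value pair "
                    + "(in brackets) [ %s : %s ] was recognized but we need "
                    + "more data or time to finish implementation. Discarding... ",
                    attributeValue, dataValue));
            return Optional.empty();
        }

        return Optional.of(new BlackboardAttribute(attrType, PARSER_NAME, dataValue));
    }
}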
