Autopsy  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
XRYDeviceGenInfoFileParser.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datasourceprocessors.xry;
20 
21 import java.util.ArrayList;
22 import java.util.HashMap;
23 import java.util.List;
24 import java.util.Map;
25 import java.util.Optional;
26 import java.util.logging.Level;
28 import org.sleuthkit.datamodel.AbstractFile;
29 import org.sleuthkit.datamodel.Blackboard;
30 import org.sleuthkit.datamodel.BlackboardArtifact;
31 import org.sleuthkit.datamodel.BlackboardAttribute;
32 import org.sleuthkit.datamodel.Content;
33 import org.sleuthkit.datamodel.SleuthkitCase;
34 import org.sleuthkit.datamodel.TskCoreException;
35 
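/**
 * Parses XRY Device-General Information key value pairs and turns them into a
 * single TSK_DEVICE_INFO data artifact.
 *
 * The report is consumed as alternating 'Data' / 'Attribute' pairs, e.g.
 *
 *   Data:      Nokia
 *   Attribute: Device Type
 *
 * where the 'Attribute' value selects the blackboard attribute type and the
 * 'Data' value becomes its content.
 *
 * NOTE(review): every value handled here originates from the parsed report,
 * i.e. from data extracted from the examined device, and should be treated as
 * untrusted. "security code" and "unlock code" are stored as TSK_PASSWORD, and
 * the warnings below write the raw data value of any pair that is not
 * recognized or not yet implemented to the application log. A credential-like
 * value under an unknown attribute name would therefore end up in the log in
 * clear text; confirm that the log is handled with the same care as the case
 * data.
 */
final class XRYDeviceGenInfoFileParser extends AbstractSingleEntityParser {

    private static final Logger logger = Logger.getLogger(XRYDeviceGenInfoFileParser.class.getName());

    //All known XRY keys for Device Gen Info reports.
    private static final String ATTRIBUTE_KEY = "attribute";
    private static final String DATA_KEY = "data";

    //All of the known XRY Attribute values for device gen info. The value of the
    //attribute keys are actionable for this parser.
    //Ex:
    // Data: Nokia
    // Attribute: Device Type
    //
    //A null value marks an attribute that is recognized but deliberately not
    //turned into a blackboard attribute. The map is read-only after class
    //initialization.
    private static final Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> XRY_ATTRIBUTE_VALUES
            = java.util.Collections.unmodifiableMap(buildAttributeValues());

    /**
     * Builds the lookup table from normalized XRY attribute name to blackboard
     * attribute type. A plain HashMap is used because the table needs null
     * values, which the Map.of factories reject.
     *
     * @return A mutable map; the caller wraps it before publishing it.
     */
    private static Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> buildAttributeValues() {
        Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> values = new HashMap<>();
        values.put("device name", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_NAME);
        values.put("device type", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MAKE);
        values.put("mobile id (imei)", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI);
        values.put("security code", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PASSWORD);
        values.put("unlock code", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PASSWORD);
        values.put("imei/meid", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI);
        values.put("model", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MODEL);
        values.put("wifi address", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS);
        values.put("subscriber id (imsi)", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI);

        //There could be two of these on an artifact, not aware of a way
        //to distinguish between two DATE_TIMEs such as the ones below.
        values.put("device clock", null);
        values.put("pc clock", null);

        //Ignore these for now, need more data or time to finish implementation.
        values.put("device family", null);
        values.put("advertising id", null);
        values.put("device status", null);
        values.put("baseband version", null);
        values.put("sim status", null);
        values.put("manufacturer", null);
        values.put("revision", null);
        return values;
    }

    /**
     * Normalizes a key or attribute name for comparison with the constants in
     * this class.
     *
     * Locale.ROOT is required: with the default locale on a Turkish or Azeri
     * workstation an upper-case 'I' lower-cases to a dotless 'ı', so a name
     * such as "Mobile ID (IMEI)" would no longer match "mobile id (imei)" and
     * the pair would be discarded depending on where the tool runs.
     */
    private static String normalize(String text) {
        return text.trim().toLowerCase(java.util.Locale.ROOT);
    }

    /**
     * Makes a report-derived value safe to embed in a single log record by
     * replacing carriage returns and line feeds, so that content from the
     * parsed report cannot start what looks like a new log entry.
     */
    private static String sanitizeForLog(Object value) {
        return String.valueOf(value).replace('\r', '_').replace('\n', '_');
    }

    /**
     * Accepts only 'Data' and 'Attribute' pairs.
     *
     * @param pair The key value pair under test.
     * @return True if the normalized key is one of the two known keys.
     */
    @Override
    boolean canProcess(XRYKeyValuePair pair) {
        String key = normalize(pair.getKey());
        return key.equals(DATA_KEY) || key.equals(ATTRIBUTE_KEY);
    }

    @Override
    boolean isNamespace(String nameSpace) {
        //No known namespaces
        return false;
    }

    /**
     * Converts the key value pairs of one entity into blackboard attributes and
     * posts them as one TSK_DEVICE_INFO artifact on the parent content.
     *
     * Pairs are consumed two at a time. A trailing pair without a partner is
     * handed to the single-pair overload. No artifact is created when no pair
     * produced an attribute.
     *
     * @param keyValuePairs Pairs of one entity, in report order.
     * @param parent Content the artifact is attached to.
     * @param currentCase Not used by this implementation.
     */
    @Override
    void makeArtifact(List<XRYKeyValuePair> keyValuePairs, Content parent, SleuthkitCase currentCase) throws TskCoreException, Blackboard.BlackboardException {
        List<BlackboardAttribute> attributes = new ArrayList<>();
        int pairCount = keyValuePairs.size();
        for (int i = 0; i < pairCount; i += 2) {
            Optional<BlackboardAttribute> attribute;
            if (i + 1 == pairCount) {
                //Odd number of pairs: the last one has no partner.
                attribute = getBlackboardAttribute(keyValuePairs.get(i));
            } else {
                attribute = getBlackboardAttribute(keyValuePairs.get(i), keyValuePairs.get(i + 1));
            }
            attribute.ifPresent(attributes::add);
        }
        if (!attributes.isEmpty()) {
            parent.newDataArtifact(BlackboardArtifact.Type.TSK_DEVICE_INFO, attributes);
        }
    }

    /**
     * Handles a pair that has no partner. Such a pair is only accepted when it
     * is a 'Data' pair, in which case its value is stored as TSK_PATH.
     *
     * @param pair The unpaired key value pair.
     * @return The attribute, or empty if the pair is not a 'Data' pair.
     */
    private Optional<BlackboardAttribute> getBlackboardAttribute(XRYKeyValuePair pair) {
        if (pair.hasKey(DATA_KEY)) {
            return Optional.of(new BlackboardAttribute(
                    BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH,
                    PARSER_NAME, pair.getValue()));
        }

        //The message is formatted explicitly: the logging API substitutes
        //{0}-style parameters only, so a %s placeholder passed with a parameter
        //would be printed literally and the offending pair would be lost.
        logger.log(Level.WARNING, String.format("Expected a 'Data' key value pair, but [ %s ] "
                + "was found.", sanitizeForLog(pair)));

        return Optional.empty();
    }

    /**
     * Builds one attribute from a 'Data' / 'Attribute' pair, given in either
     * order.
     *
     * @param firstPair First pair of the couple.
     * @param secondPair Second pair of the couple.
     * @return The attribute, or empty if the two pairs are not one 'Data' and
     * one 'Attribute' pair, or if the attribute name is unknown or mapped to
     * null in XRY_ATTRIBUTE_VALUES.
     */
    private Optional<BlackboardAttribute> getBlackboardAttribute(XRYKeyValuePair firstPair, XRYKeyValuePair secondPair) {
        String attributeValue;
        String dataValue;
        if (firstPair.hasKey(DATA_KEY) && secondPair.hasKey(ATTRIBUTE_KEY)) {
            dataValue = firstPair.getValue();
            attributeValue = secondPair.getValue();
        } else if (firstPair.hasKey(ATTRIBUTE_KEY) && secondPair.hasKey(DATA_KEY)) {
            dataValue = secondPair.getValue();
            attributeValue = firstPair.getValue();
        } else {
            logger.log(Level.WARNING, String.format("[XRY DSP] Expected these key value"
                    + " pairs (in brackets) [ %s ], [ %s ] to be an 'Attribute' and 'Data' "
                    + "pair.", sanitizeForLog(firstPair), sanitizeForLog(secondPair)));
            return Optional.empty();
        }

        String normalizedAttributeValue = normalize(attributeValue);
        if (!XRY_ATTRIBUTE_VALUES.containsKey(normalizedAttributeValue)) {
            //The data value of an unknown attribute is written to the log as is.
            logger.log(Level.WARNING, String.format("[XRY DSP] Key value pair "
                    + "(in brackets) [ %s : %s ] was not recognized. Discarding... ",
                    sanitizeForLog(attributeValue), sanitizeForLog(dataValue)));
            return Optional.empty();
        }

        //A null mapping means "known, but intentionally not stored yet".
        BlackboardAttribute.ATTRIBUTE_TYPE attrType = XRY_ATTRIBUTE_VALUES.get(normalizedAttributeValue);
        if (attrType == null) {
            logger.log(Level.WARNING, String.format("[XRY DSP] Key value pair "
                    + "(in brackets) [ %s : %s ] was recognized but we need "
                    + "more data or time to finish implementation. Discarding... ",
                    sanitizeForLog(attributeValue), sanitizeForLog(dataValue)));
            return Optional.empty();
        }

        return Optional.of(new BlackboardAttribute(attrType, PARSER_NAME, dataValue));
    }
}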
