Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
EvalEmailObj.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
21 import org.sleuthkit.datamodel.BlackboardArtifact;
22 import org.sleuthkit.datamodel.BlackboardAttribute;
23 import org.sleuthkit.datamodel.TskCoreException;
24 
25 import java.util.List;
26 import java.util.ArrayList;
27 
28 import org.mitre.cybox.objects.EmailMessage;
29 import org.mitre.cybox.objects.Address;
30 
34 class EvalEmailObj extends EvaluatableObject {
35 
36  private final EmailMessage obj;
37 
38  private List<BlackboardArtifact> finalHits;
39 
40  public EvalEmailObj(EmailMessage a_obj, String a_id, String a_spacing) {
41  obj = a_obj;
42  id = a_id;
43  spacing = a_spacing;
44 
45  finalHits = null;
46  }
47 
48  @Override
49  public synchronized ObservableResult evaluate() {
50 
51  setWarnings("");
52 
53  List<BlackboardArtifact> toHits = null;
54  boolean hadToFields = false;
55  List<BlackboardArtifact> ccHits = null;
56  boolean hadCcFields = false;
57  List<BlackboardArtifact> fromHits = null;
58  boolean hadFromField = false;
59  List<BlackboardArtifact> subjectHits = null;
60  boolean hadSubjectField = false;
61 
62  if (obj.getHeader() != null) {
63  if ((obj.getHeader().getTo() != null)
64  && (obj.getHeader().getTo().getRecipients() != null)
65  && (!obj.getHeader().getTo().getRecipients().isEmpty())) {
66  for (Address addr : obj.getHeader().getTo().getRecipients()) {
67  if (addr.getAddressValue() != null) {
68 
69  hadToFields = true;
70 
71  try {
72  toHits = findArtifactsBySubstring(addr.getAddressValue(),
73  BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_TO);
74  } catch (TskCoreException ex) {
75  addWarning(ex.getLocalizedMessage());
76  }
77  }
78  }
79  }
80 
81  if ((obj.getHeader().getCC() != null)
82  && (obj.getHeader().getCC().getRecipients() != null)
83  && (!obj.getHeader().getCC().getRecipients().isEmpty())) {
84  for (Address addr : obj.getHeader().getCC().getRecipients()) {
85  if (addr.getAddressValue() != null) {
86 
87  hadCcFields = true;
88 
89  try {
90  ccHits = findArtifactsBySubstring(addr.getAddressValue(),
91  BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_CC);
92  } catch (TskCoreException ex) {
93  addWarning(ex.getLocalizedMessage());
94  }
95  }
96  }
97  }
98 
99  if ((obj.getHeader().getFrom() != null)
100  && (obj.getHeader().getFrom().getAddressValue() != null)) {
101 
102  hadFromField = true;
103 
104  try {
105  fromHits = findArtifactsBySubstring(obj.getHeader().getFrom().getAddressValue(),
106  BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_FROM);
107  } catch (TskCoreException ex) {
108  addWarning(ex.getLocalizedMessage());
109  }
110  }
111 
112  if ((obj.getHeader().getSubject() != null)
113  && (obj.getHeader().getSubject().getValue() != null)) {
114 
115  hadSubjectField = true;
116 
117  try {
118  subjectHits = findArtifactsBySubstring(obj.getHeader().getSubject(),
119  BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT);
120  } catch (TskCoreException ex) {
121  addWarning(ex.getLocalizedMessage());
122  }
123  }
124  }
125 
126  // Make sure at least one test had some data
127  if ((!hadToFields) && (!hadFromField) && (!hadCcFields) && (!hadSubjectField)) {
128  return new ObservableResult(id, "EmailMessage: Could not find any parsable EmailMessage fields " //NON-NLS
129  + getPrintableWarnings(),
130  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
131  }
132 
133  // Check if there were more fields that aren't currently supported
134  String fieldNames = getListOfUnsupportedFields();
135  if (fieldNames.length() > 0) {
136  addWarning("Unsupported field(s) found: " + fieldNames); //NON-NLS
137  }
138 
139  // Find the artifacts that matched all of the fields
140  finalHits = null;
141  boolean finalHitsStarted = false;
142 
143  if (hadToFields) {
144  combineHits(toHits, finalHitsStarted);
145  finalHitsStarted = true;
146  }
147  if (hadCcFields) {
148  combineHits(ccHits, finalHitsStarted);
149  finalHitsStarted = true;
150  }
151  if (hadFromField) {
152  combineHits(fromHits, finalHitsStarted);
153  finalHitsStarted = true;
154  }
155  if (hadSubjectField) {
156  combineHits(subjectHits, finalHitsStarted);
157  finalHitsStarted = true;
158  }
159 
160  if (!finalHitsStarted) {
161  // We didn't find any fields that could be evaluated
162  return new ObservableResult(id, "EmailMessage: EmailObj parsing incomplete " + getPrintableWarnings(), //NON-NLS
163  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
164  }
165 
166  // If there are any artifacts left in finalHits, we have a match
167  if (finalHits.size() > 0) {
168  List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
169  for (BlackboardArtifact a : finalHits) {
170  artData.add(new StixArtifactData(a.getObjectID(), id, "EmailMessage")); //NON-NLS
171  }
172  return new ObservableResult(id, "EmailMessage: " + finalHits.size() + " matching artifacts found " + getPrintableWarnings(), //NON-NLS
173  spacing, ObservableResult.ObservableState.TRUE, artData);
174  } else {
175  return new ObservableResult(id, "EmailMessage: No matching artifacts found " + getPrintableWarnings(), //NON-NLS
176  spacing, ObservableResult.ObservableState.FALSE, null);
177  }
178  }
179 
188  private void combineHits(List<BlackboardArtifact> newHits, boolean finalHitsStarted) {
189  if (finalHitsStarted && (finalHits != null)) {
190  finalHits.retainAll(newHits);
191  } else {
192  finalHits = newHits;
193  }
194  }
195 
202  private String getListOfUnsupportedFields() {
203  String fieldNames = "";
204  if (obj.getHeader() != null) {
205  if (obj.getHeader().getReceivedLines() != null) {
206  fieldNames += "Received_Lines "; //NON-NLS
207  }
208  if (obj.getHeader().getBCC() != null) {
209  fieldNames += "BCC "; //NON-NLS
210  }
211  if (obj.getHeader().getInReplyTo() != null) {
212  fieldNames += "In_Reply_To "; //NON-NLS
213  }
214  if (obj.getHeader().getDate() != null) {
215  fieldNames += "Date "; //NON-NLS
216  }
217  if (obj.getHeader().getMessageID() != null) {
218  fieldNames += "Message_ID "; //NON-NLS
219  }
220  if (obj.getHeader().getSender() != null) {
221  fieldNames += "Sender "; //NON-NLS
222  }
223  if (obj.getHeader().getReplyTo() != null) {
224  fieldNames += "Reply_To "; //NON-NLS
225  }
226  if (obj.getHeader().getErrorsTo() != null) {
227  fieldNames += "Errors_To "; //NON-NLS
228  }
229  if (obj.getHeader().getBoundary() != null) {
230  fieldNames += "Boundary "; //NON-NLS
231  }
232  if (obj.getHeader().getContentType() != null) {
233  fieldNames += "Content_Type "; //NON-NLS
234  }
235  if (obj.getHeader().getMIMEVersion() != null) {
236  fieldNames += "MIME_Version "; //NON-NLS
237  }
238  if (obj.getHeader().getPrecedence() != null) {
239  fieldNames += "Precedence "; //NON-NLS
240  }
241  if (obj.getHeader().getUserAgent() != null) {
242  fieldNames += "User_Agent "; //NON-NLS
243  }
244  if (obj.getHeader().getXMailer() != null) {
245  fieldNames += "X_Mailer "; //NON-NLS
246  }
247  if (obj.getHeader().getXOriginatingIP() != null) {
248  fieldNames += "X_Originiating_IP "; //NON-NLS
249  }
250  if (obj.getHeader().getXPriority() != null) {
251  fieldNames += "X_Priority "; //NON-NLS
252  }
253 
254  }
255  if (obj.getEmailServer() != null) {
256  fieldNames += "Email_Server "; //NON-NLS
257  }
258  if (obj.getRawBody() != null) {
259  fieldNames += "Raw_Body "; //NON-NLS
260  }
261  if (obj.getRawHeader() != null) {
262  fieldNames += "Raw_Header "; //NON-NLS
263  }
264  if (obj.getAttachments() != null) {
265  fieldNames += "Attachments "; //NON-NLS
266  }
267  if (obj.getLinks() != null) {
268  fieldNames += "Links "; //NON-NLS
269  }
270 
271  return fieldNames;
272  }
273 
274 }

Copyright © 2012-2016 Basis Technology. Generated on: Mon Jan 2 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.