1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
26 
27 import java.util.List;
28 import java.util.ArrayList;
29 import org.mitre.cybox.common_2.ConditionApplicationEnum;
30 import org.mitre.cybox.common_2.ConditionTypeEnum;
31 
32 import org.mitre.cybox.objects.Address;
33 
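/**
 * Evaluates a CybOX Address object against the current case by looking for
 * keyword-hit artifacts whose keyword matches the address value.
 *
 * The address value may carry several parts separated by the "##comma##"
 * placeholder; the object's apply condition decides whether every part (ALL)
 * or any part has to match. The VLAN fields of the Address object are not
 * evaluated and are reported as warnings instead.
 */
class EvalAddressObj extends EvaluatableObject {

    /** Separator on which a multi-valued address value is split into parts. */
    private static final String PART_SEPARATOR = "##comma##"; //NON-NLS

    private final Address obj;

    /**
     * @param a_obj the CybOX Address object to evaluate
     * @param a_id the observable id reported in the results
     * @param a_spacing indentation prefix used when the result is printed
     */
    public EvalAddressObj(Address a_obj, String a_id, String a_spacing) {
        obj = a_obj;
        id = a_id;
        spacing = a_spacing;
    }

    /**
     * Looks up keyword hits for each part of the address value and combines
     * them according to the apply condition.
     *
     * @return TRUE with the matching artifacts, FALSE when nothing matched,
     * or INDETERMINATE when the object cannot be evaluated (missing value,
     * unsupported apply condition, or a database error)
     */
    @Override
    public synchronized ObservableResult evaluate() {

        setWarnings("");

        if (obj.getAddressValue() == null) {
            return new ObservableResult(id, "AddressObject: No address value field found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        // The Address_Value element can be present without a value; dereferencing
        // it unguarded would throw a NullPointerException out of evaluate().
        if (obj.getAddressValue().getValue() == null) {
            return new ObservableResult(id, "AddressObject: Address value field is empty", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        String origAddressStr = obj.getAddressValue().getValue().toString();
        ConditionApplicationEnum applyCondition = obj.getAddressValue().getApplyCondition();
        ConditionTypeEnum condition = obj.getAddressValue().getCondition();

        // For now, we don't support "NONE" because it honestly doesn't seem like it
        // would ever appear in practice.
        if (applyCondition == ConditionApplicationEnum.NONE) {
            return new ObservableResult(id, "AddressObject: Can not process apply condition " + applyCondition.toString() //NON-NLS
                    + " on Address object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
        }

        // Set warnings for any unsupported fields
        setUnsupportedFieldWarnings();

        Case case1 = Case.getCurrentCase();
        SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();

        // Only the ALL condition demands a hit for every part; anything else
        // (including an absent condition) is satisfied by any single part.
        boolean requireAllParts = (applyCondition == ConditionApplicationEnum.ALL);

        try {
            boolean everyPartMatched = true;
            List<BlackboardArtifact> combinedArts = new ArrayList<BlackboardArtifact>();
            // Human-readable form of the query, shown in the result message.
            StringBuilder searchString = new StringBuilder();
            String[] parts = origAddressStr.split(PART_SEPARATOR);

            for (String addressStr : parts) {

                if (searchString.length() > 0) {
                    searchString.append(requireAllParts ? " AND " : " OR "); //NON-NLS
                }
                searchString.append(addressStr);

                List<BlackboardArtifact> hits;
                if ((condition == null) || (condition == ConditionTypeEnum.EQUALS)) {
                    hits = findExactKeywordHits(sleuthkitCase, addressStr);
                } else {
                    hits = findConditionalKeywordHits(sleuthkitCase, addressStr, condition, applyCondition);
                }

                if (hits.isEmpty()) {
                    everyPartMatched = false;
                } else {
                    combinedArts.addAll(hits);
                }
            }

            String shownQuery = searchString.toString();

            // If we're in the ALL case, make sure every piece matched
            if (requireAllParts && !everyPartMatched) {
                return new ObservableResult(id, "AddressObject: No matches for " + shownQuery, //NON-NLS
                        spacing, ObservableResult.ObservableState.FALSE, null);
            }

            if (!combinedArts.isEmpty()) {
                List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
                for (BlackboardArtifact a : combinedArts) {
                    artData.add(new StixArtifactData(a.getObjectID(), id, "AddressObject")); //NON-NLS
                }
                return new ObservableResult(id, "AddressObject: Found a match for " + shownQuery, //NON-NLS
                        spacing, ObservableResult.ObservableState.TRUE, artData);
            }

            return new ObservableResult(id, "AddressObject: Found no matches for " + shownQuery, //NON-NLS
                    spacing, ObservableResult.ObservableState.FALSE, null);

        } catch (TskCoreException ex) {
            return new ObservableResult(id, "AddressObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
    }

    /**
     * Returns the keyword-hit artifacts whose TSK_KEYWORD attribute equals the
     * given address part exactly (the EQUALS / unspecified condition).
     *
     * @throws TskCoreException if the case database query fails
     */
    private static List<BlackboardArtifact> findExactKeywordHits(SleuthkitCase sleuthkitCase, String addressStr)
            throws TskCoreException {
        return sleuthkitCase.getBlackboardArtifacts(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT,
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD,
                addressStr);
    }

    /**
     * Returns the keyword-hit artifacts whose TSK_KEYWORD attribute satisfies
     * a condition other than EQUALS against the given address part.
     *
     * This walks every keyword hit in the case and compares each one, which is
     * inefficient, but it is the easiest way to apply arbitrary conditions.
     *
     * @throws TskCoreException if the case database query fails
     */
    private List<BlackboardArtifact> findConditionalKeywordHits(SleuthkitCase sleuthkitCase, String addressStr,
            ConditionTypeEnum condition, ConditionApplicationEnum applyCondition) throws TskCoreException {

        List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();

        // Get all the keyword hit artifacts
        List<BlackboardArtifact> artList
                = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);

        for (BlackboardArtifact art : artList) {
            for (BlackboardAttribute attr : art.getAttributes()) {
                if (attr.getAttributeType().getTypeID() != BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
                    continue;
                }
                if (compareStringObject(addressStr, condition, applyCondition, attr.getValueString())) {
                    finalHits.add(art);
                    // One hit per artifact is enough; avoids duplicate results when
                    // an artifact carries several matching keyword attributes.
                    break;
                }
            }
        }
        return finalHits;
    }

    /**
     * Adds a warning naming the Address fields this evaluator does not use
     * (VLAN_Name, VLAN_Num). Nothing is added when none of them is set.
     */
    private void setUnsupportedFieldWarnings() {
        List<String> fieldNames = new ArrayList<String>();

        if (obj.getVLANName() != null) {
            fieldNames.add("VLAN_Name"); //NON-NLS
        }
        // Previously tested getVLANName() a second time, so VLAN_Num was reported
        // whenever VLAN_Name was set and never when only VLAN_Num was set.
        if (obj.getVLANNum() != null) {
            fieldNames.add("VLAN_Num"); //NON-NLS
        }

        // Do not emit an empty "Unsupported field(s): " warning.
        if (fieldNames.isEmpty()) {
            return;
        }

        StringBuilder warningStr = new StringBuilder();
        for (String name : fieldNames) {
            if (warningStr.length() > 0) {
                warningStr.append(", ");
            }
            warningStr.append(name);
        }

        addWarning("Unsupported field(s): " + warningStr); //NON-NLS
    }
}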
