Autopsy  4.6.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EvalSystemObj.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
21 import org.sleuthkit.autopsy.casemodule.Case;
22 import org.sleuthkit.datamodel.SleuthkitCase;
23 import org.sleuthkit.datamodel.BlackboardArtifact;
24 import org.sleuthkit.datamodel.BlackboardAttribute;
25 import org.sleuthkit.datamodel.TskCoreException;
26 import org.sleuthkit.datamodel.OSInfo;
27 import org.sleuthkit.datamodel.OSUtility;
28 
29 import java.util.List;
30 import java.util.ArrayList;
31 
32 import org.mitre.cybox.objects.SystemObjectType;
33 import org.mitre.cybox.objects.WindowsSystem;
34 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
35 
39 class EvalSystemObj extends EvaluatableObject {
40 
41  private final SystemObjectType obj;
42 
43  public EvalSystemObj(SystemObjectType a_obj, String a_id, String a_spacing) {
44  obj = a_obj;
45  id = a_id;
46  spacing = a_spacing;
47  }
48 
49  @Override
50  public synchronized ObservableResult evaluate() {
51 
52  setWarnings("");
53 
54  // For displaying what we were looking for in the results
55  String searchString = "";
56 
57  // Check which fields are present and record them
58  boolean haveHostname = false;
59  // boolean haveDomain = false;
60  boolean haveProcArch = false;
61  boolean haveTempDir = false;
62  boolean haveProductName = false;
63  boolean haveSystemRoot = false;
64  boolean haveProductID = false;
65  boolean haveOwner = false;
66  boolean haveOrganization = false;
67 
68  if (obj.getHostname() != null) {
69  haveHostname = true;
70  searchString = "Hostname \"" + obj.getHostname().getValue().toString() + "\""; //NON-NLS
71  }
72  if (obj.getProcessorArchitecture() != null) {
73  haveProcArch = true;
74  if (!searchString.isEmpty()) {
75  searchString += " and "; //NON-NLS
76  }
77  searchString += "Processor architecture \"" + obj.getProcessorArchitecture().getValue().toString() + "\""; //NON-NLS
78  }
79 
80  WindowsSystem winSysObj = null;
81  if (obj instanceof WindowsSystem) {
82  winSysObj = (WindowsSystem) obj;
83 
84  if (winSysObj.getProductID() != null) {
85  haveProductID = true;
86  if (!searchString.isEmpty()) {
87  searchString += " and "; //NON-NLS
88  }
89  searchString += "Product ID \"" + winSysObj.getProductID().getValue().toString() + "\""; //NON-NLS
90  }
91  if (winSysObj.getProductName() != null) {
92  haveProductName = true;
93  if (!searchString.isEmpty()) {
94  searchString += " and "; //NON-NLS
95  }
96  searchString += "Product Name \"" + winSysObj.getProductName().getValue().toString() + "\""; //NON-NLS
97  }
98  if (winSysObj.getRegisteredOrganization() != null) {
99  haveOrganization = true;
100  if (!searchString.isEmpty()) {
101  searchString += " and "; //NON-NLS
102  }
103  searchString += "Registered Org \"" + winSysObj.getRegisteredOrganization().getValue().toString() + "\""; //NON-NLS
104  }
105  if (winSysObj.getRegisteredOwner() != null) {
106  haveOwner = true;
107  if (!searchString.isEmpty()) {
108  searchString += " and "; //NON-NLS
109  }
110  searchString += "Registered Owner \"" + winSysObj.getRegisteredOwner().getValue().toString() + "\""; //NON-NLS
111  }
112  if (winSysObj.getWindowsSystemDirectory() != null) {
113  haveSystemRoot = true;
114  if (!searchString.isEmpty()) {
115  searchString += " and "; //NON-NLS
116  }
117  searchString += "System root \"" + winSysObj.getWindowsSystemDirectory().getValue().toString() + "\""; //NON-NLS
118  }
119  if (winSysObj.getWindowsTempDirectory() != null) {
120  haveTempDir = true;
121  if (!searchString.isEmpty()) {
122  searchString += " and "; //NON-NLS
123  }
124  searchString += "Temp dir \"" + winSysObj.getWindowsTempDirectory().getValue().toString() + "\""; //NON-NLS
125  }
126  }
127 
128  // Return if we have nothing to search for
129  if (!(haveHostname || haveProcArch
130  || haveTempDir || haveProductName || haveSystemRoot || haveProductID
131  || haveOwner || haveOrganization)) {
132  return new ObservableResult(id, "SystemObject: No evaluatable fields found", //NON-NLS
133  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
134  }
135 
136  setUnsupportedFieldWarnings();
137 
138  try {
139  Case case1 = Case.getOpenCase();
140  SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
141  List<OSInfo> osInfoList = OSUtility.getOSInfo(sleuthkitCase);
142 
143  List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();
144 
145  if (!osInfoList.isEmpty()) {
146  for (OSInfo info : osInfoList) {
147 
148  boolean foundHostnameMatch = false;
149  //boolean foundDomainMatch = false;
150  boolean foundProcArchMatch = false;
151  boolean foundTempDirMatch = false;
152  boolean foundProductNameMatch = false;
153  boolean foundSystemRootMatch = false;
154  boolean foundProductIDMatch = false;
155  boolean foundOwnerMatch = false;
156  boolean foundOrganizationMatch = false;
157 
158  if (haveHostname) {
159  foundHostnameMatch = compareStringObject(obj.getHostname(), info.getCompName());
160  }
161  if (haveProcArch) {
162  foundProcArchMatch = compareStringObject(obj.getProcessorArchitecture().getValue().toString(),
163  obj.getProcessorArchitecture().getCondition(),
164  obj.getProcessorArchitecture().getApplyCondition(),
165  info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE));
166  }
167  if (haveTempDir && (winSysObj != null)) {
168  foundTempDirMatch = compareStringObject(winSysObj.getWindowsTempDirectory(),
169  info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEMP_DIR));
170  }
171  if (haveProductName && (winSysObj != null)) {
172  foundProductNameMatch = compareStringObject(winSysObj.getProductName(),
173  info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME));
174  }
175  if (haveSystemRoot && (winSysObj != null)) {
176  foundSystemRootMatch = compareStringObject(winSysObj.getWindowsSystemDirectory(),
177  info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
178  }
179  if (haveProductID && (winSysObj != null)) {
180  foundProductIDMatch = compareStringObject(winSysObj.getProductID(),
181  info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PRODUCT_ID));
182  }
183  if (haveOwner && (winSysObj != null)) {
184  foundOwnerMatch = compareStringObject(winSysObj.getRegisteredOwner(),
185  info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_OWNER));
186  }
187  if (haveOrganization && (winSysObj != null)) {
188  foundOrganizationMatch = compareStringObject(winSysObj.getRegisteredOrganization(),
189  info.getAttributeValue(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ORGANIZATION));
190  }
191 
192  if (((!haveHostname) || foundHostnameMatch)
193  && ((!haveProcArch) || foundProcArchMatch)
194  && ((!haveTempDir) || foundTempDirMatch)
195  && ((!haveProductName) || foundProductNameMatch)
196  && ((!haveSystemRoot) || foundSystemRootMatch)
197  && ((!haveProductID) || foundProductIDMatch)
198  && ((!haveOwner) || foundOwnerMatch)
199  && ((!haveOrganization) || foundOrganizationMatch)) {
200 
201  finalHits.addAll(info.getArtifacts());
202  }
203  }
204 
205  if (!finalHits.isEmpty()) {
206  List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
207  for (BlackboardArtifact a : finalHits) {
208  artData.add(new StixArtifactData(a.getObjectID(), id, "System")); //NON-NLS
209  }
210  return new ObservableResult(id, "SystemObject: Found a match for " + searchString, //NON-NLS
211  spacing, ObservableResult.ObservableState.TRUE, artData);
212  }
213 
214  // Didn't find any matches
215  return new ObservableResult(id, "SystemObject: No matches found for " + searchString, //NON-NLS
216  spacing, ObservableResult.ObservableState.FALSE, null);
217  } else {
218  return new ObservableResult(id, "SystemObject: No OS artifacts found", //NON-NLS
219  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
220  }
221  } catch (TskCoreException | NoCurrentCaseException ex) {
222  return new ObservableResult(id, "SystemObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
223  spacing, ObservableResult.ObservableState.INDETERMINATE, null);
224  }
225  }
226 
230  private void setUnsupportedFieldWarnings() {
231  List<String> fieldNames = new ArrayList<String>();
232 
233  if (obj.getAvailablePhysicalMemory() != null) {
234  fieldNames.add("Available_Physical_Memory"); //NON-NLS
235  }
236  if (obj.getBIOSInfo() != null) {
237  fieldNames.add("BIOS_Info"); //NON-NLS
238  }
239  if (obj.getDate() != null) {
240  fieldNames.add("Date"); //NON-NLS
241  }
242  if (obj.getLocalTime() != null) {
243  fieldNames.add("Local_Time"); //NON-NLS
244  }
245  if (obj.getNetworkInterfaceList() != null) {
246  fieldNames.add("Network_Interface_List"); //NON-NLS
247  }
248  if (obj.getOS() != null) {
249  fieldNames.add("OS"); //NON-NLS
250  }
251  if (obj.getProcessor() != null) {
252  fieldNames.add("Processor"); //NON-NLS
253  }
254  if (obj.getSystemTime() != null) {
255  fieldNames.add("System_Time"); //NON-NLS
256  }
257  if (obj.getTimezoneDST() != null) {
258  fieldNames.add("Timezone_DST"); //NON-NLS
259  }
260  if (obj.getTimezoneStandard() != null) {
261  fieldNames.add("Timezone_Standard"); //NON-NLS
262  }
263  if (obj.getTotalPhysicalMemory() != null) {
264  fieldNames.add("Total_Physical_Memory"); //NON-NLS
265  }
266  if (obj.getUptime() != null) {
267  fieldNames.add("Uptime"); //NON-NLS
268  }
269  if (obj.getUsername() != null) {
270  fieldNames.add("Username"); //NON-NLS
271  }
272 
273  if (obj instanceof WindowsSystem) {
274  WindowsSystem winSysObj = (WindowsSystem) obj;
275 
276  if (winSysObj.getDomains() != null) {
277  fieldNames.add("Domain"); //NON-NLS
278  }
279  if (winSysObj.getGlobalFlagList() != null) {
280  fieldNames.add("Global_Flag_List"); //NON-NLS
281  }
282  if (winSysObj.getNetBIOSName() != null) {
283  fieldNames.add("NetBIOS_Name"); //NON-NLS
284  }
285  if (winSysObj.getOpenHandleList() != null) {
286  fieldNames.add("Open_Handle_List"); //NON-NLS
287  }
288  if (winSysObj.getWindowsDirectory() != null) {
289  fieldNames.add("Windows_Directory"); //NON-NLS
290  }
291  }
292 
293  String warningStr = "";
294  for (String name : fieldNames) {
295  if (!warningStr.isEmpty()) {
296  warningStr += ", ";
297  }
298  warningStr += name;
299  }
300 
301  addWarning("Unsupported field(s): " + warningStr); //NON-NLS
302  }
303 }

Copyright © 2012-2016 Basis Technology. Generated on: Mon May 7 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.