Autopsy  4.7.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EvaluatableObject.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
21 import java.util.ArrayList;
22 import java.util.List;
23 import org.mitre.cybox.common_2.ConditionApplicationEnum;
24 import org.mitre.cybox.common_2.ConditionTypeEnum;
25 import org.mitre.cybox.common_2.StringObjectPropertyType;
26 import org.sleuthkit.autopsy.casemodule.Case;
27 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
28 import org.sleuthkit.datamodel.BlackboardArtifact;
29 import org.sleuthkit.datamodel.BlackboardAttribute;
30 import org.sleuthkit.datamodel.SleuthkitCase;
31 import org.sleuthkit.datamodel.TskCoreException;
32 
36 abstract class EvaluatableObject {
37 
38  private String warnings;
39  protected String id;
40  protected String spacing;
41 
42  abstract public ObservableResult evaluate();
43 
49  public void setWarnings(String a_warnings) {
50  warnings = a_warnings;
51  }
52 
59  public String getWarnings() {
60  return warnings;
61  }
62 
68  public void addWarning(String a_newWarning) {
69  if ((warnings == null) || warnings.isEmpty()) {
70  warnings = a_newWarning;
71  return;
72  }
73  warnings = warnings + ", " + a_newWarning;
74  }
75 
88  public List<BlackboardArtifact> findArtifactsBySubstring(StringObjectPropertyType item,
89  BlackboardAttribute.ATTRIBUTE_TYPE attrType) throws TskCoreException {
90 
91  if (item.getValue() == null) {
92  throw new TskCoreException("Error: Value field is null"); //NON-NLS
93  }
94 
95  if (item.getCondition() == null) {
96  addWarning("Warning: No condition given for " + attrType.getDisplayName() + " field, using substring comparison"); //NON-NLS
97  } else if (item.getCondition() != ConditionTypeEnum.CONTAINS) {
98  addWarning("Warning: Ignoring condition " + item.getCondition() + " for " //NON-NLS
99  + attrType.getDisplayName() + " field and doing substring comparison"); //NON-NLS
100  }
101 
102  List<BlackboardArtifact> hits = null;
103  try {
104  Case case1 = Case.getCurrentCaseThrows();
105  SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
106 
107  String[] parts = item.getValue().toString().split("##comma##"); //NON-NLS
108 
109  if ((item.getApplyCondition() == null)
110  || (item.getApplyCondition() == ConditionApplicationEnum.ANY)) {
111 
112  for (String part : parts) {
113  if (hits == null) {
114  // Note that this searches for artifacts with "part" as a substring
115  hits = sleuthkitCase.getBlackboardArtifacts(
116  attrType,
117  part, false);
118  } else {
119  hits.addAll(sleuthkitCase.getBlackboardArtifacts(
120  attrType,
121  part, false));
122  }
123  }
124  } else if ((item.getApplyCondition() != null)
125  || (item.getApplyCondition() == ConditionApplicationEnum.ALL)) {
126 
127  boolean firstRound = true;
128  for (String part : parts) {
129  if (firstRound) {
130  hits = sleuthkitCase.getBlackboardArtifacts(
131  attrType,
132  part, false);
133  firstRound = false;
134  } else if (hits != null) {
135  hits.retainAll(sleuthkitCase.getBlackboardArtifacts(
136  attrType,
137  part, false));
138  } else {
139  // After first round; hits is still null
140  // I don't think this should happen but if it does we're done
141  return new ArrayList<BlackboardArtifact>();
142  }
143  }
144  } else {
145  throw new TskCoreException("Error: Can not apply NONE condition in search"); //NON-NLS
146  }
147  } catch (TskCoreException | NoCurrentCaseException ex) {
148  addWarning(ex.getLocalizedMessage());
149  }
150 
151  return hits;
152  }
153 
164  public static boolean compareStringObject(StringObjectPropertyType stringObj, String strField)
165  throws TskCoreException {
166  if (stringObj.getValue() == null) {
167  throw new TskCoreException("Error: Value field is null"); //NON-NLS
168  }
169 
170  String valueStr = stringObj.getValue().toString();
171  ConditionTypeEnum condition = stringObj.getCondition();
172  ConditionApplicationEnum applyCondition = stringObj.getApplyCondition();
173 
174  return compareStringObject(valueStr, condition, applyCondition, strField);
175  }
176 
189  public static boolean compareStringObject(String valueStr, ConditionTypeEnum condition,
190  ConditionApplicationEnum applyCondition, String strField)
191  throws TskCoreException {
192 
193  if (valueStr == null) {
194  throw new TskCoreException("Error: Value field is null"); //NON-NLS
195  }
196 
197  String[] parts = valueStr.split("##comma##"); //NON-NLS
198  String lowerFieldName = strField.toLowerCase();
199 
200  for (String value : parts) {
201  boolean partialResult;
202  if ((condition == null)
203  || (condition == ConditionTypeEnum.EQUALS)) {
204  partialResult = value.equalsIgnoreCase(strField);
205  } else if (condition == ConditionTypeEnum.DOES_NOT_EQUAL) {
206  partialResult = !value.equalsIgnoreCase(strField);
207  } else if (condition == ConditionTypeEnum.CONTAINS) {
208  partialResult = lowerFieldName.contains(value.toLowerCase());
209  } else if (condition == ConditionTypeEnum.DOES_NOT_CONTAIN) {
210  partialResult = !lowerFieldName.contains(value.toLowerCase());
211  } else if (condition == ConditionTypeEnum.STARTS_WITH) {
212  partialResult = lowerFieldName.startsWith(value.toLowerCase());
213  } else if (condition == ConditionTypeEnum.ENDS_WITH) {
214  partialResult = lowerFieldName.endsWith(value.toLowerCase());
215  } else {
216  throw new TskCoreException("Could not process condition " + condition.value() + " on " + value); //NON-NLS
217  }
218 
219  // Do all the short-circuiting
220  if (applyCondition == ConditionApplicationEnum.NONE) {
221  if (partialResult == true) {
222  // Failed
223  return false;
224  }
225  } else if (applyCondition == ConditionApplicationEnum.ALL) {
226  if (partialResult == false) {
227  // Failed
228  return false;
229  }
230  } else {
231  // Default is "any"
232  if (partialResult == true) {
233  return true;
234  }
235  }
236  }
237 
238  // At this point we're done and didn't short-circuit, so ALL or NONE conditions were true,
239  // and ANY was false
240  if ((applyCondition == ConditionApplicationEnum.NONE)
241  || (applyCondition == ConditionApplicationEnum.ALL)) {
242  return true;
243  }
244  return false;
245  }
246 
253  public String getPrintableWarnings() {
254  String warningsToPrint = "";
255  if ((getWarnings() != null)
256  && (!getWarnings().isEmpty())) {
257  warningsToPrint = " (" + getWarnings() + ")";
258  }
259  return warningsToPrint;
260  }
261 }

Copyright © 2012-2016 Basis Technology. Generated on: Mon Jun 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.