EvalNetworkShareObj.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.stix;
20 
21 import java.util.ArrayList;
23 import org.sleuthkit.datamodel.SleuthkitCase;
24 import org.sleuthkit.datamodel.BlackboardArtifact;
25 import org.sleuthkit.datamodel.BlackboardAttribute;
26 import org.sleuthkit.datamodel.TskCoreException;
27 
28 import java.util.List;
29 import org.mitre.cybox.common_2.ConditionApplicationEnum;
30 
31 import org.mitre.cybox.objects.WindowsNetworkShare;
33 
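/**
 * Evaluates a STIX/CybOX WindowsNetworkShare observable against the
 * TSK_REMOTE_DRIVE artifacts of the current case.
 *
 * Only two fields take part in matching: Netname is compared with an
 * artifact's TSK_REMOTE_PATH attribute and Local_Path with its
 * TSK_LOCAL_PATH attribute, both through the inherited compareStringObject.
 * Any other field present on the object (Current_Uses, Max_Uses, Type) is
 * ignored and reported in the result's warnings so the analyst knows the
 * indicator was only partially evaluated.
 *
 * NOTE(review): the field values originate from an externally supplied STIX
 * document. Here they are only compared and echoed into the result message;
 * how the STIX condition (including pattern-style conditions) is applied
 * lives in EvaluatableObject.compareStringObject - confirm there that a
 * hostile pattern cannot make matching pathologically expensive.
 */
class EvalNetworkShareObj extends EvaluatableObject {

    private final WindowsNetworkShare obj;

    /**
     * @param a_obj     the CybOX network share object to evaluate
     * @param a_id      the observable id, echoed back in the result
     * @param a_spacing indentation prefix used when the result is rendered
     */
    public EvalNetworkShareObj(WindowsNetworkShare a_obj, String a_id, String a_spacing) {
        obj = a_obj;
        id = a_id;
        spacing = a_spacing;
    }

    /**
     * Runs the evaluation.
     *
     * @return TRUE with one StixArtifactData per matching artifact, FALSE when
     *         nothing matched, or INDETERMINATE when the object carries neither
     *         a Netname nor a Local_Path, when there is no current case, or
     *         when the case database cannot be read.
     */
    @Override
    public synchronized ObservableResult evaluate() {

        setWarnings("");

        if ((obj.getNetname() == null) && (obj.getLocalPath() == null)) {
            return new ObservableResult(id, "NetworkShareObject: No remote name or local path found", //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }

        // Human-readable description of the search terms, for the result message.
        String searchString = buildSearchString();

        setUnsupportedFieldWarnings();

        try {
            Case case1 = Case.getCurrentCaseThrows();
            SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
            List<BlackboardArtifact> artList
                    = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_REMOTE_DRIVE);

            // Assumes there are few enough network share artifacts that examining
            // every one is cheaper than querying by attribute value.
            List<BlackboardArtifact> finalHits = new ArrayList<>();
            for (BlackboardArtifact art : artList) {
                if (artifactMatches(art)) {
                    finalHits.add(art);
                }
            }

            if (!finalHits.isEmpty()) {
                List<StixArtifactData> artData = new ArrayList<>();
                for (BlackboardArtifact a : finalHits) {
                    artData.add(new StixArtifactData(a.getObjectID(), id, "NetworkShare")); //NON-NLS
                }
                return new ObservableResult(id, "NetworkShareObject: Found a match for " + searchString, //NON-NLS
                        spacing, ObservableResult.ObservableState.TRUE, artData);
            }

            return new ObservableResult(id, "NetworkShareObject: No matches found for " + searchString, //NON-NLS
                    spacing, ObservableResult.ObservableState.FALSE, null);
        } catch (TskCoreException | NoCurrentCaseException ex) {
            // The result message previously mislabelled this evaluator as "NetworkObject".
            return new ObservableResult(id, "NetworkShareObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
        }
    }

    /**
     * Describes the fields being searched for, e.g.
     * {@code Netname "x" and LocalPath "y"}, and records a warning for each
     * field whose apply condition is something other than ANY.
     */
    private String buildSearchString() {
        StringBuilder description = new StringBuilder();

        if (obj.getNetname() != null) {
            description.append("Netname \"").append(obj.getNetname().getValue()).append("\""); //NON-NLS
            warnIfApplyConditionUnsupported(obj.getNetname().getApplyCondition());
        }
        if (obj.getLocalPath() != null) {
            if (description.length() > 0) {
                description.append(" and "); //NON-NLS
            }
            description.append("LocalPath \"").append(obj.getLocalPath().getValue()).append("\""); //NON-NLS
            warnIfApplyConditionUnsupported(obj.getLocalPath().getApplyCondition());
        }

        return description.toString();
    }

    /**
     * The apply conditions ALL and NONE probably won't work correctly with the
     * comparison used here. Neither seems likely to come up in practice, so
     * the evaluation proceeds and only a warning is recorded.
     */
    private void warnIfApplyConditionUnsupported(ConditionApplicationEnum condition) {
        if ((condition != null) && (condition != ConditionApplicationEnum.ANY)) {
            addWarning("Apply condition " + condition.value() + " may not work correctly"); //NON-NLS
        }
    }

    /**
     * Returns true when every field the observable specifies matches the
     * corresponding attribute of {@code art}: Netname against TSK_REMOTE_PATH
     * and Local_Path against TSK_LOCAL_PATH. An unspecified field imposes no
     * constraint.
     *
     * The match flags are only ever raised, never cleared, so an artifact
     * carrying several attributes of the same type matches if any one of them
     * does. (Previously a later non-matching attribute of the same type could
     * overwrite an earlier match, producing a false negative.)
     */
    private boolean artifactMatches(BlackboardArtifact art) throws TskCoreException {
        boolean needRemote = obj.getNetname() != null;
        boolean needLocal = obj.getLocalPath() != null;
        boolean foundRemotePathMatch = false;
        boolean foundLocalPathMatch = false;

        for (BlackboardAttribute attr : art.getAttributes()) {
            int typeId = attr.getAttributeType().getTypeID();
            if (needRemote && (typeId == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REMOTE_PATH.getTypeID())) {
                foundRemotePathMatch |= compareStringObject(obj.getNetname(), attr.getValueString());
            }
            if (needLocal && (typeId == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCAL_PATH.getTypeID())) {
                foundLocalPathMatch |= compareStringObject(obj.getLocalPath(), attr.getValueString());
            }
        }

        return (foundRemotePathMatch || !needRemote) && (foundLocalPathMatch || !needLocal);
    }

    /**
     * Records one warning naming the fields of the object this evaluator
     * ignores (Current_Uses, Max_Uses, Type). Nothing is recorded when none of
     * them is present; the previous code emitted an empty
     * "Unsupported field(s): " warning on every evaluation.
     */
    private void setUnsupportedFieldWarnings() {
        List<String> fieldNames = new ArrayList<>();

        if (obj.getCurrentUses() != null) {
            fieldNames.add("Current_Uses"); //NON-NLS
        }
        if (obj.getMaxUses() != null) {
            fieldNames.add("Max_Uses"); //NON-NLS
        }
        if (obj.getType() != null) {
            fieldNames.add("Type"); //NON-NLS
        }

        if (fieldNames.isEmpty()) {
            return;
        }

        StringBuilder warningStr = new StringBuilder();
        for (String name : fieldNames) {
            if (warningStr.length() > 0) {
                warningStr.append(", ");
            }
            warningStr.append(name);
        }

        addWarning("Unsupported field(s): " + warningStr); //NON-NLS
    }

}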
