mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implemented new logic to determine if an account is in a domain realm

Browse Source
This commit is contained in:
Kelly Kelly 2021-09-28 18:46:10 -04:00
parent b9dc03094e
commit 2906ce2401
1 changed files with 46 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -751,7 +751,7 @@ class ExtractRegistry extends Extract {
try{ try{
sid = userMap.getKey(); sid = userMap.getKey();
String userName = userMap.getValue(); String userName = userMap.getValue();
createOrUpdateOsAccount(regFile, sid, userName, null, null); createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL);
} catch(TskCoreException | TskDataException | NotUserSIDException ex) { } catch(TskCoreException | TskDataException | NotUserSIDException ex) {
logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex); logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex);
} }
@ -864,12 +864,14 @@ class ExtractRegistry extends Extract {
String sid = artnode.getAttribute("sid"); //NON-NLS String sid = artnode.getAttribute("sid"); //NON-NLS
String username = artnode.getAttribute("username"); //NON-NLS String username = artnode.getAttribute("username"); //NON-NLS
String domName = domainName; String domName = domainName;
Map<String, String> userMap = getUserNameMap(); OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN;
if(userMap.containsKey(sid)) { if(knownMachineSID(sid)) {
domName = null; domName = null;
scope = OsAccountRealm.RealmScope.LOCAL;
} }
try{ try{
createOrUpdateOsAccount(regFile, sid, username, homeDir, domName); createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope);
} catch(TskCoreException | TskDataException | NotUserSIDException ex) { } catch(TskCoreException | TskDataException | NotUserSIDException ex) {
logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex); logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex);
} }
@ -1117,7 +1119,7 @@ class ExtractRegistry extends Extract {
//add remaining userinfos as accounts; //add remaining userinfos as accounts;
for (Map<String, String> userInfo : userInfoMap.values()) { for (Map<String, String> userInfo : userInfoMap.values()) {
OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null && !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile); updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile);
} }
@ -1730,6 +1732,42 @@ class ExtractRegistry extends Extract {
return map; return map;
} }
/**
* Strip the machine sid off of the osAccountSID. The returned string will
* include everything in the osAccountSID up to the last -.
*
* @param osAccountSID The SID of the os account.
*
* @return The Machine SID
*/
private String getMachineSID(String osAccountSID) {
int index = osAccountSID.lastIndexOf("-");
return osAccountSID.substring(0, index);
}
private final List<String> machineSIDs = new ArrayList<>();
/**
* Returns true if the machine part of the SID was seen prior
* to ExtractRegistry running.
*
* @param osAccountSID
*
* @return
*/
private boolean knownMachineSID(String osAccountSID) {
if (machineSIDs.isEmpty()) {
Map<String, String> userMap = getUserNameMap();
for (String str : userMap.keySet()) {
String temp = getMachineSID(str);
if (!machineSIDs.contains(temp)) {
machineSIDs.add(temp);
}
}
}
String machineSID = getMachineSID(osAccountSID);
return machineSIDs.contains(machineSID);
}
/** /**
* Returns a mapping of user sids to user names. * Returns a mapping of user sids to user names.
* *
@ -1993,7 +2031,7 @@ class ExtractRegistry extends Extract {
* @throws TskDataException * @throws TskDataException
* @throws OsAccountManager.NotUserSIDException * @throws OsAccountManager.NotUserSIDException
*/ */
private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName1) throws TskCoreException, TskDataException, NotUserSIDException { private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException {
OsAccountManager accountMgr = tskCase.getOsAccountManager(); OsAccountManager accountMgr = tskCase.getOsAccountManager();
HostManager hostMrg = tskCase.getHostManager(); HostManager hostMrg = tskCase.getHostManager();
Host host = hostMrg.getHostByDataSource((DataSource)dataSource); Host host = hostMrg.getHostByDataSource((DataSource)dataSource);
@ -2001,16 +2039,13 @@ class ExtractRegistry extends Extract {
Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host); Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host);
OsAccount osAccount; OsAccount osAccount;
if (!optional.isPresent()) { if (!optional.isPresent()) {
if(sid.endsWith("20") || sid.endsWith("19")) { osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope);
domainName1 = null;
}
osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName1, host, domainName1 != null && !domainName1.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
} else { } else {
osAccount = optional.get(); osAccount = optional.get();
addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); addAccountInstance(accountMgr, osAccount, (DataSource)dataSource);
if (userName != null && !userName.isEmpty()) { if (userName != null && !userName.isEmpty()) {
OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName1 == null || domainName1.isEmpty()) ? null : domainName1, host); OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host);
osAccount = updateResult.getUpdatedAccount().orElse(osAccount); osAccount = updateResult.getUpdatedAccount().orElse(osAccount);
} }
} }