updates for sha1 hashing

2025-07-06 21:00:22 +00:00 · 2023-07-27 17:32:54 -04:00 · 2023-07-27 17:32:54 -04:00 · 2dd82a21ea
commit 2dd82a21ea
parent 3e2bbc6421
1 changed files with 155 additions and 0 deletions
--- a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/UsernameAnonymizer.java
+++ b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/UsernameAnonymizer.java
@ -0,0 +1,155 @@
 /*
 * Autopsy Forensic Browser
 *
 * Copyright 2023 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package com.basistech.df.cybertriage.autopsy.malwarescan;
 import com.google.common.net.InetAddresses;
 import java.net.InetAddress;
 import java.util.HashSet;
 import java.util.Locale;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.apache.commons.lang3.StringUtils;
 import org.sleuthkit.autopsy.coreutils.Logger;
 /**
 * Utility class to anonymize username in paths also anonymizes hostname / ip
 * from UNC paths
 */
 public class UsernameAnonymizer {
    private static final Logger LOGGER = Logger.getLogger(UsernameAnonymizer.class.getName());
    private final String USER_PATH_FORWARD_SLASH_REGEX = "(?<!all )([/]{0,1}\\Qusers\\E/)(?!(public|Default|defaultAccount|All Users))([^/]+)(/){0,1}";
    private final String USER_PATH_BACK_SLASH_REGEX = "(?<!all )([\\\\]{0,1}\\Qusers\\E\\\\)(?!(public|Default|defaultAccount|All Users))([^\\\\]+)([\\\\]){0,1}";
    private final double WINDOWS_VERSION;
    private final double DEFAULT_WINDOWS_VERSION = 10.0;
    private final String USER_PATH_FORWARD_SLASH_REGEX_XP = "([/]{0,1}\\Qdocuments and settings\\E/)(?!(Default User|All Users))([^/]+)(/){0,1}";
    private final String USER_PATH_BACK_SLASH_REGEX_XP = "([\\\\]{0,1}\\Qdocuments and settings\\E\\\\)(?!(Default User|All Users))([^\\\\]+)(\\\\){0,1}";
    private final Pattern UNC_PATH_FORWARD_SLASH_PATTERN = Pattern.compile("(//)([^/]+)(/){0,1}");
    private final Pattern UNC_PATH_BACK_SLASH_PATTERN = Pattern.compile("(\\\\\\\\)([^\\\\]+)(\\\\){0,1}");
    public UsernameAnonymizer() {
        // This constructor was added for the unit tests
        // For most purposes, the other constructor should be used so we get the collection info such as users and windows version
        WINDOWS_VERSION = DEFAULT_WINDOWS_VERSION;
    }
    public String anonymousUsername(String inputString) {
        if (StringUtils.isBlank(inputString)) {
            return "";
        }
        String anonymousString = anonymizeUserFromPathsWithForwardSlashes(inputString);
        anonymousString = anonymizeUserFromPathsWithBackSlashes(anonymousString);
        anonymousString = anonymizeServerFromUNCPath(anonymousString);
        return anonymousString;
    }
    private String anonymizeUserFromPathsWithForwardSlashes(String stringWithUsername) {
        Pattern pattern = WINDOWS_VERSION < 6 ? Pattern.compile(USER_PATH_FORWARD_SLASH_REGEX_XP, Pattern.CASE_INSENSITIVE) : Pattern.compile(USER_PATH_FORWARD_SLASH_REGEX, Pattern.CASE_INSENSITIVE);
        Matcher matcher = pattern.matcher(stringWithUsername.toLowerCase(Locale.ENGLISH));
        String replacement = "";
        while (matcher.find()) {
            replacement = String.format("$1%s$4", "<user>");
        }
        String anonymousString = matcher.replaceAll(replacement);
        return anonymousString;
    }
    // Most paths in CyberTriage are normalized with forward slashes
    // but there can still be strings containing paths that are not normalized such paths contained in arguments or event log payloads
    private String anonymizeUserFromPathsWithBackSlashes(String stringWithUsername) {
        Pattern pattern = WINDOWS_VERSION < 6 ? Pattern.compile(USER_PATH_BACK_SLASH_REGEX_XP, Pattern.CASE_INSENSITIVE) : Pattern.compile(USER_PATH_BACK_SLASH_REGEX, Pattern.CASE_INSENSITIVE);
        Matcher matcher = pattern.matcher(stringWithUsername.toLowerCase(Locale.ENGLISH));
        String replacement = "";
        while (matcher.find()) {
            replacement = String.format("$1%s$4", "<user>");
        }
        String anonymousString = matcher.replaceAll(replacement);
        return anonymousString;
    }
    private String anonymizeServerFromUNCPath(String inputString) {
        Set<String> serverNames = new HashSet<>();
        String anonymousString = inputString.toLowerCase(Locale.ENGLISH);
        Matcher forwardSlashMatcher = UNC_PATH_FORWARD_SLASH_PATTERN.matcher(anonymousString);
        while (forwardSlashMatcher.find()) {
            String serverName = forwardSlashMatcher.group(2);
            serverNames.add(serverName);
        }
        Matcher backSlashMatcher = UNC_PATH_BACK_SLASH_PATTERN.matcher(anonymousString);
        while (backSlashMatcher.find()) {
            String serverName = backSlashMatcher.group(2);
            serverNames.add(serverName);
        }
        for (String serverName : serverNames) {
            if (StringUtils.isBlank(serverName)) {
                continue;
            }
            if (InetAddresses.isInetAddress(serverName)) {
                if (isLocalIP(serverName)) {
                    anonymousString = StringUtils.replace(anonymousString, "\\" + serverName + "\\", "\\<private_ip>\\");
                    anonymousString = StringUtils.replace(anonymousString, "/" + serverName + "/", "/<private_ip>/");
                }
            } else {
                anonymousString = StringUtils.replace(anonymousString, "\\" + serverName + "\\", "\\<hostname>\\");
                anonymousString = StringUtils.replace(anonymousString, "/" + serverName + "/", "/<hostname>/");
            }
        }
        return anonymousString;
    }
    /**
     * Returns true if IP Address is Any Local / Site Local / Link Local / Loop
     * back local. Sample list "0.0.0.0", wildcard addres
     * "10.1.1.1","10.10.10.10", site local address "127.0.0.0","127.2.2.2",
     * loopback address "169.254.0.0","169.254.10.10", Link local address
     * "172.16.0.0","172.31.245.245", site local address
     *
     * @param ipAddress
     * @return
     */
    public static boolean isLocalIP(String ipAddress) {
        try {
            InetAddress a = InetAddresses.forString(ipAddress);
            return a.isAnyLocalAddress() || a.isSiteLocalAddress()
                    || a.isLoopbackAddress() || a.isLinkLocalAddress();
        } catch (IllegalArgumentException ex) {
            LOGGER.log(Level.WARNING, "Invalid IP string", ex);
            return false;
        }
    }
 }