mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 16:06:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added a SAMId list to extractRegistry

Browse Source
This commit is contained in:
Kelly Kelly 2021-10-14 13:44:22 -04:00
parent d1ee46645a
commit 89da42a27b
1 changed files with 43 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -178,6 +178,7 @@ class ExtractRegistry extends Extract {
private Content dataSource; private Content dataSource;
private IngestJobContext context; private IngestJobContext context;
private Map<String, String> userNameMap; private Map<String, String> userNameMap;
private final List<String> samDomainIDsList = new ArrayList<>();
private String compName = ""; private String compName = "";
private String domainName = ""; private String domainName = "";
@ -869,7 +870,7 @@ class ExtractRegistry extends Extract {
// accounts in profileList can be either domain or local // accounts in profileList can be either domain or local
// Assume domain unless the SID was seen before in the SAM (which is only local). // Assume domain unless the SID was seen before in the SAM (which is only local).
OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN; OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN;
if(knownMachineSID(sid)) { if(isDomainIdInSAMList(sid)) {
domName = null; domName = null;
scope = OsAccountRealm.RealmScope.LOCAL; scope = OsAccountRealm.RealmScope.LOCAL;
} }
@ -1098,7 +1099,9 @@ class ExtractRegistry extends Extract {
Map<String, Map<String, String>> userInfoMap = new HashMap<>(); Map<String, Map<String, String>> userInfoMap = new HashMap<>();
//load all the user info which was read into a map //load all the user info which was read into a map
for (Map<String, String> userInfo : userSet) { for (Map<String, String> userInfo : userSet) {
userInfoMap.put(userInfo.get(SID_KEY), userInfo); String sid = userInfo.get(SID_KEY);
userInfoMap.put(sid, userInfo);
addSIDToSAMList(sid);
} }
// New OsAccount Code // New OsAccount Code
@ -1731,8 +1734,10 @@ class ExtractRegistry extends Extract {
for(OsAccount account: tskCase.getOsAccountManager().getOsAccounts(((DataSource)dataSource).getHost())) { for(OsAccount account: tskCase.getOsAccountManager().getOsAccounts(((DataSource)dataSource).getHost())) {
Optional<String> userName = account.getLoginName(); Optional<String> userName = account.getLoginName();
// @@@ BC: Seems like this should be calling account.getAddr() to get the SID. String address = account.getAddr().orElse("");
map.put(account.getName(), userName.isPresent() ? userName.get() : ""); if(!address.isEmpty()) {
map.put(address, userName.isPresent() ? userName.get() : "");
}
} }
return map; return map;
@ -1742,40 +1747,21 @@ class ExtractRegistry extends Extract {
* Strip the machine sid off of the osAccountSID. The returned string will * Strip the machine sid off of the osAccountSID. The returned string will
* include everything in the osAccountSID up to the last -. * include everything in the osAccountSID up to the last -.
* *
* There must be at least three dashes in the SID for it to be useful.
*
* @param osAccountSID The SID of the os account. * @param osAccountSID The SID of the os account.
* *
* @return The Machine SID * @return The Machine SID
*/ */
private String getMachineSID(String osAccountSID) { private String stripRelativeIdentifierFromSID(String osAccountSID) {
// @@@ We should add checks about mininum number of dashes. if(osAccountSID.split("-").length >= 4) {
// and we should really call this stripRelativeIdentifierFromSID(). int index = osAccountSID.lastIndexOf('-');
int index = osAccountSID.lastIndexOf("-"); return index > 1 ? osAccountSID.substring(0, index) : "";
return osAccountSID.substring(0, index); }
return "";
} }
private final List<String> machineSIDs = new ArrayList<>(); private final List<String> machineSIDs = new ArrayList<>();
/**
* Returns true if the machine part of the SID was seen prior
* to ExtractRegistry running.
*
* @param osAccountSID
*
* @return
*/
// @@@ BC: This is probably more accurately called 'knownDomainIdSID'
private boolean knownMachineSID(String osAccountSID) {
if (machineSIDs.isEmpty()) {
Map<String, String> userMap = getUserNameMap();
for (String str : userMap.keySet()) {
String temp = getMachineSID(str);
if (!machineSIDs.contains(temp)) {
machineSIDs.add(temp);
}
}
}
String machineSID = getMachineSID(osAccountSID);
return machineSIDs.contains(machineSID);
}
/** /**
* Returns a mapping of user sids to user names. * Returns a mapping of user sids to user names.
@ -2336,4 +2322,30 @@ class ExtractRegistry extends Extract {
private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException { private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException {
accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
} }
/**
* Add the domainId of the given account sid to the sam domain id list.
*
* @param sid OS account sid
*/
private void addSIDToSAMList(String sid) {
String relativeID = stripRelativeIdentifierFromSID(sid);
if(!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) {
samDomainIDsList.add(relativeID);
}
}
/**
* Returns true if the domain id of the os account sid is in the list
* of domain ids seen when parsing the sam file.
*
* @param osAccountSID
*
* @return If the domainID is in the same file list.
*/
private boolean isDomainIdInSAMList(String osAccountSID) {
String relativeID = stripRelativeIdentifierFromSID(osAccountSID);
return samDomainIDsList.contains(relativeID);
}
} }