Initial work on osaccount CR

Initial work on osaccount cr
This commit is contained in:
Mark McKinnon 2021-06-21 13:51:54 -04:00
parent 3e05c44679
commit 8a405ac977
3 changed files with 62 additions and 2 deletions


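--- a/CentralRepoDbUpgrader15To16.java
+++ b/CentralRepoDbUpgrader15To16.java
@@ -41,7 +41,8 @@ public class CentralRepoDbUpgrader15To16 implements CentralRepoDbUpgrader {
 for (CorrelationAttributeInstance.Type type : CorrelationAttributeInstance.getDefaultCorrelationTypes()) {
 String instance_type_dbname = CentralRepoDbUtil.correlationTypeToInstanceTableName(type);
-if (type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) {
+if ((type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) ||
+(type.getId() == CorrelationAttributeInstance.OSACCOUNT_TYPE_ID)){
 // these are new Correlation types - new tables need to be created
 statement.execute(String.format(RdbmsCentralRepoFactory.getCreateAccountInstancesTableTemplate(selectedPlatform), instance_type_dbname, instance_type_dbname));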
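Review bot: The new OSACCOUNT_TYPE_ID branch is only reached for a Type returned by CorrelationAttributeInstance.getDefaultCorrelationTypes(), and nothing in this commit's three files visibly adds a Type with that id to that list (the CorrelationAttributeInstance hunk only declares the constant), so the OS account instance table would never be created unless the default list is derived from these constants elsewhere. If schema version 16 has already shipped, repositories already at 16 will not run this upgrader again and will lack the table; the usual remedy is a new upgrader step rather than extending a released one. The surrounding for loop closes outside the hunk.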


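--- a/CorrelationAttributeInstance.java
+++ b/CorrelationAttributeInstance.java
@@ -258,6 +258,7 @@ public class CorrelationAttributeInstance implements Serializable {
 public static final int IMSI_TYPE_ID = 8;
 public static final int ICCID_TYPE_ID = 9;
 public static final int INSTALLED_PROGS_TYPE_ID = 10;
+public static final int OSACCOUNT_TYPE_ID = 11;
 // An offset to assign Ids for additional correlation types.
 public static final int ADDITIONAL_TYPES_BASE_ID = 1000;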
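Review bot: The new OSACCOUNT_TYPE_ID constant carries no comment, while the neighbouring ADDITIONAL_TYPES_BASE_ID does; a one-liner such as `// OS account instances, correlated on the account address (see OsAccountAddedTask in CaseEventListener)` would tell readers what value this type keys on, which is otherwise only visible in the CaseEventListener hunk of this commit. The id 11 continues the sequence after INSTALLED_PROGS_TYPE_ID and stays below ADDITIONAL_TYPES_BASE_ID, so there is no collision to worry about here.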


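--- a/CaseEventListener.java
+++ b/CaseEventListener.java
@@ -23,6 +23,7 @@ import java.beans.PropertyChangeEvent;
 import java.beans.PropertyChangeListener;
 import java.util.EnumSet;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -37,6 +38,7 @@ import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent;
 import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent;
 import org.sleuthkit.autopsy.casemodule.events.DataSourceAddedEvent;
 import org.sleuthkit.autopsy.casemodule.events.DataSourceNameChangedEvent;
+import org.sleuthkit.autopsy.casemodule.events.OsAccountsAddedEvent;
 import org.sleuthkit.autopsy.casemodule.services.TagsManager;
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
@@ -56,6 +58,7 @@ import org.sleuthkit.datamodel.TskData;
 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
 import org.sleuthkit.datamodel.Tag;
 import org.sleuthkit.autopsy.events.AutopsyEvent;
+import org.sleuthkit.datamodel.OsAccount;
 /**
 * Listen for case events and update entries in the Central Repository database
@@ -75,7 +78,7 @@ public final class CaseEventListener implements PropertyChangeListener {
 Case.Events.DATA_SOURCE_ADDED,
 Case.Events.TAG_DEFINITION_CHANGED,
 Case.Events.CURRENT_CASE,
-Case.Events.DATA_SOURCE_NAME_CHANGED);
+Case.Events.DATA_SOURCE_NAME_CHANGED, Case.Events.OS_ACCOUNTS_ADDED);
 public CaseEventListener() {
 jobProcessingExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat(CASE_EVENT_THREAD_NAME).build());
@@ -130,6 +133,9 @@ public final class CaseEventListener implements PropertyChangeListener {
 jobProcessingExecutor.submit(new DataSourceNameChangedTask(dbManager, evt));
 }
 break;
+case OS_ACCOUNTS_ADDED: {
+jobProcessingExecutor.submit(new OsAccountAddedTask(dbManager, evt));
+}
 }
 }
@@ -635,6 +641,58 @@ public final class CaseEventListener implements PropertyChangeListener {
 } // CURRENT_CASE
 }
+private final class OsAccountAddedTask implements Runnable {
+private final CentralRepository dbManager;
+private final PropertyChangeEvent event;
+private OsAccountAddedTask(CentralRepository db, PropertyChangeEvent evt) {
+dbManager = db;
+event = evt;
+}
+@Override
+public void run() {
+if (!CentralRepository.isEnabled()) {
+return;
+}
+final OsAccountsAddedEvent osAccountsAddedEvent = (OsAccountsAddedEvent) event;
+List<OsAccount> addedOsAccountNew = osAccountsAddedEvent.getNewValue();
+for (OsAccount osAccount: addedOsAccountNew) {
+Optional<String> accountAddr = osAccount.getAddr();
+// Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system
+// and they are not unique
+if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) {
+return;
+}
+try {
+CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
+// Type correlationType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID);
+// CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
+// CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID),
+// accountAddr.get(),
+// correlationCase,
+// CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource),
+// "",
+// "",
+// "",
+// "",
+// TskData.FileKnown,
+// osAccount.getId());
+// dbManager.addArtifactInstance(correlationAttributeInstance);
+} catch (CentralRepoException ex) {
+LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); //NON-NLS
+} catch (NoCurrentCaseException ex) {
+LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
+}
+}
+LOGGER.log(Level.INFO, "Error connecting to Central Repository database."); //NON-NLS
+}
+}
 private final class DataSourceNameChangedTask implements Runnable {
 private final CentralRepository dbManager;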
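Review bot: The `return` in OsAccountAddedTask.run for an account with no address or one of the three well-known SIDs exits the whole task, so every account listed after the first skipped one is silently dropped from the event; it should be `continue;` unless stopping at the first system account is intended. The `LOGGER.log(Level.INFO, "Error connecting to Central Repository database.")` after the loop runs on every successful pass and describes a condition the code has not detected; drop it, or log an accurate message from the catch blocks (the SEVERE message there also concatenates the literal `"OsAccount"` rather than the account's address). Because the CorrelationAttributeInstance construction is commented out (and references `bbSourceFile`, which is not in scope in this task), the task currently only resolves the current case and writes nothing to the repository; a `// TODO` naming the missing piece, the account's data source, would make the unfinished state explicit. The new `case OS_ACCOUNTS_ADDED:` in the event switch has no `break;` unlike its sibling cases, harmless as the last case today but fragile once another case is appended. The switch's enclosing method starts outside its hunk.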