mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-15 01:07:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1079 from mrtizmo/r312-stix.ja

Browse Source 
stix ja localization and translation
This commit is contained in:
Richard Cordovano 2015-02-23 09:10:38 -05:00
commit af6b47479a
19 changed files with 390 additions and 356 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Core/src/org/sleuthkit/autopsy/modules/stix/Bundle.properties
View File

@ -6,3 +6,10 @@ STIXReportModuleConfigPanel.jLabel2.text=Select a STIX file or directory of STIX
STIXReportModuleConfigPanel.jTextField1.text= STIXReportModuleConfigPanel.jTextField1.text=
STIXReportModuleConfigPanel.jButton1.text=Choose file STIXReportModuleConfigPanel.jButton1.text=Choose file
STIXReportModuleConfigPanel.jCheckBox1.text=Include results for false indicators in output file STIXReportModuleConfigPanel.jCheckBox1.text=Include results for false indicators in output file
STIXReportModule.notifyMsg.unableToOpenReportFile=Unable to open STIX report file {0}
STIXReportModule.progress.completedWithErrors=Completed with errors
STIXReportModule.notifyMsg.unableToOpenFileDir=Unable to open STIX file/directory {0}
STIXReportModule.progress.couldNotOpenFileDir=Could not open file/directory {0}
STIXReportModule.notifyMsg.tooManyArtifactsgt1000=Too many STIX-related artifacts generated for "{0}". Only saving first 1000.
STIXReportModule.notifyErr.noFildDirProvided=No STIX file/directory provided
STIXReportModule.progress.noFildDirProvided=No STIX file/directory provided

14
Core/src/org/sleuthkit/autopsy/modules/stix/Bundle_ja.properties Normal file
View File

@ -0,0 +1,14 @@
OpenIDE-Module-Name=stix\u30E2\u30B8\u30E5\u30FC\u30EB
STIXReportModule.getDesc.text=\u30C7\u30FC\u30BF\u30BD\u30FC\u30B9\u306B\u5BFE\u3057\u3066\u5E7E\u3064\u304B\u306ESTIX\uFF08Structured Threat Information eXpression\uFF1B\u8105\u5A01\u60C5\u5831\u69CB\u9020\u5316\u8A18\u8FF0\u5F62\u5F0F\uFF09\u30D5\u30A1\u30A4\u30EB\u3092\u5B9F\u884C\u3057\u3001\u30EC\u30DD\u30FC\u30C8\u3092\u751F\u6210\u3057\u307E\u3059\u3002\u307E\u305F\u3001\u7591\u308F\u3057\u3044\u30D5\u30A1\u30A4\u30EB\u5185\u306B\u30A2\u30FC\u30C6\u30A3\u30D5\u30A1\u30AF\u30C8\u3092\u4F5C\u6210\u3002
STIXReportModule.getName.text=STIX
STIXReportModule.notifyMsg.tooManyArtifactsgt1000="{0}"\u7528\u306B\u751F\u6210\u3055\u308C\u305FSTIX\u95A2\u9023\u306E\u30A2\u30FC\u30C6\u30A3\u30D5\u30A1\u30AF\u30C8\u304C\u591A\u3059\u304E\u307E\u3059\u3002\u6700\u521D\u306E1000\u306E\u307F\u4FDD\u5B58\u3002
STIXReportModule.notifyMsg.unableToOpenFileDir=STIX\u30D5\u30A1\u30A4\u30EB\uFF0F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA{0}\u3092\u958B\u3051\u307E\u305B\u3093\u3067\u3057\u305F
STIXReportModule.notifyMsg.unableToOpenReportFile=STIX\u30EC\u30DD\u30FC\u30C8\u30D5\u30A1\u30A4\u30EB{0}\u3092\u958B\u3051\u307E\u305B\u3093\u3067\u3057\u305F
STIXReportModule.progress.completedWithErrors=\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F\u304C\u3001\u5B8C\u4E86\u3057\u307E\u3057\u305F
STIXReportModule.progress.couldNotOpenFileDir=\u30D5\u30A1\u30A4\u30EB\uFF0F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA{0}\u3092\u958B\u3051\u307E\u305B\u3093\u3067\u3057\u305F
STIXReportModule.progress.readSTIX=STIX\u30D5\u30A1\u30A4\u30EB\u3092\u30D1\u30FC\u30B9\u4E2D
STIXReportModuleConfigPanel.jButton1.text=\u30D5\u30A1\u30A4\u30EB\u9078\u629E
STIXReportModuleConfigPanel.jCheckBox1.text=\u30A2\u30A6\u30C8\u30D7\u30C3\u30C8\u30D5\u30A1\u30A4\u30EB\u306E\u8AA4\u3063\u305F\u30A4\u30F3\u30B8\u30B1\u30FC\u30BF\u30FC\u306E\u7D50\u679C\u3082\u542B\u3080
STIXReportModuleConfigPanel.jLabel2.text=STIX\u30D5\u30A1\u30A4\u30EB\u307E\u305F\u306FSTIX\u30D5\u30A1\u30A4\u30EB\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u3092\u9078\u629E
STIXReportModule.notifyErr.noFildDirProvided=STIX\u30D5\u30A1\u30A4\u30EB\uFF0F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304C\u63D0\u4F9B\u3055\u308C\u3066\u3044\u307E\u305B\u3093
STIXReportModule.progress.noFildDirProvided=STIX\u30D5\u30A1\u30A4\u30EB\uFF0F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304C\u63D0\u4F9B\u3055\u308C\u3066\u3044\u307E\u305B\u3093

50
Core/src/org/sleuthkit/autopsy/modules/stix/EvalAccountObj.java
View File

@ -53,7 +53,7 @@ class EvalAccountObj extends EvaluatableObject {
// UserAccount: Home_Directory, Username // UserAccount: Home_Directory, Username
// WinUserAccount: SID // WinUserAccount: SID
if (!(obj instanceof UserAccountObjectType)) { if (!(obj instanceof UserAccountObjectType)) {
return new ObservableResult(id, "AccountObject: Can not process \"Account\" - need a User_Account or Windows_User_Account", return new ObservableResult(id, "AccountObject: Can not process \"Account\" - need a User_Account or Windows_User_Account", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -68,14 +68,14 @@ class EvalAccountObj extends EvaluatableObject {
UserAccountObjectType userAccountObj = (UserAccountObjectType) obj; UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
if (userAccountObj.getHomeDirectory() != null) { if (userAccountObj.getHomeDirectory() != null) {
haveHomeDir = true; haveHomeDir = true;
searchString = "HomeDir \"" + userAccountObj.getHomeDirectory().getValue().toString() + "\""; searchString = "HomeDir \"" + userAccountObj.getHomeDirectory().getValue().toString() + "\""; //NON-NLS
} }
if (userAccountObj.getUsername() != null) { if (userAccountObj.getUsername() != null) {
haveUsername = true; haveUsername = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Username \"" + userAccountObj.getUsername().getValue().toString() + "\""; searchString += "Username \"" + userAccountObj.getUsername().getValue().toString() + "\""; //NON-NLS
} }
WindowsUserAccount winUserObj = null; WindowsUserAccount winUserObj = null;
@ -85,14 +85,14 @@ class EvalAccountObj extends EvaluatableObject {
if (winUserObj.getSecurityID() != null) { if (winUserObj.getSecurityID() != null) {
haveSID = true; haveSID = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "SID \"" + winUserObj.getSecurityID().getValue().toString() + "\""; searchString += "SID \"" + winUserObj.getSecurityID().getValue().toString() + "\""; //NON-NLS
} }
} }
if (!(haveHomeDir || haveUsername || haveSID)) { if (!(haveHomeDir || haveUsername || haveSID)) {
return new ObservableResult(id, "AccountObject: No evaluatable fields found", return new ObservableResult(id, "AccountObject: No evaluatable fields found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -141,17 +141,17 @@ class EvalAccountObj extends EvaluatableObject {
if (!finalHits.isEmpty()) { if (!finalHits.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "Account")); artData.add(new StixArtifactData(a.getObjectID(), id, "Account")); //NON-NLS
} }
return new ObservableResult(id, "AccountObject: Found a match for " + searchString, return new ObservableResult(id, "AccountObject: Found a match for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
// Didn't find any matches // Didn't find any matches
return new ObservableResult(id, "AccountObject: No matches found for " + searchString, return new ObservableResult(id, "AccountObject: No matches found for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "AccountObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "AccountObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -164,43 +164,43 @@ class EvalAccountObj extends EvaluatableObject {
List<String> fieldNames = new ArrayList<String>(); List<String> fieldNames = new ArrayList<String>();
if (obj.getDescription() != null) { if (obj.getDescription() != null) {
fieldNames.add("Description"); fieldNames.add("Description"); //NON-NLS
} }
if (obj.getDomain() != null) { if (obj.getDomain() != null) {
fieldNames.add("Domain"); fieldNames.add("Domain"); //NON-NLS
} }
if (obj.getAuthentications() != null) { if (obj.getAuthentications() != null) {
fieldNames.add("Authentication"); fieldNames.add("Authentication"); //NON-NLS
} }
if (obj.getCreationDate() != null) { if (obj.getCreationDate() != null) {
fieldNames.add("Creation_Date"); fieldNames.add("Creation_Date"); //NON-NLS
} }
if (obj.getModifiedDate() != null) { if (obj.getModifiedDate() != null) {
fieldNames.add("Modified_Date"); fieldNames.add("Modified_Date"); //NON-NLS
} }
if (obj.getLastAccessedTime() != null) { if (obj.getLastAccessedTime() != null) {
fieldNames.add("Last_Accessed_Time"); fieldNames.add("Last_Accessed_Time"); //NON-NLS
} }
if (obj instanceof UserAccountObjectType) { if (obj instanceof UserAccountObjectType) {
UserAccountObjectType userAccountObj = (UserAccountObjectType) obj; UserAccountObjectType userAccountObj = (UserAccountObjectType) obj;
if (userAccountObj.getFullName() != null) { if (userAccountObj.getFullName() != null) {
fieldNames.add("Full_Name"); fieldNames.add("Full_Name"); //NON-NLS
} }
if (userAccountObj.getGroupList() != null) { if (userAccountObj.getGroupList() != null) {
fieldNames.add("Group_List"); fieldNames.add("Group_List"); //NON-NLS
} }
if (userAccountObj.getLastLogin() != null) { if (userAccountObj.getLastLogin() != null) {
fieldNames.add("Last_Login"); fieldNames.add("Last_Login"); //NON-NLS
} }
if (userAccountObj.getPrivilegeList() != null) { if (userAccountObj.getPrivilegeList() != null) {
fieldNames.add("Privilege_List"); fieldNames.add("Privilege_List"); //NON-NLS
} }
if (userAccountObj.getScriptPath() != null) { if (userAccountObj.getScriptPath() != null) {
fieldNames.add("Script_Path"); fieldNames.add("Script_Path"); //NON-NLS
} }
if (userAccountObj.getUserPasswordAge() != null) { if (userAccountObj.getUserPasswordAge() != null) {
fieldNames.add("User_Password_Age"); fieldNames.add("User_Password_Age"); //NON-NLS
} }
} }
@ -208,7 +208,7 @@ class EvalAccountObj extends EvaluatableObject {
WindowsUserAccount winUserObj = (WindowsUserAccount) obj; WindowsUserAccount winUserObj = (WindowsUserAccount) obj;
if (winUserObj.getSecurityType() != null) { if (winUserObj.getSecurityType() != null) {
fieldNames.add("Security_Type"); fieldNames.add("Security_Type"); //NON-NLS
} }
} }
@ -220,7 +220,7 @@ class EvalAccountObj extends EvaluatableObject {
warningStr += name; warningStr += name;
} }
addWarning("Unsupported field(s): " + warningStr); addWarning("Unsupported field(s): " + warningStr); //NON-NLS
} }
} }

28
Core/src/org/sleuthkit/autopsy/modules/stix/EvalAddressObj.java
View File

@ -50,7 +50,7 @@ class EvalAddressObj extends EvaluatableObject {
setWarnings(""); setWarnings("");
if (obj.getAddressValue() == null) { if (obj.getAddressValue() == null) {
return new ObservableResult(id, "AddressObject: No address value field found", return new ObservableResult(id, "AddressObject: No address value field found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -60,8 +60,8 @@ class EvalAddressObj extends EvaluatableObject {
// would ever appear in practice. // would ever appear in practice.
if (((obj.getAddressValue().getApplyCondition() != null) if (((obj.getAddressValue().getApplyCondition() != null)
&& (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.NONE))) { && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.NONE))) {
return new ObservableResult(id, "AddressObject: Can not process apply condition " + obj.getAddressValue().getApplyCondition().toString() return new ObservableResult(id, "AddressObject: Can not process apply condition " + obj.getAddressValue().getApplyCondition().toString() //NON-NLS
+ " on Address object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); + " on Address object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
} }
// Set warnings for any unsupported fields // Set warnings for any unsupported fields
@ -76,7 +76,7 @@ class EvalAddressObj extends EvaluatableObject {
boolean everyPartMatched = true; boolean everyPartMatched = true;
List<BlackboardArtifact> combinedArts = new ArrayList<BlackboardArtifact>(); List<BlackboardArtifact> combinedArts = new ArrayList<BlackboardArtifact>();
String searchString = ""; String searchString = "";
String[] parts = origAddressStr.split("##comma##"); String[] parts = origAddressStr.split("##comma##"); //NON-NLS
for (String addressStr : parts) { for (String addressStr : parts) {
@ -85,9 +85,9 @@ class EvalAddressObj extends EvaluatableObject {
if ((obj.getAddressValue().getApplyCondition() != null) if ((obj.getAddressValue().getApplyCondition() != null)
&& (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)) { && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)) {
searchString += " AND "; searchString += " AND "; //NON-NLS
} else { } else {
searchString += " OR "; searchString += " OR "; //NON-NLS
} }
} }
searchString += addressStr; searchString += addressStr;
@ -138,24 +138,24 @@ class EvalAddressObj extends EvaluatableObject {
if ((obj.getAddressValue().getApplyCondition() != null) if ((obj.getAddressValue().getApplyCondition() != null)
&& (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL) && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)
&& (!everyPartMatched)) { && (!everyPartMatched)) {
return new ObservableResult(id, "AddressObject: No matches for " + searchString, return new ObservableResult(id, "AddressObject: No matches for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} }
if (!combinedArts.isEmpty()) { if (!combinedArts.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : combinedArts) { for (BlackboardArtifact a : combinedArts) {
artData.add(new StixArtifactData(a.getObjectID(), id, "AddressObject")); artData.add(new StixArtifactData(a.getObjectID(), id, "AddressObject")); //NON-NLS
} }
return new ObservableResult(id, "AddressObject: Found a match for " + searchString, return new ObservableResult(id, "AddressObject: Found a match for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
return new ObservableResult(id, "AddressObject: Found no matches for " + searchString, return new ObservableResult(id, "AddressObject: Found no matches for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "AddressObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "AddressObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
} }
@ -167,10 +167,10 @@ class EvalAddressObj extends EvaluatableObject {
List<String> fieldNames = new ArrayList<String>(); List<String> fieldNames = new ArrayList<String>();
if (obj.getVLANName() != null) { if (obj.getVLANName() != null) {
fieldNames.add("VLAN_Name"); fieldNames.add("VLAN_Name"); //NON-NLS
} }
if (obj.getVLANName() != null) { if (obj.getVLANName() != null) {
fieldNames.add("VLAN_Num"); fieldNames.add("VLAN_Num"); //NON-NLS
} }
String warningStr = ""; String warningStr = "";
@ -181,6 +181,6 @@ class EvalAddressObj extends EvaluatableObject {
warningStr += name; warningStr += name;
} }
addWarning("Unsupported field(s): " + warningStr); addWarning("Unsupported field(s): " + warningStr); //NON-NLS
} }
} }

18
Core/src/org/sleuthkit/autopsy/modules/stix/EvalDomainObj.java
View File

@ -48,22 +48,22 @@ class EvalDomainObj extends EvaluatableObject {
setWarnings(""); setWarnings("");
if (obj.getValue() == null) { if (obj.getValue() == null) {
return new ObservableResult(id, "DomainObject: No domain value field found", return new ObservableResult(id, "DomainObject: No domain value field found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
// Since we have single URL artifacts, ALL and NONE conditions probably don't make sense to test // Since we have single URL artifacts, ALL and NONE conditions probably don't make sense to test
if (!((obj.getValue().getApplyCondition() == null) if (!((obj.getValue().getApplyCondition() == null)
|| (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) { || (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) {
return new ObservableResult(id, "URIObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString() return new ObservableResult(id, "URIObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString() //NON-NLS
+ " on URI object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); + " on URI object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
} }
// If the condition is not "CONTAINS", add a warning that it's being ignored // If the condition is not "CONTAINS", add a warning that it's being ignored
if ((obj.getValue().getCondition() != null) if ((obj.getValue().getCondition() != null)
&& (obj.getValue().getCondition() != ConditionTypeEnum.CONTAINS)) { && (obj.getValue().getCondition() != ConditionTypeEnum.CONTAINS)) {
addWarning("Warning: Ignoring condition " + obj.getValue().getCondition().toString() addWarning("Warning: Ignoring condition " + obj.getValue().getCondition().toString() //NON-NLS
+ " on DomainName - using substring comparison"); + " on DomainName - using substring comparison"); //NON-NLS
} }
Case case1 = Case.getCurrentCase(); Case case1 = Case.getCurrentCase();
@ -96,18 +96,18 @@ class EvalDomainObj extends EvaluatableObject {
if (!finalHits.isEmpty()) { if (!finalHits.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "DomainNameObject")); artData.add(new StixArtifactData(a.getObjectID(), id, "DomainNameObject")); //NON-NLS
} }
return new ObservableResult(id, "DomainNameObject: Found a match for " + obj.getValue().getValue().toString() return new ObservableResult(id, "DomainNameObject: Found a match for " + obj.getValue().getValue().toString() //NON-NLS
+ " " + getPrintableWarnings(), + " " + getPrintableWarnings(),
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
return new ObservableResult(id, "DomainNameObject: Found no matches for " + obj.getValue().getValue().toString() return new ObservableResult(id, "DomainNameObject: Found no matches for " + obj.getValue().getValue().toString() //NON-NLS
+ " " + getPrintableWarnings(), + " " + getPrintableWarnings(),
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "DomainNameObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "DomainNameObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }

54
Core/src/org/sleuthkit/autopsy/modules/stix/EvalEmailObj.java
View File

@ -125,7 +125,7 @@ class EvalEmailObj extends EvaluatableObject {
// Make sure at least one test had some data // Make sure at least one test had some data
if ((!hadToFields) && (!hadFromField) && (!hadCcFields) && (!hadSubjectField)) { if ((!hadToFields) && (!hadFromField) && (!hadCcFields) && (!hadSubjectField)) {
return new ObservableResult(id, "EmailMessage: Could not find any parsable EmailMessage fields " return new ObservableResult(id, "EmailMessage: Could not find any parsable EmailMessage fields " //NON-NLS
+ getPrintableWarnings(), + getPrintableWarnings(),
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -133,7 +133,7 @@ class EvalEmailObj extends EvaluatableObject {
// Check if there were more fields that aren't currently supported // Check if there were more fields that aren't currently supported
String fieldNames = getListOfUnsupportedFields(); String fieldNames = getListOfUnsupportedFields();
if (fieldNames.length() > 0) { if (fieldNames.length() > 0) {
addWarning("Unsupported field(s) found: " + fieldNames); addWarning("Unsupported field(s) found: " + fieldNames); //NON-NLS
} }
// Find the artifacts that matched all of the fields // Find the artifacts that matched all of the fields
@ -159,7 +159,7 @@ class EvalEmailObj extends EvaluatableObject {
if (!finalHitsStarted) { if (!finalHitsStarted) {
// We didn't find any fields that could be evaluated // We didn't find any fields that could be evaluated
return new ObservableResult(id, "EmailMessage: EmailObj parsing incomplete " + getPrintableWarnings(), return new ObservableResult(id, "EmailMessage: EmailObj parsing incomplete " + getPrintableWarnings(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -167,12 +167,12 @@ class EvalEmailObj extends EvaluatableObject {
if (finalHits.size() > 0) { if (finalHits.size() > 0) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "EmailMessage")); artData.add(new StixArtifactData(a.getObjectID(), id, "EmailMessage")); //NON-NLS
} }
return new ObservableResult(id, "EmailMessage: " + finalHits.size() + " matching artifacts found " + getPrintableWarnings(), return new ObservableResult(id, "EmailMessage: " + finalHits.size() + " matching artifacts found " + getPrintableWarnings(), //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} else { } else {
return new ObservableResult(id, "EmailMessage: No matching artifacts found " + getPrintableWarnings(), return new ObservableResult(id, "EmailMessage: No matching artifacts found " + getPrintableWarnings(), //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} }
} }
@ -203,69 +203,69 @@ class EvalEmailObj extends EvaluatableObject {
String fieldNames = ""; String fieldNames = "";
if (obj.getHeader() != null) { if (obj.getHeader() != null) {
if (obj.getHeader().getReceivedLines() != null) { if (obj.getHeader().getReceivedLines() != null) {
fieldNames += "Received_Lines "; fieldNames += "Received_Lines "; //NON-NLS
} }
if (obj.getHeader().getBCC() != null) { if (obj.getHeader().getBCC() != null) {
fieldNames += "BCC "; fieldNames += "BCC "; //NON-NLS
} }
if (obj.getHeader().getInReplyTo() != null) { if (obj.getHeader().getInReplyTo() != null) {
fieldNames += "In_Reply_To "; fieldNames += "In_Reply_To "; //NON-NLS
} }
if (obj.getHeader().getDate() != null) { if (obj.getHeader().getDate() != null) {
fieldNames += "Date "; fieldNames += "Date "; //NON-NLS
} }
if (obj.getHeader().getMessageID() != null) { if (obj.getHeader().getMessageID() != null) {
fieldNames += "Message_ID "; fieldNames += "Message_ID "; //NON-NLS
} }
if (obj.getHeader().getSender() != null) { if (obj.getHeader().getSender() != null) {
fieldNames += "Sender "; fieldNames += "Sender "; //NON-NLS
} }
if (obj.getHeader().getReplyTo() != null) { if (obj.getHeader().getReplyTo() != null) {
fieldNames += "Reply_To "; fieldNames += "Reply_To "; //NON-NLS
} }
if (obj.getHeader().getErrorsTo() != null) { if (obj.getHeader().getErrorsTo() != null) {
fieldNames += "Errors_To "; fieldNames += "Errors_To "; //NON-NLS
} }
if (obj.getHeader().getBoundary() != null) { if (obj.getHeader().getBoundary() != null) {
fieldNames += "Boundary "; fieldNames += "Boundary "; //NON-NLS
} }
if (obj.getHeader().getContentType() != null) { if (obj.getHeader().getContentType() != null) {
fieldNames += "Content_Type "; fieldNames += "Content_Type "; //NON-NLS
} }
if (obj.getHeader().getMIMEVersion() != null) { if (obj.getHeader().getMIMEVersion() != null) {
fieldNames += "MIME_Version "; fieldNames += "MIME_Version "; //NON-NLS
} }
if (obj.getHeader().getPrecedence() != null) { if (obj.getHeader().getPrecedence() != null) {
fieldNames += "Precedence "; fieldNames += "Precedence "; //NON-NLS
} }
if (obj.getHeader().getUserAgent() != null) { if (obj.getHeader().getUserAgent() != null) {
fieldNames += "User_Agent "; fieldNames += "User_Agent "; //NON-NLS
} }
if (obj.getHeader().getXMailer() != null) { if (obj.getHeader().getXMailer() != null) {
fieldNames += "X_Mailer "; fieldNames += "X_Mailer "; //NON-NLS
} }
if (obj.getHeader().getXOriginatingIP() != null) { if (obj.getHeader().getXOriginatingIP() != null) {
fieldNames += "X_Originiating_IP "; fieldNames += "X_Originiating_IP "; //NON-NLS
} }
if (obj.getHeader().getXPriority() != null) { if (obj.getHeader().getXPriority() != null) {
fieldNames += "X_Priority "; fieldNames += "X_Priority "; //NON-NLS
} }
} }
if (obj.getEmailServer() != null) { if (obj.getEmailServer() != null) {
fieldNames += "Email_Server "; fieldNames += "Email_Server "; //NON-NLS
} }
if (obj.getRawBody() != null) { if (obj.getRawBody() != null) {
fieldNames += "Raw_Body "; fieldNames += "Raw_Body "; //NON-NLS
} }
if (obj.getRawHeader() != null) { if (obj.getRawHeader() != null) {
fieldNames += "Raw_Header "; fieldNames += "Raw_Header "; //NON-NLS
} }
if (obj.getAttachments() != null) { if (obj.getAttachments() != null) {
fieldNames += "Attachments "; fieldNames += "Attachments "; //NON-NLS
} }
if (obj.getLinks() != null) { if (obj.getLinks() != null) {
fieldNames += "Links "; fieldNames += "Links "; //NON-NLS
} }
return fieldNames; return fieldNames;

164
Core/src/org/sleuthkit/autopsy/modules/stix/EvalFileObj.java
View File

@ -66,7 +66,7 @@ class EvalFileObj extends EvaluatableObject {
if (obj.getSizeInBytes() != null) { if (obj.getSizeInBytes() != null) {
try { try {
String newClause = processULongObject(obj.getSizeInBytes(), "size"); String newClause = processULongObject(obj.getSizeInBytes(), "size"); //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
addWarning(ex.getLocalizedMessage()); addWarning(ex.getLocalizedMessage());
@ -75,7 +75,7 @@ class EvalFileObj extends EvaluatableObject {
if (obj.getFileName() != null) { if (obj.getFileName() != null) {
try { try {
String newClause = processStringObject(obj.getFileName(), "name"); String newClause = processStringObject(obj.getFileName(), "name"); //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
addWarning(ex.getLocalizedMessage()); addWarning(ex.getLocalizedMessage());
@ -85,18 +85,18 @@ class EvalFileObj extends EvaluatableObject {
if (obj.getFileExtension() != null) { if (obj.getFileExtension() != null) {
if ((obj.getFileExtension().getCondition() == null) if ((obj.getFileExtension().getCondition() == null)
|| (obj.getFileExtension().getCondition() == ConditionTypeEnum.EQUALS)) { || (obj.getFileExtension().getCondition() == ConditionTypeEnum.EQUALS)) {
String newClause = "name LIKE \'%" + obj.getFileExtension().getValue() + "\'"; String newClause = "name LIKE \'%" + obj.getFileExtension().getValue() + "\'"; //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} else { } else {
addWarning( addWarning(
"Could not process condition " + obj.getFileExtension().getCondition().value() + " on file extension"); "Could not process condition " + obj.getFileExtension().getCondition().value() + " on file extension"); //NON-NLS
} }
} }
if (obj.getFilePath() != null) { if (obj.getFilePath() != null) {
try { try {
String[] parts = obj.getFilePath().getValue().toString().split("##comma##"); String[] parts = obj.getFilePath().getValue().toString().split("##comma##"); //NON-NLS
String finalPathStr = ""; String finalPathStr = "";
for (String filePath : parts) { for (String filePath : parts) {
@ -126,13 +126,13 @@ class EvalFileObj extends EvaluatableObject {
// Reconstruct the path string (which may be multi-part) // Reconstruct the path string (which may be multi-part)
if (!finalPathStr.isEmpty()) { if (!finalPathStr.isEmpty()) {
finalPathStr += "##comma##"; finalPathStr += "##comma##"; //NON-NLS
} }
finalPathStr += currentFilePath; finalPathStr += currentFilePath;
} }
String newClause = processStringObject(finalPathStr, obj.getFilePath().getCondition(), String newClause = processStringObject(finalPathStr, obj.getFilePath().getCondition(),
obj.getFilePath().getApplyCondition(), "parent_path"); obj.getFilePath().getApplyCondition(), "parent_path"); //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
@ -142,7 +142,7 @@ class EvalFileObj extends EvaluatableObject {
if (obj.getCreatedTime() != null) { if (obj.getCreatedTime() != null) {
try { try {
String newClause = processTimestampObject(obj.getCreatedTime(), "crtime"); String newClause = processTimestampObject(obj.getCreatedTime(), "crtime"); //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
addWarning(ex.getLocalizedMessage()); addWarning(ex.getLocalizedMessage());
@ -151,7 +151,7 @@ class EvalFileObj extends EvaluatableObject {
if (obj.getModifiedTime() != null) { if (obj.getModifiedTime() != null) {
try { try {
String newClause = processTimestampObject(obj.getModifiedTime(), "mtime"); String newClause = processTimestampObject(obj.getModifiedTime(), "mtime"); //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
addWarning(ex.getLocalizedMessage()); addWarning(ex.getLocalizedMessage());
@ -160,7 +160,7 @@ class EvalFileObj extends EvaluatableObject {
if (obj.getAccessedTime() != null) { if (obj.getAccessedTime() != null) {
try { try {
String newClause = processTimestampObject(obj.getAccessedTime(), "atime"); String newClause = processTimestampObject(obj.getAccessedTime(), "atime"); //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
addWarning(ex.getLocalizedMessage()); addWarning(ex.getLocalizedMessage());
@ -170,14 +170,14 @@ class EvalFileObj extends EvaluatableObject {
if (obj.getHashes() != null) { if (obj.getHashes() != null) {
for (HashType h : obj.getHashes().getHashes()) { for (HashType h : obj.getHashes().getHashes()) {
if (h.getSimpleHashValue() != null) { if (h.getSimpleHashValue() != null) {
if (h.getType().getValue().equals("MD5")) { if (h.getType().getValue().equals("MD5")) { //NON-NLS
String newClause = "md5=\'" + h.getSimpleHashValue().getValue() + "\'"; String newClause = "md5=\'" + h.getSimpleHashValue().getValue() + "\'"; //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} else { } else {
addWarning("Could not process hash type " + h.getType().getValue().toString()); addWarning("Could not process hash type " + h.getType().getValue().toString()); //NON-NLS
} }
} else { } else {
addWarning("Could not process non-simple hash value"); addWarning("Could not process non-simple hash value"); //NON-NLS
} }
} }
} }
@ -192,7 +192,7 @@ class EvalFileObj extends EvaluatableObject {
String newClause = processNumericFields(result, String newClause = processNumericFields(result,
winExe.getHeaders().getFileHeader().getTimeDateStamp().getCondition(), winExe.getHeaders().getFileHeader().getTimeDateStamp().getCondition(),
winExe.getHeaders().getFileHeader().getTimeDateStamp().getApplyCondition(), winExe.getHeaders().getFileHeader().getTimeDateStamp().getApplyCondition(),
"crtime"); "crtime"); //NON-NLS
whereClause = addClause(whereClause, newClause); whereClause = addClause(whereClause, newClause);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
addWarning(ex.getLocalizedMessage()); addWarning(ex.getLocalizedMessage());
@ -204,7 +204,7 @@ class EvalFileObj extends EvaluatableObject {
String unsupportedFields = listUnsupportedFields(); String unsupportedFields = listUnsupportedFields();
if (!unsupportedFields.isEmpty()) { if (!unsupportedFields.isEmpty()) {
addWarning("Unsupported fields: " + unsupportedFields); addWarning("Unsupported fields: " + unsupportedFields); //NON-NLS
} }
if (whereClause.length() > 0) { if (whereClause.length() > 0) {
@ -217,10 +217,10 @@ class EvalFileObj extends EvaluatableObject {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (AbstractFile a : matchingFiles) { for (AbstractFile a : matchingFiles) {
artData.add(new StixArtifactData(a, id, "FileObject")); artData.add(new StixArtifactData(a, id, "FileObject")); //NON-NLS
} }
return new ObservableResult(id, "FileObject: Found " + matchingFiles.size() + " matches for " + whereClause + getPrintableWarnings(), return new ObservableResult(id, "FileObject: Found " + matchingFiles.size() + " matches for " + whereClause + getPrintableWarnings(), //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} else { } else {
@ -277,12 +277,12 @@ class EvalFileObj extends EvaluatableObject {
// passedTests = false; // passedTests = false;
//} //}
if (formatsFound.isEmpty()) { if (formatsFound.isEmpty()) {
addWarning("Warning: Did not match File_Format field " + obj.getFileFormat().getValue().toString() addWarning("Warning: Did not match File_Format field " + obj.getFileFormat().getValue().toString() //NON-NLS
+ " (no file formats found)"); + " (no file formats found)"); //NON-NLS
} else { } else {
if (!foundMatch) { if (!foundMatch) {
addWarning("Warning: Did not match File_Format field " + obj.getFileFormat().getValue().toString() addWarning("Warning: Did not match File_Format field " + obj.getFileFormat().getValue().toString() //NON-NLS
+ " against " + formatsFound); + " against " + formatsFound); //NON-NLS
} }
} }
} }
@ -294,32 +294,32 @@ class EvalFileObj extends EvaluatableObject {
if (secondaryHits.isEmpty()) { if (secondaryHits.isEmpty()) {
return new ObservableResult(id, "FileObject: Found " + matchingFiles.size() + " matches for " + whereClause return new ObservableResult(id, "FileObject: Found " + matchingFiles.size() + " matches for " + whereClause //NON-NLS
+ " but none for secondary tests on " + listSecondaryFields() + getPrintableWarnings(), + " but none for secondary tests on " + listSecondaryFields() + getPrintableWarnings(), //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} else { } else {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (AbstractFile a : secondaryHits) { for (AbstractFile a : secondaryHits) {
artData.add(new StixArtifactData(a, id, "FileObject")); artData.add(new StixArtifactData(a, id, "FileObject")); //NON-NLS
} }
return new ObservableResult(id, "FileObject: Found " + secondaryHits.size() + " matches for " + whereClause return new ObservableResult(id, "FileObject: Found " + secondaryHits.size() + " matches for " + whereClause //NON-NLS
+ " and secondary tests on " + listSecondaryFields() + getPrintableWarnings(), + " and secondary tests on " + listSecondaryFields() + getPrintableWarnings(), //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
} }
} else { } else {
return new ObservableResult(id, "FileObject: Found no matches for " + whereClause + getPrintableWarnings(), return new ObservableResult(id, "FileObject: Found no matches for " + whereClause + getPrintableWarnings(), //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} }
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "FileObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "FileObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
} else { } else {
} }
return new ObservableResult(id, "FileObject: No evaluatable fields " + getPrintableWarnings(), spacing, return new ObservableResult(id, "FileObject: No evaluatable fields " + getPrintableWarnings(), spacing, //NON-NLS
ObservableResult.ObservableState.INDETERMINATE, null); ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -333,11 +333,11 @@ class EvalFileObj extends EvaluatableObject {
String secondaryFields = ""; String secondaryFields = "";
if (obj.isIsMasqueraded() != null) { if (obj.isIsMasqueraded() != null) {
secondaryFields += "is_masqueraded "; secondaryFields += "is_masqueraded "; //NON-NLS
} }
if (obj.getFileFormat() != null) { if (obj.getFileFormat() != null) {
secondaryFields += "File_Format "; secondaryFields += "File_Format "; //NON-NLS
} }
return secondaryFields; return secondaryFields;
@ -352,58 +352,58 @@ class EvalFileObj extends EvaluatableObject {
String unsupportedFields = ""; String unsupportedFields = "";
if (obj.isIsPacked() != null) { if (obj.isIsPacked() != null) {
unsupportedFields += "is_packed "; unsupportedFields += "is_packed "; //NON-NLS
} }
if (obj.getDevicePath() != null) { if (obj.getDevicePath() != null) {
unsupportedFields += "Device_Path "; unsupportedFields += "Device_Path "; //NON-NLS
} }
if (obj.getFullPath() != null) { if (obj.getFullPath() != null) {
unsupportedFields += "Full_Path "; unsupportedFields += "Full_Path "; //NON-NLS
} }
if (obj.getMagicNumber() != null) { if (obj.getMagicNumber() != null) {
unsupportedFields += "Magic_Number "; unsupportedFields += "Magic_Number "; //NON-NLS
} }
if (obj.getDigitalSignatures() != null) { if (obj.getDigitalSignatures() != null) {
unsupportedFields += "Digital_Signatures "; unsupportedFields += "Digital_Signatures "; //NON-NLS
} }
if (obj.getFileAttributesList() != null) { if (obj.getFileAttributesList() != null) {
unsupportedFields += "File_Attributes_List "; unsupportedFields += "File_Attributes_List "; //NON-NLS
} }
if (obj.getPermissions() != null) { if (obj.getPermissions() != null) {
unsupportedFields += "Permissions "; unsupportedFields += "Permissions "; //NON-NLS
} }
if (obj.getUserOwner() != null) { if (obj.getUserOwner() != null) {
unsupportedFields += "User_Owner "; unsupportedFields += "User_Owner "; //NON-NLS
} }
if (obj.getPackerList() != null) { if (obj.getPackerList() != null) {
unsupportedFields += "Packer_List "; unsupportedFields += "Packer_List "; //NON-NLS
} }
if (obj.getPeakEntropy() != null) { if (obj.getPeakEntropy() != null) {
unsupportedFields += "Peak_Entropy "; unsupportedFields += "Peak_Entropy "; //NON-NLS
} }
if (obj.getSymLinks() != null) { if (obj.getSymLinks() != null) {
unsupportedFields += "Sym_Links "; unsupportedFields += "Sym_Links "; //NON-NLS
} }
if (obj.getByteRuns() != null) { if (obj.getByteRuns() != null) {
unsupportedFields += "Bytes_Runs "; unsupportedFields += "Bytes_Runs "; //NON-NLS
} }
if (obj.getExtractedFeatures() != null) { if (obj.getExtractedFeatures() != null) {
unsupportedFields += "Extracted_Features "; unsupportedFields += "Extracted_Features "; //NON-NLS
} }
if (obj.getEncryptionAlgorithm() != null) { if (obj.getEncryptionAlgorithm() != null) {
unsupportedFields += "Encryption_Algorithm "; unsupportedFields += "Encryption_Algorithm "; //NON-NLS
} }
if (obj.getDecryptionKey() != null) { if (obj.getDecryptionKey() != null) {
unsupportedFields += "Decryption_Key "; unsupportedFields += "Decryption_Key "; //NON-NLS
} }
if (obj.getCompressionMethod() != null) { if (obj.getCompressionMethod() != null) {
unsupportedFields += "Compression_Method "; unsupportedFields += "Compression_Method "; //NON-NLS
} }
if (obj.getCompressionVersion() != null) { if (obj.getCompressionVersion() != null) {
unsupportedFields += "Compression_Version "; unsupportedFields += "Compression_Version "; //NON-NLS
} }
if (obj.getCompressionComment() != null) { if (obj.getCompressionComment() != null) {
unsupportedFields += "Compression_Comment "; unsupportedFields += "Compression_Comment "; //NON-NLS
} }
return unsupportedFields; return unsupportedFields;
@ -417,8 +417,8 @@ class EvalFileObj extends EvaluatableObject {
* @throws ParseException * @throws ParseException
*/ */
private static long convertTimestamp(String timeStr) throws ParseException { private static long convertTimestamp(String timeStr) throws ParseException {
SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); //NON-NLS
dateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); dateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); //NON-NLS
Date parsedDate = dateFormat.parse(timeStr); Date parsedDate = dateFormat.parse(timeStr);
Long unixTime = parsedDate.getTime() / 1000; Long unixTime = parsedDate.getTime() / 1000;
@ -463,10 +463,10 @@ class EvalFileObj extends EvaluatableObject {
String fullClause = ""; String fullClause = "";
if (valueStr.isEmpty()) { if (valueStr.isEmpty()) {
throw new TskCoreException("Empty value field"); throw new TskCoreException("Empty value field"); //NON-NLS
} }
String[] parts = valueStr.split("##comma##"); String[] parts = valueStr.split("##comma##"); //NON-NLS
for (String valuePart : parts) { for (String valuePart : parts) {
String partialClause; String partialClause;
@ -486,7 +486,7 @@ class EvalFileObj extends EvaluatableObject {
} else if (typeCondition == ConditionTypeEnum.LESS_THAN_OR_EQUAL) { } else if (typeCondition == ConditionTypeEnum.LESS_THAN_OR_EQUAL) {
partialClause = fieldName + "<=" + valuePart; partialClause = fieldName + "<=" + valuePart;
} else { } else {
throw new TskCoreException("Could not process condition " + typeCondition.value() + " on " + fieldName); throw new TskCoreException("Could not process condition " + typeCondition.value() + " on " + fieldName); //NON-NLS
} }
if (fullClause.isEmpty()) { if (fullClause.isEmpty()) {
@ -495,16 +495,16 @@ class EvalFileObj extends EvaluatableObject {
fullClause += "( "; fullClause += "( ";
} }
if (applyCondition == ConditionApplicationEnum.NONE) { if (applyCondition == ConditionApplicationEnum.NONE) {
fullClause += " NOT "; fullClause += " NOT "; //NON-NLS
} }
fullClause += partialClause; fullClause += partialClause;
} else { } else {
if (applyCondition == ConditionApplicationEnum.ALL) { if (applyCondition == ConditionApplicationEnum.ALL) {
fullClause += " AND " + partialClause; fullClause += " AND " + partialClause; //NON-NLS
} else if (applyCondition == ConditionApplicationEnum.NONE) { } else if (applyCondition == ConditionApplicationEnum.NONE) {
fullClause += " AND NOT " + partialClause; fullClause += " AND NOT " + partialClause; //NON-NLS
} else { } else {
fullClause += " OR " + partialClause; fullClause += " OR " + partialClause; //NON-NLS
} }
} }
} }
@ -517,19 +517,19 @@ class EvalFileObj extends EvaluatableObject {
} else { } else {
// I don't think apply conditions make sense for these two. // I don't think apply conditions make sense for these two.
if (typeCondition == ConditionTypeEnum.INCLUSIVE_BETWEEN) { if (typeCondition == ConditionTypeEnum.INCLUSIVE_BETWEEN) {
String[] parts = valueStr.split("##comma##"); String[] parts = valueStr.split("##comma##"); //NON-NLS
if (parts.length != 2) { if (parts.length != 2) {
throw new TskCoreException("Unexpected number of arguments in INCLUSIVE_BETWEEN on " + fieldName throw new TskCoreException("Unexpected number of arguments in INCLUSIVE_BETWEEN on " + fieldName //NON-NLS
+ "(" + valueStr + ")"); + "(" + valueStr + ")");
} }
return (fieldName + ">=" + parts[0] + " AND " + fieldName + "<=" + parts[1]); return (fieldName + ">=" + parts[0] + " AND " + fieldName + "<=" + parts[1]); //NON-NLS
} else { } else {
String[] parts = valueStr.split("##comma##"); String[] parts = valueStr.split("##comma##"); //NON-NLS
if (parts.length != 2) { if (parts.length != 2) {
throw new TskCoreException("Unexpected number of arguments in EXCLUSIVE_BETWEEN on " + fieldName throw new TskCoreException("Unexpected number of arguments in EXCLUSIVE_BETWEEN on " + fieldName //NON-NLS
+ "(" + valueStr + ")"); + "(" + valueStr + ")");
} }
return (fieldName + ">" + parts[0] + " AND " + fieldName + "<" + parts[1]); return (fieldName + ">" + parts[0] + " AND " + fieldName + "<" + parts[1]); //NON-NLS
} }
} }
} }
@ -564,13 +564,13 @@ class EvalFileObj extends EvaluatableObject {
throws TskCoreException { throws TskCoreException {
String fullClause = ""; String fullClause = "";
String lowerFieldName = "lower(" + fieldName + ")"; String lowerFieldName = "lower(" + fieldName + ")"; //NON-NLS
if (valueStr.isEmpty()) { if (valueStr.isEmpty()) {
throw new TskCoreException("Empty value field"); throw new TskCoreException("Empty value field"); //NON-NLS
} }
String[] parts = valueStr.split("##comma##"); String[] parts = valueStr.split("##comma##"); //NON-NLS
for (String value : parts) { for (String value : parts) {
String lowerValue = value.toLowerCase(); String lowerValue = value.toLowerCase();
@ -581,15 +581,15 @@ class EvalFileObj extends EvaluatableObject {
} else if (condition == ConditionTypeEnum.DOES_NOT_EQUAL) { } else if (condition == ConditionTypeEnum.DOES_NOT_EQUAL) {
partialClause = lowerFieldName + " !=\'%" + lowerValue + "%\'"; partialClause = lowerFieldName + " !=\'%" + lowerValue + "%\'";
} else if (condition == ConditionTypeEnum.CONTAINS) { } else if (condition == ConditionTypeEnum.CONTAINS) {
partialClause = lowerFieldName + " LIKE \'%" + lowerValue + "%\'"; partialClause = lowerFieldName + " LIKE \'%" + lowerValue + "%\'"; //NON-NLS
} else if (condition == ConditionTypeEnum.DOES_NOT_CONTAIN) { } else if (condition == ConditionTypeEnum.DOES_NOT_CONTAIN) {
partialClause = lowerFieldName + " NOT LIKE \'%" + lowerValue + "%\'"; partialClause = lowerFieldName + " NOT LIKE \'%" + lowerValue + "%\'"; //NON-NLS
} else if (condition == ConditionTypeEnum.STARTS_WITH) { } else if (condition == ConditionTypeEnum.STARTS_WITH) {
partialClause = lowerFieldName + " LIKE \'" + lowerValue + "%\'"; partialClause = lowerFieldName + " LIKE \'" + lowerValue + "%\'"; //NON-NLS
} else if (condition == ConditionTypeEnum.ENDS_WITH) { } else if (condition == ConditionTypeEnum.ENDS_WITH) {
partialClause = lowerFieldName + " LIKE \'%" + lowerValue + "\'"; partialClause = lowerFieldName + " LIKE \'%" + lowerValue + "\'"; //NON-NLS
} else { } else {
throw new TskCoreException("Could not process condition " + condition.value() + " on " + fieldName); throw new TskCoreException("Could not process condition " + condition.value() + " on " + fieldName); //NON-NLS
} }
if (fullClause.isEmpty()) { if (fullClause.isEmpty()) {
@ -598,16 +598,16 @@ class EvalFileObj extends EvaluatableObject {
fullClause += "( "; fullClause += "( ";
} }
if (applyCondition == ConditionApplicationEnum.NONE) { if (applyCondition == ConditionApplicationEnum.NONE) {
fullClause += " NOT "; fullClause += " NOT "; //NON-NLS
} }
fullClause += partialClause; fullClause += partialClause;
} else { } else {
if (applyCondition == ConditionApplicationEnum.ALL) { if (applyCondition == ConditionApplicationEnum.ALL) {
fullClause += " AND " + partialClause; fullClause += " AND " + partialClause; //NON-NLS
} else if (applyCondition == ConditionApplicationEnum.NONE) { } else if (applyCondition == ConditionApplicationEnum.NONE) {
fullClause += " AND NOT " + partialClause; fullClause += " AND NOT " + partialClause; //NON-NLS
} else { } else {
fullClause += " OR " + partialClause; fullClause += " OR " + partialClause; //NON-NLS
} }
} }
} }
@ -638,7 +638,7 @@ class EvalFileObj extends EvaluatableObject {
return processNumericFields(result, dateObj.getCondition(), dateObj.getApplyCondition(), fieldName); return processNumericFields(result, dateObj.getCondition(), dateObj.getApplyCondition(), fieldName);
} else { } else {
throw new TskCoreException("Found non DATE_TIME field on " + fieldName); throw new TskCoreException("Found non DATE_TIME field on " + fieldName); //NON-NLS
} }
} }
@ -655,17 +655,17 @@ class EvalFileObj extends EvaluatableObject {
try { try {
String result = ""; String result = "";
if (timestampStr.length() > 0) { if (timestampStr.length() > 0) {
String[] parts = timestampStr.split("##comma##"); String[] parts = timestampStr.split("##comma##"); //NON-NLS
for (int i = 0; i < parts.length - 1; i++) { for (int i = 0; i < parts.length - 1; i++) {
long unixTime = convertTimestamp(parts[i]); long unixTime = convertTimestamp(parts[i]);
result += unixTime + "##comma##"; result += unixTime + "##comma##"; //NON-NLS
} }
result += convertTimestamp(parts[parts.length - 1]); result += convertTimestamp(parts[parts.length - 1]);
} }
return result; return result;
} catch (java.text.ParseException ex) { } catch (java.text.ParseException ex) {
throw new TskCoreException("Error parsing timestamp string " + timestampStr); throw new TskCoreException("Error parsing timestamp string " + timestampStr); //NON-NLS
} }
} }
@ -683,7 +683,7 @@ class EvalFileObj extends EvaluatableObject {
return a_newClause; return a_newClause;
} }
return (a_clause + " AND " + a_newClause); return (a_clause + " AND " + a_newClause); //NON-NLS
} }
} }

32
Core/src/org/sleuthkit/autopsy/modules/stix/EvalNetworkShareObj.java
View File

@ -49,35 +49,35 @@ class EvalNetworkShareObj extends EvaluatableObject {
setWarnings(""); setWarnings("");
if ((obj.getNetname() == null) && (obj.getLocalPath() == null)) { if ((obj.getNetname() == null) && (obj.getLocalPath() == null)) {
return new ObservableResult(id, "NetworkShareObjet: No remote name or local path found", return new ObservableResult(id, "NetworkShareObjet: No remote name or local path found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
// For displaying what we were looking for in the results // For displaying what we were looking for in the results
String searchString = ""; String searchString = "";
if (obj.getNetname() != null) { if (obj.getNetname() != null) {
searchString += "Netname \"" + obj.getNetname().getValue() + "\""; searchString += "Netname \"" + obj.getNetname().getValue() + "\""; //NON-NLS
// The apply conditions ALL or NONE probably won't work correctly. Neither seems // The apply conditions ALL or NONE probably won't work correctly. Neither seems
// all that likely to come up in practice, so just give a warning. // all that likely to come up in practice, so just give a warning.
if ((obj.getNetname().getApplyCondition() != null) if ((obj.getNetname().getApplyCondition() != null)
&& (obj.getNetname().getApplyCondition() != ConditionApplicationEnum.ANY)) { && (obj.getNetname().getApplyCondition() != ConditionApplicationEnum.ANY)) {
addWarning("Apply condition " + obj.getNetname().getApplyCondition().value() addWarning("Apply condition " + obj.getNetname().getApplyCondition().value() //NON-NLS
+ " may not work correctly"); + " may not work correctly"); //NON-NLS
} }
} }
if (obj.getLocalPath() != null) { if (obj.getLocalPath() != null) {
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "LocalPath \"" + obj.getLocalPath().getValue() + "\""; searchString += "LocalPath \"" + obj.getLocalPath().getValue() + "\""; //NON-NLS
// Same as above - the apply conditions ALL or NONE probably won't work correctly. Neither seems // Same as above - the apply conditions ALL or NONE probably won't work correctly. Neither seems
// all that likely to come up in practice, so just give a warning. // all that likely to come up in practice, so just give a warning.
if ((obj.getLocalPath().getApplyCondition() != null) if ((obj.getLocalPath().getApplyCondition() != null)
&& (obj.getLocalPath().getApplyCondition() != ConditionApplicationEnum.ANY)) { && (obj.getLocalPath().getApplyCondition() != ConditionApplicationEnum.ANY)) {
addWarning("Apply condition " + obj.getLocalPath().getApplyCondition().value() addWarning("Apply condition " + obj.getLocalPath().getApplyCondition().value() //NON-NLS
+ " may not work correctly"); + " may not work correctly"); //NON-NLS
} }
} }
@ -119,17 +119,17 @@ class EvalNetworkShareObj extends EvaluatableObject {
if (!finalHits.isEmpty()) { if (!finalHits.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "NetworkShare")); artData.add(new StixArtifactData(a.getObjectID(), id, "NetworkShare")); //NON-NLS
} }
return new ObservableResult(id, "NetworkShareObject: Found a match for " + searchString, return new ObservableResult(id, "NetworkShareObject: Found a match for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
// Didn't find any matches // Didn't find any matches
return new ObservableResult(id, "NetworkObject: No matches found for " + searchString, return new ObservableResult(id, "NetworkObject: No matches found for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "NetworkObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "NetworkObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
} }
@ -138,13 +138,13 @@ class EvalNetworkShareObj extends EvaluatableObject {
List<String> fieldNames = new ArrayList<String>(); List<String> fieldNames = new ArrayList<String>();
if (obj.getCurrentUses() != null) { if (obj.getCurrentUses() != null) {
fieldNames.add("Current_Uses"); fieldNames.add("Current_Uses"); //NON-NLS
} }
if (obj.getMaxUses() != null) { if (obj.getMaxUses() != null) {
fieldNames.add("Max_Uses"); fieldNames.add("Max_Uses"); //NON-NLS
} }
if (obj.getType() != null) { if (obj.getType() != null) {
fieldNames.add("Type"); fieldNames.add("Type"); //NON-NLS
} }
String warningStr = ""; String warningStr = "";
@ -155,7 +155,7 @@ class EvalNetworkShareObj extends EvaluatableObject {
warningStr += name; warningStr += name;
} }
addWarning("Unsupported field(s): " + warningStr); addWarning("Unsupported field(s): " + warningStr); //NON-NLS
} }
} }

66
Core/src/org/sleuthkit/autopsy/modules/stix/EvalRegistryObj.java
View File

@ -64,15 +64,15 @@ class EvalRegistryObj extends EvaluatableObject {
// Key name is required // Key name is required
if (obj.getKey() == null) { if (obj.getKey() == null) {
return new ObservableResult(id, "RegistryObject: No key found", return new ObservableResult(id, "RegistryObject: No key found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
// For now, only support a full string match // For now, only support a full string match
if (!((obj.getKey().getCondition() == null) if (!((obj.getKey().getCondition() == null)
|| (obj.getKey().getCondition() == ConditionTypeEnum.EQUALS))) { || (obj.getKey().getCondition() == ConditionTypeEnum.EQUALS))) {
return new ObservableResult(id, "RegistryObject: Can not support condition " + obj.getKey().getCondition() return new ObservableResult(id, "RegistryObject: Can not support condition " + obj.getKey().getCondition() //NON-NLS
+ " on Key field", + " on Key field", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -83,7 +83,7 @@ class EvalRegistryObj extends EvaluatableObject {
if (obj.getHive() == null) { if (obj.getHive() == null) {
// If the hive field is missing, add everything // If the hive field is missing, add everything
hiveList.addAll(regFiles); hiveList.addAll(regFiles);
} else if (obj.getHive().getValue().toString().startsWith("HKEY")) { } else if (obj.getHive().getValue().toString().startsWith("HKEY")) { //NON-NLS
// If the hive name is HKEY_LOCAL_MACHINE, add the ones from the config directory. // If the hive name is HKEY_LOCAL_MACHINE, add the ones from the config directory.
// Otherwise, add the others // Otherwise, add the others
for (RegistryFileInfo regFile : regFiles) { for (RegistryFileInfo regFile : regFiles) {
@ -92,12 +92,12 @@ class EvalRegistryObj extends EvaluatableObject {
Matcher matcher = pattern.matcher(regFile.abstractFile.getParentPath()); Matcher matcher = pattern.matcher(regFile.abstractFile.getParentPath());
if (matcher.find()) { if (matcher.find()) {
// Looking for system files and found one, so add it to the list // Looking for system files and found one, so add it to the list
if (obj.getHive().getValue().toString().equalsIgnoreCase("HKEY_LOCAL_MACHINE")) { if (obj.getHive().getValue().toString().equalsIgnoreCase("HKEY_LOCAL_MACHINE")) { //NON-NLS
hiveList.add(regFile); hiveList.add(regFile);
} }
} else { } else {
// Looking for non-system files and found one, so add it to the list // Looking for non-system files and found one, so add it to the list
if (!obj.getHive().getValue().toString().equalsIgnoreCase("HKEY_LOCAL_MACHINE")) { if (!obj.getHive().getValue().toString().equalsIgnoreCase("HKEY_LOCAL_MACHINE")) { //NON-NLS
hiveList.add(regFile); hiveList.add(regFile);
} }
} }
@ -125,7 +125,7 @@ class EvalRegistryObj extends EvaluatableObject {
// This is unlikely to happen unless we have no registry files to test against // This is unlikely to happen unless we have no registry files to test against
if (hiveList.isEmpty()) { if (hiveList.isEmpty()) {
return new ObservableResult(id, "RegistryObject: No matching registry hives found", return new ObservableResult(id, "RegistryObject: No matching registry hives found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -139,16 +139,16 @@ class EvalRegistryObj extends EvaluatableObject {
// The registry parser seems to throw lots of different types of exceptions, // The registry parser seems to throw lots of different types of exceptions,
// so make sure to catch them all by this point. Malformed registry files // so make sure to catch them all by this point. Malformed registry files
// in particular cause problems. // in particular cause problems.
addWarning("Error processing registry file " + hive); addWarning("Error processing registry file " + hive); //NON-NLS
} }
} }
if (obj.getHive() == null) { if (obj.getHive() == null) {
return new ObservableResult(id, "RegistryObject: Could not find key " + obj.getKey().getValue(), return new ObservableResult(id, "RegistryObject: Could not find key " + obj.getKey().getValue(), //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} }
return new ObservableResult(id, "RegistryObject: Could not find key " + obj.getKey().getValue() return new ObservableResult(id, "RegistryObject: Could not find key " + obj.getKey().getValue() //NON-NLS
+ " in hive " + obj.getHive().getValue(), + " in hive " + obj.getHive().getValue(), //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} }
@ -170,7 +170,7 @@ class EvalRegistryObj extends EvaluatableObject {
// hive file name is here). This should only happen if the hive name started // hive file name is here). This should only happen if the hive name started
// with "HKEY" // with "HKEY"
if((obj.getHive() != null) if((obj.getHive() != null)
&& obj.getHive().getValue().toString().startsWith("HKEY")){ && obj.getHive().getValue().toString().startsWith("HKEY")){ //NON-NLS
String[] parts = obj.getKey().getValue().toString().split("\\\\"); String[] parts = obj.getKey().getValue().toString().split("\\\\");
String newKey = ""; String newKey = "";
for (int i = 1; i < parts.length; i++) { for (int i = 1; i < parts.length; i++) {
@ -183,7 +183,7 @@ class EvalRegistryObj extends EvaluatableObject {
} }
if (result == null) { if (result == null) {
return new ObservableResult(id, "RegistryObject: Could not find key " + obj.getKey().getValue(), return new ObservableResult(id, "RegistryObject: Could not find key " + obj.getKey().getValue(), //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} }
} }
@ -191,8 +191,8 @@ class EvalRegistryObj extends EvaluatableObject {
if ((obj.getValues() == null) || (obj.getValues().getValues().isEmpty())) { if ((obj.getValues() == null) || (obj.getValues().getValues().isEmpty())) {
// No values to test // No values to test
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
artData.add(new StixArtifactData(a_regInfo.abstractFile.getId(), id, "Registry")); artData.add(new StixArtifactData(a_regInfo.abstractFile.getId(), id, "Registry")); //NON-NLS
return new ObservableResult(id, "RegistryObject: Found key " + obj.getKey().getValue(), return new ObservableResult(id, "RegistryObject: Found key " + obj.getKey().getValue(), //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
@ -261,25 +261,25 @@ class EvalRegistryObj extends EvaluatableObject {
if (nameSuccess && valueSuccess) { if (nameSuccess && valueSuccess) {
// Found a match for all values // Found a match for all values
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
artData.add(new StixArtifactData(a_regInfo.abstractFile.getId(), id, "Registry")); artData.add(new StixArtifactData(a_regInfo.abstractFile.getId(), id, "Registry")); //NON-NLS
return new ObservableResult(id, "RegistryObject: Found key " + obj.getKey().getValue() return new ObservableResult(id, "RegistryObject: Found key " + obj.getKey().getValue() //NON-NLS
+ " and value " + stixRegValue.getName().getValue().toString() + " and value " + stixRegValue.getName().getValue().toString() //NON-NLS
+ " = " + stixRegValue.getData().getValue().toString(), + " = " + stixRegValue.getData().getValue().toString(),
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
} }
} catch (Exception ex) { } catch (Exception ex) {
// Broad catch here becase the registry parser can create all kinds of exceptions beyond what it reports. // Broad catch here becase the registry parser can create all kinds of exceptions beyond what it reports.
return new ObservableResult(id, "RegistryObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "RegistryObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
} }
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "RegistryObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "RegistryObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
return new ObservableResult(id, "RegistryObject: Not done", return new ObservableResult(id, "RegistryObject: Not done", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -290,9 +290,9 @@ class EvalRegistryObj extends EvaluatableObject {
RegistryKey root = regFile.getRoot(); RegistryKey root = regFile.getRoot();
return root; return root;
} catch (IOException ex) { } catch (IOException ex) {
throw new TskCoreException("Error opening registry file - " + ex.getLocalizedMessage()); throw new TskCoreException("Error opening registry file - " + ex.getLocalizedMessage()); //NON-NLS
} catch (RegistryParseException ex) { } catch (RegistryParseException ex) {
throw new TskCoreException("Error opening root node of registry - " + ex.getLocalizedMessage()); throw new TskCoreException("Error opening root node of registry - " + ex.getLocalizedMessage()); //NON-NLS
} }
} }
@ -356,7 +356,7 @@ class EvalRegistryObj extends EvaluatableObject {
File regFileNameLocalFile = new File(regFileNameLocal); File regFileNameLocalFile = new File(regFileNameLocal);
try { try {
// Don't save any unallocated versions // Don't save any unallocated versions
if (regFile.getMetaFlagsAsString().contains("Allocated")) { if (regFile.getMetaFlagsAsString().contains("Allocated")) { //NON-NLS
ContentUtils.writeToFile(regFile, regFileNameLocalFile); ContentUtils.writeToFile(regFile, regFileNameLocalFile);
regFilesLocal.add(new EvalRegistryObj().new RegistryFileInfo(regFile, regFileNameLocal)); regFilesLocal.add(new EvalRegistryObj().new RegistryFileInfo(regFile, regFileNameLocal));
} }
@ -388,7 +388,7 @@ class EvalRegistryObj extends EvaluatableObject {
List<AbstractFile> allRegistryFiles = fileManager.findFiles(ds, regFileName, "/system32/config"); //NON-NLS List<AbstractFile> allRegistryFiles = fileManager.findFiles(ds, regFileName, "/system32/config"); //NON-NLS
for (AbstractFile regFile : allRegistryFiles) { for (AbstractFile regFile : allRegistryFiles) {
// Don't want anything from regback // Don't want anything from regback
if (!regFile.getParentPath().contains("RegBack")) { if (!regFile.getParentPath().contains("RegBack")) { //NON-NLS
registryFiles.add(regFile); registryFiles.add(regFile);
} }
} }
@ -402,25 +402,25 @@ class EvalRegistryObj extends EvaluatableObject {
List<String> fieldNames = new ArrayList<String>(); List<String> fieldNames = new ArrayList<String>();
if (obj.getNumberValues() != null) { if (obj.getNumberValues() != null) {
fieldNames.add("Number_Values"); fieldNames.add("Number_Values"); //NON-NLS
} }
if (obj.getModifiedTime() != null) { if (obj.getModifiedTime() != null) {
fieldNames.add("Modified_Time"); fieldNames.add("Modified_Time"); //NON-NLS
} }
if (obj.getCreatorUsername() != null) { if (obj.getCreatorUsername() != null) {
fieldNames.add("Creator_Username"); fieldNames.add("Creator_Username"); //NON-NLS
} }
if (obj.getHandleList() != null) { if (obj.getHandleList() != null) {
fieldNames.add("Handle_List"); fieldNames.add("Handle_List"); //NON-NLS
} }
if (obj.getNumberSubkeys() != null) { if (obj.getNumberSubkeys() != null) {
fieldNames.add("Number_Subkeys"); fieldNames.add("Number_Subkeys"); //NON-NLS
} }
if (obj.getSubkeys() != null) { if (obj.getSubkeys() != null) {
fieldNames.add("Subkeys"); fieldNames.add("Subkeys"); //NON-NLS
} }
if (obj.getByteRuns() != null) { if (obj.getByteRuns() != null) {
fieldNames.add("Byte_Runs"); fieldNames.add("Byte_Runs"); //NON-NLS
} }
String warningStr = ""; String warningStr = "";
@ -431,7 +431,7 @@ class EvalRegistryObj extends EvaluatableObject {
warningStr += name; warningStr += name;
} }
addWarning("Unsupported field(s): " + warningStr); addWarning("Unsupported field(s): " + warningStr); //NON-NLS
} }
/** /**

80
Core/src/org/sleuthkit/autopsy/modules/stix/EvalSystemObj.java
View File

@ -66,14 +66,14 @@ class EvalSystemObj extends EvaluatableObject {
if (obj.getHostname() != null) { if (obj.getHostname() != null) {
haveHostname = true; haveHostname = true;
searchString = "Hostname \"" + obj.getHostname().getValue().toString() + "\""; searchString = "Hostname \"" + obj.getHostname().getValue().toString() + "\""; //NON-NLS
} }
if(obj.getProcessorArchitecture() != null){ if(obj.getProcessorArchitecture() != null){
haveProcArch = true; haveProcArch = true;
if(! searchString.isEmpty()){ if(! searchString.isEmpty()){
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Processor architecture \"" + obj.getProcessorArchitecture().getValue().toString() + "\""; searchString += "Processor architecture \"" + obj.getProcessorArchitecture().getValue().toString() + "\""; //NON-NLS
} }
WindowsSystem winSysObj = null; WindowsSystem winSysObj = null;
@ -83,44 +83,44 @@ class EvalSystemObj extends EvaluatableObject {
if (winSysObj.getProductID() != null) { if (winSysObj.getProductID() != null) {
haveProductID = true; haveProductID = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Product ID \"" + winSysObj.getProductID().getValue().toString() + "\""; searchString += "Product ID \"" + winSysObj.getProductID().getValue().toString() + "\""; //NON-NLS
} }
if (winSysObj.getProductName() != null) { if (winSysObj.getProductName() != null) {
haveProductName = true; haveProductName = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Product Name \"" + winSysObj.getProductName().getValue().toString() + "\""; searchString += "Product Name \"" + winSysObj.getProductName().getValue().toString() + "\""; //NON-NLS
} }
if (winSysObj.getRegisteredOrganization() != null) { if (winSysObj.getRegisteredOrganization() != null) {
haveOrganization = true; haveOrganization = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Registered Org \"" + winSysObj.getRegisteredOrganization().getValue().toString() + "\""; searchString += "Registered Org \"" + winSysObj.getRegisteredOrganization().getValue().toString() + "\""; //NON-NLS
} }
if (winSysObj.getRegisteredOwner() != null) { if (winSysObj.getRegisteredOwner() != null) {
haveOwner = true; haveOwner = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Registered Owner \"" + winSysObj.getRegisteredOwner().getValue().toString() + "\""; searchString += "Registered Owner \"" + winSysObj.getRegisteredOwner().getValue().toString() + "\""; //NON-NLS
} }
if (winSysObj.getWindowsSystemDirectory() != null) { if (winSysObj.getWindowsSystemDirectory() != null) {
haveSystemRoot = true; haveSystemRoot = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "System root \"" + winSysObj.getWindowsSystemDirectory().getValue().toString() + "\""; searchString += "System root \"" + winSysObj.getWindowsSystemDirectory().getValue().toString() + "\""; //NON-NLS
} }
if (winSysObj.getWindowsTempDirectory() != null) { if (winSysObj.getWindowsTempDirectory() != null) {
haveTempDir = true; haveTempDir = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Temp dir \"" + winSysObj.getWindowsTempDirectory().getValue().toString() + "\""; searchString += "Temp dir \"" + winSysObj.getWindowsTempDirectory().getValue().toString() + "\""; //NON-NLS
} }
} }
@ -128,7 +128,7 @@ class EvalSystemObj extends EvaluatableObject {
if (!(haveHostname || haveProcArch if (!(haveHostname || haveProcArch
|| haveTempDir || haveProductName || haveSystemRoot || haveProductID || haveTempDir || haveProductName || haveSystemRoot || haveProductID
|| haveOwner || haveOrganization)) { || haveOwner || haveOrganization)) {
return new ObservableResult(id, "SystemObject: No evaluatable fields found", return new ObservableResult(id, "SystemObject: No evaluatable fields found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -204,21 +204,21 @@ class EvalSystemObj extends EvaluatableObject {
if (!finalHits.isEmpty()) { if (!finalHits.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "System")); artData.add(new StixArtifactData(a.getObjectID(), id, "System")); //NON-NLS
} }
return new ObservableResult(id, "SystemObject: Found a match for " + searchString, return new ObservableResult(id, "SystemObject: Found a match for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
// Didn't find any matches // Didn't find any matches
return new ObservableResult(id, "SystemObject: No matches found for " + searchString, return new ObservableResult(id, "SystemObject: No matches found for " + searchString, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} else { } else {
return new ObservableResult(id, "SystemObject: No OS artifacts found", return new ObservableResult(id, "SystemObject: No OS artifacts found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "SystemObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "SystemObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
} }
@ -230,62 +230,62 @@ class EvalSystemObj extends EvaluatableObject {
List<String> fieldNames = new ArrayList<String>(); List<String> fieldNames = new ArrayList<String>();
if (obj.getAvailablePhysicalMemory() != null) { if (obj.getAvailablePhysicalMemory() != null) {
fieldNames.add("Available_Physical_Memory"); fieldNames.add("Available_Physical_Memory"); //NON-NLS
} }
if (obj.getBIOSInfo() != null) { if (obj.getBIOSInfo() != null) {
fieldNames.add("BIOS_Info"); fieldNames.add("BIOS_Info"); //NON-NLS
} }
if (obj.getDate() != null) { if (obj.getDate() != null) {
fieldNames.add("Date"); fieldNames.add("Date"); //NON-NLS
} }
if (obj.getLocalTime() != null) { if (obj.getLocalTime() != null) {
fieldNames.add("Local_Time"); fieldNames.add("Local_Time"); //NON-NLS
} }
if (obj.getNetworkInterfaceList() != null) { if (obj.getNetworkInterfaceList() != null) {
fieldNames.add("Network_Interface_List"); fieldNames.add("Network_Interface_List"); //NON-NLS
} }
if (obj.getOS() != null) { if (obj.getOS() != null) {
fieldNames.add("OS"); fieldNames.add("OS"); //NON-NLS
} }
if(obj.getProcessor() != null){ if(obj.getProcessor() != null){
fieldNames.add("Processor"); fieldNames.add("Processor"); //NON-NLS
} }
if (obj.getSystemTime() != null) { if (obj.getSystemTime() != null) {
fieldNames.add("System_Time"); fieldNames.add("System_Time"); //NON-NLS
} }
if (obj.getTimezoneDST() != null) { if (obj.getTimezoneDST() != null) {
fieldNames.add("Timezone_DST"); fieldNames.add("Timezone_DST"); //NON-NLS
} }
if (obj.getTimezoneStandard() != null) { if (obj.getTimezoneStandard() != null) {
fieldNames.add("Timezone_Standard"); fieldNames.add("Timezone_Standard"); //NON-NLS
} }
if (obj.getTotalPhysicalMemory() != null) { if (obj.getTotalPhysicalMemory() != null) {
fieldNames.add("Total_Physical_Memory"); fieldNames.add("Total_Physical_Memory"); //NON-NLS
} }
if (obj.getUptime() != null) { if (obj.getUptime() != null) {
fieldNames.add("Uptime"); fieldNames.add("Uptime"); //NON-NLS
} }
if (obj.getUsername() != null) { if (obj.getUsername() != null) {
fieldNames.add("Username"); fieldNames.add("Username"); //NON-NLS
} }
if (obj instanceof WindowsSystem) { if (obj instanceof WindowsSystem) {
WindowsSystem winSysObj = (WindowsSystem) obj; WindowsSystem winSysObj = (WindowsSystem) obj;
if (winSysObj.getDomains() != null) { if (winSysObj.getDomains() != null) {
fieldNames.add("Domain"); fieldNames.add("Domain"); //NON-NLS
} }
if (winSysObj.getGlobalFlagList() != null) { if (winSysObj.getGlobalFlagList() != null) {
fieldNames.add("Global_Flag_List"); fieldNames.add("Global_Flag_List"); //NON-NLS
} }
if (winSysObj.getNetBIOSName() != null) { if (winSysObj.getNetBIOSName() != null) {
fieldNames.add("NetBIOS_Name"); fieldNames.add("NetBIOS_Name"); //NON-NLS
} }
if (winSysObj.getOpenHandleList() != null) { if (winSysObj.getOpenHandleList() != null) {
fieldNames.add("Open_Handle_List"); fieldNames.add("Open_Handle_List"); //NON-NLS
} }
if (winSysObj.getWindowsDirectory() != null) { if (winSysObj.getWindowsDirectory() != null) {
fieldNames.add("Windows_Directory"); fieldNames.add("Windows_Directory"); //NON-NLS
} }
} }
@ -297,6 +297,6 @@ class EvalSystemObj extends EvaluatableObject {
warningStr += name; warningStr += name;
} }
addWarning("Unsupported field(s): " + warningStr); addWarning("Unsupported field(s): " + warningStr); //NON-NLS
} }
} }

18
Core/src/org/sleuthkit/autopsy/modules/stix/EvalURIObj.java
View File

@ -49,20 +49,20 @@ class EvalURIObj extends EvaluatableObject {
setWarnings(""); setWarnings("");
if (obj.getValue() == null) { if (obj.getValue() == null) {
return new ObservableResult(id, "URIObject: No URI value field found", return new ObservableResult(id, "URIObject: No URI value field found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
String addressStr = obj.getValue().getValue().toString(); String addressStr = obj.getValue().getValue().toString();
// Strip off http:// or https:// // Strip off http:// or https://
String modifiedAddressStr = addressStr.toLowerCase(); String modifiedAddressStr = addressStr.toLowerCase();
modifiedAddressStr = modifiedAddressStr.replaceAll("http(s)?://", ""); modifiedAddressStr = modifiedAddressStr.replaceAll("http(s)?://", ""); //NON-NLS
// Since we have single URL artifacts, ALL and NONE conditions probably don't make sense to test // Since we have single URL artifacts, ALL and NONE conditions probably don't make sense to test
if (!((obj.getValue().getApplyCondition() == null) if (!((obj.getValue().getApplyCondition() == null)
|| (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) { || (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) {
return new ObservableResult(id, "URIObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString() return new ObservableResult(id, "URIObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString() //NON-NLS
+ " on URI object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); + " on URI object", spacing, ObservableResult.ObservableState.INDETERMINATE, null); //NON-NLS
} }
Case case1 = Case.getCurrentCase(); Case case1 = Case.getCurrentCase();
@ -115,7 +115,7 @@ class EvalURIObj extends EvaluatableObject {
String modifiedAttrString = attr.getValueString(); String modifiedAttrString = attr.getValueString();
if (modifiedAttrString != null) { if (modifiedAttrString != null) {
modifiedAttrString = modifiedAttrString.toLowerCase(); modifiedAttrString = modifiedAttrString.toLowerCase();
modifiedAttrString = modifiedAttrString.replaceAll("http(s)?://", ""); modifiedAttrString = modifiedAttrString.replaceAll("http(s)?://", ""); //NON-NLS
} }
if (compareStringObject(modifiedAddressStr, obj.getValue().getCondition(), if (compareStringObject(modifiedAddressStr, obj.getValue().getCondition(),
@ -129,18 +129,18 @@ class EvalURIObj extends EvaluatableObject {
if (!finalHits.isEmpty()) { if (!finalHits.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "UriObject")); artData.add(new StixArtifactData(a.getObjectID(), id, "UriObject")); //NON-NLS
} }
return new ObservableResult(id, "UriObject: Found a match for " + addressStr, return new ObservableResult(id, "UriObject: Found a match for " + addressStr, //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
return new ObservableResult(id, "URIObject: Found no matches for " + addressStr, return new ObservableResult(id, "URIObject: Found no matches for " + addressStr, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
/*}*/ /*}*/
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "URIObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "URIObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }

64
Core/src/org/sleuthkit/autopsy/modules/stix/EvalURLHistoryObj.java
View File

@ -50,7 +50,7 @@ class EvalURLHistoryObj extends EvaluatableObject {
setWarnings(""); setWarnings("");
if ((obj.getBrowserInformation() == null) && (obj.getURLHistoryEntries() == null)) { if ((obj.getBrowserInformation() == null) && (obj.getURLHistoryEntries() == null)) {
return new ObservableResult(id, "URLHistoryObject: No browser info or history entries found", return new ObservableResult(id, "URLHistoryObject: No browser info or history entries found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -64,7 +64,7 @@ class EvalURLHistoryObj extends EvaluatableObject {
if (obj.getBrowserInformation().getName() != null) { if (obj.getBrowserInformation().getName() != null) {
haveBrowserName = true; haveBrowserName = true;
} }
baseSearchString = "Browser \"" + obj.getBrowserInformation().getName() + "\""; baseSearchString = "Browser \"" + obj.getBrowserInformation().getName() + "\""; //NON-NLS
} }
// Matching artifacts // Matching artifacts
@ -89,41 +89,41 @@ class EvalURLHistoryObj extends EvaluatableObject {
if ((entry.getURL() != null) && (entry.getURL().getValue() != null)) { if ((entry.getURL() != null) && (entry.getURL().getValue() != null)) {
haveURL = true; haveURL = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "URL \"" + entry.getURL().getValue().getValue() + "\""; searchString += "URL \"" + entry.getURL().getValue().getValue() + "\""; //NON-NLS
} }
if ((entry.getReferrerURL() != null) && (entry.getReferrerURL().getValue() != null)) { if ((entry.getReferrerURL() != null) && (entry.getReferrerURL().getValue() != null)) {
haveReferrer = true; haveReferrer = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Referrer \"" + entry.getReferrerURL().getValue().getValue() + "\""; searchString += "Referrer \"" + entry.getReferrerURL().getValue().getValue() + "\""; //NON-NLS
} }
if (entry.getUserProfileName() != null) { if (entry.getUserProfileName() != null) {
haveUserProfile = true; haveUserProfile = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "UserProfile \"" + entry.getUserProfileName().getValue() + "\""; searchString += "UserProfile \"" + entry.getUserProfileName().getValue() + "\""; //NON-NLS
} }
if (entry.getPageTitle() != null) { if (entry.getPageTitle() != null) {
havePageTitle = true; havePageTitle = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Page title \"" + entry.getPageTitle().getValue() + "\""; searchString += "Page title \"" + entry.getPageTitle().getValue() + "\""; //NON-NLS
} }
if ((entry.getHostname() != null) && (entry.getHostname().getHostnameValue() != null)) { if ((entry.getHostname() != null) && (entry.getHostname().getHostnameValue() != null)) {
haveHostname = true; haveHostname = true;
if (!searchString.isEmpty()) { if (!searchString.isEmpty()) {
searchString += " and "; searchString += " and "; //NON-NLS
} }
searchString += "Hostname \"" + entry.getHostname().getHostnameValue().getValue() + "\""; searchString += "Hostname \"" + entry.getHostname().getHostnameValue().getValue() + "\""; //NON-NLS
} }
if (!finalResultsStr.isEmpty()) { if (!finalResultsStr.isEmpty()) {
@ -133,7 +133,7 @@ class EvalURLHistoryObj extends EvaluatableObject {
if (!(haveURL || haveHostname || haveReferrer if (!(haveURL || haveHostname || haveReferrer
|| havePageTitle || haveUserProfile || haveBrowserName)) { || havePageTitle || haveUserProfile || haveBrowserName)) {
return new ObservableResult(id, "URLHistoryObject: No evaluatable fields found", return new ObservableResult(id, "URLHistoryObject: No evaluatable fields found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -160,7 +160,7 @@ class EvalURLHistoryObj extends EvaluatableObject {
entry.getURL().getValue().getApplyCondition(), entry.getURL().getValue().getApplyCondition(),
attr.getValueString()); attr.getValueString());
} else { } else {
addWarning("Non-AnyURIObjectPropertyType found in URL value field"); addWarning("Non-AnyURIObjectPropertyType found in URL value field"); //NON-NLS
} }
} }
if ((attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID()) if ((attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID())
@ -176,7 +176,7 @@ class EvalURLHistoryObj extends EvaluatableObject {
entry.getURL().getValue().getApplyCondition(), entry.getURL().getValue().getApplyCondition(),
attr.getValueString()); attr.getValueString());
} else { } else {
addWarning("Non-AnyURIObjectPropertyType found in URL value field"); addWarning("Non-AnyURIObjectPropertyType found in URL value field"); //NON-NLS
} }
} }
if ((attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE.getTypeID()) if ((attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE.getTypeID())
@ -208,7 +208,7 @@ class EvalURLHistoryObj extends EvaluatableObject {
} }
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "URLHistoryObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "URLHistoryObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -217,14 +217,14 @@ class EvalURLHistoryObj extends EvaluatableObject {
if (!finalHits.isEmpty()) { if (!finalHits.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "URLHistory")); artData.add(new StixArtifactData(a.getObjectID(), id, "URLHistory")); //NON-NLS
} }
return new ObservableResult(id, "URLHistoryObject: Found at least one match for " + finalResultsStr, return new ObservableResult(id, "URLHistoryObject: Found at least one match for " + finalResultsStr, //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
// Didn't find any matches // Didn't find any matches
return new ObservableResult(id, "URLHistoryObject: No matches found for " + finalResultsStr, return new ObservableResult(id, "URLHistoryObject: No matches found for " + finalResultsStr, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} else if (haveBrowserName) { } else if (haveBrowserName) {
@ -256,23 +256,23 @@ class EvalURLHistoryObj extends EvaluatableObject {
if (!finalHits.isEmpty()) { if (!finalHits.isEmpty()) {
List<StixArtifactData> artData = new ArrayList<StixArtifactData>(); List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
for (BlackboardArtifact a : finalHits) { for (BlackboardArtifact a : finalHits) {
artData.add(new StixArtifactData(a.getObjectID(), id, "URLHistory")); artData.add(new StixArtifactData(a.getObjectID(), id, "URLHistory")); //NON-NLS
} }
return new ObservableResult(id, "URLHistoryObject: Found at least one match", return new ObservableResult(id, "URLHistoryObject: Found at least one match", //NON-NLS
spacing, ObservableResult.ObservableState.TRUE, artData); spacing, ObservableResult.ObservableState.TRUE, artData);
} }
// Didn't find any matches // Didn't find any matches
return new ObservableResult(id, "URLHistoryObject: No matches found for " + baseSearchString, return new ObservableResult(id, "URLHistoryObject: No matches found for " + baseSearchString, //NON-NLS
spacing, ObservableResult.ObservableState.FALSE, null); spacing, ObservableResult.ObservableState.FALSE, null);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
return new ObservableResult(id, "URLHistoryObject: Exception during evaluation: " + ex.getLocalizedMessage(), return new ObservableResult(id, "URLHistoryObject: Exception during evaluation: " + ex.getLocalizedMessage(), //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
} else { } else {
// Nothing to search for // Nothing to search for
return new ObservableResult(id, "URLHistoryObject: No evaluatable fields found", return new ObservableResult(id, "URLHistoryObject: No evaluatable fields found", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }
@ -286,25 +286,25 @@ class EvalURLHistoryObj extends EvaluatableObject {
List<String> fieldNames = new ArrayList<String>(); List<String> fieldNames = new ArrayList<String>();
if (entry.getUserProfileName() != null) { if (entry.getUserProfileName() != null) {
fieldNames.add("User_Profile_Name"); fieldNames.add("User_Profile_Name"); //NON-NLS
} }
if (entry.getVisitCount() != null) { if (entry.getVisitCount() != null) {
fieldNames.add("Visit_Count"); fieldNames.add("Visit_Count"); //NON-NLS
} }
if (entry.getManuallyEnteredCount() != null) { if (entry.getManuallyEnteredCount() != null) {
fieldNames.add("Manually_Entered_Count"); fieldNames.add("Manually_Entered_Count"); //NON-NLS
} }
if (entry.getModificationDateTime() != null) { if (entry.getModificationDateTime() != null) {
fieldNames.add("Modification_DateTime"); fieldNames.add("Modification_DateTime"); //NON-NLS
} }
if (entry.getExpirationDateTime() != null) { if (entry.getExpirationDateTime() != null) {
fieldNames.add("Expiration_DateTime"); fieldNames.add("Expiration_DateTime"); //NON-NLS
} }
if (entry.getFirstVisitDateTime() != null) { if (entry.getFirstVisitDateTime() != null) {
fieldNames.add("First_Visit_DateTime"); fieldNames.add("First_Visit_DateTime"); //NON-NLS
} }
if (entry.getLastVisitDateTime() != null) { if (entry.getLastVisitDateTime() != null) {
fieldNames.add("Last_Visit_DateTime"); fieldNames.add("Last_Visit_DateTime"); //NON-NLS
} }
String warningStr = ""; String warningStr = "";
@ -315,6 +315,6 @@ class EvalURLHistoryObj extends EvaluatableObject {
warningStr += name; warningStr += name;
} }
addWarning("Unsupported URL_History_Entry field(s): " + warningStr); addWarning("Unsupported URL_History_Entry field(s): " + warningStr); //NON-NLS
} }
} }

20
Core/src/org/sleuthkit/autopsy/modules/stix/EvaluatableObject.java
View File

@ -86,14 +86,14 @@ abstract class EvaluatableObject {
BlackboardAttribute.ATTRIBUTE_TYPE attrType) throws TskCoreException { BlackboardAttribute.ATTRIBUTE_TYPE attrType) throws TskCoreException {
if (item.getValue() == null) { if (item.getValue() == null) {
throw new TskCoreException("Error: Value field is null"); throw new TskCoreException("Error: Value field is null"); //NON-NLS
} }
if (item.getCondition() == null) { if (item.getCondition() == null) {
addWarning("Warning: No condition given for " + attrType.getDisplayName() + " field, using substring comparison"); addWarning("Warning: No condition given for " + attrType.getDisplayName() + " field, using substring comparison"); //NON-NLS
} else if (item.getCondition() != ConditionTypeEnum.CONTAINS) { } else if (item.getCondition() != ConditionTypeEnum.CONTAINS) {
addWarning("Warning: Ignoring condition " + item.getCondition() + " for " addWarning("Warning: Ignoring condition " + item.getCondition() + " for " //NON-NLS
+ attrType.getDisplayName() + " field and doing substring comparison"); + attrType.getDisplayName() + " field and doing substring comparison"); //NON-NLS
} }
List<BlackboardArtifact> hits = null; List<BlackboardArtifact> hits = null;
@ -101,7 +101,7 @@ abstract class EvaluatableObject {
Case case1 = Case.getCurrentCase(); Case case1 = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = case1.getSleuthkitCase(); SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
String[] parts = item.getValue().toString().split("##comma##"); String[] parts = item.getValue().toString().split("##comma##"); //NON-NLS
if ((item.getApplyCondition() == null) if ((item.getApplyCondition() == null)
|| (item.getApplyCondition() == ConditionApplicationEnum.ANY)) { || (item.getApplyCondition() == ConditionApplicationEnum.ANY)) {
@ -139,7 +139,7 @@ abstract class EvaluatableObject {
} }
} }
} else { } else {
throw new TskCoreException("Error: Can not apply NONE condition in search"); throw new TskCoreException("Error: Can not apply NONE condition in search"); //NON-NLS
} }
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
addWarning(ex.getLocalizedMessage()); addWarning(ex.getLocalizedMessage());
@ -159,7 +159,7 @@ abstract class EvaluatableObject {
public static boolean compareStringObject(StringObjectPropertyType stringObj, String strField) public static boolean compareStringObject(StringObjectPropertyType stringObj, String strField)
throws TskCoreException { throws TskCoreException {
if (stringObj.getValue() == null) { if (stringObj.getValue() == null) {
throw new TskCoreException("Error: Value field is null"); throw new TskCoreException("Error: Value field is null"); //NON-NLS
} }
String valueStr = stringObj.getValue().toString(); String valueStr = stringObj.getValue().toString();
@ -184,10 +184,10 @@ abstract class EvaluatableObject {
throws TskCoreException { throws TskCoreException {
if (valueStr == null) { if (valueStr == null) {
throw new TskCoreException("Error: Value field is null"); throw new TskCoreException("Error: Value field is null"); //NON-NLS
} }
String[] parts = valueStr.split("##comma##"); String[] parts = valueStr.split("##comma##"); //NON-NLS
String lowerFieldName = strField.toLowerCase(); String lowerFieldName = strField.toLowerCase();
for (String value : parts) { for (String value : parts) {
@ -206,7 +206,7 @@ abstract class EvaluatableObject {
} else if (condition == ConditionTypeEnum.ENDS_WITH) { } else if (condition == ConditionTypeEnum.ENDS_WITH) {
partialResult = lowerFieldName.endsWith(value.toLowerCase()); partialResult = lowerFieldName.endsWith(value.toLowerCase());
} else { } else {
throw new TskCoreException("Could not process condition " + condition.value() + " on " + value); throw new TskCoreException("Could not process condition " + condition.value() + " on " + value); //NON-NLS
} }
// Do all the short-circuiting // Do all the short-circuiting

6
Core/src/org/sleuthkit/autopsy/modules/stix/ObservableResult.java
View File

@ -30,9 +30,9 @@ class ObservableResult {
public enum ObservableState { public enum ObservableState {
TRUE("true "), TRUE("true "), //NON-NLS
FALSE("false "), FALSE("false "), //NON-NLS
INDETERMINATE("indeterminate"); INDETERMINATE("indeterminate"); //NON-NLS
private final String label; private final String label;

87
Core/src/org/sleuthkit/autopsy/modules/stix/STIXReportModule.java
View File

@ -114,12 +114,15 @@ public class STIXReportModule implements GeneralReportModule {
File file = new File(reportPath); File file = new File(reportPath);
output = new BufferedWriter(new FileWriter(file)); output = new BufferedWriter(new FileWriter(file));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, String.format("Unable to open STIX report file %s", reportPath), ex); logger.log(Level.SEVERE, String.format("Unable to open STIX report file %s", reportPath), ex); //NON-NLS
MessageNotifyUtil.Notify.show("STIXReportModule", MessageNotifyUtil.Notify.show("STIXReportModule", //NON-NLS
"Unable to open STIX report file " + reportPath, NbBundle.getMessage(this.getClass(),
"STIXReportModule.notifyMsg.unableToOpenReportFile",
reportPath),
MessageNotifyUtil.MessageType.ERROR); MessageNotifyUtil.MessageType.ERROR);
progressPanel.complete(); progressPanel.complete();
progressPanel.updateStatusLabel("Completed with errors"); progressPanel.updateStatusLabel(
NbBundle.getMessage(this.getClass(), "STIXReportModule.progress.completedWithErrors"));
return; return;
} }
@ -129,31 +132,38 @@ public class STIXReportModule implements GeneralReportModule {
// Process the file/directory name entry // Process the file/directory name entry
String stixFileName = configPanel.getStixFile(); String stixFileName = configPanel.getStixFile();
if (stixFileName == null) { if (stixFileName == null) {
logger.log(Level.SEVERE, "STIXReportModuleConfigPanel.stixFile not initialized "); logger.log(Level.SEVERE, "STIXReportModuleConfigPanel.stixFile not initialized "); //NON-NLS
MessageNotifyUtil.Message.error("No STIX file/directory provided "); MessageNotifyUtil.Message.error(
NbBundle.getMessage(this.getClass(), "STIXReportModule.notifyErr.noFildDirProvided"));
progressPanel.complete(); progressPanel.complete();
progressPanel.updateStatusLabel("No STIX file/directory provided "); progressPanel.updateStatusLabel(
NbBundle.getMessage(this.getClass(), "STIXReportModule.progress.noFildDirProvided"));
return; return;
} }
if (stixFileName.isEmpty()) { if (stixFileName.isEmpty()) {
logger.log(Level.SEVERE, "No STIX file/directory provided "); logger.log(Level.SEVERE, "No STIX file/directory provided "); //NON-NLS
MessageNotifyUtil.Message.error("No STIX file/directory provided "); MessageNotifyUtil.Message.error(
NbBundle.getMessage(this.getClass(), "STIXReportModule.notifyErr.noFildDirProvided"));
progressPanel.complete(); progressPanel.complete();
progressPanel.updateStatusLabel("No STIX file/directory provided "); progressPanel.updateStatusLabel(
NbBundle.getMessage(this.getClass(), "STIXReportModule.progress.noFildDirProvided"));
return; return;
} }
File stixFile = new File(stixFileName); File stixFile = new File(stixFileName);
if (!stixFile.exists()) { if (!stixFile.exists()) {
logger.log(Level.SEVERE, String.format("Unable to open STIX file/directory %s", stixFileName)); logger.log(Level.SEVERE, String.format("Unable to open STIX file/directory %s", stixFileName)); //NON-NLS
MessageNotifyUtil.Message.error("Unable to open STIX file/directory" + stixFileName); MessageNotifyUtil.Message.error(NbBundle.getMessage(this.getClass(),
"STIXReportModule.notifyMsg.unableToOpenFileDir",
stixFileName));
progressPanel.complete(); progressPanel.complete();
progressPanel.updateStatusLabel("Could not open file/directory " + stixFileName); progressPanel.updateStatusLabel(
NbBundle.getMessage(this.getClass(), "STIXReportModule.progress.couldNotOpenFileDir", stixFileName));
return; return;
} }
// Store the path // Store the path
ModuleSettings.setConfigSetting("STIX", "defaultPath", stixFileName); ModuleSettings.setConfigSetting("STIX", "defaultPath", stixFileName); //NON-NLS
// Create array of stix file(s) // Create array of stix file(s)
File[] stixFiles; File[] stixFiles;
@ -172,8 +182,8 @@ public class STIXReportModule implements GeneralReportModule {
try { try {
processFile(file.getAbsolutePath(), progressPanel); processFile(file.getAbsolutePath(), progressPanel);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Unable to process STIX file %s", file), ex); logger.log(Level.SEVERE, String.format("Unable to process STIX file %s", file), ex); //NON-NLS
MessageNotifyUtil.Notify.show("STIXReportModule", MessageNotifyUtil.Notify.show("STIXReportModule", //NON-NLS
ex.getLocalizedMessage(), ex.getLocalizedMessage(),
MessageNotifyUtil.MessageType.ERROR); MessageNotifyUtil.MessageType.ERROR);
hadErrors = true; hadErrors = true;
@ -185,7 +195,7 @@ public class STIXReportModule implements GeneralReportModule {
try { try {
output.close(); output.close();
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, String.format("Error closing STIX report file %s", reportPath), ex); logger.log(Level.SEVERE, String.format("Error closing STIX report file %s", reportPath), ex); //NON-NLS
} }
} }
@ -193,7 +203,8 @@ public class STIXReportModule implements GeneralReportModule {
// the "complete" message to indicate this. // the "complete" message to indicate this.
progressPanel.complete(); progressPanel.complete();
if (hadErrors) { if (hadErrors) {
progressPanel.updateStatusLabel("Completed with errors"); progressPanel.updateStatusLabel(
NbBundle.getMessage(this.getClass(), "STIXReportModule.progress.completedWithErrors"));
} }
} }
@ -237,14 +248,14 @@ public class STIXReportModule implements GeneralReportModule {
try { try {
// Create STIXPackage object from xml. // Create STIXPackage object from xml.
File file = new File(stixFileName); File file = new File(stixFileName);
JAXBContext jaxbContext = JAXBContext.newInstance("org.mitre.stix.stix_1:org.mitre.stix.common_1:org.mitre.stix.indicator_2:" JAXBContext jaxbContext = JAXBContext.newInstance("org.mitre.stix.stix_1:org.mitre.stix.common_1:org.mitre.stix.indicator_2:" //NON-NLS
+ "org.mitre.cybox.objects:org.mitre.cybox.cybox_2:org.mitre.cybox.common_2"); + "org.mitre.cybox.objects:org.mitre.cybox.cybox_2:org.mitre.cybox.common_2"); //NON-NLS
Unmarshaller jaxbUnmarshaller = jaxbContext.createUnmarshaller(); Unmarshaller jaxbUnmarshaller = jaxbContext.createUnmarshaller();
STIXPackage stix = (STIXPackage) jaxbUnmarshaller.unmarshal(file); STIXPackage stix = (STIXPackage) jaxbUnmarshaller.unmarshal(file);
return stix; return stix;
} catch (JAXBException ex) { } catch (JAXBException ex) {
logger.log(Level.SEVERE, String.format("Unable to load STIX file %s", stixFileName), ex.getLocalizedMessage()); logger.log(Level.SEVERE, String.format("Unable to load STIX file %s", stixFileName), ex.getLocalizedMessage()); //NON-NLS
throw new TskCoreException("Error loading STIX file (" + ex.toString() + ")"); throw new TskCoreException("Error loading STIX file (" + ex.toString() + ")"); //NON-NLS
} }
} }
@ -328,15 +339,17 @@ public class STIXReportModule implements GeneralReportModule {
} else if (ind.getId() != null) { } else if (ind.getId() != null) {
s.createArtifact(ind.getId().toString()); s.createArtifact(ind.getId().toString());
} else { } else {
s.createArtifact("Unnamed indicator(s)"); s.createArtifact("Unnamed indicator(s)"); //NON-NLS
} }
// Trying to protect against the case where we end up with tons of artifacts // Trying to protect against the case where we end up with tons of artifacts
// for a single observable because the condition was not restrictive enough // for a single observable because the condition was not restrictive enough
count++; count++;
if (count > 1000) { if (count > 1000) {
MessageNotifyUtil.Notify.show("STIXReportModule", MessageNotifyUtil.Notify.show("STIXReportModule", //NON-NLS
"Too many STIX-related artifacts generated for " + ind.getId() + ". Only saving first 1000.", NbBundle.getMessage(this.getClass(),
"STIXReportModule.notifyMsg.tooManyArtifactsgt1000",
ind.getId()),
MessageNotifyUtil.MessageType.INFO); MessageNotifyUtil.MessageType.INFO);
break; break;
} }
@ -356,28 +369,28 @@ public class STIXReportModule implements GeneralReportModule {
try { try {
if (found) { if (found) {
output.write("----------------\r\n" output.write("----------------\r\n"
+ "Found indicator:\r\n"); + "Found indicator:\r\n"); //NON-NLS
} else { } else {
output.write("-----------------------\r\n" output.write("-----------------------\r\n"
+ "Did not find indicator:\r\n"); + "Did not find indicator:\r\n"); //NON-NLS
} }
if (ind.getTitle() != null) { if (ind.getTitle() != null) {
output.write("Title: " + ind.getTitle() + "\r\n"); output.write("Title: " + ind.getTitle() + "\r\n"); //NON-NLS
} else { } else {
output.write("\r\n"); output.write("\r\n");
} }
if (ind.getId() != null) { if (ind.getId() != null) {
output.write("ID: " + ind.getId() + "\r\n"); output.write("ID: " + ind.getId() + "\r\n"); //NON-NLS
} }
if (ind.getDescription() != null) { if (ind.getDescription() != null) {
String desc = ind.getDescription().getValue(); String desc = ind.getDescription().getValue();
desc = desc.trim(); desc = desc.trim();
output.write("Description: " + desc + "\r\n"); output.write("Description: " + desc + "\r\n"); //NON-NLS
} }
output.write("\r\nObservable results:\r\n" + resultStr + "\r\n\r\n"); output.write("\r\nObservable results:\r\n" + resultStr + "\r\n\r\n"); //NON-NLS
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, String.format("Error writing to STIX report file %s", reportPath), ex); logger.log(Level.SEVERE, String.format("Error writing to STIX report file %s", reportPath), ex); //NON-NLS
} }
} }
} }
@ -398,7 +411,7 @@ public class STIXReportModule implements GeneralReportModule {
output.write("### " + a_fileName + " ###\r\n"); output.write("### " + a_fileName + " ###\r\n");
output.write(header + "\r\n\r\n"); output.write(header + "\r\n\r\n");
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, String.format("Error writing to STIX report file %s", reportPath), ex); logger.log(Level.SEVERE, String.format("Error writing to STIX report file %s", reportPath), ex); //NON-NLS
} }
} }
@ -446,7 +459,7 @@ public class STIXReportModule implements GeneralReportModule {
*/ */
private ObservableResult evaluateObservableComposition(ObservableCompositionType comp, String spacing) throws TskCoreException { private ObservableResult evaluateObservableComposition(ObservableCompositionType comp, String spacing) throws TskCoreException {
if (comp.getOperator() == null) { if (comp.getOperator() == null) {
throw new TskCoreException("No operator found in composition"); throw new TskCoreException("No operator found in composition"); //NON-NLS
} }
if (comp.getObservables() != null) { if (comp.getObservables() != null) {
@ -525,7 +538,7 @@ public class STIXReportModule implements GeneralReportModule {
return result; return result;
} }
} else { } else {
throw new TskCoreException("No observables found in list"); throw new TskCoreException("No observables found in list"); //NON-NLS
} }
} }
@ -567,7 +580,7 @@ public class STIXReportModule implements GeneralReportModule {
return result; return result;
} }
throw new TskCoreException("Error loading/finding object for observable " + obs.getIdref()); throw new TskCoreException("Error loading/finding object for observable " + obs.getIdref()); //NON-NLS
} }
/** /**
@ -609,7 +622,7 @@ public class STIXReportModule implements GeneralReportModule {
if ((type.lastIndexOf(".") + 1) < type.length()) { if ((type.lastIndexOf(".") + 1) < type.length()) {
type = type.substring(type.lastIndexOf(".") + 1); type = type.substring(type.lastIndexOf(".") + 1);
} }
return new ObservableResult(id, type + " not supported", return new ObservableResult(id, type + " not supported", //NON-NLS
spacing, ObservableResult.ObservableState.INDETERMINATE, null); spacing, ObservableResult.ObservableState.INDETERMINATE, null);
} }

18
Core/src/org/sleuthkit/autopsy/modules/stix/STIXReportModuleConfigPanel.java
View File

@ -37,17 +37,17 @@ public class STIXReportModuleConfigPanel extends javax.swing.JPanel {
initComponents(); initComponents();
// Set the default path to the last one used // Set the default path to the last one used
if ((ModuleSettings.getConfigSetting("STIX", "defaultPath") != null) if ((ModuleSettings.getConfigSetting("STIX", "defaultPath") != null) //NON-NLS
&& (!ModuleSettings.getConfigSetting("STIX", "defaultPath").isEmpty())) { && (!ModuleSettings.getConfigSetting("STIX", "defaultPath").isEmpty())) { //NON-NLS
jTextField1.setText(ModuleSettings.getConfigSetting("STIX", "defaultPath")); jTextField1.setText(ModuleSettings.getConfigSetting("STIX", "defaultPath")); //NON-NLS
stixFile = ModuleSettings.getConfigSetting("STIX", "defaultPath"); stixFile = ModuleSettings.getConfigSetting("STIX", "defaultPath"); //NON-NLS
} }
// Set the results checkbox to the last one used // Set the results checkbox to the last one used
if ((ModuleSettings.getConfigSetting("STIX", "showAllResults") != null) if ((ModuleSettings.getConfigSetting("STIX", "showAllResults") != null) //NON-NLS
&& (!ModuleSettings.getConfigSetting("STIX", "showAllResults").isEmpty())) { && (!ModuleSettings.getConfigSetting("STIX", "showAllResults").isEmpty())) { //NON-NLS
if (ModuleSettings.getConfigSetting("STIX", "showAllResults").equals("true")) { if (ModuleSettings.getConfigSetting("STIX", "showAllResults").equals("true")) { //NON-NLS
jCheckBox1.setSelected(true); jCheckBox1.setSelected(true);
showAllResults = true; showAllResults = true;
} else { } else {
@ -177,9 +177,9 @@ public class STIXReportModuleConfigPanel extends javax.swing.JPanel {
// TODO add your handling code here: // TODO add your handling code here:
showAllResults = jCheckBox1.isSelected(); showAllResults = jCheckBox1.isSelected();
if (showAllResults) { if (showAllResults) {
ModuleSettings.setConfigSetting("STIX", "showAllResults", "true"); ModuleSettings.setConfigSetting("STIX", "showAllResults", "true"); //NON-NLS
} else { } else {
ModuleSettings.setConfigSetting("STIX", "showAllResults", "false"); ModuleSettings.setConfigSetting("STIX", "showAllResults", "false"); //NON-NLS
} }
}//GEN-LAST:event_jCheckBox1ActionPerformed }//GEN-LAST:event_jCheckBox1ActionPerformed

10
Core/src/org/sleuthkit/autopsy/modules/stix/StixArtifactData.java
View File

@ -59,15 +59,15 @@ class StixArtifactData {
String setName; String setName;
if (a_title != null) { if (a_title != null) {
setName = "STIX Indicator - " + a_title; setName = "STIX Indicator - " + a_title; //NON-NLS
} else { } else {
setName = "STIX Indicator - (no title)"; setName = "STIX Indicator - (no title)"; //NON-NLS
} }
BlackboardArtifact bba = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); BlackboardArtifact bba = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Stix", setName)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Stix", setName)); //NON-NLS
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(), "Stix", observableId)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(), "Stix", observableId)); //NON-NLS
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), "Stix", objType)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), "Stix", objType)); //NON-NLS
} }
public void print() { public void print() {

4
branding/core/core.jar/org/netbeans/core/startup/Bundle.properties
View File

@ -1,5 +1,5 @@
#Updated by build script #Updated by build script
#Wed, 17 Dec 2014 13:11:49 -0500 #Thu, 19 Feb 2015 12:52:00 -0500
LBL_splash_window_title=Starting Autopsy LBL_splash_window_title=Starting Autopsy
SPLASH_HEIGHT=314 SPLASH_HEIGHT=314
SPLASH_WIDTH=538 SPLASH_WIDTH=538
@ -8,4 +8,4 @@ SplashRunningTextBounds=0,289,538,18
SplashRunningTextColor=0x0 SplashRunningTextColor=0x0
SplashRunningTextFontSize=19 SplashRunningTextFontSize=19
currentVersion=Autopsy 3.1.1 currentVersion=Autopsy 3.1.2

6
branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties
View File

@ -1,5 +1,5 @@
#Updated by build script #Updated by build script
#Wed, 17 Dec 2014 13:11:49 -0500 #Thu, 19 Feb 2015 12:52:00 -0500
CTL_MainWindow_Title=Autopsy 3.1.1 CTL_MainWindow_Title=Autopsy 3.1.2
CTL_MainWindow_Title_No_Project=Autopsy 3.1.1 CTL_MainWindow_Title_No_Project=Autopsy 3.1.2