From 81c65a8c014d20a65d5253d6deb0eea47f96be74 Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 2 Feb 2021 17:25:05 -0500
Subject: [PATCH 1/2] Update LeappFileProcessor.java Normalize Domain name to TSK/CR standards
---
 .../leappanalyzers/LeappFileProcessor.java | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
index c6fdb6ae1e..5318ddf85b 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
@@ -59,6 +59,7 @@ import org.sleuthkit.autopsy.casemodule.Case;
 import static org.sleuthkit.autopsy.casemodule.Case.getCurrentCase;
 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
 import org.sleuthkit.autopsy.casemodule.services.FileManager;
+import org.sleuthkit.autopsy.coreutils.NetworkUtils;
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
 import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException;
@@ -379,7 +380,9 @@ public final class LeappFileProcessor {
 return Collections.emptyList();
 }
- BlackboardAttribute attr = (value == null) ? null : getAttribute(colAttr.getAttributeType(), value, fileName);
+ String formattedValue = formatValueBasedOnAttrType(colAttr, value);
+
+ BlackboardAttribute attr = (value == null) ? null : getAttribute(colAttr.getAttributeType(), formattedValue, fileName);
 if (attr == null) {
 logger.log(Level.WARNING, String.format("Blackboard attribute could not be parsed column %s at line %d in file %s. Omitting row.", colAttr.getColumnName(), lineNum, fileName));
 return Collections.emptyList();
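Review bot: The new call `formatValueBasedOnAttrType(colAttr, value)` in the `@@ -379,7 +380,9 @@` hunk runs before the `value == null` test on the following statement, so a null cell in a TSK_DOMAIN column would be handed to `NetworkUtils.extractDomain` instead of taking the existing null path. Whether `extractDomain` tolerates null is not visible on this page, so guarding the call keeps the previous behaviour: `String formattedValue = (value == null) ? null : formatValueBasedOnAttrType(colAttr, value);`. The enclosing method starts and ends outside the hunk, so an earlier null check may already cover this; if it does, the ternary on `attr` is redundant and could be simplified instead.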
@@ -394,6 +397,21 @@ public final class LeappFileProcessor {
 return attrsToRet;
 }
+ /**
+ * Check type of attribute and possibly format string based on it.
+ *
+ * @param colAttr Column Attribute information
+ * @param value string to be formatted
+ * @return formatted string based on attribute type if no attribute type found then return original string
+ */
+ private String formatValueBasedOnAttrType(TsvColumn colAttr, String value) {
+ if (colAttr.getAttributeType().getTypeName().equals("TSK_DOMAIN")) {
+ return NetworkUtils.extractDomain(value);
+ }
+
+ return value;
+ }
+
 /**
 * The format of time stamps in tsv.
 */
From 287f01f0c2ea1541f891dbac09c5d3b980a6ec77 Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Wed, 3 Feb 2021 10:20:42 -0500
Subject: [PATCH 2/2] Update CorrelationAttributeNormalizer.java Add sanization check in CR
---
 .../datamodel/CorrelationAttributeNormalizer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeNormalizer.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeNormalizer.java
index 51b9b80f84..f7d423c85d 100644
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeNormalizer.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeNormalizer.java
@@ -27,6 +27,7 @@ import java.util.Set;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.validator.routines.DomainValidator;
 import org.apache.commons.validator.routines.EmailValidator;
+import org.sleuthkit.autopsy.coreutils.NetworkUtils;
 /**
 * Provides functions for normalizing data by attribute type before insertion or
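Review bot: `formatValueBasedOnAttrType` returns whatever `NetworkUtils.extractDomain` produces without checking it, so a TSV cell the extractor cannot parse may be stored as an empty or altered TSK_DOMAIN value with no log entry, and the host string reported by the LEAPP tool is discarded. The extractor's failure behaviour is not shown on this page, so this is inferred. Falling back to the input when nothing is extracted would keep the reported evidence: `String domain = NetworkUtils.extractDomain(value);` then `return (domain == null || domain.isEmpty()) ? value : domain;`. The Javadoc should also say that domain values are rewritten during ingest. The type test would be sturdier against the enum than a string literal, e.g. `colAttr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID()`.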
@@ -144,11 +145,11 @@ final public class CorrelationAttributeNormalizer {
 private static String normalizeDomain(String data) throws CorrelationAttributeNormalizationException {
 DomainValidator validator = DomainValidator.getInstance(true);
 if (validator.isValid(data)) {
- return data.toLowerCase();
+ return NetworkUtils.extractDomain(data.toLowerCase());
 } else {
 final String validIpAddressRegex = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$";
 if (data.matches(validIpAddressRegex)) {
- return data;
+ return NetworkUtils.extractDomain(data);
 } else {
 throw new CorrelationAttributeNormalizationException(String.format("Data was expected to be a valid domain: %s", data));
 }
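Review bot: Both branches of `normalizeDomain` now return the output of `NetworkUtils.extractDomain`, but nothing re-checks that output, so an empty or shortened result would be stored as a correlation value instead of raising `CorrelationAttributeNormalizationException`. This matters most in the IPv4 branch, where an address that has just matched `validIpAddressRegex` is passed to a domain extractor whose handling of dotted quads is not visible here. Assigning the result to a local and adding `if (StringUtils.isBlank(domain)) { throw new CorrelationAttributeNormalizationException(String.format("Data was expected to be a valid domain: %s", data)); }` keeps the method failing closed; `StringUtils` is already imported in this file. Separately, `data.toLowerCase()` on the new line uses the default locale, and `toLowerCase(Locale.ROOT)` would keep stored values identical across examiner machines.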