Added Domain Name Object parsing.

Fixed bug in saving warnings.
2025-07-06 21:00:22 +00:00 · 2015-02-06 11:42:12 -05:00 · 2015-02-06 11:42:12 -05:00 · f54a65ab1e
commit f54a65ab1e
parent 436394ecc8
4 changed files with 127 additions and 1 deletions
--- a/Core/src/org/sleuthkit/autopsy/modules/stix/EvalDomainObj.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/stix/EvalDomainObj.java
@ -0,0 +1,116 @@
+/*
+ * Autopsy Forensic Browser
+ * 
+ * Copyright 2013 Basis Technology Corp.
+ * Contact: carrier <at> sleuthkit <dot> org
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.modules.stix;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.mitre.cybox.common_2.ConditionApplicationEnum;
+import org.mitre.cybox.common_2.ConditionTypeEnum;
+import org.mitre.cybox.objects.DomainName;
+import org.sleuthkit.datamodel.BlackboardArtifact;
+import org.sleuthkit.datamodel.BlackboardAttribute;
+import org.sleuthkit.datamodel.TskCoreException;
+import org.sleuthkit.autopsy.casemodule.Case;
+import org.sleuthkit.datamodel.SleuthkitCase;
+
+/**
+ *
+ */
+class EvalDomainObj extends EvaluatableObject {
+
+    private final DomainName obj;
+
+    public EvalDomainObj(DomainName a_obj, String a_id, String a_spacing) {
+        obj = a_obj;
+        id = a_id;
+        spacing = a_spacing;
+    }
+
+    @Override
+    public synchronized ObservableResult evaluate() {
+
+        setWarnings("");
+
+        if (obj.getValue() == null) {
+            return new ObservableResult(id, "DomainObject: No domain value field found",
+                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
+        }
+
+        // Since we have single URL artifacts, ALL and NONE conditions probably don't make sense to test
+        if (!((obj.getValue().getApplyCondition() == null)
+                || (obj.getValue().getApplyCondition() == ConditionApplicationEnum.ANY))) {
+            return new ObservableResult(id, "URIObject: Can not process apply condition " + obj.getValue().getApplyCondition().toString()
+                    + " on URI object", spacing, ObservableResult.ObservableState.INDETERMINATE, null);
+        }
+
+        // If the condition is not "CONTAINS", add a warning that it's being ignored
+        if ((obj.getValue().getCondition() != null)
+                && (obj.getValue().getCondition() != ConditionTypeEnum.CONTAINS)) {
+            addWarning("Warning: Ignoring condition " + obj.getValue().getCondition().toString()
+                    + " on DomainName - using substring comparison");
+        }
+
+        Case case1 = Case.getCurrentCase();
+        SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
+
+        try {
+            // Set up the list of matching artifacts
+            List<BlackboardArtifact> finalHits = new ArrayList<BlackboardArtifact>();
+
+            // Get all the URL artifacts
+            List<BlackboardArtifact> artList
+                    = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
+
+            for (BlackboardArtifact art : artList) {
+
+                for (BlackboardAttribute attr : art.getAttributes()) {
+                    if (attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
+                        String url = attr.getValueString();
+
+                        // Check whether the domain name is a substring of the URL (regardless 
+                        // of the condition on the domain name object)
+                        if (compareStringObject(obj.getValue().getValue().toString(), ConditionTypeEnum.CONTAINS,
+                                obj.getValue().getApplyCondition(), url)) {
+                            finalHits.add(art);
+                        }
+                    }
+                }
+            }
+
+            if (!finalHits.isEmpty()) {
+                List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
+                for (BlackboardArtifact a : finalHits) {
+                    artData.add(new StixArtifactData(a.getObjectID(), id, "DomainNameObject"));
+                }
+                return new ObservableResult(id, "DomainNameObject: Found a match for " + obj.getValue().getValue().toString()
+                        + " " + getPrintableWarnings(),
+                        spacing, ObservableResult.ObservableState.TRUE, artData);
+            }
+
+            return new ObservableResult(id, "DomainNameObject: Found no matches for " + obj.getValue().getValue().toString()
+                    + " " + getPrintableWarnings(),
+                    spacing, ObservableResult.ObservableState.FALSE, null);
+        } catch (TskCoreException ex) {
+            return new ObservableResult(id, "DomainNameObject: Exception during evaluation: " + ex.getLocalizedMessage(),
+                    spacing, ObservableResult.ObservableState.INDETERMINATE, null);
+        }
+
+    }
+
+}
--- a/Core/src/org/sleuthkit/autopsy/modules/stix/EvaluatableObject.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/stix/EvaluatableObject.java
@ -67,6 +67,7 @@ abstract class EvaluatableObject {
    public void addWarning(String a_newWarning) {
        if ((warnings == null) || warnings.isEmpty()) {
            warnings = a_newWarning;
+            return;
        }
        warnings = warnings + ", " + a_newWarning;
    }
--- a/Core/src/org/sleuthkit/autopsy/modules/stix/STIXReportModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/stix/STIXReportModule.java
@ -55,6 +55,7 @@ import org.mitre.cybox.objects.WindowsNetworkShare;
 import org.mitre.cybox.objects.AccountObjectType;
 import org.mitre.cybox.objects.SystemObjectType;
 import org.mitre.cybox.objects.URLHistory;
+import org.mitre.cybox.objects.DomainName;
 import org.mitre.cybox.objects.WindowsRegistryKey;
 import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
 import org.sleuthkit.autopsy.coreutils.ModuleSettings;
@ -585,6 +586,8 @@ public class STIXReportModule implements GeneralReportModule {
            evalObj = new EvalSystemObj((SystemObjectType) obj.getProperties(), id, spacing);
        } else if (obj.getProperties() instanceof URLHistory) {
            evalObj = new EvalURLHistoryObj((URLHistory) obj.getProperties(), id, spacing);
+        } else if (obj.getProperties() instanceof DomainName) {
+            evalObj = new EvalDomainObj((DomainName) obj.getProperties(), id, spacing);
        } else if (obj.getProperties() instanceof WindowsRegistryKey) {
            evalObj = new EvalRegistryObj((WindowsRegistryKey) obj.getProperties(), id, spacing, registryFileData);
        } else {
--- a/docs/doxygen-user/stix.dox
+++ b/docs/doxygen-user/stix.dox
@ -21,9 +21,13 @@ Quick Start

 Supported CybOX Objects
 =======================
+
 - Address Object
    - Address_Value

+- Domain Name Object
+    - Value
+	
 - Email Message Object
    - To
    - CC
@ -84,6 +88,8 @@ Supported CybOX Objects
 - Win User Account Object
    - SID
 	
+See http://cybox.mitre.org for more information on CybOX Objects.
+
 Limitations
 ===========
 - As shown in the list above, not all CybOX objects/fields are currently supported. When an unsupported object/field is found in an observable, its status is set to "indeterminate" instead of true or false. These indeterminate fields will not change the result of the observable composition (i.e., if the rest is true, the overall result will stay as true).