diff --git a/bindings/java/src/org/sleuthkit/datamodel/OsAccountRealmManager.java b/bindings/java/src/org/sleuthkit/datamodel/OsAccountRealmManager.java index db28b472f555b83c51318a4c19dbf53e4052e868..9c07e36109f6ffb6665ab29affe40cf564f0072a 100644 --- a/bindings/java/src/org/sleuthkit/datamodel/OsAccountRealmManager.java +++ b/bindings/java/src/org/sleuthkit/datamodel/OsAccountRealmManager.java @@ -37,16 +37,21 @@ */ public final class OsAccountRealmManager { - - // Some Windows accounts have special SIDS. - // we need to identify those and handle them differently for regular - // user account SIDs + // Some windows SID indicate special account. + // These should be handled differently from regular user accounts. private static final Set<String> SPECIAL_SIDS = ImmutableSet.of( "S-1-5-18", // LOCAL_SYSTEM_ACCOUNT "S-1-5-19", // LOCAL_SERVICE_ACCOUNT "S-1-5-20" // NETWORK_SERVICE_ACCOUNT + ); + private static final Set<String> SPECIAL_SID_PREFIXES = ImmutableSet.of( + "S-1-5-80", // Virtual Service accounts + "S-1-5-82", // AppPoolIdentity Virtual accounts. + "S-1-5-83", // Virtual Machine Virtual Accounts. + "S-1-5-90", // Windows Manager Virtual Accounts. + "S-1-5-96" // Font Drive Host Virtual Accounts. ); - + // Special Windows Accounts with short SIDS are given a special realm "address". private final static String SPECIAL_WINDOWS_REALM_ADDR = "SPECIAL_WINDOWS_ACCOUNTS"; @@ -534,8 +539,8 @@ private OsAccountRealm createRealm(String realmName, String realmAddr, String si private String getWindowsRealmAddress(String sid) { String realmAddr; - - if (SPECIAL_SIDS.contains(sid)) { + + if (isWindowsSpecialSid(sid)) { realmAddr = SPECIAL_WINDOWS_REALM_ADDR; } else { // regular SIDs should have at least 5 components: S-1-x-y-z 
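Review bot: The context comment `// Special Windows Accounts with short SIDS are given a special realm "address".` above SPECIAL_WINDOWS_REALM_ADDR is now stale, because the new SPECIAL_SID_PREFIXES entries cover virtual-account SIDs that carry several more sub-authorities (the test data in this commit uses `S-1-5-80-3696737894-…`), so the special realm is no longer limited to short SIDs; reword it to `// Well-known short SIDs and the virtual-account SID families in SPECIAL_SID_PREFIXES are given a special realm "address".`. Two of the new per-entry comments use non-standard names: `S-1-5-96` is `Font Driver Host` (UMFD), not `Font Drive Host`, and `S-1-5-90` is `Window Manager` (DWM), not `Windows Manager`. The header comment `// Some windows SID indicate special account.` would read better as `// Some Windows SIDs identify well-known or virtual accounts that must not be mapped to a regular user realm.`.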
@@ -549,6 +554,24 @@ private String getWindowsRealmAddress(String sid) { return realmAddr; } + /** + * Checks if the given SID is a special Windows SID. + * + * @param sid SID to check. + * + * @return True if the SID is a Windows special SID, false otherwise + */ + private boolean isWindowsSpecialSid(String sid) { + if (SPECIAL_SIDS.contains(sid)) { + return true; + } + for (String specialPrefix: SPECIAL_SID_PREFIXES) { + if (sid.startsWith(specialPrefix)) { + return true; + } + } + return false; + } /** * Makes a realm signature based on given realm address, name scope host. diff --git a/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java b/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java index 2357821a582062c848b510cdf5d6f6e4d04e528d..1440eac703c04e39c92a7ff509ea0e836e2d8f1b 100644 --- a/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java +++ b/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java @@ -148,8 +148,8 @@ public void osAccountRealmTests() throws TskCoreException { Host host1 = caseDB.getHostManager().createHost(HOSTNAME1); String realmName1 = "basis"; - String realmSID1 = "S-1-5-18-1111111111-2222222222-3333333333"; - String realmAddr1 = "S-1-5-18-1111111111-2222222222"; + String realmSID1 = "S-1-5-21-1111111111-2222222222-3333333333"; + String realmAddr1 = "S-1-5-21-1111111111-2222222222"; OsAccountRealm domainRealm1 = caseDB.getOsAccountRealmManager().createWindowsRealm(realmSID1, realmName1, host1, OsAccountRealm.RealmScope.DOMAIN); 
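Review bot: `sid.startsWith(specialPrefix)` matches on a bare digit prefix, so any SID whose sub-authority merely begins with the same digits (for example `S-1-5-800-…` or `S-1-5-9012-…`) is classified as special and folded into the shared SPECIAL_WINDOWS_ACCOUNTS realm instead of its own realm; since these strings are parsed from the evidence under examination, the match should require the sub-authority boundary, `if (sid.startsWith(specialPrefix + "-")) {`. `sid.startsWith` also throws NullPointerException on a null SID, where the previous `SPECIAL_SIDS.contains(sid)` check would not have thrown on a Guava ImmutableSet; if null can reach getWindowsRealmAddress (not visible here), add `if (sid == null) { return false; }` at the top. The Javadoc could state what "special" means for this method, e.g. `Checks if the given SID is a well-known built-in account (exact match) or belongs to one of the virtual-account SID families (prefix match).`, and a blank line is missing between the new method and the following Javadoc.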
@@ -377,10 +377,31 @@ public void windowsSpecialAccountTests() throws TskCoreException { } + // Test some other special account. + { + String hostname4 = "host444"; + Host host4 = caseDB.getHostManager().createHost(hostname4); + + String specialSid1 = "S-1-5-80-3696737894-3623014651-202832235-645492566-13622391"; + String specialSid2 = "S-1-5-82-4003674586-223046494-4022293810-2417516693-151509167"; + String specialSid3 = "S-1-5-90-0-2"; + String specialSid4 = "S-1-5-96-0-3"; + + + OsAccount specialAccount1 = caseDB.getOsAccountManager().createWindowsAccount(specialSid1, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN); + OsAccount specialAccount2 = caseDB.getOsAccountManager().createWindowsAccount(specialSid2, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN); + OsAccount specialAccount3 = caseDB.getOsAccountManager().createWindowsAccount(specialSid3, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN); + OsAccount specialAccount4 = caseDB.getOsAccountManager().createWindowsAccount(specialSid4, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN); + + + assertEquals(specialAccount1.getRealm().getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true); + assertEquals(specialAccount2.getRealm().getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true); + assertEquals(specialAccount3.getRealm().getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true); + assertEquals(specialAccount4.getRealm().getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true); + + + } - - - // RAMAN TBD: add other special accounts } finally {
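Review bot: The four `assertEquals(… .equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true)` checks put the actual value in the expected slot and report only `true`/`false` on failure; `assertTrue(specialAccount1.getRealm().getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR));` (and likewise for the other three) states the intent and keeps the failure message meaningful. There is also no negative case: nothing checks that an ordinary `S-1-5-21-…` account created on the same host, or a SID whose sub-authority only shares leading digits with a prefix such as `S-1-5-800-1`, stays out of the special realm, which is exactly the boundary the new prefix matching is sensitive to. The surrounding try block starts before this hunk.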