Merge pull request #391 from APriestman/stix

Stix

bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java

@@ -125,6 +125,8 @@ public enum ARTIFACT_TYPE implements SleuthkitVisitableItem {
                                      bundle.getString("BlackboardArtifact.tskInterestingArtifactHit.text")),	// Any artifact that should be called out
         TSK_GPS_ROUTE(36, "TSK_GPS_ROUTE", //NON-NLS
                       bundle.getString("BlackboardArtifact.tskGpsRoute.text")),	// Route based on GPS coordinates
+        TSK_REMOTE_DRIVE(37, "TSK_REMOTE_DRIVE", //NON-NLS
+                    bundle.getString("BlackboardArtifact.tskRemoteDrive.text")),
         ; 
 
 		/* SEE ABOVE -- KEEP C++ CODE IN SYNC */

bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java

@@ -314,6 +314,21 @@ public enum ATTRIBUTE_TYPE {
                     bundle.getString("BlackboardAttribute.tskGeoLongitudeEnd.text")), //Ending Location longitude
 		TSK_READ_STATUS(102, "TSK_READ_STATUS", //NON-NLS
                     bundle.getString("BlackboardAttribute.tskReadStatus.text")), // Message read status: 1 if read, 0 if unread
+        TSK_LOCAL_PATH(103, "TSK_LOCAL_PATH", //NON-NLS
+                    bundle.getString("BlackboardAttribute.tskLocalPath.text")), // Local path to a network drive
+        TSK_REMOTE_PATH(104, "TSK_REMOTE_PATH", //NON-NLS
+                    bundle.getString("BlackboardAttribute.tskRemotePath.text")), // Remote path of a network drive
+        TSK_PROCESSOR_NAME(105, "TSK_PROCESSOR_NAME", //NON-NLS
+                    bundle.getString("BlackboardAttribute.tskProcessorName.text")), // Processor name
+        TSK_TEMP_DIR(106, "TSK_TEMP_DIR", //NON-NLS
+                    bundle.getString("BlackboardAttribute.tskTempDir.text")), // Default temporary files directory
+        TSK_PRODUCT_ID(107, "TSK_PRODUCT_ID", //NON-NLS
+                    bundle.getString("BlackboardAttribute.tskProductId.text")), // Product ID
+        TSK_OWNER(108, "TSK_OWNER", //NON-NLS
+                    bundle.getString("BlackboardAttribute.tskOwner.text")), // Registered owner of a piece of software
+        TSK_ORGANIZATION(109, "TSK_ORGANIZATION", //NON-NLS
+                    bundle.getString("BlackboardAttribute.tskOrganization.text")), // Registered Organization for a piece of software
+		
 		;
 		/* SEE ABOVE -- ALSO ADD TO C++ CODE */
 		private String label;

bindings/java/src/org/sleuthkit/datamodel/Bundle.properties

@@ -33,6 +33,7 @@ BlackboardArtifact.tskProgRun.text=Run Programs
 BlackboardArtifact.tskEncryptionDetected.text=Encryption Detected
 BlackboardArtifact.tskExtMismatchDetected.text=Extension Mismatch Detected
 BlackboardArtifact.tskInterestingArtifactHit.text=Interesting Results
+BlackboardArtifact.tskRemoteDrive.text=Remote Drive
 BlackboardAttribute.tskUrl.text=URL
 BlackboardAttribute.tskDatetime.text=Date/Time
 BlackboardAttribute.tskName.text=Name
@@ -128,6 +129,13 @@ BlackboardAttribute.tskPathSource.text=Path Source
 BlackboardAttribute.tskPermissions.text=Permissions
 BlackboardAttribute.tskAssociatedArtifact.text=Associated Artifact
 BlackboardAttribute.tskIsDeleted.text=Is Deleted
+BlackboardAttribute.tskLocalPath.text=Local Path
+BlackboardAttribute.tskRemotePath.text=Remote Path
+BlackboardAttribute.tskProcessorName.text=Processor Name
+BlackboardAttribute.tskTempDir.text=Temporary Files Directory
+BlackboardAttribute.tskProductId.text=Product ID
+BlackboardAttribute.tskOwner.text=Owner
+BlackboardAttribute.tskOrganization.text=Organization
 AbstractFile.readLocal.exception.msg4.text=Error reading local file\: {0}
 AbstractFile.readLocal.exception.msg1.text=Error reading local file, local path is not set
 AbstractFile.readLocal.exception.msg2.text=Error reading local file, it does not exist at local path\: {0}

bindings/java/src/org/sleuthkit/datamodel/OSInfo.java

+/*
+ * Sleuth Kit Data Model
+ * 
+ * Copyright 2013 Basis Technology Corp.
+ * Contact: carrier <at> sleuthkit <dot> org
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.datamodel;
+
+import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
+
+import java.util.Map;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Utility class to hold information from OS Info artifacts
+ */
+public class OSInfo {
+
+	private final List<BlackboardArtifact> artifacts;
+	private final Map<Integer, String> attributeMap;
+	private final boolean isBackup;
+	private final boolean haveFsContent;
+	private final long fileSystemId;
+	private final boolean haveParentId;
+	private final long parentObjId;
+
+	public OSInfo() {
+		artifacts = new ArrayList<BlackboardArtifact>();
+		attributeMap = new HashMap<Integer, String>();
+		isBackup = false;
+		fileSystemId = 0;
+		haveFsContent = false;
+		parentObjId = 0;
+		haveParentId = false;
+	}
+
+	/**
+	 * Initialize an OSInfo object
+	 *
+	 * @param a_art - OSInfo artifact associated with one registry hive
+	 * @param a_isBackup - True if the registry hive was found in a "RegBack"
+	 * directory
+	 * @param a_fileSystemId - File system ID for FS containing the registry
+	 * hive
+	 * @param a_parent - Parent directory containing the registry hive. Can be
+	 * null
+	 * @throws TskCoreException
+	 */
+	public OSInfo(BlackboardArtifact a_art, boolean a_isBackup, long a_fileSystemId, Content a_parent) throws TskCoreException {
+		artifacts = new ArrayList<BlackboardArtifact>();
+		artifacts.add(a_art);
+		isBackup = a_isBackup;
+		fileSystemId = a_fileSystemId;
+		haveFsContent = true;
+		attributeMap = new HashMap<Integer, String>();
+		for (BlackboardAttribute attr : a_art.getAttributes()) {
+			attributeMap.put(attr.getAttributeTypeID(), attr.getValueString());
+		}
+
+		if (a_parent != null) {
+			parentObjId = a_parent.getId();
+			haveParentId = true;
+		} else {
+			parentObjId = 0;
+			haveParentId = false;
+		}
+	}
+
+	/**
+	 * Initialize an OSInfo object (without file system information)
+	 *
+	 * @param a_art - OSInfo artifact associated with one registry hive
+	 * @param a_isBackup - True if the registry hive was found in a "RegBack"
+	 * directory
+	 * @param a_parent - Parent directory containing the registry hive. Can be
+	 * null
+	 * @throws TskCoreException
+	 */
+	public OSInfo(BlackboardArtifact a_art, boolean a_isBackup, Content a_parent) throws TskCoreException {
+		artifacts = new ArrayList<BlackboardArtifact>();
+		artifacts.add(a_art);
+		isBackup = a_isBackup;
+		fileSystemId = 0;
+		haveFsContent = false;
+		if (a_parent != null) {
+			parentObjId = a_parent.getId();
+			haveParentId = true;
+		} else {
+			parentObjId = 0;
+			haveParentId = false;
+		}
+		attributeMap = new HashMap<Integer, String>();
+		for (BlackboardAttribute attr : a_art.getAttributes()) {
+			attributeMap.put(attr.getAttributeTypeID(), attr.getValueString());
+		}
+	}
+
+	/**
+	 * Determine whether two OSInfo objects should be combined.
+	 *
+	 * @param a_osInfo - the OSInfo object to compare against
+	 * @return
+	 */
+	public boolean matches(OSInfo a_osInfo) {
+
+		// Check if the two are in the same directory.
+		// OSInfo is only dependant on SYSTEM and SOFTWARE, which should always be in the same directory
+		// on the file system.
+		if (haveParentId && a_osInfo.haveParentId) {
+
+			return (parentObjId == a_osInfo.parentObjId);
+		}
+
+		// If we don't have a parent directory, just see if they're on the same file system,
+		// and both have the same backup status.
+		if (haveFsContent && a_osInfo.haveFsContent) {
+			return ((a_osInfo.isBackup == isBackup) && (a_osInfo.fileSystemId == fileSystemId));
+		}
+
+		return false;
+	}
+
+	/**
+	 * Combine the attribute map for two OSInfo objects.
+	 *
+	 * @param a_osInfo - The OSInfo object to combine with
+	 */
+	public void combine(OSInfo a_osInfo) {
+		artifacts.addAll(a_osInfo.artifacts);
+		attributeMap.putAll(a_osInfo.attributeMap);
+	}
+
+	public List<BlackboardArtifact> getArtifacts() {
+		return artifacts;
+	}
+
+	public boolean haveFileSystem() {
+		return haveFsContent;
+	}
+
+	public long getFileSystemId() {
+		return fileSystemId;
+	}
+
+	public boolean getIsBackup() {
+		return isBackup;
+	}
+
+	/**
+	 * Generic method to get an OSInfo attribute value by ATTRIBUTE_TYPE.
+	 *
+	 * @param attrType - the attribute to get
+	 * @return
+	 */
+	public String getAttributeValue(ATTRIBUTE_TYPE attrType) {
+		if (attributeMap.containsKey(attrType.getTypeID())) {
+			return attributeMap.get(attrType.getTypeID());
+		}
+		return "";
+	}
+
+	/*
+	 * Dedicated getters for the most common attributes.
+	 */
+	public String getCompName() {
+		return getAttributeValue(ATTRIBUTE_TYPE.TSK_NAME);
+	}
+
+	public String getProcessorArchitecture() {
+		return getAttributeValue(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE);
+	}
+
+	public String getDomain() {
+		return getAttributeValue(ATTRIBUTE_TYPE.TSK_DOMAIN);
+	}
+
+	public String getOSName() {
+		return getAttributeValue(ATTRIBUTE_TYPE.TSK_PROG_NAME);
+	}
+
+}

bindings/java/src/org/sleuthkit/datamodel/OSUtility.java

+/*
+ * Sleuth Kit Data Model
+ * 
+ * Copyright 2013 Basis Technology Corp.
+ * Contact: carrier <at> sleuthkit <dot> org
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.datamodel;
+
+import java.util.List;
+import java.util.ArrayList;
+
+import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
+
+/**
+ * Utility class to combine information from various OS info artifacts into
+ * fewer objects.
+ */
+public class OSUtility {
+
+	private OSUtility() {
+	}
+
+	/**
+	 * Get all non-backup OSInfo data
+	 *
+	 * @param skCase - Have to pass this in because we don't have access to the
+	 * normal method
+	 * @return List of OSInfo objects
+	 * @throws TskCoreException
+	 */
+	public static List<OSInfo> getOSInfo(SleuthkitCase skCase) throws TskCoreException {
+		return getOSInfoInternal(skCase, false, false, 0);
+	}
+
+	/**
+	 * Get OSInfo from the same file system as the given object. Will not
+	 * include backups.
+	 *
+	 * @param skCase - Have to pass this in because we don't have access to the
+	 * normal method
+	 * @param fsc - FsContent from the same file system we want the OS
+	 * information from
+	 * @return - List of OSInfo objects
+	 * @throws TskCoreException
+	 */
+	public static List<OSInfo> getOSInfo(SleuthkitCase skCase, FsContent fsc) throws TskCoreException {
+		return getOSInfoInternal(skCase, false, true, fsc.getFileSystemId());
+	}
+
+	/**
+	 * Creates a list of all OS Info data on any file system, including the
+	 * backups
+	 *
+	 * @param skCase - Have to pass this in because we don't have access to the
+	 * normal method
+	 * @return - List of OSInfo objects
+	 * @throws TskCoreException
+	 */
+	public static List<OSInfo> getAllOSInfo(SleuthkitCase skCase) throws TskCoreException {
+		return getOSInfoInternal(skCase, true, false, 0);
+	}
+
+	/**
+	 * Internal method to find and combine the requested OS Info data.
+	 *
+	 * @param skCase - Have to pass this in because we don't have access to the
+	 * normal method
+	 * @param includeBackups - true if we should include registry data found in
+	 * "RegBack"
+	 * @param restrictFs - true if an file system id is being provided to match
+	 * against
+	 * @param fsId - the file system ID that the registry hives must be on (if
+	 * restrictFs is set)
+	 * @return - List of OSInfo objects
+	 * @throws TskCoreException
+	 */
+	private static List<OSInfo> getOSInfoInternal(SleuthkitCase skCase, boolean includeBackups,
+			boolean restrictFs, long fsId) throws TskCoreException {
+
+		List<OSInfo> infoList = new ArrayList<OSInfo>();
+
+		// Get all OS_INFO artifacts for this case
+		ArrayList<BlackboardArtifact> results = skCase.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO);
+
+		for (BlackboardArtifact art : results) {
+
+			AbstractFile file = skCase.getAbstractFileById(art.getObjectID());
+
+			// Check if we're in a backup directory. If so and we're not including backups,
+			// skip this artifact.
+			boolean isBackup = file.getParentPath().contains("RegBack");
+			if (isBackup && (!includeBackups)) {
+				continue;
+			}
+
+			// FsContent allows us to get the file system ID.
+			if (file instanceof FsContent) {
+				FsContent fsc = (FsContent) file;
+
+				// If we're restricting the file system, skip any that don't match
+				if (restrictFs && (fsId != fsc.getFileSystemId())) {
+					continue;
+				}
+
+				// Make a new OSInfo object
+				OSInfo newInfo = new OSInfo(art, isBackup, fsc.getFileSystemId(), file.getParent());
+
+				// Attempt to merge it with an existing object
+				boolean mergedInfo = false;
+				for (OSInfo info : infoList) {
+					if (info.matches(newInfo)) {
+						info.combine(newInfo);
+						mergedInfo = true;
+						break;
+					}
+				}
+
+				// If nothing matched, add the new object to the list
+				if (!mergedInfo) {
+					infoList.add(newInfo);
+				}
+			} else if (!restrictFs) {
+				// Make a new OSInfo object (no file system ID in this case)
+				OSInfo newInfo = new OSInfo(art, isBackup, file.getParent());
+
+				// Attempt to merge it with an existing object
+				boolean mergedInfo = false;
+				for (OSInfo info : infoList) {
+					if (info.matches(newInfo)) {
+						info.combine(newInfo);
+						mergedInfo = true;
+						break;
+					}
+				}
+
+				// If nothing matched, add the new object to the list
+				if (!mergedInfo) {
+					infoList.add(newInfo);
+				}
+			} else {
+				// If we're limiting the search to one FS, don't include any
+				// data we can't find the FS for
+			}
+		}
+
+		return infoList;
+	}
+
+}

framework/tsk/framework/services/TskBlackboard.cpp

@@ -48,6 +48,7 @@ map<int, TskArtifactNames> initializeArtifactTypeMap(){
     retval.insert(pair<int, TskArtifactNames>(TSK_EXT_MISMATCH_DETECTED, TskArtifactNames("TSK_EXT_MISMATCH_DETECTED", "Extension Mismatch Detected")));
     retval.insert(pair<int, TskArtifactNames>(TSK_INTERESTING_ARTIFACT_HIT, TskArtifactNames("TSK_INTERESTING_ARTIFACT_HIT", "Interesting Results")));
     retval.insert(pair<int, TskArtifactNames>(TSK_GPS_ROUTE, TskArtifactNames("TSK_GPS_ROUTE", "GPS Route")));
+    retval.insert(pair<int, TskArtifactNames>(TSK_REMOTE_DRIVE, TskArtifactNames("TSK_REMOTE_DRIVE", "Remote Drive")));
 
     return retval;
 }
@@ -153,6 +154,13 @@ map<int, TskAttributeNames> initializeAttributeTypeMap(){
     retval.insert(pair<int, TskAttributeNames>(TSK_GEO_LONGITUDE_START, TskAttributeNames("TSK_GEO_LONGITUDE_START", "Starting Longitude")));
     retval.insert(pair<int, TskAttributeNames>(TSK_GEO_LONGITUDE_END, TskAttributeNames("TSK_GEO_LONGITUDE_END", "Ending Longitude")));
     retval.insert(pair<int, TskAttributeNames>(TSK_READ_STATUS, TskAttributeNames("TSK_READ_STATUS",  "Read")));
+    retval.insert(pair<int, TskAttributeNames>(TSK_LOCAL_PATH, TskAttributeNames("TSK_LOCAL_PATH",  "Local Path")));
+    retval.insert(pair<int, TskAttributeNames>(TSK_REMOTE_PATH, TskAttributeNames("TSK_REMOTE_PATH",  "Remote Path")));
+    retval.insert(pair<int, TskAttributeNames>(TSK_PROCESSOR_NAME, TskAttributeNames("TSK_PROCESSOR_NAME",  "Processor Name")));
+    retval.insert(pair<int, TskAttributeNames>(TSK_TEMP_DIR, TskAttributeNames("TSK_TEMP_DIR",  "Temporary Files Directory")));
+    retval.insert(pair<int, TskAttributeNames>(TSK_PRODUCT_ID, TskAttributeNames("TSK_PRODUCT_ID",  "Product ID")));
+    retval.insert(pair<int, TskAttributeNames>(TSK_OWNER, TskAttributeNames("TSK_OWNER",  "Owner")));
+    retval.insert(pair<int, TskAttributeNames>(TSK_ORGANIZATION, TskAttributeNames("TSK_ORGANIZATION",  "Organization")));
 
     return retval;
 }

framework/tsk/framework/services/TskBlackboard.h

@@ -82,6 +82,7 @@ enum TSK_ARTIFACT_TYPE {
     TSK_EXT_MISMATCH_DETECTED = 34, ///< Extension Mismatch
     TSK_INTERESTING_ARTIFACT_HIT = 35,	///< Any artifact interesting enough that it should be called out in the UI.
 	TSK_GPS_ROUTE = 36,	///< Route based on GPS coordinates
+	TSK_REMOTE_DRIVE = 37, ///< Network drive
     
     /* SEE ABOVE:
     * - KEEP JAVA CODE IN SYNC 
@@ -202,6 +203,14 @@ enum TSK_ATTRIBUTE_TYPE {
     TSK_GEO_LONGITUDE_START= 100, ///< Starting location longitude
     TSK_GEO_LONGITUDE_END = 101, ///< Ending Location longitude
     TSK_READ_STATUS = 102, ///< Message read status: 1 if read, 0 if unread
+    TSK_LOCAL_PATH = 103, ///< Local path to a network share
+    TSK_REMOTE_PATH = 104, ///< Remote path of the network share
+	TSK_PROCESSOR_NAME = 105, ///< Processor name (ex: Intel64 Family 6 Model 58 Stepping 9, GenuineIntel)
+    TSK_TEMP_DIR = 106, ///< Path to the default temp directory
+    TSK_PRODUCT_ID = 107, ///< ID string
+    TSK_OWNER = 108, ///< Registered owner for software
+    TSK_ORGANIZATION = 109, ///< Registered organization for software
+
     /* SEE ABOVE: 
     * - KEEP JAVA CODE IN SYNC 
     * - UPDATE map in TskBlackBoard.cpp too */