From cbb8f8f9d4088688643ee262a18558a863e8d0f4 Mon Sep 17 00:00:00 2001 From: Fabrizio Turchi Date: Mon, 30 Sep 2024 10:50:46 +0200 Subject: [PATCH] Extract application from BrowserCookie Artifact --- .gitmodules | 2 +- UFEDtoJSON.py | 40 ++++++++++++++++++++++++++++++---------- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/.gitmodules b/.gitmodules index 2ee37a5..6152477 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ [submodule "CASE-Mapping-Python"] - path = dependencies/CASE-Mapping-Python + path = dependencies/CASE_Mapping_Python url = https://github.com/casework/CASE-Mapping-Python.git diff --git a/UFEDtoJSON.py b/UFEDtoJSON.py index e7616a7..ca7c384 100644 --- a/UFEDtoJSON.py +++ b/UFEDtoJSON.py @@ -5,7 +5,7 @@ import re import sys #from UFED_case_generator import * -from dependencies.CASE_Mapping_Python import base, case, drafting, uco +from dependencies.CASE_Mapping_Python.case_mapping import base, case, drafting, uco from datetime import datetime, date from typing import Dict, List, Optional, Union @@ -287,11 +287,8 @@ def __generateContextUfed(self, ufedVersion, deviceReportCreateTime, # generate Trace/Role for the Performer, D.F. Expert, of the Actions object_role = self.__generateTraceRole('Digital Forensic Expert') - # generate Trace/Relation between the above Role and the Identity traces - # the Relationshi accept ObservableObjects only, so this statement - # raises an error of Type - # self.__generateTraceRelation(object_identity, object_role, - # 'has_role', '', '', None, None); + # generate Trace/Relation between Role and Identity by using the core Relationship + self.__generateTraceRelationCore(object_identity, object_role, relation='Has_Role'); #--- The XML report contains the attribute DeviceInfoExtractionStartDateTime # that is the Acquisition Start Date and similarly for the Acquisition 
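Review bot: The relationship kind on the added call in `__generateContextUfed` is a bare literal, `relation='Has_Role'`, while the commented-out call it replaces spelled it `'has_role'`. Anything downstream that looks up the examiner's role in the provenance graph by this string depends on the exact casing. I would keep the spelling in one module-level constant, e.g. `REL_HAS_ROLE = 'Has_Role'`, and pass `relation=REL_HAS_ROLE`. The trailing `;` on that line can go as well. The function starts and ends outside this hunk, so I cannot see whether the returned relationship is needed later.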
@@ -556,9 +553,12 @@ def __generateTraceWebBookmark(self, wb_id, wb_source, wb_timeStamp, wb_path, wb wb_timeStamp = None else: wb_timeStamp = self.cleanDate(wb_timeStamp) + + url_id = self.__generateTraceURLFullValue(wb_url) + facet_web_bookmark = uco.observable.BrowserBookmarkFacet( application_id=objet_app, - urlTargeted=wb_url, + urlTargeted_id=url_id, bookmarkPath=wb_path, accessedTime=wb_timeStamp ) @@ -701,6 +701,10 @@ def __generateTraceDevice(self, deviceMAC, deviceSN, deviceModel, def __generate_trace_cookie(self, cookie_id, cookie_status, cookie_source, cookie_name, cookie_path, cookie_domain, cookie_creationTime, cookie_lastAccessedTime, cookie_expiry): + id_app = None + if cookie_source.strip() != "": + id_app = self.__check_application_name(cookie_source.strip()) + cookie_creationTime = self.cleanDate(cookie_creationTime) cookie_lastAccessedTime = self.cleanDate(cookie_lastAccessedTime) cookie_expiry = self.cleanDate(cookie_expiry) @@ -709,10 +713,11 @@ def __generate_trace_cookie(self, cookie_id, cookie_status, observable_source = self.__check_application_name(cookie_source) observable_domain = self.__check_application_name(cookie_domain) facet_cookie = uco.observable.BrowserCookieFacet( - name=cookie_name, - path=cookie_path, + application = id_app, + cookie_name=cookie_name, + cookie_path=cookie_path, created_time=cookie_creationTime, - last_access_time=cookie_lastAccessedTime, + accessed_time=cookie_lastAccessedTime, expiration_time=cookie_expiry ) cookie_object.append_facets(facet_cookie) 
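Review bot: `self.__generateTraceURLFullValue(wb_url)` is now called for every bookmark, including ones whose URL is missing or empty in the report, and its result goes straight into `urlTargeted_id`. The helper is not visible here, but if it does not reject empty values the output will carry a URL object that never existed on the device. A guard such as `url_id = self.__generateTraceURLFullValue(wb_url) if wb_url and wb_url.strip() else None` keeps the bookmark without inventing a target, provided the facet accepts `None` there. `__generateTraceWebBookmark` starts and ends outside the hunk.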
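Review bot: `cookie_source.strip()` at the top of `__generate_trace_cookie` raises `AttributeError` if the parser hands over `None` for a cookie with no source, which would abort the conversion of an otherwise valid extraction. Normalising once covers that and removes the second `strip()`: `source_name = (cookie_source or "").strip()` followed by `id_app = self.__check_application_name(source_name) if source_name else None`. Whether callers can pass `None` is not visible in this hunk, so treat the failure case as possible rather than confirmed.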
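Review bot: The context line `observable_source = self.__check_application_name(cookie_source)` in the second `__generate_trace_cookie` hunk still runs the same lookup with the unstripped name, right after `id_app` was resolved from the stripped one. If `__check_application_name` keys on the exact string (not shown here), a source with stray whitespace could end up as two application objects in the bundle, only one of them linked from the cookie facet. Reusing the earlier result, `observable_source = id_app`, avoids that, assuming later code tolerates `None`; the rest of the function is outside the hunk. As a style point, keyword arguments take no spaces around `=`: `application=id_app,`.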
@@ -1063,6 +1068,21 @@ def __generateTraceProvencance(self, uco_core_objects, description, self.bundle.append_to_uco_object(case_provenance) return case_provenance + def __generateTraceRelationCore(self, source, target, relation, start_date=None, end_date=None): + if isinstance(start_date, str): + start_date = self.cleanDate(start_date) + if isinstance(end_date, str): + end_date = self.cleanDate(end_date) + core_relationship = uco.core.Relationship( + source=source, + target=target, + start_time=start_date, + end_time=end_date, + kind_of_relationship=relation, + directional=True) + self.bundle.append_to_uco_object(core_relationship) + return core_relationship + def __generateTraceRelation(self, source, target, relation, table, offset, start_date, end_date): if isinstance(start_date, str):
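Review bot: `__generateTraceRelationCore` has no docstring, and nothing tells a maintainer when to use it instead of `__generateTraceRelation` directly below. The comment removed earlier in this commit said the latter accepts ObservableObjects only, which is worth recording here. I would add a short docstring stating that this method links core objects such as Identity and Role through `uco.core.Relationship`, that string dates go through `cleanDate`, and that the relationship is appended to the bundle and returned. It also appends a relationship even when `source` or `target` is `None`; `if source is None or target is None: return None` before building it would keep dangling edges out of the output. `__generateTraceRelation` continues past the end of the hunk.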