Add modules utils under mix_utils folder to avoid duplication in JSON…

.gitignore

@@ -9,6 +9,8 @@
 .venv/
 venv/
 
+*wpr
+*wpu
 # Build Artifacts
 build/
 dist/

case_mapping/uco/observable.py

@@ -485,9 +485,51 @@ def __init__(
                 "uco-observable:userName": url_username,
             }
         )
-        self._int_vars(**{"uco-observable:port": url_port})
-
-
+        self._int_vars(**{"uco-observable:port": url_port})        
+
+class FacetBrowserBookmark(FacetEntity):
+    def __init__(
+        self,
+        accessedTime=None,
+        application_id=None,
+        bookmarkPath=None,
+        modifiedTime=None,
+        createdTime=None,
+        urlTargeted_id=None,
+        visitCount=None
+    ):
+        """
+        This CASEObject represents a grouping of characteristics unique to a saved shortcut that directs a
+        WWW (World Wide Web) browser software program to a particular WWW accessible resource.
+        :param accessedTime: The date and time at which the Object was accessed (dateTime).
+        :param application_id: The application associated with this object (ObservableObject).
+        :param bookmarkPath: The folder containing the bookmark (string).
+        :param modifiedTime: The date and time at which the Object was last modified (dateTime).
+        :param createdTime: The date and time at which the observable object being characterized was created (dateTime).
+        :param urlTargeted_id: The target of the bookmark. (anyURI).
+        :param visitCount: Specifies the number of times a URL has been visited by a particular web browser (integer).
+        """
+        super().__init__()
+        self["@type"] = "uco-observable:BrowserBookmarkFacet"
+        self._str_vars(
+            **{
+                "observable:bookmarkPath": bookmarkPath
+            }
+        )
+        self._int_vars(
+            **{
+                "uco-observable:visitCount": visitCount
+            }
+        )
+        self._node_reference_vars(**{"uco-observable:application": application_id,
+                                     "uco-observable:urlTargeted": urlTargeted_id} )
+        self._datetime_vars(
+            **{
+                "uco-observable:observableCreatedTime": accessedTime,
+                "uco-observable:modifiedTime": modifiedTime,
+                "uco-observable:accessedTime": accessedTime
+            })      
+
 class FacetRasterPicture(FacetEntity):
     def __init__(
         self,
@@ -1015,6 +1057,8 @@ def __init__(
         cyber_action=None,
         computer_name=None,
         created_time=None,
+        start_time=None,
+        end_time=None
     ):
         """
          An event facet is a grouping of characteristics unique to something that happens in a digital context
@@ -1023,10 +1067,12 @@ def __init__(
         :param event_text: The textual representation of the event.
         :param event_id: The identifier of the event.
         :param cyber_action: The action taken in response to the event.
-        :param computer_name: A name of the computer on which the log entry was created.
+        :param created_time: The date and time at which the observable object being characterized was created.
+        :param start_time: The date and time at which the observable object being characterized started.
+        :param end_time: The date and time at which the observable object being characterized ended.
         """
         super().__init__()
-        self["@type"] = "uco-observable:EventFacet"
+        self["@type"] = "uco-observable:EventRecordFacet"
         self._str_vars(
             **{
                 "uco-observable:eventType": event_type,
@@ -1036,7 +1082,8 @@ def __init__(
             }
         )
         self._node_reference_vars(**{"uco-observable:cyberAction": cyber_action})
-        self._datetime_vars(**{"uco-observable:observableCreatedTime": created_time})
+        self._datetime_vars(**{"uco-observable:startTime": start_time,
+                               "uco-observable:endTime": end_time})
 
 
 class ObservableRelationship(ObjectEntity):

case_mapping/uco/tool.py

@@ -8,7 +8,7 @@ def __init__(
         """
         The Uco tool is a way to define the specifics of a tool used in an investigation
         :param tool_name: The name of the tool (e.g., "exiftool")
-        :param tool_creator: The developer and or organisation that produces this tool {might need to add a dict here}
+        :param tool_creator: An ObservableObject The developer and or organisation that produces this tool {might need to add a dict here}
         :param tool_type: The type of tool
         :param tool_version: The version of the tool
         """
@@ -18,10 +18,10 @@ def __init__(
             **{
                 "uco-core:name": tool_name,
                 "uco-tool:version": tool_version,
-                "uco-tool:toolType": tool_type,
-                "uco-tool:creator": tool_creator,
+                "uco-tool:toolType": tool_type
             }
         )
+        self._node_reference_vars(**{"uco-tool:creator": tool_creator} )        
 
 
 directory = {"uco-tool:Tool": Tool}

mix_utils/utils.py

@@ -0,0 +1,151 @@
+import re
+from datetime import datetime
+
+class CheckDuplicate():    
+    """It aims to avoid duplication in the JSON/CASE file generated by the parsers (UFED, AXIOM etc.)
+    """    
+
+    def check_value(self, *args, value=None, list_values=None, list_objects=None, observable_generating_f=None):
+        """It checks if a specific value has been already generated related to an ObservableObject relying on
+        the list of its values. This is meant to avoid duplication in the JSON/CASE file generated by the
+        parsers (UFED, AXIOM etc.).
+        If the value is not in the list_values, a new ObservableObject is generated by using  the function
+        observable_generating_f that returns, as a result, the new ObservableObject (e.g. uco-observable:ApplicationFacet,
+        uco-observable:AccountFacet, uco-location:LatLongCoordinatesFacet: drafting:SearchedItemFacet, "uco-observable:URLFacet,
+        uco-observable:ApplicationAccountFacet, uco-observable:DigitalAccountFacet, uco-observable:PhoneAccountFacet).
+
+        Finally the new ObservableObject is added to the list_objects (any kind of ObservableObject maintains a different list).
+        If the value is already in the list_values, the ObservableObject list_objects[index] is returned.
+
+        :param value: the value to be checked within the list_values
+        :param list_values: the current list of values
+        :param list_objects: the current list of a specific kind of ObservableObject
+        :param observable_generating_f: the function that will generate the corresponding kind of ObservableObject
+        :param *args: the actual parameter of the observable_generating_f function
+        :return: an Observableobject of a specific kind depending by the actual parameters
+        """        
+        if value in list_values:
+            idx = list_values.index(value)            
+            observable_app = list_objects[idx]
+        else:            
+            observable_app = observable_generating_f(*args)
+            list_values.append(value)
+            list_objects.append(observable_app)
+
+        return observable_app
+
+class AdjustText():    
+    """It amends the data to either make it homogeneous or get rid of some dirty chracters extracted from the XML reports.
+    """      
+    def adjust_date(self, original_date=''):
+        """
+        Amend the original date to convert it into a uniform format. The xsd:dateTime will have the format
+        YYYY-MM-DDTHH:MM:SS(+HH:MM).
+        """
+        aMonths = {
+            'Jan': '01',
+            'Feb': '02',
+            'Mar': '03',
+            'Apr': '04',
+            'May': '05',
+            'Jun': '06',
+            'Jul': '07',
+            'Aug': '08',
+            'Sep': '09',
+            'Oct': '10',
+            'Nov': '11',
+            'Dec': '12'
+        }
+
+        chars_to_replace = {
+            "/" : "-",
+            "(" : "-",
+            ")" :  "-", 
+            'UTC':  '',
+            'AM': '',
+            'PM': ''
+        }
+
+        uniform_date = original_date.strip()
+
+        if 	uniform_date == '':
+            return None
+
+        for k,v in aMonths.items():
+            if uniform_date.find(k) > -1:
+                uniform_date = uniform_date.replace(k, v)
+                break
+        for k,v in chars_to_replace.items():
+            uniform_date = uniform_date.replace(k, v)
+
+        uniform_date = uniform_date.replace(' ', 'T', 1)
+
+        if re.search('^[0-9]{4}', uniform_date):
+            pass
+        else:
+            # when uniform_date is in Italian formato and the Year is placed before 'T' and 
+            # composed of two digits, i.e. Year=YY
+            uniform_date = re.sub('-([0-9][0-9])T', '-20\g<1>T', uniform_date)
+            uniform_date = str(uniform_date[6:10]) + uniform_date[2:6] + uniform_date[0:2] + \
+                                uniform_date[10:] 
+
+        #start_tz = uniform_date.find("+")
+        #if start_tz > -1:
+        #    uniform_date = uniform_date[:start_tz]
+
+        date_chars = uniform_date[:10] # YYYY-MM-DD
+        date_chars = date_chars.replace(".", "-")
+        uniform_date = date_chars + uniform_date[10:]
+
+        #if uniform_date[-1] == '-':
+        #    uniform_date = uniform_date[0:-1]
+
+        uniform_date = uniform_date.replace('.000', '').replace('.', ':')
+
+        uniform_date = uniform_date.replace('.', ':')
+
+        if re.search('T\d{2}\.', uniform_date):
+            uniform_date = uniform_date.replace('.', ':')
+
+        if re.search('(\d{2}:\d{2}:\d{2})$', uniform_date):
+            pass
+        else:
+            uniform_date = re.sub('(\d{2}:\d{2})$', '\g<1>:00', uniform_date)
+
+        if re.search('T(\d):', uniform_date):
+            uniform_date = re.sub('T(\d):', 'T0\g<1>:', uniform_date)
+
+        if re.search(':(\d)', uniform_date):
+            uniform_date = re.sub(':(\d):', ':0\g<1>', uniform_date)
+
+        if re.search('T\d{2}:\d{2}:\d{2}(.+)$', uniform_date):
+            uniform_date = re.sub('(T\d{2}:\d{2}:\d{2})(.+)$', '\g<1>', uniform_date)
+
+
+        if uniform_date.find('+') > -1:
+            uniform_date = datetime.strptime(uniform_date, 
+                                                             '%Y-%m-%dT%H:%M:%S.%f%z')
+        else:
+            uniform_date = datetime.strptime(uniform_date, 
+                                                             '%Y-%m-%dT%H:%M:%S')
+
+        return uniform_date
+
+    def adjust_json(self, original_json=''):
+        """
+        It gets rid of some dirty characters not allowd in the JSON values.
+        """        
+        chars_to_replace = {
+            '"' : '',
+            '\n' : '',
+            '\r' : '', 
+            '\t':  '',
+            "\\'": '',
+            '\\': ''
+        }
+        conform_json = original_json.strip()        
+
+        for k,v in chars_to_replace.items():
+            conform_json = conform_json.replace(k, v)
+
+        return conform_json