sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

STIX report doesn't run in Autopsy 4.1.1 #2312

Open lorz opened 8 years ago

lorz commented 8 years ago

I get the following error when I try to create a STIX report using this image:

Error loading STIX file (javax.xml.bind.UnmarshalException: elemento inesperado (URI:"http://www.w3.org/2001/XMLSchema", local:"schema"). Los elementos esperados son <{http://cybox.mitre.org/objects#APIObject-2}API>,<{http://cybox.mitre.org/objects#ARPCacheObject-1}ARP_Cache>,<{http://cybox.mitre.org/objects#ASObject-1}AS>,<{http://cybox.mitre.org/objects#AccountObject-2}Account>,<{http://cybox.mitre.org/cybox-2}Action>,<{http://cybox.mitre.org/objects#AddressObject-2}Address>,<{http://cybox.mitre.org/objects#ArchiveFileObject-1}Archive_File>,<{http://cybox.mitre.org/objects#ArtifactObject-2}Artifact>,<{http://stix.mitre.org/Campaign-1}Campaign>,<{http://cybox.mitre.org/objects#CodeObject-2}Code_Object>,<{http://stix.mitre.org/CourseOfAction-1}Course_Of_Action>,<{http://cybox.mitre.org/objects#CustomObject-1}Custom>,<{http://cybox.mitre.org/objects#DNSCacheObject-2}DNS_Cache>,<{http://cybox.mitre.org/objects#DNSQueryObject-2}DNS_Query>,<{http://cybox.mitre.org/objects#DNSRecordObject-2}DNS_Record>,<{http://cybox.mitre.org/objects#DeviceObject-2}Device>,<{http://cybox.mitre.org/objects#DiskObject-2}Disk>,<{http://cybox.mitre.org/objects#DiskPartitionObject-2}Disk_Partition>,<{http://cybox.mitre.org/objects#DomainNameObject-1}Domain_Name>,<{http://cybox.mitre.org/objects#EmailMessageObject-2}Email_Message>,<{http://cybox.mitre.org/cybox-2}Event>,<{http://stix.mitre.org/ExploitTarget-1}Exploit_Target>,<{http://cybox.mitre.org/objects#FileObject-2}File>,<{http://cybox.mitre.org/objects#GUIDialogboxObject-2}GUI_Dialogbox>,<{http://cybox.mitre.org/objects#GUIObject-2}GUI_Object>,<{http://cybox.mitre.org/objects#GUIWindowObject-2}GUI_Window>,<{http://cybox.mitre.org/objects#HTTPSessionObject-2}HTTP_Session>,<{http://cybox.mitre.org/objects#HostnameObject-1}Hostname>,<{http://cybox.mitre.org/objects#ImageFileObject-1}Image_File>,<{http://stix.mitre.org/Incident-1}Incident>,<{http://stix.mitre.org/Indicator-2}Indicator>,<{http://cybox.mitre.org/objects#LibraryObject-2}Librar
y>,<{http://cybox.mitre.org/objects#LinkObject-1}Link>,<{http://cybox.mitre.org/objects#LinuxPackageObject-2}Linux_Package>,<{http://cybox.mitre.org/objects#MemoryObject-2}Memory_Region>,<{http://cybox.mitre.org/objects#MutexObject-2}Mutex>,<{http://cybox.mitre.org/objects#NetworkConnectionObject-2}Network_Connection>,<{http://cybox.mitre.org/objects#NetworkFlowObject-2}Network_Flow_Object>,<{http://cybox.mitre.org/objects#PacketObject-2}Network_Packet>,<{http://cybox.mitre.org/objects#NetworkRouteEntryObject-2}Network_Route_Entry>,<{http://cybox.mitre.org/objects#NetworkRouteObject-2}Network_Route_Object>,<{http://cybox.mitre.org/objects#NetworkSocketObject-2}Network_Socket>,<{http://cybox.mitre.org/objects#NetworkSubnetObject-2}Network_Subnet>,<{http://cybox.mitre.org/cybox-2}Object>,<{http://cybox.mitre.org/cybox-2}Observable>,<{http://cybox.mitre.org/cybox-2}Observables>,<{http://cybox.mitre.org/objects#PDFFileObject-1}PDF_File>,<{http://cybox.mitre.org/objects#PipeObject-2}Pipe>,<{http://cybox.mitre.org/objects#PortObject-2}Port>,<{http://cybox.mitre.org/objects#ProcessObject-2}Process>,<{http://cybox.mitre.org/objects#ProductObject-2}Product>,<{http://cybox.mitre.org/cybox-2}Property>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}Resource>,<{http://cybox.mitre.org/objects#SMSMessageObject-1}SMS_Message>,<{http://stix.mitre.org/stix-1}STIX_Package>,<{http://cybox.mitre.org/objects#SemaphoreObject-2}Semaphore>,<{http://cybox.mitre.org/objects#SocketAddressObject-1}Socket_Address>,<{http://cybox.mitre.org/objects#SystemObject-2}System>,<{http://stix.mitre.org/TTP-1}TTP>,<{http://stix.mitre.org/ThreatActor-1}Threat_Actor>,<{http://cybox.mitre.org/objects#URIObject-2}URI>,<{http://cybox.mitre.org/objects#URLHistoryObject-1}URL_History>,<{http://cybox.mitre.org/objects#UnixFileObject-2}Unix_File>,<{http://cybox.mitre.org/objects#UnixNetworkRouteEntryObject-2}Unix_Network_Route_Entry>,<{http://cybox.mitre.org/objects#UnixPipeObject-2}Unix_Pipe>,<{http://
cybox.mitre.org/objects#UnixProcessObject-2}Unix_Process>,<{http://cybox.mitre.org/objects#UnixUserAccountObject-2}Unix_User_Account>,<{http://cybox.mitre.org/objects#UnixVolumeObject-2}Unix_Volume>,<{http://cybox.mitre.org/objects#UserAccountObject-2}User_Account>,<{http://cybox.mitre.org/objects#UserSessionObject-2}User_Session>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}VersionInfoResource>,<{http://cybox.mitre.org/objects#VolumeObject-2}Volume>,<{http://cybox.mitre.org/objects#WhoisObject-2}Whois_Entry>,<{http://cybox.mitre.org/objects#WinSemaphoreObject-2}Win_Semaphore>,<{http://cybox.mitre.org/objects#WinComputerAccountObject-2}Windows_Computer_Account>,<{http://cybox.mitre.org/objects#WinCriticalSectionObject-2}Windows_Critical_Section>,<{http://cybox.mitre.org/objects#WinDriverObject-3}Windows_Driver>,<{http://cybox.mitre.org/objects#WinEventObject-2}Windows_Event>,<{http://cybox.mitre.org/objects#WinEventLogObject-2}Windows_Event_Log>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}Windows_Executable_File>,<{http://cybox.mitre.org/objects#WinFileObject-2}Windows_File>,<{http://cybox.mitre.org/objects#WinFilemappingObject-1}Windows_Filemapping>,<{http://cybox.mitre.org/objects#WinHandleObject-2}Windows_Handle>,<{http://cybox.mitre.org/objects#WinHookObject-1}Windows_Hook>,<{http://cybox.mitre.org/objects#WinKernelObject-2}Windows_Kernel>,<{http://cybox.mitre.org/objects#WinKernelHookObject-2}Windows_Kernel_Hook>,<{http://cybox.mitre.org/objects#WinMailslotObject-2}Windows_Mailslot>,<{http://cybox.mitre.org/objects#WinMemoryPageRegionObject-2}Windows_Memory_Page_Region>,<{http://cybox.mitre.org/objects#WinMutexObject-2}Windows_Mutex>,<{http://cybox.mitre.org/objects#WinNetworkRouteEntryObject-2}Windows_Network_Route_Entry>,<{http://cybox.mitre.org/objects#WinNetworkShareObject-2}Windows_Network_Share>,<{http://cybox.mitre.org/objects#WinPipeObject-2}Windows_Pipe>,<{http://cybox.mitre.org/objects#WinPrefetchObject-2}Windows_Prefetch_
Entry>,<{http://cybox.mitre.org/objects#WinProcessObject-2}Windows_Process>,<{http://cybox.mitre.org/objects#WinRegistryKeyObject-2}Windows_Registry_Key>,<{http://cybox.mitre.org/objects#WinServiceObject-2}Windows_Service>,<{http://cybox.mitre.org/objects#WinSystemObject-2}Windows_System>,<{http://cybox.mitre.org/objects#WinSystemRestoreObject-2}Windows_System_Restore_Entry>,<{http://cybox.mitre.org/objects#WinTaskObject-2}Windows_Task>,<{http://cybox.mitre.org/objects#WinThreadObject-2}Windows_Thread>,<{http://cybox.mitre.org/objects#WinUserAccountObject-2}Windows_User_Account>,<{http://cybox.mitre.org/objects#WinVolumeObject-2}Windows_Volume>,<{http://cybox.mitre.org/objects#WinWaitableTimerObject-2}Windows_Waitable_Timer>,<{http://cybox.mitre.org/objects#X509CertificateObject-2}X509_Certificate>)

I've tried with several objects, such as URI or email message, but the error is always the same. I've also tested the 1.1 version of STIX in order to discard compatibility issues, but still no luck.

Any piece of advice here?

wishdasher commented 8 years ago

I was not able to reproduce this exception in report generation using the same image with a STIX file. Would it be possible for you to produce the STIX file you are using? Then we may be able to have a better idea of where the error is coming from.

wishdasher commented 8 years ago

An alternative is for you to test a sample STIX file to see if that one parses correctly for you. I've added it at https://github.com/wishdasher/autopsy-files

lorz commented 8 years ago

Dear Sophie,

First of all, I want to thank you for your fast answer. Let me explain the steps I follow in Autopsy:

1) I create my new case and load the image. I let Autopsy scan the files by running all modules. So far so good.

2) I press the generate report button > STIX > Now, I have 2 alternatives. In one case I choose the "stix_v1.2_offline\cybox\objects" folder (http://stix.mitre.org/language/version1.2/stix_v1.2_offline.zip), and in the other one I just choose a single file, for instance, "Email_Message_Object.xsd".

3) In any case I always get an error. For example, if I choose the "Email_Message_Object.xsd" file, this is what Autopsy returns:

Error loading STIX file (javax.xml.bind.UnmarshalException: elemento inesperado (URI:"http://www.w3.org/2001/XMLSchema", local:"schema"). Los elementos esperados son <{http://cybox.mitre.org/objects#APIObject-2}API>,<{http://cybox.mitre.org/objects#ARPCacheObject-1}ARP_Cache>,<{http://cybox.mitre.org/objects#ASObject-1}AS>,<{http://cybox.mitre.org/objects#AccountObject-2}Account>,<{http://cybox.mitre.org/cybox-2}Action>,<{http://cybox.mitre.org/objects#AddressObject-2}Address>,<{http://cybox.mitre.org/objects#ArchiveFileObject-1}Archive_File>,<{http://cybox.mitre.org/objects#ArtifactObject-2}Artifact>,<{http://stix.mitre.org/Campaign-1}Campaign>,<{http://cybox.mitre.org/objects#CodeObject-2}Code_Object>,<{http://stix.mitre.org/CourseOfAction-1}Course_Of_Action>,<{http://cybox.mitre.org/objects#CustomObject-1}Custom>,<{http://cybox.mitre.org/objects#DNSCacheObject-2}DNS_Cache>,<{http://cybox.mitre.org/objects#DNSQueryObject-2}DNS_Query>,<{http://cybox.mitre.org/objects#DNSRecordObject-2}DNS_Record>,<{http://cybox.mitre.org/objects#DeviceObject-2}Device>,<{http://cybox.mitre.org/objects#DiskObject-2}Disk>,<{http://cybox.mitre.org/objects#DiskPartitionObject-2}Disk_Partition>,<{http://cybox.mitre.org/objects#DomainNameObject-1}Domain_Name>,<{http://cybox.mitre.org/objects#EmailMessageObject-2}Email_Message>,<{http://cybox.mitre.org/cybox-2}Event>,<{http://stix.mitre.org/ExploitTarget-1}Exploit_Target>,<{http://cybox.mitre.org/objects#FileObject-2}File>,<{http://cybox.mitre.org/objects#GUIDialogboxObject-2}GUI_Dialogbox>,<{http://cybox.mitre.org/objects#GUIObject-2}GUI_Object>,<{http://cybox.mitre.org/objects#GUIWindowObject-2}GUI_Window>,<{http://cybox.mitre.org/objects#HTTPSessionObject-2}HTTP_Session>,<{http://cybox.mitre.org/objects#HostnameObject-1}Hostname>,<{http://cybox.mitre.org/objects#ImageFileObject-1}Image_File>,<{http://stix.mitre.org/Incident-1}Incident>,<{http://stix.mitre.org/Indicator-2}Indicator>,<{http://cybox.mitre.org/objects#LibraryObject-2}Librar
y>,<{http://cybox.mitre.org/objects#LinkObject-1}Link>,<{http://cybox.mitre.org/objects#LinuxPackageObject-2}Linux_Package>,<{http://cybox.mitre.org/objects#MemoryObject-2}Memory_Region>,<{http://cybox.mitre.org/objects#MutexObject-2}Mutex>,<{http://cybox.mitre.org/objects#NetworkConnectionObject-2}Network_Connection>,<{http://cybox.mitre.org/objects#NetworkFlowObject-2}Network_Flow_Object>,<{http://cybox.mitre.org/objects#PacketObject-2}Network_Packet>,<{http://cybox.mitre.org/objects#NetworkRouteEntryObject-2}Network_Route_Entry>,<{http://cybox.mitre.org/objects#NetworkRouteObject-2}Network_Route_Object>,<{http://cybox.mitre.org/objects#NetworkSocketObject-2}Network_Socket>,<{http://cybox.mitre.org/objects#NetworkSubnetObject-2}Network_Subnet>,<{http://cybox.mitre.org/cybox-2}Object>,<{http://cybox.mitre.org/cybox-2}Observable>,<{http://cybox.mitre.org/cybox-2}Observables>,<{http://cybox.mitre.org/objects#PDFFileObject-1}PDF_File>,<{http://cybox.mitre.org/objects#PipeObject-2}Pipe>,<{http://cybox.mitre.org/objects#PortObject-2}Port>,<{http://cybox.mitre.org/objects#ProcessObject-2}Process>,<{http://cybox.mitre.org/objects#ProductObject-2}Product>,<{http://cybox.mitre.org/cybox-2}Property>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}Resource>,<{http://cybox.mitre.org/objects#SMSMessageObject-1}SMS_Message>,<{http://stix.mitre.org/stix-1}STIX_Package>,<{http://cybox.mitre.org/objects#SemaphoreObject-2}Semaphore>,<{http://cybox.mitre.org/objects#SocketAddressObject-1}Socket_Address>,<{http://cybox.mitre.org/objects#SystemObject-2}System>,<{http://stix.mitre.org/TTP-1}TTP>,<{http://stix.mitre.org/ThreatActor-1}Threat_Actor>,<{http://cybox.mitre.org/objects#URIObject-2}URI>,<{http://cybox.mitre.org/objects#URLHistoryObject-1}URL_History>,<{http://cybox.mitre.org/objects#UnixFileObject-2}Unix_File>,<{http://cybox.mitre.org/objects#UnixNetworkRouteEntryObject-2}Unix_Network_Route_Entry>,<{http://cybox.mitre.org/objects#UnixPipeObject-2}Unix_Pipe>,<{http://
cybox.mitre.org/objects#UnixProcessObject-2}Unix_Process>,<{http://cybox.mitre.org/objects#UnixUserAccountObject-2}Unix_User_Account>,<{http://cybox.mitre.org/objects#UnixVolumeObject-2}Unix_Volume>,<{http://cybox.mitre.org/objects#UserAccountObject-2}User_Account>,<{http://cybox.mitre.org/objects#UserSessionObject-2}User_Session>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}VersionInfoResource>,<{http://cybox.mitre.org/objects#VolumeObject-2}Volume>,<{http://cybox.mitre.org/objects#WhoisObject-2}Whois_Entry>,<{http://cybox.mitre.org/objects#WinSemaphoreObject-2}Win_Semaphore>,<{http://cybox.mitre.org/objects#WinComputerAccountObject-2}Windows_Computer_Account>,<{http://cybox.mitre.org/objects#WinCriticalSectionObject-2}Windows_Critical_Section>,<{http://cybox.mitre.org/objects#WinDriverObject-3}Windows_Driver>,<{http://cybox.mitre.org/objects#WinEventObject-2}Windows_Event>,<{http://cybox.mitre.org/objects#WinEventLogObject-2}Windows_Event_Log>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}Windows_Executable_File>,<{http://cybox.mitre.org/objects#WinFileObject-2}Windows_File>,<{http://cybox.mitre.org/objects#WinFilemappingObject-1}Windows_Filemapping>,<{http://cybox.mitre.org/objects#WinHandleObject-2}Windows_Handle>,<{http://cybox.mitre.org/objects#WinHookObject-1}Windows_Hook>,<{http://cybox.mitre.org/objects#WinKernelObject-2}Windows_Kernel>,<{http://cybox.mitre.org/objects#WinKernelHookObject-2}Windows_Kernel_Hook>,<{http://cybox.mitre.org/objects#WinMailslotObject-2}Windows_Mailslot>,<{http://cybox.mitre.org/objects#WinMemoryPageRegionObject-2}Windows_Memory_Page_Region>,<{http://cybox.mitre.org/objects#WinMutexObject-2}Windows_Mutex>,<{http://cybox.mitre.org/objects#WinNetworkRouteEntryObject-2}Windows_Network_Route_Entry>,<{http://cybox.mitre.org/objects#WinNetworkShareObject-2}Windows_Network_Share>,<{http://cybox.mitre.org/objects#WinPipeObject-2}Windows_Pipe>,<{http://cybox.mitre.org/objects#WinPrefetchObject-2}Windows_Prefetch_
Entry>,<{http://cybox.mitre.org/objects#WinProcessObject-2}Windows_Process>,<{http://cybox.mitre.org/objects#WinRegistryKeyObject-2}Windows_Registry_Key>,<{http://cybox.mitre.org/objects#WinServiceObject-2}Windows_Service>,<{http://cybox.mitre.org/objects#WinSystemObject-2}Windows_System>,<{http://cybox.mitre.org/objects#WinSystemRestoreObject-2}Windows_System_Restore_Entry>,<{http://cybox.mitre.org/objects#WinTaskObject-2}Windows_Task>,<{http://cybox.mitre.org/objects#WinThreadObject-2}Windows_Thread>,<{http://cybox.mitre.org/objects#WinUserAccountObject-2}Windows_User_Account>,<{http://cybox.mitre.org/objects#WinVolumeObject-2}Windows_Volume>,<{http://cybox.mitre.org/objects#WinWaitableTimerObject-2}Windows_Waitable_Timer>,<{http://cybox.mitre.org/objects#X509CertificateObject-2}X509_Certificate>)

I'm going to try out the file you have provided me. I'll fill you in ASAP.

Best regards!


From: Sophie Mori notifications@github.com Sent: Tuesday, 13 September 2016 17:07 To: sleuthkit/autopsy Cc: lorz; Author Subject: Re: [sleuthkit/autopsy] STIX report doesn't run in Autopsy 4.1.1 (#2312)

An alternative is for you to test a sample STIX file to see if that one parses correctly for you. I've added it at https://github.com/wishdasher/autopsy-files


lorz commented 8 years ago

Hello again Sophie,

I've already tried out the file you uploaded but still nothing. I get the same error again. The steps I follow are the same ones I told you about in my last email (maybe there's something I'm missing :-S).

Any piece of advice?

Regards,

Luis Gomez.

Error loading STIX file (javax.xml.bind.UnmarshalException: elemento inesperado (URI:"", local:"html"). Los elementos esperados son <{http://cybox.mitre.org/objects#APIObject-2}API>,<{http://cybox.mitre.org/objects#ARPCacheObject-1}ARP_Cache>,<{http://cybox.mitre.org/objects#ASObject-1}AS>,<{http://cybox.mitre.org/objects#AccountObject-2}Account>,<{http://cybox.mitre.org/cybox-2}Action>,<{http://cybox.mitre.org/objects#AddressObject-2}Address>,<{http://cybox.mitre.org/objects#ArchiveFileObject-1}Archive_File>,<{http://cybox.mitre.org/objects#ArtifactObject-2}Artifact>,<{http://stix.mitre.org/Campaign-1}Campaign>,<{http://cybox.mitre.org/objects#CodeObject-2}Code_Object>,<{http://stix.mitre.org/CourseOfAction-1}Course_Of_Action>,<{http://cybox.mitre.org/objects#CustomObject-1}Custom>,<{http://cybox.mitre.org/objects#DNSCacheObject-2}DNS_Cache>,<{http://cybox.mitre.org/objects#DNSQueryObject-2}DNS_Query>,<{http://cybox.mitre.org/objects#DNSRecordObject-2}DNS_Record>,<{http://cybox.mitre.org/objects#DeviceObject-2}Device>,<{http://cybox.mitre.org/objects#DiskObject-2}Disk>,<{http://cybox.mitre.org/objects#DiskPartitionObject-2}Disk_Partition>,<{http://cybox.mitre.org/objects#DomainNameObject-1}Domain_Name>,<{http://cybox.mitre.org/objects#EmailMessageObject-2}Email_Message>,<{http://cybox.mitre.org/cybox-2}Event>,<{http://stix.mitre.org/ExploitTarget-1}Exploit_Target>,<{http://cybox.mitre.org/objects#FileObject-2}File>,<{http://cybox.mitre.org/objects#GUIDialogboxObject-2}GUI_Dialogbox>,<{http://cybox.mitre.org/objects#GUIObject-2}GUI_Object>,<{http://cybox.mitre.org/objects#GUIWindowObject-2}GUI_Window>,<{http://cybox.mitre.org/objects#HTTPSessionObject-2}HTTP_Session>,<{http://cybox.mitre.org/objects#HostnameObject-1}Hostname>,<{http://cybox.mitre.org/objects#ImageFileObject-1}Image_File>,<{http://stix.mitre.org/Incident-1}Incident>,<{http://stix.mitre.org/Indicator-2}Indicator>,<{http://cybox.mitre.org/objects#LibraryObject-2}Library>,<{http://cybox.mitre.org/object
s#LinkObject-1}Link>,<{http://cybox.mitre.org/objects#LinuxPackageObject-2}Linux_Package>,<{http://cybox.mitre.org/objects#MemoryObject-2}Memory_Region>,<{http://cybox.mitre.org/objects#MutexObject-2}Mutex>,<{http://cybox.mitre.org/objects#NetworkConnectionObject-2}Network_Connection>,<{http://cybox.mitre.org/objects#NetworkFlowObject-2}Network_Flow_Object>,<{http://cybox.mitre.org/objects#PacketObject-2}Network_Packet>,<{http://cybox.mitre.org/objects#NetworkRouteEntryObject-2}Network_Route_Entry>,<{http://cybox.mitre.org/objects#NetworkRouteObject-2}Network_Route_Object>,<{http://cybox.mitre.org/objects#NetworkSocketObject-2}Network_Socket>,<{http://cybox.mitre.org/objects#NetworkSubnetObject-2}Network_Subnet>,<{http://cybox.mitre.org/cybox-2}Object>,<{http://cybox.mitre.org/cybox-2}Observable>,<{http://cybox.mitre.org/cybox-2}Observables>,<{http://cybox.mitre.org/objects#PDFFileObject-1}PDF_File>,<{http://cybox.mitre.org/objects#PipeObject-2}Pipe>,<{http://cybox.mitre.org/objects#PortObject-2}Port>,<{http://cybox.mitre.org/objects#ProcessObject-2}Process>,<{http://cybox.mitre.org/objects#ProductObject-2}Product>,<{http://cybox.mitre.org/cybox-2}Property>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}Resource>,<{http://cybox.mitre.org/objects#SMSMessageObject-1}SMS_Message>,<{http://stix.mitre.org/stix-1}STIX_Package>,<{http://cybox.mitre.org/objects#SemaphoreObject-2}Semaphore>,<{http://cybox.mitre.org/objects#SocketAddressObject-1}Socket_Address>,<{http://cybox.mitre.org/objects#SystemObject-2}System>,<{http://stix.mitre.org/TTP-1}TTP>,<{http://stix.mitre.org/ThreatActor-1}Threat_Actor>,<{http://cybox.mitre.org/objects#URIObject-2}URI>,<{http://cybox.mitre.org/objects#URLHistoryObject-1}URL_History>,<{http://cybox.mitre.org/objects#UnixFileObject-2}Unix_File>,<{http://cybox.mitre.org/objects#UnixNetworkRouteEntryObject-2}Unix_Network_Route_Entry>,<{http://cybox.mitre.org/objects#UnixPipeObject-2}Unix_Pipe>,<{http://cybox.mitre.org/objects#UnixProces
sObject-2}Unix_Process>,<{http://cybox.mitre.org/objects#UnixUserAccountObject-2}Unix_User_Account>,<{http://cybox.mitre.org/objects#UnixVolumeObject-2}Unix_Volume>,<{http://cybox.mitre.org/objects#UserAccountObject-2}User_Account>,<{http://cybox.mitre.org/objects#UserSessionObject-2}User_Session>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}VersionInfoResource>,<{http://cybox.mitre.org/objects#VolumeObject-2}Volume>,<{http://cybox.mitre.org/objects#WhoisObject-2}Whois_Entry>,<{http://cybox.mitre.org/objects#WinSemaphoreObject-2}Win_Semaphore>,<{http://cybox.mitre.org/objects#WinComputerAccountObject-2}Windows_Computer_Account>,<{http://cybox.mitre.org/objects#WinCriticalSectionObject-2}Windows_Critical_Section>,<{http://cybox.mitre.org/objects#WinDriverObject-3}Windows_Driver>,<{http://cybox.mitre.org/objects#WinEventObject-2}Windows_Event>,<{http://cybox.mitre.org/objects#WinEventLogObject-2}Windows_Event_Log>,<{http://cybox.mitre.org/objects#WinExecutableFileObject-2}Windows_Executable_File>,<{http://cybox.mitre.org/objects#WinFileObject-2}Windows_File>,<{http://cybox.mitre.org/objects#WinFilemappingObject-1}Windows_Filemapping>,<{http://cybox.mitre.org/objects#WinHandleObject-2}Windows_Handle>,<{http://cybox.mitre.org/objects#WinHookObject-1}Windows_Hook>,<{http://cybox.mitre.org/objects#WinKernelObject-2}Windows_Kernel>,<{http://cybox.mitre.org/objects#WinKernelHookObject-2}Windows_Kernel_Hook>,<{http://cybox.mitre.org/objects#WinMailslotObject-2}Windows_Mailslot>,<{http://cybox.mitre.org/objects#WinMemoryPageRegionObject-2}Windows_Memory_Page_Region>,<{http://cybox.mitre.org/objects#WinMutexObject-2}Windows_Mutex>,<{http://cybox.mitre.org/objects#WinNetworkRouteEntryObject-2}Windows_Network_Route_Entry>,<{http://cybox.mitre.org/objects#WinNetworkShareObject-2}Windows_Network_Share>,<{http://cybox.mitre.org/objects#WinPipeObject-2}Windows_Pipe>,<{http://cybox.mitre.org/objects#WinPrefetchObject-2}Windows_Prefetch_Entry>,<{http://cybox.mitre.org/ob
jects#WinProcessObject-2}Windows_Process>,<{http://cybox.mitre.org/objects#WinRegistryKeyObject-2}Windows_Registry_Key>,<{http://cybox.mitre.org/objects#WinServiceObject-2}Windows_Service>,<{http://cybox.mitre.org/objects#WinSystemObject-2}Windows_System>,<{http://cybox.mitre.org/objects#WinSystemRestoreObject-2}Windows_System_Restore_Entry>,<{http://cybox.mitre.org/objects#WinTaskObject-2}Windows_Task>,<{http://cybox.mitre.org/objects#WinThreadObject-2}Windows_Thread>,<{http://cybox.mitre.org/objects#WinUserAccountObject-2}Windows_User_Account>,<{http://cybox.mitre.org/objects#WinVolumeObject-2}Windows_Volume>,<{http://cybox.mitre.org/objects#WinWaitableTimerObject-2}Windows_Waitable_Timer>,<{http://cybox.mitre.org/objects#X509CertificateObject-2}X509_Certificate>)



wishdasher commented 8 years ago

Hi Luis, We weren't able to deduce the exact cause of the error, but we ran an image with the sample STIX file on both a German and Japanese machine. The German one performed without error, but there were similar errors from the Japanese machine.

Perhaps the error is locale-based (seeing as you have a Spanish machine).

org.sleuthkit.datamodel.TskCoreException: Error loading STIX file (javax.xml.bind.UnmarshalException
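
The two distinct errors quoted earlier in this thread name the element the JAXB unmarshaller met first: `schema` in the XML Schema namespace when an `.xsd` file was selected, and `html` with an empty namespace in the later attempt. As an added example (not code from Autopsy or from anyone in this thread), the Python below reports a candidate file's root element before it is handed to the STIX report; `probe_root`, `RootInfo` and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Namespaces copied from the error messages quoted in this thread.
STIX_NS = "http://stix.mitre.org/stix-1"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
MITRE_PREFIXES = ("http://stix.mitre.org/", "http://cybox.mitre.org/")

MAX_PROBE_BYTES = 64 * 1024  # the prolog and root start tag are all we need


class RootInfo(NamedTuple):
    kind: str        # stix-package, mitre-element, xsd-schema, html-page, other-xml, not-xml
    namespace: str
    local: str


def probe_root(data: bytes) -> RootInfo:
    """Classify a candidate file by its root element without parsing it fully."""
    parser = ET.XMLPullParser(events=("start",))
    try:
        parser.feed(data[:MAX_PROBE_BYTES])
        # The first "start" event is the root element. A syntax error further
        # into the input (typical for HTML) is queued behind it and not reached.
        for _event, elem in parser.read_events():
            tag = elem.tag
            break
        else:
            return RootInfo("not-xml", "", "")
    except ET.ParseError:
        return RootInfo("not-xml", "", "")

    # ElementTree spells qualified names as "{namespace}local".
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
    else:
        namespace, local = "", tag

    if namespace == STIX_NS and local == "STIX_Package":
        kind = "stix-package"      # an instance document with a STIX package root
    elif namespace == XSD_NS and local == "schema":
        kind = "xsd-schema"        # a schema definition, not an instance document
    elif local.lower() == "html":
        kind = "html-page"         # e.g. a web page saved in place of the raw file
    elif namespace.startswith(MITRE_PREFIXES):
        kind = "mitre-element"     # some other STIX/CybOX global element
    else:
        kind = "other-xml"
    return RootInfo(kind, namespace, local)


# Constructed samples, not files from the thread.
SAMPLES = {
    "indicator.xml": b'<?xml version="1.0" encoding="UTF-8"?>\n'
                     b'<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" version="1.2"/>',
    "Email_Message_Object.xsd": b'<?xml version="1.0"?>\n'
                                b'<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"/>',
    "saved_web_page.xml": b'<!DOCTYPE html>\n<html lang="en"><head>'
                          b'<meta charset="utf-8"></head><body></body></html>',
    "empty.xml": b"",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        info = probe_root(data)
        print(f"{name}: {info.kind} ({{{info.namespace}}}{info.local})")
```
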

lorz commented 8 years ago

Hi Sophie, I thought so yesterday while I was writing to you, but it seemed so odd to me... Anyway, I'll prepare a VM with a pure English OS (probably this weekend) and I'll try again. I'll keep you informed 😊

Thank you for your help.

Best regards!


From: Sophie Mori notifications@github.com Sent: Wednesday, 14 September 2016 21:49 To: sleuthkit/autopsy Cc: lorz; Author Subject: Re: [sleuthkit/autopsy] STIX report doesn't run in Autopsy 4.1.1 (#2312)

Hi Luis, We weren't able to deduce the exact cause of the error, but we ran an image with the sample STIX file on both a German and Japanese machine. The German one performed without error, but there were similar errors from the Japanese machine.

Perhaps the error is locale-based (seeing as you have a Spanish machine).

org.sleuthkit.datamodel.TskCoreException: Error loading STIX file (javax.xml.bind.UnmarshalException


asdimitriadis commented 3 years ago

An alternative is for you to test a sample STIX file to see if that one parses correctly for you. I've added it at https://github.com/wishdasher/autopsy-files

Hi @wishdasher, could you please refresh the link of these autopsy-files? I am studying the STIX module and it would be very helpful if I had the files.

wishdasher commented 3 years ago

@asdimitriadis I provided support on this issue when I was working on this project several years ago for Basis Tech. I am no longer working there and do not have these files anymore, so I would recommend asking the team there or contacting someone who is a current contributor (look at the recent commit history). Good luck.