# folder_path and case_number are assigned earlier in the script (not shown here).
# Tab-separated "xls" report of files flagged for further work; 'wt+' truncates
# any report left by a previous run for the same case number.
log_file3 = folder_path + "/" + case_number + "_files_to_exploit.xls"
outfile3 = open(log_file3, 'wt+')

#write out column headers to xls file
outfile3.write("Name\tMD5\tFile Size (kb)\n")

#ask user whether they want to process a single folder or an entire disk image
# (easygui-style buttonbox; returns the label of the pressed button)
process_choice = buttonbox(msg='What would you like to scan?',
                           title='AV Scanning',
                           choices=('Folder', 'Entire Disk Image'),
                           image=None,
                           root=None)

if (process_choice == "Folder"):
    #select folder to process
    # outfile is the case log handle, opened before this excerpt begins.
    folder_process = select_folder_to_process(outfile)

    #create output folder for processed files
    if not os.path.exists(folder_path + "/Processed_files_FOLDER"):
        os.mkdir(folder_path + "/Processed_files_FOLDER")

    #set folder variable to "folder" since this is a folder and not a disk partition
    folder = "FOLDER"

    #call process subroutine
    # NOTE(review): presumably writes its results under Processed_files_FOLDER — confirm in process().
    process(folder_process, outfile, folder_path, folder)

else:

    #select image to process
    # Disk-image branch; the handling of Image_Path appears to continue past this excerpt.
    Image_Path = select_file_to_process(outfile)
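def entropy_module(item_to_process, folder_path, case_number):
    """Run the entropy scan for one file, folder, L01 container or disk image.

    Per-file rows are appended by ``process_folder`` to
    ``<folder_path>/<case_number>_entropy.csv``.  Afterwards that file is
    sorted into ``<case_number>_entropy_sorted.csv`` (``sort -r -k 2n`` on
    ``|``-separated fields), a header row is prepended and the unsorted file
    is removed.  Progress messages are appended to
    ``<folder_path>/<case_number>_logfile.txt``.

    Args:
        item_to_process: ``"file"``, ``"folder"``, ``"L01"`` or ``"image"``.
            Any other value scans nothing; only the (empty) sorted file is
            produced.
        folder_path: case output directory for the log and CSV files.
        case_number: prefix of the output file names; also handed to
            ``mount_encase_v6_l01`` for the L01 case.

    Returns:
        None.
    """
    log_file = folder_path + "/" + case_number + "_logfile.txt"
    exp_file = folder_path + "/" + case_number + "_entropy.csv"
    sorted_file = folder_path + "/" + case_number + "_entropy_sorted.csv"

    # Both handles are opened in append mode so repeated runs for the same
    # case accumulate; ``with`` closes them (the log used to be left open).
    with open(log_file, 'a') as outfile:
        with open(exp_file, 'a') as export_file:
            if item_to_process == "file":
                file_to_process = select_file_to_process(outfile)
                # The single-file entropy is only printed, never written to the CSV.
                ent = calc_entropy(file_to_process)
                print(ent)

            elif item_to_process == "folder":
                folder_to_process = select_folder_to_process(outfile)
                process_folder(folder_to_process, export_file)

            elif item_to_process == "L01":
                file_to_process = select_file_to_process(outfile)
                mount_point = mount_encase_v6_l01(case_number, file_to_process,
                                                  outfile)
                process_folder(mount_point, export_file)
                _entropy_unmount(mount_point)

            elif item_to_process == "image":
                Image_Path = select_file_to_process(outfile)
                _entropy_scan_image(Image_Path, outfile, export_file)

        # export_file is closed here, so the sort sees every buffered row.
        if _entropy_sort_output(exp_file, sorted_file, outfile):
            os.remove(exp_file)
        else:
            # Keep the unsorted data instead of deleting the only copy.
            message = "Sorting failed, keeping unsorted output: " + exp_file + "\n"
            print(message)
            outfile.write(message)


def _entropy_unmount(mount_point):
    """Force-unmount *mount_point* (via sudo) and remove the directory, if it exists."""
    if os.path.exists(mount_point):
        # Argument list instead of a shell string: the path is never re-parsed
        # by a shell, so spaces or metacharacters in it cannot alter the command.
        subprocess.call(['sudo', 'umount', '-f', mount_point])
        os.rmdir(mount_point)


def _entropy_partitions(Image_Path, outfile):
    """Return the {offset: filesystem} map for every partition of *Image_Path*.

    ``mmls`` is tried first; ``parted`` is used instead when mmls produced no
    output or reported a GUID partition table.
    """
    partition_info_dict = mmls(outfile, Image_Path)

    # mmls() leaves its raw output in this fixed file; an empty file means it
    # could not read a partition table at all.
    # NOTE(review): a predictable path under /tmp can be pre-created or replaced
    # by another local user on a shared host — consider tempfile in mmls().
    mmls_output = "/tmp/mmls_output.txt"
    if os.path.getsize(mmls_output) == 0:
        print("mmls output was empty, running parted")
        outfile.write("mmls output was empty, running parted")
        return parted(outfile, Image_Path)

    # GUID partition tables (used on Macs) are handled by parted; one match is
    # enough, so parted is run once rather than once per matching line.
    with open(mmls_output, 'r') as mmls_output_file:
        for line in mmls_output_file:
            if "GUID Partition Table" in line:
                print("We found a GUID partition table, need to use parted")
                outfile.write(
                    "We found a GUID partition table, need to use parted\n")
                return parted(outfile, Image_Path)

    return partition_info_dict


def _entropy_scan_image(Image_Path, outfile, export_file):
    """Mount each partition of a disk image in turn and run process_folder on it."""
    # One mount point per run, named after the current time.
    now = datetime.datetime.now()
    mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")

    # EnCase evidence files are first exposed as a raw image by mount_ewf().
    # The dot is escaped: the old pattern ".E01" also matched names like "xE01".
    if re.search(r"\.E01", Image_Path):
        Image_Path = mount_ewf(Image_Path, outfile, mount_point)

    partition_info_dict = _entropy_partitions(Image_Path, outfile)

    # key is the partition's byte offset, value its filesystem name.
    for key, value in sorted(partition_info_dict.items()):
        # A truthy code from mount() means the partition could not be mounted.
        success_code = mount(value, str(key), Image_Path, outfile, mount_point)

        if success_code:
            print("Could not mount partition with filesystem: " + value +
                  " at offset:" + str(key))
            outfile.write("Could not mount partition with filesystem: " +
                          value + " at offset:" + str(key))
            continue

        print("We just mounted filesystem: " + value + " at offset:" +
              str(key) + "\n")
        outfile.write("We just mounted filesystem: " + value +
                      " at offset:" + str(key) + "\n")

        process_folder(mount_point, export_file)
        _entropy_unmount(mount_point)


def _entropy_sort_output(exp_file, sorted_file, outfile):
    """Write *exp_file* sorted into *sorted_file* and prepend the header row.

    Equivalent to ``strings -a EXP | sort -t'|' -r -k 2n > SORTED`` followed
    by ``sed -i '1i\\ Entropy,...' SORTED``, but run as argument lists rather
    than one shell string, so a quote or metacharacter in the case number or
    folder path cannot change the commands.  Returns True when every step
    exited 0; otherwise a message is written to *outfile* and False returned.

    NOTE(review): the header is comma-separated while sort splits on '|';
    confirm against the row format process_folder() writes.
    """
    try:
        with open(sorted_file, 'w') as sorted_out:
            strings_proc = subprocess.Popen(['strings', '-a', exp_file],
                                            stdout=subprocess.PIPE)
            sort_rc = subprocess.call(['sort', '-t', '|', '-r', '-k', '2n'],
                                      stdin=strings_proc.stdout,
                                      stdout=sorted_out)
            # Drop our copy of the pipe's read end so strings gets SIGPIPE if
            # sort exited early, then collect its exit status.
            strings_proc.stdout.close()
            strings_rc = strings_proc.wait()
        if strings_rc or sort_rc:
            outfile.write("strings/sort failed on " + exp_file + "\n")
            return False
        # GNU sed one-liner form: insert the header text before line 1.
        sed_rc = subprocess.call(
            ['sed', '-i', r'1i\ Entropy,File Name,File Size,File Path',
             sorted_file])
    except OSError as err:
        # Typically one of the external tools is not installed.
        outfile.write("Could not run sort pipeline: " + str(err) + "\n")
        return False
    if sed_rc:
        outfile.write("sed failed on " + sorted_file + "\n")
        return False
    return True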
#open a log file for output
# folder_path and case_number are assigned earlier in the script (not shown here);
# 'wt+' truncates the log of any previous run for the same case number.
log_file = folder_path + "/" + case_number + "_logfile.txt"
outfile = open(log_file, 'wt+')
# Tab-separated "xls" report of files flagged for further work (also truncated).
log_file3 = folder_path + "/" + case_number + "_files_to_exploit.xls"
outfile3 = open(log_file3, 'wt+')

#write out column headers to xls file
outfile3.write("Name\tMD5\tFile Size (kb)\n")

#ask user whether they want to process a single folder or an entire disk image
# (easygui-style buttonbox; returns the label of the pressed button)
process_choice = buttonbox(msg='What would you like to scan?', title='AV Scanning', choices=('Folder', 'Entire Disk Image'), image=None, root=None)

if(process_choice == "Folder"):
	#select folder to process
	folder_process = select_folder_to_process(outfile)

	#create output folder for processed files
	if not os.path.exists(folder_path + "/Processed_files_FOLDER"):
		os.mkdir(folder_path + "/Processed_files_FOLDER")
	
	#set folder variable to "folder" since this is a folder and not a disk partition
	folder = "FOLDER"

	#call process subroutine
	# NOTE(review): presumably writes its results under Processed_files_FOLDER — confirm in process().
	process(folder_process, outfile, folder_path, folder)

else:

	#select image to process
	# Disk-image branch; the handling of Image_Path appears to continue past this excerpt.
	Image_Path = select_file_to_process(outfile)
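def entropy_module(item_to_process, folder_path, case_number):
	"""Run the entropy scan for one file, folder, L01 container or disk image.

	Per-file rows are appended by ``process_folder`` to
	``<folder_path>/<case_number>_entropy.csv``.  Afterwards that file is
	sorted into ``<case_number>_entropy_sorted.csv`` (``sort -r -k 2n`` on
	``|``-separated fields), a header row is prepended and the unsorted file
	is removed.  Progress messages are appended to
	``<folder_path>/<case_number>_logfile.txt``.

	Args:
		item_to_process: ``"file"``, ``"folder"``, ``"L01"`` or ``"image"``.
			Any other value scans nothing; only the (empty) sorted file is
			produced.
		folder_path: case output directory for the log and CSV files.
		case_number: prefix of the output file names; also handed to
			``mount_encase_v6_l01`` for the L01 case.

	Returns:
		None.
	"""
	log_file = folder_path + "/" + case_number + "_logfile.txt"
	exp_file = folder_path + "/" + case_number + "_entropy.csv"
	sorted_file = folder_path + "/" + case_number + "_entropy_sorted.csv"

	# Both handles are opened in append mode so repeated runs for the same
	# case accumulate; ``with`` closes them (the log used to be left open).
	with open(log_file, 'a') as outfile:
		with open(exp_file, 'a') as export_file:
			if item_to_process == "file":
				file_to_process = select_file_to_process(outfile)
				# The single-file entropy is only printed, never written to the CSV.
				ent = calc_entropy(file_to_process)
				print(ent)

			elif item_to_process == "folder":
				folder_to_process = select_folder_to_process(outfile)
				process_folder(folder_to_process, export_file)

			elif item_to_process == "L01":
				file_to_process = select_file_to_process(outfile)
				mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
				process_folder(mount_point, export_file)
				_entropy_unmount(mount_point)

			elif item_to_process == "image":
				Image_Path = select_file_to_process(outfile)
				_entropy_scan_image(Image_Path, outfile, export_file)

		# export_file is closed here, so the sort sees every buffered row.
		if _entropy_sort_output(exp_file, sorted_file, outfile):
			os.remove(exp_file)
		else:
			# Keep the unsorted data instead of deleting the only copy.
			message = "Sorting failed, keeping unsorted output: " + exp_file + "\n"
			print(message)
			outfile.write(message)


def _entropy_unmount(mount_point):
	"""Force-unmount *mount_point* (via sudo) and remove the directory, if it exists."""
	if os.path.exists(mount_point):
		# Argument list instead of a shell string: the path is never re-parsed
		# by a shell, so spaces or metacharacters in it cannot alter the command.
		subprocess.call(['sudo', 'umount', '-f', mount_point])
		os.rmdir(mount_point)


def _entropy_partitions(Image_Path, outfile):
	"""Return the {offset: filesystem} map for every partition of *Image_Path*.

	``mmls`` is tried first; ``parted`` is used instead when mmls produced no
	output or reported a GUID partition table.
	"""
	partition_info_dict = mmls(outfile, Image_Path)

	# mmls() leaves its raw output in this fixed file; an empty file means it
	# could not read a partition table at all.
	# NOTE(review): a predictable path under /tmp can be pre-created or replaced
	# by another local user on a shared host — consider tempfile in mmls().
	mmls_output = "/tmp/mmls_output.txt"
	if os.path.getsize(mmls_output) == 0:
		print("mmls output was empty, running parted")
		outfile.write("mmls output was empty, running parted")
		return parted(outfile, Image_Path)

	# GUID partition tables (used on Macs) are handled by parted; one match is
	# enough, so parted is run once rather than once per matching line.
	with open(mmls_output, 'r') as mmls_output_file:
		for line in mmls_output_file:
			if "GUID Partition Table" in line:
				print("We found a GUID partition table, need to use parted")
				outfile.write("We found a GUID partition table, need to use parted\n")
				return parted(outfile, Image_Path)

	return partition_info_dict


def _entropy_scan_image(Image_Path, outfile, export_file):
	"""Mount each partition of a disk image in turn and run process_folder on it."""
	# One mount point per run, named after the current time.
	now = datetime.datetime.now()
	mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")

	# EnCase evidence files are first exposed as a raw image by mount_ewf().
	# The dot is escaped: the old pattern ".E01" also matched names like "xE01".
	if re.search(r"\.E01", Image_Path):
		Image_Path = mount_ewf(Image_Path, outfile, mount_point)

	partition_info_dict = _entropy_partitions(Image_Path, outfile)

	# key is the partition's byte offset, value its filesystem name.
	for key, value in sorted(partition_info_dict.items()):
		# A truthy code from mount() means the partition could not be mounted.
		success_code = mount(value, str(key), Image_Path, outfile, mount_point)

		if success_code:
			print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			continue

		print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
		outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

		process_folder(mount_point, export_file)
		_entropy_unmount(mount_point)


def _entropy_sort_output(exp_file, sorted_file, outfile):
	"""Write *exp_file* sorted into *sorted_file* and prepend the header row.

	Equivalent to ``strings -a EXP | sort -t'|' -r -k 2n > SORTED`` followed
	by ``sed -i '1i\\ Entropy,...' SORTED``, but run as argument lists rather
	than one shell string, so a quote or metacharacter in the case number or
	folder path cannot change the commands.  Returns True when every step
	exited 0; otherwise a message is written to *outfile* and False returned.

	NOTE(review): the header is comma-separated while sort splits on '|';
	confirm against the row format process_folder() writes.
	"""
	try:
		with open(sorted_file, 'w') as sorted_out:
			strings_proc = subprocess.Popen(['strings', '-a', exp_file], stdout=subprocess.PIPE)
			sort_rc = subprocess.call(['sort', '-t', '|', '-r', '-k', '2n'],
			                          stdin=strings_proc.stdout, stdout=sorted_out)
			# Drop our copy of the pipe's read end so strings gets SIGPIPE if
			# sort exited early, then collect its exit status.
			strings_proc.stdout.close()
			strings_rc = strings_proc.wait()
		if strings_rc or sort_rc:
			outfile.write("strings/sort failed on " + exp_file + "\n")
			return False
		# GNU sed one-liner form: insert the header text before line 1.
		sed_rc = subprocess.call(['sed', '-i', r'1i\ Entropy,File Name,File Size,File Path', sorted_file])
	except OSError as err:
		# Typically one of the external tools is not installed.
		outfile.write("Could not run sort pipeline: " + str(err) + "\n")
		return False
	if sed_rc:
		outfile.write("sed failed on " + sorted_file + "\n")
		return False
	return True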