def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.4/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, datasource, progressbar): PostBoard=IngestServices.getInstance() progressbar.switchToIndeterminate() ccase = Case.getCurrentCase().getSleuthkitCase() blackboard = Case.getCurrentCase().getServices().getBlackboard() msgcounter = 0 # if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or # (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or # (file.isFile() == true)): # return IngestModule.ProcessResult.OK # #prepare artifacts artifact_name = "TSK_WINCOM_CONTACT" artifact_desc = "Windows Communication Contacts" try: artID_wincom_contact = ccase.addArtifactType(artifact_name, artifact_desc) attribute_name = "TSK_WINCOM_CONTACT_SERVICE" attribute_name1 = "TSK_WINCOM_CONTACT_APPID" attribute_name2 = "TSK_WINCOM_CONTACT_FIRSTNAME" attribute_name3 = "TSK_WINCOM_CONTACT_LASTNAME" attribute_name4 = "TSK_WINCOM_CONTACT_COUNTRY" attribute_name5 = "TSK_WINCOM_CONTACT_LOCALITY" attribute_name6 = "TSK_WINCOM_CONTACT_REGION" attribute_name7 = "TSK_WINCOM_CONTACT_BIRTHDAY" attID_ex= ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Service vs Person") attID_ex1 = ccase.addArtifactAttributeType(attribute_name1, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Application") attID_ex2 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "First Name") attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Last Name") attID_ex4 = ccase.addArtifactAttributeType(attribute_name4, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Country") attID_ex5 = ccase.addArtifactAttributeType(attribute_name5, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "City") attID_ex6 = ccase.addArtifactAttributeType(attribute_name6, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Region") attID_ex7 = ccase.addArtifactAttributeType(attribute_name7, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Birthday") except: message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), "Error creating artifacts"+ str(msgcounter)) #IngestServices.getInstance().postMessage(message) self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ") artID_wincom_contact = ccase.getArtifactTypeID(artifact_name) artID_wincom_contact_evt = ccase.getArtifactType(artifact_name) #get files ##IngestServices.getInstance().postMessage(message) fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(datasource, "%appcontent-ms") numFiles = len(files) progressbar.switchToDeterminate(numFiles) fileCount = 0 for file in files: fileCount = fileCount + 1 progressbar.progress(fileCount) progressbar.progress("Windows Communication Analyzer") msgcounter+=1 # message = IngestMessage.createMessage( # IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), str(msgcounter) + " - in file loop and found file:" + str(file.getParentPath())) # #IngestServices.getInstance().postMessage(message) ParentPath = file.getParentPath() #if "microsoft.windowscommunicationsapps" in ParentPath and "_8wekyb3d8bbwe" in ParentPath and file.getName().lower().endswith("appcontent-ms") and "Address" in ParentPath : if file.getSize() > 0 and "microsoft.windowscommunicationsapps" in ParentPath: lclXMLPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".appcontent-ms") ContentUtils.writeToFile(file, File(lclXMLPath)) if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK with open(lclXMLPath, "rb") as XMLFile: with open(lclXMLPath+".rewrite", 'w+b') as NewXMLFile: contents = XMLFile.read() newContent = contents.decode('utf-16').encode('utf-8') NewXMLFile.write(newContent.replace('<?xml version="1.0" encoding="utf-16"?>','<?xml version="1.0" encoding="utf-8"?>')) NewXMLFile.close() XMLFile.close() f = open(lclXMLPath+".rewrite", "rb") all = f.read() f.close() message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), all) #IngestServices.getInstance().postMessage(message) #XMLFile = open(lclXMLPath, "rb") AppID="**" FirstName = "**" LastName = "**" HomeAddress1Country = "**" HomeAddress1Locality = "**" HomeAddress1Region = "**" Birthday = "**" Service = "**" root = ET.fromstring(all) for elem in root.iter(): teller = 0 if "System.Contact.ConnectedServiceName" in str(elem.attrib): if len(elem.text) == 2: for child in elem: teller =+1 Service = child.text # if teller == 1: break else: Service = elem.text elif "System.AppUserModel.PackageRelativeApplicationID" in str(elem.attrib): if len(elem.text) == 2: for child in elem: teller =+1 AppID = child.text # if teller == 1: break else: if len(elem.text)==0: AppID = elem.text else: AppID = "**" elif "System.Contact.FirstName" in str(elem.attrib): if len(elem.text) == 2: for child in elem: teller =+1 FirstName = child.text if teller == 1: break else: FirstName = elem.text elif "System.Contact.LastName" in str(elem.attrib): if len(elem.text) == 2: for child in elem: teller =+1 LastName = child.text if teller == 1: break else: LastName = elem.text elif "System.Contact.HomeAddress1Country" in str(elem.attrib): if len(elem.text) == 2: teller =+1 for child in elem: HomeAddress1Country = child.text if teller == 1: break else: HomeAddress1Country = elem.text elif "System.Contact.HomeAddress1Locality" in str(elem.attrib): if len(elem.text) == 2: for child in elem: teller =+1 HomeAddress1Locality = child.text if teller == 1: break else: HomeAddress1Locality = elem.text elif "System.Contact.HomeAddress1Region" in str(elem.attrib): if len(elem.text) == 2: for child in elem: teller =+1 HomeAddress1Region = child.text if teller == 1: break else: HomeAddress1Region = elem.text elif "System.Contact.Birthday" in str(elem.attrib): if len(elem.text) == 2: for child in elem: teller =+1 Birthday = child.text if teller == 1: break else: Birthday = elem.text else: #another value - manual forensics #AppID = "BLAHELSE" pass #IngestServices.getInstance().postMessage(message) #end looping through elements #ready for next file art = file.newArtifact(artID_wincom_contact) attID_ex =ccase.getAttributeType("TSK_WINCOM_CONTACT_SERVICE") art.addAttribute(BlackboardAttribute(attID_ex, WindowsCommunicationModuleFactory.moduleName, Service)) attID_ex1 =ccase.getAttributeType("TSK_WINCOM_CONTACT_APPID") art.addAttribute(BlackboardAttribute(attID_ex1, WindowsCommunicationModuleFactory.moduleName, AppID)) attID_ex2 =ccase.getAttributeType("TSK_WINCOM_CONTACT_FIRSTNAME") art.addAttribute(BlackboardAttribute(attID_ex2, WindowsCommunicationModuleFactory.moduleName, FirstName)) attID_ex3 =ccase.getAttributeType("TSK_WINCOM_CONTACT_LASTNAME") art.addAttribute(BlackboardAttribute(attID_ex3, WindowsCommunicationModuleFactory.moduleName, LastName)) attID_ex4 =ccase.getAttributeType("TSK_WINCOM_CONTACT_COUNTRY") art.addAttribute(BlackboardAttribute(attID_ex4, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Country)) attID_ex5 =ccase.getAttributeType("TSK_WINCOM_CONTACT_LOCALITY") art.addAttribute(BlackboardAttribute(attID_ex5, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Locality)) attID_ex6 =ccase.getAttributeType("TSK_WINCOM_CONTACT_REGION") art.addAttribute(BlackboardAttribute(attID_ex6, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Region)) attID_ex7 =ccase.getAttributeType("TSK_WINCOM_CONTACT_BIRTHDAY") art.addAttribute(BlackboardAttribute(attID_ex7, WindowsCommunicationModuleFactory.moduleName, Birthday)) IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(WindowsCommunicationModuleFactory.moduleName, artID_wincom_contact_evt, None)) else: pass #cleanup try: os.remove(lclXMLPath) os.remove(lclXMLPath+".rewrite") except: self.log(Level.INFO, "Cleanup of files did not work ") message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Windows Communication App - Contacts", "Windows Communication App - Contacts Has Been Analyzed " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK # def shutDown(self): # # As a final part of this example, we'll send a message to the ingest inbox with the number of files found (in this thread) # msg2 = IngestMessage.createMessage( # IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName, # "Found " + str(self.filesFound)) # ingestServices = IngestServices.getInstance().postMessage(msg2)
def process(self, dataSource, progressBar): # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # Find the "contacts.db" file to parse fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "contacts.db") # keep track of progress num_files = len(files) progressBar.switchToDeterminate(num_files) file_count = 0 for f in files: # First check to see if the job was cancelled # If it was, return. if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK # Begin processing the next file self.log(Level.INFO, "Processing file: " + f.getName()) file_count += 1 # need to save the current file to disk for processng lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(f.getId()) + ".db") ContentUtils.writeToFile(f, File(lclDbPath)) # Next we open the db for processing try: Class.forName("org.sqlite.JDBC").newInstance() db_conn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath) except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + f.getName() + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # queryr all from the contacts table try: stmt = db_conn.createStatement() result_set = stmt.executeQuery("SELECT * FROM contacts") except SQLException as e: self.log( Level.INFO, "Error querying database for contacts table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Process the DB while result_set.next(): # Make an artifact on the blackboard and give it attributes art = f.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT) # Name found in DB name = result_set.getString("name") art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME_PERSON. getTypeID(), HW11ContactsDbIngestModuleFactory.moduleName, name)) # Email found email = result_set.getString("email") art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL.getTypeID( ), HW11ContactsDbIngestModuleFactory.moduleName, email)) # Phone number found phone = result_set.getString("phone") art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER. getTypeID(), HW11ContactsDbIngestModuleFactory.moduleName, phone)) # Index the artifact for keyword searching try: blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # Update the UI of the newly created artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(HW11ContactsDbIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT, None)) # Clean up tasks for the current file stmt.close() db_conn.close() os.remove(lclDbPath) # After all db's are processed, post a message to the ingest inbox. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ContactsDb Analyzer", "Found %d files" % file_count) IngestServices.getInstance().postMessage(message) # return return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): self.log(Level.INFO, "Starting to process") # we don't know how much work there is yet progressBar.switchToIndeterminate() # Get the temp directory and create the sub directory modDir = os.path.join( Case.getCurrentCase().getModulesOutputDirAbsPath(), "AD1Extractor") try: os.mkdir(modDir) except: self.log(Level.INFO, "AD1 Extractor Directory already Exists " + modDir) moduleName = AD1ExtractorIngestModuleFactory.moduleName # get the current case skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%", "/") numFiles = len(files) self.log(Level.INFO, "Number of files to process ==> " + str(numFiles)) for file in files: self.log(Level.INFO, "File name to process is ==> " + file.getName()) self.log( Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath())) imageFile = file.getLocalAbsPath() if ((imageFile != None) or (not file.isDir())): if ".ad1" in imageFile.lower(): progressBar.progress("Extracting " + file.getName()) filename, file_extension = os.path.splitext(file.getName()) self.log( Level.INFO, "Running program ==> " + self.path_to_exe + " " + imageFile + " " + modDir + " " + os.path.join(modDir, filename + ".db3")) pipe = Popen([ self.path_to_exe, imageFile, modDir, os.path.join(modDir, filename + ".db3") ], stdout=PIPE, stderr=PIPE) outText = pipe.communicate()[0] try: self.log(Level.INFO, "Begin Create New Artifacts") artIdAD1 = skCase.addArtifactType( "AD1_EXTRACTOR", "AD1 Extraction") except: self.log( Level.INFO, "Artifacts Creation Error, Artifact AD1_EXTRACTOR may exist. ==> " ) artIdAD1 = skCase.getArtifactTypeID("AD1_EXTRACTOR") try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection( "jdbc:sqlite:%s" % os.path.join(modDir, filename + ".db3")) except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + os.path.join(modDir, filename + ".db3") + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery(self.sqlStatement) self.log(Level.INFO, "query ad1_info") except SQLException as e: self.log( Level.INFO, "Error querying database for ad1_info tables (" + e.getMessage() + ") ") return IngestModule.ProcessResult.OK # Cycle through each row and get the installed programs and install time while resultSet.next(): try: artAD1 = file.newArtifact(artIdAD1) attributes = ArrayList() attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_NAME, moduleName, resultSet.getString("file_name"))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_TEMP_DIR, moduleName, resultSet.getString("ad1_path_name"))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_DATETIME_CREATED, moduleName, resultSet.getInt("date_created"))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_DATETIME_MODIFIED, moduleName, resultSet.getInt("date_modified"))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_DATETIME_ACCESSED, moduleName, resultSet.getInt("date_accessed"))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_HASH_MD5, moduleName, resultSet.getString("md5_hash"))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_HASH_SHA1, moduleName, resultSet.getString("sha1_hash"))) artAD1.addAttributes(attributes) # index the artifact for keyword search try: blackboard.postArtifact(artAD1) except: pass except SQLException as e: self.log( Level.INFO, "Error getting values from AD1tables (" + e.getMessage() + ")") # Close the database statement try: stmt.close() dbConn.close() except: pass dir_list = [] dir_list.append(modDir) services = IngestServices.getInstance() progress_updater = ProgressUpdater() newDataSources = [] fileManager = Case.getCurrentCase().getServices().getFileManager() skcase_data = Case.getCurrentCase() # Get a Unique device id using uuid device_id = UUID.randomUUID() self.log(Level.INFO, "device id: ==> " + str(device_id)) skcase_data.notifyAddingDataSource(device_id) progressBar.progress( "Adding Takeout files to AD1Extractor Data Source") # Add data source with files newDataSource = fileManager.addLocalFilesDataSource( str(device_id), "AD1", "", dir_list, progress_updater) newDataSources.append(newDataSource.getRootDirectory()) # Get the files that were added files_added = progress_updater.getFiles() for file_added in files_added: progressBar.progress( "Adding AD1 extracted files to new data source") skcase_data.notifyDataSourceAdded(file_added, device_id) #self.log(Level.INFO, "Fire Module1: ==> " + str(file_added)) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "AD1ExtractorSettings", " AD1Extractors Has Been Run ") IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_DEVICE_ACCOUNT_ID = skCase.getArtifactTypeID( self.ARTIFACTTYPENAME_NS_DEVICE_ACCOUNT) # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or not (file.isFile())): return IngestModule.ProcessResult.OK # Use blackboard class to index blackboard artifacts for keyword search # blackboard = Case.getCurrentCase().getServices().getBlackboard() if file.getName() == "8000000000000010": self.filesFound += 1 artifactList = file.getArtifacts( BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT) self.log(Level.INFO, str(artifactList.size())) users = self.getUsersFromFile(file) artifactList = file.getArtifacts(ARTID_NS_DEVICE_ACCOUNT_ID) for user in users: # Don't add to blackboard if the artifact already exists for artifact in artifactList: artifactNickname = artifact.getAttribute( self.NS_ACCOUNT_ATTRIBUTES["nickname"][3]) artifactEmail = artifact.getAttribute( self.NS_ACCOUNT_ATTRIBUTES["email"][3]) if artifactNickname and artifactEmail: if artifactNickname.getValueString( ) == user["nickname"]: if artifactEmail.getValueString() == user["email"]: return IngestModule.ProcessResult.OK art = file.newArtifact(ARTID_NS_DEVICE_ACCOUNT_ID) art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME. getTypeID(), DeviceAccountIngestModuleFactory.moduleName, "Nintendo Switch - Device Accounts")) for attribute in self.NS_ACCOUNT_ATTRIBUTES.keys(): art.addAttribute( BlackboardAttribute( self.NS_ACCOUNT_ATTRIBUTES[attribute][3], DeviceAccountIngestModuleFactory.moduleName, str(user[attribute]))) # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( DeviceAccountIngestModuleFactory.moduleName, skCase.getArtifactType( self.ARTIFACTTYPENAME_NS_DEVICE_ACCOUNT), None)) return IngestModule.ProcessResult.OK
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_WIFI = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_WIFI) networks = {} skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if (file.getName().lower() == "8000000000000050"): artifactList = file.getArtifacts(ARTID_NS_WIFI) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(8192, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() regex = "\x00[^\x00]{16}\x03(?:[^\x20-\x7f]+)(?P<ssid>[\x20-\x7f]+?)\x00(?:[^\x20-\x7f]+)(?P<pass>[\x20-\x7f]+?)\x00" x = re.finditer(regex, currentBuffer) for network in x: networks[network.group('ssid')] = network.group('pass') for ssid, psk in networks.items(): self.log(Level.INFO, ssid) # Don't add to blackboard if the artifact already exists for artifact in artifactList: artifactSSID = artifact.getAttribute( self.NS_WIFI_ATTRIBUTES["SSID"][3]) if artifactSSID.getValueString() == ssid: pass art = file.newArtifact(ARTID_NS_WIFI) art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME. getTypeID(), WiFiIngestModuleFactory.moduleName, "Nintendo Switch - Wireless Credentials")) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["SSID"][3], WiFiIngestModuleFactory.moduleName, ssid)) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["PSK"][3], WiFiIngestModuleFactory.moduleName, psk)) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( WiFiIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_WIFI), None)) return IngestModule.ProcessResult.OK
def __findCallLogsInDB(self, databasePath, abstractFile, dataSource): if not databasePath: return bbartifacts = list() try: connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() # Create a 'Device' account using the data source device id datasourceObjId = dataSource.getDataSource().getId() ds = Case.getCurrentCase().getSleuthkitCase().getDataSource(datasourceObjId) deviceID = ds.getDeviceId() deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().createAccountFileInstance(Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile) for tableName in CallLogAnalyzer._tableNames: try: resultSet = statement.executeQuery("SELECT number, date, duration, type, name FROM " + tableName + " ORDER BY date DESC;") self._logger.log(Level.INFO, "Reading call log from table {0} in db {1}", [tableName, databasePath]) while resultSet.next(): date = resultSet.getLong("date") / 1000 direction = CallLogAnalyzer.fromType(resultSet.getInt("type")) directionString = direction.getDisplayName() if direction is not None else "" number = resultSet.getString("number") duration = resultSet.getLong("duration") # duration of call is in seconds name = resultSet.getString("name") # name of person dialed or called. None if unregistered try: attributes = ArrayList() artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG) # create a call log and then add attributes from result set. if direction == CallLogAnalyzer.OUTGOING: attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO, general.MODULE_NAME, number)) else: # Covers INCOMING and MISSED attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM, general.MODULE_NAME, number)) attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_START, general.MODULE_NAME, date)) attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_END, general.MODULE_NAME, duration + date)) attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, directionString)) attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, general.MODULE_NAME, name)) artifact.addAttributes(attributes) # Create an account calllogAccountInstance = Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().createAccountFileInstance(Account.Type.PHONE, number, general.MODULE_NAME, abstractFile); # create relationship between accounts Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().addRelationships(deviceAccountInstance, [calllogAccountInstance], artifact, Relationship.Type.CALL_LOG, date); bbartifacts.append(artifact) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error("Failed to index call log artifact for keyword search.", artifact.getDisplayName()) except TskCoreException as ex: self._logger.log(Level.SEVERE, "Error posting call log record to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) except SQLException as ex: self._logger.log(Level.WARNING, String.format("Could not read table %s in db %s", tableName, databasePath), ex) except SQLException as ex: self._logger.log(Level.SEVERE, "Could not parse call log; error connecting to db " + databasePath, ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: if bbartifacts: IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(general.MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG, bbartifacts))
def analyze(self, dataSource, fileManager, context): oruxMapsTrackpointsDbs = AppSQLiteDB.findAppDatabases( dataSource, "oruxmapstracks.db", True, self._PACKAGE_NAME) for oruxMapsTrackpointsDb in oruxMapsTrackpointsDbs: try: current_case = Case.getCurrentCaseThrows() poiQueryString = "SELECT poilat, poilon, poitime, poiname FROM pois" poisResultSet = oruxMapsTrackpointsDb.runQuery(poiQueryString) abstractFile = oruxMapsTrackpointsDb.getDBFile() if poisResultSet is not None: while poisResultSet.next(): latitude = poisResultSet.getDouble("poilat") longitude = poisResultSet.getDouble("poilon") time = poisResultSet.getLong( "poitime") / 1000 # milliseconds since unix epoch name = poisResultSet.getString("poiname") attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT ) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_DATETIME, self._MODULE_NAME, time)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LATITUDE, self._MODULE_NAME, latitude)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LONGITUDE, self._MODULE_NAME, longitude)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, self._MODULE_NAME, name)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_PROG_NAME, self._MODULE_NAME, self._PROGRAM_NAME)) artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase( ).getSleuthkitCase().getBlackboard() blackboard.postArtifact(artifact, self._MODULE_NAME) except Blackboard.BlackboardException as ex: self._logger.log( Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error( "Failed to index trackpoint artifact for keyword search.", artifact.getDisplayName()) trackpointsQueryString = "SELECT trkptlat, trkptlon, trkpttime FROM trackpoints" trackpointsResultSet = oruxMapsTrackpointsDb.runQuery( trackpointsQueryString) if trackpointsResultSet is not None: while trackpointsResultSet.next(): latitude = trackpointsResultSet.getDouble("trkptlat") longitude = trackpointsResultSet.getDouble("trkptlon") time = trackpointsResultSet.getLong( "trkpttime" ) / 1000 # milliseconds since unix epoch name = "" attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT ) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_DATETIME, self._MODULE_NAME, time)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LATITUDE, self._MODULE_NAME, latitude)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LONGITUDE, self._MODULE_NAME, longitude)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, self._MODULE_NAME, name)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_PROG_NAME, self._MODULE_NAME, self._PROGRAM_NAME)) artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase( ).getSleuthkitCase().getBlackboard() blackboard.postArtifact(artifact, self._MODULE_NAME) except Blackboard.BlackboardException as ex: self._logger.log( Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error( "Failed to index trackpoint artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: self._logger.log( Level.WARNING, "Error processing query result for Orux Map trackpoints.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) except TskCoreException as ex: self._logger.log( Level.SEVERE, "Failed to add Orux Map trackpoint artifacts.", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) except BlackboardException as ex: self._logger.log(Level.WARNING, "Failed to post artifacts.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) except NoCurrentCaseException as ex: self._logger.log(Level.WARNING, "No case currently open.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) finally: oruxMapsTrackpointsDb.close()
def process(self, dataSource, progressBar): # Check to see if the artifacts exist and if not then create it, also check to see if the attributes # exist and if not then create them skCase = Case.getCurrentCase().getSleuthkitCase(); skCase_Tran = skCase.beginTransaction() try: self.log(Level.INFO, "Begin Create New Artifacts") artID_jl_ad = skCase.addArtifactType( "TSK_JL_AD", "Jump List Auto Dest") except: self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ") artID_jl_ad = skCase.getArtifactTypeID("TSK_JL_AD") try: attID_jl_fn = skCase.addArtifactAttributeType("TSK_JLAD_FILE_NAME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "JumpList File Name") except: self.log(Level.INFO, "Attributes Creation Error, JL AD File Name. ==> ") try: attID_jl_fg = skCase.addArtifactAttributeType("TSK_JLAD_FILE_DESCRIPTION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Description") except: self.log(Level.INFO, "Attributes Creation Error, File Description. ==> ") try: attID_jl_in = skCase.addArtifactAttributeType("TSK_JLAD_ITEM_NAME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Item Name") except: self.log(Level.INFO, "Attributes Creation Error, Item Name. ==> ") try: attID_jl_cl = skCase.addArtifactAttributeType("TSK_JLAD_COMMAND_LINE_ARGS", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Command Line Args") except: self.log(Level.INFO, "Attributes Creation Error, Command Line Arguments. ==> ") try: attID_jl_dt = skCase.addArtifactAttributeType("TSK_JLAD_Drive Type", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "Drive Type") except: self.log(Level.INFO, "Attributes Creation Error, Drive Type. ==> ") try: attID_jl_dsn = skCase.addArtifactAttributeType("TSK_JLAD_DRIVE_SERIAL_NUMBER", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "Drive Serial Number") except: self.log(Level.INFO, "Attributes Creation Error, Drive Serial Number. ==> ") try: attID_jl_des = skCase.addArtifactAttributeType("TSK_JLAD_DESCRIPTION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Description") except: self.log(Level.INFO, "Attributes Creation Error, Description. ==> ") try: attID_jl_evl = skCase.addArtifactAttributeType("TSK_JLAD_ENVIRONMENT_VARIABLES_LOCATION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Env Var Location") except: self.log(Level.INFO, "Attributes Creation Error, Env Var Location. ==> ") try: attID_jl_fat = skCase.addArtifactAttributeType("TSK_JLAD_FILE_ACCESS_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Access Time") except: self.log(Level.INFO, "Attributes Creation Error, File Access Time. ==> ") try: attID_jl_faf = skCase.addArtifactAttributeType("TSK_JLAD_FILE_ATTRIBUTE_FLAGS", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "File Attribute Flags") except: self.log(Level.INFO, "Attributes Creation Error, File Attribute Flags. ==> ") try: attID_jl_fct = skCase.addArtifactAttributeType("TSK_JLAD_FILE_CREATION_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Creation Time") except: self.log(Level.INFO, "Attributes Creation Error, File Creation Time. ==> ") try: attID_jl_fmt = skCase.addArtifactAttributeType("TSK_JLAD_FILE_MODIFICATION_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Modification Time") except: self.log(Level.INFO, "Attributes Creation Error, File Modification Time. ==> ") try: attID_jl_fs = skCase.addArtifactAttributeType("TSK_JLAD_FILE_SIZE", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "File Size") except: self.log(Level.INFO, "Attributes Creation Error, File Size. ==> ") try: attID_jl_ic = skCase.addArtifactAttributeType("TSK_JLAD_ICON_LOCATION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Icon Location") except: self.log(Level.INFO, "Attributes Creation Error, Icon Location. ==> ") try: attID_jl_ltid = skCase.addArtifactAttributeType("TSK_JLAD_LINK_TARGET_IDENTIFIER_DATA", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Link Target Identifier Data") except: self.log(Level.INFO, "Attributes Creation Error, Link Target Identifier Data. ==> ") try: attID_jl_lp = skCase.addArtifactAttributeType("TSK_JLAD_LOCAL_PATH", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Local Path") except: self.log(Level.INFO, "Attributes Creation Error, File Modification Time. ==> ") try: attID_jl_mi = skCase.addArtifactAttributeType("TSK_JLAD_FILE_MACHINE_IDENTIFIER", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Machine Identifier") except: self.log(Level.INFO, "Attributes Creation Error, Machine Identifier. ==> ") try: attID_jl_np = skCase.addArtifactAttributeType("TSK_JLAD_NETWORK_PATH", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Network Path") except: self.log(Level.INFO, "Attributes Creation Error, Network Path. ==> ") try: attID_jl_rp = skCase.addArtifactAttributeType("TSK_JLAD_RELATIVE_PATH", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Relative Path") except: self.log(Level.INFO, "Attributes Creation Error, Relative Path. ==> ") try: attID_jl_vl = skCase.addArtifactAttributeType("TSK_JLAD_VOLUME_LABEL", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Volume Label") except: self.log(Level.INFO, "Attributes Creation Error, Volume Label. ==> ") try: attID_jl_wc = skCase.addArtifactAttributeType("TSK_JLAD_WORKING_DIRECTORY", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Working Directory") except: self.log(Level.INFO, "Attributes Creation Error, Working Directory. ==> ") #self.log(Level.INFO, "Get Artifacts after they were created.") # Get the new artifacts and attributes that were just created artID_jl_ad = skCase.getArtifactTypeID("TSK_JL_AD") artID_jl_ad_evt = skCase.getArtifactType("TSK_JL_AD") attID_jl_fn = skCase.getAttributeType("TSK_JLAD_FILE_NAME") attID_jl_fg = skCase.getAttributeType("TSK_JLAD_FILE_DESCRIPTION") attID_jl_in = skCase.getAttributeType("TSK_JLAD_ITEM_NAME") attID_jl_cl = skCase.getAttributeType("TSK_JLAD_COMMAND_LINE_ARGS") attID_jl_dt = skCase.getAttributeType("TSK_JLAD_Drive Type") attID_jl_dsn = skCase.getAttributeType("TSK_JLAD_DRIVE_SERIAL_NUMBER") attID_jl_des = skCase.getAttributeType("TSK_JLAD_DESCRIPTION") attID_jl_evl = skCase.getAttributeType("TSK_JLAD_ENVIRONMENT_VARIABLES_LOCATION") attID_jl_fat = skCase.getAttributeType("TSK_JLAD_FILE_ACCESS_TIME") attID_jl_faf = skCase.getAttributeType("TSK_JLAD_FILE_ATTRIBUTE_FLAGS") attID_jl_fct = skCase.getAttributeType("TSK_JLAD_FILE_CREATION_TIME") attID_jl_fmt = skCase.getAttributeType("TSK_JLAD_FILE_MODIFICATION_TIME") attID_jl_fs = skCase.getAttributeType("TSK_JLAD_FILE_SIZE") attID_jl_ic = skCase.getAttributeType("TSK_JLAD_ICON_LOCATION") attID_jl_ltid = skCase.getAttributeType("TSK_JLAD_LINK_TARGET_IDENTIFIER_DATA") attID_jl_lp = skCase.getAttributeType("TSK_JLAD_LOCAL_PATH") attID_jl_mi = skCase.getAttributeType("TSK_JLAD_FILE_MACHINE_IDENTIFIER") attID_jl_np = skCase.getAttributeType("TSK_JLAD_NETWORK_PATH") attID_jl_rp = skCase.getAttributeType("TSK_JLAD_RELATIVE_PATH") attID_jl_vl = skCase.getAttributeType("TSK_JLAD_VOLUME_LABEL") attID_jl_wd = skCase.getAttributeType("TSK_JLAD_WORKING_DIRECTORY") #self.log(Level.INFO, "Artifact id for TSK_PREFETCH ==> " + str(artID_pf)) # we don't know how much work there is yet progressBar.switchToIndeterminate() # Find the Windows Event Log Files files = [] fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%.automaticDestinations-ms") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; # Create Event Log directory in temp directory, if it exists then continue on processing Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "create Directory " + Temp_Dir + "\JL_AD") try: os.mkdir(Temp_Dir + "\JL_AD") except: self.log(Level.INFO, "JL_AD Directory already exists " + Temp_Dir) # Write out each Event Log file to the temp directory for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK #self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions lclDbPath = os.path.join(Temp_Dir + "\JL_AD", file.getName()) ContentUtils.writeToFile(file, File(lclDbPath)) # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Run the EXE, saving output to a sqlite database self.log(Level.INFO, "Running program on data source parm 1 ==> " + Temp_Dir + "\JL_AD" + " Parm 2 ==> " + Temp_Dir + "\JL_AD.db3") output = subprocess.Popen([self.path_to_exe, Temp_Dir + "\JL_AD", Temp_Dir + "\JL_AD.db3", self.path_to_app_id_db], stdout=subprocess.PIPE).communicate()[0] #self.log(Level.INFO, "Output for the JL_AD program ==> " + output) self.log(Level.INFO, " Return code is ==> " + output) # Set the database to be read to the one created by the Event_EVTX program lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), "JL_AD.db3") self.log(Level.INFO, "Path to the JL_AD database file created ==> " + lclDbPath) # Open the DB using JDBC try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%.automaticDestinations-ms") for file in files: file_name = os.path.splitext(file.getName())[0] self.log(Level.INFO, "File To process in SQL " + file_name + " <<=====") # Query the contacts table in the database and get all columns. try: stmt = dbConn.createStatement() SQL_Statement = "select File_Name, File_Description, Item_Name, command_line_arguments, drive_type, drive_serial_number, " + \ " description, environment_variables_location, file_access_time, file_attribute_flags, file_creation_time, " + \ " file_modification_time, file_size, icon_location, link_target_identifier_data, local_path, " + \ " machine_identifier, network_path, relative_path, volume_label, working_directory " + \ " from Automatic_destinations_JL where upper(File_Name) = upper('" + file_name + "');" # " from Automatic_destinations_JL where File_Name||'.automaticDestinations-ms' = '" + file_name + "';" #self.log(Level.INFO, "SQL Statement " + SQL_Statement + " <<=====") resultSet = stmt.executeQuery(SQL_Statement) except SQLException as e: self.log(Level.INFO, "Error querying database for EventLogs table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Cycle through each row and create artifacts while resultSet.next(): try: # self.log(Level.INFO, "Result (" + resultSet.getString("File_Name") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Recovered_Record") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Computer_Name") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Identifier") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Identifier_Qualifiers") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Level") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Offset") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Identifier") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Source_Name") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_User_Security_Identifier") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time_Epoch") + ")") # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Detail_Text") + ")") File_Name = resultSet.getString("File_Name") File_Description = resultSet.getString("File_Description") Item_Name = resultSet.getString("Item_Name") Command_Line_Arguments = resultSet.getString("command_line_arguments") Drive_Type = resultSet.getInt("drive_type") Drive_Serial_Number = resultSet.getInt("drive_serial_number") Description = resultSet.getString("description") Environment_Variables_Location = resultSet.getString("environment_variables_location") File_Access_Time = resultSet.getString("file_access_time") File_Attribute_Flags = resultSet.getInt("file_attribute_flags") File_Creation_Time = resultSet.getString("file_creation_time") File_Modification_Time = resultSet.getString("file_modification_time") File_Size = resultSet.getInt("file_size") Icon_Location = resultSet.getString("icon_location") Link_Target_Identifier_Data = resultSet.getString("link_target_identifier_data") Local_Path = resultSet.getString("local_path") Machine_Identifier = resultSet.getString("machine_identifier") Network_Path = resultSet.getString("network_path") Relative_Path = resultSet.getString("relative_path") Volume_Label = resultSet.getString("volume_label") Working_Directory = resultSet.getString("working_directory") except SQLException as e: self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")") #fileManager = Case.getCurrentCase().getServices().getFileManager() #files = fileManager.findFiles(dataSource, Prefetch_File_Name) #for file in files: # Make artifact for TSK_PREFETCH, this can happen when custom attributes are fully supported #art = file.newArtifact(artID_pf) # Make an artifact on the blackboard, TSK_PROG_RUN and give it attributes for each of the fields # Not the proper way to do it but it will work for the time being. art = file.newArtifact(artID_jl_ad) # This is for when proper atributes can be created. art.addAttributes(((BlackboardAttribute(attID_jl_fn, JumpListADDbIngestModuleFactory.moduleName, File_Name)), \ (BlackboardAttribute(attID_jl_fg, JumpListADDbIngestModuleFactory.moduleName, File_Description)), \ (BlackboardAttribute(attID_jl_in, JumpListADDbIngestModuleFactory.moduleName, Item_Name)), \ (BlackboardAttribute(attID_jl_cl, JumpListADDbIngestModuleFactory.moduleName, Command_Line_Arguments)), \ (BlackboardAttribute(attID_jl_dt, JumpListADDbIngestModuleFactory.moduleName, Drive_Type)), \ (BlackboardAttribute(attID_jl_dsn, JumpListADDbIngestModuleFactory.moduleName, Drive_Serial_Number)), \ (BlackboardAttribute(attID_jl_des, JumpListADDbIngestModuleFactory.moduleName, Description)), \ (BlackboardAttribute(attID_jl_evl, JumpListADDbIngestModuleFactory.moduleName, Environment_Variables_Location)), \ (BlackboardAttribute(attID_jl_fat, JumpListADDbIngestModuleFactory.moduleName, File_Access_Time)), \ (BlackboardAttribute(attID_jl_faf, JumpListADDbIngestModuleFactory.moduleName, File_Attribute_Flags)), \ (BlackboardAttribute(attID_jl_fct, JumpListADDbIngestModuleFactory.moduleName, File_Creation_Time)), \ (BlackboardAttribute(attID_jl_fmt, JumpListADDbIngestModuleFactory.moduleName, File_Modification_Time)), \ (BlackboardAttribute(attID_jl_fs, JumpListADDbIngestModuleFactory.moduleName, File_Size)), \ (BlackboardAttribute(attID_jl_ic, JumpListADDbIngestModuleFactory.moduleName, Icon_Location)), \ (BlackboardAttribute(attID_jl_ltid, JumpListADDbIngestModuleFactory.moduleName, Link_Target_Identifier_Data)), \ (BlackboardAttribute(attID_jl_lp, JumpListADDbIngestModuleFactory.moduleName, Local_Path)), \ (BlackboardAttribute(attID_jl_mi, JumpListADDbIngestModuleFactory.moduleName, Machine_Identifier)), \ (BlackboardAttribute(attID_jl_np, JumpListADDbIngestModuleFactory.moduleName, Network_Path)), \ (BlackboardAttribute(attID_jl_rp, JumpListADDbIngestModuleFactory.moduleName, Relative_Path)), \ (BlackboardAttribute(attID_jl_vl, JumpListADDbIngestModuleFactory.moduleName, Volume_Label)), \ (BlackboardAttribute(attID_jl_wd, JumpListADDbIngestModuleFactory.moduleName, Working_Directory)))) # Fire an event to notify the UI and others that there are new artifacts IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None)) # Clean up skCase_Tran.commit() stmt.close() dbConn.close() os.remove(lclDbPath) #skCase.close() #Clean up EventLog directory and files for file in files: try: os.remove(Temp_Dir + "\\" + file.getName()) except: self.log(Level.INFO, "removal of JL_AD file failed " + Temp_Dir + "\\" + file.getName()) try: os.rmdir(Temp_Dir) except: self.log(Level.INFO, "removal of JL_AD directory failed " + Temp_Dir) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "JumpList AD", " JumpList AD Has Been Analyzed " ) IngestServices.getInstance().postMessage(message) # Fire an event to notify the UI and others that there are new artifacts IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None)) return IngestModule.ProcessResult.OK
def process(self, file): # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK # Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard() # XML Path xmlPath = file.getUniquePath().replace("/", "\\") xmlPath = xmlPath.replace(file.getName(), "") replaceImgNameA = "\\img_" + str(Case.getCurrentCase().getNumber()) + ".001\\" replaceImgNameB = "img_" + str(Case.getCurrentCase().getNumber()) + ".001\\" xmlPath = xmlPath.replace(replaceImgNameA, ""); xmlPath = xmlPath.replace(replaceImgNameB, ""); # XML fullpath xmlFullpath = file.getUniquePath().replace("/", "\\") xmlFullpath = xmlFullpath.replace(replaceImgNameA, ""); xmlFullpath = xmlFullpath.replace(replaceImgNameB, ""); # XML Data xmlId = file.getMd5Hash() xmlCreated = file.getCrtime() xmlAccessed = file.getAtime() xmlWritten = file.getMtime() xmlFileSize = file.getSize() xmlPhysicalLocation = file.getMetaAddr() xmlDeleted = 0 xmlMyDescription = "Exisiting" xmlHash = file.getMd5Hash() # Start process images ------------------------------------------------------------------------------------- if(file.getMIMEType() in self.listOfImagesMimeToCopy): # Count self.countImages = self.countImages+1 self.countImagesAndMovies = self.countImagesAndMovies+1 # XML Data for picture xmlPicture = file.getName() # Create directory uniquePathFullLinux = file.getUniquePath(); uniquePathFullWindows = uniquePathFullLinux.replace("/", "\\") uniquePathFullWindows = uniquePathFullWindows[1:] fileName = os.path.basename(uniquePathFullWindows) uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameA, ""); uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameB, ""); splitDir = uniquePathWindows.split("\\") pathToCreate = os.path.join(self.filesDirectoryGlobal, "") for directory in splitDir: directory = directory.replace(":", "") pathToCreate = os.path.join(pathToCreate, directory) # self.log(Level.INFO, "==> directory=" + str(directory) + " pathToCreate=" + str(pathToCreate)) try: os.mkdir(pathToCreate) except: pass # Write file (here we can use either file.getName or xmlId try: extractedFile = os.path.join(pathToCreate, file.getName()) ContentUtils.writeToFile(file, File(extractedFile)) except: self.log(Level.SEVERE, "Error writing File " + file.getName() + " to " + extractedFile) # Write image to XML file try: f = open(self.xmlFileImagesGlobal, "a") f.write(" <Image>\n") f.write(" <path><![CDATA[" + str(xmlPath) + "]]></path>\n") f.write(" <picture>" + str(xmlPicture) + "</picture>\n") f.write(" <category>0</category>\n") f.write(" <id>" + str(xmlId) + "</id>\n") f.write(" <fileoffset>0</fileoffset>\n") f.write(" <fullpath><![CDATA[" + str(xmlFullpath) + "]]></fullpath>\n") f.write(" <created>" + str(xmlCreated) + "</created>\n") f.write(" <accessed>" + str(xmlAccessed) + "</accessed>\n") f.write(" <written>" + str(xmlWritten) + "</written>\n") f.write(" <deleted>" + str(xmlDeleted) + "</deleted>\n") f.write(" <hash>" + str(xmlHash) + "</hash>\n") f.write(" <encaseHash>0</encaseHash>\n") f.write(" <myDescription>" + xmlMyDescription + "</myDescription>\n") f.write(" <physicalLocation>" + str(xmlPhysicalLocation) + "</physicalLocation>\n") f.write(" <myUnique>0</myUnique>\n") f.write(" <tagged>0</tagged>\n") f.write(" <subCat></subCat>\n") f.write(" <notes></notes>\n") f.write(" <fileSize>" + str(xmlFileSize) + "</fileSize>\n") f.write(" <bitDepth></bitDepth>\n") f.write(" <aspectRatio></aspectRatio>\n") f.write(" </Image>\n") f.close() except: self.log(Level.SEVERE, "Error could not append to XML file " + self.xmlFileImagesGlobal) # Make artifact on blackboard art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, AutopsyToGriffeyeFactory.moduleName, "Images") art.addAttribute(att) # Index artifact try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # UI IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AutopsyToGriffeyeFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)) # Start process Movies ------------------------------------------------------------------------------------- if(file.getMIMEType() in self.listOfMoviesMimeToCopy): # Count self.countMovies = self.countMovies+1 self.countImagesAndMovies = self.countImagesAndMovies+1 # XML Data for picture xmlVideo = file.getName() # Create directory uniquePathFullLinux = file.getUniquePath(); uniquePathFullWindows = uniquePathFullLinux.replace("/", "\\") uniquePathFullWindows = uniquePathFullWindows[1:] fileName = os.path.basename(uniquePathFullWindows) uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameA, ""); uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameB, ""); splitDir = uniquePathWindows.split("\\") pathToCreate = os.path.join(self.filesDirectoryGlobal, "") for directory in splitDir: directory = directory.replace(":", "") pathToCreate = os.path.join(pathToCreate, directory) # self.log(Level.INFO, "==> directory=" + str(directory) + " pathToCreate=" + str(pathToCreate)) try: os.mkdir(pathToCreate) except: pass # Write file (here we can use either file.getName or xmlId try: extractedFile = os.path.join(pathToCreate, file.getName()) ContentUtils.writeToFile(file, File(extractedFile)) except: self.log(Level.SEVERE, "Error writing File " + file.getName() + " to " + extractedFile) # Write image to XML file try: f = open(self.xmlFileMoviesGlobal, "a") f.write(" <Movie>\n") f.write(" <path><![CDATA[" + str(xmlPath) + "]]></path>\n") f.write(" <movie>" + str(xmlMovie) + "</movie>\n") f.write(" <category>0</category>\n") f.write(" <id>" + str(xmlId) + "</id>\n") f.write(" <fileoffset>0</fileoffset>\n") f.write(" <fullpath><![CDATA[" + str(xmlFullpath) + "]]></fullpath>\n") f.write(" <created>" + str(xmlCreated) + "</created>\n") f.write(" <accessed>" + str(xmlAccessed) + "</accessed>\n") f.write(" <written>" + str(xmlWritten) + "</written>\n") f.write(" <deleted>" + str(xmlDeleted) + "</deleted>\n") f.write(" <hash>" + str(xmlHash) + "</hash>\n") f.write(" <encaseHash>0</encaseHash>\n") f.write(" <myDescription>" + xmlMyDescription + "</myDescription>\n") f.write(" <physicalLocation>" + str(xmlPhysicalLocation) + "</physicalLocation>\n") f.write(" <myUnique>0</myUnique>\n") f.write(" <tagged>0</tagged>\n") f.write(" <subCat></subCat>\n") f.write(" <notes></notes>\n") f.write(" <fileSize>" + str(xmlFileSize) + "</fileSize>\n") f.write(" </Movie>\n") f.close() except: self.log(Level.SEVERE, "Error could not append to XML file " + self.xmlFileMoviesGlobal) # Make artifact on blackboard art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, AutopsyToGriffeyeFactory.moduleName, "Movies") art.addAttribute(att) # Index artifact try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # UI IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AutopsyToGriffeyeFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() self.log(Level.INFO,dataSource.getUniquePath()) # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() self.art_contacts = self.create_artifact_type("Labcif-MSTeams_CONTACTS_"," Contacts", blackboard) self.art_messages = self.create_artifact_type("Labcif-MSTeams_MESSAGES_"," MESSAGES", blackboard) self.art_messages_reacts = self.create_artifact_type("Labcif-MSTeams_MESSAGES_REACTS"," REACTS", blackboard) self.art_messages_files = self.create_artifact_type("Labcif-MSTeams_MESSAGES_FILES"," FILES", blackboard) self.art_call = self.create_artifact_type("Labcif-MSTeams_CALLS_", " Call history", blackboard) self.art_call_one_to_one = self.create_artifact_type("Labcif-MSTeams_CALLS_ONE_TO_ONE", " Call history one to one", blackboard) self.art_teams = self.create_artifact_type("Labcif-MSTeams_TEAMS_"," Teams", blackboard) # contactos self.att_name = self.create_attribute_type('Labcif-MSTeams_CONTACT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Name", blackboard) self.att_email = self.create_attribute_type('Labcif-MSTeams_CONTACT_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Email", blackboard) self.att_orgid = self.create_attribute_type('Labcif-MSTeams_CONTACT_ORGID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Orgid", blackboard) self.att_user_contacts = self.create_attribute_type('Labcif-MSTeams_USERNAME_CONTACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard) self.att_folder_extract_contacts = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_CONTACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard) # reacts self.att_message_id_reacts = self.create_attribute_type('Labcif-MSTeams_MESSAGE_ID_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message ID", blackboard) self.att_sender_name_react = self.create_attribute_type('Labcif-MSTeams_MESSAGE_SENDER_NAME_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Who reacted", blackboard) self.att_reacted_with = self.create_attribute_type('Labcif-MSTeams_MESSAGE_FILE_LOCAL_EMOJI_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Emoji", blackboard) self.att_react_time= self.create_attribute_type('Labcif-MSTeams_MESSAGE_REACT_TIME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "React time", blackboard) self.att_user_message_reacts = self.create_attribute_type('Labcif-MSTeams_USERNAME_MESSAGE_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard) self.att_folder_extract_reacts = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard) # mensagens self.att_message_id = self.create_attribute_type('Labcif-MSTeams_MESSAGE_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message ID", blackboard) self.att_message = self.create_attribute_type('Labcif-MSTeams_MESSAGE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message", blackboard) self.att_sender_name = self.create_attribute_type('Labcif-MSTeams_SENDER', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Senders name", blackboard) self.att_time = self.create_attribute_type('Labcif-MSTeams_TIME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message time", blackboard) self.att_cvid = self.create_attribute_type('Labcif-MSTeams_CONVERSATION_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "CV", blackboard) self.att_user_message = self.create_attribute_type('Labcif-MSTeams_USERNAME_MESSAGE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard) self.att_folder_extract_message = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_MESSAGES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard) # ficheiros self.att_message_id_files = self.create_attribute_type('Labcif-MSTeams_MESSAGE_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message ID", blackboard) self.att_file_name = self.create_attribute_type('Labcif-MSTeams_MESSAGE_FILE_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File name", blackboard) self.att_file_local = self.create_attribute_type('Labcif-MSTeams_MESSAGE_FILE_LINK', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Link", blackboard) self.att_user_message_files = self.create_attribute_type('Labcif-MSTeams_USERNAME_MESSAGE_FILES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard) self.att_folder_extract_files = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_FILES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard) # calls one to one self.att_date_start_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_TIME_START', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one time start", blackboard) self.att_date_finish_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_TIME_FINISH', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one time finish", blackboard) self.att_creator_name_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_CREATOR_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Creator Name", blackboard) self.att_creator_email_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_CREATOR_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Creator Email", blackboard) self.att_participant_name_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_PARTICIPANT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Participant Name", blackboard) self.att_participant_email_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_PARTICIPANT_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Participant Email", blackboard) self.att_state_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_STATE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one state", blackboard) self.att_user_calls_one_to_one = self.create_attribute_type('Labcif-MSTeams_USERNAME_CALLS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard) self.att_folder_extract_calls_one_to_one = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_CALLS_ONE_TO_ONE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard) # teams self.att_cv_id_teams = self.create_attribute_type('Labcif-MSTeams_CV_ID_TEAMS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Conversation ID teams", blackboard) self.att_creator_name_teams = self.create_attribute_type('Labcif-MSTeams_TEAMS_CREATOR_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Creator Name", blackboard) self.att_creator_email_teams = self.create_attribute_type('Labcif-MSTeams_TEAMS_CREATOR_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Creator Email", blackboard) self.att_participant_name_teams = self.create_attribute_type('Labcif-MSTeams_TEAMS_PARTICIPANT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Participant Name", blackboard) self.att_participant_email_teams = self.create_attribute_type('Labcif-MSTeams_teams_PARTICIPANT_EMAIL_ONE_TO_ONE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Participant Email", blackboard) self.att_user_teams = self.create_attribute_type('Labcif-MSTeams_USERNAME_TEAMS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard) self.att_folder_extract_teams = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_TEAMS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard) # calls self.att_date = self.create_attribute_type('Labcif-MSTeams_CALL_DATE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call Date", blackboard) self.att_creator_name = self.create_attribute_type('Labcif-MSTeams_CALL_CREATOR_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Creator Name", blackboard) self.att_creator_email = self.create_attribute_type('Labcif-MSTeams_CALL_CREATOR_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Creator Email", blackboard) self.att_count_people_in = self.create_attribute_type('Labcif-MSTeams_CALL_AMOUNT_PEOPLE_IN', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Amount of people in call", blackboard) self.att_duration = self.create_attribute_type('Labcif-MSTeams_CALL_DURANTION', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call Duration", blackboard) self.att_participant_name = self.create_attribute_type('Labcif-MSTeams_CALL_PARTICIPANT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Participant Name", blackboard) self.att_participant_email = self.create_attribute_type('Labcif-MSTeams_CALL_PARTICIPANT_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Participant Email", blackboard) self.att_user_calls = self.create_attribute_type('Labcif-MSTeams_USERNAME_CALLS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard) self.att_folder_extract_calls = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_CALL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard) # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/latest/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%.ldb","https_teams.microsoft.com_") numFiles = len(files) progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. src = file.getParentPath() pathSplited=src.split("/") user=pathSplited[2] if user not in users: users.append(user) buffer = jarray.zeros(file.getSize(), "b") file.read(buffer,0,file.getSize()) if "lost" not in src and "Roaming" in file.getParentPath() and "ProjetoEI" not in file.getParentPath(): if src not in paths: tm = datetime.fromtimestamp(math.floor(tim.time())).strftime("%m-%d-%Y_%Hh-%Mm-%Ss") paths[src]="Analysis_Autopsy_LDB_{}_{}".format(user,tm) if not os.path.exists(os.path.join(projectEIAppDataPath,paths[src])): try: os.mkdir(os.path.join(projectEIAppDataPath,paths[src])) except OSError: print("Creation of the directory %s failed" % os.path.join(projectEIAppDataPath,paths[src])) else: print("Successfully created the directory %s " % os.path.join(projectEIAppDataPath,paths[src])) f = open(os.path.join(os.path.join(projectEIAppDataPath,paths[src]),file.getName()),"wb") f.write(buffer.tostring()) f.close() # try: # # index the artifact for keyword search # blackboard.indexArtifact(art) # except Blackboard.BlackboardException as e: # self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()+str(e)) # To further the example, this code will read the contents of the file and count the number of bytes # Update the progress bar progressBar.progress(fileCount) for src, path in paths.items(): complementaryFiles=fileManager.findFilesByParentPath(dataSource.getId(),src) for file in complementaryFiles: if "lost" not in file.getParentPath() and ".ldb" not in file.getName() and "lost" not in file.getName() and "Roaming" in file.getParentPath() and "ProjetoEI" not in file.getParentPath(): if file.getName() == "." or file.getName() == ".." or "-slack" in file.getName(): continue buffer = jarray.zeros(file.getSize(), "b") if src not in paths: tm = datetime.fromtimestamp(math.floor(tim.time())).strftime("%m-%d-%Y_%Hh-%Mm-%Ss") paths[src] = "Analysis_Autopsy_LDB_{}_{}".format(user,tm) if not os.path.exists(os.path.join(projectEIAppDataPath,paths[src])): try: os.mkdir(os.path.join(projectEIAppDataPath,paths[src])) except OSError: print("Creation of the directory %s failed" % os.path.join(projectEIAppDataPath,paths[src])) else: print("Successfully created the directory %s " % os.path.join(projectEIAppDataPath,paths[src])) try: f = open(os.path.join(os.path.join(projectEIAppDataPath,paths[src]),file.getName()),"a") file.read(buffer,0,file.getSize()) f.write(buffer.tostring()) f.close() except : self.log(Level.INFO,"File Crash") pathModule = os.path.realpath(__file__) indexCutPath=pathModule.rfind("\\") pathModule=pathModule[0:indexCutPath+1] # message = IngestMessage.createMessage( # IngestMessage.MessageType.DATA, Labcif-MSTeamsFactory.moduleName, # str(self.filesFound) + " files found") analysisPath = "" result = {} for key,value in paths.items(): if key not in result: result[key] = value for key, value in result.items(): p = subprocess.Popen([r"{}EI\EI.exe".format(pathModule),"--pathToEI",r"{}EI\ ".format(pathModule), "-a", value],stderr=subprocess.PIPE) out = p.stderr.read() self.log(Level.INFO, out) p.wait() # os.system("cmd /c \"{}EI\\EI.exe\" --pathToEI \"{}EI\\\" -a {}".format(pathModule,pathModule,value)) results=[] pathResults="Analise Autopsy" for u in users: pathLDB="" for key,value in paths.items(): if "Analysis_Autopsy_LDB_{}".format(u) in value: pathLDB=value break for root, dirs, files in os.walk(projectEIAppDataPath, topdown=False): for name in dirs: if pathResults in name and os.stat(os.path.join(projectEIAppDataPath,pathLDB)).st_mtime < os.stat(os.path.join(projectEIAppDataPath,name)).st_mtime: pathsLDB[pathLDB]=os.path.join(projectEIAppDataPath,name) results.append(os.path.join(projectEIAppDataPath,name)) f = open(os.path.join(projectEIAppDataPath,"filesToReport.txt"),"w") for r in results: for files in os.walk(r,topdown=False): for name in files: for fileName in name: if ".csv" in fileName or ".html" in fileName or ".css" in fileName: f.write(os.path.join(r,fileName)+"\n") f.close() f = open(os.path.join(projectEIAppDataPath,"filesToReport.txt"), "r") for line in f: line = line.replace("\n","") pathExtract="" if ".csv" in line: # ok if "EventCall" in line: rowcount=0 for key,value in pathsLDB.items(): if value in line: for k,v in paths.items(): if v == key: pathExtract=k break with io.open(line,encoding="utf-8") as csvfile: reader = csv.reader(x.replace('\0', '') for x in csvfile) for row in reader: # each row is a list try: row = row[0].split(";") if rowcount!=0: art = dataSource.newArtifact(self.art_call.getTypeID()) dura=str(int(float(row[4]))) art.addAttribute(BlackboardAttribute(self.att_date, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0]))) art.addAttribute(BlackboardAttribute(self.att_creator_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1]))) art.addAttribute(BlackboardAttribute(self.att_creator_email, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2]))) art.addAttribute(BlackboardAttribute(self.att_count_people_in, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3]))) art.addAttribute(BlackboardAttribute(self.att_duration, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName,dura )) art.addAttribute(BlackboardAttribute(self.att_participant_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[5]))) art.addAttribute(BlackboardAttribute(self.att_participant_email, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[6]))) art.addAttribute(BlackboardAttribute(self.att_user_calls, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[7]))) art.addAttribute(BlackboardAttribute(self.att_folder_extract_calls, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract)) except: self.log(Level.INFO,"File empty") rowcount+=1 csvfile.close() # ok elif "Conversations" in line: rowcount=0 for key,value in pathsLDB.items(): if value in line: for k,v in paths.items(): if v == key: pathExtract=k break with io.open(line,encoding="utf-8") as csvfile: reader = csv.reader(x.replace('\0', '') for x in csvfile) for row in reader: # each row is a list try: row = row[0].split(";") if rowcount!=0: art = dataSource.newArtifact(self.art_teams.getTypeID()) art.addAttribute(BlackboardAttribute(self.att_cv_id_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0]))) art.addAttribute(BlackboardAttribute(self.att_creator_name_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1]))) art.addAttribute(BlackboardAttribute(self.att_creator_email_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2]))) art.addAttribute(BlackboardAttribute(self.att_participant_name_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3]))) art.addAttribute(BlackboardAttribute(self.att_participant_email_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[4]))) art.addAttribute(BlackboardAttribute(self.att_user_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[5]))) art.addAttribute(BlackboardAttribute(self.att_folder_extract_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract)) except: self.log(Level.INFO,"File empty") rowcount+=1 csvfile.close() # ok elif "CallOneToOne" in line: rowcount=0 for key,value in pathsLDB.items(): if value in line: for k,v in paths.items(): if v == key: pathExtract=k break with io.open(line,encoding="utf-8") as csvfile: reader = csv.reader(x.replace('\0', '') for x in csvfile) for row in reader: # each row is a list try: row = row[0].split(";") if rowcount!=0: art = dataSource.newArtifact(self.art_call_one_to_one.getTypeID()) art.addAttribute(BlackboardAttribute(self.att_date_start_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2]))) art.addAttribute(BlackboardAttribute(self.att_date_finish_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3]))) art.addAttribute(BlackboardAttribute(self.att_creator_name_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0]))) art.addAttribute(BlackboardAttribute(self.att_creator_email_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1]))) art.addAttribute(BlackboardAttribute(self.att_participant_name_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[4]))) art.addAttribute(BlackboardAttribute(self.att_participant_email_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[5]))) art.addAttribute(BlackboardAttribute(self.att_state_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[6]))) art.addAttribute(BlackboardAttribute(self.att_user_calls_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[7]))) art.addAttribute(BlackboardAttribute(self.att_folder_extract_calls_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract)) except: self.log(Level.INFO,"File empty") rowcount+=1 csvfile.close() elif "Files" in line: rowcount=0 for key,value in pathsLDB.items(): if value in line: for k,v in paths.items(): if v == key: pathExtract=k break with io.open(line,encoding="utf-8") as csvfile: reader = csv.reader(x.replace('\0', '') for x in csvfile) for row in reader: # each row is a list try: row = row[0].split(";") if rowcount!=0: art = dataSource.newArtifact(self.art_messages_files.getTypeID()) art.addAttribute(BlackboardAttribute(self.att_message_id_files, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0]))) art.addAttribute(BlackboardAttribute(self.att_file_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1]))) art.addAttribute(BlackboardAttribute(self.att_file_local, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2]))) art.addAttribute(BlackboardAttribute(self.att_user_message_files, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3]))) art.addAttribute(BlackboardAttribute(self.att_folder_extract_files, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract)) except: self.log(Level.INFO,"File empty") rowcount+=1 csvfile.close() elif "Mensagens" in line: rowcount=0 for key,value in pathsLDB.items(): if value in line: for k,v in paths.items(): if v == key: pathExtract=k break idMessage="" message="" sender="" timee="" cvid="" userMessage="" with open(line) as csvfile: reader = csv.reader(x.replace('\0', '') for x in csvfile) for row in reader: # each row is a list try: self.log(Level.INFO,str(row)) if rowcount!=0: if len(row) == 1: row = row[0].split(";") idMessage=str(row[0]) message=str(row[1]) timee=str(row[2]) sender=str(row[3]) cvid=str(row[4]) userMessage=str(row[5]) else: partOne = row[0].split(";") idMessage=str(partOne[0]) lastPart=row[len(row)-1].split(";") timee=str(lastPart[1]) sender=str(lastPart[2]) cvid=str(lastPart[3]) userMessage=str(lastPart[4]) message=str(partOne[1])+"," if len(row)!=2: for x in range(1,len(row)-1): message+=str(row[x])+"," message+=str(lastPart[0]) art = dataSource.newArtifact(self.art_messages.getTypeID()) art.addAttribute(BlackboardAttribute(self.att_message_id, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, idMessage)) art.addAttribute(BlackboardAttribute(self.att_message, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, message)) art.addAttribute(BlackboardAttribute(self.att_sender_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, sender)) art.addAttribute(BlackboardAttribute(self.att_time, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, timee)) art.addAttribute(BlackboardAttribute(self.att_cvid, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, cvid)) art.addAttribute(BlackboardAttribute(self.att_user_message, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, userMessage)) art.addAttribute(BlackboardAttribute(self.att_folder_extract_message, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract)) except: self.log(Level.INFO,"File empty") rowcount+=1 csvfile.close() elif "Reacts" in line: rowcount=0 for key,value in pathsLDB.items(): if value in line: for k,v in paths.items(): if v == key: pathExtract=k break with io.open(line,encoding="utf-8") as csvfile: reader = csv.reader(x.replace('\0', '') for x in csvfile) for row in reader: # each row is a list try: row = row[0].split(";") if rowcount!=0: art = dataSource.newArtifact(self.art_messages_reacts.getTypeID()) try: art.addAttribute(BlackboardAttribute(self.att_message_id_reacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0]))) art.addAttribute(BlackboardAttribute(self.att_reacted_with, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1]))) art.addAttribute(BlackboardAttribute(self.att_sender_name_react, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2]))) art.addAttribute(BlackboardAttribute(self.att_react_time, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3]))) art.addAttribute(BlackboardAttribute(self.att_user_message_reacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[4]))) art.addAttribute(BlackboardAttribute(self.att_folder_extract_reacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract)) except: pass else: pass except: self.log(Level.INFO,"File empty") rowcount+=1 csvfile.close() elif "Contactos.csv" in line: rowcount=0 for key,value in pathsLDB.items(): if value in line: for k,v in paths.items(): if v == key: pathExtract=k break with io.open(line,encoding="utf-8") as csvfile: reader = csv.reader(x.replace('\0', '') for x in csvfile) for row in reader: # each row is a list try: row = row[0].split(";") if rowcount!=0: art = dataSource.newArtifact(self.art_contacts.getTypeID()) art.addAttribute(BlackboardAttribute(self.att_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0]))) art.addAttribute(BlackboardAttribute(self.att_email, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1]))) art.addAttribute(BlackboardAttribute(self.att_orgid, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2]))) art.addAttribute(BlackboardAttribute(self.att_user_contacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3]))) art.addAttribute(BlackboardAttribute(self.att_folder_extract_contacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract)) except: self.log(Level.INFO,"File empty") rowcount+=1 csvfile.close() rowcount=0 #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Please run MSTeams Report") IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def __findGeoLocationsInDB(self, databasePath, abstractFile): if not databasePath: return try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error opening database. return resultSet = None try: resultSet = statement.executeQuery( "SELECT time, dest_lat, dest_lng, dest_title, dest_address, source_lat, source_lng FROM destination_history;" ) while resultSet.next(): time = Long.valueOf(resultSet.getString("time")) / 1000 dest_title = resultSet.getString("dest_title") dest_address = resultSet.getString("dest_address") dest_lat = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("dest_lat")) dest_lng = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("dest_lng")) source_lat = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("source_lat")) source_lng = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("source_lng")) attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, general.MODULE_NAME, "Destination")) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, time)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LATITUDE_END, general.MODULE_NAME, dest_lat)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LONGITUDE_END, general.MODULE_NAME, dest_lng)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LATITUDE_START, general.MODULE_NAME, source_lat)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_GEO_LONGITUDE_START, general.MODULE_NAME, source_lng)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, general.MODULE_NAME, dest_title)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION, general.MODULE_NAME, dest_address)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME, "Google Maps History")) artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices( ).getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log( Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error( "Failed to index GPS route artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: # Unable to execute Google map locations SQL query against database. pass except Exception as ex: self._logger.log( Level.SEVERE, "Error parsing Google map locations to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing the database. pass
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Use blackboard class to index blackboard artifacts for keyword search # blackboard = Case.getCurrentCase().getServices().getBlackboard() #we're not using indexing # Get case case = Case.getCurrentCase().getSleuthkitCase() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.4/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html fileManager = Case.getCurrentCase().getServices().getFileManager() setting_file = fileManager.findFiles( dataSource, "Phoenix.xml") if self.local_settings.get_parse_settings() else [] cache_files = fileManager.findFiles( dataSource, "%.0%", "com.netgear.android" ) if self.local_settings.get_parse_settings() else [] num_files = len(setting_file) + len(cache_files) self.log(Level.INFO, "found " + str(num_files) + " files") progressBar.switchToDeterminate(num_files) file_count = 0 # Cache Files (Thumbnails in cache/http & cache/cams directories under com.netgear.android if self.local_settings.get_parse_cache(): # Settings File for file in cache_files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) file_count += 1 # # # Make an artifact on the blackboard. # # Set the DB file as an "interesting file" : TSK_INTERESTING_FILE_HIT is a generic type of # # artifact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, ArloIngestModuleFactory.moduleName, "Arlo Thumbnails") art.addAttribute(att) progressBar.progress(file_count) # Settings if self.local_settings.get_parse_settings(): # Settings File for file in setting_file: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) file_count += 1 # Make an artifact on the blackboard. # Set the DB file as an "interesting file" : TSK_INTERESTING_FILE_HIT is a generic type of # artifact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, ArloIngestModuleFactory.moduleName, "Arlo") art.addAttribute(att) # Write to file (any way to contour this?) lcl_setting_path = os.path.join( Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".xml") ContentUtils.writeToFile(file, File(lcl_setting_path)) arlo_settings = minidom.parse(lcl_setting_path) tags = arlo_settings.getElementsByTagName("string") arlo_logins = {} for tag in tags: if tag.getAttribute('name') == "email": arlo_logins['username'] = str(tag.firstChild.data) elif tag.getAttribute('name') == "token": arlo_logins['token'] = str( tag.firstChild.data).replace("\n", "") elif tag.getAttribute('name') == "userId": arlo_logins['user_id'] = str(tag.firstChild.data) art_type_id = case.getArtifactTypeID("ESC_GENERIC_LOGIN") art_type = case.getArtifactType("ESC_GENERIC_LOGIN") # Artifact art = file.newArtifact(art_type_id) # Attributes att_login_username_id = case.getAttributeType( "ESC_GENERIC_LOGIN_USERNAME") att_login_secret_id = case.getAttributeType( "ESC_GENERIC_LOGIN_SECRET") att_login_secret_type_id = case.getAttributeType( "ESC_GENERIC_LOGIN_SECRET_TYPE") att_login_service_id = case.getAttributeType( "ESC_GENERIC_LOGIN_SERVICE") att_login_remarks_id = case.getAttributeType( "ESC_GENERIC_LOGIN_REMARKS") att_login_username = BlackboardAttribute( att_login_username_id, ArloIngestModuleFactory.moduleName, arlo_logins['username']) att_login_secret = BlackboardAttribute( att_login_secret_id, ArloIngestModuleFactory.moduleName, arlo_logins['token']) att_login_secret_type = BlackboardAttribute( att_login_secret_type_id, ArloIngestModuleFactory.moduleName, "Oauth2 Token") att_login_service = BlackboardAttribute( att_login_service_id, ArloIngestModuleFactory.moduleName, "Arlo") att_login_remarks = BlackboardAttribute( att_login_remarks_id, ArloIngestModuleFactory.moduleName, "User ID: %s" % arlo_logins['user_id']) art.addAttribute(att_login_username) art.addAttribute(att_login_secret) art.addAttribute(att_login_secret_type) art.addAttribute(att_login_service) art.addAttribute(att_login_remarks) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(ArloIngestModuleFactory.moduleName, art_type, None)) progressBar.progress(file_count) # FINISHED! # Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Arlo Analysis", "Found %d files" % file_count) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # Find files named contacts.db, regardless of parent path fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "contacts.db") numFiles = len(files) progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".db") ContentUtils.writeToFile(file, File(lclDbPath)) # Open the DB using JDBC try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath) except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the contacts table in the database and get all columns. try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery("SELECT * FROM contacts") except SQLException as e: self.log( Level.INFO, "Error querying database for contacts table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Cycle through each row and create artifacts while resultSet.next(): try: name = resultSet.getString("name") email = resultSet.getString("email") phone = resultSet.getString("phone") except SQLException as e: self.log( Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")") # Make an artifact on the blackboard, TSK_CONTACT and give it attributes for each of the fields art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT) attributes = ArrayList() attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME_PERSON. getTypeID(), ContactsDbIngestModuleFactory.moduleName, name)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL.getTypeID( ), ContactsDbIngestModuleFactory.moduleName, email)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER. getTypeID(), ContactsDbIngestModuleFactory.moduleName, phone)) art.addAttributes(attributes) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # Fire an event to notify the UI and others that there are new artifacts IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(ContactsDbIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT, None)) # Clean up stmt.close() dbConn.close() os.remove(lclDbPath) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ContactsDb Analyzer", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # Check if this is Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK progressBar.switchToIndeterminate() skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() # In most Autopsy plugins this is where, the plugins searches for the files it's going to parse (i.e. a Registry hive or Log file) # In this plugin the data were adding to the case comes from outside autopsy, so there isn't really a file to associate the output with # but Autopsy expects the artifacts produced by the plugin to be associated with a file # So, this plugin just selects the very first file in the dataset, and associates the artifacts with that. files = fileManager.findFiles(dataSource, "%") self.log( Level.INFO, "CloudTrail logs will be associated with " + files[0].getName()) Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "Found temporary directory: " + Temp_Dir) mydb = Temp_Dir + "\\Cloudtopsy.db" # Parse some keys self.log( Level.INFO, "Downloading and parsing CloudTrail logs: \"" + self.my_exe + "\" -a \"" + self.Access_Key + "\" -s \"" + self.Secret_Key + "\" -r \"" + self.Region + "\" -b \"" + self.Bucket + "\" -d \"" + mydb + "\"") subprocess.Popen([ self.my_exe, '-a', self.Access_Key, '-s', self.Secret_Key, '-r', self.Region, '-b', self.Bucket, '-d', mydb ]).communicate()[0] try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb) except SQLException as e: self.log( Level.INFO, "Could not open database file " + mydb + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Retrieve a list of CloudTrail APIs called try: stmt = dbConn.createStatement() tableSet = stmt.executeQuery( "SELECT name from sqlite_master WHERE type='table' ORDER by name; " ) self.log( Level.INFO, "SQLite Query: SELECT name from sqlite_master WHERE type='table' ORDER by name;" ) except SQLException as e: self.log( Level.INFO, "Error Running Query: SELECT name from sqlite_master WHERE type='table' ORDER by name;" ) return IngestModule.ProcessResult.OK while tableSet.next(): self.List_Of_tables.append(tableSet.getString("name")) # Retrieve a count of CloudTrail APIs called and use it for the Progress Bar try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery( "SELECT COUNT(*) as count FROM Sqlite_Master WHERE type='table'; " ) self.log( Level.INFO, "SELECT COUNT(*) as count FROM Sqlite_Master WHERE type='table';" ) except SQLException as e: self.log( Level.INFO, "SELECT COUNT(*) as count FROM Sqlite_Master WHERE type='table';" ) return IngestModule.ProcessResult.OK progressBar.switchToDeterminate(int(resultSet.getString("count"))) stmt.close() dbConn.close() # Ingest the tables in mydb in Autopsy count = 0 for table_name in self.List_Of_tables: SQL_String_1 = "Select * from " + table_name + ";" SQL_String_2 = "PRAGMA table_info('" + table_name + "')" artifact_name = "TSK_" + table_name.upper() artifact_desc = "CloudTrail: " + table_name.upper() artID_amc = skCase.addArtifactType(artifact_name, artifact_desc) artID_amc = skCase.getArtifactTypeID(artifact_name) artID_amc_evt = skCase.getArtifactType(artifact_name) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb) stmt = dbConn.createStatement() except SQLException as e: return IngestModule.ProcessResult.OK Column_Names = [] Column_Types = [] self.log(Level.INFO, "Running Query: " + SQL_String_2) resultSet2 = stmt.executeQuery(SQL_String_2) while resultSet2.next(): Column_Names.append(resultSet2.getString("name").upper()) Column_Types.append(resultSet2.getString("type").upper()) if resultSet2.getString("type").upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log( Level.INFO, "Attributes Creation Error (string), " + resultSet2.getString("name") + " ==> ") elif resultSet2.getString("type").upper() == "": try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log( Level.INFO, "Attributes Creation Error (string2), " + resultSet2.getString("name") + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name")) except: self.log( Level.INFO, "Attributes Creation Error (long), " + resultSet2.getString("name") + " ==> ") self.log(Level.INFO, "Running Query: " + SQL_String_1) resultSet3 = stmt.executeQuery(SQL_String_1) while resultSet3.next(): art = files[0].newArtifact(artID_amc) Column_Number = 1 for col_name in Column_Names: c_name = "TSK_" + col_name attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1] == "TEXT": art.addAttribute( BlackboardAttribute( attID_ex1, CloudtopsyIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) elif Column_Types[Column_Number - 1] == "": art.addAttribute( BlackboardAttribute( attID_ex1, CloudtopsyIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) else: art.addAttribute( BlackboardAttribute( attID_ex1, CloudtopsyIngestModuleFactory.moduleName, long(resultSet3.getInt(Column_Number)))) Column_Number = Column_Number + 1 IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(CloudtopsyIngestModuleFactory.moduleName, artID_amc_evt, None)) stmt.close() dbConn.close() count += 1 progressBar.progress(count) message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "Cloudtopsy", " CloudTrail Logs Successfully Ingested!") IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): self.log( Level.INFO, "Starting to process, Just before call to parse_safari_history") # we don't know how much work there is yet progressBar.switchToIndeterminate() # Get the temp directory and create the sub directory Temp_Dir = Case.getCurrentCase().getTempDirectory() try: os.mkdir(Temp_Dir + "\MacFSEvents") except: self.log(Level.INFO, "FSEvents Directory already exists " + Temp_Dir) # Set the database to be read to the once created by the prefetch parser program skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%", ".fseventsd") numFiles = len(files) for file in files: #self.log(Level.INFO, "Files ==> " + file.getName()) if (file.getName() == "..") or (file.getName() == '.') or (file.getName() == 'fseventsd-uuid'): pass #self.log(Level.INFO, "Files ==> " + str(file)) else: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK # Save the DB locally in the temp folder. use file id as name to reduce collisions filePath = os.path.join(Temp_Dir + "\MacFSEvents", file.getName()) ContentUtils.writeToFile(file, File(filePath)) self.log(Level.INFO, "Number of files to process ==> " + str(numFiles)) self.log(Level.INFO, "Running program ==> " + self.MacFSEvents_Executable + " -c Autopsy " + "-o " + Temp_Dir + \ " -s " + Temp_Dir + "\MacFSEvents") pipe = Popen([ self.MacFSEvents_Executable, "-c", "Autopsy", "-o", Temp_Dir, "-s", Temp_Dir + "\MacFSEvents" ], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) database_file = Temp_Dir + "\\autopsy_FSEvents-Parsed_Records_DB.sqlite" #open the database to get the SQL and artifact info out of try: head, tail = os.path.split(os.path.abspath(__file__)) settings_db = head + "\\fsevents_sql.db3" Class.forName("org.sqlite.JDBC").newInstance() dbConn1 = DriverManager.getConnection("jdbc:sqlite:%s" % settings_db) except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK try: stmt1 = dbConn1.createStatement() sql_statement1 = "select distinct artifact_name, artifact_title from extracted_content_sql;" #self.log(Level.INFO, "SQL Statement ==> " + sql_statement) resultSet1 = stmt1.executeQuery(sql_statement1) while resultSet1.next(): try: self.log(Level.INFO, "Begin Create New Artifacts") artID_fse = skCase.addArtifactType( resultSet1.getString("artifact_name"), resultSet1.getString("artifact_title")) except: self.log( Level.INFO, "Artifacts Creation Error, " + resultSet1.getString("artifact_name") + " some artifacts may not exist now. ==> ") except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") #return IngestModule.ProcessResult.OK # Create the attribute type, if it exists then catch the error try: attID_fse_fn = skCase.addArtifactAttributeType( "TSK_FSEVENTS_FILE_NAME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Name") except: self.log(Level.INFO, "Attributes Creation Error, File Name. ==> ") try: attID_fse_msk = skCase.addArtifactAttributeType( "TSK_FSEVENTS_FILE_MASK", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Mask") except: self.log(Level.INFO, "Attributes Creation Error, Mask. ==> ") try: attID_fse_src = skCase.addArtifactAttributeType( "TSK_FSEVENTS_SOURCE", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Source File") except: self.log(Level.INFO, "Attributes Creation Error, Mask. ==> ") try: attID_fse_dte = skCase.addArtifactAttributeType( "TSK_FSEVENTS_DATES", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Date(s)") except: self.log(Level.INFO, "Attributes Creation Error, Mask. ==> ") try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection( "jdbc:sqlite:%s" % Temp_Dir + "\\autopsy_FSEvents-Parsed_Records_DB.sqlite") except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK #artID_fse = skCase.getArtifactTypeID("TSK_MACOS_FSEVENTS") #artID_fse_evt = skCase.getArtifactType("TSK_MACOS_FSEVENTS") artID_fse = skCase.getArtifactTypeID("TSK_MACOS_ALL_FSEVENTS") artID_fse_evt = skCase.getArtifactType("TSK_MACOS_ALL_FSEVENTS") attID_fse_fn = skCase.getAttributeType("TSK_FSEVENTS_FILE_NAME") attID_fse_msk = skCase.getAttributeType("TSK_FSEVENTS_FILE_MASK") attID_fse_src = skCase.getAttributeType("TSK_FSEVENTS_SOURCE") attID_fse_dte = skCase.getAttributeType("TSK_FSEVENTS_DATES") # Query the database for file in files: if ('slack' in file.getName()): pass elif (file.getName() == '..') or (file.getName() == '.'): pass else: stmt1 = dbConn1.createStatement() sql_statement1 = "select sql_statement, artifact_name, artifact_title from extracted_content_sql;" #self.log(Level.INFO, "SQL Statement ==> " + sql_statement) resultSet1 = stmt1.executeQuery(sql_statement1) while resultSet1.next(): try: artID_fse = skCase.getArtifactTypeID( resultSet1.getString("artifact_name")) artID_fse_evt = skCase.getArtifactType( resultSet1.getString("artifact_name")) try: stmt = dbConn.createStatement() sql_statement = resultSet1.getString( "sql_statement" ) + " and source like '%" + file.getName() + "';" #self.log(Level.INFO, "SQL Statement ==> " + sql_statement) resultSet = stmt.executeQuery(sql_statement) #self.log(Level.INFO, "query SQLite Master table ==> " ) #self.log(Level.INFO, "query " + str(resultSet)) # Cycle through each row and create artifact while resultSet.next(): # Add the attributes to the artifact. art = file.newArtifact(artID_fse) #self.log(Level.INFO, "Result ==> " + resultSet.getString("mask") + ' <==> ' + resultSet.getString("source")) art.addAttributes(((BlackboardAttribute(attID_fse_fn, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("filename"))), \ (BlackboardAttribute(attID_fse_msk, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("mask"))), \ (BlackboardAttribute(attID_fse_src, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("source"))), \ (BlackboardAttribute(attID_fse_dte, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("OTHER_DATES"))))) #try: # index the artifact for keyword search #blackboard.indexArtifact(art) #except: #self.log(Level.INFO, "Error indexing artifact " + art.getDisplayName()) except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") try: stmt.close() except: self.log(Level.INFO, "Error closing statement for " + file.getName()) # Fire an event to notify the UI and others that there are new artifacts IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(MacFSEventsIngestModuleFactory.moduleName, artID_fse_evt, None)) try: stmt.close() dbConn.close() stmt1.close() dbConn1.close() os.remove(Temp_Dir + "\Autopsy_FSEvents-EXCEPTIONS_LOG.txt") os.remove(Temp_Dir + "\Autopsy_FSEvents-Parsed_Records.tsv") os.remove(Temp_Dir + "\Autopsy_FSEvents-Parsed_Records_DB.sqlite") shutil.rmtree(Temp_Dir + "\MacFSEvents") except: self.log( Level.INFO, "removal of MacFSEvents imageinfo database failed " + Temp_Dir) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "MacFSEventsSettings", " MacFSEventsSettings Has Been Analyzed ") IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Set the database to be read to the once created by the SAM parser program skCase = Case.getCurrentCase().getSleuthkitCase(); fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "$UsnJrnl:$J", "$Extend") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; # Create Event Log directory in temp directory, if it exists then continue on processing Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "create Directory " + Temp_Dir) temp_dir = os.path.join(Temp_Dir, "usnj") try: os.mkdir(temp_dir) except: self.log(Level.INFO, "Usnj Directory already exists " + temp_dir) for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK #self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions lclDbPath = os.path.join(temp_dir, "usnj.txt") ContentUtils.writeToFile(file, File(lclDbPath)) self.log(Level.INFO, "Saved File ==> " + lclDbPath) # Run the EXE, saving output to a sqlite database #try: self.log(Level.INFO, "Running program ==> " + self.path_to_exe + " " + Temp_Dir + "\\usnj\\usnj.txt" + \ " " + Temp_Dir + "\\usnj.db3") pipe = Popen([self.path_to_exe, os.path.join(temp_dir, "usnj.txt"), os.path.join(temp_dir, "usnj.db3")], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) # Open the DB using JDBC lclDbPath = os.path.join(temp_dir, "usnj.db3") self.log(Level.INFO, "Path the system database file created ==> " + lclDbPath) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) usnj.db3 (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the contacts table in the database and get all columns. try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER; ") self.log(Level.INFO, "query SQLite Master table") except SQLException as e: self.log(Level.INFO, "Error querying database for system table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK try: self.log(Level.INFO, "Begin Create New Artifacts") artID_usnj = skCase.addArtifactType("TSK_USNJ", "NTFS UsrJrnl entries") except: self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ") artID_usnj = skCase.getArtifactTypeID("TSK_USNJ") artID_usnj_evt = skCase.getArtifactType("TSK_USNJ") #self.log(Level.INFO, "get artifacts ID's " + str(artID_usnj)) #self.log(Level.INFO, "get artifacts ID's " + str(resultSet)) # Cycle through each row and create artifacts while resultSet.next(): try: #self.log(Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")") table_name = resultSet.getString("tbl_name") #self.log(Level.INFO, "Result get information from table " + resultSet.getString("tbl_name") + " ") SQL_String_1 = "Select * from " + table_name + ";" SQL_String_2 = "PRAGMA table_info('" + table_name + "')" #self.log(Level.INFO, SQL_String_1) #self.log(Level.INFO, SQL_String_2) Column_Names = [] Column_Types = [] resultSet2 = stmt.executeQuery(SQL_String_2) while resultSet2.next(): Column_Names.append(resultSet2.getString("name").upper()) Column_Types.append(resultSet2.getString("type")) if resultSet2.getString("type").upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType("TSK_USNJ_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log(Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType("TSK_USNJ_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log(Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") resultSet3 = stmt.executeQuery(SQL_String_1) while resultSet3.next(): art = file.newArtifact(artID_usnj) Column_Number = 1 for col_name in Column_Names: #self.log(Level.INFO, "Result get information for column " + Column_Names[Column_Number - 1] + " ") #self.log(Level.INFO, "Result get information for column " + Column_Types[Column_Number - 1] + " ") #self.log(Level.INFO, "Result get information for column_number " + str(Column_Number) + " ") c_name = "TSK_USNJ_" + col_name #self.log(Level.INFO, "Attribute Name is " + c_name + " Atribute Type is " + str(Column_Types[Column_Number - 1])) attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1] == "TEXT": art.addAttribute(BlackboardAttribute(attID_ex1, ParseUsnJIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) else: art.addAttribute(BlackboardAttribute(attID_ex1, ParseUsnJIngestModuleFactory.moduleName, resultSet3.getInt(Column_Number))) Column_Number = Column_Number + 1 except SQLException as e: self.log(Level.INFO, "Error getting values from usnj table (" + e.getMessage() + ")") # Clean up stmt.close() dbConn.close() # Fire an event to notify the UI and others that there are new artifacts IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(ParseUsnJIngestModuleFactory.moduleName, artID_usnj_evt, None)) #Clean up EventLog directory and files os.remove(lclDbPath) try: os.remove(os.path.join(temp_dir, "usnj.txt")) except: self.log(Level.INFO, "removal of usnj.txt file failed " + temp_dir + "\\" + file.getName()) try: os.rmdir(temp_dir) except: self.log(Level.INFO, "removal of usnj directory failed " + temp_dir) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Usnj Parser", " Usnj Has Been Analyzed " ) IngestServices.getInstance().postMessage(message) # Fire an event to notify the UI and others that there are new artifacts IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(ParseUsnJIngestModuleFactory.moduleName, artID_usnj_evt, None)) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Set the database to be read to the once created by the prefetch parser program skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "Amcache.hve") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 # Create Event Log directory in temp directory, if it exists then continue on processing Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "create Directory " + Temp_Dir) try: os.mkdir(Temp_Dir + "\Amcache") except: self.log(Level.INFO, "Amcache Directory already exists " + Temp_Dir) # Write out each Event Log file to the temp directory for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK #self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions lclDbPath = os.path.join(Temp_Dir + "\Amcache", file.getName()) ContentUtils.writeToFile(file, File(lclDbPath)) # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Run the EXE, saving output to a sqlite database self.log( Level.INFO, "Running program on data source parm 1 ==> " + Temp_Dir + " Parm 2 ==> " + Temp_Dir + "\Amcache.db3") subprocess.Popen([ self.path_to_exe, Temp_Dir + "\Amcache\Amcache.hve", Temp_Dir + "\Amcache.db3" ]).communicate()[0] for file in files: # Open the DB using JDBC lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), "Amcache.db3") self.log(Level.INFO, "Path the Amcache database file created ==> " + lclDbPath) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath) except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the contacts table in the database and get all columns. for am_table_name in self.List_Of_tables: try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery( "Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('" + am_table_name + "'); ") # resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('associated_file_entries', " + \ # "'unassociated_programs', 'program_entries'); ") self.log(Level.INFO, "query SQLite Master table for " + am_table_name) except SQLException as e: self.log( Level.INFO, "Error querying database for Prefetch table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Cycle through each row and create artifacts while resultSet.next(): try: self.log( Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")") table_name = resultSet.getString("tbl_name") #self.log(Level.INFO, "Result get information from table " + resultSet.getString("tbl_name") + " ") SQL_String_1 = "Select * from " + table_name + ";" SQL_String_2 = "PRAGMA table_info('" + table_name + "')" artifact_name = "TSK_" + table_name.upper() artifact_desc = "Amcache " + table_name.upper() #self.log(Level.INFO, SQL_String_1) #self.log(Level.INFO, "Artifact_Name ==> " + artifact_name) #self.log(Level.INFO, "Artifact_desc ==> " + artifact_desc) #self.log(Level.INFO, SQL_String_2) try: self.log(Level.INFO, "Begin Create New Artifacts") artID_amc = skCase.addArtifactType( artifact_name, artifact_desc) except: self.log( Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> " ) artID_amc = skCase.getArtifactTypeID(artifact_name) artID_amc_evt = skCase.getArtifactType(artifact_name) Column_Names = [] Column_Types = [] resultSet2 = stmt.executeQuery(SQL_String_2) while resultSet2.next(): Column_Names.append( resultSet2.getString("name").upper()) Column_Types.append( resultSet2.getString("type").upper()) #self.log(Level.INFO, "Add Attribute TSK_" + resultSet2.getString("name").upper() + " ==> " + resultSet2.getString("type")) #self.log(Level.INFO, "Add Attribute TSK_" + resultSet2.getString("name").upper() + " ==> " + resultSet2.getString("name")) #attID_ex1 = skCase.addAttrType("TSK_" + resultSet2.getString("name").upper(), resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) if resultSet2.getString("type").upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE. STRING, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log( Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") elif resultSet2.getString("type").upper() == "": try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE. STRING, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log( Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE. LONG, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log( Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") resultSet3 = stmt.executeQuery(SQL_String_1) while resultSet3.next(): art = file.newArtifact(artID_amc) Column_Number = 1 for col_name in Column_Names: #self.log(Level.INFO, "Result get information for column " + Column_Names[Column_Number - 1] + " ") #self.log(Level.INFO, "Result get information for column_number " + str(Column_Number) + " ") #self.log(Level.INFO, "Result get information for column type " + Column_Types[Column_Number - 1] + " <== ") c_name = "TSK_" + col_name #self.log(Level.INFO, "Attribute Name is " + c_name + " ") attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1] == "TEXT": art.addAttribute( BlackboardAttribute( attID_ex1, ParseAmcacheIngestModuleFactory. moduleName, resultSet3.getString( Column_Number))) # art.addAttribute(BlackboardAttribute(attID_ex1, ParseAmcacheIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) elif Column_Types[Column_Number - 1] == "": art.addAttribute( BlackboardAttribute( attID_ex1, ParseAmcacheIngestModuleFactory. moduleName, resultSet3.getString( Column_Number))) # elif Column_Types[Column_Number - 1] == "BLOB": # art.addAttribute(BlackboardAttribute(attID_ex1, ParseAmcacheIngestModuleFactory.moduleName, "BLOBS Not Supported")) # elif Column_Types[Column_Number - 1] == "REAL": # art.addAttribute(BlackboardAttribute(attID_ex1, ParseAmcacheIngestModuleFactory.moduleName, resultSet3.getFloat(Column_Number))) else: #self.log(Level.INFO, "Value for column type ==> " + str(resultSet3.getInt(Column_Number)) + " <== ") art.addAttribute( BlackboardAttribute( attID_ex1, ParseAmcacheIngestModuleFactory. moduleName, long( resultSet3.getInt( Column_Number)))) Column_Number = Column_Number + 1 IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( ParseAmcacheIngestModuleFactory.moduleName, artID_amc_evt, None)) except SQLException as e: self.log( Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")") # Clean up stmt.close() dbConn.close() #os.remove(lclDbPath) #Clean up EventLog directory and files for file in files: try: os.remove(Temp_Dir + "\\" + file.getName()) except: self.log( Level.INFO, "removal of Amcache file failed " + Temp_Dir + "\\" + file.getName()) try: os.rmdir(Temp_Dir) except: self.log(Level.INFO, "removal of Amcache directory failed " + Temp_Dir) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Parser", " Amcache Has Been Analyzed ") IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def processSpotlightDb(self, dbConn, file): skCase = Case.getCurrentCase().getSleuthkitCase(); try: self.log(Level.INFO, "Begin Create New Artifacts") artID = skCase.addArtifactType("TSK_SPOTLIGHT", "Mac OS Spotlight Data") except: self.log(Level.INFO, "Artifacts Creation Error, TSK_SPOTLIGHT some artifacts may not exist now. ==> ") columnDefs = [] sqlPragma = 'Pragma Table_Info (spotlight_data)' try: sqlStmtPragma = dbConn.createStatement() resultSetPragma = sqlStmtPragma.executeQuery(sqlPragma) except: return IngestModule.ProcessResult.OK while resultSetPragma.next(): columnDef = [] attributeName = 'TSK_' + resultSetPragma.getString("name").upper() columnName = resultSetPragma.getString("name").upper() columnDef.append(columnName) columnDef.append(resultSetPragma.getString("type").upper()) if resultSetPragma.getString("type").upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType(attributeName, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, columnName) except: self.log(Level.INFO, "Attributes Creation Error, " + attributeName + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType(attributeName, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, columnName) except: self.log(Level.INFO, "Attributes Creation Error, " + attributeName + " ==> ") columnDef.append(attributeName) columnDef.append(skCase.getAttributeType(attributeName)) columnDefs.append(columnDef) sqlStatement = 'select * from spotlight_data' #self.log(Level.INFO, "SQL Statement ==> ") # Query the contacts table in the database and get all columns. try: sqlStmt = dbConn.createStatement() resultSet = sqlStmt.executeQuery(sqlStatement) #self.log(Level.INFO, "query message table") except SQLException as e: #self.log(Level.INFO, "Error querying database for message table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK artIdSpotlight = skCase.getArtifactTypeID("TSK_SPOTLIGHT") artIdSpotlightType = skCase.getArtifactType("TSK_SPOTLIGHT") moduleName = ProcessSpotlightIngestModuleFactory.moduleName # Cycle through each row and create artifacts while resultSet.next(): # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK try: artSpotlight = file.newArtifact(artIdSpotlight) attributes = ArrayList() for columnName in columnDefs: self.log(Level.INFO, "Column Info ==> " + str(columnName[0]) + " " + str(columnName[1]) + " " + str(columnName[2]) + " " + str(columnName[3])) attId = skCase.getAttributeType(columnName[2]) self.log(Level.INFO, "Column Info ==> " + str(attId)) if columnName[1] == "TEXT": attributes.add(BlackboardAttribute(attId, moduleName, resultSet.getString(columnName[0]))) else: attributes.add(BlackboardAttribute(attId, moduleName, long(resultSet.getInt(columnName[0])))) artSpotlight.addAttributes(attributes) try: blackboard.indexArtifact(artSpotlight) except: pass # self._logger.log(Level.SEVERE, "Error indexing artifact " + artEmail.getDisplayName()) except SQLException as e: self.log(Level.INFO, "Error getting values from message table (" + e.getMessage() + ")") # Close the database statement sqlStmt.close() sqlStmtPragma.close()
def __findTangoMessagesInDB(self, databasePath, abstractFile, dataSource): if not databasePath: return try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error opening database. return # Create a 'Device' account using the data source device id datasourceObjId = dataSource.getDataSource().getId() ds = Case.getCurrentCase().getSleuthkitCase().getDataSource( datasourceObjId) deviceID = ds.getDeviceId() deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase( ).getCommunicationsManager().createAccountFileInstance( Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile) resultSet = None try: resultSet = statement.executeQuery( "SELECT conv_id, create_time, direction, payload FROM messages ORDER BY create_time DESC;" ) while resultSet.next(): conv_id = resultSet.getString( "conv_id" ) # seems to wrap around the message found in payload after decoding from base-64 create_time = Long.valueOf( resultSet.getString("create_time")) / 1000 if resultSet.getString( "direction") == "1": # 1 incoming, 2 outgoing direction = "Incoming" else: direction = "Outgoing" payload = resultSet.getString("payload") attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE ) #create a call log and then add attributes from result set. attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, create_time)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, direction)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, general.MODULE_NAME, TangoMessageAnalyzer.decodeMessage(conv_id, payload))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, general.MODULE_NAME, "Tango Message")) artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getSleuthkitCase( ).getBlackboard() blackboard.postArtifact(artifact, general.MODULE_NAME) except Blackboard.BlackboardException as ex: self._logger.log( Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error( "Failed to index Tango message artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: # Unable to execute Tango messages SQL query against database. pass except Exception as ex: self._logger.log(Level.SEVERE, "Error parsing Tango messages to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing database. pass
def __findContactsInDB(self, databasePath, abstractFile, dataSource): if not databasePath: return bbartifacts = list() try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error opening database. return # Create a 'Device' account using the data source device id datasourceObjId = dataSource.getDataSource().getId() ds = Case.getCurrentCase().getSleuthkitCase().getDataSource( datasourceObjId) deviceID = ds.getDeviceId() deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase( ).getCommunicationsManager().createAccountFileInstance( Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile) resultSet = None try: # get display_name, mimetype(email or phone number) and data1 (phonenumber or email address depending on mimetype) # sorted by name, so phonenumber/email would be consecutive for a person if they exist. # check if contacts.name_raw_contact_id exists. Modify the query accordingly. columnFound = False metadata = connection.getMetaData() columnListResultSet = metadata.getColumns(None, None, "contacts", None) while columnListResultSet.next(): if columnListResultSet.getString( "COLUMN_NAME") == "name_raw_contact_id": columnFound = True break if columnFound: resultSet = statement.executeQuery( "SELECT mimetype, data1, name_raw_contact.display_name AS display_name \n" + "FROM raw_contacts JOIN contacts ON (raw_contacts.contact_id=contacts._id) \n" + "JOIN raw_contacts AS name_raw_contact ON(name_raw_contact_id=name_raw_contact._id) " + "LEFT OUTER JOIN data ON (data.raw_contact_id=raw_contacts._id) \n" + "LEFT OUTER JOIN mimetypes ON (data.mimetype_id=mimetypes._id) \n" + "WHERE mimetype = 'vnd.android.cursor.item/phone_v2' OR mimetype = 'vnd.android.cursor.item/email_v2'\n" + "ORDER BY name_raw_contact.display_name ASC;") else: resultSet = statement.executeQuery( "SELECT mimetype, data1, raw_contacts.display_name AS display_name \n" + "FROM raw_contacts JOIN contacts ON (raw_contacts.contact_id=contacts._id) \n" + "LEFT OUTER JOIN data ON (data.raw_contact_id=raw_contacts._id) \n" + "LEFT OUTER JOIN mimetypes ON (data.mimetype_id=mimetypes._id) \n" + "WHERE mimetype = 'vnd.android.cursor.item/phone_v2' OR mimetype = 'vnd.android.cursor.item/email_v2'\n" + "ORDER BY raw_contacts.display_name ASC;") attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT) oldName = "" while resultSet.next(): name = resultSet.getString("display_name") data1 = resultSet.getString( "data1") # the phone number or email mimetype = resultSet.getString( "mimetype") # either phone or email attributes = ArrayList() if name != oldName: artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, general.MODULE_NAME, name)) if mimetype == "vnd.android.cursor.item/phone_v2": attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_PHONE_NUMBER, general.MODULE_NAME, data1)) acctType = Account.Type.PHONE else: attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, general.MODULE_NAME, data1)) acctType = Account.Type.EMAIL artifact.addAttributes(attributes) # Create an account instance contactAccountInstance = Case.getCurrentCase( ).getSleuthkitCase().getCommunicationsManager( ).createAccountFileInstance(acctType, data1, general.MODULE_NAME, abstractFile) # create relationship between accounts Case.getCurrentCase().getSleuthkitCase( ).getCommunicationsManager().addRelationships( deviceAccountInstance, [contactAccountInstance], artifact, Relationship.Type.CONTACT, 0) oldName = name bbartifacts.append(artifact) except SQLException as ex: # Unable to execute contacts SQL query against database. pass except TskCoreException as ex: self._logger.log(Level.SEVERE, "Error posting to blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: if bbartifacts: Case.getCurrentCase().getSleuthkitCase().getBlackboard( ).postArtifacts(bbartifacts, general.MODULE_NAME) try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing database. pass
def process(self, dataSource, progressBar): skCase = Case.getCurrentCase().getSleuthkitCase() #Create all the variables needed for show them in the autopsy interface self.log(Level.INFO, "Begin Create New Artifacts") try: artID_eu = skCase.addArtifactType("TSK_ATPR", "ATPR Results") except: self.log(Level.INFO, "Artifacts Creation Error, ID ==> ") try: attID_filePath = skCase.addArtifactAttributeType( "TSK_FILE_PATH", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Path") except: self.log(Level.INFO, "Attributes Creation Error, File path ==> ") try: attID_match = skCase.addArtifactAttributeType( "TSK_WORD", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Word") except: self.log(Level.INFO, "Attributes Creation Error, Word ==> ") try: attTotal_match = skCase.addArtifactAttributeType( "TSK_TOTAL", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Total") except: self.log(Level.INFO, "Attributes Creation Error, Total ==> ") try: attType_match = skCase.addArtifactAttributeType( "TSK_TYPE", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Type") except: self.log(Level.INFO, "Attributes Creation Error, Type ==> ") try: attDict_match = skCase.addArtifactAttributeType( "TSK_DICT", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Dict") except: self.log(Level.INFO, "Attributes Creation Error, Dict ==> ") artID_eu = skCase.getArtifactTypeID("TSK_ATPR") artID_eu_evt = skCase.getArtifactType("TSK_ATPR") attID_fp = skCase.getAttributeType("TSK_FILE_PATH") attID_match = skCase.getAttributeType("TSK_WORD") attTotal_match = skCase.getAttributeType("TSK_TOTAL") attType_match = skCase.getAttributeType("TSK_TYPE") attDict_match = skCase.getAttributeType("TSK_DICT") # we don't know how much work there will be progressBar.switchToIndeterminate() # Get the folder with de texts files inputDir = Case.getCurrentCase().getModulesOutputDirAbsPath( ) + "\TextFiles" try: os.makesdirs(inputDir) self.log( Level.INFO, "Find Text Directory must exists for launching the module" + inputDir) except: self.log(Level.INFO, "Find Text Directory exists " + inputDir) # We'll save our output to a file in the reports folder, named based on EXE and data source ID reportPath = Case.getCurrentCase().getCaseDirectory( ) + "\\Reports\\atprResult-" + str(dataSource.getId()) + ".csv" #reportPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(dataSource.getId())) logPath = Case.getCurrentCase().getCaseDirectory( ) + "\\Reports\\log" + str(dataSource.getId()) + ".txt" logHandle = open(logPath, 'w') # Run the EXE, saving output to the report self.log(Level.INFO, "Running program on data source") self.log( Level.INFO, self.path_to_exe + " -c match -i " + inputDir + " -d " + self.path_to_dirs + " -o " + reportPath) subprocess.Popen([ self.path_to_exe, "-c", "match", "-i", inputDir, "-d", self.path_to_dirs, "-o", reportPath ], stdout=logHandle).communicate() logHandle.close() # Add the report to the case, so it shows up in the tree Case.getCurrentCase().addReport(reportPath, "Run EXE", "ATPR result output") self.log(Level.INFO, "Report created on " + reportPath) self.log(Level.INFO, "Adding elements to Autopsy") #Open with codecs for utf-8 parsing result = codecs.open(reportPath, encoding='utf-8') files_array = set() for line in result: fields = line.split(';') fields_splitted = fields[0].split("\\") files_array.add(fields_splitted[len(fields_splitted) - 1]) fileManager = Case.getCurrentCase().getServices().getFileManager() result.close() #Adding elements to autopsy reports interface for item in files_array: files = fileManager.findFiles(dataSource, item) for file in files: result = codecs.open(reportPath, encoding='utf-8') for line in result: fields = line.split(';') if file.getName() in fields[0]: art = file.newArtifact(artID_eu) art.addAttributes(((BlackboardAttribute(attID_fp, RunExeIngestModuleFactory.moduleName, fields[0])), \ (BlackboardAttribute(attID_match, RunExeIngestModuleFactory.moduleName, fields[1])), \ (BlackboardAttribute(attTotal_match, RunExeIngestModuleFactory.moduleName, fields[2])), \ (BlackboardAttribute(attType_match, RunExeIngestModuleFactory.moduleName, fields[3])), \ (BlackboardAttribute(attDict_match, RunExeIngestModuleFactory.moduleName, fields[4])))) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(RunExeIngestModuleFactory.moduleName, artID_eu_evt, None)) result.close() self.log(Level.INFO, "Done") return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # Find files named contacts.db, regardless of parent path fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%.jpg") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artifact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, PerceptualHashIngestModuleFactory.moduleName, "Picture Files") art.addAttribute(att) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( PerceptualHashIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)) Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "Create Directory " + Temp_Dir) try: temp_dir = os.path.join(Temp_Dir, "Pictures") os.mkdir(temp_dir) except: self.log(Level.INFO, "Pictures Directory already exists " + temp_dir) # Save the File locally in a user-defined temp folder. lclDbPath = os.path.join(temp_dir, file.getName()) ContentUtils.writeToFile(file, File(lclDbPath)) # This code will use the phash library to calculate perceptual hash value and difference. phash = PHash() path_img = os.path.join(temp_dir, file.getName()) bit_phash = phash.getHash(path_img) hex_phash = PHash.binaryString2hexString(bit_phash) self.log(Level.INFO, file.getName() + ":Path ==> " + path_img + " ") #self.log(Level.INFO, #file.getName() + ":pHash(bit) ==> " + bit_phash + " ") self.log(Level.INFO, file.getName() + ":PHash ==> " + hex_phash + " ") if (self.pHashToCheck != ""): self.log(Level.INFO, "pHashToCheck ==> " + self.pHashToCheck + " ") differ_phash = PHash.distance( PHash.hexString2binaryString(self.pHashToCheck), bit_phash) self.log( Level.INFO, file.getName() + ":Difference ==> " + str(differ_phash) + " ") if (differ_phash < 20): self.log(Level.INFO, file.getName() + ":Similar? ==> True ") else: self.log(Level.INFO, file.getName() + ":Similar? ==> False ") # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "PerceptualHash Analyzer", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Hive files to extract filesToExtract = ("SAM", "SYSTEM") # Set the database to be read to the once created by the prefetch parser program skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() # Create BAM directory in temp directory, if it exists then continue on processing Temp_Dir = Case.getCurrentCase().getTempDirectory() temp_dir = os.path.join(Temp_Dir, "bam") self.log(Level.INFO, "create Directory " + temp_dir) try: os.mkdir(temp_dir) except: self.log(Level.INFO, "bam Directory already exists " + temp_dir) # Setup variables to use to store information systemHiveFile = [] userRids = {} bamRecord = [] for fileName in filesToExtract: files = fileManager.findFiles(dataSource, fileName, "Windows/System32/Config") numFiles = len(files) for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK # Check path to only get the hive files in the config directory and no others if file.getParentPath().upper() == '/WINDOWS/SYSTEM32/CONFIG/': # Save the DB locally in the temp folder. use file id as name to reduce collisions filePath = os.path.join(temp_dir, file.getName()) ContentUtils.writeToFile(file, File(filePath)) # Save SYSTEM Hive abstract file information to use later if file.getName() == 'SYSTEM': systemHiveFile = file bamRecord = self.processSYSTEMHive(filePath) elif file.getName() == 'SAM': # Get information from the SAM file returns dictionary with key of rid and value of user name userRids = self.processSAMHive(filePath) # Setup Artifact try: self.log(Level.INFO, "Begin Create New Artifacts") artID_ls = skCase.addArtifactType("TSK_BAM_KEY", "BAM Registry Key") except: self.log( Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> " ) artifactName = "TSK_BAM_KEY" artId = skCase.getArtifactTypeID(artifactName) moduleName = BamKeyIngestModuleFactory.moduleName # Attributes to use TSK_USER_NAME, TSK_PROG_NAME, TSK_DATETIME for bamRec in bamRecord: attributes = ArrayList() art = systemHiveFile.newArtifact(artId) self.log(Level.INFO, "BamRec ==> " + str(bamRec)) if bamRec[0] in userRids.keys(): attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME. getTypeID(), moduleName, userRids[bamRec[0]])) else: attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME. getTypeID(), moduleName, bamRec[0])) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID( ), moduleName, bamRec[1])) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID( ), moduleName, int(bamRec[2]))) art.addAttributes(attributes) # index the artifact for keyword search try: blackboard.indexArtifact(artChat) except: self._logger.log( Level.WARNING, "Error indexing artifact " + art.getDisplayName()) #Clean up prefetch directory and files try: shutil.rmtree(temp_dir) except: self.log(Level.INFO, "removal of directory tree failed " + temp_dir) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "BamKey", " BamKey Files Have Been Analyzed ") IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK