def process(self, dataSource, progressBar):

        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        # Use blackboard class to index blackboard artifacts for keyword search
        blackboard = Case.getCurrentCase().getServices().getBlackboard()

        # For our example, we will use FileManager to get all
        # files with the word "test"
        # in the name and then count and read them
        # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "%test%")

        numFiles = len(files)
        self.log(Level.INFO, "found " + str(numFiles) + " files")
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0
        for file in files:

            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            self.log(Level.INFO, "Processing file: " + file.getName())
            fileCount += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artfiact.  Refer to the developer docs for other examples.
            art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
            art.addAttribute(att)

            try:
                # index the artifact for keyword search
                blackboard.indexArtifact(art)
            except Blackboard.BlackboardException as e:
                self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while (readLen != -1):
                totLen = totLen + readLen
                readLen = inputStream.read(buffer)


            # Update the progress bar
            progressBar.progress(fileCount)


        #Post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK
    def process(self, dataSource, progressBar):
        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK

        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        autopsyCase = Case.getCurrentCase()
        sleuthkitCase = autopsyCase.getSleuthkitCase()
        services = Services(sleuthkitCase)
        fileManager = services.getFileManager()

        # For our example, we will use FileManager to get all
        # files with the word "test"
        # in the name and then count and read them
        files = fileManager.findFiles(dataSource, "%test%")

        numFiles = len(files)
        self.log(Level.INFO, "found " + str(numFiles) + " files")
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0
        for file in files:

            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            self.log(Level.INFO, "Processing file: " + file.getName())
            fileCount += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artfiact.  Refer to the developer docs for other examples.
            art = file.newArtifact(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                SampleJythonDataSourceIngestModuleFactory.moduleName,
                "Test file")
            art.addAttribute(att)

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while (readLen != -1):
                totLen = totLen + readLen
                readLen = inputStream.read(buffer)

            # Update the progress bar
            progressBar.progress(fileCount)

        #Post a message to the ingest messages in box.
        message = IngestMessage.createMessage(
            IngestMessage.MessageType.DATA,
            "Sample Jython Data Source Ingest Module",
            "Found %d files" % fileCount)
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK
Beispiel #3
0
    def process(self, file):
        # If the file has a txt extension, post an artifact to the blackboard.
        if file.getName().find("test") != -1:
            art = file.newArtifact(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                "Sample Jython File Ingest Module", "Text Files")
            art.addAttribute(att)

            # Read the contents of the file.
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            len = inputStream.read(buffer)
            while (len != -1):
                totLen = totLen + len
                len = inputStream.read(buffer)

            # Send the size of the file to the ingest messages in box.
            msgText = "Size of %s is %d bytes" % ((file.getName(), totLen))
            message = IngestMessage.createMessage(
                IngestMessage.MessageType.DATA,
                "Sample Jython File IngestModule", msgText)
            ingestServices = IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK
    def process(self, file):

        # For an example, we will flag files with .txt in the name and make a blackboard artifact.
        if file.getName().find(".txt") != -1:

            self.logger.logp(Level.INFO, SampleJythonFileIngestModule.__name__,
                             "process", "Found a text file: " + file.getName())
            self.filesFound += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artfiact.  Refer to the developer docs for other examples.
            art = file.newArtifact(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
            art.addAttribute(att)

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            len = inputStream.read(buffer)
            while (len != -1):
                totLen = totLen + len
                len = inputStream.read(buffer)

        return IngestModule.ProcessResult.OK
    def process(self, file):
        
        # For an example, we will flag files with .txt in the name and make a blackboard artifact.
        if file.getName().find(".txt") != -1:
            
            self.logger.logp(Level.INFO, SampleJythonFileIngestModule.__name__, "process", "Found a text file: " + file.getName())
            self.filesFound+=1
			
            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artfiact.  Refer to the developer docs for other examples.
            art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
            art.addAttribute(att)


            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            len = inputStream.read(buffer)
            while (len != -1):
                    totLen = totLen + len
                    len = inputStream.read(buffer)
            
        return IngestModule.ProcessResult.OK
Beispiel #6
0
    def process(self, file):
        # Skip non-files
        if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
                or
            (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
                or (file.isFile() == False)):
            return IngestModule.ProcessResult.OK

        # Use blackboard class to index blackboard artifacts for keyword search
        blackboard = Case.getCurrentCase().getServices().getBlackboard()

        # For an example, we will flag files with .txt in the name and make a blackboard artifact.
        if file.getName().lower().endswith(".txt"):

            self.log(Level.INFO, "Found a text file: " + file.getName())
            self.filesFound += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artifact.  Refer to the developer docs for other examples.
            art = file.newArtifact(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
                SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
            art.addAttribute(att)

            try:
                # index the artifact for keyword search
                blackboard.indexArtifact(art)
            except Blackboard.BlackboardException as e:
                self.log(Level.SEVERE,
                         "Error indexing artifact " + art.getDisplayName())

            # Fire an event to notify the UI and others that there is a new artifact
            IngestServices.getInstance().fireModuleDataEvent(
                ModuleDataEvent(
                    SampleJythonFileIngestModuleFactory.moduleName,
                    BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT,
                    None))

            # For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added
            # by other modules. We then iterate over its attributes.  We'll just print them, but you would probably
            # want to do something with them.
            artifactList = file.getArtifacts(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            for artifact in artifactList:
                attributeList = artifact.getAttributes()
                for attrib in attributeList:
                    self.log(Level.INFO, attrib.toString())

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            len = inputStream.read(buffer)
            while (len != -1):
                totLen = totLen + len
                len = inputStream.read(buffer)

        return IngestModule.ProcessResult.OK
    def process(self, dataSource, progressBar):
        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK
			
        logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName)	

        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        autopsyCase = Case.getCurrentCase()
        sleuthkitCase = autopsyCase.getSleuthkitCase()
        services = Services(sleuthkitCase)
        fileManager = services.getFileManager()

        # For our example, we will use FileManager to get all 
        # files with the word "test"
        # in the name and then count and read them
        files = fileManager.findFiles(dataSource, "%test%")

        numFiles = len(files)
        logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "found " + str(numFiles) + " files")
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0;
        for file in files:

            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "Processing file: " + file.getName())
            fileCount += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artfiact.  Refer to the developer docs for other examples.
            art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
            art.addAttribute(att)

            
            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while (readLen != -1):
                totLen = totLen + readLen
                readLen = inputStream.read(buffer)


            # Update the progress bar
            progressBar.progress(fileCount)


        #Post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK;
Beispiel #8
0
    def process(self, file):
        # Skip non-files
        if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or 
            (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or 
            (file.isFile() == False)):
            return IngestModule.ProcessResult.OK

        # This will work in 4.0.1 and beyond
        # Use blackboard class to index blackboard artifacts for keyword search
        # blackboard = Case.getCurrentCase().getServices().getBlackboard()

        # For an example, we will flag files with .txt in the name and make a blackboard artifact.
        if file.getName().lower().endswith(".txt"):

            self.log(Level.INFO, "Found a text file: " + file.getName())
            self.filesFound+=1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artifact.  Refer to the developer docs for other examples.
            art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, 
                  SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
            art.addAttribute(att)

            # This will work in 4.0.1 and beyond
            #try:
            #    # index the artifact for keyword search
            #    blackboard.indexArtifact(art)
            #except Blackboard.BlackboardException as e:
            #    self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

            # Fire an event to notify the UI and others that there is a new artifact
            IngestServices.getInstance().fireModuleDataEvent(
                ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName, 
                    BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None));

            # For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added
            # by other modules. We then iterate over its attributes.  We'll just print them, but you would probably
            # want to do something with them. 
            artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            for artifact in artifactList:
                attributeList = artifact.getAttributes();
                for attrib in attributeList:
                    self.log(Level.INFO, attrib.toString())

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            len = inputStream.read(buffer)
            while (len != -1):
                    totLen = totLen + len
                    len = inputStream.read(buffer)

        return IngestModule.ProcessResult.OK
    def process(self, file):
        skCase = Case.getCurrentCase().getSleuthkitCase()
        ARTID_NS_TV = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_TV)

        names = []

        skCase = Case.getCurrentCase().getSleuthkitCase()

        # Skip non-files
        if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
                or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
                or (file.isFile() is False)):
            return IngestModule.ProcessResult.OK

        blackboard = Case.getCurrentCase().getServices().getBlackboard()

        if file.getName() == "80000000000000d1":
            artifactList = file.getArtifacts(ARTID_NS_TV)

            self.log(Level.INFO, "Found the file" + file.getName())
            self.filesFound += 1

            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(2048, "b")
            totLen = 0
            lengthofbuffer = inputStream.read(buffer)
            while lengthofbuffer != -1:
                totLen = totLen + lengthofbuffer
                lengthofbuffer = inputStream.read(buffer)
                currentBuffer = buffer.tostring()
                names = names + re.findall("EdidBlock.*?\\\\xfc\\\\x00(.*?)\\\\n.*?EdidExtensionBlock", repr(currentBuffer))

            noduplicatesnames = list(set(names))
            for tvname in noduplicatesnames:
                # Don't add to blackboard if the artifact already exists
                for artifact in artifactList:
                    artifactName = artifact.getAttribute(self.NS_DISPLAY_ATTRIBUTES["Name"][3])
                    if artifactName.getValueString() == tvname:
                        return IngestModule.ProcessResult.OK

                art = file.newArtifact(ARTID_NS_TV)
                art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), ConnectedDisplayIngestModuleFactory.moduleName, "Nintendo Switch - Connected TV"))
                for attribute in self.NS_DISPLAY_ATTRIBUTES.keys():
                    art.addAttribute(BlackboardAttribute(self.NS_DISPLAY_ATTRIBUTES[attribute][3], ConnectedDisplayIngestModuleFactory.moduleName, str(tvname)))

                try:
                    # index the artifact for keyword search
                    blackboard.indexArtifact(art)
                except Blackboard.BlackboardException:
                    self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

                IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(ConnectedDisplayIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_TV), None))

        return IngestModule.ProcessResult.OK
Beispiel #10
0
    def create_hash(self, f_target, algorithm):
        time_start = time.time()

        hash_creator = hashlib.new(algorithm)

        inputStream = ReadContentInputStream(f_target)
        buffer = jarray.zeros(BLOCKSIZE, "b")
        len = inputStream.read(buffer)

        while (len != -1):
            hash_creator.update(buffer)
            len = inputStream.read(buffer)

        time_consumed = time.time()-time_start
        return (hash_creator.hexdigest(),time_consumed)
    def getUsersFromFile(self, file):
        inputStream = ReadContentInputStream(file)
        users = []
        buffer = jarray.zeros(1024, "b")
        totLen = 0
        len = inputStream.read(buffer)
        while len != -1:
            totLen = totLen + len
            len = inputStream.read(buffer)
            currentBuffer = buffer.tostring()
            x = re.search("^\{.*\"gender\".*\}", currentBuffer)
            if x:
                result = x.string.replace("\x00", "")
                d = json.loads(result)
                users.append(d)

        return users
    def process(self, file):
        def luhnChecksumIsValid(cardNumber):
            # check to make sure that the card passes a luhn mod-10 checksum
            total = 0
            oddTotal = 0
            evenTotal = 0
            reversedCardNumber = cardNumber[::-1]
            oddDigits = reversedCardNumber[0::2]
            evenDigits = reversedCardNumber[1::2]
            for count in range(0, len(oddDigits)):
                oddTotal += int(oddDigits[count])
            for count in range(0, len(evenDigits)):
                evenDigit = int(evenDigits[count])
                evenDigit = evenDigit * 2
                if evenDigit > 9:
                    evenDigit = evenDigit - 9
                evenTotal += evenDigit
            total = oddTotal + evenTotal
            return (total % 10 == 0)

        # Skip non-files
        if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
                or
            (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
                or (file.isFile() == False)):
            return IngestModule.ProcessResult.OK
        inputStream = ReadContentInputStream(file)
        text = IOUtils.toString(inputStream, StandardCharsets.UTF_8)
        if self.skipBinaries:
            if b'\x00' in text:
                return IngestModule.ProcessResult.OK
        initialCCPattern = '[1-6](?:\d[ -]*?){13,23}'
        possibleCCs = re.findall(initialCCPattern, text, re.IGNORECASE)
        self.fileFlagged = 0
        if possibleCCs:
            for cc in possibleCCs:
                delim_regex = "\D+"
                cc = re.sub(delim_regex, '', cc)
                if luhnChecksumIsValid(cc):
                    if self.fileFlagged == 0:
                        self.filesFound += 1
                        art = file.newArtifact(
                            BlackboardArtifact.ARTIFACT_TYPE.
                            TSK_INTERESTING_FILE_HIT)
                        att = BlackboardAttribute(
                            BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.
                            getTypeID(),
                            PaymentCardFileIngestModuleFactory.moduleName,
                            "Files With Possible Payment Card Numbers")
                        art.addAttribute(att)
                        IngestServices.getInstance().fireModuleDataEvent(
                            ModuleDataEvent(
                                PaymentCardFileIngestModuleFactory.moduleName,
                                BlackboardArtifact.ARTIFACT_TYPE.
                                TSK_INTERESTING_FILE_HIT, None))
                        self.fileFlagged = 1
        return IngestModule.ProcessResult.OK
Beispiel #13
0
    def process(self, file):
        # If the file has a txt extension, post an artifact to the blackboard.
        if file.getName().find("test") != -1:
            art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Sample Jython File Ingest Module", "Text Files")
            art.addAttribute(att)

            # Read the contents of the file.
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            len = inputStream.read(buffer)
            while (len != -1):
                    totLen = totLen + len
                    len = inputStream.read(buffer)

            # Send the size of the file to the ingest messages in box. 
            msgText = "Size of %s is %d bytes" % ((file.getName(), totLen))
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython File IngestModule", msgText)
            ingestServices = IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK
    def process(self, file):
        skCase = Case.getCurrentCase().getSleuthkitCase()
        ARTID_NS_WIFI = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_WIFI)

        networks = {}

        skCase = Case.getCurrentCase().getSleuthkitCase()

        # Skip non-files
        if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
                or
            (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
                or (file.isFile() is False)):
            return IngestModule.ProcessResult.OK

        blackboard = Case.getCurrentCase().getServices().getBlackboard()

        if (file.getName().lower() == "8000000000000050"):
            artifactList = file.getArtifacts(ARTID_NS_WIFI)

            self.log(Level.INFO, "Found the file" + file.getName())
            self.filesFound += 1

            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(8192, "b")
            totLen = 0
            lengthofbuffer = inputStream.read(buffer)
            while lengthofbuffer != -1:
                totLen = totLen + lengthofbuffer
                lengthofbuffer = inputStream.read(buffer)
                currentBuffer = buffer.tostring()
                regex = "\x00[^\x00]{16}\x03(?:[^\x20-\x7f]+)(?P<ssid>[\x20-\x7f]+?)\x00(?:[^\x20-\x7f]+)(?P<pass>[\x20-\x7f]+?)\x00"
                x = re.finditer(regex, currentBuffer)
                for network in x:
                    networks[network.group('ssid')] = network.group('pass')

            for ssid, psk in networks.items():
                self.log(Level.INFO, ssid)
                # Don't add to blackboard if the artifact already exists
                for artifact in artifactList:
                    artifactSSID = artifact.getAttribute(
                        self.NS_WIFI_ATTRIBUTES["SSID"][3])
                    if artifactSSID.getValueString() == ssid:
                        pass

                art = file.newArtifact(ARTID_NS_WIFI)
                art.addAttribute(
                    BlackboardAttribute(
                        BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.
                        getTypeID(), WiFiIngestModuleFactory.moduleName,
                        "Nintendo Switch - Wireless Credentials"))
                art.addAttribute(
                    BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["SSID"][3],
                                        WiFiIngestModuleFactory.moduleName,
                                        ssid))
                art.addAttribute(
                    BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["PSK"][3],
                                        WiFiIngestModuleFactory.moduleName,
                                        psk))

                try:
                    # index the artifact for keyword search
                    blackboard.indexArtifact(art)
                except Blackboard.BlackboardException:
                    self.log(Level.SEVERE,
                             "Error indexing artifact " + art.getDisplayName())

                IngestServices.getInstance().fireModuleDataEvent(
                    ModuleDataEvent(
                        WiFiIngestModuleFactory.moduleName,
                        skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_WIFI),
                        None))

            return IngestModule.ProcessResult.OK
Beispiel #15
0
    def process(self, dataSource, progressBar):

        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        # This will work in 4.0.1 and beyond
        # Use blackboard class to index blackboard artifacts for keyword search
        # blackboard = Case.getCurrentCase().getServices().getBlackboard()

        # For our example, we will use FileManager to get all
        # files with the word "test"
        # in the name and then count and read them
        # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "%test%")

        numFiles = len(files)
        self.log(Level.INFO, "found " + str(numFiles) + " files")
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0;
        for file in files:

            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            self.log(Level.INFO, "Processing file: " + file.getName())
            fileCount += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artfiact.  Refer to the developer docs for other examples.
            art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
            art.addAttribute(att)

            # This will work in 4.0.1 and beyond
            #try:
            #    # index the artifact for keyword search
            #    blackboard.indexArtifact(art)
            #except Blackboard.BlackboardException as e:
            #    self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while (readLen != -1):
                totLen = totLen + readLen
                readLen = inputStream.read(buffer)


            # Update the progress bar
            progressBar.progress(fileCount)


        #Post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK;
Beispiel #16
0
    def generateReport(self, baseReportDir, progressBar):

        # Open the output file.
        fileName = os.path.join(baseReportDir, self.getRelativeFilePath())
        report = open(fileName, 'w')

        # Query the database for the files (ignore the directories)
        sleuthkitCase = Case.getCurrentCase().getSleuthkitCase()
        files = sleuthkitCase.findAllFilesWhere(
            "NOT meta_type = " +
            str(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getValue()))

        # Setup progress Indicator
        progressBar.setIndeterminate(False)
        progressBar.start()
        progressBar.setMaximumProgress(len(files))

        for file in files:
            # For this script I will limit the processing
            # to files with .txt extensions only

            if file.getName().lower().endswith(".txt"):

                # Setup to Read the contents of the file.

                # Create a Python string to hold the file contents
                # for processing
                fileStringBuffer = ''

                # Setup an inputStream to read the file
                inputStream = ReadContentInputStream(file)

                # Setup a jarry buffer to read chunks of the file
                # we will read 1024 byte chunks

                buffer = jarray.zeros(1024, "b")

                # Attempt to read in the first Chunk
                bytesRead = inputStream.read(buffer)

                # Continue reading until finished reading
                # the file indicated by -1 return from
                # the inputStream.read() method

                while (bytesRead != -1):

                    for eachItem in buffer:
                        # Now extract only potential ascii characters from the
                        # buffer and build the final Python string
                        # that we will process.

                        if eachItem >= 0 and eachItem <= 255:
                            fileStringBuffer = fileStringBuffer + chr(eachItem)

                    # Read the next file Chunk
                    bytesRead = inputStream.read(buffer)

                # Once the complete file has been read and the
                # possible ASCII characters have been extracted

                # The ExtractProperNames Function
                # will process the contents of the file
                # the result will be returned as a Python
                # dictionary object

                properNamesDictionary = ExtractProperNames(fileStringBuffer)

                # For each file processed
                # Write the information to the Report
                # File Name, along with each possible proper name
                # found, with highest occurring words order

                report.write("\n\nProcessing File: " + file.getUniquePath() +
                             "\n\n")
                report.write("Possible Name        Occurrences \n")
                report.write("-------------------------------- \n")

                for eachName in sorted(properNamesDictionary,
                                       key=properNamesDictionary.get,
                                       reverse=True):
                    theName = '{:20}'.format(eachName)
                    theCnt = '{:5d}'.format(properNamesDictionary[eachName])
                    report.write(theName + theCnt + "\n")

            # Increment the progress bar for each
            # file processed
            progressBar.increment()

            # Process the Next File

        # Close the report and post ProgressBar Complete
        progressBar.complete(ReportStatus.COMPLETE)
        report.close()

        # Add the report to the Case
        Case.getCurrentCase().addReport(fileName, self.moduleName,
                                        "Prop Report")
Beispiel #17
0
    def cookieMain(self, file):
    
        global chrome_pattern_utmb
        global chrome_pattern_utmz
        global chrome_pattern_utma
        global moz_pattern_utma
        global moz_pattern_utmb
        global moz_pattern_utmz
        global ie_utma_pattern
        global ie_utmb_pattern
        global ie_utmz_pattern
        global apple_utma_pattern
        global apple_utmb_pattern
        global apple_utmz_pattern
        global chrome_utma_count
        global chrome_utmb_count
        global chrome_utmz_count

        global ff_utma_count
        global ff_utmb_count
        global ff_utmz_count

        global ie_utma_count
        global ie_utmb_count
        global ie_utmz_count

        global apple_utma_count
        global apple_utmb_count
        global apple_utmz_count

        global gif__UTF16_count
        global gif_ASCII_count
    
        #chrome utm grep patterns
        chrome_pattern_utma =  re.compile(r'__utma(([0-9]{0,10}\.){5}([0-9])*)(\/)')
        chrome_pattern_utmz =  re.compile(r'(__utmz)(([0-9]{0,10}\.){4}utm(.*?)\s*\x2F\x00\x2E)')
        chrome_pattern_utmb =  re.compile(r'(__utmb)(([0-9]{0,10}\.){3}[0-9]{0,10})')

        #firefox utm grep patterns
        moz_pattern_utma =  re.compile(r'(__utma(([0-9]{0,10}\.){5}[0-9]{1,5}))[^\/](\.?[a-zA-Z\d-]{0,63}){0,4}')
        moz_pattern_utmb =  re.compile(r'__utmb([0-9]{0,10}\.){3}[0-9]{0,10}([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){1,4}')
        moz_pattern_utmz =  re.compile(r'(__utmz)(([0-9]{0,20}\.){4}[ -~]*?)([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){0,4}\/[TS]{1}')

        #ie patterns
        ie_utma_pattern =  re.compile(r'(__utma)(\x0a(([0-9]{0,10}\.){5})[0-9]{1,10}\n)([ -~]{1,64}\x0a)')
        ie_utmb_pattern =  re.compile(r'(__utmb)(\x0a(([0-9]{0,10}\.){3})[0-9]{1,10}\n)([ -~]{1,64}\x0a)')
        ie_utmz_pattern =  re.compile(r'(__utmz)\x0a(([0-9]{0,10}\.){4}[ -~]{1,200}\x0a)([ -~]{1,64}\x0a)')

        apple_utma_pattern = re.compile(r'(__utma)\x00(([0-9]{0,10}\.){5}[0-9]{1,5})\x00([ -~]{1,64}\x00\/)')
        apple_utmb_pattern = re.compile(r'(__utmb)\x00(([0-9]{0,10}\.){3}[0-9]{10})\x00([ -~]{1,64})\x00\/')
        apple_utmz_pattern = re.compile(r'(__utmz)\x00(([0-9]{0,10}\.){4}[ -~]{1,200}\x00)([ -~]{1,64}\x00\/)')



        #count vars to keep track of total records processed
        chrome_utma_count = 0
        chrome_utmb_count = 0
        chrome_utmz_count = 0

        ff_utma_count = 0
        ff_utmb_count = 0
        ff_utmz_count = 0

        ie_utma_count=0
        ie_utmb_count=0
        ie_utmz_count=0

        apple_utma_count = 0
        apple_utmb_count = 0
        apple_utmz_count = 0

        gif__UTF16_count = 0
        gif_ASCII_count = 0

        self.processed = 0
        not_processed= []

        #can be increased if more ram is available
        global maxfilesize
        maxfilesize = 500000


        #printable chars allowed in urls and domain names
        allowed_chars = r'[\.a-zA-Z\d-]'
        p_allowed_chars = re.compile(allowed_chars)


        #loop to keep track of how many segments a file is broken into
        global loop
        loop = 0
        
        # Read the contents of the file.
        nLoops = 0
        while 1:
            inputStream = ReadContentInputStream(file)
            chunkJarray = jarray.zeros(maxfilesize, "b")
            if not chunkJarray:
               break
            len = inputStream.read(chunkJarray)   
            if len != maxfilesize:
                print "Not enough bytes read: %d\n" % (len)
                if nLoops > 0:
                    print"  nLoops = %d;breaking\n" % (nLoops)
                    break            
            chunk = StringUtil().fromBytes(chunkJarray)     
        
            print ("Bytes read: %d\n" % (len))
    
            self.process_chrome_utma(chrome_pattern_utma, chunk)
            #self.process_chrome_utmb(chrome_pattern_utmb, chunk)
            #self.process_chrome_utmz(chrome_pattern_utmz, chunk)
                    
            self.process_firefox_utma(moz_pattern_utma,chunk)
            #self.process_firefox_utmb(moz_pattern_utmb,chunk)
            #self.process_firefox_utmz(moz_pattern_utmz,chunk)
                
            self.process_ie_utma(ie_utma_pattern,chunk)
            #self.process_ie_utmb(ie_utmb_pattern,chunk)
            #self.process_ie_utmz(ie_utmz_pattern,chunk)
                
                
            self.process_apple_utma(apple_utma_pattern,chunk)
            #self.process_apple_utmb(apple_utmb_pattern,chunk)
            #self.process_apple_utmz(apple_utmz_pattern,chunk)
            
            nLoops = nLoops + 1
            if nLoops > 1:
                print "nLoops too big - breaking"
                break
                
        print "\r\r************ Summary ************"     
        print "Chrome __utma count processed: " + str(chrome_utma_count)
        print "Chrome __utmb count processed: " + str(chrome_utmb_count)
        print "Chrome __utmz count found: " + str(chrome_utmz_count)

        print "FireFox __utma count processed: " + str(ff_utma_count)
        print "FireFox __utmb count processed: " + str(ff_utmb_count)
        print "FireFox __utmz count found: " + str(ff_utmz_count)
        print "FireFox __utmz count processed: " + str(self.processed)

        print "IE __utma count processed: " + str(ie_utma_count)
        print "IE __utmb count processed: " + str(ie_utmb_count)
        print "IE __utmz count processed: " + str(ie_utmz_count)

        print "apple __utma count processed: " + str(apple_utma_count)
        print "apple __utmb count processed: " + str(apple_utmb_count) 
        print "apple __utmz count processed: " + str(apple_utmz_count)  
Beispiel #18
0
    def process(self, file):
        skCase = Case.getCurrentCase().getSleuthkitCase()
        ARTID_NS_POWER_STATE = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_POWER_STATE)

        power_states = []

        skCase = Case.getCurrentCase().getSleuthkitCase()

        # Skip non-files
        if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
                or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
                or (file.isFile() is False)):
            return IngestModule.ProcessResult.OK

        blackboard = Case.getCurrentCase().getServices().getBlackboard()

        if (file.getName().lower() == "80000000000000a1"):
            artifactList = file.getArtifacts(ARTID_NS_POWER_STATE)

            self.log(Level.INFO, "Found the file" + file.getName())
            self.filesFound += 1

            inputStream = ReadContentInputStream(file)
            buffer = jarray.zeros(8192, "b")
            totLen = 0
            lengthofbuffer = inputStream.read(buffer)
            while lengthofbuffer != -1:
                totLen = totLen + lengthofbuffer
                lengthofbuffer = inputStream.read(buffer)
                currentBuffer = buffer.tostring()
                regex = "nc_started_at.(?P<datetime>[0-9: -]{19}).power_state_start.(?P<state_start>[a-zA-Z]+).power_state_end.(?P<state_end>[a-zA-Z]+)"
                x = re.finditer(regex, currentBuffer)
                for state_change in x:
                    timestamp = datetime.strptime(state_change.group('datetime'), '%Y-%m-%d %H:%M:%S')
                    state_start = state_change.group('state_start')
                    state_end = state_change.group('state_end')
                    power_states.append((timestamp, state_start, state_end))

            for (timestamp, state_start, state_end) in power_states:
                # Don't add to blackboard if the artifact already exists
                self.log(Level.INFO, str(len(artifactList)))
                for artifact in artifactList:
                    artifact_time = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["time"][3])
                    artifact_state_start = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_start"][3])
                    artifact_state_end = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_end"][3])
                    if artifact_time.getValueString() == str(timestamp):
                        if artifact_state_start.getValueString() == state_start:
                            if artifact_state_end.getValueString() == state_end:
                                return IngestModule.ProcessResult.OK

                art = file.newArtifact(ARTID_NS_POWER_STATE)
                art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), PowerStateChangeIngestModuleFactory.moduleName, "Nintendo Switch - Power State Changes"))
                art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["time"][3], PowerStateChangeIngestModuleFactory.moduleName, str(timestamp)))
                art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_start"][3], PowerStateChangeIngestModuleFactory.moduleName, state_start))
                art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_end"][3], PowerStateChangeIngestModuleFactory.moduleName, state_end))

                try:
                    # index the artifact for keyword search
                    blackboard.indexArtifact(art)
                except Blackboard.BlackboardException:
                    self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

                IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(PowerStateChangeIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_POWER_STATE), None))

            return IngestModule.ProcessResult.OK