def appts(query, output):
output.table(
elements=[
InodeType('Inode', 'inode'),
TimestampType('Start Date', 'startdate'),
TimestampType('End Date', 'enddate'),
StringType('Location', 'location'),
StringType('Comment', 'comment')
],
table=('appointment'),
case=query['case'],
filter="filter2",
)
return output
def journal(query, output):
output.table(
elements=[
InodeType('Inode', 'inode'),
TimestampType('Start Date', 'startdate'),
TimestampType('End Date', 'enddate'),
StringType('Type', 'type'),
StringType('Comment', 'comment')
],
table=('journal'),
case=query['case'],
filter="filter3",
)
return output
def ie_history_cb(query,result):
dbh=self.DBO(query['case'])
dbh.check_index("ie_history" ,"url",10)
OffsetType = Registry.COLUMN_TYPES.dispatch("OffsetType")
result.table(
elements = [ InodeIDType(case=query['case']),
OffsetType(case=query['case'], table='ie_history'),
StringType('Type','type'),
StringType('URL','url'),
TimestampType('Modified','modified'),
TimestampType('Accessed','accessed'),
StringType('Filename', 'filename'),
StringType('Headers','headers') ],
table='ie_history',
case=query['case'],
)
def render_pane(self, branch, query, result):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch) == 1:
result.heading("Show executables found in memory")
result.text("This statistic show the executables found in memory")
elif len(branch) == 2:
t = branch[1].replace("__", '/')
result.table(
elements=[
StringType(column='iosource', name='IOSource'),
IntegerType(column='pid', name='PID'),
TimestampType('Time Created', 'create_time')
],
table='tasks',
where='pid = %r' % t,
case=self.case,
)
else:
for c in self.classes:
if branch[2] == c.name:
self.chain_pane(c,
branch[2:],
query,
result,
condition="pid='%s'" % branch[1])
def tabular_view(query, result):
result.table(
elements=[
InodeIDType(case=query['case']),
StringType(name='Mode', column='mode', table='file'),
FilenameType(case=query['case']),
DeletedType(),
IntegerType(name='File Size', column='size'),
TimestampType(name='Last Modified', column='mtime'),
TimestampType(name='Last Accessed', column='atime'),
TimestampType(name='Created', column='ctime'),
],
table='inode',
case=query['case'],
filter="filter1",
)
def Timeline(query, result):
def add_new_event(query, result):
timeline = TimelineObj(case=query['case'])
## We got submitted - actually try to do the deed:
if 'Add To Timeline' in query.getarray('__submit__'):
result.start_table()
newEvent = timeline.add(query, result)
result.para("The following is the new timeline entry:")
timeline.show(newEvent,result)
result.end_table()
result.link("Close this window", target=original_query, pane='parent')
return result
result.start_form(query, pane='self')
result.heading("Add an arbitrary event")
timeline.add_form(query,result)
result.end_form(value="Add To Timeline")
return result
result.table(
elements = [ IntegerType(name='id', column='id'),
TimestampType(name='Time', column='time'),
EditableStringType('Notes', 'notes'),
StringType('Category', 'category')
],
table = 'timeline',
case = query['case'],
filter="filter2",
)
result.toolbar(add_new_event, "Add abritrary event",
icon="clock.png")
def pane_cb(path, tmp):
query['order'] = 'Filename'
## If we are asked to show a file, we will show the
## contents of the directory the file is in:
fsfd = FileSystem.DBFS(query["case"])
if not fsfd.isdir(path):
path = os.path.dirname(path)
tmp.table(
elements=[
InodeIDType(case=query['case']),
FilenameType(basename=True, case=query['case']),
DeletedType(),
IntegerType('File Size', 'size'),
TimestampType('Last Modified', 'mtime'),
StringType('Mode', 'mode', table='file')
],
table='inode',
where=DB.expand("file.path=%r and file.mode!='d/d'",
(path + '/')),
case=query['case'],
pagesize=10,
filter="filter2",
)
target = tmp.defaults.get('open_tree', '/')
tmp.toolbar(text=DB.expand("Scan %s", target),
icon="examine.png",
link=query_type(family="Load Data",
report="ScanFS",
path=target,
case=query['case']),
pane='popup')
def render_pane(self, branch, query, result, condition='1'):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
elements = [
StringType(column='iosource', name='IOSource'),
IntegerType(column='pid', name='PID'),
IntegerType(column='proto', name='Protocol'),
IntegerType(column='port', name='Port'),
TimestampType('Time Created', 'create_time')
]
try:
condition += " and proto=%s" % branch[1]
del elements[2]
except IndexError:
pass
try:
condition += " and port=%s" % branch[2]
del elements[2]
except IndexError:
pass
result.heading("Show sockets found in memory")
result.text("This statistic show the sockets found in memory")
result.table(
elements=elements,
table='sockets',
where=condition,
case=self.case,
)
def pane_cb(path, result):
if not path.endswith('/'): path=path+'/'
result.heading("Path is %s" % path)
case = query['case']
dbh = DB.DBO(case)
fsfd = Registry.FILESYSTEMS.dispatch(query['fstype'])(case)
## Try to see if the directory is already loaded:
dbh.execute("select * from file where path=%r and name=''", path)
if not dbh.fetch():
fsfd.load(mount_point = query['mount_point'], iosource_name= query['iosource'],
directory = path)
## Now display the table
result.table(
elements = [ InodeIDType(case=query['case']),
FilenameType(case=query['case']),
DeletedType(),
IntegerType(name='File Size',column='size'),
TimestampType(name = 'Last Modified',column = 'mtime'),
],
table='inode',
where=DB.expand("file.path=%r and file.mode!='d/d'",(path)),
case = query['case'],
pagesize=10,
)
def display(self, query,result):
result.heading("Table Tests")
## Tables need to act on the DB so we create a temporary table
## just for this test:
dbh=DB.DBO()
dbh.cursor.warnings=False
dbh.execute("drop table if exists TestTable")
dbh.execute("""create TABLE `TestTable` (
`id` int(11) NOT NULL auto_increment,
`time` TIMESTAMP,
`data` tinyblob NOT NULL,
`foobar` varchar(10),
`ip_addr` int(11) unsigned default 0,
PRIMARY KEY (`id`)
)""")
dbh.mass_insert_start("TestTable")
dbh.insert("TestTable", _time="from_unixtime(1147329821)", data="Some Data",
foobar="X", _ip_addr="inet_aton('192.168.1.1')")
dbh.insert("TestTable", _time="from_unixtime(1147329831)", data="More Data",
foobar="Y", _ip_addr="inet_aton('192.168.1.22')")
dbh.insert("TestTable", _time="from_unixtime(1147329841)", data="Some More Data",
foobar="Z", _ip_addr="inet_aton('192.168.1.23')")
dbh.insert("TestTable", _time="from_unixtime(1147329851)", data="Another Lot of Data",
foobar="Q", _ip_addr="inet_aton('192.168.1.55')")
for i in range(0,100):
dbh.mass_insert(_time="from_unixtime(%s)" % (1147329851+i), data="Data %s" % i, foobar=i)
dbh.mass_insert_commit()
def foobar_cb(value):
return "foo %s" % value
result.table(
## Can use keyword args
elements = [ TimestampType(name = 'Timestamp',
column = 'time',
),
## Or positional args
StringType('Data', 'data',
link = query_type(
family=query['family'], report='FormTest',__target__='var1')),
StringType('Foobar', 'foobar', callback=foobar_cb),
## Note that here we just need to specify the
## field name in the table, the IPType will
## automatically create the translated SQL.
IPType('IP Address', 'ip_addr'),
],
table = "TestTable",
)
def parse(self, query, datafile='datafile'):
Simple.SimpleLog.parse(self, query, datafile)
self.fields = [
IntegerType(name='Record', column='record'),
TimestampType(name='Timestamp', column='time'),
StringType(name='message', column='message'),
IntegerType(name='EventID', column='event'),
StringType(name='Source', column="Source"),
StringType(name='arg1', column='arg1'),
StringType(name='arg2', column='arg2'),
StringType(name='arg3', column='arg3'),
]
def Annotated_inodes(query, result):
result.table(
elements = [ TimestampType(name='Time',column='mtime', table='inode'),
InodeIDType(case=query['case']),
FilenameType(case=query['case']),
StringType('Category','category'),
StringType('Note','note'),
],
table = 'annotate',
case = query['case'],
filter="filter1",
)
def hist_cb(query,result):
result.table(
elements = [ InodeIDType(case=query['case']),
TimestampType('LastVisitDate','LastVisitDate'),
StringType('Name', 'name'),
StringType('URL', 'url'),
StringType('Host', 'host'),
StringType('Referrer', 'Referrer'),
],
table = 'mozilla_history',
case = query['case'],
filter='hist_filter',
)
def tabular_view(query,result):
result.table(
elements = [ TimestampType('Timestamp','mtime', table='inode'),
#TimestampType(name='Date',column='date'),
PacketType(name='Request Packet',column='request_packet',
case=query['case']),
InodeIDType(),
StringType('Method','method'),
StringType('URL','url'),
StringType('Content Type','content_type') ],
table="http",
case=query['case']
)
def streams(query, result):
result.table(elements=[
IntegerType("FTP Session id",
"ftp_session_id",
link=query_type(family="Network Forensics",
case=query['case'],
report="Browse FTP Data")),
TimestampType("Time Created", "time_created"),
StringType("Purpose", "purpose"),
InodeIDType(case=query['case'])
],
table='ftp_data_streams',
case=query['case'])
def sessions(query, result):
result.table(
elements=[ #IntegerType("FTP Session id", "ftp_session_id"),
InodeIDType(case=query['case']),
TimestampType("Start Time", "start_time"),
IPType("Client IP", "client_ip", case=query['case']),
IPType("Server IP", "server_ip", case=query['case']),
StringType("Username", "username"),
StringType("Password", "password"),
StringType("Server Banner", "server_banner"),
IntegerType("Total bytes", "total_bytes")
],
table="ftp_sessions",
case=query['case'])
def display(self,query,result):
try:
result.table(
elements = [ ThumbnailType(name='Thumbnail',case=query['case']),
FilenameType(case=query['case']),
StringType('Type','type'),
IntegerType('Size','size', table='inode'),
TimestampType(name='Timestamp',column='mtime', table='inode')
],
table = 'type',
case = query['case']
)
except DB.DBError,e:
result.para("Error reading the type table. Did you remember to run the TypeScan scanner?")
result.para("Error reported was:")
result.text(e,style="red")
def table_notebook_cb(query, result):
del new_q['mode']
del new_q['mark']
new_q['__target__'] = 'open_tree'
new_q['mode'] = 'Tree View'
result.table(elements=[
StringType('Path', 'path', link=new_q),
StringType('Type', 'type'),
StringType('Key', 'reg_key'),
TimestampType('Modified', 'modified'),
StringType('Value', 'value')
],
table='reg',
case=query['case'],
filter="filter1")
def parse(self, query, datafile='datafile'):
LogFile.Log.parse(self, query, datafile)
self.datafile = query.getarray(datafile)
# set these params, then we can just use SimpleLog's get_fields
self.delimiter = re.compile(' ')
self.prefilters = ['PFDateFormatChange2']
if self.datafile:
query.clear('fields')
for f in self.find_fields_line():
query['fields'] = f
# now for the IIS magic, the code below sets up the
# fields, types, and indexes arrays req'd by load
# replaces the need for the form in SimpleLog
# try to guess types based on known field-names, not perfect...
# automatically index the non-varchar fields, leave the rest
self.fields = []
## Note the original log file has -ip, -status etc, but after
## MakeSQLSafe dashes turn to underscores.
for field in query.getarray('fields'):
if field == 'time':
tmp = TimestampType('Timestamp', 'timestamp')
tmp.index = True
self.fields.append(tmp)
elif '_ip' in field:
tmp = IPType('IP Address', 'IP Address')
tmp.index = True
self.fields.append(tmp)
elif '_status' in field or '_bytes' in field:
tmp = IntegerType(field, field)
tmp.index = True
self.fields.append(tmp)
else:
tmp = StringType(field, field)
tmp.index = True
self.fields.append(tmp)
def display(self, query, result):
result.heading("Interesting Registry Keys")
dbh = self.DBO(query['case'])
result.table(
elements=[
StringType('Path', 'path'),
StringType('Key', 'reg_key'),
StringType('Value', 'value'),
TimestampType('Last Modified', 'modified'),
StringType('Category', 'category'),
StringType('Description', 'description')
],
table='interestingregkeys',
case=query['case'],
)
def display(self, query, result):
dbh = self.DBO(query['case'])
result.heading("File Timeline for Filesystem")
result.table(
elements=[
TimestampType('Timestamp', 'time'),
AFF4URN(case=query['case']),
DeletedType(),
BinaryType('m', "m"),
BinaryType('a', "a"),
BinaryType('c', "c"),
BinaryType('d', "d"),
FilenameType(),
],
table='mac',
case=query['case'],
)
def parse(self, query, datafile='datafile'):
LogFile.Log.parse(self, query, datafile)
self.fields = []
self.delimiter = re.compile("\s+")
self.fields.append(TimestampType('Timestamp', 'Timestamp'))
self.fields.append(StringType('Hostname', 'Hostname'))
self.fields.append(StringType('ServiceName', 'ServiceName'))
self.fields.append(StringType('Message', 'Message'))
self.datafile = query.getarray(datafile)
try:
self.yearOfSyslog = int(query['year_of_syslog'])
except:
pass
def display(self, query, result):
result.table(
elements=[
TimestampType('Timestamp', 'mtime', table='inode'),
InodeIDType(case=query['case']),
StringType('From', 'From'),
StringType('To', 'To'),
StringType('CC', 'CC'),
StringType('BCC', 'BCC'),
StringType('Subject', 'Subject'),
HTMLStringType('Message', 'Message'),
#StringType('MessageID', 'message_id'),
AttachmentColumn(name='Attachment', case=query['case']),
StringType('Type', 'type'),
StringType('Service', 'service'),
],
table='webmail_messages',
case=query['case'])
def parse(self, query, datafile="datafile"):
LogFile.Log.parse(self, query, datafile)
self.datafile = query.getarray(datafile)
# set these params, then we can just use SimpleLog's get_fields
self.delimiter = re.compile(" ")
self.prefilters = ["PFDateFormatChange2"]
if self.datafile:
query.clear("fields")
for f in self.find_fields_line():
query["fields"] = f
# now for the IIS magic, the code below sets up the
# fields, types, and indexes arrays req'd by load
# replaces the need for the form in SimpleLog
# try to guess types based on known field-names, not perfect...
# automatically index the non-varchar fields, leave the rest
self.fields = []
## Note the original log file has -ip, -status etc, but after
## MakeSQLSafe dashes turn to underscores.
for field in query.getarray("fields"):
if field == "time":
tmp = TimestampType("Timestamp", "timestamp")
tmp.index = True
self.fields.append(tmp)
elif "_ip" in field:
tmp = IPType("IP Address", "IP Address")
tmp.index = True
self.fields.append(tmp)
elif "_status" in field or "_bytes" in field:
tmp = IntegerType(field, field)
tmp.index = True
self.fields.append(tmp)
else:
tmp = StringType(field, field)
tmp.index = True
self.fields.append(tmp)
def email(query, output):
output.table(
elements=[
InodeType('Inode',
'inode',
link=query_type(case=query['case'],
family="Disk Forensics",
report='ViewFile',
__target__='inode',
inode="%s:0")),
TimestampType('Arrival Date', 'date'),
StringType('From', 'from'),
StringType('To', 'to'),
StringType('Subject', 'subject')
],
table=('email'),
case=query['case'],
filter="filter0",
)
return output
def render_pane(self, branch, query, result):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch)==1:
result.heading("Show file types")
result.text("This statistic allows different file types to be examined")
else:
t = branch[1].replace("__",'/')
result.table(
elements = [ AFF4URN(case = self.case),
FilenameType(case = self.case, link_pane='main'),
IntegerType('Size','size', table='vfs'),
TimestampType('Timestamp','mtime', table='vfs'),
StringType('Mime', 'mime', table='type')],
table = 'type',
where = DB.expand('type.type=%r ', t),
case = self.case,
)
def display(self, query, result):
result.heading("Email sessions")
result.table(
elements=[
InodeType('Inode',
'inode',
link=query_type(family='Disk Forensics',
case=query['case'],
__target__='inode',
report='View File Contents',
mode="Text"),
case=query['case']),
TimestampType('Date', 'date'),
StringType('From', 'from'),
StringType('To', 'to'),
StringType('Subject', 'subject')
],
table=('email'),
case=query['case'],
)
def render_pane(self, branch, query, result):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch) == 1:
result.heading("Show infected files")
result.text("Lists all the files infected with a particular virus")
else:
t = branch[1].replace("__", '/')
result.table(
elements=[
AFF4URN(case=self.case),
FilenameType(case=self.case),
IntegerType('Size', 'size', table='inode'),
TimestampType('Timestamp', 'mtime', table='inode')
],
table='virus',
where='virus.virus = %r ' % t,
case=self.case,
)
def parse(self, query, datafile="datafile"):
LogFile.Log.parse(self, query, datafile)
self.datafile = query.getarray(datafile)
self.cre = re.compile("([A-Z]+)=([^ ]*)")
self.prefix_re = re.compile("([^ :]+):IN=")
self.date_re = re.compile("^(...)\s+(\d+)\s+(\d\d:\d\d:\d\d)")
self.fields = [
TimestampType(name="TIME", column="TIME"),
StringType(name="Action", column="action")
]
self.parameters = {}
for parameter, name, desc, column, default, index in IPTABLES_FIELDS:
if query.has_key(parameter):
new_column = column(name=name, column=parameter)
new_column.index = index
self.fields.append(new_column)
self.parameters[parameter] = new_column
if len(self.fields) == 0:
raise RuntimeError("No columns were selected")
_timestamp="from_unixtime(%d)" %
s.st_mtime,
size=s.st_size)
except OSError:
pass
dbh.mass_insert_commit()
except OSError, e:
pass
new_query = query.clone()
new_query['__target__'] = name
new_query['__target_type__'] = 'append'
elements = [
IntegerType(name='Size', column='size'),
TimestampType(name='Timestamp', column='timestamp'),
StringType(name='Filename',
column='filename',
link=new_query,
link_pane='parent')
]
## Now display the table widget:
result.table(elements=elements,
table=tablename,
case=case,
order=2,
direction=1)
## Submit all the nodes in the display:
def submit_all(query, new_result):
