def _json_event_logs(self, is_win_xp):
server = None # name of the target computer to get event logs, None to get logs from current computer
if self.destination == 'local':
with open(self.output_dir + '\\' + self.computer_name + '_evts' + self.rand_ext, 'wb') as fw:
json_writer = get_json_writer(fw)
header = ['COMPUTER', 'TYPE', 'SOURCE', 'CATEGORY', 'SOURCE NAME', 'ID', 'EVENT_TYPE', 'LOG']
if is_win_xp:
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'):
write_to_json(header, [self.computer_name, 'Logs', 'Security', eventCategory, sourceName,
eventID, eventType, date] + log, json_writer)
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server,
'Application'):
write_to_json(header,
[self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID,
eventType, date, log], json_writer)
for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'):
write_to_json(header, [self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID,
eventType, date, log], json_writer)
else:
# Exports everything from the event viewer
evt_handle = win32evtlog.EvtOpenChannelEnum()
os.mkdir(self.output_dir + r"\evt")
while True:
# opening channel for enumeration
logtype = win32evtlog.EvtNextChannelPath(evt_handle)
if logtype is None:
break
# fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n')
self._list_evt_vista(server, logtype)
close_json_writer(json_writer)
def json_recycle_bin(self):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_recycle_bin' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
header = ["COMPUTER_NAME", "TYPE", "NAME_1", "NAME_2"]
idl = shell.SHGetSpecialFolderLocation(
0, shellcon.CSIDL_BITBUCKET)
desktop = shell.SHGetDesktopFolder()
files = desktop.BindToObject(idl, None, shell.IID_IShellFolder)
for bin_file in files:
write_to_json(header,
[
self.computer_name, 'recycle_bin',
files.GetDisplayNameOf(
bin_file, shellcon.SHGDN_NORMAL),
files.GetDisplayNameOf(
bin_file, shellcon.SHGDN_FORPARSING)
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_recycle_bin' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_windows_prefetch(self, wpref):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_prefetch' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
header = [
"COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE",
"EXEC_NAME", "CREATE_TIME", "MODIFICATION_TIME",
"RUN_COUNT", "START_TIME", "DURATION", "AVERAGE_DURATION",
"DLL_LIST"
]
for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref:
str_c = ''
for s in list_str_c:
str_c += s.replace('\0', '') + ';'
write_to_json(header, [
self.computer_name, 'prefetch', pref_file,
unicode(format_version),
unicode(file_size),
exec_name.replace('\00', ''),
unicode(tc),
unicode(tm),
unicode(run_count),
unicode(hash_table_a['start_time']),
unicode(hash_table_a['duration']),
unicode(hash_table_a['average_duration']), str_c
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_prefetch' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def process_mft_file(self):
self.sizecheck()
self.build_filepaths()
# reset the file reading
self.num_records = 0
self.file_mft.seek(0)
raw_record = self.file_mft.read(1024)
if self.output is not None and not self.json:
self.file_csv.writerow(mft.mft_to_csv(None, True))
elif self.output is not None and self.json:
self.header = mft.mft_to_csv(None, True)
while raw_record != "":
record = mft.parse_record(raw_record, False)
record['filename'] = self.mft[self.num_records]['filename']
self.do_output(record)
self.num_records += 1
if record['ads'] > 0:
for i in range(0, record['ads']):
record_ads = record.copy()
record_ads['filename'] = record['filename'] + ':' + record[
'data_name', i]
self.do_output(record_ads)
raw_record = self.file_mft.read(1024)
if self.json:
close_json_writer(self.json_writer)
def _json_list_scheduled_jobs(self, is_at_available=False):
self.logger.info('Health : Listing scheduled jobs')
if self.destination == 'local':
file_tasks = self.output_dir + '%s_scheduled_jobs' % self.computer_name + self.rand_ext
with open(file_tasks, 'wb') as tasks_logs:
json_writer = get_json_writer(tasks_logs)
header = [
"COMPUTER_NAME", "TYPE", 'TASK_NAME', 'NEXT_SCHEDULE',
"STATUS"
]
for line in self._list_scheduled_jobs():
write_to_json(header,
[self.computer_name, 'Scheduled Jobs'] +
line.replace('"', '').split(','),
json_writer)
if is_at_available:
for line in self._list_at_scheduled_jobs():
write_to_json(header, [
self.computer_name, 'scheduled_jobs', line[4],
line[2] + ' ' + line[3], line[0]
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_scheduled_jobs' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_get_startup_files(self, path):
with open(
self.output_dir + self.computer_name + '_startup_files' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
header = [
"COMPUTER_NAME", "TYPE", "FILENAME", "USER", "MD5", "SHA1",
"SHA256"
]
for startup_file in self._get_startup_files(path):
write_to_json(header, startup_file, json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_startup_files' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_list_named_pipes(self, pipes):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_named_pipes' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
header = ["COMPUTER_NAME", "TYPE", "NAME"]
for pipe in pipes:
write_to_json(header,
[self.computer_name, 'named_pipes', pipe],
json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_named_pipes' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_infos_fs(self, files):
if self.destination == 'local':
with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw:
json_writer = get_json_writer(fw)
headers = ['COMPUTER NAME', 'TYPE', 'DATE', 'PATH', 'MD5', 'SHA1', 'SHA256', 'MIMETYPE', 'ZIP',
'EMPTY', 'VT']
for f, mime, md5, sha1, sha256, zip_value, datem, empty in files:
f = os.path.splitdrive(self.systemroot)[0] + '\\' + f.split('\\', 6)[-1]
write_to_json(headers, [self.computer_name, 'Filecatcher', unicode(datem), unicode(f), unicode(md5),
unicode(sha1), unicode(sha256), unicode(mime), unicode(zip_value), unicode(empty),
self._get_url_VT(sha256)], json_writer)
close_json_writer(json_writer)
record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext,
self.output_dir + '\\' + self.computer_name + '_sha256.log')
if self.zip_file:
self.zip_file.close()
def _json_firefox_history(self, fhistory):
with open(
self.output_dir + self.computer_name + '_firefox_history' +
self.rand_ext, 'wb') as output:
header = [
"COMPUTER_NAME", "TYPE", "TIME", "URL", "USER", "PROFILE"
]
json_writer = get_json_writer(output)
for time, url, user, profile in fhistory:
write_to_json(header, [
self.computer_name, 'firefox_history', time, url, user,
profile
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_firefox_history' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')
def _json_chrome_history(self, chistory):
if self.destination == 'local':
with open(
self.output_dir + self.computer_name + '_chrome_history' +
self.rand_ext, 'wb') as output:
json_writer = get_json_writer(output)
header = [
"COMPUTER_NAME", "TYPE", "TIME", "URL", "TITLE", "USER",
"PROFILE"
]
for time, url, title, user, profile in chistory:
write_to_json(header, [
self.computer_name, 'chrome_history', time, url, title,
user, profile
], json_writer)
close_json_writer(json_writer)
record_sha256_logs(
self.output_dir + self.computer_name + '_chrome_history' +
self.rand_ext,
self.output_dir + self.computer_name + '_sha256.log')