def process(self, file):
# For an example, we will flag files with .txt in the name and make a blackboard artifact.
if file.getName().find(".txt") != -1:
self.logger.logp(Level.INFO, SampleJythonFileIngestModule.__name__, "process", "Found a text file: " + file.getName())
self.filesFound+=1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artfiact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
art.addAttribute(att)
# To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
len = inputStream.read(buffer)
while (len != -1):
totLen = totLen + len
len = inputStream.read(buffer)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# For our example, we will use FileManager to get all
# files with the word "test"
# in the name and then count and read them
# FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%test%")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artfiact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
readLen = inputStream.read(buffer)
while (readLen != -1):
totLen = totLen + readLen
readLen = inputStream.read(buffer)
# Update the progress bar
progressBar.progress(fileCount)
#Post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName)
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
autopsyCase = Case.getCurrentCase()
sleuthkitCase = autopsyCase.getSleuthkitCase()
services = Services(sleuthkitCase)
fileManager = services.getFileManager()
# For our example, we will use FileManager to get all
# files with the word "test"
# in the name and then count and read them
files = fileManager.findFiles(dataSource, "%test%")
numFiles = len(files)
logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0;
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "Processing file: " + file.getName())
fileCount += 1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artfiact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
art.addAttribute(att)
# To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
readLen = inputStream.read(buffer)
while (readLen != -1):
totLen = totLen + readLen
readLen = inputStream.read(buffer)
# Update the progress bar
progressBar.progress(fileCount)
#Post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK;
def process(self, file):
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
(file.isFile() == False)):
return IngestModule.ProcessResult.OK
# This will work in 4.0.1 and beyond
# Use blackboard class to index blackboard artifacts for keyword search
# blackboard = Case.getCurrentCase().getServices().getBlackboard()
# For an example, we will flag files with .txt in the name and make a blackboard artifact.
if file.getName().lower().endswith(".txt"):
self.log(Level.INFO, "Found a text file: " + file.getName())
self.filesFound+=1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artifact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
art.addAttribute(att)
# This will work in 4.0.1 and beyond
#try:
# # index the artifact for keyword search
# blackboard.indexArtifact(art)
#except Blackboard.BlackboardException as e:
# self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None));
# For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added
# by other modules. We then iterate over its attributes. We'll just print them, but you would probably
# want to do something with them.
artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
for artifact in artifactList:
attributeList = artifact.getAttributes();
for attrib in attributeList:
self.log(Level.INFO, attrib.toString())
# To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
len = inputStream.read(buffer)
while (len != -1):
totLen = totLen + len
len = inputStream.read(buffer)
return IngestModule.ProcessResult.OK
def getUsersFromFile(self, file):
inputStream = ReadContentInputStream(file)
users = []
buffer = jarray.zeros(1024, "b")
totLen = 0
len = inputStream.read(buffer)
while len != -1:
totLen = totLen + len
len = inputStream.read(buffer)
currentBuffer = buffer.tostring()
x = re.search("^\{.*\"gender\".*\}", currentBuffer)
if x:
result = x.string.replace("\x00", "")
d = json.loads(result)
users.append(d)
return users
def process(self, file):
# If the file has a txt extension, post an artifact to the blackboard.
if file.getName().find("test") != -1:
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Sample Jython File Ingest Module", "Text Files")
art.addAttribute(att)
# Read the contents of the file.
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
len = inputStream.read(buffer)
while (len != -1):
totLen = totLen + len
len = inputStream.read(buffer)
# Send the size of the file to the ingest messages in box.
msgText = "Size of %s is %d bytes" % ((file.getName(), totLen))
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython File IngestModule", msgText)
ingestServices = IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def cookieMain(self, file):
global chrome_pattern_utmb
global chrome_pattern_utmz
global chrome_pattern_utma
global moz_pattern_utma
global moz_pattern_utmb
global moz_pattern_utmz
global ie_utma_pattern
global ie_utmb_pattern
global ie_utmz_pattern
global apple_utma_pattern
global apple_utmb_pattern
global apple_utmz_pattern
global chrome_utma_count
global chrome_utmb_count
global chrome_utmz_count
global ff_utma_count
global ff_utmb_count
global ff_utmz_count
global ie_utma_count
global ie_utmb_count
global ie_utmz_count
global apple_utma_count
global apple_utmb_count
global apple_utmz_count
global gif__UTF16_count
global gif_ASCII_count
#chrome utm grep patterns
chrome_pattern_utma = re.compile(r'__utma(([0-9]{0,10}\.){5}([0-9])*)(\/)')
chrome_pattern_utmz = re.compile(r'(__utmz)(([0-9]{0,10}\.){4}utm(.*?)\s*\x2F\x00\x2E)')
chrome_pattern_utmb = re.compile(r'(__utmb)(([0-9]{0,10}\.){3}[0-9]{0,10})')
#firefox utm grep patterns
moz_pattern_utma = re.compile(r'(__utma(([0-9]{0,10}\.){5}[0-9]{1,5}))[^\/](\.?[a-zA-Z\d-]{0,63}){0,4}')
moz_pattern_utmb = re.compile(r'__utmb([0-9]{0,10}\.){3}[0-9]{0,10}([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){1,4}')
moz_pattern_utmz = re.compile(r'(__utmz)(([0-9]{0,20}\.){4}[ -~]*?)([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){0,4}\/[TS]{1}')
#ie patterns
ie_utma_pattern = re.compile(r'(__utma)(\x0a(([0-9]{0,10}\.){5})[0-9]{1,10}\n)([ -~]{1,64}\x0a)')
ie_utmb_pattern = re.compile(r'(__utmb)(\x0a(([0-9]{0,10}\.){3})[0-9]{1,10}\n)([ -~]{1,64}\x0a)')
ie_utmz_pattern = re.compile(r'(__utmz)\x0a(([0-9]{0,10}\.){4}[ -~]{1,200}\x0a)([ -~]{1,64}\x0a)')
apple_utma_pattern = re.compile(r'(__utma)\x00(([0-9]{0,10}\.){5}[0-9]{1,5})\x00([ -~]{1,64}\x00\/)')
apple_utmb_pattern = re.compile(r'(__utmb)\x00(([0-9]{0,10}\.){3}[0-9]{10})\x00([ -~]{1,64})\x00\/')
apple_utmz_pattern = re.compile(r'(__utmz)\x00(([0-9]{0,10}\.){4}[ -~]{1,200}\x00)([ -~]{1,64}\x00\/)')
#count vars to keep track of total records processed
chrome_utma_count = 0
chrome_utmb_count = 0
chrome_utmz_count = 0
ff_utma_count = 0
ff_utmb_count = 0
ff_utmz_count = 0
ie_utma_count=0
ie_utmb_count=0
ie_utmz_count=0
apple_utma_count = 0
apple_utmb_count = 0
apple_utmz_count = 0
gif__UTF16_count = 0
gif_ASCII_count = 0
self.processed = 0
not_processed= []
#can be increased if more ram is available
global maxfilesize
maxfilesize = 500000
#printable chars allowed in urls and domain names
allowed_chars = r'[\.a-zA-Z\d-]'
p_allowed_chars = re.compile(allowed_chars)
#loop to keep track of how many segments a file is broken into
global loop
loop = 0
# Read the contents of the file.
nLoops = 0
while 1:
inputStream = ReadContentInputStream(file)
chunkJarray = jarray.zeros(maxfilesize, "b")
if not chunkJarray:
break
len = inputStream.read(chunkJarray)
if len != maxfilesize:
print "Not enough bytes read: %d\n" % (len)
if nLoops > 0:
print" nLoops = %d;breaking\n" % (nLoops)
break
chunk = StringUtil().fromBytes(chunkJarray)
print ("Bytes read: %d\n" % (len))
self.process_chrome_utma(chrome_pattern_utma, chunk)
#self.process_chrome_utmb(chrome_pattern_utmb, chunk)
#self.process_chrome_utmz(chrome_pattern_utmz, chunk)
self.process_firefox_utma(moz_pattern_utma,chunk)
#self.process_firefox_utmb(moz_pattern_utmb,chunk)
#self.process_firefox_utmz(moz_pattern_utmz,chunk)
self.process_ie_utma(ie_utma_pattern,chunk)
#self.process_ie_utmb(ie_utmb_pattern,chunk)
#self.process_ie_utmz(ie_utmz_pattern,chunk)
self.process_apple_utma(apple_utma_pattern,chunk)
#self.process_apple_utmb(apple_utmb_pattern,chunk)
#self.process_apple_utmz(apple_utmz_pattern,chunk)
nLoops = nLoops + 1
if nLoops > 1:
print "nLoops too big - breaking"
break
print "\r\r************ Summary ************"
print "Chrome __utma count processed: " + str(chrome_utma_count)
print "Chrome __utmb count processed: " + str(chrome_utmb_count)
print "Chrome __utmz count found: " + str(chrome_utmz_count)
print "FireFox __utma count processed: " + str(ff_utma_count)
print "FireFox __utmb count processed: " + str(ff_utmb_count)
print "FireFox __utmz count found: " + str(ff_utmz_count)
print "FireFox __utmz count processed: " + str(self.processed)
print "IE __utma count processed: " + str(ie_utma_count)
print "IE __utmb count processed: " + str(ie_utmb_count)
print "IE __utmz count processed: " + str(ie_utmz_count)
print "apple __utma count processed: " + str(apple_utma_count)
print "apple __utmb count processed: " + str(apple_utmb_count)
print "apple __utmz count processed: " + str(apple_utmz_count)
def process(self, file):
skCase = Case.getCurrentCase().getSleuthkitCase()
ARTID_NS_WIFI = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_WIFI)
networks = {}
skCase = Case.getCurrentCase().getSleuthkitCase()
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
or (file.isFile() is False)):
return IngestModule.ProcessResult.OK
blackboard = Case.getCurrentCase().getServices().getBlackboard()
if (file.getName().lower() == "8000000000000050"):
artifactList = file.getArtifacts(ARTID_NS_WIFI)
self.log(Level.INFO, "Found the file" + file.getName())
self.filesFound += 1
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(8192, "b")
totLen = 0
lengthofbuffer = inputStream.read(buffer)
while lengthofbuffer != -1:
totLen = totLen + lengthofbuffer
lengthofbuffer = inputStream.read(buffer)
currentBuffer = buffer.tostring()
regex = "\x00[^\x00]{16}\x03(?:[^\x20-\x7f]+)(?P<ssid>[\x20-\x7f]+?)\x00(?:[^\x20-\x7f]+)(?P<pass>[\x20-\x7f]+?)\x00"
x = re.finditer(regex, currentBuffer)
for network in x:
networks[network.group('ssid')] = network.group('pass')
for ssid, psk in networks.items():
self.log(Level.INFO, ssid)
# Don't add to blackboard if the artifact already exists
for artifact in artifactList:
artifactSSID = artifact.getAttribute(
self.NS_WIFI_ATTRIBUTES["SSID"][3])
if artifactSSID.getValueString() == ssid:
pass
art = file.newArtifact(ARTID_NS_WIFI)
art.addAttribute(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.
getTypeID(), WiFiIngestModuleFactory.moduleName,
"Nintendo Switch - Wireless Credentials"))
art.addAttribute(
BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["SSID"][3],
WiFiIngestModuleFactory.moduleName,
ssid))
art.addAttribute(
BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["PSK"][3],
WiFiIngestModuleFactory.moduleName,
psk))
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException:
self.log(Level.SEVERE,
"Error indexing artifact " + art.getDisplayName())
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(
WiFiIngestModuleFactory.moduleName,
skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_WIFI),
None))
return IngestModule.ProcessResult.OK
