def module():
# KEEP THIS - ENABLES WRITING OUTPUT FILE.
_output = data_writer(_modName, _headers)
# -------------BEGIN MODULE-SPECIFIC LOGIC------------- #
preferences = plistlib.readPlist(os.path.join(inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist'))
systemversion = plistlib.readPlist(os.path.join(inputdir, 'System/Library/CoreServices/SystemVersion.plist'))
# KEEP THE LINE BELOW TO GENERATE AN ORDEREDDICT BASED ON THE HEADERS
record = OrderedDict((h, '') for h in _headers)
record['local_hostname'] = full_prefix.split(',')[1]
record['ipaddress'] = full_prefix.split(',')[2]
computer_name = finditem(preferences, 'ComputerName')
if computer_name is not None:
record['computer_name'] = computer_name.encode('utf-8')
record['hostname'] = finditem(preferences, 'HostName')
record['model'] = finditem(preferences, 'Model')
record['product_version'] = OSVersion
record['product_build_version'] = finditem(systemversion, 'ProductBuildVersion')
g = glob.glob(os.path.join(inputdir, 'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
check_dbs = ['consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db']
serial_dbs = [loc for loc in g if any(db in loc for db in check_dbs)]
serial_query = 'SELECT SerialNumber FROM TableInfo;'
for db in serial_dbs:
try:
cursor = sqlite3.connect(db).cursor()
record['serial_no'] = cursor.execute(serial_query).fetchone()[0]
break
except sqlite3.OperationalError:
record['serial_no'] = 'SERIALERROR0'
log.error("Could not retrieve system serial number.")
record['volume_created'] = stats2(inputdir + "/", oMACB=True)['btime']
record['amtc_runtime'] = str(startTime).replace(' ', 'T').replace('+00:00', 'Z')
if 'Volumes' not in inputdir and forensic_mode is not True:
tz, e = subprocess.Popen(["systemsetup", "-gettimezone"], stdout=subprocess.PIPE).communicate()
record['system_tz'] = tz.rstrip().replace('Time Zone: ', '')
_fdestatus, e = subprocess.Popen(["fdesetup", "status"], stdout=subprocess.PIPE).communicate()
if 'On' in _fdestatus:
record['fvde_status'] = "On"
else:
record['fvde_status'] = "Off"
else:
record['system_tz'] = "DEAD_DISK"
record['fvde_status'] = "NA"
# PROVIDE OUTPUT LINE, AND WRITE TO OUTFILE
line = record.values()
_output.write_entry(line)
def module():
# KEEP THIS - ENABLES WRITING OUTPUT FILE.
_output = data_writer(_modName, _headers)
# -------------BEGIN MODULE-SPECIFIC LOGIC------------- #
globalpreferences = read_bplist(
os.path.join(inputdir, 'Library/Preferences/.GlobalPreferences.plist'))
preferences = plistlib.readPlist(
os.path.join(
inputdir,
'Library/Preferences/SystemConfiguration/preferences.plist'))
systemversion = plistlib.readPlist(
os.path.join(inputdir,
'System/Library/CoreServices/SystemVersion.plist'))
# KEEP THE LINE BELOW TO GENERATE AN ORDEREDDICT BASED ON THE HEADERS
record = OrderedDict((h, '') for h in _headers)
record['local_hostname'] = finditem(preferences, 'LocalHostName')
record['ipaddress'] = full_prefix.split(',')[2]
computer_name = finditem(preferences, 'ComputerName')
if computer_name is not None:
record['computer_name'] = computer_name.encode('utf-8')
record['hostname'] = finditem(preferences, 'HostName')
record['model'] = finditem(preferences, 'Model')
record['product_version'] = OSVersion
record['product_build_version'] = finditem(systemversion,
'ProductBuildVersion')
g = glob.glob(
os.path.join(
inputdir,
'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
check_dbs = [
'consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db'
]
serial_dbs = [
loc for loc in g if any(loc.endswith(db) for db in check_dbs)
]
serial_query = 'SELECT SerialNumber FROM TableInfo;'
for db in serial_dbs:
try:
cursor = sqlite3.connect(db).cursor()
record['serial_no'] = cursor.execute(serial_query).fetchone()[0]
break
except Exception, e:
log.debug("Could not get serial number from {0}: {1}".format(
db, [traceback.format_exc()]))
record['serial_no'] = 'ERROR'
def get_extensions(extlist, user, prof, extensions_output, extensions_headers):
log.debug("Writing extension data...")
for ext in extlist:
with open(ext) as file:
data = json.loads(file.read())
#these json files have various different keys depending on the author
record = OrderedDict((h, '') for h in extensions_headers)
record['user'] = user
record['profile'] = prof
record['name'] = finditem(data, "name")
record['author'] = finditem(data, "author")
record['permissions'] = finditem(data, "permissions")
record['description'] = finditem(data, "description")
record['scripts'] = finditem(data, "scripts")
record['persistent'] = finditem(data, "persistent")
record['version'] = finditem(data, "version")
extensions_output.write_entry(record.values())
log.debug("Completed writing extension data.")
def module(chrome_location):
# for all chrome dirs on disk, parse their local state files
profile_headers = [
'user', 'profile', 'active_time', 'is_using_default_avatar',
'is_omitted_from_profile_list', 'name', 'gaia_picture_file_name',
'user_name', 'managed_user_id', 'gaia_name', 'avatar_icon', 'gaia_id',
'local_auth_credentials', 'gaia_given_name', 'is_using_default_name',
'background_apps', 'is_ephemeral'
]
profile_output = data_writer('browser_chrome_profiles', profile_headers)
for c in chrome_location:
userpath = c.split('/')
userindex = userpath.index('Users') + 1
user = userpath[userindex]
log.debug(
"Parsing Chrome Local State data under {0} user.".format(user))
localstate_file = os.path.join(c, 'Local State')
if os.path.exists(localstate_file):
with open(localstate_file, 'r') as data:
jdata = json.loads(data.read())
chrome_ver = finditem(jdata, "stats_version")
log.debug("Chrome version {0} identified.".format(chrome_ver))
profile_data = finditem(jdata, "info_cache")
parse_profiles(profile_data, user, profile_output,
profile_headers)
else:
log.debug("File not found: {0}".format(localstate_file))
# make a full list of all chrome profiles under all chrome dirs
full_list_raw = [
multiglob(c, ['Default', 'Profile *', 'Guest Profile'])
for c in chrome_location
]
full_list = list(itertools.chain.from_iterable(full_list_raw))
urls_headers = [
'user', 'profile', 'visit_time', 'title', 'url', 'visit_count',
'last_visit_time', 'typed_count', 'visit_duration', 'search_term'
]
urls_output = data_writer('browser_chrome_history', urls_headers)
downloads_headers = [
'user', 'profile', 'download_path', 'current_path', 'download_started',
'download_finished', 'danger_type', 'opened', 'last_modified',
'referrer', 'tab_url', 'tab_referrer_url', 'download_url', 'url'
]
downloads_output = data_writer('browser_chrome_downloads',
downloads_headers)
for prof in full_list:
userpath = prof.split('/')
userindex = userpath.index('Users') + 1
user = userpath[userindex]
chromeindex = userpath.index('Chrome') + 1
profile = userpath[chromeindex]
log.debug(
"Starting parsing for Chrome history under {0} user.".format(user))
history_db = connect_to_db(os.path.join(prof, 'History'))
if history_db:
pull_visit_history(history_db, user, profile, urls_output,
urls_headers)
pull_download_history(history_db, user, profile, downloads_output,
downloads_headers)
try:
os.remove(os.path.join(outputdir, 'History-tmp'))
except OSError:
pass
