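def _read_serial_number():
    """Return the hardware serial number from the first readable cache database.

    Looks under ``inputdir`` for the per-user cache databases listed in
    ``check_dbs`` and runs ``SELECT SerialNumber FROM TableInfo`` against each
    until one yields a row.

    Returns:
        The serial number string, ``''`` when no candidate database exists, or
        the marker ``'SERIALERROR0'`` when candidates existed but none could be
        read (missing table, corrupt/locked file, or an empty result set).
    """
    g = glob.glob(os.path.join(
        inputdir, 'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
    check_dbs = ['consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db']
    serial_dbs = [loc for loc in g if any(db in loc for db in check_dbs)]
    serial_query = 'SELECT SerialNumber FROM TableInfo;'

    serial_no = ''
    for db in serial_dbs:
        # NOTE(review): sqlite3.connect() opens the evidence file directly;
        # SQLite may replay a hot journal on open, so staging a copy first is
        # the safer forensic practice (connect_to_db elsewhere may already do so).
        conn = None
        row = None
        try:
            conn = sqlite3.connect(db)
            row = conn.execute(serial_query).fetchone()
        except sqlite3.Error:
            # sqlite3.Error covers OperationalError (no such table) as well as
            # DatabaseError ("file is not a database"), which the old
            # OperationalError-only handler let escape and abort the module.
            row = None
        finally:
            if conn is not None:
                conn.close()
        if row is not None:
            serial_no = row[0]
            break
        # An empty result set used to raise TypeError on fetchone()[0]; treat it
        # like any other failed lookup and keep trying the remaining databases.
        serial_no = 'SERIALERROR0'
        log.error("Could not retrieve system serial number.")
    return serial_no


def module():
    """Collect host identity, OS version, serial, volume and FileVault facts.

    Reads SystemConfiguration/preferences.plist and SystemVersion.plist under
    ``inputdir``, resolves the serial number via ``_read_serial_number`` and
    writes one row through ``data_writer``.  On a live host (no 'Volumes' in
    ``inputdir`` and ``forensic_mode`` not True) it also shells out to
    ``systemsetup`` and ``fdesetup``; on a mounted image those fields are set
    to fixed markers.

    Relies on the module globals ``_modName``, ``_headers``, ``inputdir``,
    ``full_prefix``, ``OSVersion``, ``startTime``, ``forensic_mode`` and the
    helpers ``finditem``, ``stats2``, ``data_writer`` and ``log``.
    """
    # KEEP THIS - ENABLES WRITING OUTPUT FILE.
    _output = data_writer(_modName, _headers)

    # -------------BEGIN MODULE-SPECIFIC LOGIC------------- #
    preferences = plistlib.readPlist(os.path.join(
        inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist'))
    systemversion = plistlib.readPlist(os.path.join(
        inputdir, 'System/Library/CoreServices/SystemVersion.plist'))

    # KEEP THE LINE BELOW TO GENERATE AN ORDEREDDICT BASED ON THE HEADERS
    record = OrderedDict((h, '') for h in _headers)

    # full_prefix is comma-separated; fields 1 and 2 are hostname and IP address.
    prefix_fields = full_prefix.split(',')
    record['local_hostname'] = prefix_fields[1]
    record['ipaddress'] = prefix_fields[2]

    computer_name = finditem(preferences, 'ComputerName')
    if computer_name is not None:
        record['computer_name'] = computer_name.encode('utf-8')
    record['hostname'] = finditem(preferences, 'HostName')
    record['model'] = finditem(preferences, 'Model')
    record['product_version'] = OSVersion
    record['product_build_version'] = finditem(systemversion, 'ProductBuildVersion')

    record['serial_no'] = _read_serial_number()

    record['volume_created'] = stats2(inputdir + "/", oMACB=True)['btime']
    # Render the run timestamp as ISO-8601 with a 'Z' suffix.
    record['amtc_runtime'] = str(startTime).replace(' ', 'T').replace('+00:00', 'Z')

    if 'Volumes' not in inputdir and forensic_mode is not True:
        # Live system: query the running OS.  Both commands are passed as
        # argument lists (no shell), so nothing here is interpolated.
        tz, _ = subprocess.Popen(
            ["systemsetup", "-gettimezone"], stdout=subprocess.PIPE).communicate()
        record['system_tz'] = tz.rstrip().replace('Time Zone: ', '')

        _fdestatus, _ = subprocess.Popen(
            ["fdesetup", "status"], stdout=subprocess.PIPE).communicate()
        record['fvde_status'] = "On" if 'On' in _fdestatus else "Off"
    else:
        # Mounted image or forensic mode: the examined host cannot be queried.
        record['system_tz'] = "DEAD_DISK"
        record['fvde_status'] = "NA"

    # PROVIDE OUTPUT LINE, AND WRITE TO OUTFILE
    _output.write_entry(record.values())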
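def module():
    """Collect host identity, OS version and serial number into one record.

    Reads .GlobalPreferences.plist, SystemConfiguration/preferences.plist and
    SystemVersion.plist under ``inputdir``, then probes the per-user cache
    databases for a serial number.  Relies on the module globals ``_modName``,
    ``_headers``, ``inputdir``, ``full_prefix``, ``OSVersion`` and the helpers
    ``read_bplist``, ``finditem``, ``data_writer`` and ``log``.
    """
    # KEEP THIS - ENABLES WRITING OUTPUT FILE.
    _output = data_writer(_modName, _headers)

    # -------------BEGIN MODULE-SPECIFIC LOGIC------------- #
    # Loaded here for use further on in the module; not consumed in this section.
    globalpreferences = read_bplist(
        os.path.join(inputdir, 'Library/Preferences/.GlobalPreferences.plist'))
    preferences = plistlib.readPlist(os.path.join(
        inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist'))
    systemversion = plistlib.readPlist(os.path.join(
        inputdir, 'System/Library/CoreServices/SystemVersion.plist'))

    # KEEP THE LINE BELOW TO GENERATE AN ORDEREDDICT BASED ON THE HEADERS
    record = OrderedDict((h, '') for h in _headers)
    record['local_hostname'] = finditem(preferences, 'LocalHostName')
    # full_prefix is comma-separated; field 2 is the IP address.
    record['ipaddress'] = full_prefix.split(',')[2]

    computer_name = finditem(preferences, 'ComputerName')
    if computer_name is not None:
        record['computer_name'] = computer_name.encode('utf-8')
    record['hostname'] = finditem(preferences, 'HostName')
    record['model'] = finditem(preferences, 'Model')
    record['product_version'] = OSVersion
    record['product_build_version'] = finditem(systemversion, 'ProductBuildVersion')

    g = glob.glob(os.path.join(
        inputdir, 'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
    check_dbs = ['consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db']
    serial_dbs = [loc for loc in g if any(loc.endswith(db) for db in check_dbs)]
    serial_query = 'SELECT SerialNumber FROM TableInfo;'

    for db in serial_dbs:
        # NOTE(review): sqlite3.connect() opens the evidence file directly;
        # SQLite may replay a hot journal on open, so staging a copy first is
        # the safer forensic practice.
        conn = None
        try:
            conn = sqlite3.connect(db)
            record['serial_no'] = conn.execute(serial_query).fetchone()[0]
            break
        except Exception:
            # `except Exception, e:` was Python 2-only syntax and the bound
            # name was never used; the traceback is logged instead.
            log.debug("Could not get serial number from {0}: {1}".format(
                db, [traceback.format_exc()]))
            record['serial_no'] = 'ERROR'
        finally:
            # Runs before the `break` takes effect, so the handle never leaks.
            if conn is not None:
                conn.close()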
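def get_extensions(extlist, user, prof, extensions_output, extensions_headers):
    """Write one row per Chrome extension manifest in ``extlist``.

    Args:
        extlist: paths of extension manifest JSON files for one profile.
        user: owning user name, copied into every row.
        prof: profile directory name, copied into every row.
        extensions_output: writer whose ``write_entry()`` receives each row.
        extensions_headers: column names used to build each OrderedDict row.

    Manifests are third-party authored, so an unreadable or malformed file is
    logged and skipped rather than aborting collection for the whole profile.
    """
    log.debug("Writing extension data...")
    for ext in extlist:
        try:
            with open(ext) as manifest:
                data = json.load(manifest)
        except (IOError, OSError, ValueError) as exc:
            # ValueError covers JSON decode errors on both Python 2 and 3.
            log.debug("Could not parse extension manifest {0}: {1}".format(ext, exc))
            continue

        # These json files have various different keys depending on the author,
        # so every field goes through finditem() and defaults to ''.
        record = OrderedDict((h, '') for h in extensions_headers)
        record['user'] = user
        record['profile'] = prof
        for key in ('name', 'author', 'permissions', 'description',
                    'scripts', 'persistent', 'version'):
            record[key] = finditem(data, key)
        extensions_output.write_entry(record.values())
    log.debug("Completed writing extension data.")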
def module(chrome_location):
    """Parse Chrome 'Local State' and per-profile History databases for each Chrome dir.

    ``chrome_location`` is iterated twice, so it is expected to be a
    re-iterable collection of Chrome application-support directories whose
    paths contain a 'Users/<name>' segment (the user name is taken from the
    component after 'Users').  Rows are written to three data_writer streams:
    browser_chrome_profiles, browser_chrome_history and browser_chrome_downloads.

    Depends on the module-level helpers finditem, multiglob, connect_to_db,
    parse_profiles, pull_visit_history, pull_download_history, data_writer and
    log, and on the global outputdir.
    """
    # for all chrome dirs on disk, parse their local state files
    profile_headers = [
        'user', 'profile', 'active_time', 'is_using_default_avatar',
        'is_omitted_from_profile_list', 'name', 'gaia_picture_file_name',
        'user_name', 'managed_user_id', 'gaia_name', 'avatar_icon', 'gaia_id',
        'local_auth_credentials', 'gaia_given_name', 'is_using_default_name',
        'background_apps', 'is_ephemeral'
    ]
    profile_output = data_writer('browser_chrome_profiles', profile_headers)

    for c in chrome_location:
        # User name is the path component right after 'Users'. list.index()
        # raises ValueError if that segment is absent; not guarded here.
        userpath = c.split('/')
        userindex = userpath.index('Users') + 1
        user = userpath[userindex]
        log.debug(
            "Parsing Chrome Local State data under {0} user.".format(user))

        localstate_file = os.path.join(c, 'Local State')
        if os.path.exists(localstate_file):
            with open(localstate_file, 'r') as data:
                jdata = json.loads(data.read())
                chrome_ver = finditem(jdata, "stats_version")
                log.debug("Chrome version {0} identified.".format(chrome_ver))
                # info_cache holds the per-profile metadata parse_profiles expands.
                profile_data = finditem(jdata, "info_cache")
                parse_profiles(profile_data, user, profile_output, profile_headers)
        else:
            log.debug("File not found: {0}".format(localstate_file))

    # make a full list of all chrome profiles under all chrome dirs
    full_list_raw = [
        multiglob(c, ['Default', 'Profile *', 'Guest Profile'])
        for c in chrome_location
    ]
    full_list = list(itertools.chain.from_iterable(full_list_raw))

    urls_headers = [
        'user', 'profile', 'visit_time', 'title', 'url', 'visit_count',
        'last_visit_time', 'typed_count', 'visit_duration', 'search_term'
    ]
    urls_output = data_writer('browser_chrome_history', urls_headers)

    downloads_headers = [
        'user', 'profile', 'download_path', 'current_path', 'download_started',
        'download_finished', 'danger_type', 'opened', 'last_modified',
        'referrer', 'tab_url', 'tab_referrer_url', 'download_url', 'url'
    ]
    downloads_output = data_writer('browser_chrome_downloads', downloads_headers)

    for prof in full_list:
        # Same path-derived user lookup as above; the profile name is the
        # component after 'Chrome'.  Both index() calls raise ValueError on
        # a path without that segment.
        userpath = prof.split('/')
        userindex = userpath.index('Users') + 1
        user = userpath[userindex]
        chromeindex = userpath.index('Chrome') + 1
        profile = userpath[chromeindex]
        log.debug(
            "Starting parsing for Chrome history under {0} user.".format(user))

        # connect_to_db is expected to return a falsy value when the History
        # database cannot be opened — TODO confirm against its definition.
        history_db = connect_to_db(os.path.join(prof, 'History'))
        if history_db:
            pull_visit_history(history_db, user, profile, urls_output, urls_headers)
            pull_download_history(history_db, user, profile, downloads_output,
                                  downloads_headers)

        # Best-effort cleanup of a working copy; presumably connect_to_db stages
        # the database as 'History-tmp' under outputdir — verify against caller.
        try:
            os.remove(os.path.join(outputdir, 'History-tmp'))
        except OSError:
            pass