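def run_mastiff(evidence, file_to_process, folder_path, evidence_no_quotes, outfile):
    """Run MASTIFF (mas.py) against one evidence file and collect its output folder.

    Args:
        evidence: the evidence path as the caller prepared it for a shell command;
            presumably the quoted form of ``evidence_no_quotes`` (kept in the
            signature for callers, no longer handed to a shell here).
        file_to_process: name of the evidence file; names the per-file output subfolder.
        folder_path: root of the mantaray output tree.
        evidence_no_quotes: plain (unquoted) path of the evidence file; hashed and
            passed to mas.py as a single argv element.
        outfile: open text file that receives the log lines.

    Returns:
        None. Progress and failures are printed and appended to ``outfile``.
    """
    print("Getting ready to run Mastiff.....")
    print("The file to process is: " + file_to_process)
    # make output folder for this file
    mastiff_folder = folder_path + "/" + file_to_process + "/MASTIFF"
    check_for_folder(mastiff_folder, "NONE")
    # get md5 hash of file we are processing; MASTIFF names its output folder after it
    md5_hash = calculate_md5(evidence_no_quotes)
    print("The md5 hash of this file is: " + md5_hash)
    # set up mastiff command as an argv list and run it without a shell, so that
    # quotes or metacharacters inside the evidence path are never interpreted
    mastiff_command = ["mas.py", evidence_no_quotes]
    mastiff_command_text = " ".join(mastiff_command)
    print("The mastiff command is: " + mastiff_command_text)
    outfile.write("The mastiff command is: " + mastiff_command_text + "\n\n")
    try:
        subprocess.call(mastiff_command)
    except OSError as err:
        # without a shell a missing mas.py raises instead of returning 127; log and go on
        print("Could not run mastiff: " + str(err))
        outfile.write("Could not run mastiff: " + str(err) + "\n\n")
    # move the mastiff output folder (/var/log/mastiff/<md5>) into the mantaray output folder
    move_command = ["mv", "/var/log/mastiff/" + md5_hash, mastiff_folder]
    move_command_text = " ".join(move_command)
    print("The move command is: " + move_command_text)
    outfile.write("The move command is: " + move_command_text + "\n\n")
    # run move_command (again without a shell; mv's own exit status is not checked,
    # matching the previous best-effort behaviour)
    try:
        subprocess.call(move_command)
    except OSError as err:
        print("Could not move mastiff output: " + str(err))
        outfile.write("Could not move mastiff output: " + str(err) + "\n\n")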
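def _load_plists_to_process(list_path):
    """Return the plist file names listed one per line in ``list_path``."""
    with open(list_path) as f:
        return f.read().splitlines()


def _is_candidate_plist(file_name, abs_file_path):
    """Return True for a ``.plist`` entry that is not a symbolic link."""
    file_extension = os.path.splitext(file_name)[1]
    return file_extension == ".plist" and not os.path.islink(abs_file_path)


def _plist_size(abs_file_path, outfile):
    """Return the size of ``abs_file_path`` in bytes, or 0 (after logging) if it cannot be read.

    Returning 0 makes an unreadable file look empty, so it is skipped instead of
    re-using the size of the previously inspected file.
    """
    try:
        return os.path.getsize(abs_file_path)
    except OSError:
        print("Could not get filesize for file: " + abs_file_path)
        outfile.write("Could not get filesize for file: " + abs_file_path + "\n")
        return 0


def _detect_plist_format(abs_file_path, file_name):
    """Classify a plist as ``binary_plist``, ``xml_plist`` or ``text_plist``.

    The decision is based on the first line of the file (or the second one when
    the first is three characters or shorter, e.g. blank).
    """
    with open(abs_file_path, "r", encoding="utf-8", errors="ignore") as plist_file:
        first_line = plist_file.readline().strip()
        if len(first_line) > 3:
            print("First line is over 3 characters long")
        else:
            # only one extra line is consulted; it is deliberately not stripped
            first_line = plist_file.readline()
    print("The first line is: " + first_line)
    if "bplist" in first_line:
        file_format = "binary_plist"
    elif "xml version" in first_line:
        file_format = "xml_plist"
    else:
        file_format = "text_plist"
    print(file_name + " is " + file_format)
    return file_format


def _reset_binary_plist_dir(outfile):
    """Recreate the empty scratch folder that receives converted binary plists.

    NOTE(review): the folder is a fixed, world-known path under /tmp; any
    pre-existing entry there (including one created by another local user) is
    removed and replaced, and the converted plists are written to it.
    """
    tmp_dir = "/tmp/binary_plists/"
    if os.path.exists(tmp_dir):
        # delete temp path so only the current conversion lives in it
        shutil.rmtree(tmp_dir)
        os.makedirs(tmp_dir)
    else:
        os.makedirs(tmp_dir)
        outfile.write("\nJust created output folder: /tmp/binary_plists/\n")


def _convert_binary_plist(abs_file_path, file_name, md5, outfile, outfile_error):
    """Convert a binary plist with ``plutil`` and return the converted path, or None on failure.

    The command is run as an argv list without a shell, so a crafted file name
    inside the evidence folder cannot inject extra commands.
    """
    converted_path = "/tmp/binary_plists/" + file_name + "_" + md5 + ".plist"
    plutil_command = ["plutil", "-i", abs_file_path, "-o", converted_path]
    print("The plutil command is: " + " ".join(plutil_command))
    try:
        return_code = subprocess.call(plutil_command)
    except OSError:
        # plutil not installed / not executable
        return_code = None
    # a non-zero exit or a missing output file means there is nothing to parse
    if return_code != 0 or not os.path.isfile(converted_path):
        print("Call to plutil failed for file: " + abs_file_path)
        outfile_error.write("Call to plutil failed for file: " + abs_file_path + "\n")
        return None
    outfile.write("The converted binary plist is named: " + converted_path + "\n")
    return converted_path


def process_folder(folder_to_process, export_file, outfile, outfile_error, now):
    """Walk an evidence folder and process the plists named in the configured list.

    A first pass handles ``SystemVersion.plist`` (OS X version) so that it is
    known before the second pass processes every other listed plist, dispatching
    on the detected format (XML directly, binary via a plutil conversion, plain
    text left alone).

    Args:
        folder_to_process: root folder to walk recursively.
        export_file: export target handed through to the per-plist processors.
        outfile: open text file receiving progress log lines.
        outfile_error: open text file receiving error log lines.
        now: not used by this function; kept for the caller's signature.

    Returns:
        None.
    """
    plists_to_process = _load_plists_to_process(
        "/usr/local/src/Manta_Ray/docs/plists_to_process.txt"
    )
    print("Plists_to_process type is: " + str(type(plists_to_process)))
    print("The plists to process are: " + str(plists_to_process))

    # recurse once to find SystemVersion.plist to get OSX version
    for root, _dirs, files in os.walk(folder_to_process):
        for file_name in files:
            abs_file_path = os.path.join(root, file_name)
            if not _is_candidate_plist(file_name, abs_file_path):
                continue
            # skip links, unreadable files and files that are 0 in size
            if not _plist_size(abs_file_path, outfile):
                continue
            if file_name == "SystemVersion.plist":
                print("Plist to process is: " + file_name)
                md5 = calculate_md5(abs_file_path)
                print("The md5 is: " + md5)
                process_systemversion_plist(abs_file_path, export_file, md5, outfile)

    # second pass: every other plist in the list (a set avoids processing a name twice)
    wanted_plists = set(plists_to_process)
    for root, _dirs, files in os.walk(folder_to_process):
        for file_name in files:
            abs_file_path = os.path.join(root, file_name)
            if not _is_candidate_plist(file_name, abs_file_path):
                continue
            if not _plist_size(abs_file_path, outfile):
                continue
            if file_name not in wanted_plists:
                continue
            file_format = _detect_plist_format(abs_file_path, file_name)
            # get metadata
            md5 = calculate_md5(abs_file_path).strip()
            print("The md5 is: " + md5)
            outfile.write("About to process: " + abs_file_path + "\n")
            if file_format == "xml_plist":
                process_system_plists(abs_file_path, export_file, md5, outfile, outfile_error)
            elif file_format == "binary_plist":
                # the scratch folder is emptied right before each conversion, so the
                # converted file handed on below is the only one in it
                _reset_binary_plist_dir(outfile)
                converted_path = _convert_binary_plist(
                    abs_file_path, file_name, md5, outfile, outfile_error
                )
                if converted_path is not None:
                    process_converted_binary_plist(
                        converted_path, md5, export_file, outfile, abs_file_path
                    )
            # text_plist: no processor exists for it, so it is only logged above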
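def _load_plists_to_process(list_path):
    """Return the plist file names listed one per line in ``list_path``."""
    with open(list_path) as f:
        return f.read().splitlines()


def _is_candidate_plist(file_name, abs_file_path):
    """Return True for a ``.plist`` entry that is not a symbolic link."""
    file_extension = os.path.splitext(file_name)[1]
    return file_extension == ".plist" and not os.path.islink(abs_file_path)


def _plist_size(abs_file_path, outfile):
    """Return the size of ``abs_file_path`` in bytes, or 0 (after logging) if it cannot be read.

    Returning 0 makes an unreadable file look empty, so it is skipped instead of
    re-using the size of the previously inspected file.
    """
    try:
        return os.path.getsize(abs_file_path)
    except OSError:
        print("Could not get filesize for file: " + abs_file_path)
        outfile.write("Could not get filesize for file: " + abs_file_path + "\n")
        return 0


def _detect_plist_format(abs_file_path, file_name):
    """Classify a plist as ``binary_plist``, ``xml_plist`` or ``text_plist``.

    The decision is based on the first line of the file (or the second one when
    the first is three characters or shorter, e.g. blank).
    """
    with open(abs_file_path, 'r', encoding='utf-8', errors='ignore') as plist_file:
        first_line = plist_file.readline().strip()
        if len(first_line) > 3:
            print("First line is over 3 characters long")
        else:
            # only one extra line is consulted; it is deliberately not stripped
            first_line = plist_file.readline()
    print("The first line is: " + first_line)
    if 'bplist' in first_line:
        file_format = "binary_plist"
    elif 'xml version' in first_line:
        file_format = "xml_plist"
    else:
        file_format = "text_plist"
    print(file_name + " is " + file_format)
    return file_format


def _reset_binary_plist_dir(outfile):
    """Recreate the empty scratch folder that receives converted binary plists.

    NOTE(review): the folder is a fixed, world-known path under /tmp; any
    pre-existing entry there (including one created by another local user) is
    removed and replaced, and the converted plists are written to it.
    """
    tmp_dir = '/tmp/binary_plists/'
    if os.path.exists(tmp_dir):
        # delete temp path so only the current conversion lives in it
        shutil.rmtree(tmp_dir)
        os.makedirs(tmp_dir)
    else:
        os.makedirs(tmp_dir)
        outfile.write("\nJust created output folder: /tmp/binary_plists/\n")


def _convert_binary_plist(abs_file_path, file_name, md5, outfile, outfile_error):
    """Convert a binary plist with ``plutil`` and return the converted path, or None on failure.

    The command is run as an argv list without a shell, so a crafted file name
    inside the evidence folder cannot inject extra commands.
    """
    converted_path = "/tmp/binary_plists/" + file_name + "_" + md5 + ".plist"
    plutil_command = ["plutil", "-i", abs_file_path, "-o", converted_path]
    print("The plutil command is: " + " ".join(plutil_command))
    try:
        return_code = subprocess.call(plutil_command)
    except OSError:
        # plutil not installed / not executable
        return_code = None
    # a non-zero exit or a missing output file means there is nothing to parse
    if return_code != 0 or not os.path.isfile(converted_path):
        print("Call to plutil failed for file: " + abs_file_path)
        outfile_error.write("Call to plutil failed for file: " + abs_file_path + "\n")
        return None
    outfile.write("The converted binary plist is named: " + converted_path + "\n")
    return converted_path


def process_folder(folder_to_process, export_file, outfile, outfile_error, now):
    """Walk an evidence folder and process the plists named in the configured list.

    A first pass handles ``SystemVersion.plist`` (OS X version) so that it is
    known before the second pass processes every other listed plist, dispatching
    on the detected format (XML directly, binary via a plutil conversion, plain
    text left alone).

    Args:
        folder_to_process: root folder to walk recursively.
        export_file: export target handed through to the per-plist processors.
        outfile: open text file receiving progress log lines.
        outfile_error: open text file receiving error log lines.
        now: not used by this function; kept for the caller's signature.

    Returns:
        None.
    """
    plists_to_process = _load_plists_to_process(
        '/usr/share/mantaray/docs/plists_to_process.txt'
    )
    print("Plists_to_process type is: " + str(type(plists_to_process)))
    print("The plists to process are: " + str(plists_to_process))

    # recurse once to find SystemVersion.plist to get OSX version
    for root, _dirs, files in os.walk(folder_to_process):
        for file_name in files:
            abs_file_path = os.path.join(root, file_name)
            if not _is_candidate_plist(file_name, abs_file_path):
                continue
            # skip links, unreadable files and files that are 0 in size
            if not _plist_size(abs_file_path, outfile):
                continue
            if file_name == "SystemVersion.plist":
                print("Plist to process is: " + file_name)
                md5 = calculate_md5(abs_file_path)
                print("The md5 is: " + md5)
                process_systemversion_plist(abs_file_path, export_file, md5, outfile)

    # second pass: every other plist in the list (a set avoids processing a name twice)
    wanted_plists = set(plists_to_process)
    for root, _dirs, files in os.walk(folder_to_process):
        for file_name in files:
            abs_file_path = os.path.join(root, file_name)
            if not _is_candidate_plist(file_name, abs_file_path):
                continue
            if not _plist_size(abs_file_path, outfile):
                continue
            if file_name not in wanted_plists:
                continue
            file_format = _detect_plist_format(abs_file_path, file_name)
            # get metadata
            md5 = calculate_md5(abs_file_path).strip()
            print("The md5 is: " + md5)
            outfile.write("About to process: " + abs_file_path + "\n")
            if file_format == "xml_plist":
                process_system_plists(abs_file_path, export_file, md5, outfile, outfile_error)
            elif file_format == "binary_plist":
                # the scratch folder is emptied right before each conversion, so the
                # converted file handed on below is the only one in it
                _reset_binary_plist_dir(outfile)
                converted_path = _convert_binary_plist(
                    abs_file_path, file_name, md5, outfile, outfile_error
                )
                if converted_path is not None:
                    process_converted_binary_plist(
                        converted_path, md5, export_file, outfile, abs_file_path
                    )
            # text_plist: no processor exists for it, so it is only logged above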