def onOpenCase(self, event):
#creates a filedialog that only allow user to select .db files
openFileDialog = wx.FileDialog(self, "Open", "", "","*.db",
wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
openFileDialog.ShowModal()
global caseDbPath
#get path selected in filedialog
caseDbPath = openFileDialog.GetPath()
global caseDetails, openTabs
try:
#try to connect to Case Database and get Case and Evidence Details
conn = connectdb.create_connection(caseDbPath)
self.conn = connectdb.create_connection(caseDbPath)
caseDetails = connectdb.select_case_details(self.conn)
#get EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 from Case Database
self.evidenceDetails = connectdb.select_evidence_details(self.conn)
#opens summary page
self.addAuiTab("Summary", self.evidenceDetails)
openTabs.append("Summary")
self.recreateTree(caseDbPath)
except:
#ignore if try: fails
pass
openFileDialog.Destroy()
def recreateTree(self, caseDbFile):
self.tree_ctrl_1.Freeze()
self.tree_ctrl_1.DeleteAllItems()
global caseName
for x in caseDetails:
caseName = str(x[2]) + "_" + x[3]
root = self.tree_ctrl_1.AddRoot(
caseName) #adds the name of case as root item in treectrl
summary = self.tree_ctrl_1.AppendItem(root, "Summary")
conn = connectdb.create_connection(
caseDbFile) #connect to case database
evidenceInfo = connectdb.select_evidence_details(
conn
) #get evidenceName, EvidenceDbPath EvidenceDatetime and Md5 from case database
#EvidenceDbPath = path to tsk database generated when onAddEvidence is called
for x in evidenceInfo:
evidenceDbConn = connectdb.create_connection(
x[2]) #connect to tsk database
evidenceDbInfo = connectdb.select_image_info(
evidenceDbConn
) #get evidence name, size and md5 from tsk database
evidencePart = connectdb.select_image_partitions(
evidenceDbConn) #get partition info from tsk database
count = 0
for i in evidenceDbInfo:
fileName = os.path.basename(i[0])
temp = self.tree_ctrl_1.AppendItem(
summary, fileName) #append evidence name to treectrl
for i in evidencePart:
i = list(i)
count += 1
self.tree_ctrl_1.AppendItem(
temp, "Vol{count} {desc}: {start}-{end})".format(
count=count,
desc=str(i[2]),
start=str(i[0]),
end=str(i[1]))
) #append evidence partition to evidence name
self.tree_ctrl_1.AppendItem(summary, "Timeline")
self.tree_ctrl_1.AppendItem(summary, "Bookmarks")
self.tree_ctrl_1.AppendItem(summary, "Search")
analyzedData = self.tree_ctrl_1.AppendItem(root, "Analyzed Data")
for x in analyzedDataTree:
self.tree_ctrl_1.AppendItem(analyzedData, x)
docTree = self.tree_ctrl_1.AppendItem(analyzedData, "Documents")
for x in documentsTree:
self.tree_ctrl_1.AppendItem(docTree, x)
exeTree = self.tree_ctrl_1.AppendItem(analyzedData, "Executables")
for x in executablesTree:
self.tree_ctrl_1.AppendItem(exeTree, x)
self.tree_ctrl_1.ExpandAll()
self.tree_ctrl_1.Thaw()
def on_menu_Open_Case(self,
event): # wxGlade: mainNetAnalysis.<event_handler>
openFileDialog = wx.FileDialog(
self,
"Open",
"",
"",
"*.db", #creates a filedialog that only allow user to select .db files
wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
openFileDialog.ShowModal()
global caseDbPath
caseDbPath = openFileDialog.GetPath() #get path selected in filedialog
global caseDetails, evidenceDetails
try:
conn = connectdb.create_connection(
caseDbPath
) #try to connect to case database and get case and evidence details
caseDetails = connectdb.select_case_details(conn)
evidenceDetails = connectdb.select_evidence_details(
conn
) #get EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 from case database
self.addAuiTab("Summary", evidenceDetails) #opens summary page
openTabs.append("Summary")
self.recreateTree(caseDbPath)
except:
pass #ignore if try: fails
openFileDialog.Destroy()
def OnBookmarkSelect(self, event):
#item = self.popupmenu.FindItemById(event.GetId())
sel = self.list_ctrl.GetFocusedItem() #get selected item
fileName = self.list_ctrl.GetItemText(sel, 0)
parentPath = self.list_ctrl.GetItemText(sel, 9)
filePath = parentPath+fileName
conn = connectdb.create_connection(caseDb) #connect to case database
isUnique = connectdb.chkUniqueBookmark(conn, fileName, parentPath) #check if bookmarks table has selected item
if isUnique == True:
_rows = []
for x in evidenceInfo:
_image = ''
if Path(caseDirectory+"/Extracted/"+x[1]+filePath).is_file():
_image = x[1]
selRow = []
for x in range(0,11):
temp = self.list_ctrl.GetItemText(sel, x)
selRow.append(temp) #adds each column of selected row into selRow
selRow.append(_image) #adds the image directory name to selRow
_rows.append(selRow) #add selRow to _rows
with conn:
for x in _rows:
if x[11] != '':
_fileInfo = (x[0], x[1], x[2], x[3], x[4], x[5], x[6], x[7], x[8], x[9], x[10], x[11]) #insert _rows to bookmarks table in case database
connectdb.insertBookmarks(conn, _fileInfo)
else:
wx.MessageBox("Selected item already exist in Bookmarks")
def __init__(self, parent, caseDetails, evidenceDetails):
# begin wxGlade: MyFrame.__init__
wx.Panel.__init__(self, parent=parent)
self.SetSize((655, 673))
self.panel_1 = wx.Panel(self, wx.ID_ANY)
self.panel_2 = wx.ScrolledWindow(self.panel_1,
wx.ID_ANY,
style=wx.TAB_TRAVERSAL)
self.txtCaseDb = wx.TextCtrl(self.panel_1,
wx.ID_ANY,
"",
style=wx.TE_READONLY | wx.BORDER_NONE)
self.txtCaseDesc = wx.TextCtrl(self.panel_1,
wx.ID_ANY,
"",
style=wx.TE_MULTILINE | wx.TE_READONLY)
global evidenceInfo
for x in caseDetails:
try:
conn = connectdb.create_connection(
x[5]) #call to get evidence database from evidence table
evidenceInfo = connectdb.select_evidence_details(conn)
except Error as e:
print(e)
self.__set_properties()
self.__do_layout(caseDetails, evidenceDetails)
def onOpenCase(self, event):
openFileDialog = wx.FileDialog(
self,
"Open",
"",
"",
"*.db", #creates a filedialog that only allow user to select .db files
wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
openFileDialog.ShowModal()
global caseDbPath
caseDbPath = openFileDialog.GetPath() #get path selected in filedialog
global caseDetails, evidenceDetails
try:
conn = connectdb.create_connection(
caseDbPath
) #try to connect to case database and get case and evidence details
caseDetails = connectdb.select_case_details(conn)
evidenceDetails = connectdb.select_evidence_details(
conn
) #get EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 from case database
self.addAuiTab("Summary", evidenceDetails) #opens summary page
openTabs.append("Summary")
self.recreateTree(caseDbPath)
wx.MessageBox('Case Opened!', ' ', wx.OK | wx.ICON_INFORMATION)
except:
pass #ignore if try: fails
openFileDialog.Destroy()
def recreateTree(self, caseDbFile):
self.tree_ctrl_1.Freeze()
self.tree_ctrl_1.DeleteAllItems()
global caseName
for x in caseDetails:
caseName = str(x[2]) + "_" + x[3]
#adds the name of case as root item in treectrl
root = self.tree_ctrl_1.AddRoot(caseName)
self.tree_ctrl_1.AppendItem(root, "Summary")
#connect to case database
conn = connectdb.create_connection(caseDbFile)
#get evidenceName, EvidenceDbPath EvidenceDatetime and Md5 from case database
#EvidenceDbPath = path to tsk database generated when onAddEvidence is called
evidenceInfo = connectdb.select_evidence_details(conn)
self.tree_ctrl_1.AppendItem(root, "Bookmarks")
self.tree_ctrl_1.AppendItem(root, "File")
self.tree_ctrl_1.AppendItem(root, "Images")
self.tree_ctrl_1.AppendItem(root, "Sessions")
self.tree_ctrl_1.AppendItem(root, "DNS")
self.tree_ctrl_1.AppendItem(root, "Credentials")
self.tree_ctrl_1.ExpandAll()
self.tree_ctrl_1.Thaw()
def onConfirm(self, event):
#create case dir
dirPath = self.txtCaseFolder.GetValue() #get case folder path
casePath = Path(dirPath)
if casePath.is_dir(): #check if it exist
print("dir exist")
else:
os.mkdir(dirPath) #create if does not
#create case database
dbFilePath = self.txtCaseDb.GetValue() #get case database path
my_file = Path(dbFilePath)
#print(dbFilePath)
if my_file.is_file(): #check if file exist
print("file exist")
else:
conn = connectdb.create_connection(dbFilePath) #creates db file and connection if it does not exist
caseInfoTable = "CREATE TABLE 'CaseInfo' ( 'CaseID' INTEGER PRIMARY KEY AUTOINCREMENT, 'InvestigatorName' TEXT, 'CaseNum' INTEGER, 'CaseName' TEXT, 'CaseFolder' TEXT, 'CaseDb' TEXT, 'CaseDesc' TEXT, 'Datetime' TEXT);"
evidenceInfoTable = "CREATE TABLE 'EvidenceInfo' ('CaseID' INTEGER, 'EvidenceName' TEXT, 'EvidenceDbPath' TEXT, 'EvidenceDatetime' TEXT, 'Md5' TEXT, 'EvidencePath' TEXT, 'EvidenceSize' TEXT);"
bookmarksTable = "CREATE TABLE 'Bookmarks' ('fileName' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'uid' INTEGER, 'gid' INTEGER, 'md5' TEXT, 'size' INTEGER, 'parentPath' TEXT, 'extension' TEXT, 'image' TEXT);"
connectdb.createTable(conn, caseInfoTable) #creates CaseInfo table
connectdb.createTable(conn, evidenceInfoTable) #creates EvidenceInfo table
connectdb.createTable(conn, bookmarksTable) #creates Bookmarsk table
connectdb.createFilesEvidenceTable(conn)
connectdb.createSessionsEvidenceTable(conn)
connectdb.createDNSEvidenceTable(conn)
connectdb.createCredentialsEvidenceTable(conn)
#insert case details
with conn:
caseDetails = (self.txtInvestigatorName.GetValue(), self.txtCaseNum.GetValue(), self.txtCaseName.GetValue(), self.txtCaseFolder.GetValue(), self.txtCaseDb.GetValue(), self.txtCaseDescription.GetValue(), datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
connectdb.insertCaseDetails(conn, caseDetails) #insert case details to CaseInfo
self.Close()
def onSearchBtn(self, event):
try:
caseDetails
except:
print("Case not open")
else:
dlg = search.searchDialog(None) #calls searchDialog() from search.py
dlg.Center()
dlg.ShowModal()
searchItem = dlg.searchItems() #calls searchItem() to get search and search option
searchReturn = []
if searchItem[1] == "Normal Search":
for x in evidenceDetails:
conn = connectdb.create_connection(x[2]) #connect to tsk database
searchResults = connectdb.search_file_name(conn, searchItem[0]) #search in tsk database
if searchResults != []:
for i in searchResults:
i = i + (x[1],) #adds image location to end of result
searchReturn.append(i) #append each result
self._dialog = wx.ProgressDialog("Search", "Searching for {val}".format(val=searchItem[0]), 100)
LoadingDialog(self._dialog)
self.auiNotebook.AddPage(searchTab.searchTabPanel(self.auiNotebook, searchReturn, caseDir), "Search ("+searchItem[0]+")", False, wx.NullBitmap) #call and add searchTab aui page
LoadingDialog.endLoadingDialog(self)
else:
print("Regular Expression")
dlg.Destroy()
def load_queried_files(self, list_ctrl, extension, dbFilePath):
try:
conn = connectdb.create_connection(dbFilePath) #connect to tsk database
queriedFileInfo = connectdb.select_queried_files(conn, extension) #returns with files of defined extensions
for x in queriedFileInfo:
if x[2] != "NULL":
ctime = datetime.datetime(1970, 1, 1) + timedelta(seconds=x[2]) #convert seconds to datetime
else:
ctime = x[2]
if x[3] != "NULL":
crtime = datetime.datetime(1970, 1, 1) + timedelta(seconds=x[3])
else:
crtime = x[3]
if x[4] != "NULL":
atime = datetime.datetime(1970, 1, 1) + timedelta(seconds=x[4])
else:
atime = x[4]
if x[5] != "NULL":
mtime = datetime.datetime(1970, 1, 1) + timedelta(seconds=x[5])
else:
mtime = x[5]
self.list_ctrl.Append((x[0], ctime, crtime, atime, mtime, x[6], x[7], x[8], x[1], x[9], x[10])) #append to listctrl
except:
pass
def loadBookmarks(self):
conn = connectdb.create_connection(caseDb) #connect to case database
bookmarkQuery = connectdb.selectBookmarks(
conn) #lookup bookmarks table
for x in bookmarkQuery:
self.list_ctrl.Append(
(x[0], x[1], x[2], x[3], x[4], x[5], x[6], x[7], x[8], x[9],
x[10], x[11])) #apped to listctrl
def onRemoveBookmark(self, event):
#item = self.popupmenu.FindItemById(event.GetId())
sel = self.list_ctrl.GetFocusedItem()
fileName = self.list_ctrl.GetItemText(sel, 0)
parentPath = self.list_ctrl.GetItemText(sel, 9)
conn = connectdb.create_connection(caseDb)
with conn:
connectdb.deleteBookmarkItem(conn, fileName, parentPath)
self.list_ctrl.DeleteItem(sel)
def addAuiTab(self, tabName, evidenceDetails):
global caseDir
for x in caseDetails:
caseDir = x[4]
if tabName == "Summary":
self.auiNotebook.AddPage(SummaryTab.TabPanel(self.auiNotebook, caseDetails, evidenceDetails), tabName, False, wx.NullBitmap)
if tabName == "Deleted files":
mainFrame._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100) #create loading dialog
LoadingDialog(mainFrame._dialog) #start loading
self.auiNotebook.AddPage(DeletedFilesTab.TabPanel(self.auiNotebook, tabName, caseDir), tabName, False, wx.NullBitmap) #calls and open a aui tab from DeletedFilesTab.py
LoadingDialog.endLoadingDialog(self) #stop loading
if tabName == "Bookmarks":
mainFrame._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(mainFrame._dialog)
self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap) #calls and open a aui tab from SummaryTab.py
LoadingDialog.endLoadingDialog(self)
for x in analyzedDataTree:
if tabName == x and tabName != "Deleted files":
mainFrame._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(mainFrame._dialog)
addingPage = self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
for x in documentsTree:
if tabName == x:
mainFrame._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(mainFrame._dialog)
self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
for x in executablesTree:
if tabName == x:
mainFrame._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(mainFrame._dialog)
self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
for x in evidenceDetails:
evidenceDbConn = connectdb.create_connection(x[2]) #connects to tsk database
evidenceDbInfo = connectdb.select_image_info(evidenceDbConn) #get name, size and md5 from tsk database
evidencePart = connectdb.select_image_partitions(evidenceDbConn) #get partition info from tsk database
count = 0
for i in evidencePart:
count += 1
if tabName == "Vol{count} {desc}: {start}-{end})".format(count=count, desc=str(i[2]), start=str(i[0]), end=str(i[1])):
mainFrame._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(mainFrame._dialog)
self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
def load_queried_files(self, list_ctrl):
if Path(caseDirectory + "/Evidence_Database/Deleted_Files.db").is_file(
): #check if Deleted_Files.db exist
deletedFilesDb = caseDirectory + "/Evidence_Database/Deleted_Files.db"
conn = connectdb.create_connection(
deletedFilesDb) #connect to Deleted_Files.db
query = connectdb.select_deleted_files(
conn) #get all deleted files
for x in query:
self.list_ctrl.Append(
(x[0], x[1], x[2], x[3], x[4], x[5], x[6], x[7], x[8],
x[9], x[10], x[11])) #add all to listctrl
def onNewCase(self, event):
dialog = NewCaseDialog.newCase(None)
dialog.Center()
dialog.ShowModal()
dbPath = dialog.getCaseDb()
global caseDetails
try:
conn = connectdb.create_connection(dbPath) #connects to new case database
caseDetails = connectdb.select_case_details(conn) #get InvestigatorName, CaseNum, CaseName, CaseFolder, CaseDb, CaseDesc, Datatime from case database
self.recreateTree(dbPath) #creates treectrl
except:
pass
dialog.Destroy()
def addAuiTab(self, tabName, evidenceDetails):
global caseDir
for x in caseDetails:
caseDir = x[4]
if tabName == "Summary":
self.auiNotebook.AddPage(SummaryTab.TabPanel(self.auiNotebook, caseDetails, evidenceDetails), tabName, False, wx.NullBitmap)
if tabName == "File":
self._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100) #create loading dialog
LoadingDialog(self._dialog) #start loading
self.auiNotebook.AddPage(pcapFilesTab.TabPanel(self.auiNotebook, tabName, caseDir), tabName, False, wx.NullBitmap) #calls and open a aui tab from DeletedFilesTab.py
LoadingDialog.endLoadingDialog(self)
#sequence = [frameNumber, evidencePath, src_host_str, src_port, dst_host_str, dst_port, protocol, fileName, ext, size, timestamp]
window = self.auiNotebook.GetPage(self.auiNotebook.GetPageCount() - 1) # we've just added a page so the page we want to access is the last one
sequence = [1, "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"]
pcapFilesTab.TabPanel.addPcapDetails(window, sequence)
# Get the PCAP data from the database and display in the GUI (File tab)
index = 1
while (True):
row = connectdb.selectPcapEvidenceDetails(self.conn, index)
if ( () == row or None == row ):
break # from while-loop (no more data)
pcapFilesTab.TabPanel.addPcapDetails(window, row)
index = index + 1
if tabName == "Images":
self._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(self._dialog)
self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
if tabName == "Sessions":
self._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100) #create loading dialog
LoadingDialog(self._dialog) #start loading
self.auiNotebook.AddPage(pcapSessionsTab.TabPanel(self.auiNotebook, caseDir), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
#sequence = [Packet, timestamp, src_ip, dst_ip, request]
window = self.auiNotebook.GetPage(self.auiNotebook.GetPageCount() - 1) # we've just added a page so the page we want to access is the last one
sequence = [1, "2", "3", "4", "5"]
pcapSessionsTab.TabPanel.addSessionsDetails(window, sequence)
# Get the PCAP data from the database and display in the GUI (Sessions tab)
index = 1
while (True):
row = connectdb.selectPcapSessionsDetails(self.conn, index)
if ( () == row or None == row ):
break # from while-loop (no more data)
pcapSessionsTab.TabPanel.addSessionsDetails(window, row)
index = index + 1
if tabName == "DNS":
self._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100) #create loading dialog
LoadingDialog(self._dialog) #start loading
self.auiNotebook.AddPage(pcapDNSTab.TabPanel(self.auiNotebook, caseDir), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
if tabName == "Bookmarks":
self._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(self._dialog)
self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
for x in evidenceDetails:
evidenceDbConn = connectdb.create_connection(x[2]) #connects to tsk database
evidenceDbInfo = connectdb.select_image_info(evidenceDbConn) #get name, size and md5 from tsk database
evidencePart = connectdb.select_image_partitions(evidenceDbConn) #get partition info from tsk database
count = 0
for i in evidencePart:
count += 1
if tabName == "Vol{count} {desc}: {start}-{end})".format(count=count, desc=str(i[2]), start=str(i[0]), end=str(i[1])):
self._dialog = wx.ProgressDialog("Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(self._dialog)
self.auiNotebook.AddPage(AnalyzedDataTab.TabPanel(self.auiNotebook, tabName, evidenceDetails, caseDir, caseDbPath), tabName, False, wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
def __do_layout(self, caseDetails, evidenceDetails):
# begin wxGlade: MyFrame.__do_layout
sizer_1 = wx.BoxSizer(wx.VERTICAL)
sizer_9 = wx.BoxSizer(wx.VERTICAL)
sizer_12 = wx.BoxSizer(wx.HORIZONTAL)
sizer_14 = wx.BoxSizer(wx.VERTICAL)
caseInfoGridSizer = wx.FlexGridSizer(6, 2, 0, 0)
sizer_13 = wx.BoxSizer(wx.VERTICAL)
evidenceMainSizer = wx.BoxSizer(wx.HORIZONTAL)
sizer_2 = wx.BoxSizer(wx.HORIZONTAL)
sizer_10 = wx.BoxSizer(wx.HORIZONTAL)
lblSummary = wx.StaticText(self.panel_1, wx.ID_ANY, "Summary")
lblSummary.SetFont(wx.Font(20, wx.DEFAULT, wx.NORMAL, wx.LIGHT, 0, ""))
sizer_10.Add(lblSummary, 1, wx.ALL, 5)
sizer_9.Add(sizer_10, 0, wx.EXPAND, 0)
static_line_1 = wx.StaticLine(self.panel_1, wx.ID_ANY)
sizer_9.Add(static_line_1, 0, wx.BOTTOM | wx.EXPAND | wx.TOP, 5)
lblExtraction = wx.StaticText(self.panel_1, wx.ID_ANY, "Extractions: ")
lblExtraction.SetFont(
wx.Font(15, wx.DEFAULT, wx.NORMAL, wx.NORMAL, 0, ""))
sizer_2.Add(lblExtraction, 0, 0, 0)
lblEvidenceCount = wx.StaticText(self.panel_1, wx.ID_ANY, "0")
lblEvidenceCount.SetFont(
wx.Font(15, wx.DEFAULT, wx.NORMAL, wx.NORMAL, 0, ""))
sizer_2.Add(lblEvidenceCount, 0, 0, 0)
sizer_9.Add(sizer_2, 0, wx.EXPAND, 0)
# for x in imageInfo:
# x = list(x)
# self.addEvidence(evidenceMainSizer, x[0], x[1], x[2])
global evidenceAddDate
for x in evidenceDetails:
evidenceAddDate = x[3]
evidenceCount = 0
for x in evidenceInfo:
global imageInfo
try:
conn = connectdb.create_connection(
x[2]) #connect to tsk database
imageInfo = connectdb.select_image_info(
conn) #get evidence name, size and md5 from tsk database
except:
pass
for i in imageInfo:
i = list(i)
fileName = os.path.basename(i[0])
self.addEvidence(
evidenceMainSizer, fileName, i[1], x[4]
) #sets the evidence along with the details on the top panel
evidenceCount += 1
lblEvidenceCount.SetLabel(str(evidenceCount))
self.panel_2.SetSizer(evidenceMainSizer)
sizer_9.Add(self.panel_2, 1, wx.EXPAND, 0)
lblDeviceInfo = wx.StaticText(self.panel_1, wx.ID_ANY, "Case Info:")
lblDeviceInfo.SetFont(
wx.Font(15, wx.DEFAULT, wx.NORMAL, wx.NORMAL, 0, ""))
sizer_13.Add(lblDeviceInfo, 0, wx.ALL | wx.EXPAND, 5)
static_line_2 = wx.StaticLine(self.panel_1, wx.ID_ANY)
sizer_13.Add(static_line_2, 0, wx.BOTTOM | wx.EXPAND | wx.TOP, 5)
label_5 = wx.StaticText(self.panel_1, wx.ID_ANY, "Investigator Name:")
caseInfoGridSizer.Add(label_5, 0, 0, 0)
lblInvestigatorName = wx.StaticText(self.panel_1, wx.ID_ANY, "")
caseInfoGridSizer.Add(lblInvestigatorName, 0, 0, 0)
label_6 = wx.StaticText(self.panel_1, wx.ID_ANY, "Case Number:")
caseInfoGridSizer.Add(label_6, 0, 0, 0)
lblCaseNum = wx.StaticText(self.panel_1, wx.ID_ANY, "")
caseInfoGridSizer.Add(lblCaseNum, 0, 0, 0)
label_13 = wx.StaticText(self.panel_1, wx.ID_ANY, "Case Name:")
caseInfoGridSizer.Add(label_13, 0, 0, 0)
lblCaseName = wx.StaticText(self.panel_1, wx.ID_ANY, "")
caseInfoGridSizer.Add(lblCaseName, 0, 0, 0)
label_11 = wx.StaticText(self.panel_1, wx.ID_ANY, "Date added:")
caseInfoGridSizer.Add(label_11, 0, 0, 0)
lblDateTime = wx.StaticText(self.panel_1, wx.ID_ANY, "")
caseInfoGridSizer.Add(lblDateTime, 0, 0, 0)
label_9 = wx.StaticText(self.panel_1, wx.ID_ANY, "Case Database:")
caseInfoGridSizer.Add(label_9, 0, 0, 0)
caseInfoGridSizer.Add(self.txtCaseDb, 0, wx.ALL | wx.EXPAND, 5)
label_10 = wx.StaticText(self.panel_1, wx.ID_ANY, "Case Description:")
caseInfoGridSizer.Add(label_10, 0, 0, 0)
caseInfoGridSizer.Add(self.txtCaseDesc, 1, wx.ALL | wx.EXPAND, 5)
caseInfoGridSizer.AddGrowableCol(1)
for x in caseDetails: #sets the case info
lblInvestigatorName.SetLabel(x[1])
lblCaseNum.SetLabel(str(x[2]))
lblCaseName.SetLabel(x[3])
lblDateTime.SetLabel(str(x[7]))
self.txtCaseDb.SetValue(x[5])
self.txtCaseDesc.SetValue(x[6])
sizer_13.Add(
caseInfoGridSizer,
1,
wx.ALL | wx.EXPAND,
)
sizer_12.Add(sizer_13, 1, wx.EXPAND, 0)
sizer_9.Add(sizer_12, 1, wx.EXPAND, 0)
self.panel_1.SetSizer(sizer_9)
sizer_1.Add(self.panel_1, 1, wx.EXPAND, 0)
self.SetSizer(sizer_1)
self.Layout()
def onAddEvidence(self, event):
try:
caseDetails
except NameError:
wx.MessageBox('Case not opened!', ' ', wx.OK
| wx.ICON_INFORMATION) #if caseDetails not defined
print("Case not opened")
else: #if caseDetails is defined
openFileDialog = wx.FileDialog(
self,
"Open",
"",
"",
"*.dd", #creates a filedialog that only allow user to select .dd files
wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
openFileDialog.ShowModal()
global caseDir, caseDbPath
evidencePath = openFileDialog.GetPath(
) #get path of selected dd file
fileName = os.path.basename(evidencePath)
for x in caseDetails:
caseDir = x[4] #get case directory from caseDetails
caseDbPath = x[5] #get case database path from caseDetails
evidenceDbDir = Path(caseDir + "/Evidence_Database")
if evidenceDbDir.is_dir() == False: #check if directory exist
os.mkdir(
str(evidenceDbDir)) #create directory if it does not exist
if fileName != "":
self._dialog = wx.ProgressDialog(
"Adding evidence",
"Creating database for '{s}'".format(s=fileName), 100)
LoadingDialog(self._dialog) #starts the loading dialog
load_db = subprocess.call([
"tsk_loaddb", "-d",
"{caseDir}/Evidence_Database/{fileName}.db".format(
caseDir=caseDir, fileName=fileName), evidencePath
]) #use tsk_loaddb to generate tsk database
LoadingDialog.endLoadingDialog(self) #ends the loading dialog
if load_db == 0: #if no error
conn = connectdb.create_connection(caseDbPath)
with conn:
evidenceDbPath = str(
evidenceDbDir) + "/" + fileName + ".db"
#hash = "md5sum {evidencePath} | awk '{col}".format(evidencePath=evidenceDbPath, col="{print $1}")
#evidenceMd5 = subprocess.Popen([hash], stdout=subprocess.PIPE).communicate()[0]
md5_hash = hashlib.md5()
f = open(evidencePath, 'rb')
# Read and update hash in chunks of 4K
for byte_block in iter(lambda: f.read(4096), b""):
md5_hash.update(byte_block)
print(md5_hash.hexdigest())
evidenceMd5 = md5_hash.hexdigest()
insertEvidence = (1, fileName, evidenceDbPath,
datetime.datetime.now().strftime(
"%Y-%m-%d %H:%M:%S"),
evidenceMd5)
connectdb.insertEvidenceDetails(
conn, insertEvidence
) #insert to EvidenceInfo in case database
evidenceConn = connectdb.create_connection(
caseDir + "/Evidence_Database/" + fileName +
".db") #connect to tsk database
evidencePart = connectdb.select_image_partitions(
evidenceConn) #get image partitions from tsk database
if Path(caseDir +
"/Evidence_Database/Deleted_Files.db").is_file(
) == False: #check if Deleted_Files.db exist
createDeletedFilesDb = connectdb.create_connection(
caseDir + "/Evidence_Database/Deleted_Files.db")
deteledFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
connectdb.createTable(
createDeletedFilesDb,
deteledFilesTable) #creates if it does not exist
else:
createDeletedFilesDb = connectdb.create_connection(
caseDir + "/Evidence_Database/Deleted_Files.db"
) #connects to Deleted_Files.db
for x in evidencePart:
if x[2] != "Unallocated":
subprocess.Popen(
[
"tsk_recover", "-e", "-o",
str(x[0]), evidencePath,
caseDir + "/Extracted/" + fileName
]
) #recover files from all partitions that re not unallocated
listAllDeletedFiles = "fls -rFdl -o {offset} {image}".format(
offset=str(x[0]), image=evidencePath)
process = subprocess.Popen(
listAllDeletedFiles,
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
) #list all deleted files
stdout, stderr = process.communicate()
output = stdout.decode()
chk = re.sub(
r'[ ]\*[ ]', '\t*\t', output
) #change all ' ' in the second and third column of fls output to to '\t'
chk = re.sub(r'\n', '\t',
chk) #change all '\n' to '\t'
chk = chk.split(
'\t'
) #splits all values between \t into a list
itemList = []
k = 0
for i in range(k, len(chk) - 1, 11):
k = i
itemList.append(
chk[k:k + 11]
) #appends every 11 items into a list
with createDeletedFilesDb:
for list in itemList:
insertDeletedFiles = (list[0], list[1],
list[2], list[3],
list[4], list[5],
list[6], list[7],
list[8], list[9],
list[10], fileName)
connectdb.insertDeletedFiles(
createDeletedFilesDb,
insertDeletedFiles
) #inserts all deleted files info into Deleted_Files.db
wx.MessageBox(
"Extracting '{file}' in the background.".format(
file=fileName))
global evidenceDetails
evidenceDetails = connectdb.select_evidence_details(conn)
self.auiNotebook.DeletePage(0)
self.auiNotebook.RemovePage(0)
self.addAuiTab("Summary", evidenceDetails)
self.recreateTree(caseDbPath)
openFileDialog.Destroy()
def addAuiTab(self, tabName, evidenceDetails):
global caseDir
for x in caseDetails:
caseDir = x[4]
if tabName == "Summary":
self.auiNotebook.AddPage(
SummaryTab.TabPanel(self.auiNotebook, caseDetails,
evidenceDetails), tabName, False,
wx.NullBitmap)
if tabName == "File":
self.auiNotebook.AddPage(
FileTab.TabPanel(self.auiNotebook, caseDetails,
evidenceDetails), tabName, False,
wx.NullBitmap)
if tabName == "Images":
self.auiNotebook.AddPage(
ImagesTab.TabPanel(self.auiNotebook, caseDetails,
evidenceDetails), tabName, False,
wx.NullBitmap)
if tabName == "Sessions":
self.auiNotebook.AddPage(
SessionsTab.TabPanel(self.auiNotebook, caseDetails,
evidenceDetails), tabName, False,
wx.NullBitmap)
if tabName == "DNS":
self.auiNotebook.AddPage(
DNSTab.TabPanel(self.auiNotebook, caseDetails,
evidenceDetails), tabName, False,
wx.NullBitmap)
if tabName == "Credentials":
self.auiNotebook.AddPage(
CredentialsTab.TabPanel(self.auiNotebook, caseDetails,
evidenceDetails), tabName, False,
wx.NullBitmap)
if tabName == "Bookmarks":
self._dialog = wx.ProgressDialog(
"Loading", "Loading {tabName}".format(tabName=tabName), 100)
LoadingDialog(self._dialog)
self.auiNotebook.AddPage(
AnalyzedDataTab.TabPanel(self.auiNotebook, tabName,
evidenceDetails, caseDir, caseDbPath),
tabName, False,
wx.NullBitmap) #calls and open a aui tab from SummaryTab.py
LoadingDialog.endLoadingDialog(self)
for x in evidenceDetails:
evidenceDbConn = connectdb.create_connection(
x[2]) #connects to tsk database
evidenceDbInfo = connectdb.select_image_info(
evidenceDbConn) #get name, size and md5 from tsk database
evidencePart = connectdb.select_image_partitions(
evidenceDbConn) #get partition info from tsk database
count = 0
for i in evidencePart:
count += 1
if tabName == "Vol{count} {desc}: {start}-{end})".format(
count=count,
desc=str(i[2]),
start=str(i[0]),
end=str(i[1])):
self._dialog = wx.ProgressDialog(
"Loading", "Loading {tabName}".format(tabName=tabName),
100)
LoadingDialog(self._dialog)
self.auiNotebook.AddPage(
AnalyzedDataTab.TabPanel(self.auiNotebook, tabName,
evidenceDetails, caseDir,
caseDbPath), tabName, False,
wx.NullBitmap)
LoadingDialog.endLoadingDialog(self)
def runddfile(lock):
lock.acquire()
global fileName, evidencePath
for x in caseDetails:
caseDir = x[4] #get case directory from caseDetails
caseDbPath = x[5] #get case database path from caseDetails
evidenceDbDir = Path(caseDir+"/Evidence_Database")
if evidenceDbDir.is_dir() == False: #check if directory exist
os.mkdir(str(evidenceDbDir)) #create directory if it does not exist
if fileName != "":
mainFrame._dialog = wx.ProgressDialog("Adding evidence", "Creating database for '{s}'".format(s=fileName), 100)
LoadingDialog(mainFrame._dialog) #starts the loading dialog
load_db = subprocess.call(["tsk_loaddb", "-d", "{caseDir}/Evidence_Database/{fileName}.db".format(caseDir=caseDir, fileName=fileName), evidencePath]) #use tsk_loaddb to generate tsk database
LoadingDialog.endLoadingDialog(mainFrame) #ends the loading dialog
if load_db == 0: #if no error
conn = connectdb.create_connection(caseDbPath)
with conn:
evidenceDbPath = str(evidenceDbDir)+"/"+fileName+".db"
#hash = "md5sum {evidencePath} | awk '{col}".format(evidencePath=evidenceDbPath, col="{print $1}")
#evidenceMd5 = subprocess.Popen([hash], stdout=subprocess.PIPE).communicate()[0]
evidenceMd5 = "None"
insertEvidence = (1, fileName, evidenceDbPath, datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"), evidenceMd5)
connectdb.insertEvidenceDetails(conn, insertEvidence) #insert to EvidenceInfo in case database
evidenceConn = connectdb.create_connection(caseDir+"/Evidence_Database/"+fileName+".db") #connect to tsk database
evidencePart = connectdb.select_image_partitions(evidenceConn) #get image partitions from tsk database
if Path(caseDir+"/Evidence_Database/Deleted_Files.db").is_file() == False: #check if Deleted_Files.db exist
createDeletedFilesDb = connectdb.create_connection(caseDir+"/Evidence_Database/Deleted_Files.db")
deteledFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
connectdb.createTable(createDeletedFilesDb, deteledFilesTable) #creates if it does not exist
else:
createDeletedFilesDb = connectdb.create_connection(caseDir+"/Evidence_Database/Deleted_Files.db") #connects to Deleted_Files.db
for x in evidencePart:
if x[2] != "Unallocated":
subprocess.Popen(["tsk_recover", "-e", "-o", str(x[0]), evidencePath, caseDir+"/Extracted/"+fileName]) #recover files from all partitions that re not unallocated
listAllDeletedFiles = "fls -rFdl -o {offset} {image}".format(offset=str(x[0]), image=evidencePath)
process = subprocess.Popen(listAllDeletedFiles, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) #list all deleted files
stdout,stderr = process.communicate()
output = stdout.decode()
chk = re.sub(r'[ ]\*[ ]', '\t*\t', output) #change all ' ' in the second and third column of fls output to to '\t'
chk = re.sub(r'\n', '\t', chk) #change all '\n' to '\t'
chk = chk.split('\t') #splits all values between \t into a list
itemList = []
k=0
for i in range(k,len(chk)-1,11):
k=i
itemList.append(chk[k:k+11]) #appends every 11 items into a list
with createDeletedFilesDb:
for list in itemList:
insertDeletedFiles = (list[0], list[1], list[2], list[3], list[4], list[5], list[6], list[7], list[8], list[9], list[10], fileName)
connectdb.insertDeletedFiles(createDeletedFilesDb, insertDeletedFiles) #inserts all deleted files info into Deleted_Files.db
wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))
global evidenceDetails
evidenceDetails = connectdb.select_evidence_details(conn)
self.auiNotebook.DeletePage(0)
self.auiNotebook.RemovePage(0)
self.addAuiTab("Summary", evidenceDetails)
self.recreateTree(caseDbPath)
lock.release()