def __init__(self, parent, caseDetails, evidenceDetails):
    """Build the case-summary panel.

    Args:
        parent: wx parent window.
        caseDetails: rows describing the open case; column 5 of each row is
            the path of the case database.
        evidenceDetails: evidence rows handed through to ``__do_layout``.

    Side effect: rebinds the module-level ``evidenceInfo`` to the evidence
    rows read from the case database (the last row of *caseDetails* wins
    when there are several).  Database errors are printed, not raised.
    """
    # begin wxGlade: MyFrame.__init__
    wx.Panel.__init__(self, parent=parent)
    self.SetSize((655, 673))

    readOnlyLine = wx.TE_READONLY | wx.BORDER_NONE
    readOnlyText = wx.TE_MULTILINE | wx.TE_READONLY
    self.panel_1 = wx.Panel(self, wx.ID_ANY)
    self.panel_2 = wx.ScrolledWindow(self.panel_1, wx.ID_ANY, style=wx.TAB_TRAVERSAL)
    self.txtCaseDb = wx.TextCtrl(self.panel_1, wx.ID_ANY, "", style=readOnlyLine)
    self.txtCaseDesc = wx.TextCtrl(self.panel_1, wx.ID_ANY, "", style=readOnlyText)

    global evidenceInfo
    for caseRow in caseDetails:
        try:
            caseConn = connectdb.create_connection(caseRow[5])
            evidenceInfo = connectdb.select_evidence_details(caseConn)
        except Error as e:
            print(e)

    self.__set_properties()
    self.__do_layout(caseDetails, evidenceDetails)
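def onOpenCase(self, event):
    """Let the user pick a case database (``*.db``) and load it into the UI.

    Stores the chosen path in the module-level ``caseDbPath`` and the case
    and evidence rows in ``caseDetails`` / ``evidenceDetails``, then opens
    the Summary tab, rebuilds the tree and confirms with a message box.

    Cancelling the dialog is a no-op.  A failure while reading the database
    is printed (best effort, as before) instead of being swallowed silently.
    """
    global caseDbPath, caseDetails, evidenceDetails
    # File dialog restricted to .db files
    openFileDialog = wx.FileDialog(
        self, "Open", "", "", "*.db",
        wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
    try:
        # A cancelled dialog yields an empty path; do not try to open it.
        if openFileDialog.ShowModal() == wx.ID_CANCEL:
            return
        caseDbPath = openFileDialog.GetPath()
        try:
            conn = connectdb.create_connection(caseDbPath)
            caseDetails = connectdb.select_case_details(conn)
            # EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 rows
            evidenceDetails = connectdb.select_evidence_details(conn)
            self.addAuiTab("Summary", evidenceDetails)
            openTabs.append("Summary")
            self.recreateTree(caseDbPath)
            wx.MessageBox('Case Opened!', ' ', wx.OK | wx.ICON_INFORMATION)
        except Exception as e:
            # Narrowed from a bare except; still best-effort, but visible.
            print(e)
    finally:
        openFileDialog.Destroy()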
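def onOpenCase(self, event):
    """Let the user pick a case database (``*.db``) and load it into the UI.

    Stores the chosen path in the module-level ``caseDbPath`` and the case
    and evidence rows in ``caseDetails`` / ``evidenceDetails``, then opens
    the Summary tab and rebuilds the tree.

    Cancelling the dialog is a no-op.  A failure while reading the database
    is printed (best effort, as before) instead of being swallowed silently.
    """
    global caseDbPath, caseDetails, evidenceDetails
    # File dialog restricted to .db files
    openFileDialog = wx.FileDialog(
        self, "Open", "", "", "*.db",
        wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
    try:
        # A cancelled dialog yields an empty path; do not try to open it.
        if openFileDialog.ShowModal() == wx.ID_CANCEL:
            return
        caseDbPath = openFileDialog.GetPath()
        try:
            conn = connectdb.create_connection(caseDbPath)
            caseDetails = connectdb.select_case_details(conn)
            # EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 rows
            evidenceDetails = connectdb.select_evidence_details(conn)
            self.addAuiTab("Summary", evidenceDetails)
            openTabs.append("Summary")
            self.recreateTree(caseDbPath)
        except Exception as e:
            # Narrowed from a bare except; still best-effort, but visible.
            print(e)
    finally:
        openFileDialog.Destroy()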
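def recreateTree(self, caseDbFile):
    """Rebuild the navigation tree for the currently open case.

    Args:
        caseDbFile: path of the case database.  Kept for interface
            compatibility; this version of the tree does not read it (the
            original opened it and fetched evidence rows it never used).

    Side effect: rebinds the module-level ``caseName`` to
    ``str(row[2]) + "_" + row[3]`` of the last ``caseDetails`` row, which
    becomes the label of the root node.
    """
    global caseName
    self.tree_ctrl_1.Freeze()
    try:
        self.tree_ctrl_1.DeleteAllItems()
        for caseRow in caseDetails:
            caseName = str(caseRow[2]) + "_" + caseRow[3]
        root = self.tree_ctrl_1.AddRoot(caseName)
        for label in ("Summary", "Bookmarks", "File", "Images",
                      "Sessions", "DNS", "Credentials"):
            self.tree_ctrl_1.AppendItem(root, label)
        self.tree_ctrl_1.ExpandAll()
    finally:
        # Always thaw, or an exception above leaves the control frozen.
        self.tree_ctrl_1.Thaw()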
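def on_menu_Open_Case(self, event):  # wxGlade: mainNetAnalysis.<event_handler>
    """Menu handler: pick a case database (``*.db``) and load it into the UI.

    Stores the chosen path in the module-level ``caseDbPath`` and the case
    and evidence rows in ``caseDetails`` / ``evidenceDetails``, then opens
    the Summary tab and rebuilds the tree.

    Cancelling the dialog is a no-op.  A failure while reading the database
    is printed (best effort, as before) instead of being swallowed silently.
    """
    global caseDbPath, caseDetails, evidenceDetails
    # File dialog restricted to .db files
    openFileDialog = wx.FileDialog(
        self, "Open", "", "", "*.db",
        wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
    try:
        # A cancelled dialog yields an empty path; do not try to open it.
        if openFileDialog.ShowModal() == wx.ID_CANCEL:
            return
        caseDbPath = openFileDialog.GetPath()
        try:
            conn = connectdb.create_connection(caseDbPath)
            caseDetails = connectdb.select_case_details(conn)
            # EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 rows
            evidenceDetails = connectdb.select_evidence_details(conn)
            self.addAuiTab("Summary", evidenceDetails)
            openTabs.append("Summary")
            self.recreateTree(caseDbPath)
        except Exception as e:
            # Narrowed from a bare except; still best-effort, but visible.
            print(e)
    finally:
        openFileDialog.Destroy()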
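def recreateTree(self, caseDbFile):
    """Rebuild the navigation tree: case root, one node per evidence image
    with its partitions, the fixed Summary children and the analyzed-data
    subtree.

    Args:
        caseDbFile: path of the case database whose evidence table lists the
            TSK databases (column 2 of each row) generated by onAddEvidence.

    Side effect: rebinds the module-level ``caseName`` to
    ``str(row[2]) + "_" + row[3]`` of the last ``caseDetails`` row.
    Reads the module-level ``analyzedDataTree``, ``documentsTree`` and
    ``executablesTree`` label lists.
    """
    global caseName
    self.tree_ctrl_1.Freeze()
    try:
        self.tree_ctrl_1.DeleteAllItems()
        for caseRow in caseDetails:
            caseName = str(caseRow[2]) + "_" + caseRow[3]
        root = self.tree_ctrl_1.AddRoot(caseName)
        summary = self.tree_ctrl_1.AppendItem(root, "Summary")

        conn = connectdb.create_connection(caseDbFile)
        evidenceInfo = connectdb.select_evidence_details(conn)
        for evidenceRow in evidenceInfo:
            evidenceDbConn = connectdb.create_connection(evidenceRow[2])
            evidenceDbInfo = connectdb.select_image_info(evidenceDbConn)
            evidencePart = connectdb.select_image_partitions(evidenceDbConn)

            imageNode = None
            for imageRow in evidenceDbInfo:
                imageNode = self.tree_ctrl_1.AppendItem(
                    summary, os.path.basename(imageRow[0]))
            if imageNode is None:
                # No image row in this TSK database: nothing to hang the
                # partitions under (the original would have reused a
                # node from the previous evidence or failed).
                continue
            for volNo, part in enumerate(evidencePart, start=1):
                self.tree_ctrl_1.AppendItem(
                    imageNode,
                    "Vol{count} {desc}: {start}-{end})".format(
                        count=volNo, desc=str(part[2]),
                        start=str(part[0]), end=str(part[1])))

        for label in ("Timeline", "Bookmarks", "Search"):
            self.tree_ctrl_1.AppendItem(summary, label)

        analyzedData = self.tree_ctrl_1.AppendItem(root, "Analyzed Data")
        for label in analyzedDataTree:
            self.tree_ctrl_1.AppendItem(analyzedData, label)
        docTree = self.tree_ctrl_1.AppendItem(analyzedData, "Documents")
        for label in documentsTree:
            self.tree_ctrl_1.AppendItem(docTree, label)
        exeTree = self.tree_ctrl_1.AppendItem(analyzedData, "Executables")
        for label in executablesTree:
            self.tree_ctrl_1.AppendItem(exeTree, label)
        self.tree_ctrl_1.ExpandAll()
    finally:
        # Always thaw, or an exception above leaves the control frozen.
        self.tree_ctrl_1.Thaw()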
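def onAddEvidence(self, event):
    """Add a raw disk image (``*.dd``) to the open case.

    Steps:
      1. Refuse with a message box when no case is open (``caseDetails``
         is unbound).
      2. Let the user pick a ``*.dd`` file; a cancelled dialog is a no-op.
      3. Run ``tsk_loaddb`` to build a TSK database for the image under
         ``<caseDir>/Evidence_Database/``, behind a progress dialog.
      4. On success record the evidence (name, TSK db path, timestamp,
         MD5 of the image) in the case database, start ``tsk_recover`` in
         the background for every partition that is not "Unallocated",
         and store each partition's ``fls -rFdl`` deleted-file listing in
         ``Deleted_Files.db``.
      5. Replace the Summary tab and rebuild the tree.

    Side effects: rebinds the module-level ``caseDir``, ``caseDbPath`` and
    ``evidenceDetails``; creates directories and databases on disk; spawns
    external TSK processes.
    """
    global caseDir, caseDbPath, evidenceDetails
    try:
        caseDetails
    except NameError:
        # caseDetails is only bound once a case has been opened
        wx.MessageBox('Case not opened!', ' ', wx.OK | wx.ICON_INFORMATION)
        print("Case not opened")
        return

    # File dialog restricted to .dd files
    openFileDialog = wx.FileDialog(
        self, "Open", "", "", "*.dd",
        wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
    try:
        if openFileDialog.ShowModal() == wx.ID_CANCEL:
            return
        evidencePath = openFileDialog.GetPath()
    finally:
        openFileDialog.Destroy()
    fileName = os.path.basename(evidencePath)

    for caseRow in caseDetails:
        caseDir = caseRow[4]     # case directory
        caseDbPath = caseRow[5]  # case database path
    evidenceDbDir = Path(caseDir + "/Evidence_Database")
    if not evidenceDbDir.is_dir():
        os.mkdir(str(evidenceDbDir))
    if fileName == "":
        return

    # One spelling of the TSK database path, used for tsk_loaddb, the
    # EvidenceInfo row and the later connection (the original built it
    # three different ways).
    evidenceDbPath = str(evidenceDbDir) + "/" + fileName + ".db"

    self._dialog = wx.ProgressDialog(
        "Adding evidence",
        "Creating database for '{s}'".format(s=fileName), 100)
    LoadingDialog(self._dialog)
    load_db = subprocess.call(["tsk_loaddb", "-d", evidenceDbPath, evidencePath])
    LoadingDialog.endLoadingDialog(self)
    if load_db != 0:
        return

    # Integrity fingerprint of the image as acquired; MD5 because that is
    # what the existing Md5 column stores.
    evidenceMd5 = self._md5_of_file(evidencePath)

    conn = connectdb.create_connection(caseDbPath)
    with conn:
        insertEvidence = (
            1, fileName, evidenceDbPath,
            datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
            evidenceMd5)
        connectdb.insertEvidenceDetails(conn, insertEvidence)

        evidenceConn = connectdb.create_connection(evidenceDbPath)
        evidencePart = connectdb.select_image_partitions(evidenceConn)
        deletedFilesDb = self._open_deleted_files_db(caseDir)

        for part in evidencePart:
            if part[2] == "Unallocated":
                continue
            offset = str(part[0])
            # Fire-and-forget recovery of the partition's files
            subprocess.Popen([
                "tsk_recover", "-e", "-o", offset, evidencePath,
                caseDir + "/Extracted/" + fileName])
            # argv list instead of a shell string: the image path comes
            # from user-chosen (and externally sourced) file names, which
            # must never be interpreted by a shell; this also fixes paths
            # containing spaces.
            process = subprocess.Popen(
                ["fls", "-rFdl", "-o", offset, evidencePath],
                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            stdout, stderr = process.communicate()
            if process.returncode != 0:
                print(stderr.decode(errors="replace"))
            records = self._parse_fls_output(stdout.decode())
            with deletedFilesDb:
                for record in records:
                    connectdb.insertDeletedFiles(
                        deletedFilesDb, tuple(record) + (fileName,))

        wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))
        evidenceDetails = connectdb.select_evidence_details(conn)

    # NOTE(review): DeletePage(0) followed by RemovePage(0) detaches two
    # pages (the second index shifts after the delete) — kept as the
    # original did it; confirm that is intended.
    self.auiNotebook.DeletePage(0)
    self.auiNotebook.RemovePage(0)
    self.addAuiTab("Summary", evidenceDetails)
    self.recreateTree(caseDbPath)

@staticmethod
def _md5_of_file(path):
    """Return the hex MD5 of *path*, streamed in 4 KiB blocks so a large
    image is never held in memory; the file handle is closed on exit."""
    md5_hash = hashlib.md5()
    with open(path, 'rb') as f:
        for byte_block in iter(lambda: f.read(4096), b""):
            md5_hash.update(byte_block)
    return md5_hash.hexdigest()

@staticmethod
def _open_deleted_files_db(caseDir):
    """Open ``<caseDir>/Evidence_Database/Deleted_Files.db`` and return the
    connection, creating the DeletedFiles table when the file did not
    exist yet (checked before connecting, since connecting creates it)."""
    dbPath = caseDir + "/Evidence_Database/Deleted_Files.db"
    existed = Path(dbPath).is_file()
    db = connectdb.create_connection(dbPath)
    if not existed:
        deletedFilesTable = (
            "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, "
            "'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, "
            "'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, "
            "'gid' INTEGER, 'image' TEXT);")
        connectdb.createTable(db, deletedFilesTable)
    return db

@staticmethod
def _parse_fls_output(output):
    """Split ``fls -rFdl`` text into 11-field records matching the
    DeletedFiles columns (fileType, status, inode, filePath, ctime, crtime,
    atime, mtime, size, uid, gid).

    The `` * `` deleted marker is turned into its own tab-separated field,
    newlines become tabs, and the flat field list is cut every 11 fields.
    The trailing empty field left by the final newline is ignored.  An
    incomplete trailing record is reported and dropped instead of aborting
    the whole batch with an IndexError.
    """
    fields = re.sub(r'[ ]\*[ ]', '\t*\t', output).replace('\n', '\t').split('\t')
    records = []
    for start in range(0, len(fields) - 1, 11):
        chunk = fields[start:start + 11]
        if len(chunk) < 11:
            print("fls output: ignoring incomplete record", chunk)
            break
        records.append(chunk)
    return records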
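def runddfile(lock):
    """Worker that ingests the image at the module-level ``evidencePath``
    (with basename ``fileName``) into the open case, serialised by *lock*.

    Runs ``tsk_loaddb`` behind a progress dialog on ``mainFrame``; on
    success records the evidence (name, TSK db path, timestamp, MD5 of the
    image) in the case database, starts ``tsk_recover`` in the background
    for every partition that is not "Unallocated", stores each partition's
    ``fls -rFdl`` deleted-file listing in ``Deleted_Files.db``, then
    replaces the Summary tab and rebuilds the tree on ``mainFrame``.

    Args:
        lock: an object with ``acquire``/``release``; released on every
            exit path (the original pair leaked it on exceptions).

    Side effects: rebinds the module-level ``evidenceDetails``; creates
    directories and databases on disk; spawns external TSK processes.
    NOTE(review): if this runs on a worker thread, the wx calls below
    would need to be marshalled to the GUI thread (e.g. wx.CallAfter) —
    confirm how it is scheduled.
    """
    global fileName, evidencePath, evidenceDetails
    lock.acquire()
    try:
        for caseRow in caseDetails:
            caseDir = caseRow[4]     # case directory
            caseDbPath = caseRow[5]  # case database path
        evidenceDbDir = Path(caseDir + "/Evidence_Database")
        if not evidenceDbDir.is_dir():
            os.mkdir(str(evidenceDbDir))
        if fileName == "":
            return

        # One spelling of the TSK database path for tsk_loaddb, the
        # EvidenceInfo row and the later connection.
        evidenceDbPath = str(evidenceDbDir) + "/" + fileName + ".db"

        mainFrame._dialog = wx.ProgressDialog(
            "Adding evidence",
            "Creating database for '{s}'".format(s=fileName), 100)
        LoadingDialog(mainFrame._dialog)
        load_db = subprocess.call(["tsk_loaddb", "-d", evidenceDbPath, evidencePath])
        LoadingDialog.endLoadingDialog(mainFrame)
        if load_db != 0:
            return

        # The original stored the literal string "None" here; record the
        # real fingerprint of the image (MD5, matching the Md5 column).
        evidenceMd5 = _md5_of_file(evidencePath)

        conn = connectdb.create_connection(caseDbPath)
        with conn:
            insertEvidence = (
                1, fileName, evidenceDbPath,
                datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
                evidenceMd5)
            connectdb.insertEvidenceDetails(conn, insertEvidence)

            evidenceConn = connectdb.create_connection(evidenceDbPath)
            evidencePart = connectdb.select_image_partitions(evidenceConn)

            deletedFilesPath = caseDir + "/Evidence_Database/Deleted_Files.db"
            # Check existence before connecting: connecting creates the file.
            deletedFilesExisted = Path(deletedFilesPath).is_file()
            createDeletedFilesDb = connectdb.create_connection(deletedFilesPath)
            if not deletedFilesExisted:
                deletedFilesTable = (
                    "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, "
                    "'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, "
                    "'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, "
                    "'gid' INTEGER, 'image' TEXT);")
                connectdb.createTable(createDeletedFilesDb, deletedFilesTable)

            for part in evidencePart:
                if part[2] == "Unallocated":
                    continue
                offset = str(part[0])
                # Fire-and-forget recovery of the partition's files
                subprocess.Popen([
                    "tsk_recover", "-e", "-o", offset, evidencePath,
                    caseDir + "/Extracted/" + fileName])
                # argv list instead of a shell string: the image path is an
                # externally sourced file name and must never be interpreted
                # by a shell; this also fixes paths containing spaces.
                process = subprocess.Popen(
                    ["fls", "-rFdl", "-o", offset, evidencePath],
                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                stdout, stderr = process.communicate()
                if process.returncode != 0:
                    print(stderr.decode(errors="replace"))
                with createDeletedFilesDb:
                    for record in _fls_records(stdout.decode()):
                        connectdb.insertDeletedFiles(
                            createDeletedFilesDb, tuple(record) + (fileName,))

            wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))
            evidenceDetails = connectdb.select_evidence_details(conn)

        # `self` is unbound in this module-level function (the original
        # would have raised NameError here); mainFrame is the frame the
        # rest of this function already drives.
        mainFrame.auiNotebook.DeletePage(0)
        mainFrame.auiNotebook.RemovePage(0)
        mainFrame.addAuiTab("Summary", evidenceDetails)
        mainFrame.recreateTree(caseDbPath)
    finally:
        lock.release()


def _md5_of_file(path):
    """Return the hex MD5 of *path*, streamed in 4 KiB blocks so a large
    image is never held in memory; the file handle is closed on exit."""
    import hashlib
    md5_hash = hashlib.md5()
    with open(path, 'rb') as f:
        for byte_block in iter(lambda: f.read(4096), b""):
            md5_hash.update(byte_block)
    return md5_hash.hexdigest()


def _fls_records(output):
    """Split ``fls -rFdl`` text into 11-field records matching the
    DeletedFiles columns (fileType, status, inode, filePath, ctime, crtime,
    atime, mtime, size, uid, gid).

    The `` * `` deleted marker becomes its own tab-separated field, newlines
    become tabs, and the flat field list is cut every 11 fields.  The
    trailing empty field left by the final newline is ignored.  An
    incomplete trailing record is reported and dropped instead of aborting
    the whole batch with an IndexError.
    """
    fields = re.sub(r'[ ]\*[ ]', '\t*\t', output).replace('\n', '\t').split('\t')
    records = []
    for start in range(0, len(fields) - 1, 11):
        chunk = fields[start:start + 11]
        if len(chunk) < 11:
            print("fls output: ignoring incomplete record", chunk)
            break
        records.append(chunk)
    return records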