Exemple #1
0
 def testCloudDisk(self, mockEvidence, mockClient):
     """Test Google Cloud Disk evidence."""
     mockClient.create_request.return_value = TurbiniaRequest()
     args = argparse.Namespace(request_id=None,
                               command='googleclouddisk',
                               force_evidence=False,
                               decryption_keys=None,
                               recipe=None,
                               recipe_path=None,
                               skip_recipe_validation=False,
                               dump_json=None,
                               debug_tasks=None,
                               jobs_denylist=None,
                               jobs_allowlist=None,
                               run_local=False,
                               wait=False)
     mockEvidence.return_value = FakeEvidence(type='googleclouddisk',
                                              project='testProject',
                                              disk_name='testDisk',
                                              cloud_only=True)
     turbiniactl.process_evidence(name='My Evidence',
                                  disk_name='testDisk',
                                  zone='testZone',
                                  project='testProject',
                                  args=args,
                                  source='case',
                                  client=mockClient,
                                  group_id='FakeGroupID')
     mockEvidence.assert_called_with(name='My Evidence',
                                     disk_name='testDisk',
                                     project='testProject',
                                     source='case',
                                     zone='testZone')
Exemple #2
0
    def testRawMemory(self, mockEvidence, mockClient):
        """Test raw memory evidence"""
        mockClient.create_request.return_value = TurbiniaRequest()
        args = argparse.Namespace(request_id=None,
                                  command='rawmemory',
                                  force_evidence=False,
                                  decryption_keys=None,
                                  recipe=None,
                                  recipe_path=None,
                                  skip_recipe_validation=False,
                                  dump_json=None,
                                  debug_tasks=None,
                                  jobs_denylist=None,
                                  jobs_allowlist=None,
                                  run_local=False,
                                  wait=False,
                                  module_list=['mod1', 'mod2'])
        mockEvidence.return_value = FakeEvidence(type='rawmemory',
                                                 source_path=self.source_path)
        turbiniactl.process_evidence(name='My Evidence',
                                     source_path=self.source_path,
                                     args=args,
                                     client=mockClient,
                                     group_id='FakeGroupID',
                                     profile='testProfile')

        mockEvidence.assert_called_with(name='My Evidence',
                                        source_path=mock.ANY,
                                        profile='testProfile',
                                        module_list=['mod1', 'mod2'])
Exemple #3
0
 def testRawDiskEvidence(self, mockEvidence, mockClient):
     """Test RawDisk evidence."""
     mockClient.create_request.return_value = TurbiniaRequest()
     args = argparse.Namespace(request_id=None,
                               command='rawdisk',
                               force_evidence=False,
                               decryption_keys=None,
                               recipe=None,
                               recipe_path=None,
                               skip_recipe_validation=False,
                               dump_json=None,
                               debug_tasks=None,
                               jobs_denylist=None,
                               jobs_allowlist=None,
                               run_local=False,
                               wait=False)
     mockEvidence.return_value = FakeEvidence(type='rawdisk',
                                              source_path=self.source_path)
     config.SHARED_FILESYSTEM = True
     turbiniactl.process_evidence(name='My Evidence',
                                  source_path='/tmp/foo.img',
                                  args=args,
                                  source='case',
                                  client=mockClient,
                                  group_id='FakeGroupID')
     mockEvidence.assert_called_with(name='My Evidence',
                                     source_path='/tmp/foo.img',
                                     source='case')
Exemple #4
0
 def testCompressedDirectory(self, mockEvidence, mockClient):
     """Test compressed directory evidence"""
     mockClient.create_request.return_value = TurbiniaRequest()
     args = argparse.Namespace(request_id=None,
                               command='compresseddirectory',
                               force_evidence=False,
                               decryption_keys=None,
                               recipe=None,
                               recipe_path=None,
                               skip_recipe_validation=False,
                               dump_json=None,
                               debug_tasks=None,
                               jobs_denylist=None,
                               jobs_allowlist=None,
                               run_local=False,
                               wait=False)
     archive.ValidateTarFile = mock.MagicMock()
     mockEvidence.return_value = FakeEvidence(type='compresseddirectory',
                                              source_path=self.source_path,
                                              cloud_only=True)
     mockClient.send_request = mock.MagicMock()
     turbiniactl.process_evidence(name='My Evidence',
                                  source_path=self.source_path,
                                  args=args,
                                  source='case',
                                  client=mockClient,
                                  group_id='FakeGroupID')
     self.assertTrue(archive.ValidateTarFile.called)
     mockEvidence.assert_called_with(name='My Evidence',
                                     source_path=mock.ANY,
                                     source='case')
Exemple #5
0
 def testTurbiniaClientRequest(self, mockClient):
     """Test Turbinia client request creation."""
     config.TASK_MANAGER = 'celery'
     mockClient.create_request = mock.MagicMock()
     mockClient.create_request.return_value = TurbiniaRequest(
         recipe=recipe_helpers.DEFAULT_RECIPE)
     test_request = mockClient.create_request()
     self.assertIsNotNone(test_request)
     test_default_recipe = recipe_helpers.DEFAULT_RECIPE
     self.assertEqual(test_request.recipe, test_default_recipe)
Exemple #6
0
 def testDirectoryDiskEvidence(self, mockDirectory, mockCompressedEvidence,
                               mockClient):
     """Test directory evidence."""
     mockClient.create_request.return_value = TurbiniaRequest()
     args = argparse.Namespace(request_id=None,
                               command='directory',
                               force_evidence=False,
                               decryption_keys=None,
                               recipe=None,
                               recipe_path=None,
                               skip_recipe_validation=False,
                               dump_json=None,
                               debug_tasks=None,
                               jobs_denylist=None,
                               jobs_allowlist=None,
                               run_local=False,
                               wait=False)
     # Test not shared filesystem
     archive.CompressDirectory = mock.MagicMock()
     config.SHARED_FILESYSTEM = False
     mockCompressedEvidence.return_value = FakeEvidence(
         type='compresseddirectory',
         source_path=self.source_path,
         cloud_only=True)
     mockClient.send_request = mock.MagicMock()
     turbiniactl.process_evidence(name='My Evidence',
                                  source_path=self.source_path,
                                  args=args,
                                  source='case',
                                  client=mockClient,
                                  group_id='FakeGroupID')
     self.assertTrue(archive.CompressDirectory.called)
     mockCompressedEvidence.assert_called_with(name='My Evidence',
                                               source_path=mock.ANY,
                                               source='case')
     # Test Directory evidence for shared filesystem
     mockDirectory.return_value = FakeEvidence(type='directory',
                                               source_path=self.source_path)
     mockDirectory.cloud_only = False
     config.SHARED_FILESYSTEM = True
     turbiniactl.process_evidence(name='My Evidence',
                                  source_path=self.source_path,
                                  args=args,
                                  source='case',
                                  client=mockClient,
                                  group_id='FakeGroupID')
     mockDirectory.assert_called_with(name='My Evidence',
                                      source_path=mock.ANY,
                                      source='case')
Exemple #7
0
    def testHindsight(self, mockEvidence, mockClient):
        """Test hindsight evidence"""
        mockClient.create_request.return_value = TurbiniaRequest()
        args = argparse.Namespace(request_id=None,
                                  command='hindsight',
                                  force_evidence=False,
                                  decryption_keys=None,
                                  recipe=None,
                                  recipe_path=None,
                                  skip_recipe_validation=False,
                                  dump_json=None,
                                  debug_tasks=None,
                                  jobs_denylist=None,
                                  jobs_allowlist=None,
                                  run_local=False,
                                  wait=False)
        with self.assertRaisesRegex(TurbiniaException,
                                    'Invalid output format.'):
            turbiniactl.process_evidence(name='My Evidence',
                                         source_path=self.source_path,
                                         args=args,
                                         client=mockClient,
                                         group_id='FakeGroupID',
                                         format='invalid')

        with self.assertRaisesRegex(TurbiniaException, 'Browser type'):
            turbiniactl.process_evidence(name='My Evidence',
                                         source_path=self.source_path,
                                         args=args,
                                         client=mockClient,
                                         group_id='FakeGroupID',
                                         format='sqlite',
                                         browser_type='firefox')

        mockEvidence.return_value = FakeEvidence(type='chromiumProfile',
                                                 source_path=self.source_path)
        turbiniactl.process_evidence(name='My Evidence',
                                     source_path=self.source_path,
                                     args=args,
                                     client=mockClient,
                                     group_id='FakeGroupID',
                                     format='sqlite',
                                     browser_type='Chrome')
        mockEvidence.assert_called_with(name='My Evidence',
                                        output_format='sqlite',
                                        browser_type='Chrome',
                                        source_path=mock.ANY)
Exemple #8
0
 def create_request(self,
                    request_id=None,
                    group_id=None,
                    requester=None,
                    recipe=None,
                    context=None,
                    evidence_=None,
                    group_name=None,
                    reason=None,
                    all_args=None):
     """Wrapper method to create a Turbinia request."""
     default_recipe = self.create_recipe()
     request = TurbiniaRequest(request_id=request_id,
                               group_id=group_id,
                               requester=requester,
                               recipe=recipe if recipe else default_recipe,
                               context=context,
                               evidence=evidence_,
                               group_name=group_name,
                               reason=reason,
                               all_args=all_args)
     return request
Exemple #9
0
def main():
  """Main function for turbiniactl"""
  # TODO(aarontp): Allow for single run mode when
  # by specifying evidence which will also terminate the task manager after
  # evidence has been processed.
  parser = argparse.ArgumentParser()
  parser.add_argument(
      '-q', '--quiet', action='store_true', help='Show minimal output')
  parser.add_argument(
      '-v', '--verbose', action='store_true', help='Show verbose output',
      default=True)
  parser.add_argument(
      '-d', '--debug', action='store_true', help='Show debug output',
      default=False)
  parser.add_argument(
      '-a', '--all_fields', action='store_true',
      help='Show all task status fields in output', required=False)
  parser.add_argument(
      '-c', '--config_file', help='Load explicit config file. If specified it '
      'will ignore config files in other default locations '
      '(/etc/turbinia.conf, ~/.turbiniarc, or in paths referenced in '
      'environment variable TURBINIA_CONFIG_PATH)', required=False)
  parser.add_argument(
      '-C', '--recipe_config', help='Recipe configuration data passed in as '
      'comma separated key=value pairs (e.g. '
      '"-C key=value,otherkey=othervalue").  These will get passed to tasks '
      'as evidence config, and will also be written to the metadata.json file '
      'for Evidence types that write it', default=[], type=csv_list)
  parser.add_argument(
      '-f', '--force_evidence', action='store_true',
      help='Force evidence processing request in potentially unsafe conditions',
      required=False)
  parser.add_argument('-o', '--output_dir', help='Directory path for output')
  parser.add_argument('-L', '--log_file', help='Log file')
  parser.add_argument(
      '-r', '--request_id', help='Create new requests with this Request ID',
      required=False)
  parser.add_argument(
      '-R', '--run_local', action='store_true',
      help='Run completely locally without any server or other infrastructure. '
      'This can be used to run one-off Tasks to process data locally.')
  parser.add_argument(
      '-S', '--server', action='store_true',
      help='Run Turbinia Server indefinitely')
  parser.add_argument(
      '-V', '--version', action='version', version=__version__,
      help='Show the version')
  parser.add_argument(
      '-D', '--dump_json', action='store_true',
      help='Dump JSON output of Turbinia Request instead of sending it')
  parser.add_argument(
      '-F', '--filter_patterns_file',
      help='A file containing newline separated string patterns to filter '
      'text based evidence files with (in extended grep regex format). '
      'This filtered output will be in addition to the complete output')
  parser.add_argument(
      '-Y', '--yara_rules_file', help='A file containing Yara rules.')
  parser.add_argument(
      '-j', '--jobs_allowlist', default=[], type=csv_list,
      help='An allowlist for Jobs that will be allowed to run (in CSV format, '
      'no spaces). This will not force them to run if they are not configured '
      'to. This is applied both at server start time and when the client makes '
      'a processing request. When applied at server start time the change is '
      'persistent while the server is running.  When applied by the client, it '
      'will only affect that processing request.')
  parser.add_argument(
      '-J', '--jobs_denylist', default=[], type=csv_list,
      help='A denylist for Jobs we will not allow to run.  See '
      '--jobs_allowlist help for details on format and when it is applied.')
  parser.add_argument(
      '-p', '--poll_interval', default=60, type=int,
      help='Number of seconds to wait between polling for task state info')
  parser.add_argument(
      '-t', '--task',
      help='The name of a single Task to run locally (must be used with '
      '--run_local.')
  parser.add_argument(
      '-w', '--wait', action='store_true',
      help='Wait to exit until all tasks for the given request have completed')

  subparsers = parser.add_subparsers(
      dest='command', title='Commands', metavar='<command>')

  # Action for printing config
  parser_config = subparsers.add_parser('config', help='Print out config file')
  parser_config.add_argument(
      '-f', '--file_only', action='store_true', help='Print out file path only')

  #Sends Test Notification
  parser_testnotify = subparsers.add_parser(
      'testnotify', help='Sends test notification')

  # TODO(aarontp): Find better way to specify these that allows for multiple
  # pieces of evidence to be submitted. Maybe automagically create different
  # commands based on introspection of evidence objects?
  # RawDisk
  parser_rawdisk = subparsers.add_parser(
      'rawdisk', help='Process RawDisk as Evidence')
  parser_rawdisk.add_argument(
      '-l', '--source_path', help='Local path to the evidence', required=True)
  parser_rawdisk.add_argument(
      '-P', '--mount_partition', default=1, type=int,
      help='The partition number to use when mounting this disk.  Defaults to '
      'the entire raw disk.  Only affects mounting, and not what gets '
      'processed.')
  parser_rawdisk.add_argument(
      '-s', '--source', help='Description of the source of the evidence',
      required=False)
  parser_rawdisk.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for APFS Disk Evidence type
  parser_apfs = subparsers.add_parser(
      'apfs', help='Process APFSEncryptedDisk as Evidence')
  parser_apfs.add_argument(
      '-l', '--source_path', help='Local path to the encrypted APFS evidence',
      required=True)
  parser_apfs.add_argument(
      '-r', '--recovery_key', help='Recovery key for the APFS evidence.  '
      'Either recovery key or password must be specified.', required=False)
  parser_apfs.add_argument(
      '-p', '--password', help='Password for the APFS evidence.  '
      'If a recovery key is specified concurrently, password will be ignored.',
      required=False)
  parser_apfs.add_argument(
      '-s', '--source', help='Description of the source of the evidence',
      required=False)
  parser_apfs.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for Bitlocker Disk Evidence type
  parser_bitlocker = subparsers.add_parser(
      'bitlocker', help='Process Bitlocker Disk as Evidence')
  parser_bitlocker.add_argument(
      '-l', '--source_path',
      help='Local path to the encrypted Bitlocker evidence', required=True)
  parser_bitlocker.add_argument(
      '-r', '--recovery_key', help='Recovery key for the Bitlocker evidence.  '
      'Either recovery key or password must be specified.', required=False)
  parser_bitlocker.add_argument(
      '-p', '--password', help='Password for the Bitlocker evidence.  '
      'If a recovery key is specified concurrently, password will be ignored.',
      required=False)
  parser_bitlocker.add_argument(
      '-s', '--source', help='Description of the source of the evidence',
      required=False)
  parser_bitlocker.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for Google Cloud Disk Evidence type
  parser_googleclouddisk = subparsers.add_parser(
      'googleclouddisk',
      help='Process Google Cloud Persistent Disk as Evidence')
  parser_googleclouddisk.add_argument(
      '-C', '--copy_only', action='store_true', help='Only copy disk and do '
      'not process with Turbinia. This only takes effect when a source '
      '--project is defined and can be run without any Turbinia server or '
      'workers configured.')
  parser_googleclouddisk.add_argument(
      '-d', '--disk_name', help='Google Cloud name for disk', required=True)
  parser_googleclouddisk.add_argument(
      '-p', '--project', help='Project that the disk to process is associated '
      'with. If this is different from the project that Turbinia is running '
      'in, it will be copied to the Turbinia project.')
  parser_googleclouddisk.add_argument(
      '-P', '--mount_partition', default=1, type=int,
      help='The partition number to use when mounting this disk.  Defaults to '
      'the entire raw disk.  Only affects mounting, and not what gets '
      'processed.')
  parser_googleclouddisk.add_argument(
      '-z', '--zone', help='Geographic zone the disk exists in')
  parser_googleclouddisk.add_argument(
      '-s', '--source', help='Description of the source of the evidence',
      required=False)
  parser_googleclouddisk.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for Google Cloud Persistent Disk Embedded Raw Image
  parser_googleclouddiskembedded = subparsers.add_parser(
      'googleclouddiskembedded',
      help='Process Google Cloud Persistent Disk with an embedded raw disk '
      'image as Evidence')
  parser_googleclouddiskembedded.add_argument(
      '-C', '--copy_only', action='store_true', help='Only copy disk and do '
      'not process with Turbinia. This only takes effect when a source '
      '--project is defined and can be run without any Turbinia server or '
      'workers configured.')
  parser_googleclouddiskembedded.add_argument(
      '-e', '--embedded_path',
      help='Path within the Persistent Disk that points to the raw image file',
      required=True)
  parser_googleclouddiskembedded.add_argument(
      '-d', '--disk_name', help='Google Cloud name for disk', required=True)
  parser_googleclouddiskembedded.add_argument(
      '-p', '--project', help='Project that the disk to process is associated '
      'with. If this is different from the project that Turbinia is running '
      'in, it will be copied to the Turbinia project.')
  parser_googleclouddiskembedded.add_argument(
      '-P', '--mount_partition', default=1, type=int,
      help='The partition number to use when mounting this disk.  Defaults to '
      'the entire raw disk.  Only affects mounting, and not what gets '
      'processed.')
  parser_googleclouddiskembedded.add_argument(
      '--embedded_mount_partition', default=1, type=int,
      help='The partition number to use when mounting this embedded disk image.'
      ' Defaults to the first partition')
  parser_googleclouddiskembedded.add_argument(
      '-z', '--zone', help='Geographic zone the disk exists in')
  parser_googleclouddiskembedded.add_argument(
      '-s', '--source', help='Description of the source of the evidence',
      required=False)
  parser_googleclouddiskembedded.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # RawMemory
  parser_rawmemory = subparsers.add_parser(
      'rawmemory', help='Process RawMemory as Evidence')
  parser_rawmemory.add_argument(
      '-l', '--source_path', help='Local path to the evidence', required=True)
  parser_rawmemory.add_argument(
      '-P', '--profile', help='Profile to use with Volatility', required=True)
  parser_rawmemory.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)
  parser_rawmemory.add_argument(
      '-m', '--module_list', type=csv_list,
      help='Volatility module(s) to execute', required=True)

  # Parser options for Directory evidence type
  parser_directory = subparsers.add_parser(
      'directory', help='Process a directory as Evidence')
  parser_directory.add_argument(
      '-l', '--source_path', help='Local path to the evidence', required=True)
  parser_directory.add_argument(
      '-s', '--source', help='Description of the source of the evidence',
      required=False)
  parser_directory.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for CompressedDirectory evidence type
  parser_directory = subparsers.add_parser(
      'compressedirectory', help='Process a compressed tar file as Evidence')
  parser_directory.add_argument(
      '-l', '--local_path', help='Local path to the evidence', required=True)
  parser_directory.add_argument(
      '-s', '--source', help='Description of the source of the evidence',
      required=False)
  parser_directory.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for ChromiumProfile evidence type
  parser_hindsight = subparsers.add_parser(
      'hindsight', help='Process ChromiumProfile as Evidence')
  parser_hindsight.add_argument(
      '-l', '--source_path', help='Local path to the evidence', required=True)
  parser_hindsight.add_argument(
      '-f', '--format', help='Output format (supported types are '
      'xlsx, sqlite, jsonl)', default='sqlite')
  parser_hindsight.add_argument(
      '-b', '--browser_type', help='The type of browser the input files belong'
      'to (supported types are Chrome, Brave)', default='Chrome')
  parser_hindsight.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # List Jobs
  subparsers.add_parser(
      'listjobs',
      help='List all available Jobs. These Job names can be used by '
      '--jobs_allowlist and --jobs_denylist')

  # PSQ Worker
  parser_psqworker = subparsers.add_parser('psqworker', help='Run PSQ worker')
  parser_psqworker.add_argument(
      '-S', '--single_threaded', action='store_true',
      help='Run PSQ Worker in a single thread', required=False)

  # Celery Worker
  subparsers.add_parser('celeryworker', help='Run Celery worker')

  # Parser options for Turbinia status command
  parser_status = subparsers.add_parser(
      'status', help='Get Turbinia Task status')
  parser_status.add_argument(
      '-c', '--close_tasks', action='store_true',
      help='Close tasks based on Request ID or Task ID', required=False)
  parser_status.add_argument(
      '-C', '--csv', action='store_true',
      help='When used with --statistics, the output will be in CSV format',
      required=False)
  parser_status.add_argument(
      '-d', '--days_history', default=0, type=int,
      help='Number of days of history to show', required=False)
  parser_status.add_argument(
      '-f', '--force', help='Gatekeeper for --close_tasks', action='store_true',
      required=False)
  parser_status.add_argument(
      '-r', '--request_id', help='Show tasks with this Request ID',
      required=False)
  # 20 == Priority.High. We are setting this manually here because we don't want
  # to load the worker module yet in order to access this Enum.
  parser_status.add_argument(
      '-p', '--priority_filter', default=20, type=int, required=False,
      help='This sets what report sections are shown in full detail in '
      'report output.  Any tasks that have set a report_priority value '
      'equal to or lower than this setting will be shown in full detail, and '
      'tasks with a higher value will only have a summary shown.  To see all '
      'tasks report output in full detail, set --priority_filter=100')
  parser_status.add_argument(
      '-R', '--full_report',
      help='Generate full markdown report instead of just a summary',
      action='store_true', required=False)
  parser_status.add_argument(
      '-s', '--statistics', help='Generate statistics only',
      action='store_true', required=False)
  parser_status.add_argument(
      '-t', '--task_id', help='Show task for given Task ID', required=False)
  parser_status.add_argument(
      '-u', '--user', help='Show task for given user', required=False)

  # Server
  subparsers.add_parser('server', help='Run Turbinia Server')

  args = parser.parse_args()

  # Load the config before final logger setup so we can the find the path to the
  # log file.
  try:
    if args.config_file:
      config.LoadConfig(config_file=args.config_file)
    else:
      config.LoadConfig()
  except TurbiniaException as exception:
    print(
        'Could not load config file ({0!s}).\n{1:s}'.format(
            exception, config.CONFIG_MSG))
    sys.exit(1)

  if args.log_file:
    config.LOG_FILE = args.log_file
  if args.output_dir:
    config.OUTPUT_DIR = args.output_dir

  # Run logger setup again to get file-handler now that we have the logfile path
  # from the config.
  logger.setup()
  if args.quiet:
    log.setLevel(logging.ERROR)
  elif args.debug:
    log.setLevel(logging.DEBUG)
  else:
    log.setLevel(logging.INFO)

  # Enable GCP Stackdriver Logging
  if config.STACKDRIVER_LOGGING and args.command in ('server', 'psqworker'):
    google_cloud.setup_stackdriver_handler(config.TURBINIA_PROJECT)

  log.info('Turbinia version: {0:s}'.format(__version__))

  # Do late import of other needed Turbinia modules.  This is needed because the
  # config is loaded by these modules at load time, and we want to wait to load
  # the config until after we parse the args so that we can use those arguments
  # to point to config paths.
  from turbinia import notify
  from turbinia import client as TurbiniaClientProvider
  from turbinia.client import TurbiniaCeleryClient
  from turbinia.client import TurbiniaServer
  from turbinia.client import TurbiniaCeleryWorker
  from turbinia.client import TurbiniaPsqWorker
  from turbinia import evidence
  from turbinia.message import TurbiniaRequest

  # Print out config if requested
  if args.command == 'config':
    if args.file_only:
      log.info('Config file path is {0:s}\n'.format(config.configSource))
      sys.exit(0)

    try:
      with open(config.configSource, "r") as f:
        print(f.read())
        sys.exit(0)
    except IOError as exception:
      log.info(
          "Failed to read config file {0:s}: {1!s}".format(
              config.configSource, exception))
      sys.exit(1)
  #sends test notification
  if args.command == 'testnotify':
    notify.sendmail(
        config.EMAIL_ADDRESS, 'Turbinia test notification',
        'This is a test notification')
    sys.exit(0)

  args.jobs_allowlist = [j.lower() for j in args.jobs_allowlist]
  args.jobs_denylist = [j.lower() for j in args.jobs_denylist]
  if args.jobs_allowlist and args.jobs_denylist:
    log.error(
        'A Job filter allowlist and denylist cannot be specified at the same '
        'time')
    sys.exit(1)

  # Read set set filter_patterns
  filter_patterns = None
  if (args.filter_patterns_file and
      not os.path.exists(args.filter_patterns_file)):
    log.error('Filter patterns file {0:s} does not exist.')
    sys.exit(1)
  elif args.filter_patterns_file:
    try:
      filter_patterns = open(args.filter_patterns_file).read().splitlines()
    except IOError as e:
      log.warning(
          'Cannot open file {0:s} [{1!s}]'.format(args.filter_patterns_file, e))

  # Read yara rules
  yara_rules = None
  if (args.yara_rules_file and not os.path.exists(args.yara_rules_file)):
    log.error('Filter patterns file {0:s} does not exist.')
    sys.exit(1)
  elif args.yara_rules_file:
    try:
      yara_rules = open(args.yara_rules_file).read()
    except IOError as e:
      log.warning(
          'Cannot open file {0:s} [{1!s}]'.format(args.yara_rules_file, e))
      sys.exit(1)

  # Create Client object
  client = None
  if args.command not in ('psqworker', 'server'):
    client = TurbiniaClientProvider.get_turbinia_client(args.run_local)

  # Make sure run_local flags aren't conflicting with other server/client flags
  server_flags_set = args.server or args.command == 'server'
  worker_flags_set = args.command in ('psqworker', 'celeryworker')
  if args.run_local and (server_flags_set or worker_flags_set):
    log.error('--run_local flag is not compatible with server/worker flags')
    sys.exit(1)

  if args.run_local and not args.task:
    log.error('--run_local flag requires --task flag')
    sys.exit(1)

  # Set zone/project to defaults if flags are not set, and also copy remote
  # disk if needed.
  if args.command in ('googleclouddisk', 'googleclouddiskrawembedded'):
    if not args.zone and config.TURBINIA_ZONE:
      args.zone = config.TURBINIA_ZONE
    elif not args.zone and not config.TURBINIA_ZONE:
      log.error('Turbinia zone must be set by --zone or in config')
      sys.exit(1)

    if not args.project and config.TURBINIA_PROJECT:
      args.project = config.TURBINIA_PROJECT
    elif not args.project and not config.TURBINIA_PROJECT:
      log.error('Turbinia project must be set by --project or in config')
      sys.exit(1)

    if ((args.project and args.project != config.TURBINIA_PROJECT) or
        (args.zone and args.zone != config.TURBINIA_ZONE)):
      new_disk = gcp_forensics.CreateDiskCopy(
          args.project, config.TURBINIA_PROJECT, None, config.TURBINIA_ZONE,
          disk_name=args.disk_name)
      args.disk_name = new_disk.name
      if args.copy_only:
        log.info('--copy_only specified, so not processing with Turbinia')
        sys.exit(0)

  # Start Evidence configuration
  evidence_ = None
  if args.command == 'rawdisk':
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.RawDisk(
        name=args.name, source_path=source_path,
        mount_partition=args.mount_partition, source=args.source)
  elif args.command == 'apfs':
    if not args.password and not args.recovery_key:
      log.error('Neither recovery key nor password is specified.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.APFSEncryptedDisk(
        name=args.name, source_path=source_path, recovery_key=args.recovery_key,
        password=args.password, source=args.source)
  elif args.command == 'bitlocker':
    if not args.password and not args.recovery_key:
      log.error('Neither recovery key nor password is specified.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.BitlockerDisk(
        name=args.name, source_path=source_path, recovery_key=args.recovery_key,
        password=args.password, source=args.source)
  elif args.command == 'directory':
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)

    if not config.SHARED_FILESYSTEM:
      log.info(
          'A Cloud Only Architecture has been detected. '
          'Compressing the directory for GCS upload.')
      source_path = archive.CompressDirectory(source_path, output_path='/tmp')
      args.name = args.name if args.name else source_path
      evidence_ = evidence.CompressedDirectory(
          name=args.name, source_path=source_path, source=args.source)
    else:
      evidence_ = evidence.Directory(
          name=args.name, source_path=source_path, source=args.source)
  elif args.command == 'compressedirectory':
    archive.ValidateTarFile(args.source_path)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.CompressedDirectory(
        name=args.name, source_path=source_path, source=args.source)
  elif args.command == 'googleclouddisk':
    args.name = args.name if args.name else args.disk_name
    evidence_ = evidence.GoogleCloudDisk(
        name=args.name, disk_name=args.disk_name, project=args.project,
        mount_partition=args.mount_partition, zone=args.zone,
        source=args.source)
  elif args.command == 'googleclouddiskembedded':
    args.name = args.name if args.name else args.disk_name
    parent_evidence_ = evidence.GoogleCloudDisk(
        name=args.name, disk_name=args.disk_name, project=args.project,
        mount_partition=args.mount_partition, zone=args.zone,
        source=args.source)
    evidence_ = evidence.GoogleCloudDiskRawEmbedded(
        name=args.name, disk_name=args.disk_name, project=args.project,
        mount_partition=args.mount_partition, zone=args.zone,
        embedded_path=args.embedded_path,
        embedded_partition=args.embedded_mount_partition)
    evidence_.parent_evidence = parent_evidence_
  elif args.command == 'hindsight':
    if args.format not in ['xlsx', 'sqlite', 'jsonl']:
      log.error('Invalid output format.')
      sys.exit(1)
    if args.browser_type not in ['Chrome', 'Brave']:
      log.error('Browser type not supported.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.ChromiumProfile(
        name=args.name, source_path=source_path, output_format=args.format,
        browser_type=args.browser_type)
  elif args.command == 'rawmemory':
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.RawMemory(
        name=args.name, source_path=source_path, profile=args.profile,
        module_list=args.module_list)
  elif args.command == 'psqworker':
    # Set up root logger level which is normally set by the psqworker command
    # which we are bypassing.
    logger.setup()
    worker = TurbiniaPsqWorker(
        jobs_denylist=args.jobs_denylist, jobs_allowlist=args.jobs_allowlist)
    worker.start()
  elif args.command == 'celeryworker':
    logger.setup()
    worker = TurbiniaCeleryWorker(
        jobs_denylist=args.jobs_denylist, jobs_allowlist=args.jobs_allowlist)
    worker.start()
  elif args.command == 'server':
    server = TurbiniaServer(
        jobs_denylist=args.jobs_denylist, jobs_allowlist=args.jobs_allowlist)
    server.start()
  elif args.command == 'status':
    region = config.TURBINIA_REGION
    if args.close_tasks:
      if args.user or args.request_id or args.task_id:
        print(
            client.close_tasks(
                instance=config.INSTANCE_ID, project=config.TURBINIA_PROJECT,
                region=region, request_id=args.request_id, task_id=args.task_id,
                user=args.user, requester=getpass.getuser()))
        sys.exit(0)
      else:
        log.info(
            '--close_tasks (-c) requires --user, --request_id, or/and --task_id'
        )
        sys.exit(1)

    if args.statistics:
      print(
          client.format_task_statistics(
              instance=config.INSTANCE_ID, project=config.TURBINIA_PROJECT,
              region=region, days=args.days_history, task_id=args.task_id,
              request_id=args.request_id, user=args.user, csv=args.csv))
      sys.exit(0)

    if args.wait and args.request_id:
      client.wait_for_request(
          instance=config.INSTANCE_ID, project=config.TURBINIA_PROJECT,
          region=region, request_id=args.request_id, user=args.user,
          poll_interval=args.poll_interval)
    elif args.wait and not args.request_id:
      log.info(
          '--wait requires --request_id, which is not specified. '
          'turbiniactl will exit without waiting.')

    print(
        client.format_task_status(
            instance=config.INSTANCE_ID, project=config.TURBINIA_PROJECT,
            region=region, days=args.days_history, task_id=args.task_id,
            request_id=args.request_id, user=args.user,
            all_fields=args.all_fields, full_report=args.full_report,
            priority_filter=args.priority_filter))
  elif args.command == 'listjobs':
    log.info('Available Jobs:')
    client.list_jobs()
  else:
    log.warning('Command {0!s} not implemented.'.format(args.command))

  if evidence_ and not args.force_evidence:
    if config.SHARED_FILESYSTEM and evidence_.cloud_only:
      log.error(
          'The evidence type {0:s} is Cloud only, and this instance of '
          'Turbinia is not a cloud instance.'.format(evidence_.type))
      sys.exit(1)
    elif not config.SHARED_FILESYSTEM and not evidence_.cloud_only:
      log.error(
          'The evidence type {0:s} cannot run on Cloud instances of '
          'Turbinia. Consider wrapping it in a '
          'GoogleCloudDiskRawEmbedded or other Cloud compatible '
          'object'.format(evidence_.type))
      sys.exit(1)

  # If we have evidence to process and we also want to run as a server, then
  # we'll just process the evidence directly rather than send it through the
  # PubSub frontend interface.  If we're not running as a server then we will
  # create a new TurbiniaRequest and send it over PubSub.
  request = None
  if evidence_ and args.server:
    server = TurbiniaServer()
    server.add_evidence(evidence_)
    server.start()
  elif evidence_:
    request = TurbiniaRequest(
        request_id=args.request_id, requester=getpass.getuser())
    request.evidence.append(evidence_)
    if filter_patterns:
      request.recipe['filter_patterns'] = filter_patterns
    if args.jobs_denylist:
      request.recipe['jobs_denylist'] = args.jobs_denylist
    if args.jobs_allowlist:
      request.recipe['jobs_allowlist'] = args.jobs_allowlist
    if yara_rules:
      request.recipe['yara_rules'] = yara_rules
    if args.recipe_config:
      for pair in args.recipe_config:
        try:
          key, value = pair.split('=')
        except ValueError as exception:
          log.error(
              'Could not parse key=value pair [{0:s}] from recipe config '
              '{1!s}: {2!s}'.format(pair, args.recipe_config, exception))
          sys.exit(1)
        request.recipe[key] = value
    if args.dump_json:
      print(request.to_json().encode('utf-8'))
      sys.exit(0)
    else:
      log.info(
          'Creating request {0:s} with evidence {1:s}'.format(
              request.request_id, evidence_.name))
      log.info(
          'Run command "turbiniactl status -r {0:s}" to see the status of'
          ' this request and associated tasks'.format(request.request_id))
      if not args.run_local:
        client.send_request(request)
      else:
        log.debug('--run_local specified so not sending request to server')

    if args.wait:
      log.info(
          'Waiting for request {0:s} to complete'.format(request.request_id))
      region = config.TURBINIA_REGION
      client.wait_for_request(
          instance=config.INSTANCE_ID, project=config.TURBINIA_PROJECT,
          region=region, request_id=request.request_id,
          poll_interval=args.poll_interval)
      print(
          client.format_task_status(
              instance=config.INSTANCE_ID, project=config.TURBINIA_PROJECT,
              region=region, request_id=request.request_id,
              all_fields=args.all_fields))

  if args.run_local and not evidence_:
    log.error('Evidence must be specified if using --run_local')
    sys.exit(1)
  if args.run_local and evidence_.cloud_only:
    log.error('--run_local cannot be used with Cloud only Evidence types')
    sys.exit(1)
  if args.run_local and evidence_:
    result = client.run_local_task(args.task, request)
    log.info('Task execution result: {0:s}'.format(result))

  log.info('Done.')
  sys.exit(0)
Exemple #10
0
    def Process(self):
        """Process files with Turbinia."""
        log_file_path = os.path.join(self._output_path, 'turbinia.log')
        print('Turbinia log file: {0:s}'.format(log_file_path))

        if self.state.input and not self.disk_name:
            _, disk = self.state.input[0]
            self.disk_name = disk.name
            print('Using disk {0:s} from previous collector'.format(
                self.disk_name))

        evidence_ = evidence.GoogleCloudDisk(disk_name=self.disk_name,
                                             project=self.project,
                                             zone=self.turbinia_zone)
        try:
            evidence_.validate()
        except TurbiniaException as exception:
            self.state.AddError(exception, critical=True)
            return

        request = TurbiniaRequest(requester=getpass.getuser())
        request.evidence.append(evidence_)
        if self.sketch_id:
            request.recipe['sketch_id'] = self.sketch_id
        if not self.run_all_jobs:
            request.recipe['jobs_blacklist'] = ['StringsJob']

        # Get threat intelligence data from any modules that have stored some.
        # In this case, observables is a list of containers.ThreatIntelligence
        # objects.
        threatintel = self.state.GetContainers(containers.ThreatIntelligence)
        if threatintel:
            print(
                'Sending {0:d} threatintel to Turbinia GrepWorkers...'.format(
                    len(threatintel)))
            indicators = [item.indicator for item in threatintel]
            request.recipe['filter_patterns'] = indicators

        request_dict = {
            'instance': self.instance,
            'project': self.project,
            'region': self.turbinia_region,
            'request_id': request.request_id
        }

        try:
            print('Creating Turbinia request {0:s} with Evidence {1!s}'.format(
                request.request_id, evidence_.name))
            self.client.send_request(request)
            print('Waiting for Turbinia request {0:s} to complete'.format(
                request.request_id))
            self.client.wait_for_request(**request_dict)
            task_data = self.client.get_task_data(**request_dict)
        except TurbiniaException as exception:
            # TODO: determine if exception should be converted into a string as
            # elsewhere in the codebase.
            self.state.AddError(exception, critical=True)
            return

        message = self.client.format_task_status(**request_dict,
                                                 full_report=True)
        short_message = self.client.format_task_status(**request_dict)
        print(short_message)

        # Store the message for consumption by any reporting modules.
        report = containers.Report(module_name='TurbiniaProcessor',
                                   text=message,
                                   text_format='markdown')
        self.state.StoreContainer(report)

        local_paths, gs_paths = self._DeterminePaths(task_data)

        if not local_paths and not gs_paths:
            self.state.AddError(
                'No interesting files found in Turbinia output.',
                critical=True)
            return

        timeline_label = '{0:s}-{1:s}'.format(self.project, self.disk_name)
        # Any local files that exist we can add immediately to the output
        all_local_paths = [(timeline_label, p) for p in local_paths
                           if os.path.exists(p)]

        downloaded_gs_paths = self._DownloadFilesFromGCS(
            timeline_label, gs_paths)
        all_local_paths.extend(downloaded_gs_paths)

        if not all_local_paths:
            self.state.AddError('No interesting files could be found.',
                                critical=True)
        self.state.output = all_local_paths

        for _, path in all_local_paths:
            if path.endswith('BinaryExtractorTask.tar.gz'):
                self.state.StoreContainer(
                    containers.ThreatIntelligence(
                        name='BinaryExtractorResults',
                        indicator=None,
                        path=path))
            if path.endswith('hashes.json'):
                self.state.StoreContainer(
                    containers.ThreatIntelligence(name='ImageExportHashes',
                                                  indicator=None,
                                                  path=path))
Exemple #11
0
def main():
  # TODO(aarontp): Allow for single run mode when
  # by specifying evidence which will also terminate the task manager after
  # evidence has been processed.
  parser = argparse.ArgumentParser()
  parser.add_argument(
      '-q', '--quiet', action='store_true', help='Show minimal output')
  parser.add_argument(
      '-v', '--verbose', action='store_true', help='Show verbose output')
  # TODO(aarontp): Turn off debug by default
  parser.add_argument(
      '-d',
      '--debug',
      action='store_true',
      help='Show debug output',
      default=True)
  parser.add_argument(
      '-a',
      '--all_fields',
      action='store_true',
      help='Show all task status fields in output',
      required=False)
  parser.add_argument(
      '-f',
      '--force_evidence',
      action='store_true',
      help='Force evidence processing request in potentially unsafe conditions',
      required=False)
  parser.add_argument('-o', '--output_dir', help='Directory path for output')
  parser.add_argument('-L', '--log_file', help='Log file')
  parser.add_argument(
      '-r',
      '--request_id',
      help='Create new requests with this Request ID',
      required=False)
  parser.add_argument(
      '-S',
      '--server',
      action='store_true',
      help='Run Turbinia Server indefinitely')
  parser.add_argument(
      '-C',
      '--use_celery',
      action='store_true',
      help='Pass this flag when using Celery/Kombu for task queuing and '
      'messaging (instead of Google PSQ/pubsub)')
  parser.add_argument(
      '-V',
      '--version',
      action='version',
      version=__version__,
      help='Show the version')
  parser.add_argument(
      '-D',
      '--dump_json',
      action='store_true',
      help='Dump JSON output of Turbinia Request instead of sending it')
  parser.add_argument(
      '-F',
      '--filter_patterns_file',
      help='A file containing newline separated string patterns to filter '
      'text based evidence files with (in extended grep regex format). '
      'This filtered output will be in addition to the complete output')
  parser.add_argument(
      '-j',
      '--jobs_whitelist',
      help='A whitelist for Jobs that we will allow to run (note that it '
      'will not force them to run).')
  parser.add_argument(
      '-J',
      '--jobs_blacklist',
      help='A blacklist for Jobs we will not allow to run')
  parser.add_argument(
      '-p',
      '--poll_interval',
      default=60,
      type=int,
      help='Number of seconds to wait between polling for task state info')
  parser.add_argument(
      '-w',
      '--wait',
      action='store_true',
      help='Wait to exit until all tasks for the given request have completed')

  subparsers = parser.add_subparsers(
      dest='command', title='Commands', metavar='<command>')

  # TODO(aarontp): Find better way to specify these that allows for multiple
  # pieces of evidence to be submitted. Maybe automagically create different
  # commands based on introspection of evidence objects?
  # RawDisk
  parser_rawdisk = subparsers.add_parser(
      'rawdisk', help='Process RawDisk as Evidence')
  parser_rawdisk.add_argument(
      '-l', '--local_path', help='Local path to the evidence', required=True)
  parser_rawdisk.add_argument(
      '-P',
      '--mount_partition',
      default=1,
      type=int,
      help='The partition number to use when mounting this disk.  Defaults to '
      'the entire raw disk.  Only affects mounting, and not what gets '
      'processed.')
  parser_rawdisk.add_argument(
      '-s',
      '--source',
      help='Description of the source of the evidence',
      required=False)
  parser_rawdisk.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for Google Cloud Disk Evidence type
  parser_googleclouddisk = subparsers.add_parser(
      'googleclouddisk',
      help='Process Google Cloud Persistent Disk as Evidence')
  parser_googleclouddisk.add_argument(
      '-d', '--disk_name', help='Google Cloud name for disk', required=True)
  parser_googleclouddisk.add_argument(
      '-p',
      '--project',
      help='Project that the disk is associated with',
      required=True)
  parser_googleclouddisk.add_argument(
      '-P',
      '--mount_partition',
      default=0,
      type=int,
      help='The partition number to use when mounting this disk.  Defaults to '
      'the entire raw disk.  Only affects mounting, and not what gets '
      'processed.')
  parser_googleclouddisk.add_argument(
      '-z', '--zone', help='Geographic zone the disk exists in', required=True)
  parser_googleclouddisk.add_argument(
      '-s',
      '--source',
      help='Description of the source of the evidence',
      required=False)
  parser_googleclouddisk.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for Google Cloud Persistent Disk Embedded Raw Image
  parser_googleclouddiskembedded = subparsers.add_parser(
      'googleclouddiskembedded',
      help='Process Google Cloud Persistent Disk with an embedded raw disk '
      'image as Evidence')
  parser_googleclouddiskembedded.add_argument(
      '-e',
      '--embedded_path',
      help='Path within the Persistent Disk that points to the raw image file',
      required=True)
  parser_googleclouddiskembedded.add_argument(
      '-d', '--disk_name', help='Google Cloud name for disk', required=True)
  parser_googleclouddiskembedded.add_argument(
      '-p',
      '--project',
      help='Project that the disk is associated with',
      required=True)
  parser_googleclouddiskembedded.add_argument(
      '-P',
      '--mount_partition',
      default=0,
      type=int,
      help='The partition number to use when mounting this disk.  Defaults to '
      'the entire raw disk.  Only affects mounting, and not what gets '
      'processed.')
  parser_googleclouddiskembedded.add_argument(
      '-z', '--zone', help='Geographic zone the disk exists in', required=True)
  parser_googleclouddiskembedded.add_argument(
      '-s',
      '--source',
      help='Description of the source of the evidence',
      required=False)
  parser_googleclouddiskembedded.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # Parser options for Directory evidence type
  parser_directory = subparsers.add_parser(
      'directory', help='Process a directory as Evidence')
  parser_directory.add_argument(
      '-l', '--local_path', help='Local path to the evidence', required=True)
  parser_directory.add_argument(
      '-s',
      '--source',
      help='Description of the source of the evidence',
      required=False)
  parser_directory.add_argument(
      '-n', '--name', help='Descriptive name of the evidence', required=False)

  # List Jobs
  subparsers.add_parser('listjobs', help='List all available jobs')

  # PSQ Worker
  parser_psqworker = subparsers.add_parser('psqworker', help='Run PSQ worker')
  parser_psqworker.add_argument(
      '-S',
      '--single_threaded',
      action='store_true',
      help='Run PSQ Worker in a single thread',
      required=False)

  # Celery Worker
  subparsers.add_parser('celeryworker', help='Run Celery worker')

  # Parser options for Turbinia status command
  parser_status = subparsers.add_parser(
      'status', help='Get Turbinia Task status')
  parser_status.add_argument(
      '-c',
      '--close_tasks',
      action='store_true',
      help='Close tasks based on Request ID or Task ID',
      required=False)
  parser_status.add_argument(
      '-d',
      '--days_history',
      default=0,
      type=int,
      help='Number of days of history to show',
      required=False)
  parser_status.add_argument(
      '-f',
      '--force',
      help='Gatekeeper for --close_tasks',
      action='store_true',
      required=False)
  parser_status.add_argument(
      '-r',
      '--request_id',
      help='Show tasks with this Request ID',
      required=False)
  parser_status.add_argument(
      '-t', '--task_id', help='Show task for given Task ID', required=False)
  parser_status.add_argument(
      '-u', '--user', help='Show task for given user', required=False)

  # Server
  subparsers.add_parser('server', help='Run Turbinia Server')

  args = parser.parse_args()
  if args.quiet:
    log.setLevel(logging.ERROR)
  elif args.verbose:
    log.setLevel(logging.INFO)
  elif args.debug:
    log.setLevel(logging.DEBUG)
  else:
    log.setLevel(logging.WARNING)

  if args.jobs_whitelist and args.jobs_blacklist:
    log.warning('A Job filter whitelist and blacklist cannot be specified '
                'at the same time')
    sys.exit(1)

  filter_patterns = None
  if (args.filter_patterns_file and
      not os.path.exists(args.filter_patterns_file)):
    log.warning('Filter patterns file {0:s} does not exist.')
    sys.exit(1)
  elif args.filter_patterns_file:
    try:
      filter_patterns = open(args.filter_patterns_file).read().splitlines()
    except IOError as e:
      log.warning('Cannot open file {0:s} [{1!s}]'.format(
          args.filter_patterns_file, e))

  # Client
  config.LoadConfig()
  if args.command not in ('psqworker', 'server'):
    if args.use_celery:
      client = TurbiniaCeleryClient()
    else:
      client = TurbiniaClient()
  else:
    client = None

  if args.output_dir:
    config.OUTPUT_DIR = args.output_dir
  if args.log_file:
    config.LOG_FILE = args.log_file

  evidence_ = None
  is_cloud_disk = False
  if args.command == 'rawdisk':
    args.name = args.name if args.name else args.local_path
    local_path = os.path.abspath(args.local_path)
    evidence_ = evidence.RawDisk(
        name=args.name,
        local_path=local_path,
        mount_partition=args.mount_partition,
        source=args.source)
  elif args.command == 'directory':
    args.name = args.name if args.name else args.local_path
    local_path = os.path.abspath(args.local_path)
    evidence_ = evidence.Directory(
        name=args.name, local_path=local_path, source=args.source)
  elif args.command == 'googleclouddisk':
    is_cloud_disk = True
    args.name = args.name if args.name else args.disk_name
    evidence_ = evidence.GoogleCloudDisk(
        name=args.name,
        disk_name=args.disk_name,
        project=args.project,
        mount_partition=args.mount_partition,
        zone=args.zone,
        source=args.source)
  elif args.command == 'googleclouddiskembedded':
    is_cloud_disk = True
    args.name = args.name if args.name else args.disk_name
    evidence_ = evidence.GoogleCloudDiskRawEmbedded(
        name=args.name,
        disk_name=args.disk_name,
        embedded_path=args.embedded_path,
        mount_partition=args.mount_partition,
        project=args.project,
        zone=args.zone,
        source=args.source)
  elif args.command == 'psqworker':
    # Set up root logger level which is normally set by the psqworker command
    # which we are bypassing.
    logger.setup()
    worker = TurbiniaPsqWorker()
    worker.start()
  elif args.command == 'celeryworker':
    logger.setup()
    worker = TurbiniaCeleryWorker()
    worker.start()
  elif args.command == 'server':
    server = TurbiniaServer()
    server.start()
  elif args.command == 'status':
    region = config.TURBINIA_REGION
    if args.close_tasks:
      if args.user or args.request_id or args.task_id:
        print(client.close_tasks(
            instance=config.INSTANCE_ID,
            project=config.PROJECT,
            region=region,
            request_id=args.request_id,
            task_id=args.task_id,
            user=args.user,
            requester=getpass.getuser()))
        sys.exit(0)
      else:
        log.info(
            '--close_tasks (-c) requires --user, --request_id, or/and --task_id'
        )
        sys.exit(1)

    if args.wait and args.request_id:
      client.wait_for_request(
          instance=config.INSTANCE_ID,
          project=config.PROJECT,
          region=region,
          request_id=args.request_id,
          user=args.user,
          poll_interval=args.poll_interval)
    elif args.wait and not args.request_id:
      log.info('--wait requires --request_id, which is not specified. '
               'turbiniactl will exit without waiting.')

    print(client.format_task_status(
        instance=config.INSTANCE_ID,
        project=config.PROJECT,
        region=region,
        days=args.days_history,
        task_id=args.task_id,
        request_id=args.request_id,
        user=args.user,
        all_fields=args.all_fields))
  elif args.command == 'listjobs':
    log.info('Available Jobs:')
    client.list_jobs()
  else:
    log.warning('Command {0:s} not implemented.'.format(args.command))

  if evidence_ and not args.force_evidence:
    if config.SHARED_FILESYSTEM and evidence_.cloud_only:
      log.error('The evidence type {0:s} is Cloud only, and this instance of '
                'Turbinia is not a cloud instance.'.format(evidence_.type))
      sys.exit(1)
    elif not config.SHARED_FILESYSTEM and not evidence_.cloud_only:
      log.error('The evidence type {0:s} cannot run on Cloud instances of '
                'Turbinia. Consider wrapping it in a '
                'GoogleCloudDiskRawEmbedded or other Cloud compatible '
                'object'.format(evidence_.type))
      sys.exit(1)

  if is_cloud_disk and evidence_.project != config.PROJECT:
    msg = ('Turbinia project {0:s} is different from evidence project {1:s}. '
           'This processing request will fail unless the Turbinia service '
           'account has permissions to this project.'.format(
               config.PROJECT, evidence_.project))
    if args.force_evidence:
      log.warning(msg)
    else:
      msg += ' Use --force_evidence if you are sure you want to do this.'
      log.warning(msg)
      sys.exit(1)

  # If we have evidence to process and we also want to run as a server, then
  # we'll just process the evidence directly rather than send it through the
  # PubSub frontend interface.  If we're not running as a server then we will
  # create a new TurbiniaRequest and send it over PubSub.
  if evidence_ and args.server:
    server = TurbiniaServer()
    server.add_evidence(evidence_)
    server.start()
  elif evidence_:
    request = TurbiniaRequest(request_id=args.request_id)
    request.evidence.append(evidence_)
    if filter_patterns:
      request.recipe['filter_patterns'] = filter_patterns
    if args.dump_json:
      print(request.to_json().encode('utf-8'))
    else:
      log.info('Creating request {0:s} with evidence {1:s}'.format(
          request.request_id, evidence_.name))
      client.send_request(request)

    if args.wait:
      log.info('Waiting for request {0:s} to complete'.format(
          request.request_id))
      region = config.TURBINIA_REGION
      client.wait_for_request(
          instance=config.INSTANCE_ID,
          project=config.PROJECT,
          region=region,
          request_id=request.request_id,
          poll_interval=args.poll_interval)
      print(client.format_task_status(
          instance=config.INSTANCE_ID,
          project=config.PROJECT,
          region=region,
          request_id=request.request_id,
          all_fields=args.all_fields))

  log.info('Done.')
  sys.exit(0)
Exemple #12
0
def main():
    """Main function for turbiniactl"""
    # TODO(aarontp): Allow for single run mode when
    # by specifying evidence which will also terminate the task manager after
    # evidence has been processed.
    parser = argparse.ArgumentParser()
    parser.add_argument('-q',
                        '--quiet',
                        action='store_true',
                        help='Show minimal output')
    parser.add_argument('-v',
                        '--verbose',
                        action='store_true',
                        help='Show verbose output',
                        default=True)
    parser.add_argument('-d',
                        '--debug',
                        action='store_true',
                        help='Show debug output',
                        default=False)
    parser.add_argument('-a',
                        '--all_fields',
                        action='store_true',
                        help='Show all task status fields in output',
                        required=False)
    parser.add_argument(
        '-f',
        '--force_evidence',
        action='store_true',
        help=
        'Force evidence processing request in potentially unsafe conditions',
        required=False)
    parser.add_argument('-o', '--output_dir', help='Directory path for output')
    parser.add_argument('-L', '--log_file', help='Log file')
    parser.add_argument('-r',
                        '--request_id',
                        help='Create new requests with this Request ID',
                        required=False)
    parser.add_argument(
        '-R',
        '--run_local',
        action='store_true',
        help=
        'Run completely locally without any server or other infrastructure. '
        'This can be used to run one-off Tasks to process data locally.')
    parser.add_argument('-S',
                        '--server',
                        action='store_true',
                        help='Run Turbinia Server indefinitely')
    parser.add_argument('-V',
                        '--version',
                        action='version',
                        version=__version__,
                        help='Show the version')
    parser.add_argument(
        '-D',
        '--dump_json',
        action='store_true',
        help='Dump JSON output of Turbinia Request instead of sending it')
    parser.add_argument(
        '-F',
        '--filter_patterns_file',
        help='A file containing newline separated string patterns to filter '
        'text based evidence files with (in extended grep regex format). '
        'This filtered output will be in addition to the complete output')
    parser.add_argument(
        '-j',
        '--jobs_whitelist',
        default=[],
        type=csv_list,
        help='A whitelist for Jobs that will be allowed to run (in CSV format, '
        'no spaces). This will not force them to run if they are not configured '
        'to. This is applied both at server start time and when the client makes '
        'a processing request. When applied at server start time the change is '
        'persistent while the server is running.  When applied by the client, it '
        'will only affect that processing request.')
    parser.add_argument(
        '-J',
        '--jobs_blacklist',
        default=[],
        type=csv_list,
        help='A blacklist for Jobs we will not allow to run.  See '
        '--jobs_whitelist help for details on format and when it is applied.')
    parser.add_argument(
        '-p',
        '--poll_interval',
        default=60,
        type=int,
        help='Number of seconds to wait between polling for task state info')
    parser.add_argument(
        '-t',
        '--task',
        help='The name of a single Task to run locally (must be used with '
        '--run_local.')
    parser.add_argument(
        '-w',
        '--wait',
        action='store_true',
        help='Wait to exit until all tasks for the given request have completed'
    )

    subparsers = parser.add_subparsers(dest='command',
                                       title='Commands',
                                       metavar='<command>')

    # TODO(aarontp): Find better way to specify these that allows for multiple
    # pieces of evidence to be submitted. Maybe automagically create different
    # commands based on introspection of evidence objects?
    # RawDisk
    parser_rawdisk = subparsers.add_parser('rawdisk',
                                           help='Process RawDisk as Evidence')
    parser_rawdisk.add_argument('-l',
                                '--local_path',
                                help='Local path to the evidence',
                                required=True)
    parser_rawdisk.add_argument(
        '-P',
        '--mount_partition',
        default=1,
        type=int,
        help='The partition number to use when mounting this disk.  Defaults to '
        'the entire raw disk.  Only affects mounting, and not what gets '
        'processed.')
    parser_rawdisk.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_rawdisk.add_argument('-n',
                                '--name',
                                help='Descriptive name of the evidence',
                                required=False)

    # Parser options for APFS Disk Evidence type
    parser_apfs = subparsers.add_parser(
        'apfs', help='Process APFSEncryptedDisk as Evidence')
    parser_apfs.add_argument('-l',
                             '--local_path',
                             help='Local path to the encrypted APFS evidence',
                             required=True)
    parser_apfs.add_argument(
        '-r',
        '--recovery_key',
        help='Recovery key for the APFS evidence.  '
        'Either recovery key or password must be specified.',
        required=False)
    parser_apfs.add_argument(
        '-p',
        '--password',
        help='Password for the APFS evidence.  '
        'If a recovery key is specified concurrently, password will be ignored.',
        required=False)
    parser_apfs.add_argument('-s',
                             '--source',
                             help='Description of the source of the evidence',
                             required=False)
    parser_apfs.add_argument('-n',
                             '--name',
                             help='Descriptive name of the evidence',
                             required=False)

    # Parser options for Bitlocker Disk Evidence type
    parser_bitlocker = subparsers.add_parser(
        'bitlocker', help='Process Bitlocker Disk as Evidence')
    parser_bitlocker.add_argument(
        '-l',
        '--local_path',
        help='Local path to the encrypted Bitlocker evidence',
        required=True)
    parser_bitlocker.add_argument(
        '-r',
        '--recovery_key',
        help='Recovery key for the Bitlocker evidence.  '
        'Either recovery key or password must be specified.',
        required=False)
    parser_bitlocker.add_argument(
        '-p',
        '--password',
        help='Password for the Bitlocker evidence.  '
        'If a recovery key is specified concurrently, password will be ignored.',
        required=False)
    parser_bitlocker.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_bitlocker.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)

    # Parser options for Google Cloud Disk Evidence type
    parser_googleclouddisk = subparsers.add_parser(
        'googleclouddisk',
        help='Process Google Cloud Persistent Disk as Evidence')
    parser_googleclouddisk.add_argument('-d',
                                        '--disk_name',
                                        help='Google Cloud name for disk',
                                        required=True)
    parser_googleclouddisk.add_argument(
        '-p',
        '--project',
        help='Project that the disk is associated with',
        required=True)
    parser_googleclouddisk.add_argument(
        '-P',
        '--mount_partition',
        default=0,
        type=int,
        help='The partition number to use when mounting this disk.  Defaults to '
        'the entire raw disk.  Only affects mounting, and not what gets '
        'processed.')
    parser_googleclouddisk.add_argument(
        '-z',
        '--zone',
        help='Geographic zone the disk exists in',
        required=True)
    parser_googleclouddisk.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_googleclouddisk.add_argument(
        '-n',
        '--name',
        help='Descriptive name of the evidence',
        required=False)

    # Parser options for Google Cloud Persistent Disk Embedded Raw Image
    parser_googleclouddiskembedded = subparsers.add_parser(
        'googleclouddiskembedded',
        help='Process Google Cloud Persistent Disk with an embedded raw disk '
        'image as Evidence')
    parser_googleclouddiskembedded.add_argument(
        '-e',
        '--embedded_path',
        help=
        'Path within the Persistent Disk that points to the raw image file',
        required=True)
    parser_googleclouddiskembedded.add_argument(
        '-d', '--disk_name', help='Google Cloud name for disk', required=True)
    parser_googleclouddiskembedded.add_argument(
        '-p',
        '--project',
        help='Project that the disk is associated with',
        required=True)
    parser_googleclouddiskembedded.add_argument(
        '-P',
        '--mount_partition',
        default=0,
        type=int,
        help='The partition number to use when mounting this disk.  Defaults to '
        'the entire raw disk.  Only affects mounting, and not what gets '
        'processed.')
    parser_googleclouddiskembedded.add_argument(
        '-z',
        '--zone',
        help='Geographic zone the disk exists in',
        required=True)
    parser_googleclouddiskembedded.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_googleclouddiskembedded.add_argument(
        '-n',
        '--name',
        help='Descriptive name of the evidence',
        required=False)

    # RawMemory
    parser_rawmemory = subparsers.add_parser(
        'rawmemory', help='Process RawMemory as Evidence')
    parser_rawmemory.add_argument('-l',
                                  '--local_path',
                                  help='Local path to the evidence',
                                  required=True)
    parser_rawmemory.add_argument('-P',
                                  '--profile',
                                  help='Profile to use with Volatility',
                                  required=True)
    parser_rawmemory.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)
    parser_rawmemory.add_argument('-m',
                                  '--module_list',
                                  type=csv_list,
                                  help='Volatility module(s) to execute',
                                  required=True)

    # Parser options for Directory evidence type
    parser_directory = subparsers.add_parser(
        'directory', help='Process a directory as Evidence')
    parser_directory.add_argument('-l',
                                  '--local_path',
                                  help='Local path to the evidence',
                                  required=True)
    parser_directory.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_directory.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)

    # Parser options for ChromiumProfile evidence type
    parser_hindsight = subparsers.add_parser(
        'hindsight', help='Process ChromiumProfile as Evidence')
    parser_hindsight.add_argument('-l',
                                  '--local_path',
                                  help='Local path to the evidence',
                                  required=True)
    parser_hindsight.add_argument('-f',
                                  '--format',
                                  help='Output format (supported types are '
                                  'xlsx, sqlite, jsonl)',
                                  default='sqlite')
    parser_hindsight.add_argument(
        '-b',
        '--browser_type',
        help='The type of browser the input files belong'
        'to (supported types are Chrome, Brave)',
        default='Chrome')
    parser_hindsight.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)

    # List Jobs
    subparsers.add_parser(
        'listjobs',
        help='List all available Jobs. These Job names can be used by '
        '--jobs_whitelist and --jobs_blacklist')

    # PSQ Worker
    parser_psqworker = subparsers.add_parser('psqworker',
                                             help='Run PSQ worker')
    parser_psqworker.add_argument('-S',
                                  '--single_threaded',
                                  action='store_true',
                                  help='Run PSQ Worker in a single thread',
                                  required=False)

    # Celery Worker
    subparsers.add_parser('celeryworker', help='Run Celery worker')

    # Parser options for Turbinia status command
    parser_status = subparsers.add_parser('status',
                                          help='Get Turbinia Task status')
    parser_status.add_argument(
        '-c',
        '--close_tasks',
        action='store_true',
        help='Close tasks based on Request ID or Task ID',
        required=False)
    parser_status.add_argument('-d',
                               '--days_history',
                               default=0,
                               type=int,
                               help='Number of days of history to show',
                               required=False)
    parser_status.add_argument('-f',
                               '--force',
                               help='Gatekeeper for --close_tasks',
                               action='store_true',
                               required=False)
    parser_status.add_argument('-r',
                               '--request_id',
                               help='Show tasks with this Request ID',
                               required=False)
    parser_status.add_argument(
        '-p',
        '--priority_filter',
        default=Priority.HIGH,
        type=int,
        required=False,
        help='This sets what report sections are shown in full detail in '
        'report output.  Any tasks that have set a report_priority value '
        'equal to or lower than this setting will be shown in full detail, and '
        'tasks with a higher value will only have a summary shown.  To see all '
        'tasks report output in full detail, set --priority_filter=100')
    parser_status.add_argument(
        '-R',
        '--full_report',
        help='Generate full markdown report instead of just a summary',
        action='store_true',
        required=False)
    parser_status.add_argument('-t',
                               '--task_id',
                               help='Show task for given Task ID',
                               required=False)
    parser_status.add_argument('-u',
                               '--user',
                               help='Show task for given user',
                               required=False)

    # Server
    subparsers.add_parser('server', help='Run Turbinia Server')

    args = parser.parse_args()
    if args.quiet:
        log.setLevel(logging.ERROR)
    elif args.debug:
        log.setLevel(logging.DEBUG)
    else:
        log.setLevel(logging.INFO)

    log.info('Turbinia version: {0:s}'.format(__version__))

    if args.jobs_whitelist and args.jobs_blacklist:
        log.error(
            'A Job filter whitelist and blacklist cannot be specified at the same '
            'time')
        sys.exit(1)

    filter_patterns = None
    if (args.filter_patterns_file
            and not os.path.exists(args.filter_patterns_file)):
        log.error('Filter patterns file {0:s} does not exist.')
        sys.exit(1)
    elif args.filter_patterns_file:
        try:
            filter_patterns = open(
                args.filter_patterns_file).read().splitlines()
        except IOError as e:
            log.warning('Cannot open file {0:s} [{1!s}]'.format(
                args.filter_patterns_file, e))

    # Client
    config.LoadConfig()
    if args.command not in ('psqworker', 'server'):
        if config.TASK_MANAGER.lower() == 'celery':
            client = TurbiniaCeleryClient()
        elif args.run_local:
            client = TurbiniaClient(run_local=True)
        else:
            client = TurbiniaClient()
    else:
        client = None

    server_flags_set = args.server or args.command == 'server'
    worker_flags_set = args.command in ('psqworker', 'celeryworker')
    if args.run_local and (server_flags_set or worker_flags_set):
        log.error(
            '--run_local flag is not compatible with server/worker flags')
        sys.exit(1)

    if args.run_local and not args.task:
        log.error('--run_local flag requires --task flag')
        sys.exit(1)

    if args.output_dir:
        config.OUTPUT_DIR = args.output_dir
    if args.log_file:
        config.LOG_FILE = args.log_file

    evidence_ = None
    is_cloud_disk = False
    if args.command == 'rawdisk':
        args.name = args.name if args.name else args.local_path
        local_path = os.path.abspath(args.local_path)
        evidence_ = evidence.RawDisk(name=args.name,
                                     local_path=local_path,
                                     mount_partition=args.mount_partition,
                                     source=args.source)
    elif args.command == 'apfs':
        if not args.password and not args.recovery_key:
            log.error('Neither recovery key nor password is specified.')
            sys.exit(1)
        args.name = args.name if args.name else args.local_path
        local_path = os.path.abspath(args.local_path)
        evidence_ = evidence.APFSEncryptedDisk(name=args.name,
                                               local_path=local_path,
                                               recovery_key=args.recovery_key,
                                               password=args.password,
                                               source=args.source)
    elif args.command == 'bitlocker':
        if not args.password and not args.recovery_key:
            log.error('Neither recovery key nor password is specified.')
            sys.exit(1)
        args.name = args.name if args.name else args.local_path
        local_path = os.path.abspath(args.local_path)
        evidence_ = evidence.BitlockerDisk(name=args.name,
                                           local_path=local_path,
                                           recovery_key=args.recovery_key,
                                           password=args.password,
                                           source=args.source)
    elif args.command == 'directory':
        args.name = args.name if args.name else args.local_path
        local_path = os.path.abspath(args.local_path)
        evidence_ = evidence.Directory(name=args.name,
                                       local_path=local_path,
                                       source=args.source)
    elif args.command == 'googleclouddisk':
        is_cloud_disk = True
        args.name = args.name if args.name else args.disk_name
        evidence_ = evidence.GoogleCloudDisk(
            name=args.name,
            disk_name=args.disk_name,
            project=args.project,
            mount_partition=args.mount_partition,
            zone=args.zone,
            source=args.source)
    elif args.command == 'googleclouddiskembedded':
        is_cloud_disk = True
        args.name = args.name if args.name else args.disk_name
        evidence_ = evidence.GoogleCloudDiskRawEmbedded(
            name=args.name,
            disk_name=args.disk_name,
            embedded_path=args.embedded_path,
            mount_partition=args.mount_partition,
            project=args.project,
            zone=args.zone,
            source=args.source)
    elif args.command == 'hindsight':
        if args.format not in ['xlsx', 'sqlite', 'jsonl']:
            log.error('Invalid output format.')
            sys.exit(1)
        if args.browser_type not in ['Chrome', 'Brave']:
            log.error('Browser type not supported.')
            sys.exit(1)
        args.name = args.name if args.name else args.local_path
        local_path = os.path.abspath(args.local_path)
        evidence_ = evidence.ChromiumProfile(name=args.name,
                                             local_path=local_path,
                                             output_format=args.format,
                                             browser_type=args.browser_type)
    elif args.command == 'rawmemory':
        args.name = args.name if args.name else args.local_path
        local_path = os.path.abspath(args.local_path)
        evidence_ = evidence.RawMemory(name=args.name,
                                       local_path=local_path,
                                       profile=args.profile,
                                       module_list=args.module_list)
    elif args.command == 'psqworker':
        # Set up root logger level which is normally set by the psqworker command
        # which we are bypassing.
        logger.setup()
        worker = TurbiniaPsqWorker()
        worker.start()
    elif args.command == 'celeryworker':
        logger.setup()
        worker = TurbiniaCeleryWorker()
        worker.start()
    elif args.command == 'server':
        server = TurbiniaServer(jobs_blacklist=args.jobs_blacklist,
                                jobs_whitelist=args.jobs_whitelist)
        server.start()
    elif args.command == 'status':
        region = config.TURBINIA_REGION
        if args.close_tasks:
            if args.user or args.request_id or args.task_id:
                print(
                    client.close_tasks(instance=config.INSTANCE_ID,
                                       project=config.TURBINIA_PROJECT,
                                       region=region,
                                       request_id=args.request_id,
                                       task_id=args.task_id,
                                       user=args.user,
                                       requester=getpass.getuser()))
                sys.exit(0)
            else:
                log.info(
                    '--close_tasks (-c) requires --user, --request_id, or/and --task_id'
                )
                sys.exit(1)

        if args.wait and args.request_id:
            client.wait_for_request(instance=config.INSTANCE_ID,
                                    project=config.TURBINIA_PROJECT,
                                    region=region,
                                    request_id=args.request_id,
                                    user=args.user,
                                    poll_interval=args.poll_interval)
        elif args.wait and not args.request_id:
            log.info('--wait requires --request_id, which is not specified. '
                     'turbiniactl will exit without waiting.')

        print(
            client.format_task_status(instance=config.INSTANCE_ID,
                                      project=config.TURBINIA_PROJECT,
                                      region=region,
                                      days=args.days_history,
                                      task_id=args.task_id,
                                      request_id=args.request_id,
                                      user=args.user,
                                      all_fields=args.all_fields,
                                      full_report=args.full_report,
                                      priority_filter=args.priority_filter))
    elif args.command == 'listjobs':
        log.info('Available Jobs:')
        client.list_jobs()
    else:
        log.warning('Command {0:s} not implemented.'.format(args.command))

    if evidence_ and not args.force_evidence:
        if config.SHARED_FILESYSTEM and evidence_.cloud_only:
            log.error(
                'The evidence type {0:s} is Cloud only, and this instance of '
                'Turbinia is not a cloud instance.'.format(evidence_.type))
            sys.exit(1)
        elif not config.SHARED_FILESYSTEM and not evidence_.cloud_only:
            log.error(
                'The evidence type {0:s} cannot run on Cloud instances of '
                'Turbinia. Consider wrapping it in a '
                'GoogleCloudDiskRawEmbedded or other Cloud compatible '
                'object'.format(evidence_.type))
            sys.exit(1)

    if is_cloud_disk and evidence_.project != config.TURBINIA_PROJECT:
        msg = (
            'Turbinia project {0:s} is different from evidence project {1:s}. '
            'This processing request will fail unless the Turbinia service '
            'account has permissions to this project.'.format(
                config.TURBINIA_PROJECT, evidence_.project))
        if args.force_evidence:
            log.warning(msg)
        else:
            msg += ' Use --force_evidence if you are sure you want to do this.'
            log.error(msg)
            sys.exit(1)

    # If we have evidence to process and we also want to run as a server, then
    # we'll just process the evidence directly rather than send it through the
    # PubSub frontend interface.  If we're not running as a server then we will
    # create a new TurbiniaRequest and send it over PubSub.
    request = None
    if evidence_ and args.server:
        server = TurbiniaServer()
        server.add_evidence(evidence_)
        server.start()
    elif evidence_:
        request = TurbiniaRequest(request_id=args.request_id,
                                  requester=getpass.getuser())
        request.evidence.append(evidence_)
        if filter_patterns:
            request.recipe['filter_patterns'] = filter_patterns
        if args.jobs_blacklist:
            request.recipe['jobs_blacklist'] = args.jobs_blacklist
        if args.jobs_whitelist:
            request.recipe['jobs_whitelist'] = args.jobs_whitelist
        if args.dump_json:
            print(request.to_json().encode('utf-8'))
            sys.exit(0)
        else:
            log.info('Creating request {0:s} with evidence {1:s}'.format(
                request.request_id, evidence_.name))
            log.info(
                'Run command "turbiniactl status -r {0:s}" to see the status of'
                ' this request and associated tasks'.format(
                    request.request_id))
            if not args.run_local:
                client.send_request(request)
            else:
                log.debug(
                    '--run_local specified so not sending request to server')

        if args.wait:
            log.info('Waiting for request {0:s} to complete'.format(
                request.request_id))
            region = config.TURBINIA_REGION
            client.wait_for_request(instance=config.INSTANCE_ID,
                                    project=config.TURBINIA_PROJECT,
                                    region=region,
                                    request_id=request.request_id,
                                    poll_interval=args.poll_interval)
            print(
                client.format_task_status(instance=config.INSTANCE_ID,
                                          project=config.TURBINIA_PROJECT,
                                          region=region,
                                          request_id=request.request_id,
                                          all_fields=args.all_fields))

    if args.run_local and not evidence_:
        log.error('Evidence must be specified if using --run_local')
        sys.exit(1)
    if args.run_local and evidence_.cloud_only:
        log.error('--run_local cannot be used with Cloud only Evidence types')
        sys.exit(1)
    if args.run_local and evidence_:
        result = client.run_local_task(args.task, request)
        log.info('Task execution result: {0:s}'.format(result))

    log.info('Done.')
    sys.exit(0)
Exemple #13
0
    def Process(self):
        """Process files with Turbinia."""
        log_file_path = os.path.join(self._output_path, 'turbinia.log')
        print('Turbinia log file: {0:s}'.format(log_file_path))

        if self.state.input and not self.disk_name:
            _, disk = self.state.input[0]
            self.disk_name = disk.name
            print('Using disk {0:s} from previous collector'.format(
                self.disk_name))

        evidence_ = evidence.GoogleCloudDisk(disk_name=self.disk_name,
                                             project=self.project,
                                             zone=self.turbinia_zone)
        try:
            evidence_.validate()
        except TurbiniaException as exception:
            self.state.AddError(exception, critical=True)
            return

        request = TurbiniaRequest(requester=getpass.getuser())
        request.evidence.append(evidence_)
        if self.sketch_id:
            request.recipe['sketch_id'] = self.sketch_id
        if not self.run_all_jobs:
            request.recipe['jobs_blacklist'] = ['StringsJob']

        # Get threat intelligence data from any modules that have stored some.
        # In this case, observables is a list of containers.ThreatIntelligence
        # objects.
        threatintel = self.state.GetContainers(containers.ThreatIntelligence)
        if threatintel:
            print(
                'Sending {0:d} threatintel to Turbinia GrepWorkers...'.format(
                    len(threatintel)))
            indicators = [item.indicator for item in threatintel]
            request.recipe['filter_patterns'] = indicators

        request_dict = {
            'instance': self.instance,
            'project': self.project,
            'region': self.turbinia_region,
            'request_id': request.request_id
        }

        try:
            print('Creating Turbinia request {0:s} with Evidence {1!s}'.format(
                request.request_id, evidence_.name))
            self.client.send_request(request)
            print('Waiting for Turbinia request {0:s} to complete'.format(
                request.request_id))
            self.client.wait_for_request(**request_dict)
            task_data = self.client.get_task_data(**request_dict)
        except TurbiniaException as exception:
            # TODO: determine if exception should be converted into a string as
            # elsewhere in the codebase.
            self.state.AddError(exception, critical=True)
            return

        message = self.client.format_task_status(**request_dict,
                                                 full_report=True)
        short_message = self.client.format_task_status(**request_dict)
        print(short_message)

        # Store the message for consumption by any reporting modules.
        report = containers.Report(module_name='TurbiniaProcessor',
                                   text=message,
                                   text_format='markdown')
        self.state.StoreContainer(report)

        # This finds all .plaso files in the Turbinia output, and determines if they
        # are local or remote (it's possible this will be running against a local
        # instance of Turbinia).
        local_paths = []
        gs_paths = []
        timeline_label = '{0:s}-{1:s}'.format(self.project, self.disk_name)
        for task in task_data:
            # saved_paths may be set to None
            for path in task.get('saved_paths') or []:
                if path.startswith('/') and path.endswith('.plaso'):
                    local_paths.append(path)
                if path.startswith('gs://') and path.endswith('.plaso'):
                    gs_paths.append(path)

        if not local_paths and not gs_paths:
            self.state.AddError('No .plaso files found in Turbinia output.',
                                critical=True)
            return

        # Any local .plaso files that exist we can add immediately to the output
        self.state.output = [(timeline_label, p) for p in local_paths
                             if os.path.exists(p)]

        # For files remote in GCS we copy each plaso file back from GCS and then add
        # to output paths
        # TODO: Externalize fetching files from GCS buckets to a different module.
        for path in gs_paths:
            local_path = None
            try:
                output_writer = output_manager.GCSOutputWriter(
                    path, local_output_dir=self._output_path)
                local_path = output_writer.copy_from(path)
            except TurbiniaException as exception:
                # TODO: determine if exception should be converted into a string as
                # elsewhere in the codebase.
                self.state.AddError(exception, critical=True)
                return

            if local_path:
                self.state.output.append((timeline_label, local_path))

        if not self.state.output:
            self.state.AddError('No .plaso files could be found.',
                                critical=True)
Exemple #14
0
    def process(self):
        """Process files with Turbinia."""
        log_file_path = os.path.join(self._output_path, 'turbinia.log')
        print('Turbinia log file: {0:s}'.format(log_file_path))

        if self.state.input and not self.disk_name:
            _, disk = self.state.input[0]
            self.disk_name = disk.name
            print('Using disk {0:s} from previous collector'.format(
                self.disk_name))

        evidence_ = evidence.GoogleCloudDisk(disk_name=self.disk_name,
                                             project=self.project,
                                             zone=self.turbinia_zone)
        request = TurbiniaRequest()
        request.evidence.append(evidence_)

        # Get threat intelligence data from any modules that have stored some.
        # In this case, observables is a list of containers.ThreatIntelligence
        # objects.
        threatintel = self.state.get_containers(containers.ThreatIntelligence)
        if threatintel:
            print(
                'Sending {0:d} threatintel to Turbinia GrepWorkers...'.format(
                    len(threatintel)))
            indicators = [item.indicator for item in threatintel]
            request.recipe['filter_patterns'] = indicators

        request_dict = {
            'instance': self.instance,
            'project': self.project,
            'region': self.turbinia_region,
            'request_id': request.request_id
        }

        try:
            print('Creating Turbinia request {0:s} with Evidence {1!s}'.format(
                request.request_id, evidence_.name))
            self.client.send_request(request)
            print('Waiting for Turbinia request {0:s} to complete'.format(
                request.request_id))
            self.client.wait_for_request(**request_dict)
            task_data = self.client.get_task_data(**request_dict)
        except TurbiniaException as e:
            self.state.add_error(e, critical=True)
            return

        # Turbinia run complete, build a human-readable message of results.
        message = 'Completed {0:d} Turbinia tasks\n'.format(len(task_data))
        for task in task_data:
            message += '{0!s} ({1!s}): {2!s}\n'.format(
                task.get('name'), task.get('id'),
                task.get('status', 'No task status'))
            # saved_paths may be set to None
            for path in task.get('saved_paths') or []:
                if path.endswith('worker-log.txt'):
                    continue
                if path.endswith('{0!s}.log'.format(task.get('id'))):
                    continue
                if path.startswith('/'):
                    continue
                message += '  {0:s}\n'.format(path)
        print(message)

        # Store the message for consumption by any reporting modules.
        report = containers.Report(module_name='TurbiniaProcessor',
                                   text=message)
        self.state.store_container(report)

        # This finds all .plaso files in the Turbinia output, and determines if they
        # are local or remote (it's possible this will be running against a local
        # instance of Turbinia).
        local_paths = []
        gs_paths = []
        timeline_label = '{0:s}-{1:s}'.format(self.project, self.disk_name)
        for task in task_data:
            # saved_paths may be set to None
            for path in task.get('saved_paths') or []:
                if path.startswith('/') and path.endswith('.plaso'):
                    local_paths.append(path)
                if path.startswith('gs://') and path.endswith('.plaso'):
                    gs_paths.append(path)

        if not local_paths and not gs_paths:
            self.state.add_error('No .plaso files found in Turbinia output.',
                                 critical=True)
            return

        # Any local .plaso files that exist we can add immediately to the output
        self.state.output = [(timeline_label, p) for p in local_paths
                             if os.path.exists(p)]

        # For files remote in GCS we copy each plaso file back from GCS and then add
        # to output paths
        # TODO: Externalize fetching files from GCS buckets to a different module.
        for path in gs_paths:
            local_path = None
            try:
                output_writer = output_manager.GCSOutputWriter(
                    path, local_output_dir=self._output_path)
                local_path = output_writer.copy_from(path)
            except TurbiniaException as e:
                self.state.add_error(e, critical=True)
                return

            if local_path:
                self.state.output.append((timeline_label, local_path))

        if not self.state.output:
            self.state.add_error('No .plaso files could be found.',
                                 critical=True)
Exemple #15
0
    def process(self):
        """Process files with Turbinia."""
        log_file_path = os.path.join(self._output_path, 'turbinia.log')
        print('Turbinia log file: {0:s}'.format(log_file_path))

        evidence_ = evidence.GoogleCloudDisk(disk_name=self.disk_name,
                                             project=self.project,
                                             zone=self.turbinia_zone)
        request = TurbiniaRequest()
        request.evidence.append(evidence_)

        try:
            print('Creating Turbinia request {0:s} with Evidence {1:s}'.format(
                request.request_id, evidence_.name))
            self.client.send_request(request)
            print('Waiting for Turbinia request {0:s} to complete'.format(
                request.request_id))
            self.client.wait_for_request(instance=self.instance,
                                         project=self.project,
                                         region=self.turbinia_region,
                                         request_id=request.request_id)
            task_data = self.client.get_task_data(
                instance=self.instance,
                project=self.project,
                region=self.turbinia_region,
                request_id=request.request_id)
            print(
                self.client.format_task_status(instance=self.instance,
                                               project=self.project,
                                               region=self.turbinia_region,
                                               request_id=request.request_id,
                                               all_fields=True))
        except TurbiniaException as e:
            self.state.add_error(e, critical=True)
            return

        # This finds all .plaso files in the Turbinia output, and determines if they
        # are local or remote (it's possible this will be running against a local
        # instance of Turbinia).
        local_paths = []
        gs_paths = []
        timeline_label = '{0:s}-{1:s}'.format(self.project, self.disk_name)
        for task in task_data:
            for path in task.get('saved_paths', []):
                if path.startswith('/') and path.endswith('.plaso'):
                    local_paths.append(path)
                if path.startswith('gs://') and path.endswith('.plaso'):
                    gs_paths.append(path)

        if not local_paths and not gs_paths:
            self.state.add_error('No .plaso files found in Turbinia output.',
                                 critical=True)
            return

        # Any local .plaso files that exist we can add immediately to the output
        self.state.output = [(timeline_label, p) for p in local_paths
                             if os.path.exists(p)]

        # For files remote in GCS we copy each plaso file back from GCS and then add
        # to output paths
        # TODO: Externalize fetching files from GCS buckets to a different module.
        for path in gs_paths:
            local_path = None
            try:
                output_writer = output_manager.GCSOutputWriter(
                    path, local_output_dir=self._output_path)
                local_path = output_writer.copy_from(path)
            except TurbiniaException as e:
                self.state.add_error(e, critical=True)
                return

            if local_path:
                self.state.output.append((timeline_label, local_path))

        if not self.state.output:
            self.state.add_error('No .plaso files could be found.',
                                 critical=True)
Exemple #16
0
  def TurbiniaProcess(self, evidence_):
    """Creates and sends a Turbinia processing request.

    Args:
      evidence_(turbinia.evidence.Evidence): The evience to proecess

    Returns:
      list[dict]: The Turbinia task data
    """
    try:
      evidence_.validate()
    except TurbiniaException as exception:
      self.ModuleError(str(exception), critical=True)

    request = TurbiniaRequest(requester=getpass.getuser())
    request.evidence.append(evidence_)
    if self.sketch_id:
      request.recipe['sketch_id'] = self.sketch_id
    if not self.run_all_jobs:
      # TODO(aarontp): Remove once the release with
      # https://github.com/google/turbinia/pull/554 is live.
      request.recipe['jobs_blacklist'] = [
          'StringsJob', 'BinaryExtractorJob', 'BulkExtractorJob', 'PhotorecJob']
      request.recipe['jobs_denylist'] = [
          'StringsJob', 'BinaryExtractorJob', 'BulkExtractorJob', 'PhotorecJob']

    # Get threat intelligence data from any modules that have stored some.
    # In this case, observables is a list of containers.ThreatIntelligence
    # objects.
    threatintel = self.state.GetContainers(containers.ThreatIntelligence)
    if threatintel:
      self.logger.info(
          'Sending {0:d} threatintel to Turbinia GrepWorkers...'.format(
              len(threatintel)))
      indicators = [item.indicator for item in threatintel]
      request.recipe['filter_patterns'] = indicators

    request_dict = {
        'instance': self.instance,
        'project': self.project,
        'region': self.turbinia_region,
        'request_id': request.request_id
    }

    task_data = None
    try:
      self.logger.info(
          'Creating Turbinia request {0:s} with Evidence {1!s}'.format(
              request.request_id, evidence_.name))
      self.client.send_request(request)
      self.logger.info('Waiting for Turbinia request {0:s} to complete'.format(
          request.request_id))
      self.client.wait_for_request(**request_dict)
      task_data = self.client.get_task_data(**request_dict)
    except TurbiniaException as exception:
      # TODO: determine if exception should be converted into a string as
      # elsewhere in the codebase.
      self.ModuleError(str(exception), critical=True)

    message = self.client.format_task_status(full_report=True, **request_dict)
    short_message = self.client.format_task_status(**request_dict)
    self.logger.info(short_message)

    # Store the message for consumption by any reporting modules.
    report = containers.Report(
        module_name='TurbiniaProcessor', text=message, text_format='markdown')
    self.state.StoreContainer(report)

    return task_data
Exemple #17
0
def main():
    """Main function for turbiniactl"""
    # TODO(aarontp): Allow for single run mode when
    # by specifying evidence which will also terminate the task manager after
    # evidence has been processed.
    parser = argparse.ArgumentParser()
    parser.add_argument('-q',
                        '--quiet',
                        action='store_true',
                        help='Show minimal output')
    parser.add_argument('-v',
                        '--verbose',
                        action='store_true',
                        help='Show verbose output',
                        default=True)
    parser.add_argument('-d',
                        '--debug',
                        action='store_true',
                        help='Show debug output',
                        default=False)
    parser.add_argument('-a',
                        '--all_fields',
                        action='store_true',
                        help='Show all task status fields in output',
                        required=False)
    parser.add_argument(
        '-c',
        '--config_file',
        help='Load explicit config file. If specified it '
        'will ignore config files in other default locations '
        '(/etc/turbinia.conf, ~/.turbiniarc, or in paths referenced in '
        'environment variable TURBINIA_CONFIG_PATH)',
        required=False)
    parser.add_argument('-I',
                        '--recipe',
                        help='Name of Recipe to be employed on evidence',
                        required=False)
    parser.add_argument('-P',
                        '--recipe_path',
                        help='Recipe file path to load and use.',
                        required=False)
    parser.add_argument('-X',
                        '--skip_recipe_validation',
                        action='store_true',
                        help='Do not '
                        'perform recipe validation on the client.',
                        required=False,
                        default=False)
    parser.add_argument(
        '-f',
        '--force_evidence',
        action='store_true',
        help=
        'Force evidence processing request in potentially unsafe conditions',
        required=False)
    parser.add_argument(
        '-k',
        '--decryption_keys',
        help='Decryption keys to be passed in as '
        ' comma separated list. Each entry should be in the form type=key. (e.g. '
        '"-k password=123456,recovery_password=XXXX-XXXX-XXXX-XXXX-XXXX-XXXX")',
        default=[],
        type=csv_list)
    parser.add_argument('-o', '--output_dir', help='Directory path for output')
    parser.add_argument('-L', '--log_file', help='Log file')
    parser.add_argument('-r',
                        '--request_id',
                        help='Create new requests with this Request ID',
                        required=False)
    parser.add_argument(
        '-R',
        '--run_local',
        action='store_true',
        help=
        'Run completely locally without any server or other infrastructure. '
        'This can be used to run one-off Tasks to process data locally.')
    parser.add_argument('-S',
                        '--server',
                        action='store_true',
                        help='Run Turbinia Server indefinitely')
    parser.add_argument('-V',
                        '--version',
                        action='version',
                        version=__version__,
                        help='Show the version')
    parser.add_argument(
        '-D',
        '--dump_json',
        action='store_true',
        help='Dump JSON output of Turbinia Request instead of sending it')
    parser.add_argument(
        '-F',
        '--filter_patterns_file',
        help='A file containing newline separated string patterns to filter '
        'text based evidence files with (in extended grep regex format). '
        'This filtered output will be in addition to the complete output')
    parser.add_argument('-Y',
                        '--yara_rules_file',
                        help='A file containing Yara rules.')
    parser.add_argument(
        '-j',
        '--jobs_allowlist',
        default=[],
        type=csv_list,
        help='An allowlist for Jobs that will be allowed to run (in CSV format, '
        'no spaces). This will not force them to run if they are not configured '
        'to. This is applied both at server start time and when the client makes '
        'a processing request. When applied at server start time the change is '
        'persistent while the server is running.  When applied by the client, it '
        'will only affect that processing request.')
    parser.add_argument(
        '-J',
        '--jobs_denylist',
        default=[],
        type=csv_list,
        help='A denylist for Jobs we will not allow to run.  See '
        '--jobs_allowlist help for details on format and when it is applied.')
    parser.add_argument(
        '-p',
        '--poll_interval',
        default=60,
        type=int,
        help='Number of seconds to wait between polling for task state info')
    parser.add_argument(
        '-t',
        '--task',
        help='The name of a single Task to run locally (must be used with '
        '--run_local.')
    parser.add_argument('-T',
                        '--debug_tasks',
                        action='store_true',
                        help='Show debug output for all supported tasks',
                        default=False)
    parser.add_argument(
        '-w',
        '--wait',
        action='store_true',
        help='Wait to exit until all tasks for the given request have completed'
    )
    subparsers = parser.add_subparsers(dest='command',
                                       title='Commands',
                                       metavar='<command>')

    # Action for printing config
    parser_config = subparsers.add_parser('config',
                                          help='Print out config file')
    parser_config.add_argument('-f',
                               '--file_only',
                               action='store_true',
                               help='Print out file path only')

    #Sends Test Notification
    parser_testnotify = subparsers.add_parser('testnotify',
                                              help='Sends test notification')

    # TODO(aarontp): Find better way to specify these that allows for multiple
    # pieces of evidence to be submitted. Maybe automagically create different
    # commands based on introspection of evidence objects?
    # RawDisk
    parser_rawdisk = subparsers.add_parser('rawdisk',
                                           help='Process RawDisk as Evidence')
    parser_rawdisk.add_argument('-l',
                                '--source_path',
                                help='Local path to the evidence',
                                required=True)
    parser_rawdisk.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_rawdisk.add_argument('-n',
                                '--name',
                                help='Descriptive name of the evidence',
                                required=False)

    # Parser options for Google Cloud Disk Evidence type
    parser_googleclouddisk = subparsers.add_parser(
        'googleclouddisk',
        help='Process Google Cloud Persistent Disk as Evidence')
    parser_googleclouddisk.add_argument(
        '-C',
        '--copy_only',
        action='store_true',
        help='Only copy disk and do '
        'not process with Turbinia. This only takes effect when a source '
        '--project is defined and can be run without any Turbinia server or '
        'workers configured.')
    parser_googleclouddisk.add_argument('-d',
                                        '--disk_name',
                                        help='Google Cloud name for disk',
                                        required=True)
    parser_googleclouddisk.add_argument(
        '-p',
        '--project',
        help='Project that the disk to process is associated '
        'with. If this is different from the project that Turbinia is running '
        'in, it will be copied to the Turbinia project.')
    parser_googleclouddisk.add_argument(
        '-z', '--zone', help='Geographic zone the disk exists in')
    parser_googleclouddisk.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_googleclouddisk.add_argument(
        '-n',
        '--name',
        help='Descriptive name of the evidence',
        required=False)

    # Parser options for Google Cloud Persistent Disk Embedded Raw Image
    parser_googleclouddiskembedded = subparsers.add_parser(
        'googleclouddiskembedded',
        help='Process Google Cloud Persistent Disk with an embedded raw disk '
        'image as Evidence')
    parser_googleclouddiskembedded.add_argument(
        '-C',
        '--copy_only',
        action='store_true',
        help='Only copy disk and do '
        'not process with Turbinia. This only takes effect when a source '
        '--project is defined and can be run without any Turbinia server or '
        'workers configured.')
    parser_googleclouddiskembedded.add_argument(
        '-e',
        '--embedded_path',
        help=
        'Path within the Persistent Disk that points to the raw image file',
        required=True)
    parser_googleclouddiskembedded.add_argument(
        '-d', '--disk_name', help='Google Cloud name for disk', required=True)
    parser_googleclouddiskembedded.add_argument(
        '-p',
        '--project',
        help='Project that the disk to process is associated '
        'with. If this is different from the project that Turbinia is running '
        'in, it will be copied to the Turbinia project.')
    parser_googleclouddiskembedded.add_argument(
        '-P',
        '--mount_partition',
        default=1,
        type=int,
        help='The partition number to use when mounting the parent disk.  '
        'Defaults to the first partition.  Only affects mounting, and not what '
        'gets processed.')
    parser_googleclouddiskembedded.add_argument(
        '-z', '--zone', help='Geographic zone the disk exists in')
    parser_googleclouddiskembedded.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_googleclouddiskembedded.add_argument(
        '-n',
        '--name',
        help='Descriptive name of the evidence',
        required=False)

    # RawMemory
    parser_rawmemory = subparsers.add_parser(
        'rawmemory', help='Process RawMemory as Evidence')
    parser_rawmemory.add_argument('-l',
                                  '--source_path',
                                  help='Local path to the evidence',
                                  required=True)
    parser_rawmemory.add_argument('-P',
                                  '--profile',
                                  help='Profile to use with Volatility',
                                  required=True)
    parser_rawmemory.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)
    parser_rawmemory.add_argument('-m',
                                  '--module_list',
                                  type=csv_list,
                                  help='Volatility module(s) to execute',
                                  required=True)

    # Parser options for Directory evidence type
    parser_directory = subparsers.add_parser(
        'directory', help='Process a directory as Evidence')
    parser_directory.add_argument('-l',
                                  '--source_path',
                                  help='Local path to the evidence',
                                  required=True)
    parser_directory.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_directory.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)

    # Parser options for CompressedDirectory evidence type
    parser_directory = subparsers.add_parser(
        'compresseddirectory',
        help='Process a compressed tar file as Evidence')
    parser_directory.add_argument('-l',
                                  '--source_path',
                                  help='Local path to the evidence',
                                  required=True)
    parser_directory.add_argument(
        '-s',
        '--source',
        help='Description of the source of the evidence',
        required=False)
    parser_directory.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)

    # Parser options for ChromiumProfile evidence type
    parser_hindsight = subparsers.add_parser(
        'hindsight', help='Process ChromiumProfile as Evidence')
    parser_hindsight.add_argument('-l',
                                  '--source_path',
                                  help='Local path to the evidence',
                                  required=True)
    parser_hindsight.add_argument('-f',
                                  '--format',
                                  help='Output format (supported types are '
                                  'xlsx, sqlite, jsonl)',
                                  default='sqlite')
    parser_hindsight.add_argument(
        '-b',
        '--browser_type',
        help='The type of browser the input files belong'
        'to (supported types are Chrome, Brave)',
        default='Chrome')
    parser_hindsight.add_argument('-n',
                                  '--name',
                                  help='Descriptive name of the evidence',
                                  required=False)

    # List Jobs
    subparsers.add_parser(
        'listjobs',
        help='List all available Jobs. These Job names can be used by '
        '--jobs_allowlist and --jobs_denylist')

    # PSQ Worker
    parser_psqworker = subparsers.add_parser('psqworker',
                                             help='Run PSQ worker')
    parser_psqworker.add_argument('-S',
                                  '--single_threaded',
                                  action='store_true',
                                  help='Run PSQ Worker in a single thread',
                                  required=False)

    # Celery Worker
    subparsers.add_parser('celeryworker', help='Run Celery worker')

    # Parser options for Turbinia status command
    parser_status = subparsers.add_parser('status',
                                          help='Get Turbinia Task status')
    parser_status.add_argument(
        '-c',
        '--close_tasks',
        action='store_true',
        help='Close tasks based on Request ID or Task ID',
        required=False)
    parser_status.add_argument(
        '-C',
        '--csv',
        action='store_true',
        help='When used with --statistics, the output will be in CSV format',
        required=False)
    parser_status.add_argument('-d',
                               '--days_history',
                               default=0,
                               type=int,
                               help='Number of days of history to show',
                               required=False)
    parser_status.add_argument(
        '-D',
        '--dump_json',
        action='store_true',
        help='Dump JSON status output instead text. Compatible with -d, -u, '
        '-r and -t flags, but not others')
    parser_status.add_argument('-f',
                               '--force',
                               help='Gatekeeper for --close_tasks',
                               action='store_true',
                               required=False)
    parser_status.add_argument('-r',
                               '--request_id',
                               help='Show tasks with this Request ID',
                               required=False)
    # 20 == Priority.High. We are setting this manually here because we don't want
    # to load the worker module yet in order to access this Enum.
    parser_status.add_argument(
        '-p',
        '--priority_filter',
        default=20,
        type=int,
        required=False,
        help='This sets what report sections are shown in full detail in '
        'report output.  Any tasks that have set a report_priority value '
        'equal to or lower than this setting will be shown in full detail, and '
        'tasks with a higher value will only have a summary shown.  To see all '
        'tasks report output in full detail, set --priority_filter=100')
    parser_status.add_argument(
        '-R',
        '--full_report',
        help='Generate full markdown report instead of just a summary',
        action='store_true',
        required=False)
    parser_status.add_argument('-s',
                               '--statistics',
                               help='Generate statistics only',
                               action='store_true',
                               required=False)
    parser_status.add_argument('-t',
                               '--task_id',
                               help='Show task for given Task ID',
                               required=False)
    parser_status.add_argument('-u',
                               '--user',
                               help='Show task for given user',
                               required=False)
    parser_status.add_argument(
        '-i',
        '--requests',
        required=False,
        action='store_true',
        help='Show all requests from a specified timeframe. The default '
        'timeframe is 7 days. Please use the -d flag to extend this.')
    parser_status.add_argument(
        '-w',
        '--workers',
        required=False,
        action='store_true',
        help='Show Worker status information from a specified timeframe. The '
        'default timeframe is 7 days. Please use the -d flag to extend this. '
        'Additionaly, you can use the -a or --all_fields flag to retrieve the '
        'full output containing finished and unassigned worker tasks.')
    parser_log_collector = subparsers.add_parser(
        'gcplogs', help='Collects Turbinia logs from Stackdriver.')
    parser_log_collector.add_argument('-o',
                                      '--output_dir',
                                      help='Directory path for output',
                                      required=False)
    parser_log_collector.add_argument(
        '-q',
        '--query',
        help='Filter expression to use to query Stackdriver logs.')
    parser_log_collector.add_argument('-d',
                                      '--days_history',
                                      default=1,
                                      type=int,
                                      help='Number of days of history to show',
                                      required=False)
    parser_log_collector.add_argument('-s',
                                      '--server_logs',
                                      action='store_true',
                                      help='Collects all server related logs.')
    parser_log_collector.add_argument('-w',
                                      '--worker_logs',
                                      action='store_true',
                                      help='Collects all worker related logs.')

    # Add GCS logs collector
    parser_gcs_logs = subparsers.add_parser(
        'dumpgcs', help='Get Turbinia results from Google Cloud Storage.')
    parser_gcs_logs.add_argument('-o',
                                 '--output_dir',
                                 help='Directory path for output.',
                                 required=True)
    parser_gcs_logs.add_argument(
        '-t', '--task_id', help='Download all the results for given task_id.')
    parser_gcs_logs.add_argument(
        '-r',
        '--request_id',
        help='Download all the results for given request_id.')
    parser_gcs_logs.add_argument(
        '-b',
        '--bucket',
        help='Alternate GCS bucket to download from. Must be in the following '
        'format gs://{BUCKET_NAME}/. Defaults to the BUCKET_NAME as specified '
        'in the config')
    parser_gcs_logs.add_argument(
        '-d',
        '--days_history',
        default=0,
        type=int,
        help='Number of days of history to to query results for',
        required=False)
    parser_gcs_logs.add_argument(
        '-i',
        '--instance_id',
        help='Instance ID used to run tasks/requests. You must provide an '
        'instance ID if the task/request was not processed on the same instance '
        'as your confing file.')
    # Server
    subparsers.add_parser('server', help='Run Turbinia Server')

    args = parser.parse_args()

    # (jorlamd): Importing recipe_helpers late to avoid a bug where
    # client.TASK_MAP is imported early rendering the check for worker
    # status not possible.
    from turbinia.lib import recipe_helpers

    # Load the config before final logger setup so we can the find the path to the
    # log file.
    try:
        if args.config_file:
            config.LoadConfig(config_file=args.config_file)
        else:
            config.LoadConfig()
    except TurbiniaException as exception:
        print('Could not load config file ({0!s}).\n{1:s}'.format(
            exception, config.CONFIG_MSG))
        sys.exit(1)

    if args.log_file:
        config.LOG_FILE = args.log_file
    if args.output_dir:
        config.OUTPUT_DIR = args.output_dir

    config.TURBINIA_COMMAND = args.command
    server_flags_set = args.server or args.command == 'server'
    worker_flags_set = args.command in ('psqworker', 'celeryworker')
    # Run logger setup again if we're running as a server or worker (or have a log
    # file explicitly set on the command line) to set a file-handler now that we
    # have the logfile path from the config.
    if server_flags_set or worker_flags_set or args.log_file:
        logger.setup()
    if args.quiet:
        log.setLevel(logging.ERROR)
    elif args.debug:
        log.setLevel(logging.DEBUG)
    else:
        log.setLevel(logging.INFO)

    # Enable tasks debugging for supported tasks
    if args.debug_tasks:
        config.DEBUG_TASKS = True

    if config.TASK_MANAGER == 'PSQ':
        from turbinia.lib import google_cloud
        from libcloudforensics.providers.gcp import forensics as gcp_forensics

    # Enable GCP Stackdriver Logging
    if config.STACKDRIVER_LOGGING and args.command in ('server', 'psqworker'):
        google_cloud.setup_stackdriver_handler(config.TURBINIA_PROJECT,
                                               args.command)

    log.info('Turbinia version: {0:s}'.format(__version__))

    # Do late import of other needed Turbinia modules.  This is needed because the
    # config is loaded by these modules at load time, and we want to wait to load
    # the config until after we parse the args so that we can use those arguments
    # to point to config paths.
    from turbinia import notify
    from turbinia import client as TurbiniaClientProvider
    from turbinia.client import TurbiniaCeleryClient
    from turbinia.worker import TurbiniaCeleryWorker
    from turbinia.worker import TurbiniaPsqWorker
    from turbinia.server import TurbiniaServer
    from turbinia import evidence
    from turbinia.message import TurbiniaRequest

    # Print out config if requested
    if args.command == 'config':
        if args.file_only:
            log.info('Config file path is {0:s}\n'.format(config.configSource))
            sys.exit(0)

        try:
            with open(config.configSource, "r") as f:
                print(f.read())
                sys.exit(0)
        except IOError as exception:
            log.info("Failed to read config file {0:s}: {1!s}".format(
                config.configSource, exception))
            sys.exit(1)
    #sends test notification
    if args.command == 'testnotify':
        notify.sendmail(config.EMAIL_ADDRESS, 'Turbinia test notification',
                        'This is a test notification')
        sys.exit(0)

    args.jobs_allowlist = [j.lower() for j in args.jobs_allowlist]
    args.jobs_denylist = [j.lower() for j in args.jobs_denylist]
    if args.jobs_allowlist and args.jobs_denylist:
        log.error(
            'A Job filter allowlist and denylist cannot be specified at the same '
            'time')
        sys.exit(1)

    # Read set set filter_patterns
    filter_patterns = []
    if (args.filter_patterns_file
            and not os.path.exists(args.filter_patterns_file)):
        log.error('Filter patterns file {0:s} does not exist.')
        sys.exit(1)
    elif args.filter_patterns_file:
        try:
            filter_patterns = open(
                args.filter_patterns_file).read().splitlines()
        except IOError as e:
            log.warning('Cannot open file {0:s} [{1!s}]'.format(
                args.filter_patterns_file, e))

    # Read yara rules
    yara_rules = ''
    if (args.yara_rules_file and not os.path.exists(args.yara_rules_file)):
        log.error('Filter patterns file {0:s} does not exist.')
        sys.exit(1)
    elif args.yara_rules_file:
        try:
            yara_rules = open(args.yara_rules_file).read()
        except IOError as e:
            log.warning('Cannot open file {0:s} [{1!s}]'.format(
                args.yara_rules_file, e))
            sys.exit(1)

    # Create Client object
    client = None
    if args.command not in ('psqworker', 'server'):
        client = TurbiniaClientProvider.get_turbinia_client(args.run_local)

    # Make sure run_local flags aren't conflicting with other server/client flags
    if args.run_local and (server_flags_set or worker_flags_set):
        log.error(
            '--run_local flag is not compatible with server/worker flags')
        sys.exit(1)

    if args.run_local and not args.task:
        log.error('--run_local flag requires --task flag')
        sys.exit(1)

    # Set zone/project to defaults if flags are not set, and also copy remote
    # disk if needed.
    if args.command in ('googleclouddisk', 'googleclouddiskrawembedded'):
        if not args.zone and config.TURBINIA_ZONE:
            args.zone = config.TURBINIA_ZONE
        elif not args.zone and not config.TURBINIA_ZONE:
            log.error('Turbinia zone must be set by --zone or in config')
            sys.exit(1)

        if not args.project and config.TURBINIA_PROJECT:
            args.project = config.TURBINIA_PROJECT
        elif not args.project and not config.TURBINIA_PROJECT:
            log.error('Turbinia project must be set by --project or in config')
            sys.exit(1)

        if ((args.project and args.project != config.TURBINIA_PROJECT)
                or (args.zone and args.zone != config.TURBINIA_ZONE)):
            new_disk = gcp_forensics.CreateDiskCopy(args.project,
                                                    config.TURBINIA_PROJECT,
                                                    None,
                                                    config.TURBINIA_ZONE,
                                                    disk_name=args.disk_name)
            args.disk_name = new_disk.name
            if args.copy_only:
                log.info(
                    '--copy_only specified, so not processing with Turbinia')
                sys.exit(0)

    # Set request id
    request_id = args.request_id if args.request_id else uuid.uuid4().hex

    # Start Evidence configuration
    evidence_ = None
    if args.command == 'rawdisk':
        args.name = args.name if args.name else args.source_path
        source_path = os.path.abspath(args.source_path)
        evidence_ = evidence.RawDisk(name=args.name,
                                     source_path=source_path,
                                     source=args.source)
    elif args.command == 'directory':
        args.name = args.name if args.name else args.source_path
        source_path = os.path.abspath(args.source_path)

        if not config.SHARED_FILESYSTEM:
            log.info('A Cloud Only Architecture has been detected. '
                     'Compressing the directory for GCS upload.')
            source_path = archive.CompressDirectory(source_path,
                                                    output_path=config.TMP_DIR)
            args.name = args.name if args.name else source_path
            evidence_ = evidence.CompressedDirectory(name=args.name,
                                                     source_path=source_path,
                                                     source=args.source)
        else:
            evidence_ = evidence.Directory(name=args.name,
                                           source_path=source_path,
                                           source=args.source)
    elif args.command == 'compresseddirectory':
        archive.ValidateTarFile(args.source_path)
        args.name = args.name if args.name else args.source_path
        source_path = os.path.abspath(args.source_path)
        evidence_ = evidence.CompressedDirectory(name=args.name,
                                                 source_path=source_path,
                                                 source=args.source)
    elif args.command == 'googleclouddisk':
        args.name = args.name if args.name else args.disk_name
        evidence_ = evidence.GoogleCloudDisk(name=args.name,
                                             disk_name=args.disk_name,
                                             project=args.project,
                                             zone=args.zone,
                                             source=args.source)
    elif args.command == 'googleclouddiskembedded':
        args.name = args.name if args.name else args.disk_name
        parent_evidence_ = evidence.GoogleCloudDisk(
            name=args.name,
            disk_name=args.disk_name,
            project=args.project,
            mount_partition=args.mount_partition,
            zone=args.zone,
            source=args.source)
        evidence_ = evidence.GoogleCloudDiskRawEmbedded(
            name=args.name,
            disk_name=args.disk_name,
            project=args.project,
            zone=args.zone,
            embedded_path=args.embedded_path)
        evidence_.set_parent(parent_evidence_)
    elif args.command == 'hindsight':
        if args.format not in ['xlsx', 'sqlite', 'jsonl']:
            log.error('Invalid output format.')
            sys.exit(1)
        if args.browser_type not in ['Chrome', 'Brave']:
            log.error('Browser type not supported.')
            sys.exit(1)
        args.name = args.name if args.name else args.source_path
        source_path = os.path.abspath(args.source_path)
        evidence_ = evidence.ChromiumProfile(name=args.name,
                                             source_path=source_path,
                                             output_format=args.format,
                                             browser_type=args.browser_type)
    elif args.command == 'rawmemory':
        args.name = args.name if args.name else args.source_path
        source_path = os.path.abspath(args.source_path)
        evidence_ = evidence.RawMemory(name=args.name,
                                       source_path=source_path,
                                       profile=args.profile,
                                       module_list=args.module_list)
    elif args.command == 'psqworker':
        # Set up root logger level which is normally set by the psqworker command
        # which we are bypassing.
        logger.setup()
        worker = TurbiniaPsqWorker(jobs_denylist=args.jobs_denylist,
                                   jobs_allowlist=args.jobs_allowlist)
        worker.start()
    elif args.command == 'celeryworker':
        logger.setup()
        worker = TurbiniaCeleryWorker(jobs_denylist=args.jobs_denylist,
                                      jobs_allowlist=args.jobs_allowlist)
        worker.start()
    elif args.command == 'server':
        server = TurbiniaServer(jobs_denylist=args.jobs_denylist,
                                jobs_allowlist=args.jobs_allowlist)
        server.start()
    elif args.command == 'status':
        region = config.TURBINIA_REGION
        if args.close_tasks:
            if args.user or args.request_id or args.task_id:
                print(
                    client.close_tasks(instance=config.INSTANCE_ID,
                                       project=config.TURBINIA_PROJECT,
                                       region=region,
                                       request_id=args.request_id,
                                       task_id=args.task_id,
                                       user=args.user,
                                       requester=getpass.getuser()))
                sys.exit(0)
            else:
                log.info(
                    '--close_tasks (-c) requires --user, --request_id, or/and --task_id'
                )
                sys.exit(1)

        if args.dump_json and (args.statistics or args.requests
                               or args.workers):
            log.info(
                'The --dump_json flag is not compatible with --statistics, '
                '--reqeusts, or --workers flags')
            sys.exit(1)

        if args.statistics:
            print(
                client.format_task_statistics(instance=config.INSTANCE_ID,
                                              project=config.TURBINIA_PROJECT,
                                              region=region,
                                              days=args.days_history,
                                              task_id=args.task_id,
                                              request_id=args.request_id,
                                              user=args.user,
                                              csv=args.csv))
            sys.exit(0)

        if args.wait and args.request_id:
            client.wait_for_request(instance=config.INSTANCE_ID,
                                    project=config.TURBINIA_PROJECT,
                                    region=region,
                                    request_id=args.request_id,
                                    user=args.user,
                                    poll_interval=args.poll_interval)
        elif args.wait and not args.request_id:
            log.info('--wait requires --request_id, which is not specified. '
                     'turbiniactl will exit without waiting.')

        if args.requests:
            print(
                client.format_request_status(instance=config.INSTANCE_ID,
                                             project=config.TURBINIA_PROJECT,
                                             region=region,
                                             days=args.days_history,
                                             all_fields=args.all_fields))
            sys.exit(0)

        if args.workers:
            print(
                client.format_worker_status(instance=config.INSTANCE_ID,
                                            project=config.TURBINIA_PROJECT,
                                            region=region,
                                            days=args.days_history,
                                            all_fields=args.all_fields))
            sys.exit(0)

        if args.dump_json:
            output_json = True
        else:
            output_json = False
        print(
            client.format_task_status(instance=config.INSTANCE_ID,
                                      project=config.TURBINIA_PROJECT,
                                      region=region,
                                      days=args.days_history,
                                      task_id=args.task_id,
                                      request_id=args.request_id,
                                      user=args.user,
                                      all_fields=args.all_fields,
                                      full_report=args.full_report,
                                      priority_filter=args.priority_filter,
                                      output_json=output_json))
        sys.exit(0)

    elif args.command == 'listjobs':
        log.info('Available Jobs:')
        client.list_jobs()
    elif args.command == 'gcplogs':
        if not config.STACKDRIVER_LOGGING:
            log.error(
                'Stackdriver logging must be enabled in order to use this.')
            sys.exit(1)
        if args.output_dir and not os.path.isdir(args.output_dir):
            log.error('Please provide a valid directory path.')
            sys.exit(1)
        query = None
        if args.query:
            query = args.query
        if args.worker_logs:
            if query:
                query = 'jsonPayload.origin="psqworker" {0:s}'.format(query)
            else:
                query = 'jsonPayload.origin="psqworker"'
        if args.server_logs:
            if query:
                query = 'jsonPayload.origin="server" {0:s}'.format(query)
            else:
                query = 'jsonPayload.origin="server"'
        google_cloud.get_logs(config.TURBINIA_PROJECT, args.output_dir,
                              args.days_history, query)
    elif args.command == 'dumpgcs':
        if not config.GCS_OUTPUT_PATH and not args.bucket:
            log.error('GCS storage must be enabled in order to use this.')
            sys.exit(1)
        if not args.task_id and not args.request_id:
            log.error('You must specify one of task_id or request_id.')
            sys.exit(1)
        if not os.path.isdir(args.output_dir):
            log.error('Please provide a valid directory path.')
            sys.exit(1)

        gcs_bucket = args.bucket if args.bucket else config.GCS_OUTPUT_PATH
        instance_id = args.instance_id if args.instance_id else config.INSTANCE_ID

        try:
            task_data = client.get_task_data(instance=instance_id,
                                             days=args.days_history,
                                             project=config.TURBINIA_PROJECT,
                                             region=config.TURBINIA_REGION,
                                             task_id=args.task_id,
                                             request_id=args.request_id,
                                             function_name='gettasks')
            output_writer = GCSOutputWriter(gcs_bucket,
                                            local_output_dir=args.output_dir)
            if not task_data:
                log.error('No Tasks found for task/request ID')
                sys.exit(1)
            if args.task_id:
                log.info(
                    'Downloading GCS files for task_id {0:s} to {1:s}.'.format(
                        args.task_id, args.output_dir))
                for task in task_data:
                    if task['id'] == args.task_id:
                        if task['saved_paths']:
                            output_writer.copy_from_gcs(task['saved_paths'])
            if args.request_id:
                log.info(
                    'Downloading GCS files for request_id {0:s} to {1:s}.'.
                    format(args.request_id, args.output_dir))
                paths = []
                for task in task_data:
                    if task['saved_paths']:
                        paths.extend(task['saved_paths'])
                output_writer.copy_from_gcs(paths)

        except TurbiniaException as exception:
            log.error('Failed to pull the data {0!s}'.format(exception))
    else:
        log.warning('Command {0!s} not implemented.'.format(args.command))

    if evidence_ and not args.force_evidence:
        if config.SHARED_FILESYSTEM and evidence_.cloud_only:
            log.error(
                'The evidence type {0:s} is Cloud only, and this instance of '
                'Turbinia is not a cloud instance.'.format(evidence_.type))
            sys.exit(1)
        elif not config.SHARED_FILESYSTEM and evidence_.copyable:
            if os.path.exists(evidence_.local_path):
                output_manager = OutputManager()
                output_manager.setup(evidence_.type,
                                     request_id,
                                     remote_only=True)
                output_manager.save_evidence(evidence_)
            else:
                log.error(
                    'The evidence local path does not exist: {0:s}. Please submit '
                    'a new Request with a valid path.'.format(
                        evidence_.local_path))
                sys.exit(1)
        elif not config.SHARED_FILESYSTEM and not evidence_.cloud_only:
            log.error(
                'The evidence type {0:s} cannot run on Cloud instances of '
                'Turbinia. Consider wrapping it in a '
                'GoogleCloudDiskRawEmbedded or other Cloud compatible '
                'object'.format(evidence_.type))
            sys.exit(1)

    # If we have evidence to process and we also want to run as a server, then
    # we'll just process the evidence directly rather than send it through the
    # PubSub frontend interface.  If we're not running as a server then we will
    # create a new TurbiniaRequest and send it over PubSub.
    request = None
    if evidence_ and args.server:
        server = TurbiniaServer()
        server.add_evidence(evidence_)
        server.start()
    elif evidence_:
        request = TurbiniaRequest(request_id=request_id,
                                  requester=getpass.getuser())
        request.evidence.append(evidence_)

        if args.decryption_keys:
            for credential in args.decryption_keys:
                try:
                    credential_type, credential_data = credential.split('=')
                except ValueError as exception:
                    log.error(
                        'Could not parse credential [{0:s}] from decryption keys '
                        '{1!s}: {2!s}'.format(credential, args.decryption_keys,
                                              exception))
                    sys.exit(1)
                evidence_.credentials.append(
                    (credential_type, credential_data))

        if args.recipe or args.recipe_path:
            if (args.jobs_denylist or args.jobs_allowlist
                    or args.filter_patterns_file or args.yara_rules_file):
                log.error(
                    'Specifying a recipe is incompatible with defining '
                    'jobs allow/deny lists, yara rules or a patterns file separately.'
                )
                sys.exit(1)

            if args.recipe_path:
                recipe_file = args.recipe_path
            else:
                recipe_file = os.path.join(config.RECIPE_FILE_DIR, args.recipe)
            if not os.path.exists(recipe_file) and not recipe_file.endswith(
                    '.yaml'):
                log.warning(
                    'Could not find recipe file at {0:s}, checking for file '
                    'with .yaml extension'.format(recipe_file))
                recipe_file = recipe_file + '.yaml'
            if not os.path.exists(recipe_file):
                log.error('Recipe file {0:s} could not be found. Exiting.')
                sys.exit(1)

            recipe_dict = recipe_helpers.load_recipe_from_file(
                recipe_file, not args.skip_recipe_validation)
            if not recipe_dict:
                sys.exit(1)
        else:
            recipe_dict = copy.deepcopy(recipe_helpers.DEFAULT_RECIPE)
            recipe_dict['globals']['debug_tasks'] = args.debug_tasks
            recipe_dict['globals']['filter_patterns'] = filter_patterns
            recipe_dict['globals']['jobs_denylist'] = args.jobs_denylist
            recipe_dict['globals']['jobs_allowlist'] = args.jobs_allowlist
            recipe_dict['globals']['yara_rules'] = yara_rules

        request.recipe = recipe_dict

        if args.dump_json:
            print(request.to_json().encode('utf-8'))
            sys.exit(0)
        else:
            log.info('Creating request {0:s} with evidence {1:s}'.format(
                request.request_id, evidence_.name))
            log.info(
                'Run command "turbiniactl status -r {0:s}" to see the status of'
                ' this request and associated tasks'.format(
                    request.request_id))
            if not args.run_local:
                client.send_request(request)
            else:
                log.debug(
                    '--run_local specified so not sending request to server')

        if args.wait:
            log.info('Waiting for request {0:s} to complete'.format(
                request.request_id))
            region = config.TURBINIA_REGION
            client.wait_for_request(instance=config.INSTANCE_ID,
                                    project=config.TURBINIA_PROJECT,
                                    region=region,
                                    request_id=request.request_id,
                                    poll_interval=args.poll_interval)
            print(
                client.format_task_status(instance=config.INSTANCE_ID,
                                          project=config.TURBINIA_PROJECT,
                                          region=region,
                                          request_id=request.request_id,
                                          all_fields=args.all_fields))

    if args.run_local and not evidence_:
        log.error('Evidence must be specified if using --run_local')
        sys.exit(1)
    if args.run_local and evidence_.cloud_only:
        log.error('--run_local cannot be used with Cloud only Evidence types')
        sys.exit(1)
    if args.run_local and evidence_:
        result = client.run_local_task(args.task, request)
        log.info('Task execution result: {0:s}'.format(result))

    log.info('Done.')
    sys.exit(0)
Exemple #18
0
  def process(self):
    """Process files with Turbinia."""
    log_file_path = os.path.join(self._output_path, 'turbinia.log')
    print('Turbinia log file: {0:s}'.format(log_file_path))

    if self.state.input and not self.disk_name:
      _, disk = self.state.input[0]
      self.disk_name = disk.name
      print('Using disk {0:s} from previous collector'.format(self.disk_name))

    evidence_ = evidence.GoogleCloudDisk(
        disk_name=self.disk_name, project=self.project, zone=self.turbinia_zone)
    request = TurbiniaRequest()
    request.evidence.append(evidence_)

    # Get threat intelligence data from any modules that have stored some.
    # In this case, observables is a list of (name, regex) tuples.
    # This will change with issues/138
    observables = self.state.get_data('threat_intelligence')
    if observables:
      print('Sending {0:d} observables to Turbinia GrepWorkers...'.format(
          len(observables)))
      request.recipe['filter_patterns'] = [obs for _, obs in observables]

    request_dict = {
        'instance': self.instance,
        'project': self.project,
        'region': self.turbinia_region,
        'request_id': request.request_id
    }

    try:
      print('Creating Turbinia request {0:s} with Evidence {1!s}'.format(
          request.request_id, evidence_.name))
      self.client.send_request(request)
      print('Waiting for Turbinia request {0:s} to complete'.format(
          request.request_id))
      self.client.wait_for_request(**request_dict)
      task_data = self.client.get_task_data(**request_dict)
    except TurbiniaException as e:
      self.state.add_error(e, critical=True)
      return

    # Turbinia run complete, build a human-readable message of results.
    message = 'Completed {0:d} Turbinia tasks\n'.format(len(task_data))
    for task in task_data:
      message += '{0!s} ({1!s}): {2!s}\n'.format(
          task.get('name'),
          task.get('id'),
          task.get('status', 'No task status'))
      # saved_paths may be set to None
      for path in task.get('saved_paths') or []:
        if path.endswith('worker-log.txt'):
          continue
        if path.endswith('{0!s}.log'.format(task.get('id'))):
          continue
        if path.startswith('/'):
          continue
        message += '  {0:s}\n'.format(path)

    # Store the message for consumption by any reporting modules.
    self.state.store_data('report', message)

    # This finds all .plaso files in the Turbinia output, and determines if they
    # are local or remote (it's possible this will be running against a local
    # instance of Turbinia).
    local_paths = []
    gs_paths = []
    timeline_label = '{0:s}-{1:s}'.format(self.project, self.disk_name)
    for task in task_data:
      # saved_paths may be set to None
      for path in task.get('saved_paths') or []:
        if path.startswith('/') and path.endswith('.plaso'):
          local_paths.append(path)
        if path.startswith('gs://') and path.endswith('.plaso'):
          gs_paths.append(path)

    if not local_paths and not gs_paths:
      self.state.add_error(
          'No .plaso files found in Turbinia output.', critical=True)
      return

    # Any local .plaso files that exist we can add immediately to the output
    self.state.output = [
        (timeline_label, p) for p in local_paths if os.path.exists(p)]

    # For files remote in GCS we copy each plaso file back from GCS and then add
    # to output paths
    # TODO: Externalize fetching files from GCS buckets to a different module.
    for path in gs_paths:
      local_path = None
      try:
        output_writer = output_manager.GCSOutputWriter(
            path, local_output_dir=self._output_path)
        local_path = output_writer.copy_from(path)
      except TurbiniaException as e:
        self.state.add_error(e, critical=True)
        return

      if local_path:
        self.state.output.append((timeline_label, local_path))

    if not self.state.output:
      self.state.add_error('No .plaso files could be found.', critical=True)