Esempio n. 1
0
def main():
    print('Mounting remote filesystem using SSHFS...')

    # read configuration
    c = get_config()
    # print(c)
    if not c:
        print('Cannot read configuration.')
        return 1

    # check if sshfs is installed, if not exit
    if not has_sshfs(c['sshfs']):
        print('SSHFS not installed.')
        return 2

    # test drive
    ok = check_drive(c['drive'])

    if not ok:
        sys.path.insert(0, os.path.dirname(c['sshfs']))
        unmount(c['drive'])
        setup_ssh(c['ssh'], c['keygen'], c['userhost'])
        set_drive_name(c['drivename'], c['userhost'])
        mount(c['sshfs'], c['drive'], c['userhost'])

    return 0
Esempio n. 2
0
def mount_usb():

    devices = list_media_devices()
    found = []
    for device in devices:
        mount(device)
        if is_mounted(device):
            _list_files(get_media_path(device), found)
            if len(found) > 0:
                return True
            else:
                unmount(device)
    return False
def create_kml_from_exif_mr(item_to_process, case_number, root_folder_path, evidence):
	print("The item to process is: " + item_to_process)
	print("The case_name is: " + case_number)
	print("The output folder is: " + root_folder_path)
	print("The evidence to process is: " + evidence)

	evidence_no_quotes = evidence
	evidence = '"' + evidence + '"'

	#create output folder path
	folder_path = root_folder_path + "/" + "KML_From_EXIF"
	check_for_folder(folder_path, "NONE")
	

	#open a log file for output
	log_file = folder_path + "/KML_From_EXIF_logfile.txt"
	outfile = open(log_file, 'wt+')

	#initialize variables
	files_of_interest = {}
	files_of_interest_list = []
	mount_point = "NONE"

	log_file3 = folder_path + "/" + case_number + "_files_to_exploit.xls"
	outfile3 = open(log_file3, 'wt+')

	#write out column headers to xls file
	outfile3.write("Name\tMD5\tFile Size (kb)\n")



	if(item_to_process == "Directory"):
		#select folder to process
		folder_process = evidence_no_quotes
	
		#set folder variable to "folder" since this is a folder and not a disk partition
		folder = "Directory"

		#call process subroutine
		process(folder_process, outfile, folder_path, folder, outfile3)

	elif(item_to_process == 'EnCase Logical Evidence File'):
		folder = "LEF"
		file_to_process = evidence
		mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
		process(mount_point, outfile, folder_path, folder, outfile3)

		#umount
		if(os.path.exists(mount_point)):
			subprocess.call(['sudo umount -f ' + mount_point], shell=True)
			os.rmdir(mount_point)

	elif(item_to_process == 'Single File'):
		process_single_file(evidence_no_quotes, outfile, folder_path, "Single-File", outfile3)

	elif(item_to_process == 'Bit-Stream Image'):

		#select image to process
		Image_Path = evidence

		#get datetime
		now = datetime.datetime.now()

		#set Mount Point
		mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")	

		#check to see if Image file is in Encase format
		if re.search(".E01", Image_Path):
			#strip out single quotes from the quoted path
			no_quotes_path = Image_Path.replace("'","")
			print("The no quotes path is: " + no_quotes_path)
			#call mount_ewf function
			cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
			try:
				subprocess.call([cmd_false], shell=True)
			except:
				print("Autmount false failed")
			Image_Path = mount_ewf(Image_Path, outfile, mount_point)

		#call mmls function
		partition_info_dict, temp_time = mmls(outfile, Image_Path)
		#partition_info_dict_temp, temp_time = partition_info_dict

		#get filesize of mmls_output.txt
		file_size = os.path.getsize("/tmp/mmls_output_" + temp_time +".txt") 
		print("The filesize is: " + str(file_size))

		#if filesize of mmls output is 0 then run parted
		if(file_size == 0):
			print("mmls output was empty, running parted")
			outfile.write("mmls output was empty, running parted")
			#call parted function
			partition_info_dict, temp_time = parted(outfile, Image_Path)	

		else:
	
			#read through the mmls output and look for GUID Partition Tables (used on MACS)
			mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
			for line in mmls_output_file:
				if re.search("GUID Partition Table", line):
					print("We found a GUID partition table, need to use parted")
					outfile.write("We found a GUID partition table, need to use parted\n")
					#call parted function
					partition_info_dict, temp_time = parted(outfile, Image_Path)

			#close file
			mmls_output_file.close()

		#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
		#for key,value in partition_info_dict.items():
		for key,value in sorted(partition_info_dict.items()):

			#create output folder for processed files
			if not os.path.exists(folder_path + "/Processed_files_" + str(key)):
				os.mkdir(folder_path + "/Processed_files_" + str(key))

			#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
			cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
			try:
				subprocess.call([cmd_false], shell=True)
			except:
				print("Autmount false failed")

			#call mount sub-routine
			success_code, loopback_device_mount = mount(value,key,Image_Path, outfile, mount_point)

			if(success_code):
				print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
				outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			else:
		
				print("We just mounted filesystem: " + value + " at offset:" + str(key) + ". Scanning for files of interest.....\n")
				outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

				#call process subroutine
				process(mount_point, outfile, folder_path, key, outfile3)
			

				#unmount and remove mount points
				if(os.path.exists(mount_point)): 
					subprocess.call(['sudo umount -f ' + mount_point], shell=True)
					os.rmdir(mount_point)
				#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
				if not (loopback_device_mount == "NONE"):
					losetup_d_command = "losetup -d " + loopback_device_mount
					subprocess.call([losetup_d_command], shell=True)

			#delete /tmp files created for processing bit-stream images
			if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
				os.remove("/tmp/mmls_output_" + temp_time + ".txt")

	#write out list of filenames to end of output file so that user can create a filter for those filenames in Encase
	outfile3.write("\n\n******** LIST of FILENAMES of INTEREST ******************\n")
	#sort list so that all values are unique
	unique(files_of_interest_list) 
	for files in files_of_interest_list:
		outfile3.write(files + "\n")
	

	#program cleanup
	outfile.close()
	outfile3.close()

	#remove mount points created for this program
	if(os.path.exists(mount_point)):
		subprocess.call(['sudo umount -f ' + mount_point], shell=True)
		os.rmdir(mount_point)
	if(os.path.exists(mount_point+"_ewf")):
		subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
		os.rmdir(mount_point+"_ewf")
	
	#convert outfile using unix2dos	
	#chdir to output foler
	os.chdir(folder_path)

	#run text files through unix2dos
	for root, dirs, files in os.walk(folder_path):
		for filenames in files:
			#get file extension
			fileName, fileExtension = os.path.splitext(filenames)
			if(fileExtension.lower() == ".txt"):
				full_path = os.path.join(root,filenames)
				quoted_full_path = "'" +full_path+"'"
				print("Running Unix2dos against file: " + filenames)
				unix2dos_command = "sudo unix2dos " + filenames
				subprocess.call([unix2dos_command], shell=True)

	#delete empty directories in output folder
	for root, dirs, files in os.walk(folder_path, topdown=False):	
		for directories in dirs:
			files = []
			dir_path = os.path.join(root,directories)
			files = os.listdir(dir_path)	
			if(len(files) == 0):
				os.rmdir(dir_path)

	#unmount and remove mount points
	if(mount_point != "NONE"):
		if(os.path.exists(mount_point+"_ewf")):
			subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
			os.rmdir(mount_point+"_ewf")
Esempio n. 4
0
def entropy_mr(item_to_process, case_number, root_folder_path, evidence):
	
	print("The item to process is: " + item_to_process)
	print("The case_name is: " + case_number)
	print("The output folder is: " + root_folder_path)
	print("The evidence to process is: " + evidence)

	evidence_no_quotes = evidence
	evidence = '"' + evidence + '"'

	#get datetime
	now = datetime.datetime.now()

	#set Mount Point
	mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
	
	#create output folder path
	folder_path = root_folder_path + "/" + "Entropy"
	check_for_folder(folder_path, "NONE")
	

	#open a log file for output
	log_file = folder_path + "/Entropy_logfile.txt"
	outfile = open(log_file, 'wt+')

	#open file to write output
	exp_file = folder_path + "/" + case_number +"_entropy.csv"
	export_file = open(exp_file, 'a+', encoding='latin-1', errors="ignore")
	#export_file = open(exp_file, 'a')

	if(item_to_process == "Single File"):
		ent = calc_entropy(evidence)
		print(ent)

	elif(item_to_process == "Directory"):
		folder_to_process = evidence_no_quotes
		process_folder(folder_to_process, export_file, outfile)
	elif(item_to_process =="EnCase Logical Evidence File"):
		file_to_process = evidence
		mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
		process_folder(mount_point, export_file, outfile)

		#umount
		if(os.path.exists(mount_point)):
			subprocess.call(['sudo umount -f ' + mount_point], shell=True)
			os.rmdir(mount_point)
	elif(item_to_process == "Bit-Stream Image"):
		Image_Path = evidence
		#process every file on every partition
		#get datetime
		now = datetime.datetime.now()

		#set Mount Point
		mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

		#check if Image file is in Encase format
		if re.search(".E01", Image_Path):

			#strip out single quotes from the quoted path
			#no_quotes_path = Image_Path.replace("'","")
			#print("THe no quotes path is: " +  no_quotes_path)
			#call mount_ewf function
			Image_Path = mount_ewf(Image_Path, outfile,mount_point)


		#call mmls function
		partition_info_dict, temp_time = mmls(outfile, Image_Path)
		partition_info_dict_temp = partition_info_dict

		#get filesize of mmls_output.txt
		file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt") 


		#if filesize of mmls output is 0 then run parted
		if(file_size == 0):
			print("mmls output was empty, running parted")
			outfile.write("mmls output was empty, running parted")
			#call parted function
			partition_info_dict, temp_time = parted(outfile, Image_Path)	

		else:

			#read through the mmls output and look for GUID Partition Tables (used on MACS)
			mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
			for line in mmls_output_file:
				if re.search("GUID Partition Table", line):
					print("We found a GUID partition table, need to use parted")
					outfile.write("We found a GUID partition table, need to use parted\n")
					#call parted function
					partition_info_dict, temp_time = parted(outfile, Image_Path)
			mmls_output_file.close()
			

		#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
		for key,value in sorted(partition_info_dict.items()):

			#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
			cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
			try:
				subprocess.call([cmd_false], shell=True)
			except:
				print("Autmount false failed")

			#call mount sub-routine
			success_code, loopback_device_mount = mount(value,str(key),Image_Path, outfile, mount_point)

			if(success_code):
				print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
				outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			else:
		
				print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
				outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

				#call entropy function for each mount_point
				process_folder(mount_point, export_file, outfile)
				print("We just finished calculating the entropy for every file...sorting output")

				#unmount and remove mount points
				if(os.path.exists(mount_point)): 
					subprocess.call(['sudo umount -f ' + mount_point], shell=True)
					os.rmdir(mount_point)
				#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
				if not (loopback_device_mount == "NONE"):
					losetup_d_command = "losetup -d " + loopback_device_mount
					subprocess.call([losetup_d_command], shell=True)

			

		#delete /tmp files created for each partition
		if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
			os.remove("/tmp/mmls_output_" + temp_time + ".txt")

		

	#close output file
	export_file.close()

	#sort output file
	sort_command = "strings -a  " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
	subprocess.call([sort_command], shell=True)

	#write header row to export_file
	#sed_command = "sed -i '1i\ Entropy,File Name,File Size,MD5,File Path' " + "'" + folder_path + "'" + "/" + 	case_number +"_entropy_sorted.csv"
	sed_command = "sed -i '1i\ Entropy,File Name,File Size,FilePath' " + "'" + folder_path + "'" + "/" + 	case_number +"_entropy_sorted.csv"
	subprocess.call([sed_command], shell=True)

	#remove original output file
	os.remove(exp_file)

	#remove mount points created for this program
	if(os.path.exists(mount_point)):
		os.rmdir(mount_point)
	if(os.path.exists(mount_point+"_ewf")):
		subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
		os.rmdir(mount_point+"_ewf")
    #for key,value in partition_info_dict.items():
    for key, value in sorted(partition_info_dict.items()):

        #create output folder for processed files
        if not os.path.exists(folder_path + "/Processed_files_" + str(key)):
            os.mkdir(folder_path + "/Processed_files_" + str(key))

        #disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
        cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
        try:
            subprocess.call([cmd_false], shell=True)
        except:
            print("Autmount false failed")

        #call mount sub-routine
        success_code = mount(value, key, Image_Path, outfile, mount_point)

        if (success_code):
            print("Could not mount partition with filesystem: " + value +
                  " at offset:" + key)
            outfile.write("Could not mount partition with filesystem: " +
                          value + " at offset:" + key)
        else:

            print("We just mounted filesystem: " + value + " at offset:" +
                  str(key) + ". Scanning for files of interest.....\n")
            outfile.write("We just mounted filesystem: " + value +
                          " at offset:" + str(key) + "\n")

        #call process subroutine
        process(mount_point, outfile, folder_path, key)
Esempio n. 6
0
	#read through the mmls output and look for GUID Partition Tables (used on MACS)
	mmls_output_file = open("/tmp/mmls_output.txt", 'r')
	for line in mmls_output_file:
		if re.search("GUID Partition Table", line):
			print("We found a GUID partition table, need to use parted")
			outfile.write("We found a GUID partition table, need to use parted\n")
			#call parted function
			partition_info_dict = parted(outfile, Image_Path)
			

#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key,value in sorted(partition_info_dict.items()):

	#call mount sub-routine
	success_code = mount(value,str(key),Image_Path, outfile, mount_point)

	if(success_code):
		print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
		outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
	else:
		
		print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
		outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

	if(value == "fat32") or (value == "ntfs"):
		#get path to registry hives	
		paths = get_system_paths(value, "YES", outfile, mount_point)

		#set up path variables from paths list
		system_hive_path = paths[0]
Esempio n. 7
0
def entropy_module(item_to_process, folder_path, case_number):

	#get datetime
	now = datetime.datetime.now()

	#open a log file for output
	log_file = folder_path + "/" + case_number + "_logfile.txt"
	outfile = open(log_file, 'a')

	#open file to write output
	exp_file = folder_path + "/" + case_number +"_entropy.csv"
	export_file = open(exp_file, 'a')

	if(item_to_process == "file"):
		file_to_process = select_file_to_process(outfile)
		ent = calc_entropy(file_to_process)
		print(ent)

	elif(item_to_process == "folder"):
		folder_to_process = select_folder_to_process(outfile)
		process_folder(folder_to_process, export_file)
	elif(item_to_process =="L01"):
		file_to_process = select_file_to_process(outfile)
		mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
		process_folder(mount_point, export_file)

		#umount
		if(os.path.exists(mount_point)):
			subprocess.call(['sudo umount -f ' + mount_point], shell=True)
			os.rmdir(mount_point)
	elif(item_to_process == "image"):
		Image_Path = select_file_to_process(outfile)
	
		#process every file on every partition
		#get datetime
		now = datetime.datetime.now()

		#set Mount Point
		mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")

		#check if Image file is in Encase format
		if re.search(".E01", Image_Path):

			#strip out single quotes from the quoted path
			#no_quotes_path = Image_Path.replace("'","")
			#print("THe no quotes path is: " +  no_quotes_path)
			#call mount_ewf function
			Image_Path = mount_ewf(Image_Path, outfile,mount_point)


		#call mmls function
		partition_info_dict = mmls(outfile, Image_Path)
		partition_info_dict_temp = partition_info_dict

		#get filesize of mmls_output.txt
		file_size = os.path.getsize("/tmp/mmls_output.txt") 


		#if filesize of mmls output is 0 then run parted
		if(file_size == 0):
			print("mmls output was empty, running parted")
			outfile.write("mmls output was empty, running parted")
			#call parted function
			partition_info_dict = parted(outfile, Image_Path)	

		else:

			#read through the mmls output and look for GUID Partition Tables (used on MACS)
			mmls_output_file = open("/tmp/mmls_output.txt", 'r')
			for line in mmls_output_file:
				if re.search("GUID Partition Table", line):
					print("We found a GUID partition table, need to use parted")
					outfile.write("We found a GUID partition table, need to use parted\n")
					#call parted function
					partition_info_dict = parted(outfile, Image_Path)
			

		#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
		for key,value in sorted(partition_info_dict.items()):

			#call mount sub-routine
			success_code = mount(value,str(key),Image_Path, outfile, mount_point)

			if(success_code):
				print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
				outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			else:
		
				print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
				outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

				#call entropy function for each mount_point
				process_folder(mount_point, export_file)

				#unmount and remove mount points
				if(os.path.exists(mount_point)):
					subprocess.call(['sudo umount -f ' + mount_point], shell=True)
					os.rmdir(mount_point)

	#close output file
	export_file.close()

	#sort output file
	sort_command = "strings -a  " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
	subprocess.call([sort_command], shell=True)

	#write header row to export_file
	sed_command = "sed -i '1i\ Entropy,File Name,File Size,File Path' " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
	subprocess.call([sed_command], shell=True)

	#remove original output file
	os.remove(exp_file)
Esempio n. 8
0
    #read through the mmls output and look for GUID Partition Tables (used on MACS)
    mmls_output_file = open("/tmp/mmls_output.txt", 'r')
    for line in mmls_output_file:
        if re.search("GUID Partition Table", line):
            print("We found a GUID partition table, need to use parted")
            outfile.write(
                "We found a GUID partition table, need to use parted\n")
            #call parted function
            partition_info_dict = parted(outfile, Image_Path)

#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key, value in sorted(partition_info_dict.items()):

    #call mount sub-routine
    success_code = mount(value, str(key), Image_Path, outfile, mount_point)

    if (success_code):
        print("Could not mount partition with filesystem: " + value +
              " at offset:" + str(key))
        outfile.write("Could not mount partition with filesystem: " + value +
                      " at offset:" + str(key))
    else:

        print("We just mounted filesystem: " + value + " at offset:" +
              str(key) + "\n")
        outfile.write("We just mounted filesystem: " + value + " at offset:" +
                      str(key) + "\n")

    if (value == "fat32") or (value == "ntfs"):
        #get path to registry hives
Esempio n. 9
0
def av_scanner_mr(item_to_process, case_number, root_folder_path, evidence, conf_file):
	
	print("The item to process is: " + item_to_process)
	print("The case_name is: " + case_number)
	print("The output folder is: " + root_folder_path)
	print("The evidence to process is: " + evidence)
	print("The configuration file is located at: " + conf_file)

	evidence_no_quotes = evidence
	evidence = '"' + evidence + '"'

	#get datetime
	now = datetime.datetime.now()

	#set Mount Point
	mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
	
	#create output folder path
	output_folder_path = root_folder_path + "/" + "AV_Scanner"
	check_for_folder(output_folder_path, "NONE")
	

	#open a log file for output
	log_file = output_folder_path + "/AV_Scanner_logfile.txt"
	outfile = open(log_file, 'wt+')

	if(item_to_process == "Single File"):
		print("Please put your file in a folder and then scan the folder")

	elif(item_to_process == "Directory"):
		folder_to_process = evidence_no_quotes
		process_folder(folder_to_process, output_folder_path, outfile, "Directory", conf_file)
	elif(item_to_process =="EnCase Logical Evidence File"):
		file_to_process = evidence
		mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
		process_folder(mount_point, output_folder_path, outfile, "LEF", conf_file)

		#umount
		if(os.path.exists(mount_point)):
			subprocess.call(['sudo umount -f ' + mount_point], shell=True)
			os.rmdir(mount_point)
	elif(item_to_process == "Bit-Stream Image"):
		Image_Path = evidence
		#process every file on every partition
		#get datetime
		now = datetime.datetime.now()

		#set Mount Point
		mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

		#check if Image file is in Encase format
		if re.search(".E01", Image_Path):

			#strip out single quotes from the quoted path
			#no_quotes_path = Image_Path.replace("'","")
			#print("THe no quotes path is: " +  no_quotes_path)
			#call mount_ewf function
			Image_Path = mount_ewf(Image_Path, outfile,mount_point)


		#call mmls function
		partition_info_dict, temp_time = mmls(outfile, Image_Path)
		partition_info_dict_temp = partition_info_dict

		#get filesize of mmls_output.txt
		file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt") 


		#if filesize of mmls output is 0 then run parted
		if(file_size == 0):
			print("mmls output was empty, running parted")
			outfile.write("mmls output was empty, running parted")
			#call parted function
			partition_info_dict, temp_time = parted(outfile, Image_Path)	

		else:

			#read through the mmls output and look for GUID Partition Tables (used on MACS)
			mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
			for line in mmls_output_file:
				if re.search("GUID Partition Table", line):
					print("We found a GUID partition table, need to use parted")
					outfile.write("We found a GUID partition table, need to use parted\n")
					#call parted function
					partition_info_dict, temp_time = parted(outfile, Image_Path)
			mmls_output_file.close()
			

		#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
		for key,value in sorted(partition_info_dict.items()):

			#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
			cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
			try:
				subprocess.call([cmd_false], shell=True)
			except:
				print("Autmount false failed")

			#call mount sub-routine
			success_code, loopback_device_mount = mount(value,str(key),Image_Path, outfile, mount_point)

			if(success_code):
				print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
				outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			else:
		
				print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
				outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

				#call av_scanner function for each mount_point
				process_folder(mount_point, output_folder_path, outfile, "partition_offset_"+str(key), conf_file)
				print("We just finished scanning every file...sorting output")

				#unmount and remove mount points
				if(os.path.exists(mount_point)): 
					subprocess.call(['sudo umount -f ' + mount_point], shell=True)
					os.rmdir(mount_point)
				#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
				if not (loopback_device_mount == "NONE"):
					losetup_d_command = "losetup -d " + loopback_device_mount
					subprocess.call([losetup_d_command], shell=True)

			

		#delete /tmp files created for each partition
		if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
			os.remove("/tmp/mmls_output_" + temp_time + ".txt")

	#close logfile
	outfile.close()

	#remove mount points created for this program
	if(os.path.exists(mount_point)):
		os.rmdir(mount_point)
	if(os.path.exists(mount_point+"_ewf")):
		subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
		os.rmdir(mount_point+"_ewf")

#run text files through unix2dos
	for root, dirs, files in os.walk(output_folder_path):
		for filenames in files:
			#get file extension
			fileName, fileExtension = os.path.splitext(filenames)
			if(fileExtension.lower() == ".txt"):
				full_path = os.path.join(root,filenames)
				quoted_full_path = "'" +full_path+"'"
				print("Running Unix2dos against file: " + quoted_full_path)
				#unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
				unix2dos_command = "sudo unix2dos " + quoted_full_path
				subprocess.call([unix2dos_command], shell=True)
Esempio n. 10
0
def jumplist_mr(item_to_process, case_number, root_folder_path, evidence):


	print("The item to process is: " + item_to_process)
	print("The case_name is: " + case_number)
	print("The output folder is: " + root_folder_path)
	print("The evidence to process is: " + evidence)

	evidence = '"' + evidence + '"'

	#get datetime
	now = datetime.datetime.now()

	#set Mount Point
	mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")
	
	#create output folder path
	folder_path = root_folder_path + "/" + "Jumplist_Parser"
	check_for_folder(folder_path, "NONE")
	

	#open a log file for output
	log_file = folder_path + "/Jumplist_Parser_logfile.txt"
	outfile = open(log_file, 'wt+')

	

	#select image to process
	Image_Path = evidence
	print("The image path is: " + Image_Path)

	#check to see if Image file is in Encase format
	if re.search(".E01", Image_Path):
		#strip out single quotes from the quoted path
		no_quotes_path = Image_Path.replace("'","")
		print("The no quotes path is: " + no_quotes_path)
		#call mount_ewf function
		Image_Path = mount_ewf(no_quotes_path, outfile, mount_point)

	#call mmls function
	partition_info_dict, temp_time = mmls(outfile, Image_Path)
	partition_info_dict_temp = partition_info_dict

	#get filesize of mmls_output.txt
	file_size = os.path.getsize("/tmp/mmls_output_" + temp_time +".txt") 
	print("The filesize is: " + str(file_size))

	#if filesize of mmls output is 0 then run parted
	if(file_size == 0):
		print("mmls output was empty, running parted")
		outfile.write("mmls output was empty, running parted")
		#call parted function
		partition_info_dict, temp_time = parted(outfile, Image_Path)

	else:

		#read through the mmls output and look for GUID Partition Tables (used on MACS)
		mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
		for line in mmls_output_file:
			if re.search("GUID Partition Table", line):
				print("We found a GUID partition table, need to use parted")
				outfile.write("We found a GUID partition table, need to use parted\n")
				#call parted function
				partition_info_dict, temp_time = parted(outfile, Image_Path)

	#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
	#for key,value in partition_info_dict.items():
	for key,value in sorted(partition_info_dict.items()):

		#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
		cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
		try:
			subprocess.call([cmd_false], shell=True)
		except:
			print("Autmount false failed")

		#run mount command
		success_code, loopback_device_mount = mount(value,key,Image_Path, outfile, mount_point)

		if(success_code):
			print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
		else:
		
			print("We just mounted filesystem: " + value + " at offset:" + str(key) + ".\n")
			outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
		
			#run jl.pl against every JumpList file found under mount_point if filesystem is fat32 or ntfs
			if(value == "ntfs") or (value=="fat32"):
				for root, dirs, files in os.walk(mount_point):
					for filenames in files:
						#get file extension
						fileName, fileExtension = os.path.splitext(filenames)
						if(fileExtension.lower() == ".automaticdestinations-ms"):
							full_path = os.path.join(root,filenames)
							quoted_full_path = "'" +full_path+"'"
							print("Processing Jump List: " + filenames)
							outfile.write("Processing Jump List: " + filenames + "\n")

							#get profile name
							profile = get_account_profile_names(full_path, outfile)
							print("The profile is: " + profile)
							outfile.write("The profile is: " + profile + "\n")
			
							#process Jumplist files with jl.pl
							#jl_command = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -f " + full_path + " >> " + "'" + folder_path + "/jumplist_metadata.txt" + "'"
							jl_command_tln = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -t -f " + quoted_full_path + " >> " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'"
							outfile.write("The jl_command_tln is: " + jl_command_tln + "\n")
							subprocess.call([jl_command_tln], shell=True)
						else:
							print("Scanning file: " + filenames + ".  This file is not a jumplist.")
				#unmount and remove mount points
				if(os.path.exists(mount_point)): 
					subprocess.call(['sudo umount -f ' + mount_point], shell=True)
					os.rmdir(mount_point)
				#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
				if not (loopback_device_mount == "NONE"):
					losetup_d_command = "losetup -d " + loopback_device_mount
					subprocess.call([losetup_d_command], shell=True)
			else:
				print("Filesystem: " + value + " at offset:" + str(key) + " is not NTFS or FAT32")
				outfile.write("Filesystem: " + value + " at offset:" + str(key) + " is not NTFS or FAT32\n")

				if(os.path.exists(mount_point)): 
					subprocess.call(['sudo umount -f ' + mount_point], shell=True)
					os.rmdir(mount_point)
				#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
				if not (loopback_device_mount == "NONE"):
					losetup_d_command = "losetup -d " + loopback_device_mount
					subprocess.call([losetup_d_command], shell=True)
			#create timeline
			parse_command = "perl /usr/share/windows-perl/parse.pl -f " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'" + "> " + "'" + folder_path + "/jumplist_timeline.txt" + "'"
			subprocess.call([parse_command], shell=True)

	#unmount and remove mount points
	#if(os.path.exists(mount_point)):
	#	os.rmdir(mount_point)
	if(os.path.exists(mount_point+"_ewf")):
		print("Unmounting mount point for ewf before exiting\n\n")
		subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
		os.rmdir(mount_point+"_ewf")

	#program cleanup
	outfile.close()
	#convert outfile using unix2dos	
	#chdir to output foler
	os.chdir(folder_path)

	#run text files through unix2dos
	for root, dirs, files in os.walk(folder_path):
			for filenames in files:
				#get file extension
				fileName, fileExtension = os.path.splitext(filenames)
				if(fileExtension.lower() == ".txt"):
					full_path = os.path.join(root,filenames)
					quoted_full_path = "'" +full_path+"'"
					print("Running Unix2dos against file: " + filenames)
					unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
					subprocess.call([unix2dos_command], shell=True)
Esempio n. 11
0
	#for key,value in partition_info_dict.items():
	for key,value in sorted(partition_info_dict.items()):

		#create output folder for processed files
		if not os.path.exists(folder_path + "/Processed_files_" + str(key)):
			os.mkdir(folder_path + "/Processed_files_" + str(key))
	
		#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
		cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
		try:
			subprocess.call([cmd_false], shell=True)
		except:
			print("Autmount false failed")

		#call mount sub-routine
		success_code = mount(value,key,Image_Path, outfile, mount_point)

		if(success_code):
			print("Could not mount partition with filesystem: " + value + " at offset:" + key)
			outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + key)
		else:
		
			print("We just mounted filesystem: " + value + " at offset:" + str(key) + ". Scanning for files of interest.....\n")
			outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

		#call process subroutine
		process(mount_point, outfile, folder_path, key)
			

		#call mount sub-routine
		print("Unmounting mount point before exiting\n\n")
Esempio n. 12
0
    file_local_path = "/home/stage/Prova.txt"

    if flag:
        x = open(file_local_path, "w")  #apre e scrive un file in locale
        for j in range(100):
            x.write("Ciao " + str(j) + "\n")
        x.close()
        flag = False

    else:

        if devices:  # controlla se c'e' la chiavetta
            device = devices[0]
            path_chiavetta = get_media_path(device)
            mount(device)  #monta la chiavetta

            if is_mounted(device):  #controlla se e' montata la usb
                shutil.copy2(
                    file_local_path,
                    path_chiavetta)  #copia il file da locale a chiavetta

            os.remove(file_local_path
                      )  #dove va messo, cancellerebbe il file da locale

            flag = True

        else:  # se non c'e' la chiavetta continua a scrivere ciclicamente sul file locale
            x = open("file_local_path", "r+")
            for j in range(100):
                x.write("Ciao" + str(j))
Esempio n. 13
0
def entropy_module(item_to_process, folder_path, case_number):

    #get datetime
    now = datetime.datetime.now()

    #open a log file for output
    log_file = folder_path + "/" + case_number + "_logfile.txt"
    outfile = open(log_file, 'a')

    #open file to write output
    exp_file = folder_path + "/" + case_number + "_entropy.csv"
    export_file = open(exp_file, 'a')

    if (item_to_process == "file"):
        file_to_process = select_file_to_process(outfile)
        ent = calc_entropy(file_to_process)
        print(ent)

    elif (item_to_process == "folder"):
        folder_to_process = select_folder_to_process(outfile)
        process_folder(folder_to_process, export_file)
    elif (item_to_process == "L01"):
        file_to_process = select_file_to_process(outfile)
        mount_point = mount_encase_v6_l01(case_number, file_to_process,
                                          outfile)
        process_folder(mount_point, export_file)

        #umount
        if (os.path.exists(mount_point)):
            subprocess.call(['sudo umount -f ' + mount_point], shell=True)
            os.rmdir(mount_point)
    elif (item_to_process == "image"):
        Image_Path = select_file_to_process(outfile)

        #process every file on every partition
        #get datetime
        now = datetime.datetime.now()

        #set Mount Point
        mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")

        #check if Image file is in Encase format
        if re.search(".E01", Image_Path):

            #strip out single quotes from the quoted path
            #no_quotes_path = Image_Path.replace("'","")
            #print("THe no quotes path is: " +  no_quotes_path)
            #call mount_ewf function
            Image_Path = mount_ewf(Image_Path, outfile, mount_point)

        #call mmls function
        partition_info_dict = mmls(outfile, Image_Path)
        partition_info_dict_temp = partition_info_dict

        #get filesize of mmls_output.txt
        file_size = os.path.getsize("/tmp/mmls_output.txt")

        #if filesize of mmls output is 0 then run parted
        if (file_size == 0):
            print("mmls output was empty, running parted")
            outfile.write("mmls output was empty, running parted")
            #call parted function
            partition_info_dict = parted(outfile, Image_Path)

        else:

            #read through the mmls output and look for GUID Partition Tables (used on MACS)
            mmls_output_file = open("/tmp/mmls_output.txt", 'r')
            for line in mmls_output_file:
                if re.search("GUID Partition Table", line):
                    print(
                        "We found a GUID partition table, need to use parted")
                    outfile.write(
                        "We found a GUID partition table, need to use parted\n"
                    )
                    #call parted function
                    partition_info_dict = parted(outfile, Image_Path)

        #loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
        for key, value in sorted(partition_info_dict.items()):

            #call mount sub-routine
            success_code = mount(value, str(key), Image_Path, outfile,
                                 mount_point)

            if (success_code):
                print("Could not mount partition with filesystem: " + value +
                      " at offset:" + str(key))
                outfile.write("Could not mount partition with filesystem: " +
                              value + " at offset:" + str(key))
            else:

                print("We just mounted filesystem: " + value + " at offset:" +
                      str(key) + "\n")
                outfile.write("We just mounted filesystem: " + value +
                              " at offset:" + str(key) + "\n")

                #call entropy function for each mount_point
                process_folder(mount_point, export_file)

                #unmount and remove mount points
                if (os.path.exists(mount_point)):
                    subprocess.call(['sudo umount -f ' + mount_point],
                                    shell=True)
                    os.rmdir(mount_point)

    #close output file
    export_file.close()

    #sort output file
    sort_command = "strings -a  " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
    subprocess.call([sort_command], shell=True)

    #write header row to export_file
    sed_command = "sed -i '1i\ Entropy,File Name,File Size,File Path' " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
    subprocess.call([sed_command], shell=True)

    #remove original output file
    os.remove(exp_file)
Esempio n. 14
0
def av_scanner_mr(item_to_process, case_number, root_folder_path, evidence,
                  conf_file):

    print("The item to process is: " + item_to_process)
    print("The case_name is: " + case_number)
    print("The output folder is: " + root_folder_path)
    print("The evidence to process is: " + evidence)
    print("The configuration file is located at: " + conf_file)

    evidence_no_quotes = evidence
    evidence = '"' + evidence + '"'

    #get datetime
    now = datetime.datetime.now()

    #set Mount Point
    mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

    #create output folder path
    output_folder_path = root_folder_path + "/" + "AV_Scanner"
    check_for_folder(output_folder_path, "NONE")

    #open a log file for output
    log_file = output_folder_path + "/AV_Scanner_logfile.txt"
    outfile = open(log_file, 'wt+')

    if (item_to_process == "Single File"):
        print("Please put your file in a folder and then scan the folder")

    elif (item_to_process == "Directory"):
        folder_to_process = evidence_no_quotes
        process_folder(folder_to_process, output_folder_path, outfile,
                       "Directory", conf_file)
    elif (item_to_process == "EnCase Logical Evidence File"):
        file_to_process = evidence
        mount_point = mount_encase_v6_l01(case_number, file_to_process,
                                          outfile)
        process_folder(mount_point, output_folder_path, outfile, "LEF",
                       conf_file)

        #umount
        if (os.path.exists(mount_point)):
            subprocess.call(['sudo umount -f ' + mount_point], shell=True)
            os.rmdir(mount_point)
    elif (item_to_process == "Bit-Stream Image"):
        Image_Path = evidence
        #process every file on every partition
        #get datetime
        now = datetime.datetime.now()

        #set Mount Point
        mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

        #check if Image file is in Encase format
        if re.search(".E01", Image_Path):

            #strip out single quotes from the quoted path
            #no_quotes_path = Image_Path.replace("'","")
            #print("THe no quotes path is: " +  no_quotes_path)
            #call mount_ewf function
            Image_Path = mount_ewf(Image_Path, outfile, mount_point)

        #call mmls function
        partition_info_dict, temp_time = mmls(outfile, Image_Path)
        partition_info_dict_temp = partition_info_dict

        #get filesize of mmls_output.txt
        file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")

        #if filesize of mmls output is 0 then run parted
        if (file_size == 0):
            print("mmls output was empty, running parted")
            outfile.write("mmls output was empty, running parted")
            #call parted function
            partition_info_dict, temp_time = parted(outfile, Image_Path)

        else:

            #read through the mmls output and look for GUID Partition Tables (used on MACS)
            mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
                                    'r')
            for line in mmls_output_file:
                if re.search("GUID Partition Table", line):
                    print(
                        "We found a GUID partition table, need to use parted")
                    outfile.write(
                        "We found a GUID partition table, need to use parted\n"
                    )
                    #call parted function
                    partition_info_dict, temp_time = parted(
                        outfile, Image_Path)
            mmls_output_file.close()

        #loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
        for key, value in sorted(partition_info_dict.items()):

            #disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
            cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
            try:
                subprocess.call([cmd_false], shell=True)
            except:
                print("Autmount false failed")

            #call mount sub-routine
            success_code, loopback_device_mount = mount(
                value, str(key), Image_Path, outfile, mount_point)

            if (success_code):
                print("Could not mount partition with filesystem: " + value +
                      " at offset:" + str(key))
                outfile.write("Could not mount partition with filesystem: " +
                              value + " at offset:" + str(key))
            else:

                print("We just mounted filesystem: " + value + " at offset:" +
                      str(key) + "\n")
                outfile.write("We just mounted filesystem: " + value +
                              " at offset:" + str(key) + "\n")

                #call av_scanner function for each mount_point
                process_folder(mount_point, output_folder_path, outfile,
                               "partition_offset_" + str(key), conf_file)
                print("We just finished scanning every file...sorting output")

                #unmount and remove mount points
                if (os.path.exists(mount_point)):
                    subprocess.call(['sudo umount -f ' + mount_point],
                                    shell=True)
                    os.rmdir(mount_point)
                #unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
                if not (loopback_device_mount == "NONE"):
                    losetup_d_command = "losetup -d " + loopback_device_mount
                    subprocess.call([losetup_d_command], shell=True)

        #delete /tmp files created for each partition
        if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
            os.remove("/tmp/mmls_output_" + temp_time + ".txt")

    #close logfile
    outfile.close()

    #remove mount points created for this program
    if (os.path.exists(mount_point)):
        os.rmdir(mount_point)
    if (os.path.exists(mount_point + "_ewf")):
        subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
        os.rmdir(mount_point + "_ewf")

#run text files through unix2dos
    for root, dirs, files in os.walk(output_folder_path):
        for filenames in files:
            #get file extension
            fileName, fileExtension = os.path.splitext(filenames)
            if (fileExtension.lower() == ".txt"):
                full_path = os.path.join(root, filenames)
                quoted_full_path = "'" + full_path + "'"
                print("Running Unix2dos against file: " + quoted_full_path)
                #unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
                unix2dos_command = "sudo unix2dos " + quoted_full_path
                subprocess.call([unix2dos_command], shell=True)
Esempio n. 15
0
def exifdata_mr(item_to_process, case_number, root_folder_path, evidence):
	print("The item to process is: " + item_to_process)
	print("The case_name is: " + case_number)
	print("The output folder is: " + root_folder_path)
	print("The evidence to process is: " + evidence)

	evidence_no_quotes = evidence

	evidence = '"' + evidence + '"'

	#get datetime
	now = datetime.datetime.now()

	#set Mount Point
	mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
	
	#create output folder path
	folder_path = root_folder_path + "/" + "EXIF_Tool"
	check_for_folder(folder_path, "NONE")
	

	#open a log file for output
	log_file = folder_path + "/EXIF_Tool_logfile.txt"
	outfile = open(log_file, 'wt+')

	#set up tuple holding all of the file extensions exiftool can process
	valid_extensions = ('3FR', '3G2', '3GP2', '3GP', '3GPP', 'ACR', 'AFM', 'ACFM', 'AMFM', 'AI', 'AIT', 'AIFF', 'AIF', 'AIFC', 'APE', 'ARW', 'ASF', 'AVI', 'BMP', 'DIB', 'BTF', 'TIFF', 'TIF', 'CHM', 'COS', 'CR2', 'CRW', 'CIFF', 'CS1', 'DCM', 'DC3', 'DIC', 'DICM', 'DCP', 'DCR', 'DFONT', 'DIVX', 'DJVU', 'DJV', 'DNG', 'DOC', 'DOT', 'DOCX', 'DOCM', 'DOTX', 'DOTM', 'DYLIB', 'DV', 'DVB', 'EIP', 'EPS', 'EPSF', 'EXR', 'PS', 'ERF', 'EXE', 'DLL', 'EXIF', 'F4A', 'F4B', 'F4P', 'F4V', 'FFF', 'FLA', 'FLAC', 'FLV', 'FPX', 'GIF', 'GZ', 'GZIP', 'HDP', 'HDR', 'WDP', 'HTML', 'HTM', 'XHTML', 'ICC', 'ICM', 'IIQ', 'IND', 'INDD', 'INDT', 'INX', 'ITC', 'JP2', 'JPF', 'JPM', 'JPX', 'JPEG', 'JPC', 'JPG', 'J2C', 'J2K', 'K25', 'KDC', 'KEY', 'KTH', 'LNK', 'M2TS', 'MTS', 'M2T', 'TS', 'M4A', 'M4B', 'M4P', 'M4V', 'MEF', 'MIE', 'MIFF', 'MIF', 'MKA', 'MKV', 'MKS', 'MOS', 'MOV', 'Q', 'MP3', 'MP4', 'MPC', 'MPEG', 'MPG', 'M2V', 'MPO', 'MQV', 'QT', 'MRW', 'MXF', 'NEF', 'NMBTEMPLATE', 'NRW', 'NUMBERS', 'ODB', 'ODC', 'ODF', 'ODG', 'OGI', 'ODP', 'ODS', 'ODT', 'OGG', 'ORF', 'OTF', 'PAGES', 'PDF', 'PEF', 'PFA', 'PFB', 'PFM', 'PGF', 'PICT', 'PCT', 'PMP', 'PNG', 'JNG', 'MNG', 'PPM', 'PBM', 'PGM', 'PPT', 'PPS', 'POT', 'POTX', 'POTM', 'PPSX', 'PPSM', 'PPTX', 'PPTM', 'PSD', 'PSB', 'PSP', 'PSPIMAGE', 'QTIF', 'QTI', 'QIF', 'RAF', 'RAM', 'RPM', 'RAW', 'RAR', 'RAW', 'RIFF', 'RIF', 'RM', 'RV', 'RMVB', 'RSRC', 'RTF', 'RW2', 'RWL', 'RWZ', 'SO', 'SR2', 'SRF', 'SRW', 'SVG', 'SWF', 'THM', 'THMX', 'TIFF', 'TIF', 'TTF', 'TTC', 'VOB', 'VRD', 'VSD', 'WAV', 'WEBM', 'WEBP', ',WMA', 'WMV', 'X3F', 'XCF', 'XLS', 'XLT', 'XLSX', 'XLSM', 'XLSB', 'XLTX', 'XLTM', 'XMP', 'ZIP')

	if(item_to_process =="EnCase Logical Evidence File"):

		file_to_process = evidence
		mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
		process_folder(mount_point, valid_extensions, item_to_process)

		#umount
		if(os.path.exists(mount_point)):
			subprocess.call(['sudo umount -f ' + mount_point], shell=True)
			os.rmdir(mount_point)


	if(item_to_process == "Directory"):

		mount_point = evidence_no_quotes
		process_folder(mount_point, valid_extensions, item_to_process, outfile, folder_path)

	

	elif(item_to_process == "Bit-Stream Image"):

		#get datetime
		now = datetime.datetime.now()

		#set Mount Point
		mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

		#select dd image to process	
		Image_Path = evidence

		#check if Image file is in Encase format
		if re.search(".E01", Image_Path):

			#strip out single quotes from the quoted path
			#no_quotes_path = Image_Path.replace("'","")
			#print("THe no quotes path is: " +  no_quotes_path)
			#call mount_ewf function
			Image_Path = mount_ewf(Image_Path, outfile, mount_point)

		#call mmls function
		partition_info_dict, temp_time = mmls(outfile, Image_Path)

		#get filesize of mmls_output.txt
		file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt") 

		#if filesize of mmls output is 0 then run parted
		if(file_size == 0):
			print("mmls output was empty, running parted")
			outfile.write("mmls output was empty, running parted")
			#call parted function
			partition_info_dict, temp_time = parted(outfile, Image_Path)	

		else:

			#read through the mmls output and look for GUID Partition Tables (used on MACS)
			mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
			for line in mmls_output_file:
				if re.search("GUID Partition Table", line):
					print("We found a GUID partition table, need to use parted")
					outfile.write("We found a GUID partition table, need to use parted\n")
					#call parted function
					partition_info_dict, temp_time = parted(outfile, Image_Path)

	
		#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
		for key,value in partition_info_dict.items():

			#set up file object for output file
			output_file = folder_path + "/Exif_data_partition_offset_" + str(key) +".txt"
			print("The output_file is: " + output_file)
			exif_out = open(output_file, 'wt+')

			#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
			cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
			try:
				subprocess.call([cmd_false], shell=True)
			except:
				print("Autmount false failed")

			#call mount sub-routine
			success_code, loopback_device_mount = mount(value,key,Image_Path, outfile, mount_point)

			if(success_code):
				print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
				outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
			else:
		
				print("We just mounted filesystem: " + value + " at offset:" + str(key) + ". Scanning for files of interest.....\n")
				outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
			

				#get the filename without extension
				for root,dirs,files in os.walk(mount_point):
					for filenames in files:
						fileName, fileExtension = os.path.splitext(filenames)
					
						#replace the . in the file extension with nothing
						file_extension = fileExtension.replace('.','')	
						file_extension = file_extension.upper()				
						file_name = os.path.basename(fileName)
						for extension in valid_extensions:
							if(file_extension == extension):
								print("Running exiftool against file: " + filenames)
								outfile.write("Running exiftool against file: " + filenames)

								#chdir to output foler
								os.chdir(folder_path)
						
								#get absolute path to file
								file_name = os.path.join(root,filenames)
								quoted_file_name = "'" +file_name +"'"

								#enclose strings in quotes
								quoted_root = "'" +root +"'"	
								
	
								#set up exiftool command			
								exif_command = "exiftool -ext " + extension + " -l -sep *********** -z " + quoted_file_name + " >> " + "'" +  folder_path + "/Exif_data_partition_offset_" + str(key) +".txt" + "'"
										
								#print("The exif command is: " + exif_command + "\n\n")
								outfile.write("The exif command is: " + exif_command + "\n\n")

								#execute the exif command
								subprocess.call([exif_command], shell=True)
								#exif_out.write("\n\n")
						

				#unmount and remove mount points
				if(os.path.exists(mount_point)): 
					subprocess.call(['sudo umount -f ' + mount_point], shell=True)
					os.rmdir(mount_point)
				#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
				if not (loopback_device_mount == "NONE"):
					losetup_d_command = "losetup -d " + loopback_device_mount
					subprocess.call([losetup_d_command], shell=True)

			#close outfile
			exif_out.close()

	#program cleanup
	outfile.close()
	
	#remove mount points created for this program
	if(os.path.exists(mount_point)):
		if not (item_to_process == "Directory"):
			os.rmdir(mount_point)
	if(os.path.exists(mount_point+"_ewf")):
		subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
		os.rmdir(mount_point+"_ewf")

	#delete empty directories in output folder
	for root, dirs, files in os.walk(folder_path, topdown=False):	
		for directories in dirs:
			files = []
			dir_path = os.path.join(root,directories)
			files = os.listdir(dir_path)	
			if(len(files) == 0):
				os.rmdir(dir_path)
Esempio n. 16
0

file_path = "/media/sdb"  # definisce il path della chiavetta


def mount(device, name=None):  # definisce la funzione mount
    if not name:
        name = get_device_name(device)
    mount_partition(get_partition(device), name)


devices = list_media_devices()
if devices:  # controlla se e' presente la chiavetta
    device = devices[0]
    path = get_media_path(device)
    mount(device)

    if is_mounted(device):  # controlla se e' montata la chiavetta
        print device, "\nsalva sulla chiavetta"
        datetime.datetime.now()
        print datetime.datetime.now()
        shutil.copy2('/home/stage/cartellafatta/localfile.txt',
                     path)  # copia il file da dispositivo a usb
        if path + 'localfile.txt':

            os.remove('/home/stage/cartellafatta/localfile.txt'
                      )  # cancella il file da locale
            os.rmdir('/home/stage/cartellafatta/'
                     )  # cancella la cartella che conteneva il file in locale

            a = 0  # ciclo di cyclic che scrive in usb un file
Esempio n. 17
0
def jumplist_mr(item_to_process, case_number, root_folder_path, evidence):

    print("The item to process is: " + item_to_process)
    print("The case_name is: " + case_number)
    print("The output folder is: " + root_folder_path)
    print("The evidence to process is: " + evidence)

    evidence = '"' + evidence + '"'

    #get datetime
    now = datetime.datetime.now()

    #set Mount Point
    mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")

    #create output folder path
    folder_path = root_folder_path + "/" + "Jumplist_Parser"
    check_for_folder(folder_path, "NONE")

    #open a log file for output
    log_file = folder_path + "/Jumplist_Parser_logfile.txt"
    outfile = open(log_file, 'wt+')

    #select image to process
    Image_Path = evidence
    print("The image path is: " + Image_Path)

    #check to see if Image file is in Encase format
    if re.search(".E01", Image_Path):
        #strip out single quotes from the quoted path
        no_quotes_path = Image_Path.replace("'", "")
        print("The no quotes path is: " + no_quotes_path)
        #call mount_ewf function
        Image_Path = mount_ewf(no_quotes_path, outfile, mount_point)

    #call mmls function
    partition_info_dict, temp_time = mmls(outfile, Image_Path)
    partition_info_dict_temp = partition_info_dict

    #get filesize of mmls_output.txt
    file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
    print("The filesize is: " + str(file_size))

    #if filesize of mmls output is 0 then run parted
    if (file_size == 0):
        print("mmls output was empty, running parted")
        outfile.write("mmls output was empty, running parted")
        #call parted function
        partition_info_dict, temp_time = parted(outfile, Image_Path)

    else:

        #read through the mmls output and look for GUID Partition Tables (used on MACS)
        mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
        for line in mmls_output_file:
            if re.search("GUID Partition Table", line):
                print("We found a GUID partition table, need to use parted")
                outfile.write(
                    "We found a GUID partition table, need to use parted\n")
                #call parted function
                partition_info_dict, temp_time = parted(outfile, Image_Path)

    #loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
    #for key,value in partition_info_dict.items():
    for key, value in sorted(partition_info_dict.items()):

        #disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
        cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
        try:
            subprocess.call([cmd_false], shell=True)
        except:
            print("Autmount false failed")

        #run mount command
        success_code, loopback_device_mount = mount(value, key, Image_Path,
                                                    outfile, mount_point)

        if (success_code):
            print("Could not mount partition with filesystem: " + value +
                  " at offset:" + str(key))
            outfile.write("Could not mount partition with filesystem: " +
                          value + " at offset:" + str(key))
        else:

            print("We just mounted filesystem: " + value + " at offset:" +
                  str(key) + ".\n")
            outfile.write("We just mounted filesystem: " + value +
                          " at offset:" + str(key) + "\n")

            #run jl.pl against every JumpList file found under mount_point if filesystem is fat32 or ntfs
            if (value == "ntfs") or (value == "fat32"):
                for root, dirs, files in os.walk(mount_point):
                    for filenames in files:
                        #get file extension
                        fileName, fileExtension = os.path.splitext(filenames)
                        if (fileExtension.lower() ==
                                ".automaticdestinations-ms"):
                            full_path = os.path.join(root, filenames)
                            quoted_full_path = "'" + full_path + "'"
                            print("Processing Jump List: " + filenames)
                            outfile.write("Processing Jump List: " +
                                          filenames + "\n")

                            #get profile name
                            profile = get_account_profile_names(
                                full_path, outfile)
                            print("The profile is: " + profile)
                            outfile.write("The profile is: " + profile + "\n")

                            #process Jumplist files with jl.pl
                            #jl_command = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -f " + full_path + " >> " + "'" + folder_path + "/jumplist_metadata.txt" + "'"
                            jl_command_tln = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -t -f " + quoted_full_path + " >> " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'"
                            outfile.write("The jl_command_tln is: " +
                                          jl_command_tln + "\n")
                            subprocess.call([jl_command_tln], shell=True)
                        else:
                            print("Scanning file: " + filenames +
                                  ".  This file is not a jumplist.")
                #unmount and remove mount points
                if (os.path.exists(mount_point)):
                    subprocess.call(['sudo umount -f ' + mount_point],
                                    shell=True)
                    os.rmdir(mount_point)
                #unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
                if not (loopback_device_mount == "NONE"):
                    losetup_d_command = "losetup -d " + loopback_device_mount
                    subprocess.call([losetup_d_command], shell=True)
            else:
                print("Filesystem: " + value + " at offset:" + str(key) +
                      " is not NTFS or FAT32")
                outfile.write("Filesystem: " + value + " at offset:" +
                              str(key) + " is not NTFS or FAT32\n")

                if (os.path.exists(mount_point)):
                    subprocess.call(['sudo umount -f ' + mount_point],
                                    shell=True)
                    os.rmdir(mount_point)
                #unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
                if not (loopback_device_mount == "NONE"):
                    losetup_d_command = "losetup -d " + loopback_device_mount
                    subprocess.call([losetup_d_command], shell=True)
            #create timeline
            parse_command = "perl /usr/share/windows-perl/parse.pl -f " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'" + "> " + "'" + folder_path + "/jumplist_timeline.txt" + "'"
            subprocess.call([parse_command], shell=True)

    #unmount and remove mount points
    #if(os.path.exists(mount_point)):
    #	os.rmdir(mount_point)
    if (os.path.exists(mount_point + "_ewf")):
        print("Unmounting mount point for ewf before exiting\n\n")
        subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
        os.rmdir(mount_point + "_ewf")

    #program cleanup
    outfile.close()
    #convert outfile using unix2dos
    #chdir to output foler
    os.chdir(folder_path)

    #run text files through unix2dos
    for root, dirs, files in os.walk(folder_path):
        for filenames in files:
            #get file extension
            fileName, fileExtension = os.path.splitext(filenames)
            if (fileExtension.lower() == ".txt"):
                full_path = os.path.join(root, filenames)
                quoted_full_path = "'" + full_path + "'"
                print("Running Unix2dos against file: " + quoted_full_path)
                #unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
                unix2dos_command = "sudo unix2dos " + quoted_full_path
                subprocess.call([unix2dos_command], shell=True)
Esempio n. 18
0
def plist_processor(item_to_process, case_number, root_folder_path, evidence):
    print("The item to process is: " + item_to_process)
    print("The case_name is: " + case_number)
    print("The output folder is: " + root_folder_path)
    print("The evidence to process is: " + evidence)

    evidence_no_quotes = evidence
    evidence = '"' + evidence + '"'

    #get datetime
    now = datetime.datetime.now()

    #set Mount Point
    mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

    #create output folder path
    folder_path = root_folder_path + "/" + "PLIST_Processor"
    check_for_folder(folder_path, "NONE")

    #open a log file for output
    log_file = folder_path + "/PLIST_processor_logfile.txt"
    outfile = open(log_file, 'wt+')

    #open an error file for output
    log_file = folder_path + "/PLIST_processor_error_log.txt"
    outfile_error = open(log_file, 'wt+')

    #open file to write output
    exp_file = folder_path + "/" + case_number + "_PLIST_Triage.txt"
    export_file = open(exp_file, 'a')

    if (item_to_process == "Directory"):
        folder_to_process = evidence_no_quotes
        process_folder(folder_to_process, export_file, outfile, outfile_error,
                       now)
    elif (item_to_process == "EnCase Logical Evidence File"):
        file_to_process = evidence
        mount_point = mount_encase_v6_l01(case_number, file_to_process,
                                          outfile)
        process_folder(mount_point, export_file, outfile, outfile_error, now)

        #umount
        if (os.path.exists(mount_point)):
            subprocess.call(['sudo umount -f ' + mount_point], shell=True)
            os.rmdir(mount_point)
    elif (item_to_process == "Bit-Stream Image"):

        #set Mount Point
        mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

        Image_Path = evidence

        #check if Image file is in Encase format
        if re.search(".E01", Image_Path):
            #set mount point
            #mount_point = "/mnt/"+	case_number+"_ewf"
            Image_Path = mount_ewf(Image_Path, outfile, mount_point)

        #call mmls function
        partition_info_dict, temp_time = mmls(outfile, Image_Path)
        partition_info_dict_temp = partition_info_dict

        #get filesize of mmls_output.txt
        file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")

        #if filesize of mmls output is 0 then run parted
        if (file_size == 0):
            print("mmls output was empty, running parted\n")
            outfile.write("mmls output was empty, running parted\n")
            #call parted function
            partition_info_dict, temp_time = parted(outfile, Image_Path)

        else:

            #read through the mmls output and look for GUID Partition Tables (used on MACS)
            mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
                                    'r')
            for line in mmls_output_file:
                if re.search("GUID Partition Table", line):
                    print(
                        "We found a GUID partition table, need to use parted")
                    outfile.write(
                        "We found a GUID partition table, need to use parted\n"
                    )
                    #call parted function
                    partition_info_dict, temp_time = parted(
                        outfile, Image_Path)
            mmls_output_file.close()

        #loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
        for key, value in partition_info_dict.items():
            cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
            try:
                subprocess.call([cmd_false], shell=True)
            except:
                print("Autmount false failed")

            #process plist files
            if (value == "hfs+"):
                #call mount sub-routine
                success_code, loopback_device_mount = mount(
                    value, str(key), Image_Path, outfile, mount_point)

                if (success_code):
                    print("Could not mount partition with filesystem: " +
                          value + " at offset:" + str(key))
                    outfile.write(
                        "Could not mount partition with filesystem: " + value +
                        " at offset:" + str(key))
                else:

                    print("We just mounted filesystem: " + value +
                          " at offset:" + str(key) + "\n")
                    outfile.write("We just mounted filesystem: " + value +
                                  " at offset:" + str(key) + "\n")

                    #process
                    process_folder(mount_point, export_file, outfile,
                                   outfile_error, now)

                    #unmount
                    subprocess.call(['umount ' + mount_point], shell=True)
                    subprocess.call(['losetup -d ' + loopback_device_mount],
                                    shell=True)

            else:
                print("This partition is not formatted HFS+")
                outfile.write("This partition is not formatted HFS+\n\n")
        #close export_file
        export_file.close()

        #chdir to output foler
        os.chdir(folder_path)

        #unmount and remount points
        if re.search(".E01", Image_Path):
            if (os.path.exists(mount_point + "_ewf")):
                subprocess.call(['sudo umount -f ' + mount_point + "_ewf"],
                                shell=True)
                os.rmdir(mount_point + "_ewf")

        #remove empty directories
        for root, dirs, files in os.walk(folder_path, topdown=False):
            for directory in dirs:
                dir_path = os.path.join(root, directory)
                if not os.listdir(dir_path):
                    outfile.write("Removing empty folder: " + dir_path + "\n")
                    os.rmdir(dir_path)

        #close outfiles
        outfile.close()

        #run text files through unix2dos
        for root, dirs, files in os.walk(folder_path):
            for filenames in files:
                #get file extension
                fileName, fileExtension = os.path.splitext(filenames)
                if (fileExtension.lower() == ".txt"):
                    full_path = os.path.join(root, filenames)
                    quoted_full_path = "'" + full_path + "'"
                    print("Running Unix2dos against file: " + filenames)
                    unix2dos_command = "sudo unix2dos " + quoted_full_path
                    subprocess.call([unix2dos_command], shell=True)

        #delete /tmp/ls_output.txt
        if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
            os.remove("/tmp/mmls_output_" + temp_time + ".txt")
        if (os.path.exists("/tmp/timeline_partition_info_" + temp_time +
                           ".txt")):
            os.remove("/tmp/timeline_partition_info_" + temp_time + ".txt")
        if (os.path.exists("/tmp/dump_" + temp_time + ".txt")):
            os.remove("/tmp/dump_" + temp_time + ".txt")
        if (os.path.exists("/tmp/fls_output_" + temp_time + ".txt")):
            os.remove("/tmp/fls_output_" + temp_time + ".txt")
        if (os.path.exists("/tmp/hives_to_rename_" + temp_time)):
            shutil.rmtree("/tmp/hives_to_rename_" + temp_time)
Esempio n. 19
0
def create_kml_from_exif_mr(item_to_process, case_number, root_folder_path,
                            evidence):
    print("The item to process is: " + item_to_process)
    print("The case_name is: " + case_number)
    print("The output folder is: " + root_folder_path)
    print("The evidence to process is: " + evidence)

    evidence_no_quotes = evidence
    evidence = '"' + evidence + '"'

    #create output folder path
    folder_path = root_folder_path + "/" + "KML_From_EXIF"
    check_for_folder(folder_path, "NONE")

    #open a log file for output
    log_file = folder_path + "/KML_From_EXIF_logfile.txt"
    outfile = open(log_file, 'wt+')

    #initialize variables
    files_of_interest = {}
    files_of_interest_list = []
    mount_point = "NONE"

    log_file3 = folder_path + "/" + case_number + "_files_to_exploit.xls"
    outfile3 = open(log_file3, 'wt+')

    #write out column headers to xls file
    outfile3.write("Name\tMD5\tFile Size (kb)\n")

    if (item_to_process == "Directory"):
        #select folder to process
        folder_process = evidence_no_quotes

        #set folder variable to "folder" since this is a folder and not a disk partition
        folder = "Directory"

        #call process subroutine
        process(folder_process, outfile, folder_path, folder, outfile3)

    elif (item_to_process == 'EnCase Logical Evidence File'):
        folder = "LEF"
        file_to_process = evidence
        mount_point = mount_encase_v6_l01(case_number, file_to_process,
                                          outfile)
        process(mount_point, outfile, folder_path, folder, outfile3)

        #umount
        if (os.path.exists(mount_point)):
            subprocess.call(['sudo umount -f ' + mount_point], shell=True)
            os.rmdir(mount_point)

    elif (item_to_process == 'Single File'):
        process_single_file(evidence_no_quotes, outfile, folder_path,
                            "Single-File", outfile3)

    elif (item_to_process == 'Bit-Stream Image'):

        #select image to process
        Image_Path = evidence

        #get datetime
        now = datetime.datetime.now()

        #set Mount Point
        mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")

        #check to see if Image file is in Encase format
        if re.search(".E01", Image_Path):
            #strip out single quotes from the quoted path
            no_quotes_path = Image_Path.replace("'", "")
            print("The no quotes path is: " + no_quotes_path)
            #call mount_ewf function
            cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
            try:
                subprocess.call([cmd_false], shell=True)
            except:
                print("Autmount false failed")
            Image_Path = mount_ewf(Image_Path, outfile, mount_point)

        #call mmls function
        partition_info_dict, temp_time = mmls(outfile, Image_Path)
        #partition_info_dict_temp, temp_time = partition_info_dict

        #get filesize of mmls_output.txt
        file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
        print("The filesize is: " + str(file_size))

        #if filesize of mmls output is 0 then run parted
        if (file_size == 0):
            print("mmls output was empty, running parted")
            outfile.write("mmls output was empty, running parted")
            #call parted function
            partition_info_dict, temp_time = parted(outfile, Image_Path)

        else:

            #read through the mmls output and look for GUID Partition Tables (used on MACS)
            mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
                                    'r')
            for line in mmls_output_file:
                if re.search("GUID Partition Table", line):
                    print(
                        "We found a GUID partition table, need to use parted")
                    outfile.write(
                        "We found a GUID partition table, need to use parted\n"
                    )
                    #call parted function
                    partition_info_dict, temp_time = parted(
                        outfile, Image_Path)

            #close file
            mmls_output_file.close()

        #loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
        #for key,value in partition_info_dict.items():
        for key, value in sorted(partition_info_dict.items()):

            #create output folder for processed files
            if not os.path.exists(folder_path + "/Processed_files_" +
                                  str(key)):
                os.mkdir(folder_path + "/Processed_files_" + str(key))

            #disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
            cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
            try:
                subprocess.call([cmd_false], shell=True)
            except:
                print("Autmount false failed")

            #call mount sub-routine
            success_code, loopback_device_mount = mount(
                value, key, Image_Path, outfile, mount_point)

            if (success_code):
                print("Could not mount partition with filesystem: " + value +
                      " at offset:" + str(key))
                outfile.write("Could not mount partition with filesystem: " +
                              value + " at offset:" + str(key))
            else:

                print("We just mounted filesystem: " + value + " at offset:" +
                      str(key) + ". Scanning for files of interest.....\n")
                outfile.write("We just mounted filesystem: " + value +
                              " at offset:" + str(key) + "\n")

                #call process subroutine
                process(mount_point, outfile, folder_path, key, outfile3)

                #unmount and remove mount points
                if (os.path.exists(mount_point)):
                    subprocess.call(['sudo umount -f ' + mount_point],
                                    shell=True)
                    os.rmdir(mount_point)
                #unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
                if not (loopback_device_mount == "NONE"):
                    losetup_d_command = "losetup -d " + loopback_device_mount
                    subprocess.call([losetup_d_command], shell=True)

            #delete /tmp files created for processing bit-stream images
            if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
                os.remove("/tmp/mmls_output_" + temp_time + ".txt")

    #write out list of filenames to end of output file so that user can create a filter for those filenames in Encase
    outfile3.write(
        "\n\n******** LIST of FILENAMES of INTEREST ******************\n")
    #sort list so that all values are unique
    unique(files_of_interest_list)
    for files in files_of_interest_list:
        outfile3.write(files + "\n")

    #program cleanup
    outfile.close()
    outfile3.close()

    #remove mount points created for this program
    if (os.path.exists(mount_point)):
        subprocess.call(['sudo umount -f ' + mount_point], shell=True)
        os.rmdir(mount_point)
    if (os.path.exists(mount_point + "_ewf")):
        subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
        os.rmdir(mount_point + "_ewf")

    #convert outfile using unix2dos
    #chdir to output foler
    os.chdir(folder_path)

    #run text files through unix2dos
    for root, dirs, files in os.walk(folder_path):
        for filenames in files:
            #get file extension
            fileName, fileExtension = os.path.splitext(filenames)
            if (fileExtension.lower() == ".txt"):
                full_path = os.path.join(root, filenames)
                quoted_full_path = "'" + full_path + "'"
                print("Running Unix2dos against file: " + filenames)
                unix2dos_command = "sudo unix2dos " + filenames
                subprocess.call([unix2dos_command], shell=True)

    #delete empty directories in output folder
    for root, dirs, files in os.walk(folder_path, topdown=False):
        for directories in dirs:
            files = []
            dir_path = os.path.join(root, directories)
            files = os.listdir(dir_path)
            if (len(files) == 0):
                os.rmdir(dir_path)

    #unmount and remove mount points
    if (mount_point != "NONE"):
        if (os.path.exists(mount_point + "_ewf")):
            subprocess.call(['sudo umount -f ' + mount_point + "_ewf"],
                            shell=True)
            os.rmdir(mount_point + "_ewf")
Esempio n. 20
0
def plist_processor(item_to_process, case_number, root_folder_path, evidence):
    print("The item to process is: " + item_to_process)
    print("The case_name is: " + case_number)
    print("The output folder is: " + root_folder_path)
    print("The evidence to process is: " + evidence)

    evidence_no_quotes = evidence
    evidence = '"' + evidence + '"'

    # get datetime
    now = datetime.datetime.now()

    # set Mount Point
    mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

    # create output folder path
    folder_path = root_folder_path + "/" + "PLIST_Processor"
    check_for_folder(folder_path, "NONE")

    # open a log file for output
    log_file = folder_path + "/PLIST_processor_logfile.txt"
    outfile = open(log_file, "wt+")

    # open an error file for output
    log_file = folder_path + "/PLIST_processor_error_log.txt"
    outfile_error = open(log_file, "wt+")

    # open file to write output
    exp_file = folder_path + "/" + case_number + "_PLIST_Triage.txt"
    export_file = open(exp_file, "a")

    if item_to_process == "Directory":
        folder_to_process = evidence_no_quotes
        process_folder(folder_to_process, export_file, outfile, outfile_error, now)
    elif item_to_process == "EnCase Logical Evidence File":
        file_to_process = evidence
        mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
        process_folder(mount_point, export_file, outfile, outfile_error, now)

        # umount
        if os.path.exists(mount_point):
            subprocess.call(["sudo umount -f " + mount_point], shell=True)
            os.rmdir(mount_point)
    elif item_to_process == "Bit-Stream Image":

        # set Mount Point
        mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

        Image_Path = evidence

        # check if Image file is in Encase format
        if re.search(".E01", Image_Path):
            # set mount point
            # mount_point = "/mnt/"+	case_number+"_ewf"
            Image_Path = mount_ewf(Image_Path, outfile, mount_point)

            # call mmls function
        partition_info_dict, temp_time = mmls(outfile, Image_Path)
        partition_info_dict_temp = partition_info_dict

        # get filesize of mmls_output.txt
        file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")

        # if filesize of mmls output is 0 then run parted
        if file_size == 0:
            print("mmls output was empty, running parted\n")
            outfile.write("mmls output was empty, running parted\n")
            # call parted function
            partition_info_dict, temp_time = parted(outfile, Image_Path)

        else:

            # read through the mmls output and look for GUID Partition Tables (used on MACS)
            mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", "r")
            for line in mmls_output_file:
                if re.search("GUID Partition Table", line):
                    print("We found a GUID partition table, need to use parted")
                    outfile.write("We found a GUID partition table, need to use parted\n")
                    # call parted function
                    partition_info_dict, temp_time = parted(outfile, Image_Path)
            mmls_output_file.close()

            # loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
        for key, value in partition_info_dict.items():
            cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
            try:
                subprocess.call([cmd_false], shell=True)
            except:
                print("Autmount false failed")

                # process plist files
            if value == "hfs+":
                # call mount sub-routine
                success_code, loopback_device_mount = mount(value, str(key), Image_Path, outfile, mount_point)

                if success_code:
                    print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
                    outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
                else:

                    print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
                    outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")

                    # process
                    process_folder(mount_point, export_file, outfile, outfile_error, now)

                    # unmount
                    subprocess.call(["umount " + mount_point], shell=True)
                    subprocess.call(["losetup -d " + loopback_device_mount], shell=True)

            else:
                print("This partition is not formatted HFS+")
                outfile.write("This partition is not formatted HFS+\n\n")
                # close export_file
        export_file.close()

        # chdir to output foler
        os.chdir(folder_path)

        # unmount and remount points
        if re.search(".E01", Image_Path):
            if os.path.exists(mount_point + "_ewf"):
                subprocess.call(["sudo umount -f " + mount_point + "_ewf"], shell=True)
                os.rmdir(mount_point + "_ewf")

                # remove empty directories
        for root, dirs, files in os.walk(folder_path, topdown=False):
            for directory in dirs:
                dir_path = os.path.join(root, directory)
                if not os.listdir(dir_path):
                    outfile.write("Removing empty folder: " + dir_path + "\n")
                    os.rmdir(dir_path)

                    # close outfiles
        outfile.close()

        # run text files through unix2dos
        for root, dirs, files in os.walk(folder_path):
            for filenames in files:
                # get file extension
                fileName, fileExtension = os.path.splitext(filenames)
                if fileExtension.lower() == ".txt":
                    full_path = os.path.join(root, filenames)
                    quoted_full_path = "'" + full_path + "'"
                    print("Running Unix2dos against file: " + filenames)
                    unix2dos_command = "sudo unix2dos " + quoted_full_path
                    subprocess.call([unix2dos_command], shell=True)

                    # delete /tmp/ls_output.txt
        if os.path.exists("/tmp/mmls_output_" + temp_time + ".txt"):
            os.remove("/tmp/mmls_output_" + temp_time + ".txt")
        if os.path.exists("/tmp/timeline_partition_info_" + temp_time + ".txt"):
            os.remove("/tmp/timeline_partition_info_" + temp_time + ".txt")
        if os.path.exists("/tmp/dump_" + temp_time + ".txt"):
            os.remove("/tmp/dump_" + temp_time + ".txt")
        if os.path.exists("/tmp/fls_output_" + temp_time + ".txt"):
            os.remove("/tmp/fls_output_" + temp_time + ".txt")
        if os.path.exists("/tmp/hives_to_rename_" + temp_time):
            shutil.rmtree("/tmp/hives_to_rename_" + temp_time)
Esempio n. 21
0
def entropy_mr(item_to_process, case_number, root_folder_path, evidence):

    print("The item to process is: " + item_to_process)
    print("The case_name is: " + case_number)
    print("The output folder is: " + root_folder_path)
    print("The evidence to process is: " + evidence)

    evidence_no_quotes = evidence
    evidence = '"' + evidence + '"'

    #get datetime
    now = datetime.datetime.now()

    #set Mount Point
    mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

    #create output folder path
    folder_path = root_folder_path + "/" + "Entropy"
    check_for_folder(folder_path, "NONE")

    #open a log file for output
    log_file = folder_path + "/Entropy_logfile.txt"
    outfile = open(log_file, 'wt+')

    #open file to write output
    exp_file = folder_path + "/" + case_number + "_entropy.csv"
    export_file = open(exp_file, 'a+', encoding='latin-1', errors="ignore")
    #export_file = open(exp_file, 'a')

    if (item_to_process == "Single File"):
        ent = calc_entropy(evidence)
        print(ent)

    elif (item_to_process == "Directory"):
        folder_to_process = evidence_no_quotes
        process_folder(folder_to_process, export_file, outfile)
    elif (item_to_process == "EnCase Logical Evidence File"):
        file_to_process = evidence
        mount_point = mount_encase_v6_l01(case_number, file_to_process,
                                          outfile)
        process_folder(mount_point, export_file, outfile)

        #umount
        if (os.path.exists(mount_point)):
            subprocess.call(['sudo umount -f ' + mount_point], shell=True)
            os.rmdir(mount_point)
    elif (item_to_process == "Bit-Stream Image"):
        Image_Path = evidence
        #process every file on every partition
        #get datetime
        now = datetime.datetime.now()

        #set Mount Point
        mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")

        #check if Image file is in Encase format
        if re.search(".E01", Image_Path):

            #strip out single quotes from the quoted path
            #no_quotes_path = Image_Path.replace("'","")
            #print("THe no quotes path is: " +  no_quotes_path)
            #call mount_ewf function
            Image_Path = mount_ewf(Image_Path, outfile, mount_point)

        #call mmls function
        partition_info_dict, temp_time = mmls(outfile, Image_Path)
        partition_info_dict_temp = partition_info_dict

        #get filesize of mmls_output.txt
        file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")

        #if filesize of mmls output is 0 then run parted
        if (file_size == 0):
            print("mmls output was empty, running parted")
            outfile.write("mmls output was empty, running parted")
            #call parted function
            partition_info_dict, temp_time = parted(outfile, Image_Path)

        else:

            #read through the mmls output and look for GUID Partition Tables (used on MACS)
            mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
                                    'r')
            for line in mmls_output_file:
                if re.search("GUID Partition Table", line):
                    print(
                        "We found a GUID partition table, need to use parted")
                    outfile.write(
                        "We found a GUID partition table, need to use parted\n"
                    )
                    #call parted function
                    partition_info_dict, temp_time = parted(
                        outfile, Image_Path)
            mmls_output_file.close()

        #loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
        for key, value in sorted(partition_info_dict.items()):

            #disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
            cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
            try:
                subprocess.call([cmd_false], shell=True)
            except:
                print("Autmount false failed")

            #call mount sub-routine
            success_code, loopback_device_mount = mount(
                value, str(key), Image_Path, outfile, mount_point)

            if (success_code):
                print("Could not mount partition with filesystem: " + value +
                      " at offset:" + str(key))
                outfile.write("Could not mount partition with filesystem: " +
                              value + " at offset:" + str(key))
            else:

                print("We just mounted filesystem: " + value + " at offset:" +
                      str(key) + "\n")
                outfile.write("We just mounted filesystem: " + value +
                              " at offset:" + str(key) + "\n")

                #call entropy function for each mount_point
                process_folder(mount_point, export_file, outfile)
                print(
                    "We just finished calculating the entropy for every file...sorting output"
                )

                #unmount and remove mount points
                if (os.path.exists(mount_point)):
                    subprocess.call(['sudo umount -f ' + mount_point],
                                    shell=True)
                    os.rmdir(mount_point)
                #unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
                if not (loopback_device_mount == "NONE"):
                    losetup_d_command = "losetup -d " + loopback_device_mount
                    subprocess.call([losetup_d_command], shell=True)

        #delete /tmp files created for each partition
        if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
            os.remove("/tmp/mmls_output_" + temp_time + ".txt")

    #close output file
    export_file.close()

    #sort output file
    sort_command = "strings -a  " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
    subprocess.call([sort_command], shell=True)

    #write header row to export_file
    #sed_command = "sed -i '1i\ Entropy,File Name,File Size,MD5,File Path' " + "'" + folder_path + "'" + "/" + 	case_number +"_entropy_sorted.csv"
    sed_command = "sed -i '1i\ Entropy,File Name,File Size,FilePath' " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
    subprocess.call([sed_command], shell=True)

    #remove original output file
    os.remove(exp_file)

    #remove mount points created for this program
    if (os.path.exists(mount_point)):
        os.rmdir(mount_point)
    if (os.path.exists(mount_point + "_ewf")):
        subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
        os.rmdir(mount_point + "_ewf")