def main():
print('Mounting remote filesystem using SSHFS...')
# read configuration
c = get_config()
# print(c)
if not c:
print('Cannot read configuration.')
return 1
# check if sshfs is installed, if not exit
if not has_sshfs(c['sshfs']):
print('SSHFS not installed.')
return 2
# test drive
ok = check_drive(c['drive'])
if not ok:
sys.path.insert(0, os.path.dirname(c['sshfs']))
unmount(c['drive'])
setup_ssh(c['ssh'], c['keygen'], c['userhost'])
set_drive_name(c['drivename'], c['userhost'])
mount(c['sshfs'], c['drive'], c['userhost'])
return 0
def mount_usb():
devices = list_media_devices()
found = []
for device in devices:
mount(device)
if is_mounted(device):
_list_files(get_media_path(device), found)
if len(found) > 0:
return True
else:
unmount(device)
return False
def create_kml_from_exif_mr(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#create output folder path
folder_path = root_folder_path + "/" + "KML_From_EXIF"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/KML_From_EXIF_logfile.txt"
outfile = open(log_file, 'wt+')
#initialize variables
files_of_interest = {}
files_of_interest_list = []
mount_point = "NONE"
log_file3 = folder_path + "/" + case_number + "_files_to_exploit.xls"
outfile3 = open(log_file3, 'wt+')
#write out column headers to xls file
outfile3.write("Name\tMD5\tFile Size (kb)\n")
if(item_to_process == "Directory"):
#select folder to process
folder_process = evidence_no_quotes
#set folder variable to "folder" since this is a folder and not a disk partition
folder = "Directory"
#call process subroutine
process(folder_process, outfile, folder_path, folder, outfile3)
elif(item_to_process == 'EnCase Logical Evidence File'):
folder = "LEF"
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
process(mount_point, outfile, folder_path, folder, outfile3)
#umount
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif(item_to_process == 'Single File'):
process_single_file(evidence_no_quotes, outfile, folder_path, "Single-File", outfile3)
elif(item_to_process == 'Bit-Stream Image'):
#select image to process
Image_Path = evidence
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")
#check to see if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
no_quotes_path = Image_Path.replace("'","")
print("The no quotes path is: " + no_quotes_path)
#call mount_ewf function
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
#partition_info_dict_temp, temp_time = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time +".txt")
print("The filesize is: " + str(file_size))
#if filesize of mmls output is 0 then run parted
if(file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
#close file
mmls_output_file.close()
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
#for key,value in partition_info_dict.items():
for key,value in sorted(partition_info_dict.items()):
#create output folder for processed files
if not os.path.exists(folder_path + "/Processed_files_" + str(key)):
os.mkdir(folder_path + "/Processed_files_" + str(key))
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code, loopback_device_mount = mount(value,key,Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + ". Scanning for files of interest.....\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
#call process subroutine
process(mount_point, outfile, folder_path, key, outfile3)
#unmount and remove mount points
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#delete /tmp files created for processing bit-stream images
if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
#write out list of filenames to end of output file so that user can create a filter for those filenames in Encase
outfile3.write("\n\n******** LIST of FILENAMES of INTEREST ******************\n")
#sort list so that all values are unique
unique(files_of_interest_list)
for files in files_of_interest_list:
outfile3.write(files + "\n")
#program cleanup
outfile.close()
outfile3.close()
#remove mount points created for this program
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
if(os.path.exists(mount_point+"_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point+"_ewf")
#convert outfile using unix2dos
#chdir to output foler
os.chdir(folder_path)
#run text files through unix2dos
for root, dirs, files in os.walk(folder_path):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if(fileExtension.lower() == ".txt"):
full_path = os.path.join(root,filenames)
quoted_full_path = "'" +full_path+"'"
print("Running Unix2dos against file: " + filenames)
unix2dos_command = "sudo unix2dos " + filenames
subprocess.call([unix2dos_command], shell=True)
#delete empty directories in output folder
for root, dirs, files in os.walk(folder_path, topdown=False):
for directories in dirs:
files = []
dir_path = os.path.join(root,directories)
files = os.listdir(dir_path)
if(len(files) == 0):
os.rmdir(dir_path)
#unmount and remove mount points
if(mount_point != "NONE"):
if(os.path.exists(mount_point+"_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point+"_ewf")
def entropy_mr(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#create output folder path
folder_path = root_folder_path + "/" + "Entropy"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/Entropy_logfile.txt"
outfile = open(log_file, 'wt+')
#open file to write output
exp_file = folder_path + "/" + case_number +"_entropy.csv"
export_file = open(exp_file, 'a+', encoding='latin-1', errors="ignore")
#export_file = open(exp_file, 'a')
if(item_to_process == "Single File"):
ent = calc_entropy(evidence)
print(ent)
elif(item_to_process == "Directory"):
folder_to_process = evidence_no_quotes
process_folder(folder_to_process, export_file, outfile)
elif(item_to_process =="EnCase Logical Evidence File"):
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
process_folder(mount_point, export_file, outfile)
#umount
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif(item_to_process == "Bit-Stream Image"):
Image_Path = evidence
#process every file on every partition
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
#no_quotes_path = Image_Path.replace("'","")
#print("THe no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(Image_Path, outfile,mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
#if filesize of mmls output is 0 then run parted
if(file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
mmls_output_file.close()
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key,value in sorted(partition_info_dict.items()):
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code, loopback_device_mount = mount(value,str(key),Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
#call entropy function for each mount_point
process_folder(mount_point, export_file, outfile)
print("We just finished calculating the entropy for every file...sorting output")
#unmount and remove mount points
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#delete /tmp files created for each partition
if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
#close output file
export_file.close()
#sort output file
sort_command = "strings -a " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
subprocess.call([sort_command], shell=True)
#write header row to export_file
#sed_command = "sed -i '1i\ Entropy,File Name,File Size,MD5,File Path' " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
sed_command = "sed -i '1i\ Entropy,File Name,File Size,FilePath' " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
subprocess.call([sed_command], shell=True)
#remove original output file
os.remove(exp_file)
#remove mount points created for this program
if(os.path.exists(mount_point)):
os.rmdir(mount_point)
if(os.path.exists(mount_point+"_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point+"_ewf")
#for key,value in partition_info_dict.items():
for key, value in sorted(partition_info_dict.items()):
#create output folder for processed files
if not os.path.exists(folder_path + "/Processed_files_" + str(key)):
os.mkdir(folder_path + "/Processed_files_" + str(key))
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code = mount(value, key, Image_Path, outfile, mount_point)
if (success_code):
print("Could not mount partition with filesystem: " + value +
" at offset:" + key)
outfile.write("Could not mount partition with filesystem: " +
value + " at offset:" + key)
else:
print("We just mounted filesystem: " + value + " at offset:" +
str(key) + ". Scanning for files of interest.....\n")
outfile.write("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
#call process subroutine
process(mount_point, outfile, folder_path, key)
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output.txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict = parted(outfile, Image_Path)
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key,value in sorted(partition_info_dict.items()):
#call mount sub-routine
success_code = mount(value,str(key),Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
if(value == "fat32") or (value == "ntfs"):
#get path to registry hives
paths = get_system_paths(value, "YES", outfile, mount_point)
#set up path variables from paths list
system_hive_path = paths[0]
def entropy_module(item_to_process, folder_path, case_number):
#get datetime
now = datetime.datetime.now()
#open a log file for output
log_file = folder_path + "/" + case_number + "_logfile.txt"
outfile = open(log_file, 'a')
#open file to write output
exp_file = folder_path + "/" + case_number +"_entropy.csv"
export_file = open(exp_file, 'a')
if(item_to_process == "file"):
file_to_process = select_file_to_process(outfile)
ent = calc_entropy(file_to_process)
print(ent)
elif(item_to_process == "folder"):
folder_to_process = select_folder_to_process(outfile)
process_folder(folder_to_process, export_file)
elif(item_to_process =="L01"):
file_to_process = select_file_to_process(outfile)
mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
process_folder(mount_point, export_file)
#umount
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif(item_to_process == "image"):
Image_Path = select_file_to_process(outfile)
#process every file on every partition
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
#no_quotes_path = Image_Path.replace("'","")
#print("THe no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(Image_Path, outfile,mount_point)
#call mmls function
partition_info_dict = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output.txt")
#if filesize of mmls output is 0 then run parted
if(file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output.txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict = parted(outfile, Image_Path)
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key,value in sorted(partition_info_dict.items()):
#call mount sub-routine
success_code = mount(value,str(key),Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
#call entropy function for each mount_point
process_folder(mount_point, export_file)
#unmount and remove mount points
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
#close output file
export_file.close()
#sort output file
sort_command = "strings -a " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
subprocess.call([sort_command], shell=True)
#write header row to export_file
sed_command = "sed -i '1i\ Entropy,File Name,File Size,File Path' " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
subprocess.call([sed_command], shell=True)
#remove original output file
os.remove(exp_file)
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output.txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write(
"We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict = parted(outfile, Image_Path)
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key, value in sorted(partition_info_dict.items()):
#call mount sub-routine
success_code = mount(value, str(key), Image_Path, outfile, mount_point)
if (success_code):
print("Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" +
str(key) + "\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" +
str(key) + "\n")
if (value == "fat32") or (value == "ntfs"):
#get path to registry hives
def av_scanner_mr(item_to_process, case_number, root_folder_path, evidence, conf_file):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
print("The configuration file is located at: " + conf_file)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#create output folder path
output_folder_path = root_folder_path + "/" + "AV_Scanner"
check_for_folder(output_folder_path, "NONE")
#open a log file for output
log_file = output_folder_path + "/AV_Scanner_logfile.txt"
outfile = open(log_file, 'wt+')
if(item_to_process == "Single File"):
print("Please put your file in a folder and then scan the folder")
elif(item_to_process == "Directory"):
folder_to_process = evidence_no_quotes
process_folder(folder_to_process, output_folder_path, outfile, "Directory", conf_file)
elif(item_to_process =="EnCase Logical Evidence File"):
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
process_folder(mount_point, output_folder_path, outfile, "LEF", conf_file)
#umount
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif(item_to_process == "Bit-Stream Image"):
Image_Path = evidence
#process every file on every partition
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
#no_quotes_path = Image_Path.replace("'","")
#print("THe no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(Image_Path, outfile,mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
#if filesize of mmls output is 0 then run parted
if(file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
mmls_output_file.close()
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key,value in sorted(partition_info_dict.items()):
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code, loopback_device_mount = mount(value,str(key),Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
#call av_scanner function for each mount_point
process_folder(mount_point, output_folder_path, outfile, "partition_offset_"+str(key), conf_file)
print("We just finished scanning every file...sorting output")
#unmount and remove mount points
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#delete /tmp files created for each partition
if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
#close logfile
outfile.close()
#remove mount points created for this program
if(os.path.exists(mount_point)):
os.rmdir(mount_point)
if(os.path.exists(mount_point+"_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point+"_ewf")
#run text files through unix2dos
for root, dirs, files in os.walk(output_folder_path):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if(fileExtension.lower() == ".txt"):
full_path = os.path.join(root,filenames)
quoted_full_path = "'" +full_path+"'"
print("Running Unix2dos against file: " + quoted_full_path)
#unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
unix2dos_command = "sudo unix2dos " + quoted_full_path
subprocess.call([unix2dos_command], shell=True)
def jumplist_mr(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")
#create output folder path
folder_path = root_folder_path + "/" + "Jumplist_Parser"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/Jumplist_Parser_logfile.txt"
outfile = open(log_file, 'wt+')
#select image to process
Image_Path = evidence
print("The image path is: " + Image_Path)
#check to see if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
no_quotes_path = Image_Path.replace("'","")
print("The no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(no_quotes_path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time +".txt")
print("The filesize is: " + str(file_size))
#if filesize of mmls output is 0 then run parted
if(file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
#for key,value in partition_info_dict.items():
for key,value in sorted(partition_info_dict.items()):
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#run mount command
success_code, loopback_device_mount = mount(value,key,Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + ".\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
#run jl.pl against every JumpList file found under mount_point if filesystem is fat32 or ntfs
if(value == "ntfs") or (value=="fat32"):
for root, dirs, files in os.walk(mount_point):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if(fileExtension.lower() == ".automaticdestinations-ms"):
full_path = os.path.join(root,filenames)
quoted_full_path = "'" +full_path+"'"
print("Processing Jump List: " + filenames)
outfile.write("Processing Jump List: " + filenames + "\n")
#get profile name
profile = get_account_profile_names(full_path, outfile)
print("The profile is: " + profile)
outfile.write("The profile is: " + profile + "\n")
#process Jumplist files with jl.pl
#jl_command = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -f " + full_path + " >> " + "'" + folder_path + "/jumplist_metadata.txt" + "'"
jl_command_tln = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -t -f " + quoted_full_path + " >> " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'"
outfile.write("The jl_command_tln is: " + jl_command_tln + "\n")
subprocess.call([jl_command_tln], shell=True)
else:
print("Scanning file: " + filenames + ". This file is not a jumplist.")
#unmount and remove mount points
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
else:
print("Filesystem: " + value + " at offset:" + str(key) + " is not NTFS or FAT32")
outfile.write("Filesystem: " + value + " at offset:" + str(key) + " is not NTFS or FAT32\n")
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#create timeline
parse_command = "perl /usr/share/windows-perl/parse.pl -f " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'" + "> " + "'" + folder_path + "/jumplist_timeline.txt" + "'"
subprocess.call([parse_command], shell=True)
#unmount and remove mount points
#if(os.path.exists(mount_point)):
# os.rmdir(mount_point)
if(os.path.exists(mount_point+"_ewf")):
print("Unmounting mount point for ewf before exiting\n\n")
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point+"_ewf")
#program cleanup
outfile.close()
#convert outfile using unix2dos
#chdir to output foler
os.chdir(folder_path)
#run text files through unix2dos
for root, dirs, files in os.walk(folder_path):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if(fileExtension.lower() == ".txt"):
full_path = os.path.join(root,filenames)
quoted_full_path = "'" +full_path+"'"
print("Running Unix2dos against file: " + filenames)
unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
subprocess.call([unix2dos_command], shell=True)
#for key,value in partition_info_dict.items():
for key,value in sorted(partition_info_dict.items()):
#create output folder for processed files
if not os.path.exists(folder_path + "/Processed_files_" + str(key)):
os.mkdir(folder_path + "/Processed_files_" + str(key))
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code = mount(value,key,Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + key)
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + key)
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + ". Scanning for files of interest.....\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
#call process subroutine
process(mount_point, outfile, folder_path, key)
#call mount sub-routine
print("Unmounting mount point before exiting\n\n")
file_local_path = "/home/stage/Prova.txt"
if flag:
x = open(file_local_path, "w") #apre e scrive un file in locale
for j in range(100):
x.write("Ciao " + str(j) + "\n")
x.close()
flag = False
else:
if devices: # controlla se c'e' la chiavetta
device = devices[0]
path_chiavetta = get_media_path(device)
mount(device) #monta la chiavetta
if is_mounted(device): #controlla se e' montata la usb
shutil.copy2(
file_local_path,
path_chiavetta) #copia il file da locale a chiavetta
os.remove(file_local_path
) #dove va messo, cancellerebbe il file da locale
flag = True
else: # se non c'e' la chiavetta continua a scrivere ciclicamente sul file locale
x = open("file_local_path", "r+")
for j in range(100):
x.write("Ciao" + str(j))
def entropy_module(item_to_process, folder_path, case_number):
#get datetime
now = datetime.datetime.now()
#open a log file for output
log_file = folder_path + "/" + case_number + "_logfile.txt"
outfile = open(log_file, 'a')
#open file to write output
exp_file = folder_path + "/" + case_number + "_entropy.csv"
export_file = open(exp_file, 'a')
if (item_to_process == "file"):
file_to_process = select_file_to_process(outfile)
ent = calc_entropy(file_to_process)
print(ent)
elif (item_to_process == "folder"):
folder_to_process = select_folder_to_process(outfile)
process_folder(folder_to_process, export_file)
elif (item_to_process == "L01"):
file_to_process = select_file_to_process(outfile)
mount_point = mount_encase_v6_l01(case_number, file_to_process,
outfile)
process_folder(mount_point, export_file)
#umount
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif (item_to_process == "image"):
Image_Path = select_file_to_process(outfile)
#process every file on every partition
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
#no_quotes_path = Image_Path.replace("'","")
#print("THe no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
#call mmls function
partition_info_dict = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output.txt")
#if filesize of mmls output is 0 then run parted
if (file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output.txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print(
"We found a GUID partition table, need to use parted")
outfile.write(
"We found a GUID partition table, need to use parted\n"
)
#call parted function
partition_info_dict = parted(outfile, Image_Path)
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key, value in sorted(partition_info_dict.items()):
#call mount sub-routine
success_code = mount(value, str(key), Image_Path, outfile,
mount_point)
if (success_code):
print("Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " +
value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" +
str(key) + "\n")
outfile.write("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
#call entropy function for each mount_point
process_folder(mount_point, export_file)
#unmount and remove mount points
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point],
shell=True)
os.rmdir(mount_point)
#close output file
export_file.close()
#sort output file
sort_command = "strings -a " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
subprocess.call([sort_command], shell=True)
#write header row to export_file
sed_command = "sed -i '1i\ Entropy,File Name,File Size,File Path' " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
subprocess.call([sed_command], shell=True)
#remove original output file
os.remove(exp_file)
def av_scanner_mr(item_to_process, case_number, root_folder_path, evidence,
conf_file):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
print("The configuration file is located at: " + conf_file)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#create output folder path
output_folder_path = root_folder_path + "/" + "AV_Scanner"
check_for_folder(output_folder_path, "NONE")
#open a log file for output
log_file = output_folder_path + "/AV_Scanner_logfile.txt"
outfile = open(log_file, 'wt+')
if (item_to_process == "Single File"):
print("Please put your file in a folder and then scan the folder")
elif (item_to_process == "Directory"):
folder_to_process = evidence_no_quotes
process_folder(folder_to_process, output_folder_path, outfile,
"Directory", conf_file)
elif (item_to_process == "EnCase Logical Evidence File"):
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process,
outfile)
process_folder(mount_point, output_folder_path, outfile, "LEF",
conf_file)
#umount
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif (item_to_process == "Bit-Stream Image"):
Image_Path = evidence
#process every file on every partition
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
#no_quotes_path = Image_Path.replace("'","")
#print("THe no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
#if filesize of mmls output is 0 then run parted
if (file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print(
"We found a GUID partition table, need to use parted")
outfile.write(
"We found a GUID partition table, need to use parted\n"
)
#call parted function
partition_info_dict, temp_time = parted(
outfile, Image_Path)
mmls_output_file.close()
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key, value in sorted(partition_info_dict.items()):
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code, loopback_device_mount = mount(
value, str(key), Image_Path, outfile, mount_point)
if (success_code):
print("Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " +
value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" +
str(key) + "\n")
outfile.write("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
#call av_scanner function for each mount_point
process_folder(mount_point, output_folder_path, outfile,
"partition_offset_" + str(key), conf_file)
print("We just finished scanning every file...sorting output")
#unmount and remove mount points
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point],
shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#delete /tmp files created for each partition
if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
#close logfile
outfile.close()
#remove mount points created for this program
if (os.path.exists(mount_point)):
os.rmdir(mount_point)
if (os.path.exists(mount_point + "_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point + "_ewf")
#run text files through unix2dos
for root, dirs, files in os.walk(output_folder_path):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if (fileExtension.lower() == ".txt"):
full_path = os.path.join(root, filenames)
quoted_full_path = "'" + full_path + "'"
print("Running Unix2dos against file: " + quoted_full_path)
#unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
unix2dos_command = "sudo unix2dos " + quoted_full_path
subprocess.call([unix2dos_command], shell=True)
def exifdata_mr(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#create output folder path
folder_path = root_folder_path + "/" + "EXIF_Tool"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/EXIF_Tool_logfile.txt"
outfile = open(log_file, 'wt+')
#set up tuple holding all of the file extensions exiftool can process
valid_extensions = ('3FR', '3G2', '3GP2', '3GP', '3GPP', 'ACR', 'AFM', 'ACFM', 'AMFM', 'AI', 'AIT', 'AIFF', 'AIF', 'AIFC', 'APE', 'ARW', 'ASF', 'AVI', 'BMP', 'DIB', 'BTF', 'TIFF', 'TIF', 'CHM', 'COS', 'CR2', 'CRW', 'CIFF', 'CS1', 'DCM', 'DC3', 'DIC', 'DICM', 'DCP', 'DCR', 'DFONT', 'DIVX', 'DJVU', 'DJV', 'DNG', 'DOC', 'DOT', 'DOCX', 'DOCM', 'DOTX', 'DOTM', 'DYLIB', 'DV', 'DVB', 'EIP', 'EPS', 'EPSF', 'EXR', 'PS', 'ERF', 'EXE', 'DLL', 'EXIF', 'F4A', 'F4B', 'F4P', 'F4V', 'FFF', 'FLA', 'FLAC', 'FLV', 'FPX', 'GIF', 'GZ', 'GZIP', 'HDP', 'HDR', 'WDP', 'HTML', 'HTM', 'XHTML', 'ICC', 'ICM', 'IIQ', 'IND', 'INDD', 'INDT', 'INX', 'ITC', 'JP2', 'JPF', 'JPM', 'JPX', 'JPEG', 'JPC', 'JPG', 'J2C', 'J2K', 'K25', 'KDC', 'KEY', 'KTH', 'LNK', 'M2TS', 'MTS', 'M2T', 'TS', 'M4A', 'M4B', 'M4P', 'M4V', 'MEF', 'MIE', 'MIFF', 'MIF', 'MKA', 'MKV', 'MKS', 'MOS', 'MOV', 'Q', 'MP3', 'MP4', 'MPC', 'MPEG', 'MPG', 'M2V', 'MPO', 'MQV', 'QT', 'MRW', 'MXF', 'NEF', 'NMBTEMPLATE', 'NRW', 'NUMBERS', 'ODB', 'ODC', 'ODF', 'ODG', 'OGI', 'ODP', 'ODS', 'ODT', 'OGG', 'ORF', 'OTF', 'PAGES', 'PDF', 'PEF', 'PFA', 'PFB', 'PFM', 'PGF', 'PICT', 'PCT', 'PMP', 'PNG', 'JNG', 'MNG', 'PPM', 'PBM', 'PGM', 'PPT', 'PPS', 'POT', 'POTX', 'POTM', 'PPSX', 'PPSM', 'PPTX', 'PPTM', 'PSD', 'PSB', 'PSP', 'PSPIMAGE', 'QTIF', 'QTI', 'QIF', 'RAF', 'RAM', 'RPM', 'RAW', 'RAR', 'RAW', 'RIFF', 'RIF', 'RM', 'RV', 'RMVB', 'RSRC', 'RTF', 'RW2', 'RWL', 'RWZ', 'SO', 'SR2', 'SRF', 'SRW', 'SVG', 'SWF', 'THM', 'THMX', 'TIFF', 'TIF', 'TTF', 'TTC', 'VOB', 'VRD', 'VSD', 'WAV', 'WEBM', 'WEBP', ',WMA', 'WMV', 'X3F', 'XCF', 'XLS', 'XLT', 'XLSX', 'XLSM', 'XLSB', 'XLTX', 'XLTM', 'XMP', 'ZIP')
if(item_to_process =="EnCase Logical Evidence File"):
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
process_folder(mount_point, valid_extensions, item_to_process)
#umount
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
if(item_to_process == "Directory"):
mount_point = evidence_no_quotes
process_folder(mount_point, valid_extensions, item_to_process, outfile, folder_path)
elif(item_to_process == "Bit-Stream Image"):
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#select dd image to process
Image_Path = evidence
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
#no_quotes_path = Image_Path.replace("'","")
#print("THe no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
#if filesize of mmls output is 0 then run parted
if(file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key,value in partition_info_dict.items():
#set up file object for output file
output_file = folder_path + "/Exif_data_partition_offset_" + str(key) +".txt"
print("The output_file is: " + output_file)
exif_out = open(output_file, 'wt+')
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code, loopback_device_mount = mount(value,key,Image_Path, outfile, mount_point)
if(success_code):
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + ". Scanning for files of interest.....\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
#get the filename without extension
for root,dirs,files in os.walk(mount_point):
for filenames in files:
fileName, fileExtension = os.path.splitext(filenames)
#replace the . in the file extension with nothing
file_extension = fileExtension.replace('.','')
file_extension = file_extension.upper()
file_name = os.path.basename(fileName)
for extension in valid_extensions:
if(file_extension == extension):
print("Running exiftool against file: " + filenames)
outfile.write("Running exiftool against file: " + filenames)
#chdir to output foler
os.chdir(folder_path)
#get absolute path to file
file_name = os.path.join(root,filenames)
quoted_file_name = "'" +file_name +"'"
#enclose strings in quotes
quoted_root = "'" +root +"'"
#set up exiftool command
exif_command = "exiftool -ext " + extension + " -l -sep *********** -z " + quoted_file_name + " >> " + "'" + folder_path + "/Exif_data_partition_offset_" + str(key) +".txt" + "'"
#print("The exif command is: " + exif_command + "\n\n")
outfile.write("The exif command is: " + exif_command + "\n\n")
#execute the exif command
subprocess.call([exif_command], shell=True)
#exif_out.write("\n\n")
#unmount and remove mount points
if(os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#close outfile
exif_out.close()
#program cleanup
outfile.close()
#remove mount points created for this program
if(os.path.exists(mount_point)):
if not (item_to_process == "Directory"):
os.rmdir(mount_point)
if(os.path.exists(mount_point+"_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point+"_ewf")
#delete empty directories in output folder
for root, dirs, files in os.walk(folder_path, topdown=False):
for directories in dirs:
files = []
dir_path = os.path.join(root,directories)
files = os.listdir(dir_path)
if(len(files) == 0):
os.rmdir(dir_path)
file_path = "/media/sdb" # definisce il path della chiavetta
def mount(device, name=None): # definisce la funzione mount
if not name:
name = get_device_name(device)
mount_partition(get_partition(device), name)
devices = list_media_devices()
if devices: # controlla se e' presente la chiavetta
device = devices[0]
path = get_media_path(device)
mount(device)
if is_mounted(device): # controlla se e' montata la chiavetta
print device, "\nsalva sulla chiavetta"
datetime.datetime.now()
print datetime.datetime.now()
shutil.copy2('/home/stage/cartellafatta/localfile.txt',
path) # copia il file da dispositivo a usb
if path + 'localfile.txt':
os.remove('/home/stage/cartellafatta/localfile.txt'
) # cancella il file da locale
os.rmdir('/home/stage/cartellafatta/'
) # cancella la cartella che conteneva il file in locale
a = 0 # ciclo di cyclic che scrive in usb un file
def jumplist_mr(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")
#create output folder path
folder_path = root_folder_path + "/" + "Jumplist_Parser"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/Jumplist_Parser_logfile.txt"
outfile = open(log_file, 'wt+')
#select image to process
Image_Path = evidence
print("The image path is: " + Image_Path)
#check to see if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
no_quotes_path = Image_Path.replace("'", "")
print("The no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(no_quotes_path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
print("The filesize is: " + str(file_size))
#if filesize of mmls output is 0 then run parted
if (file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", 'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write(
"We found a GUID partition table, need to use parted\n")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
#for key,value in partition_info_dict.items():
for key, value in sorted(partition_info_dict.items()):
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#run mount command
success_code, loopback_device_mount = mount(value, key, Image_Path,
outfile, mount_point)
if (success_code):
print("Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " +
value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" +
str(key) + ".\n")
outfile.write("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
#run jl.pl against every JumpList file found under mount_point if filesystem is fat32 or ntfs
if (value == "ntfs") or (value == "fat32"):
for root, dirs, files in os.walk(mount_point):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if (fileExtension.lower() ==
".automaticdestinations-ms"):
full_path = os.path.join(root, filenames)
quoted_full_path = "'" + full_path + "'"
print("Processing Jump List: " + filenames)
outfile.write("Processing Jump List: " +
filenames + "\n")
#get profile name
profile = get_account_profile_names(
full_path, outfile)
print("The profile is: " + profile)
outfile.write("The profile is: " + profile + "\n")
#process Jumplist files with jl.pl
#jl_command = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -f " + full_path + " >> " + "'" + folder_path + "/jumplist_metadata.txt" + "'"
jl_command_tln = "perl /usr/share/windows-perl/jl.pl -u " + "'" + profile + "'" + " -t -f " + quoted_full_path + " >> " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'"
outfile.write("The jl_command_tln is: " +
jl_command_tln + "\n")
subprocess.call([jl_command_tln], shell=True)
else:
print("Scanning file: " + filenames +
". This file is not a jumplist.")
#unmount and remove mount points
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point],
shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
else:
print("Filesystem: " + value + " at offset:" + str(key) +
" is not NTFS or FAT32")
outfile.write("Filesystem: " + value + " at offset:" +
str(key) + " is not NTFS or FAT32\n")
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point],
shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#create timeline
parse_command = "perl /usr/share/windows-perl/parse.pl -f " + "'" + folder_path + "/jumplist_metadata_tln.txt" + "'" + "> " + "'" + folder_path + "/jumplist_timeline.txt" + "'"
subprocess.call([parse_command], shell=True)
#unmount and remove mount points
#if(os.path.exists(mount_point)):
# os.rmdir(mount_point)
if (os.path.exists(mount_point + "_ewf")):
print("Unmounting mount point for ewf before exiting\n\n")
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point + "_ewf")
#program cleanup
outfile.close()
#convert outfile using unix2dos
#chdir to output foler
os.chdir(folder_path)
#run text files through unix2dos
for root, dirs, files in os.walk(folder_path):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if (fileExtension.lower() == ".txt"):
full_path = os.path.join(root, filenames)
quoted_full_path = "'" + full_path + "'"
print("Running Unix2dos against file: " + quoted_full_path)
#unix2dos_command = "sudo unix2dos " + "'"+filenames+"'"
unix2dos_command = "sudo unix2dos " + quoted_full_path
subprocess.call([unix2dos_command], shell=True)
def plist_processor(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#create output folder path
folder_path = root_folder_path + "/" + "PLIST_Processor"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/PLIST_processor_logfile.txt"
outfile = open(log_file, 'wt+')
#open an error file for output
log_file = folder_path + "/PLIST_processor_error_log.txt"
outfile_error = open(log_file, 'wt+')
#open file to write output
exp_file = folder_path + "/" + case_number + "_PLIST_Triage.txt"
export_file = open(exp_file, 'a')
if (item_to_process == "Directory"):
folder_to_process = evidence_no_quotes
process_folder(folder_to_process, export_file, outfile, outfile_error,
now)
elif (item_to_process == "EnCase Logical Evidence File"):
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process,
outfile)
process_folder(mount_point, export_file, outfile, outfile_error, now)
#umount
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif (item_to_process == "Bit-Stream Image"):
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
Image_Path = evidence
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#set mount point
#mount_point = "/mnt/"+ case_number+"_ewf"
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
#if filesize of mmls output is 0 then run parted
if (file_size == 0):
print("mmls output was empty, running parted\n")
outfile.write("mmls output was empty, running parted\n")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print(
"We found a GUID partition table, need to use parted")
outfile.write(
"We found a GUID partition table, need to use parted\n"
)
#call parted function
partition_info_dict, temp_time = parted(
outfile, Image_Path)
mmls_output_file.close()
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key, value in partition_info_dict.items():
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#process plist files
if (value == "hfs+"):
#call mount sub-routine
success_code, loopback_device_mount = mount(
value, str(key), Image_Path, outfile, mount_point)
if (success_code):
print("Could not mount partition with filesystem: " +
value + " at offset:" + str(key))
outfile.write(
"Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
else:
print("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
outfile.write("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
#process
process_folder(mount_point, export_file, outfile,
outfile_error, now)
#unmount
subprocess.call(['umount ' + mount_point], shell=True)
subprocess.call(['losetup -d ' + loopback_device_mount],
shell=True)
else:
print("This partition is not formatted HFS+")
outfile.write("This partition is not formatted HFS+\n\n")
#close export_file
export_file.close()
#chdir to output foler
os.chdir(folder_path)
#unmount and remount points
if re.search(".E01", Image_Path):
if (os.path.exists(mount_point + "_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"],
shell=True)
os.rmdir(mount_point + "_ewf")
#remove empty directories
for root, dirs, files in os.walk(folder_path, topdown=False):
for directory in dirs:
dir_path = os.path.join(root, directory)
if not os.listdir(dir_path):
outfile.write("Removing empty folder: " + dir_path + "\n")
os.rmdir(dir_path)
#close outfiles
outfile.close()
#run text files through unix2dos
for root, dirs, files in os.walk(folder_path):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if (fileExtension.lower() == ".txt"):
full_path = os.path.join(root, filenames)
quoted_full_path = "'" + full_path + "'"
print("Running Unix2dos against file: " + filenames)
unix2dos_command = "sudo unix2dos " + quoted_full_path
subprocess.call([unix2dos_command], shell=True)
#delete /tmp/ls_output.txt
if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
if (os.path.exists("/tmp/timeline_partition_info_" + temp_time +
".txt")):
os.remove("/tmp/timeline_partition_info_" + temp_time + ".txt")
if (os.path.exists("/tmp/dump_" + temp_time + ".txt")):
os.remove("/tmp/dump_" + temp_time + ".txt")
if (os.path.exists("/tmp/fls_output_" + temp_time + ".txt")):
os.remove("/tmp/fls_output_" + temp_time + ".txt")
if (os.path.exists("/tmp/hives_to_rename_" + temp_time)):
shutil.rmtree("/tmp/hives_to_rename_" + temp_time)
def create_kml_from_exif_mr(item_to_process, case_number, root_folder_path,
evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#create output folder path
folder_path = root_folder_path + "/" + "KML_From_EXIF"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/KML_From_EXIF_logfile.txt"
outfile = open(log_file, 'wt+')
#initialize variables
files_of_interest = {}
files_of_interest_list = []
mount_point = "NONE"
log_file3 = folder_path + "/" + case_number + "_files_to_exploit.xls"
outfile3 = open(log_file3, 'wt+')
#write out column headers to xls file
outfile3.write("Name\tMD5\tFile Size (kb)\n")
if (item_to_process == "Directory"):
#select folder to process
folder_process = evidence_no_quotes
#set folder variable to "folder" since this is a folder and not a disk partition
folder = "Directory"
#call process subroutine
process(folder_process, outfile, folder_path, folder, outfile3)
elif (item_to_process == 'EnCase Logical Evidence File'):
folder = "LEF"
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process,
outfile)
process(mount_point, outfile, folder_path, folder, outfile3)
#umount
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif (item_to_process == 'Single File'):
process_single_file(evidence_no_quotes, outfile, folder_path,
"Single-File", outfile3)
elif (item_to_process == 'Bit-Stream Image'):
#select image to process
Image_Path = evidence
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S")
#check to see if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
no_quotes_path = Image_Path.replace("'", "")
print("The no quotes path is: " + no_quotes_path)
#call mount_ewf function
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
#partition_info_dict_temp, temp_time = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
print("The filesize is: " + str(file_size))
#if filesize of mmls output is 0 then run parted
if (file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print(
"We found a GUID partition table, need to use parted")
outfile.write(
"We found a GUID partition table, need to use parted\n"
)
#call parted function
partition_info_dict, temp_time = parted(
outfile, Image_Path)
#close file
mmls_output_file.close()
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
#for key,value in partition_info_dict.items():
for key, value in sorted(partition_info_dict.items()):
#create output folder for processed files
if not os.path.exists(folder_path + "/Processed_files_" +
str(key)):
os.mkdir(folder_path + "/Processed_files_" + str(key))
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code, loopback_device_mount = mount(
value, key, Image_Path, outfile, mount_point)
if (success_code):
print("Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " +
value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" +
str(key) + ". Scanning for files of interest.....\n")
outfile.write("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
#call process subroutine
process(mount_point, outfile, folder_path, key, outfile3)
#unmount and remove mount points
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point],
shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#delete /tmp files created for processing bit-stream images
if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
#write out list of filenames to end of output file so that user can create a filter for those filenames in Encase
outfile3.write(
"\n\n******** LIST of FILENAMES of INTEREST ******************\n")
#sort list so that all values are unique
unique(files_of_interest_list)
for files in files_of_interest_list:
outfile3.write(files + "\n")
#program cleanup
outfile.close()
outfile3.close()
#remove mount points created for this program
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
if (os.path.exists(mount_point + "_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point + "_ewf")
#convert outfile using unix2dos
#chdir to output foler
os.chdir(folder_path)
#run text files through unix2dos
for root, dirs, files in os.walk(folder_path):
for filenames in files:
#get file extension
fileName, fileExtension = os.path.splitext(filenames)
if (fileExtension.lower() == ".txt"):
full_path = os.path.join(root, filenames)
quoted_full_path = "'" + full_path + "'"
print("Running Unix2dos against file: " + filenames)
unix2dos_command = "sudo unix2dos " + filenames
subprocess.call([unix2dos_command], shell=True)
#delete empty directories in output folder
for root, dirs, files in os.walk(folder_path, topdown=False):
for directories in dirs:
files = []
dir_path = os.path.join(root, directories)
files = os.listdir(dir_path)
if (len(files) == 0):
os.rmdir(dir_path)
#unmount and remove mount points
if (mount_point != "NONE"):
if (os.path.exists(mount_point + "_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"],
shell=True)
os.rmdir(mount_point + "_ewf")
def plist_processor(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
# get datetime
now = datetime.datetime.now()
# set Mount Point
mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
# create output folder path
folder_path = root_folder_path + "/" + "PLIST_Processor"
check_for_folder(folder_path, "NONE")
# open a log file for output
log_file = folder_path + "/PLIST_processor_logfile.txt"
outfile = open(log_file, "wt+")
# open an error file for output
log_file = folder_path + "/PLIST_processor_error_log.txt"
outfile_error = open(log_file, "wt+")
# open file to write output
exp_file = folder_path + "/" + case_number + "_PLIST_Triage.txt"
export_file = open(exp_file, "a")
if item_to_process == "Directory":
folder_to_process = evidence_no_quotes
process_folder(folder_to_process, export_file, outfile, outfile_error, now)
elif item_to_process == "EnCase Logical Evidence File":
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
process_folder(mount_point, export_file, outfile, outfile_error, now)
# umount
if os.path.exists(mount_point):
subprocess.call(["sudo umount -f " + mount_point], shell=True)
os.rmdir(mount_point)
elif item_to_process == "Bit-Stream Image":
# set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
Image_Path = evidence
# check if Image file is in Encase format
if re.search(".E01", Image_Path):
# set mount point
# mount_point = "/mnt/"+ case_number+"_ewf"
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
# call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
# get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
# if filesize of mmls output is 0 then run parted
if file_size == 0:
print("mmls output was empty, running parted\n")
outfile.write("mmls output was empty, running parted\n")
# call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
# read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt", "r")
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print("We found a GUID partition table, need to use parted")
outfile.write("We found a GUID partition table, need to use parted\n")
# call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
mmls_output_file.close()
# loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key, value in partition_info_dict.items():
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
# process plist files
if value == "hfs+":
# call mount sub-routine
success_code, loopback_device_mount = mount(value, str(key), Image_Path, outfile, mount_point)
if success_code:
print("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " + value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
outfile.write("We just mounted filesystem: " + value + " at offset:" + str(key) + "\n")
# process
process_folder(mount_point, export_file, outfile, outfile_error, now)
# unmount
subprocess.call(["umount " + mount_point], shell=True)
subprocess.call(["losetup -d " + loopback_device_mount], shell=True)
else:
print("This partition is not formatted HFS+")
outfile.write("This partition is not formatted HFS+\n\n")
# close export_file
export_file.close()
# chdir to output foler
os.chdir(folder_path)
# unmount and remount points
if re.search(".E01", Image_Path):
if os.path.exists(mount_point + "_ewf"):
subprocess.call(["sudo umount -f " + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point + "_ewf")
# remove empty directories
for root, dirs, files in os.walk(folder_path, topdown=False):
for directory in dirs:
dir_path = os.path.join(root, directory)
if not os.listdir(dir_path):
outfile.write("Removing empty folder: " + dir_path + "\n")
os.rmdir(dir_path)
# close outfiles
outfile.close()
# run text files through unix2dos
for root, dirs, files in os.walk(folder_path):
for filenames in files:
# get file extension
fileName, fileExtension = os.path.splitext(filenames)
if fileExtension.lower() == ".txt":
full_path = os.path.join(root, filenames)
quoted_full_path = "'" + full_path + "'"
print("Running Unix2dos against file: " + filenames)
unix2dos_command = "sudo unix2dos " + quoted_full_path
subprocess.call([unix2dos_command], shell=True)
# delete /tmp/ls_output.txt
if os.path.exists("/tmp/mmls_output_" + temp_time + ".txt"):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
if os.path.exists("/tmp/timeline_partition_info_" + temp_time + ".txt"):
os.remove("/tmp/timeline_partition_info_" + temp_time + ".txt")
if os.path.exists("/tmp/dump_" + temp_time + ".txt"):
os.remove("/tmp/dump_" + temp_time + ".txt")
if os.path.exists("/tmp/fls_output_" + temp_time + ".txt"):
os.remove("/tmp/fls_output_" + temp_time + ".txt")
if os.path.exists("/tmp/hives_to_rename_" + temp_time):
shutil.rmtree("/tmp/hives_to_rename_" + temp_time)
def entropy_mr(item_to_process, case_number, root_folder_path, evidence):
print("The item to process is: " + item_to_process)
print("The case_name is: " + case_number)
print("The output folder is: " + root_folder_path)
print("The evidence to process is: " + evidence)
evidence_no_quotes = evidence
evidence = '"' + evidence + '"'
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + "MantaRay_" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#create output folder path
folder_path = root_folder_path + "/" + "Entropy"
check_for_folder(folder_path, "NONE")
#open a log file for output
log_file = folder_path + "/Entropy_logfile.txt"
outfile = open(log_file, 'wt+')
#open file to write output
exp_file = folder_path + "/" + case_number + "_entropy.csv"
export_file = open(exp_file, 'a+', encoding='latin-1', errors="ignore")
#export_file = open(exp_file, 'a')
if (item_to_process == "Single File"):
ent = calc_entropy(evidence)
print(ent)
elif (item_to_process == "Directory"):
folder_to_process = evidence_no_quotes
process_folder(folder_to_process, export_file, outfile)
elif (item_to_process == "EnCase Logical Evidence File"):
file_to_process = evidence
mount_point = mount_encase_v6_l01(case_number, file_to_process,
outfile)
process_folder(mount_point, export_file, outfile)
#umount
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point], shell=True)
os.rmdir(mount_point)
elif (item_to_process == "Bit-Stream Image"):
Image_Path = evidence
#process every file on every partition
#get datetime
now = datetime.datetime.now()
#set Mount Point
mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S_%f")
#check if Image file is in Encase format
if re.search(".E01", Image_Path):
#strip out single quotes from the quoted path
#no_quotes_path = Image_Path.replace("'","")
#print("THe no quotes path is: " + no_quotes_path)
#call mount_ewf function
Image_Path = mount_ewf(Image_Path, outfile, mount_point)
#call mmls function
partition_info_dict, temp_time = mmls(outfile, Image_Path)
partition_info_dict_temp = partition_info_dict
#get filesize of mmls_output.txt
file_size = os.path.getsize("/tmp/mmls_output_" + temp_time + ".txt")
#if filesize of mmls output is 0 then run parted
if (file_size == 0):
print("mmls output was empty, running parted")
outfile.write("mmls output was empty, running parted")
#call parted function
partition_info_dict, temp_time = parted(outfile, Image_Path)
else:
#read through the mmls output and look for GUID Partition Tables (used on MACS)
mmls_output_file = open("/tmp/mmls_output_" + temp_time + ".txt",
'r')
for line in mmls_output_file:
if re.search("GUID Partition Table", line):
print(
"We found a GUID partition table, need to use parted")
outfile.write(
"We found a GUID partition table, need to use parted\n"
)
#call parted function
partition_info_dict, temp_time = parted(
outfile, Image_Path)
mmls_output_file.close()
#loop through the dictionary containing the partition info (filesystem is VALUE, offset is KEY)
for key, value in sorted(partition_info_dict.items()):
#disable auto-mount in nautilis - this stops a nautilis window from popping up everytime the mount command is executed
cmd_false = "sudo gsettings set org.gnome.desktop.media-handling automount false && sudo gsettings set org.gnome.desktop.media-handling automount-open false"
try:
subprocess.call([cmd_false], shell=True)
except:
print("Autmount false failed")
#call mount sub-routine
success_code, loopback_device_mount = mount(
value, str(key), Image_Path, outfile, mount_point)
if (success_code):
print("Could not mount partition with filesystem: " + value +
" at offset:" + str(key))
outfile.write("Could not mount partition with filesystem: " +
value + " at offset:" + str(key))
else:
print("We just mounted filesystem: " + value + " at offset:" +
str(key) + "\n")
outfile.write("We just mounted filesystem: " + value +
" at offset:" + str(key) + "\n")
#call entropy function for each mount_point
process_folder(mount_point, export_file, outfile)
print(
"We just finished calculating the entropy for every file...sorting output"
)
#unmount and remove mount points
if (os.path.exists(mount_point)):
subprocess.call(['sudo umount -f ' + mount_point],
shell=True)
os.rmdir(mount_point)
#unmount loopback device if this image was HFS+ - need to run losetup -d <loop_device> before unmounting
if not (loopback_device_mount == "NONE"):
losetup_d_command = "losetup -d " + loopback_device_mount
subprocess.call([losetup_d_command], shell=True)
#delete /tmp files created for each partition
if (os.path.exists("/tmp/mmls_output_" + temp_time + ".txt")):
os.remove("/tmp/mmls_output_" + temp_time + ".txt")
#close output file
export_file.close()
#sort output file
sort_command = "strings -a " + "'" + exp_file + "'" + " |sort -t\| -r -k 2n > " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
subprocess.call([sort_command], shell=True)
#write header row to export_file
#sed_command = "sed -i '1i\ Entropy,File Name,File Size,MD5,File Path' " + "'" + folder_path + "'" + "/" + case_number +"_entropy_sorted.csv"
sed_command = "sed -i '1i\ Entropy,File Name,File Size,FilePath' " + "'" + folder_path + "'" + "/" + case_number + "_entropy_sorted.csv"
subprocess.call([sed_command], shell=True)
#remove original output file
os.remove(exp_file)
#remove mount points created for this program
if (os.path.exists(mount_point)):
os.rmdir(mount_point)
if (os.path.exists(mount_point + "_ewf")):
subprocess.call(['sudo umount -f ' + mount_point + "_ewf"], shell=True)
os.rmdir(mount_point + "_ewf")