#set Mount Point mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S") #get case number case_number = get_case_number() #get output location folder_path = get_output_location(case_number) #open a log file for output log_file = folder_path + "/" + case_number + "_logfile.txt" outfile = open(log_file, 'wt+') #select dd image to process Image_Path = select_file_to_process(outfile) #check if Image file is in Encase format if re.search(".E01", Image_Path): #strip out single quotes from the quoted path #no_quotes_path = Image_Path.replace("'","") #print("THe no quotes path is: " + no_quotes_path) #call mount_ewf function Image_Path = mount_ewf(Image_Path, outfile, mount_point) #call mmls function partition_info_dict = mmls(outfile, Image_Path) partition_info_dict_temp = partition_info_dict #get filesize of mmls_output.txt
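def _partition_table(outfile, Image_Path):
    """Return the {offset: filesystem} map for Image_Path.

    Tries mmls() first and falls back to parted() when mmls produced no
    output or reported a GUID Partition Table (the original comment says
    this is the GPT/Mac case). Both helpers are defined elsewhere in the
    file; they are assumed to log to ``outfile`` themselves.
    """
    partition_info_dict = mmls(outfile, Image_Path)
    # NOTE(review): mmls() is assumed to leave its raw output at this fixed
    # path (it is not visible here). A predictable name in /tmp is a
    # symlink/race risk on a shared analysis host — confirm and prefer a
    # tempfile.mkstemp() path owned by mmls().
    mmls_output = "/tmp/mmls_output.txt"
    if os.path.getsize(mmls_output) == 0:
        print("mmls output was empty, running parted")
        outfile.write("mmls output was empty, running parted\n")
        return parted(outfile, Image_Path)
    with open(mmls_output, 'r') as mmls_output_file:
        for line in mmls_output_file:
            if "GUID Partition Table" in line:
                print("We found a GUID partition table, need to use parted")
                outfile.write("We found a GUID partition table, need to use parted\n")
                # One parted() run is enough; the original re-ran it for
                # every matching line of the mmls output.
                return parted(outfile, Image_Path)
    return partition_info_dict


def _unmount(mount_point):
    """Force-unmount mount_point (if it exists) and remove the directory.

    Argument vector form — no shell — so a mount point containing shell
    metacharacters can never become extra commands.  os.rmdir raises
    OSError if the unmount did not actually succeed, as before.
    """
    if os.path.exists(mount_point):
        subprocess.call(["sudo", "umount", "-f", mount_point])
        os.rmdir(mount_point)


def _write_sorted_export(exp_file, folder_path, case_number):
    """Write <case>_entropy_sorted.csv from the raw entropy CSV.

    Equivalent of the former ``strings -a FILE | sort -t'|' -r -k 2n > OUT``
    followed by ``sed -i '1i ...' OUT``, but built as argument vectors and a
    Python-side header write: the old version interpolated the case number
    and output folder into a shell string wrapped in single quotes, so a
    quote in either value broke out into arbitrary command execution.
    The header row is always written (sed's ``1i`` skipped it on an empty
    file).
    """
    sorted_file = os.path.join(folder_path, case_number + "_entropy_sorted.csv")
    with open(sorted_file, 'w') as sorted_out:
        # Header first; flush so the child's writes land after it.
        sorted_out.write("Entropy,File Name,File Size,File Path\n")
        sorted_out.flush()
        strings_proc = subprocess.Popen(["strings", "-a", exp_file],
                                        stdout=subprocess.PIPE)
        sort_proc = subprocess.Popen(["sort", "-t|", "-r", "-k", "2n"],
                                     stdin=strings_proc.stdout,
                                     stdout=sorted_out)
        # Let sort see EOF when strings exits; then reap both children.
        strings_proc.stdout.close()
        sort_proc.wait()
        strings_proc.wait()


def entropy_module(item_to_process, folder_path, case_number):
    """Run the entropy scan for a file, a folder, an L01 container or a disk image.

    Args:
        item_to_process: "file", "folder", "L01" or "image". Selects what the
            user is prompted for and how it is mounted before scanning.
        folder_path: case output directory; the log and CSV files land here.
        case_number: case identifier used as the output file-name prefix.

    Side effects: appends to ``<case>_logfile.txt``, writes
    ``<case>_entropy_sorted.csv`` (even for the "file" branch, which only
    prints its result and leaves the CSV empty apart from the header), and
    for "L01"/"image" mounts and force-unmounts under /mnt via sudo.
    Returns nothing.
    """
    log_file = os.path.join(folder_path, case_number + "_logfile.txt")
    exp_file = os.path.join(folder_path, case_number + "_entropy.csv")
    # Both files are closed by the context managers; the old code leaked
    # the log handle and closed the CSV by hand before sorting.
    with open(log_file, 'a') as outfile:
        with open(exp_file, 'a') as export_file:
            if item_to_process == "file":
                file_to_process = select_file_to_process(outfile)
                ent = calc_entropy(file_to_process)
                print(ent)
            elif item_to_process == "folder":
                folder_to_process = select_folder_to_process(outfile)
                process_folder(folder_to_process, export_file)
            elif item_to_process == "L01":
                file_to_process = select_file_to_process(outfile)
                mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
                process_folder(mount_point, export_file)
                _unmount(mount_point)
            elif item_to_process == "image":
                Image_Path = select_file_to_process(outfile)
                # Timestamped mount point so parallel runs do not collide.
                mount_point = "/mnt/" + datetime.datetime.now().strftime("%Y-%m-%d_%H_%M_%S")
                # Escaped dot: the old pattern ".E01" matched any character
                # followed by E01 anywhere in the path (e.g. /cases/E01/x.dd).
                if re.search(r"\.E01", Image_Path):
                    Image_Path = mount_ewf(Image_Path, outfile, mount_point)
                partition_info_dict = _partition_table(outfile, Image_Path)
                # Key is the partition offset, value the filesystem name.
                for offset, filesystem in sorted(partition_info_dict.items()):
                    success_code = mount(filesystem, str(offset), Image_Path, outfile, mount_point)
                    if success_code:
                        # Non-zero from mount() is failure; log line now newline-terminated.
                        msg = ("Could not mount partition with filesystem: " + filesystem
                               + " at offset:" + str(offset))
                        print(msg)
                        outfile.write(msg + "\n")
                    else:
                        msg = ("We just mounted filesystem: " + filesystem
                               + " at offset:" + str(offset) + "\n")
                        print(msg)
                        outfile.write(msg)
                    # As before, the scan runs after every partition, whether
                    # or not this one mounted — mount() is assumed to lay the
                    # partitions out under mount_point.
                    process_folder(mount_point, export_file)
                _unmount(mount_point)
        _write_sorted_export(exp_file, folder_path, case_number)
        # The unsorted CSV is only an intermediate.
        os.remove(exp_file)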
#set Mount Point mount_point = "/mnt/" + now.strftime("%Y-%m-%d_%H_%M_%S") #get case number case_number = get_case_number() #get output location folder_path = get_output_location(case_number) #open a log file for output log_file = folder_path + "/" + case_number + "_logfile.txt" outfile = open(log_file, 'wt+') #select dd image to process Image_Path = select_file_to_process(outfile) #check if Image file is in Encase format if re.search(".E01", Image_Path): #strip out single quotes from the quoted path #no_quotes_path = Image_Path.replace("'","") #print("THe no quotes path is: " + no_quotes_path) #call mount_ewf function Image_Path = mount_ewf(Image_Path, outfile,mount_point) #call mmls function partition_info_dict = mmls(outfile, Image_Path) partition_info_dict_temp = partition_info_dict
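def _partition_table(outfile, Image_Path):
    """Return the {offset: filesystem} map for Image_Path.

    Tries mmls() first and falls back to parted() when mmls produced no
    output or reported a GUID Partition Table (the original comment says
    this is the GPT/Mac case). Both helpers are defined elsewhere in the
    file; they are assumed to log to ``outfile`` themselves.
    """
    partition_info_dict = mmls(outfile, Image_Path)
    # NOTE(review): mmls() is assumed to leave its raw output at this fixed
    # path (it is not visible here). A predictable name in /tmp is a
    # symlink/race risk on a shared analysis host — confirm and prefer a
    # tempfile.mkstemp() path owned by mmls().
    mmls_output = "/tmp/mmls_output.txt"
    if os.path.getsize(mmls_output) == 0:
        print("mmls output was empty, running parted")
        outfile.write("mmls output was empty, running parted\n")
        return parted(outfile, Image_Path)
    with open(mmls_output, 'r') as mmls_output_file:
        for line in mmls_output_file:
            if "GUID Partition Table" in line:
                print("We found a GUID partition table, need to use parted")
                outfile.write("We found a GUID partition table, need to use parted\n")
                # One parted() run is enough; the original re-ran it for
                # every matching line of the mmls output.
                return parted(outfile, Image_Path)
    return partition_info_dict


def _unmount(mount_point):
    """Force-unmount mount_point (if it exists) and remove the directory.

    Argument vector form — no shell — so a mount point containing shell
    metacharacters can never become extra commands.  os.rmdir raises
    OSError if the unmount did not actually succeed, as before.
    """
    if os.path.exists(mount_point):
        subprocess.call(["sudo", "umount", "-f", mount_point])
        os.rmdir(mount_point)


def _write_sorted_export(exp_file, folder_path, case_number):
    """Write <case>_entropy_sorted.csv from the raw entropy CSV.

    Equivalent of the former ``strings -a FILE | sort -t'|' -r -k 2n > OUT``
    followed by ``sed -i '1i ...' OUT``, but built as argument vectors and a
    Python-side header write: the old version interpolated the case number
    and output folder into a shell string wrapped in single quotes, so a
    quote in either value broke out into arbitrary command execution.
    The header row is always written (sed's ``1i`` skipped it on an empty
    file).
    """
    sorted_file = os.path.join(folder_path, case_number + "_entropy_sorted.csv")
    with open(sorted_file, 'w') as sorted_out:
        # Header first; flush so the child's writes land after it.
        sorted_out.write("Entropy,File Name,File Size,File Path\n")
        sorted_out.flush()
        strings_proc = subprocess.Popen(["strings", "-a", exp_file],
                                        stdout=subprocess.PIPE)
        sort_proc = subprocess.Popen(["sort", "-t|", "-r", "-k", "2n"],
                                     stdin=strings_proc.stdout,
                                     stdout=sorted_out)
        # Let sort see EOF when strings exits; then reap both children.
        strings_proc.stdout.close()
        sort_proc.wait()
        strings_proc.wait()


def entropy_module(item_to_process, folder_path, case_number):
    """Run the entropy scan for a file, a folder, an L01 container or a disk image.

    Args:
        item_to_process: "file", "folder", "L01" or "image". Selects what the
            user is prompted for and how it is mounted before scanning.
        folder_path: case output directory; the log and CSV files land here.
        case_number: case identifier used as the output file-name prefix.

    Side effects: appends to ``<case>_logfile.txt``, writes
    ``<case>_entropy_sorted.csv`` (even for the "file" branch, which only
    prints its result and leaves the CSV empty apart from the header), and
    for "L01"/"image" mounts and force-unmounts under /mnt via sudo.
    Returns nothing.
    """
    log_file = os.path.join(folder_path, case_number + "_logfile.txt")
    exp_file = os.path.join(folder_path, case_number + "_entropy.csv")
    # Both files are closed by the context managers; the old code leaked
    # the log handle and closed the CSV by hand before sorting.
    with open(log_file, 'a') as outfile:
        with open(exp_file, 'a') as export_file:
            if item_to_process == "file":
                file_to_process = select_file_to_process(outfile)
                ent = calc_entropy(file_to_process)
                print(ent)
            elif item_to_process == "folder":
                folder_to_process = select_folder_to_process(outfile)
                process_folder(folder_to_process, export_file)
            elif item_to_process == "L01":
                file_to_process = select_file_to_process(outfile)
                mount_point = mount_encase_v6_l01(case_number, file_to_process, outfile)
                process_folder(mount_point, export_file)
                _unmount(mount_point)
            elif item_to_process == "image":
                Image_Path = select_file_to_process(outfile)
                # Timestamped mount point so parallel runs do not collide.
                mount_point = "/mnt/" + datetime.datetime.now().strftime("%Y-%m-%d_%H_%M_%S")
                # Escaped dot: the old pattern ".E01" matched any character
                # followed by E01 anywhere in the path (e.g. /cases/E01/x.dd).
                if re.search(r"\.E01", Image_Path):
                    Image_Path = mount_ewf(Image_Path, outfile, mount_point)
                partition_info_dict = _partition_table(outfile, Image_Path)
                # Key is the partition offset, value the filesystem name.
                for offset, filesystem in sorted(partition_info_dict.items()):
                    success_code = mount(filesystem, str(offset), Image_Path, outfile, mount_point)
                    if success_code:
                        # Non-zero from mount() is failure; log line now newline-terminated.
                        msg = ("Could not mount partition with filesystem: " + filesystem
                               + " at offset:" + str(offset))
                        print(msg)
                        outfile.write(msg + "\n")
                    else:
                        msg = ("We just mounted filesystem: " + filesystem
                               + " at offset:" + str(offset) + "\n")
                        print(msg)
                        outfile.write(msg)
                    # As before, the scan runs after every partition, whether
                    # or not this one mounted — mount() is assumed to lay the
                    # partitions out under mount_point.
                    process_folder(mount_point, export_file)
                _unmount(mount_point)
        _write_sorted_export(exp_file, folder_path, case_number)
        # The unsorted CSV is only an intermediate.
        os.remove(exp_file)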