Esempio n. 1
    def __init__(self, parent, caseDetails, evidenceDetails):
        """Build the case-summary panel and load the evidence rows for the case.

        Args:
            parent: wx parent window of this panel.
            caseDetails: iterable of case rows; column 5 of every row is used
                as a database path to read the evidence table from.
            evidenceDetails: handed straight through to ``__do_layout``.

        Side effects: rebinds the module-level ``evidenceInfo``. Because every
        row of ``caseDetails`` overwrites it, only the last row's result
        survives.
        """
        # begin wxGlade: MyFrame.__init__
        wx.Panel.__init__(self, parent=parent)
        self.SetSize((655, 673))

        self.panel_1 = wx.Panel(self, wx.ID_ANY)
        scrolled_style = wx.TAB_TRAVERSAL
        self.panel_2 = wx.ScrolledWindow(self.panel_1, wx.ID_ANY, style=scrolled_style)

        # Both text controls are display-only; the first one also drops its border.
        single_line_style = wx.TE_READONLY | wx.BORDER_NONE
        self.txtCaseDb = wx.TextCtrl(self.panel_1, wx.ID_ANY, "", style=single_line_style)
        multi_line_style = wx.TE_MULTILINE | wx.TE_READONLY
        self.txtCaseDesc = wx.TextCtrl(self.panel_1, wx.ID_ANY, "", style=multi_line_style)

        global evidenceInfo
        for case_row in caseDetails:
            try:
                # Column 5 is the database that holds the evidence table.
                # NOTE(review): the connection is never closed here; confirm what
                # connectdb.create_connection returns before adding a close().
                db_conn = connectdb.create_connection(case_row[5])
                evidenceInfo = connectdb.select_evidence_details(db_conn)
            except Error as e:
                print(e)

        self.__set_properties()
        self.__do_layout(caseDetails, evidenceDetails)
Esempio n. 2
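    def onOpenCase(self, event):
        """Let the user pick a case ``.db`` file and load it into the UI.

        Rebinds the module-level ``caseDbPath``, ``caseDetails`` and
        ``evidenceDetails``, opens the "Summary" tab, records it in
        ``openTabs`` and rebuilds the tree from the chosen case database.

        Args:
            event: the wx event that triggered the handler (unused).
        """
        global caseDbPath, caseDetails, evidenceDetails
        #creates a filedialog that only allow user to select .db files
        openFileDialog = wx.FileDialog(self, "Open", "", "", "*.db",
                                       wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
        try:
            # A cancelled dialog has no usable path; the original went on to
            # open "" as a database and relied on the bare except to hide it.
            if openFileDialog.ShowModal() == wx.ID_CANCEL:
                return
            caseDbPath = openFileDialog.GetPath()  #get path selected in filedialog
        finally:
            # Destroy on every exit path; the original leaked the dialog on an exception.
            openFileDialog.Destroy()

        try:
            #try to connect to case database and get case and evidence details
            conn = connectdb.create_connection(caseDbPath)
            caseDetails = connectdb.select_case_details(conn)
            #get EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 from case database
            evidenceDetails = connectdb.select_evidence_details(conn)
            self.addAuiTab("Summary", evidenceDetails)  #opens summary page
            openTabs.append("Summary")
            self.recreateTree(caseDbPath)
        except Exception as e:
            # Still best-effort, but report what went wrong instead of the bare
            # `except: pass` that hid a wrong or corrupt database completely.
            print(e)
            wx.MessageBox("Could not open case: {err}".format(err=e), ' ',
                          wx.OK | wx.ICON_ERROR)
        else:
            wx.MessageBox('Case Opened!', ' ', wx.OK | wx.ICON_INFORMATION)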
Esempio n. 3
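    def onOpenCase(self, event):
        """Let the user pick a case ``.db`` file and load it into the UI.

        Rebinds the module-level ``caseDbPath``, ``caseDetails`` and
        ``evidenceDetails``, opens the "Summary" tab, records it in
        ``openTabs`` and rebuilds the tree from the chosen case database.

        Args:
            event: the wx event that triggered the handler (unused).
        """
        global caseDbPath, caseDetails, evidenceDetails
        #creates a filedialog that only allow user to select .db files
        openFileDialog = wx.FileDialog(self, "Open", "", "", "*.db",
                                       wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
        try:
            # A cancelled dialog has no usable path; the original went on to
            # open "" as a database and relied on the bare except to hide it.
            if openFileDialog.ShowModal() == wx.ID_CANCEL:
                return
            caseDbPath = openFileDialog.GetPath()  #get path selected in filedialog
        finally:
            # Destroy on every exit path; the original leaked the dialog on an exception.
            openFileDialog.Destroy()

        try:
            #try to connect to case database and get case and evidence details
            conn = connectdb.create_connection(caseDbPath)
            caseDetails = connectdb.select_case_details(conn)
            #get EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 from case database
            evidenceDetails = connectdb.select_evidence_details(conn)
            self.addAuiTab("Summary", evidenceDetails)  #opens summary page
            openTabs.append("Summary")
            self.recreateTree(caseDbPath)
        except Exception as e:
            # Still best-effort, but report what went wrong instead of the bare
            # `except: pass` that hid a wrong or corrupt database completely.
            print(e)
            wx.MessageBox("Could not open case: {err}".format(err=e), ' ',
                          wx.OK | wx.ICON_ERROR)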
Esempio n. 4
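    def recreateTree(self, caseDbFile):
        """Rebuild ``tree_ctrl_1``: the case name as root plus the fixed sections.

        Args:
            caseDbFile: path of the case database to connect to.

        Reads the module-level ``caseDetails`` (columns 2 and 3 of each row
        form the root label) and rebinds the module-level ``caseName``.
        """
        global caseName
        self.tree_ctrl_1.Freeze()
        try:
            self.tree_ctrl_1.DeleteAllItems()
            # Every row overwrites caseName, so the last row of caseDetails wins.
            for x in caseDetails:
                caseName = str(x[2]) + "_" + x[3]

            #adds the name of case as root item in treectrl
            root = self.tree_ctrl_1.AddRoot(caseName)
            self.tree_ctrl_1.AppendItem(root, "Summary")

            #connect to case database
            conn = connectdb.create_connection(caseDbFile)
            #get evidenceName, EvidenceDbPath EvidenceDatetime and Md5 from case database
            #EvidenceDbPath = path to tsk database generated when onAddEvidence is called
            # NOTE(review): this version of the method never uses the result and
            # never closes the connection; the call is kept so the connect side
            # effect is unchanged -- confirm whether it can simply be dropped.
            connectdb.select_evidence_details(conn)

            for section in ("Bookmarks", "File", "Images", "Sessions", "DNS", "Credentials"):
                self.tree_ctrl_1.AppendItem(root, section)

            self.tree_ctrl_1.ExpandAll()
        finally:
            # Thaw unconditionally: an exception above (e.g. caseDetails not
            # set yet) would otherwise leave the control frozen and unpainted.
            self.tree_ctrl_1.Thaw()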
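    def on_menu_Open_Case(self, event):  # wxGlade: mainNetAnalysis.<event_handler>
        """Menu handler: pick a case ``.db`` file and load it into the UI.

        Rebinds the module-level ``caseDbPath``, ``caseDetails`` and
        ``evidenceDetails``, opens the "Summary" tab, records it in
        ``openTabs`` and rebuilds the tree from the chosen case database.

        Args:
            event: the wx menu event that triggered the handler (unused).
        """
        global caseDbPath, caseDetails, evidenceDetails
        #creates a filedialog that only allow user to select .db files
        openFileDialog = wx.FileDialog(self, "Open", "", "", "*.db",
                                       wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
        try:
            # A cancelled dialog has no usable path; the original went on to
            # open "" as a database and relied on the bare except to hide it.
            if openFileDialog.ShowModal() == wx.ID_CANCEL:
                return
            caseDbPath = openFileDialog.GetPath()  #get path selected in filedialog
        finally:
            # Destroy on every exit path; the original leaked the dialog on an exception.
            openFileDialog.Destroy()

        try:
            #try to connect to case database and get case and evidence details
            conn = connectdb.create_connection(caseDbPath)
            caseDetails = connectdb.select_case_details(conn)
            #get EvidenceName, EvidenceDbPath, EvidenceDatatime and Md5 from case database
            evidenceDetails = connectdb.select_evidence_details(conn)
            self.addAuiTab("Summary", evidenceDetails)  #opens summary page
            openTabs.append("Summary")
            self.recreateTree(caseDbPath)
        except Exception as e:
            # Still best-effort, but report what went wrong instead of the bare
            # `except: pass` that hid a wrong or corrupt database completely.
            print(e)
            wx.MessageBox("Could not open case: {err}".format(err=e), ' ',
                          wx.OK | wx.ICON_ERROR)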
Esempio n. 6
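    def recreateTree(self, caseDbFile):
        """Rebuild ``tree_ctrl_1`` for the open case.

        Layout: the case name as root; under "Summary" one node per evidence
        image with one child per partition, then Timeline/Bookmarks/Search;
        under "Analyzed Data" the entries of the module-level
        ``analyzedDataTree``, ``documentsTree`` and ``executablesTree``.

        Args:
            caseDbFile: path of the case database listing the evidence.

        Reads the module-level ``caseDetails`` (columns 2 and 3 of each row
        form the root label) and rebinds the module-level ``caseName``.
        """
        global caseName
        self.tree_ctrl_1.Freeze()
        try:
            self.tree_ctrl_1.DeleteAllItems()
            # Every row overwrites caseName, so the last row of caseDetails wins.
            for x in caseDetails:
                caseName = str(x[2]) + "_" + x[3]

            root = self.tree_ctrl_1.AddRoot(caseName)  #adds the name of case as root item in treectrl
            summary = self.tree_ctrl_1.AppendItem(root, "Summary")

            conn = connectdb.create_connection(caseDbFile)  #connect to case database
            #get evidenceName, EvidenceDbPath EvidenceDatetime and Md5 from case database
            #EvidenceDbPath = path to tsk database generated when onAddEvidence is called
            evidenceInfo = connectdb.select_evidence_details(conn)
            for evidence in evidenceInfo:
                # NOTE(review): neither this connection nor `conn` is closed;
                # confirm create_connection's return type before adding close().
                evidenceDbConn = connectdb.create_connection(evidence[2])  #connect to tsk database
                evidenceDbInfo = connectdb.select_image_info(evidenceDbConn)  #get evidence name, size and md5 from tsk database
                evidencePart = connectdb.select_image_partitions(evidenceDbConn)  #get partition info from tsk database
                # Volume numbering restarts per evidence database but keeps
                # counting across all images in it (same as the original).
                count = 0
                for image in evidenceDbInfo:
                    fileName = os.path.basename(image[0])
                    imageNode = self.tree_ctrl_1.AppendItem(summary, fileName)  #append evidence name to treectrl
                    # Distinct loop variable: the original reused `i` for both
                    # loops and also copied each tuple to a list for nothing.
                    for part in evidencePart:
                        count += 1
                        # Label kept byte-for-byte (including the stray trailing
                        # ')') in case other handlers match on this text.
                        label = "Vol{count} {desc}: {start}-{end})".format(
                            count=count,
                            desc=str(part[2]),
                            start=str(part[0]),
                            end=str(part[1]))
                        self.tree_ctrl_1.AppendItem(imageNode, label)  #append evidence partition to evidence name

            for section in ("Timeline", "Bookmarks", "Search"):
                self.tree_ctrl_1.AppendItem(summary, section)

            analyzedData = self.tree_ctrl_1.AppendItem(root, "Analyzed Data")
            for x in analyzedDataTree:
                self.tree_ctrl_1.AppendItem(analyzedData, x)
            docTree = self.tree_ctrl_1.AppendItem(analyzedData, "Documents")
            for x in documentsTree:
                self.tree_ctrl_1.AppendItem(docTree, x)
            exeTree = self.tree_ctrl_1.AppendItem(analyzedData, "Executables")
            for x in executablesTree:
                self.tree_ctrl_1.AppendItem(exeTree, x)

            self.tree_ctrl_1.ExpandAll()
        finally:
            # Thaw unconditionally: an exception above (missing tsk database,
            # caseDetails not set) would otherwise leave the control frozen.
            self.tree_ctrl_1.Thaw()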
Esempio n. 7
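    def onAddEvidence(self, event):
        """Add a ``.dd`` disk image to the open case.

        Steps: build the TSK database with ``tsk_loaddb``; record the image
        (name, database path, timestamp, MD5) in the case database; start
        ``tsk_recover`` in the background for every partition that is not
        "Unallocated"; store the ``fls`` listing of deleted files in
        ``Deleted_Files.db``; finally refresh the Summary tab and the tree.

        Args:
            event: the wx event that triggered the handler (unused).

        Reads the module-level ``caseDetails`` (column 4 = case directory,
        column 5 = case database path) and rebinds the module-level
        ``caseDir``, ``caseDbPath`` and ``evidenceDetails``.
        """
        global caseDir, caseDbPath, evidenceDetails
        try:
            caseDetails
        except NameError:  #if caseDetails not defined
            wx.MessageBox('Case not opened!', ' ', wx.OK | wx.ICON_INFORMATION)
            print("Case not opened")
            return

        #creates a filedialog that only allow user to select .dd files
        openFileDialog = wx.FileDialog(self, "Open", "", "", "*.dd",
                                       wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
        try:
            if openFileDialog.ShowModal() == wx.ID_CANCEL:
                return
            evidencePath = openFileDialog.GetPath()  #get path of selected dd file
        finally:
            # Destroy on every exit path; the original leaked it on an exception.
            openFileDialog.Destroy()
        fileName = os.path.basename(evidencePath)

        # Every row overwrites both values, so the last row of caseDetails wins.
        for x in caseDetails:
            caseDir = x[4]  #get case directory from caseDetails
            caseDbPath = x[5]  #get case database path from caseDetails

        evidenceDbDir = Path(caseDir + "/Evidence_Database")
        if not evidenceDbDir.is_dir():  #create directory if it does not exist
            os.mkdir(str(evidenceDbDir))
        if fileName == "":
            return
        # One path for tsk_loaddb, the EvidenceInfo row and the later connect;
        # the original spelled it three slightly different ways.
        evidenceDbPath = str(evidenceDbDir) + "/" + fileName + ".db"

        self._dialog = wx.ProgressDialog(
            "Adding evidence",
            "Creating database for '{s}'".format(s=fileName), 100)
        LoadingDialog(self._dialog)  #starts the loading dialog
        try:
            #use tsk_loaddb to generate tsk database (argument list, no shell)
            load_db = subprocess.call(["tsk_loaddb", "-d", evidenceDbPath, evidencePath])
        finally:
            # End the dialog even if tsk_loaddb is missing and call() raises.
            LoadingDialog.endLoadingDialog(self)  #ends the loading dialog
        if load_db != 0:  #tsk_loaddb reported an error
            return

        conn = connectdb.create_connection(caseDbPath)
        with conn:
            evidenceMd5 = self._md5_of_file(evidencePath)
            insertEvidence = (1, fileName, evidenceDbPath,
                              datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
                              evidenceMd5)
            connectdb.insertEvidenceDetails(conn, insertEvidence)  #insert to EvidenceInfo in case database

        evidenceConn = connectdb.create_connection(evidenceDbPath)  #connect to tsk database
        evidencePart = connectdb.select_image_partitions(evidenceConn)  #get image partitions from tsk database
        createDeletedFilesDb = self._open_deleted_files_db(caseDir)

        for x in evidencePart:
            if x[2] == "Unallocated":
                continue
            offset = str(x[0])
            #recover files from all partitions that are not unallocated; runs in
            #the background and is never waited for (same as the original)
            subprocess.Popen(["tsk_recover", "-e", "-o", offset, evidencePath,
                              caseDir + "/Extracted/" + fileName])

            deletedRows = self._list_deleted_files(offset, evidencePath)
            with createDeletedFilesDb:
                for row in deletedRows:
                    #inserts all deleted files info into Deleted_Files.db
                    connectdb.insertDeletedFiles(createDeletedFilesDb, tuple(row) + (fileName,))

        wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))

        evidenceDetails = connectdb.select_evidence_details(conn)
        # NOTE(review): DeletePage(0) already destroys the first page, so the
        # RemovePage(0) after it detaches whichever page is first by then.
        # Kept as in the original -- confirm both calls are intended.
        self.auiNotebook.DeletePage(0)
        self.auiNotebook.RemovePage(0)
        self.addAuiTab("Summary", evidenceDetails)
        self.recreateTree(caseDbPath)

    @staticmethod
    def _md5_of_file(path):
        """Return the hex MD5 of the file at *path*, read in 1 MiB chunks.

        MD5 is what the EvidenceInfo row stores. It serves as an integrity
        fingerprint of the image but is not collision resistant; storing a
        SHA-256 alongside it would need a schema change in the case database.
        """
        md5_hash = hashlib.md5()
        # `with` closes the handle on every path; the original never closed it.
        with open(path, 'rb') as f:
            for byte_block in iter(lambda: f.read(1024 * 1024), b""):
                md5_hash.update(byte_block)
        return md5_hash.hexdigest()

    @staticmethod
    def _open_deleted_files_db(caseDir):
        """Return a connection to ``<caseDir>/Evidence_Database/Deleted_Files.db``.

        The ``DeletedFiles`` table is created only when the file did not exist
        beforehand, so the existence check must run before connecting
        (connecting may create the file).
        """
        deletedDbPath = caseDir + "/Evidence_Database/Deleted_Files.db"
        existed = Path(deletedDbPath).is_file()  #check if Deleted_Files.db exist
        db = connectdb.create_connection(deletedDbPath)  #connects to Deleted_Files.db
        if not existed:
            deletedFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
            connectdb.createTable(db, deletedFilesTable)  #creates if it does not exist
        return db

    @staticmethod
    def _list_deleted_files(offset, image):
        """Run ``fls -rFdl -o <offset> <image>`` and return its rows as 11-field lists.

        The command is passed as an argument list, never as a shell string:
        *image* is a path the user picked in a file dialog and must not be
        able to alter the command line.

        Args:
            offset: sector offset of the partition, already a string.
            image: path of the disk image.

        Returns:
            A list of 11-element lists in the column order of the
            ``DeletedFiles`` table (without the trailing image column).
        """
        process = subprocess.Popen(["fls", "-rFdl", "-o", offset, image],
                                   stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE)  #list all deleted files
        stdout, stderr = process.communicate()
        if process.returncode != 0:
            # The original discarded stderr entirely; at least show it.
            print(stderr.decode(errors="replace"))
        # Same column split as the original: the " * " marker and every line
        # break become tabs, then each run of 11 fields is one row.
        output = stdout.decode(errors="replace")
        chk = re.sub(r'[ ]\*[ ]', '\t*\t', output)  #change all ' ' in the second and third column of fls output to '\t'
        chk = re.sub(r'\n', '\t', chk)  #change all '\n' to '\t'
        fields = chk.split('\t')  #splits all values between \t into a list
        rows = [fields[i:i + 11] for i in range(0, len(fields) - 1, 11)]
        complete = [row for row in rows if len(row) == 11]
        if len(complete) != len(rows):
            # A short trailing chunk used to raise IndexError on insert; skip it, but say so.
            print("fls output at offset {o}: {n} incomplete row(s) skipped".format(
                o=offset, n=len(rows) - len(complete)))
        return complete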
Esempio n. 8
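    def runddfile(lock):
        """Worker body that ingests the module-level ``evidencePath`` into the case.

        Same pipeline as the add-evidence handler -- ``tsk_loaddb``, an
        EvidenceInfo row, background ``tsk_recover`` per allocated partition,
        ``fls`` deleted-file listing into ``Deleted_Files.db``, UI refresh --
        but driven from the module-level ``fileName``/``evidencePath`` and
        ``mainFrame``. *lock* is held for the whole run.

        Args:
            lock: lock object providing ``acquire``/``release`` (used here as
                a context manager).

        Reads the module-level ``caseDetails`` (column 4 = case directory,
        column 5 = case database path) and rebinds ``evidenceDetails``.
        """
        global fileName, evidencePath, evidenceDetails
        # `with` releases the lock even when a step below raises; the bare
        # acquire()/release() pair left it held forever after any exception.
        with lock:
            # Every row overwrites both values, so the last row of caseDetails wins.
            for x in caseDetails:
                caseDir = x[4]  #get case directory from caseDetails
                caseDbPath = x[5]  #get case database path from caseDetails

            evidenceDbDir = Path(caseDir + "/Evidence_Database")
            if not evidenceDbDir.is_dir():  #create directory if it does not exist
                os.mkdir(str(evidenceDbDir))
            if fileName == "":
                return
            # One path for tsk_loaddb, the EvidenceInfo row and the later connect.
            evidenceDbPath = str(evidenceDbDir) + "/" + fileName + ".db"

            mainFrame._dialog = wx.ProgressDialog("Adding evidence", "Creating database for '{s}'".format(s=fileName), 100)
            LoadingDialog(mainFrame._dialog)  #starts the loading dialog
            try:
                #use tsk_loaddb to generate tsk database (argument list, no shell)
                load_db = subprocess.call(["tsk_loaddb", "-d", evidenceDbPath, evidencePath])
            finally:
                # End the dialog even if tsk_loaddb is missing and call() raises.
                LoadingDialog.endLoadingDialog(mainFrame)  #ends the loading dialog
            if load_db != 0:  #tsk_loaddb reported an error
                return

            conn = connectdb.create_connection(caseDbPath)
            with conn:
                # NOTE(review): this version computes no digest and stores the
                # literal string "None" in the Md5 column. Kept unchanged; the
                # add-evidence handler computes a real MD5 -- confirm which is intended.
                evidenceMd5 = "None"
                insertEvidence = (1, fileName, evidenceDbPath, datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"), evidenceMd5)
                connectdb.insertEvidenceDetails(conn, insertEvidence)  #insert to EvidenceInfo in case database

            evidenceConn = connectdb.create_connection(evidenceDbPath)  #connect to tsk database
            evidencePart = connectdb.select_image_partitions(evidenceConn)  #get image partitions from tsk database

            deletedDbPath = caseDir + "/Evidence_Database/Deleted_Files.db"
            # Existence is checked before connecting: connecting may create the file.
            deletedDbExisted = Path(deletedDbPath).is_file()  #check if Deleted_Files.db exist
            createDeletedFilesDb = connectdb.create_connection(deletedDbPath)  #connects to Deleted_Files.db
            if not deletedDbExisted:
                deletedFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
                connectdb.createTable(createDeletedFilesDb, deletedFilesTable)  #creates if it does not exist

            for x in evidencePart:
                if x[2] == "Unallocated":
                    continue
                offset = str(x[0])
                #recover files from all partitions that are not unallocated; runs in
                #the background and is never waited for (same as the original)
                subprocess.Popen(["tsk_recover", "-e", "-o", offset, evidencePath, caseDir + "/Extracted/" + fileName])

                # Argument list, never a shell string: evidencePath is a
                # user-chosen path and must not be able to alter the command.
                process = subprocess.Popen(["fls", "-rFdl", "-o", offset, evidencePath],
                                           stdout=subprocess.PIPE, stderr=subprocess.PIPE)  #list all deleted files
                stdout, stderr = process.communicate()
                output = stdout.decode()
                chk = re.sub(r'[ ]\*[ ]', '\t*\t', output)  #change all ' ' in the second and third column of fls output to '\t'
                chk = re.sub(r'\n', '\t', chk)  #change all '\n' to '\t'
                fields = chk.split('\t')  #splits all values between \t into a list
                itemList = [fields[i:i + 11] for i in range(0, len(fields) - 1, 11)]  #every 11 items form one row

                with createDeletedFilesDb:
                    # `row`, not `list`: the original shadowed the builtin.
                    for row in itemList:
                        insertDeletedFiles = tuple(row) + (fileName,)
                        connectdb.insertDeletedFiles(createDeletedFilesDb, insertDeletedFiles)  #inserts all deleted files info into Deleted_Files.db
            wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))

            evidenceDetails = connectdb.select_evidence_details(conn)

            # NOTE(review): `self` is not defined in this function (its only
            # parameter is `lock`), so these four lines raise NameError as
            # written; every other frame reference above goes through
            # `mainFrame`. Left unchanged -- confirm which object owns auiNotebook.
            self.auiNotebook.DeletePage(0)
            self.auiNotebook.RemovePage(0)
            self.addAuiTab("Summary", evidenceDetails)
            self.recreateTree(caseDbPath)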