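def recreateTree(self, caseDbFile):
    """Rebuild the case tree control from the case database.

    The root item is the case name built from ``caseDetails``; under it a
    "Summary" branch lists every evidence image with its partitions plus the
    fixed "Timeline" / "Bookmarks" / "Search" items, and an "Analyzed Data"
    branch is populated from ``analyzedDataTree``, ``documentsTree`` and
    ``executablesTree``.

    Args:
        caseDbFile: path handed to ``connectdb.create_connection`` to open the
            case database.

    Side effects:
        Rebinds the module-level ``caseName``.  The control is frozen while it
        is rebuilt; ``Thaw`` now runs in a ``finally`` so a failing database
        query can no longer leave the tree frozen.
    """
    global caseName
    tree = self.tree_ctrl_1
    tree.Freeze()
    try:
        tree.DeleteAllItems()
        # Same convention as the rest of the file: iterate caseDetails, last
        # row wins.
        for row in caseDetails:
            caseName = str(row[2]) + "_" + row[3]
        root = tree.AddRoot(caseName)  # case name is the root item
        summary = tree.AppendItem(root, "Summary")

        conn = connectdb.create_connection(caseDbFile)  # case database
        # Rows: evidence name, EvidenceDbPath (the tsk database written when
        # the evidence was added), datetime and md5.
        evidenceInfo = connectdb.select_evidence_details(conn)
        for evidence in evidenceInfo:
            evidenceDbConn = connectdb.create_connection(evidence[2])  # tsk database
            evidenceDbInfo = connectdb.select_image_info(evidenceDbConn)
            evidencePart = connectdb.select_image_partitions(evidenceDbConn)
            count = 0  # partition counter runs across all images of one evidence row
            for image in evidenceDbInfo:
                imageItem = tree.AppendItem(summary, os.path.basename(image[0]))
                for part in evidencePart:
                    count += 1
                    # This label is the key addAuiTab compares tabName against;
                    # the trailing ")" is part of that key, so it is kept verbatim.
                    tree.AppendItem(
                        imageItem,
                        "Vol{count} {desc}: {start}-{end})".format(
                            count=count,
                            desc=str(part[2]),
                            start=str(part[0]),
                            end=str(part[1])))
        for label in ("Timeline", "Bookmarks", "Search"):
            tree.AppendItem(summary, label)

        analyzedData = tree.AppendItem(root, "Analyzed Data")
        for label in analyzedDataTree:
            tree.AppendItem(analyzedData, label)
        docTree = tree.AppendItem(analyzedData, "Documents")
        for label in documentsTree:
            tree.AppendItem(docTree, label)
        exeTree = tree.AppendItem(analyzedData, "Executables")
        for label in executablesTree:
            tree.AppendItem(exeTree, label)
        tree.ExpandAll()
    finally:
        tree.Thaw()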
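def addAuiTab(self, tabName, evidenceDetails):
    """Open the AUI notebook page that belongs to ``tabName``.

    ``tabName`` is compared, in order, with "Summary", "Deleted files",
    "Bookmarks", every entry of ``analyzedDataTree`` / ``documentsTree`` /
    ``executablesTree`` and finally the "Vol…" partition labels built from the
    tsk databases listed in ``evidenceDetails``.  The checks are independent,
    so a name that occurs in several lists opens several pages, as before.

    Args:
        tabName: page title; also the key that selects the panel class.
        evidenceDetails: rows from ``connectdb.select_evidence_details``; the
            third column is the path of the evidence's tsk database.

    Side effects:
        Rebinds module-level ``caseDir`` from ``caseDetails`` and sets
        ``mainFrame._dialog`` while a page is being built.
    """
    global caseDir
    for row in caseDetails:
        caseDir = row[4]

    notebook = self.auiNotebook

    def add_with_loading(make_panel):
        # This variant keeps the progress dialog on mainFrame (other
        # variants in the file use self._dialog).  The panel is built only
        # after the dialog is shown so the slow constructor has feedback.
        mainFrame._dialog = wx.ProgressDialog(
            "Loading", "Loading {tabName}".format(tabName=tabName), 100)
        LoadingDialog(mainFrame._dialog)
        notebook.AddPage(make_panel(), tabName, False, wx.NullBitmap)
        LoadingDialog.endLoadingDialog(self)

    def analyzed_panel():
        return AnalyzedDataTab.TabPanel(
            notebook, tabName, evidenceDetails, caseDir, caseDbPath)

    if tabName == "Summary":
        notebook.AddPage(
            SummaryTab.TabPanel(notebook, caseDetails, evidenceDetails),
            tabName, False, wx.NullBitmap)
    if tabName == "Deleted files":
        add_with_loading(
            lambda: DeletedFilesTab.TabPanel(notebook, tabName, caseDir))
    if tabName == "Bookmarks":
        add_with_loading(analyzed_panel)
    for name in analyzedDataTree:
        if tabName == name and tabName != "Deleted files":
            add_with_loading(analyzed_panel)
    for name in documentsTree:
        if tabName == name:
            add_with_loading(analyzed_panel)
    for name in executablesTree:
        if tabName == name:
            add_with_loading(analyzed_panel)

    # Partition pages: the label must equal the one recreateTree builds,
    # trailing ")" included.  The unused select_image_info query that the
    # original ran per evidence row was dropped.
    for evidence in evidenceDetails:
        evidenceDbConn = connectdb.create_connection(evidence[2])  # tsk database
        evidencePart = connectdb.select_image_partitions(evidenceDbConn)
        for count, part in enumerate(evidencePart, start=1):
            label = "Vol{count} {desc}: {start}-{end})".format(
                count=count,
                desc=str(part[2]),
                start=str(part[0]),
                end=str(part[1]))
            if tabName == label:
                add_with_loading(analyzed_panel)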
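def onAddEvidence(self, event):
    """Import a user-selected ``.dd`` image into the currently open case.

    When no case is open (``caseDetails`` is undefined) a message box is shown
    and nothing else happens.  Otherwise:

    1. ask for a ``*.dd`` file (a cancelled dialog is a no-op);
    2. run ``tsk_loaddb`` to build ``<caseDir>/Evidence_Database/<image>.db``;
    3. on success record name, tsk-db path, timestamp and MD5 in the case
       database, start ``tsk_recover`` in the background for every allocated
       partition and store the ``fls -rFdl`` listing of deleted files in
       ``Deleted_Files.db``;
    4. rebuild the Summary page and the case tree.

    Args:
        event: wx event; unused.

    Side effects:
        Rebinds module-level ``caseDir``, ``caseDbPath`` and ``evidenceDetails``;
        creates directories and databases under ``caseDir``; spawns Sleuth Kit
        processes.  All external commands receive argument lists, never a shell
        string, because the image path is user-chosen.
    """
    global caseDir, caseDbPath, evidenceDetails
    try:
        caseDetails
    except NameError:
        wx.MessageBox('Case not opened!', ' ', wx.OK | wx.ICON_INFORMATION)
        print("Case not opened")
        return

    openFileDialog = wx.FileDialog(
        self, "Open", "", "", "*.dd",  # only .dd images are selectable
        wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
    try:
        if openFileDialog.ShowModal() == wx.ID_CANCEL:
            return  # user backed out; nothing to import
        evidencePath = openFileDialog.GetPath()
    finally:
        openFileDialog.Destroy()

    fileName = os.path.basename(evidencePath)
    for row in caseDetails:
        caseDir = row[4]  # case directory
        caseDbPath = row[5]  # case database path
    evidenceDbDir = Path(caseDir) / "Evidence_Database"
    if not evidenceDbDir.is_dir():
        os.mkdir(str(evidenceDbDir))
    if fileName == "":
        return

    evidenceDbPath = str(evidenceDbDir / (fileName + ".db"))
    self._dialog = wx.ProgressDialog(
        "Adding evidence", "Creating database for '{s}'".format(s=fileName), 100)
    LoadingDialog(self._dialog)
    load_db = subprocess.call(["tsk_loaddb", "-d", evidenceDbPath, evidencePath])
    LoadingDialog.endLoadingDialog(self)
    if load_db != 0:
        return  # tsk_loaddb failed; nothing is recorded for this image

    conn = connectdb.create_connection(caseDbPath)
    with conn:
        # MD5 of the image, read in 4 KiB blocks.  MD5 is what the EvidenceInfo
        # table stores; the file handle is now closed on every path.
        md5_hash = hashlib.md5()
        with open(evidencePath, 'rb') as image:
            for byte_block in iter(lambda: image.read(4096), b""):
                md5_hash.update(byte_block)
        evidenceMd5 = md5_hash.hexdigest()
        insertEvidence = (
            1,
            fileName,
            evidenceDbPath,
            datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
            evidenceMd5,
        )
        connectdb.insertEvidenceDetails(conn, insertEvidence)

        evidenceConn = connectdb.create_connection(evidenceDbPath)  # tsk database
        evidencePart = connectdb.select_image_partitions(evidenceConn)

        # Deleted_Files.db is created with its table on first use; the
        # existence check runs before the connection so a fresh file is
        # recognised as new.
        deletedFilesDbPath = str(evidenceDbDir / "Deleted_Files.db")
        tableMissing = not Path(deletedFilesDbPath).is_file()
        createDeletedFilesDb = connectdb.create_connection(deletedFilesDbPath)
        if tableMissing:
            deletedFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
            connectdb.createTable(createDeletedFilesDb, deletedFilesTable)

        extractDir = caseDir + "/Extracted/" + fileName
        for part in evidencePart:
            if part[2] == "Unallocated":
                continue
            offset = str(part[0])
            # Background recovery of this partition's files.
            subprocess.Popen(
                ["tsk_recover", "-e", "-o", offset, evidencePath, extractDir])
            # Listing of deleted files.  Argument list instead of shell=True:
            # a path containing shell metacharacters must not reach /bin/sh.
            listing = subprocess.run(
                ["fls", "-rFdl", "-o", offset, evidencePath],
                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            output = listing.stdout.decode()
            # The " * " deleted-entry marker is space-delimited while the rest
            # of the -l output is tab-delimited; normalise it, then flatten the
            # lines so every 11 fields form one record.
            chk = re.sub(r'[ ]\*[ ]', '\t*\t', output)
            chk = chk.replace('\n', '\t')
            fields = chk.split('\t')
            # len - 1 drops the empty element after the final '\t'
            records = [fields[k:k + 11] for k in range(0, len(fields) - 1, 11)]
            with createDeletedFilesDb:
                for record in records:
                    if len(record) != 11:
                        # the original raised IndexError here; fail loudly
                        # rather than store a truncated record
                        raise ValueError(
                            "unexpected fls output for '{file}'".format(file=fileName))
                    insertDeletedFiles = tuple(record) + (fileName,)
                    connectdb.insertDeletedFiles(createDeletedFilesDb, insertDeletedFiles)

        wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))
        evidenceDetails = connectdb.select_evidence_details(conn)

    # Refresh after the `with conn` block so the inserted row is committed
    # before recreateTree opens its own connection to the case database.
    self.auiNotebook.DeletePage(0)
    self.auiNotebook.RemovePage(0)
    self.addAuiTab("Summary", evidenceDetails)
    self.recreateTree(caseDbPath)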
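def addAuiTab(self, tabName, evidenceDetails):
    """Open the AUI notebook page that belongs to ``tabName``.

    "Summary", "File", "Images", "Sessions", "DNS" and "Credentials" map to
    the ``TabPanel`` of the module of the same name and are built from
    ``caseDetails`` / ``evidenceDetails``.  "Bookmarks" and the "Vol…" partition
    labels (built from the tsk databases in ``evidenceDetails``, matching the
    labels recreateTree produces) open an ``AnalyzedDataTab`` behind a
    progress dialog.

    Args:
        tabName: page title; also the key that selects the panel class.
        evidenceDetails: rows from ``connectdb.select_evidence_details``; the
            third column is the path of the evidence's tsk database.

    Side effects:
        Rebinds module-level ``caseDir`` from ``caseDetails`` and sets
        ``self._dialog`` while an analyzed-data page is being built.
    """
    global caseDir
    for row in caseDetails:
        caseDir = row[4]

    notebook = self.auiNotebook

    # Pages that need no progress dialog, keyed by tab name.
    simplePanels = {
        "Summary": SummaryTab,
        "File": FileTab,
        "Images": ImagesTab,
        "Sessions": SessionsTab,
        "DNS": DNSTab,
        "Credentials": CredentialsTab,
    }
    module = simplePanels.get(tabName)
    if module is not None:
        notebook.AddPage(
            module.TabPanel(notebook, caseDetails, evidenceDetails),
            tabName, False, wx.NullBitmap)

    def add_analyzed_with_loading():
        # Dialog first, panel second: the panel constructor is the slow part.
        self._dialog = wx.ProgressDialog(
            "Loading", "Loading {tabName}".format(tabName=tabName), 100)
        LoadingDialog(self._dialog)
        notebook.AddPage(
            AnalyzedDataTab.TabPanel(
                notebook, tabName, evidenceDetails, caseDir, caseDbPath),
            tabName, False, wx.NullBitmap)
        LoadingDialog.endLoadingDialog(self)

    if tabName == "Bookmarks":
        add_analyzed_with_loading()

    # Partition pages.  The unused select_image_info query the original ran
    # for every evidence row was dropped.
    for evidence in evidenceDetails:
        evidenceDbConn = connectdb.create_connection(evidence[2])  # tsk database
        evidencePart = connectdb.select_image_partitions(evidenceDbConn)
        for count, part in enumerate(evidencePart, start=1):
            # trailing ")" is part of the label recreateTree builds
            label = "Vol{count} {desc}: {start}-{end})".format(
                count=count,
                desc=str(part[2]),
                start=str(part[0]),
                end=str(part[1]))
            if tabName == label:
                add_analyzed_with_loading()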
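def runddfile(lock):
    """Import the image named by the module globals ``fileName`` and
    ``evidencePath`` into the open case; thread entry point serialised by
    ``lock``.

    Mirrors ``onAddEvidence``: run ``tsk_loaddb``, record the evidence (with
    its MD5) in the case database, start ``tsk_recover`` per allocated
    partition, store the ``fls -rFdl`` listing of deleted files in
    ``Deleted_Files.db`` and refresh the Summary page and case tree.

    Args:
        lock: lock object supporting the context-manager protocol; held for
            the whole import and now released on every exit path.

    Side effects:
        Rebinds module-level ``evidenceDetails``; creates directories and
        databases under the case directory; spawns Sleuth Kit processes with
        argument lists (no shell) because the image path is user supplied;
        drives ``mainFrame``'s progress dialog and notebook.
    """
    import hashlib  # local: this variant of the file may not import it at top

    global fileName, evidencePath, evidenceDetails
    with lock:
        for row in caseDetails:
            caseDir = row[4]  # case directory
            caseDbPath = row[5]  # case database path
        evidenceDbDir = Path(caseDir) / "Evidence_Database"
        if not evidenceDbDir.is_dir():
            os.mkdir(str(evidenceDbDir))
        if fileName == "":
            return

        evidenceDbPath = str(evidenceDbDir / (fileName + ".db"))
        mainFrame._dialog = wx.ProgressDialog(
            "Adding evidence", "Creating database for '{s}'".format(s=fileName), 100)
        LoadingDialog(mainFrame._dialog)
        load_db = subprocess.call(["tsk_loaddb", "-d", evidenceDbPath, evidencePath])
        LoadingDialog.endLoadingDialog(mainFrame)
        if load_db != 0:
            return  # tsk_loaddb failed; nothing is recorded

        conn = connectdb.create_connection(caseDbPath)
        with conn:
            # Hash computed the same way onAddEvidence does; the original
            # stored the literal string "None" as the evidence MD5.
            md5_hash = hashlib.md5()
            with open(evidencePath, 'rb') as image:
                for byte_block in iter(lambda: image.read(4096), b""):
                    md5_hash.update(byte_block)
            evidenceMd5 = md5_hash.hexdigest()
            insertEvidence = (
                1,
                fileName,
                evidenceDbPath,
                datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
                evidenceMd5,
            )
            connectdb.insertEvidenceDetails(conn, insertEvidence)

            evidenceConn = connectdb.create_connection(evidenceDbPath)  # tsk database
            evidencePart = connectdb.select_image_partitions(evidenceConn)

            # existence check before the connection so a fresh file is seen as new
            deletedFilesDbPath = str(evidenceDbDir / "Deleted_Files.db")
            tableMissing = not Path(deletedFilesDbPath).is_file()
            createDeletedFilesDb = connectdb.create_connection(deletedFilesDbPath)
            if tableMissing:
                deletedFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
                connectdb.createTable(createDeletedFilesDb, deletedFilesTable)

            extractDir = caseDir + "/Extracted/" + fileName
            for part in evidencePart:
                if part[2] == "Unallocated":
                    continue
                offset = str(part[0])
                subprocess.Popen(
                    ["tsk_recover", "-e", "-o", offset, evidencePath, extractDir])
                # argument list instead of shell=True: evidencePath is user-chosen
                listing = subprocess.run(
                    ["fls", "-rFdl", "-o", offset, evidencePath],
                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                output = listing.stdout.decode()
                # " * " deleted marker is space-delimited; make it tab-delimited
                # like the other columns, then flatten lines into 11-field records
                chk = re.sub(r'[ ]\*[ ]', '\t*\t', output)
                chk = chk.replace('\n', '\t')
                fields = chk.split('\t')
                records = [fields[k:k + 11] for k in range(0, len(fields) - 1, 11)]
                with createDeletedFilesDb:
                    for record in records:
                        if len(record) != 11:
                            # original raised IndexError; fail loudly instead
                            raise ValueError(
                                "unexpected fls output for '{file}'".format(file=fileName))
                        insertDeletedFiles = tuple(record) + (fileName,)
                        connectdb.insertDeletedFiles(createDeletedFilesDb, insertDeletedFiles)

            wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))
            evidenceDetails = connectdb.select_evidence_details(conn)

        # NOTE(review): the original called self.auiNotebook here, but `self`
        # is not defined in this function; mainFrame is the frame object the
        # function already uses for its progress dialog — confirm.
        mainFrame.auiNotebook.DeletePage(0)
        mainFrame.auiNotebook.RemovePage(0)
        mainFrame.addAuiTab("Summary", evidenceDetails)
        mainFrame.recreateTree(caseDbPath)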
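def addAuiTab(self, tabName, evidenceDetails):
    """Open the AUI notebook page that belongs to ``tabName``.

    "Summary" is built directly; "File", "Sessions" and "DNS" open the pcap
    panels behind a progress dialog, and "File" / "Sessions" are then filled
    row by row from the case database via ``self.conn``; "Images", "Bookmarks"
    and the "Vol…" partition labels (matching the labels recreateTree builds
    from the tsk databases in ``evidenceDetails``) open an ``AnalyzedDataTab``.

    Args:
        tabName: page title; also the key that selects the panel class.
        evidenceDetails: rows from ``connectdb.select_evidence_details``; the
            third column is the path of the evidence's tsk database.

    Side effects:
        Rebinds module-level ``caseDir`` from ``caseDetails`` and sets
        ``self._dialog`` while a page is being built.  The hard-coded sample
        rows ``[1, "2", "3", ...]`` the original pushed into the File and
        Sessions pages before the real data were removed.
    """
    global caseDir
    for row in caseDetails:
        caseDir = row[4]

    notebook = self.auiNotebook

    def add_with_loading(make_panel):
        # Dialog first, panel second: the panel constructor is the slow part.
        self._dialog = wx.ProgressDialog(
            "Loading", "Loading {tabName}".format(tabName=tabName), 100)
        LoadingDialog(self._dialog)
        notebook.AddPage(make_panel(), tabName, False, wx.NullBitmap)
        LoadingDialog.endLoadingDialog(self)
        # the page just added is the last one
        return notebook.GetPage(notebook.GetPageCount() - 1)

    def analyzed_panel():
        return AnalyzedDataTab.TabPanel(
            notebook, tabName, evidenceDetails, caseDir, caseDbPath)

    def fill_from_db(select, add_row, window):
        # Rows are fetched one at a time by 1-based index until the query
        # returns () or None.
        index = 1
        while True:
            row = select(self.conn, index)
            if row is None or row == ():
                break
            add_row(window, row)
            index += 1

    if tabName == "Summary":
        notebook.AddPage(
            SummaryTab.TabPanel(notebook, caseDetails, evidenceDetails),
            tabName, False, wx.NullBitmap)
    if tabName == "File":
        window = add_with_loading(
            lambda: pcapFilesTab.TabPanel(notebook, tabName, caseDir))
        # row layout: [frameNumber, evidencePath, src_host_str, src_port,
        #              dst_host_str, dst_port, protocol, fileName, ext, size,
        #              timestamp]
        fill_from_db(connectdb.selectPcapEvidenceDetails,
                     pcapFilesTab.TabPanel.addPcapDetails, window)
    if tabName == "Images":
        add_with_loading(analyzed_panel)
    if tabName == "Sessions":
        window = add_with_loading(
            lambda: pcapSessionsTab.TabPanel(notebook, caseDir))
        # row layout: [Packet, timestamp, src_ip, dst_ip, request]
        fill_from_db(connectdb.selectPcapSessionsDetails,
                     pcapSessionsTab.TabPanel.addSessionsDetails, window)
    if tabName == "DNS":
        add_with_loading(lambda: pcapDNSTab.TabPanel(notebook, caseDir))
    if tabName == "Bookmarks":
        add_with_loading(analyzed_panel)

    # Partition pages.  The unused select_image_info query the original ran
    # for every evidence row was dropped.
    for evidence in evidenceDetails:
        evidenceDbConn = connectdb.create_connection(evidence[2])  # tsk database
        evidencePart = connectdb.select_image_partitions(evidenceDbConn)
        for count, part in enumerate(evidencePart, start=1):
            # trailing ")" is part of the label recreateTree builds
            label = "Vol{count} {desc}: {start}-{end})".format(
                count=count,
                desc=str(part[2]),
                start=str(part[0]),
                end=str(part[1]))
            if tabName == label:
                add_with_loading(analyzed_panel)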