def main():
store = forensicstore.connect(".")
items = list(store.select(sys.argv[1]))
results = transform(store, items, sys.argv[1], sys.argv[2:])
for result in results:
store.insert(result)
store.close()
def test_docker(data):
client = docker.from_env()
# build image
image_tag = "test_docker"
image, _ = client.images.build(path="docker/process/plaso/", tag=image_tag)
# run image
store_path = os.path.abspath(
os.path.join(data, "data", "example1.forensicstore"))
store_path_unix = store_path
if store_path[1] == ":":
store_path_unix = "/" + store_path.lower()[0] + store_path[2:].replace(
"\\", "/")
volumes = {store_path_unix: {'bind': '/store', 'mode': 'rw'}}
# plugin_dir: {'bind': '/plugins', 'mode': 'ro'}
output = client.containers.run(
image_tag,
command=["--filter", "artifact=WindowsDeviceSetup"],
volumes=volumes,
stderr=True)
print(output)
# test results
store = forensicstore.connect(store_path)
items = list(store.select("event"))
store.close()
assert len(items) == 69
# cleanup
try:
shutil.rmtree(data)
except PermissionError:
pass
def test_add_process_item(self, out_dir, data):
store = forensicstore.connect(out_dir + "/iptables.forensicstore")
cmd_date = datetime.datetime(2016, 1, 20, 14, 11, 25, 550000)
cmd = store.add_process_item("IPTablesRules", "iptables", cmd_date,
"/root/", ["-L", "-n", "-v"],
"/sbin/iptables -L -n -v", 0, [])
with store.add_process_item_stdout(
cmd) as stdout, store.add_process_item_stderr(cmd) as stderr:
stdout.write(b"foo")
stderr.write(b"bar")
items = store.all()
first = list(items).pop()
del first["uid"]
assert first == EXAMPLE_FORENSICSTORE[0]
with open(out_dir + "/iptables.forensicstore/IPTablesRules/stdout",
'rb') as io:
assert io.read() == b"foo"
with open(out_dir + "/iptables.forensicstore/IPTablesRules/stderr",
'rb') as io:
assert io.read() == b"bar"
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_add_file_item(self, out_dir, data):
store = forensicstore.connect(out_dir + "/amcache.forensicstore")
file_date = datetime.datetime(2014, 9, 11, 21, 50, 18, 301000)
origin = {
"path": "C:\\Windows\\appcompat\\Programs\\Amcache.hve",
"volume": "2"
}
file = store.add_file_item("WindowsAMCacheHveFile", "Amcache.hve",
file_date, file_date, file_date, origin, [])
with store.add_file_item_export(file) as export:
export.write(123 * b'A')
items = store.all()
first = list(items).pop()
del first["uid"]
assert first == EXAMPLE_FORENSICSTORE[2]
with open(
out_dir +
"/amcache.forensicstore/WindowsAMCacheHveFile/Amcache.hve",
'rb') as io:
assert io.read() == 123 * b'A'
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_parse(self, out_dir, data):
store = forensicstore.connect(out_dir + "/parse.forensicstore")
store.import_stix(data + "/json/example1.json")
file = store.select(
"file",
[{
"origin.path": "C:\\Windows\\appcompat\\Programs\\Amcache.hve"
}])
assert list(
file)[0]["hashes"]["MD5"] == "9b573b2e4c4b91558f6afd65262a6fb9"
reg_key = list(
store.select("windows-registry-key", [{
"key":
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CodePage'
}]))
assert reg_key[0]["values"][0]["data"] == '1252'
store.export_stix(out_dir + "/stix.json")
with open(out_dir + "/stix.json") as io:
objects = list(json.load(io)["objects"].values())
for obj in objects:
del obj["uid"]
assert sorted(objects, key=lambda k: k['artifact']) == sorted(
EXAMPLE_FORENSICSTORE, key=lambda k: k['artifact'])
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def main():
parser = argparse.ArgumentParser(description='parse key pairs into a dictionary')
parser.add_argument("--filter", dest="filter", action=StoreDictKeyPair, metavar="type=file,name=System.evtx...")
args, _ = parser.parse_known_args(sys.argv[1:])
if args.filter is None:
LOGGER.warning("requires a filter to be set")
sys.exit(1)
store = forensicstore.connect(".")
files = []
selected = list(store.select("file", args.filter))
for item in selected:
if "export_path" in item and os.path.exists(item["export_path"]):
files.append(item["export_path"])
store.close()
os.makedirs("Plaso", exist_ok=True)
for file in files:
subprocess.run(
["log2timeline.py", "--status_view", "none", "--logfile", "test.log", "Plaso/events.plaso", file],
check=True
)
# TODO: add logfile to forensicstore
subprocess.run(
["psort.py", "--status_view", "none", "-o", "forensicstore", "-w", "/store/", "Plaso/events.plaso"],
check=True
)
def main():
store = forensicstore.connect(".")
items = list(store.select(sys.argv[1], combined_conditions(None)))
result = transform(store, items, sys.argv[2])
if result:
store.insert(result)
store.close()
def main():
store = forensicstore.connect(".")
usb_usage_data = USBForensicStoreExtractor(store).get_usb_usage_data()
for result in usb_usage_data:
result["type"] = "usb-device"
store.insert(result)
store.close()
def test_init_create(self, out_dir, data):
store = forensicstore.connect(out_dir + "/init_create.forensicstore")
store.close()
assert os.path.exists(out_dir + "/init_create.forensicstore/item.db")
# print(out_dir + "/init_create.forensicstore/item.db") created empty table
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_add_item_with_empty_value(self, out_dir, data):
store = forensicstore.connect(out_dir + "/invalid.forensicstore")
with pytest.raises(TypeError):
store.insert({"type": "file", "name": "foo.txt", "ctime": ""})
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_add_invalid_item(self, out_dir, data):
store = forensicstore.connect(out_dir + "/invalid.forensicstore")
with pytest.raises(TypeError):
store.insert({"type": "file", "foo": "bar"})
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_invalid_json(self, out_dir, data):
store = forensicstore.connect(out_dir + "/invalid.forensicstore")
errors, _ = store.validate_item({"type": "file", "foo": "bar"})
assert len(errors) == 1
assert "Failed validating" in errors[0]
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_import_store(self, out_dir, data):
import_store = forensicstore.connect(out_dir +
"/tmp/tmp.forensicstore")
file_date = datetime.datetime(2014, 9, 11, 21, 50, 18, 301000)
origin = {
"path": "C:\\Windows\\appcompat\\Programs\\Amcache.hve",
"volume": "2"
}
file1 = import_store.add_file_item("WindowsAMCacheHveFile",
"Amcache.hve", file_date, file_date,
file_date, origin, [])
with import_store.add_file_item_export(file1) as export:
export.write(123 * b'A')
import_store.close()
store = forensicstore.connect(out_dir +
"/amcache/amcache.forensicstore")
file1 = store.add_file_item("WindowsAMCacheHveFile", "Amcache.hve",
file_date, file_date, file_date, origin,
[])
with store.add_file_item_export(file1) as export:
export.write(123 * b'B')
store.import_forensicstore(out_dir + "/tmp/tmp.forensicstore")
items = store.all()
assert len(list(items)) == 2
with open(
out_dir +
"/amcache/amcache.forensicstore/WindowsAMCacheHveFile/Amcache.hve",
'rb') as io:
assert io.read() == 123 * b'B'
with open(
out_dir +
"/amcache/amcache.forensicstore/WindowsAMCacheHveFile/Amcache_0.hve",
'rb') as io:
assert io.read() == 123 * b'A'
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def main():
store = forensicstore.connect(".")
conditions = [{
'key':
"HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Services\\%"
}]
items = list(
store.select("windows-registry-key", combined_conditions(conditions)))
results = transform(items)
for result in results:
store.insert(result)
store.close()
def test_parent_file(self, out_dir, data):
store = forensicstore.connect(out_dir + "/missing_file.forensicstore")
store.insert({"type": "foo", "foo_path": "../bar"})
errors = store.validate()
assert len(errors) == 1
assert errors[0] == "'..' in ../bar"
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def Open(self):
"""Connects to the database and creates the required tables.
Raises:
IOError: if the specified output file already exists.
OSError: if the specified output file already exists.
ValueError: if the filename is not set.
"""
if not self._filename:
raise ValueError('Missing filename.')
self._store = forensicstore.connect(self._filename)
def test_networking(data):
cwd = os.getcwd()
os.chdir(os.path.join(data, "data", "example1.forensicstore"))
main()
store = forensicstore.connect(os.path.join(data, "data", "example1.forensicstore"))
items = list(store.select("known_network"))
store.close()
assert len(items) == 9
os.chdir(cwd)
shutil.rmtree(data)
def main():
store = forensicstore.connect(".")
conditions = [{
'key':
"HKEY_LOCAL_MACHINE\\System\\%ControlSet%\\Control\\Session Manager\\AppCompat%"
}]
items = store.select("windows-registry-key",
combined_conditions(conditions))
for item in items:
results = transform(item)
for result in results:
store.insert(result)
store.close()
def test_add_directory_item(self, out_dir, data):
store = forensicstore.connect(out_dir + "/program_files.forensicstore")
dir_date = datetime.datetime(2014, 9, 11, 21, 50, 18, 301000)
store.add_directory_item("WindowsEnvironmentVariableProgramFiles", "C:\\Program Files", dir_date, dir_date,
dir_date, [])
items = store.all()
first = list(items).pop()
del first["id"]
assert first == EXAMPLE_FORENSICSTORE[3]
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_runkeys(data):
cwd = os.getcwd()
os.chdir(os.path.join(data, "data", "example1.forensicstore"))
main()
store = forensicstore.connect(os.path.join(data, "data", "example1.forensicstore"))
items = list(store.select("runkey"))
store.close()
assert len(items) == 10
os.chdir(cwd)
shutil.rmtree(data)
def test_wrong_size(self, out_dir, data):
store = forensicstore.connect(out_dir + "/wrong_size.forensicstore")
with store.store_file("bar") as (path, io):
io.write(b'b')
store.insert({"type": "foo", "foo_path": "bar", "size": 2})
errors = store.validate()
assert len(errors) == 1
assert errors[0] == "wrong size for bar"
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_additional_file(self, out_dir, data):
store = forensicstore.connect(out_dir +
"/additional_file.forensicstore")
with store.store_file("bar") as (path, io):
io.write(b'b')
errors = store.validate()
assert len(errors) == 1
assert errors[0] == "additional files: ('/bar')"
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_software(data):
cwd = os.getcwd()
os.chdir(os.path.join(data, "data", "example1.forensicstore"))
main()
store = forensicstore.connect(
os.path.join(data, "data", "example1.forensicstore"))
items = list(store.select("uninstall_entry"))
store.close()
assert len(items) == 6
os.chdir(cwd)
shutil.rmtree(data)
def main():
store = forensicstore.connect(".")
conditions = [{
'key':
r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%"
}, {
'key':
r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Services\Tcpip\Parameters\Interfaces\%"
}]
items = store.select("windows-registry-key",
combined_conditions(conditions))
for result in transform(items):
store.insert(result)
store.close()
def test_add_registry_key_item(self, out_dir, data):
store = forensicstore.connect(out_dir + "/codepage.forensicstore")
key_date = datetime.datetime(2009, 7, 14, 4, 34, 14, 225000)
key = store.add_registry_key_item("WindowsCodePage", key_date,
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CodePage", [])
store.add_registry_value_item(key, "REG_SZ", "1252".encode("utf-16"), "ACP")
items = store.all()
first = list(items).pop()
del first["id"]
assert first == EXAMPLE_FORENSICSTORE[5]
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_add_item_with_none_value(self, out_dir, data):
store = forensicstore.connect(out_dir + "/invalid.forensicstore")
file_id = store.insert({
"type": "file",
"name": "foo.txt",
"created": None
})
item = store.get(file_id)
assert "created" not in item
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def main():
store = forensicstore.connect(".")
conditions = [{
'key':
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%"
}, {
'key':
"HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%"
}]
items = list(
store.select("windows-registry-key", combined_conditions(conditions)))
for item in items:
results = transform(item)
for result in results:
store.insert(result)
store.close()
def main():
store = forensicstore.connect(".")
hklmsw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
conditions = [{
'key':
hklmsw +
"Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\%"
}, {
'key': hklmsw + "WOW6432Node\\Microsoft\\Updates\\%\\%"
}, {
'key': hklmsw + "Microsoft\\Updates\\%\\%"
}]
for item in store.select("windows-registry-key",
combined_conditions(conditions)):
results = transform(item)
for result in results:
store.insert(result)
store.close()
def test_wrong_hash(self, out_dir, data):
store = forensicstore.connect(out_dir + "/wrong_hash.forensicstore")
with store.store_file("bar") as (path, io):
io.write(b'b')
store.insert({
"type": "foo",
"foo_path": "bar",
"hashes": {
"MD5": "beef"
}
})
errors = store.validate()
assert len(errors) == 1
assert errors[0] == "hashvalue mismatch MD5 for bar"
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_docker(data):
client = docker.from_env()
# build image
image_tag = "test_artifacts"
image, _ = client.images.build(path="docker/imports/artifacts/",
tag=image_tag)
# run image
store_path = os.path.abspath(os.path.join(data, "example.forensicstore"))
store_path_unix = to_unix_path(store_path)
import_path = os.path.abspath(os.path.join(data, "data", "win10_mock.vhd"))
import_path_unix = to_unix_path(import_path)
volumes = {
store_path_unix: {
'bind': '/store',
'mode': 'rw'
},
import_path_unix: {
'bind': '/transit',
'mode': 'ro'
}
}
# plugin_dir: {'bind': '/plugins', 'mode': 'ro'}
client.containers.run(image_tag, volumes=volumes,
stderr=True).decode("ascii")
# test results
store = forensicstore.connect(store_path)
items = list(store.all())
store.close()
assert len(items) == 8
# cleanup
try:
shutil.rmtree(data)
except PermissionError:
pass
