def startUp(self, context): self.context = context #Show parameters that are passed in self.log(Level.INFO, "Username =====>" + str(self.userName)) self.log(Level.INFO, "password =====>" + str(self.password)) self.log(Level.INFO, "IP Address =====>" + str(self.IP_Address)) self.log(Level.INFO, "Port_Number =====>" + str(self.Port_Number)) self.log(Level.INFO, "Sketch Name =====> " + str(self.sketchName)) self.log(Level.INFO, "sketch Description =====> " + str(self.sketchDescription)) # Check to see if the file to execute exists, if it does not then raise an exception and log error # data is taken from the UI if PlatformUtil.isWindowsOS(): self.path_to_Timesketch_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "timesketch_autopsy.exe") if not os.path.exists(self.path_to_Timesketch_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_Timesketch_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Timesketch_Autopsy") if not os.path.exists(self.path_to_Timesketch_exe): raise IngestModuleException("Linux Executable was not found in module folder") # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "amcache_parser.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'amcache_parser') if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux Executable was not found in module folder") if self.local_settings.getSetting('associateFileEntries') == 'true': self.List_Of_tables.append('associated_file_entries') if self.local_settings.getSetting('programEntries') == 'true': self.List_Of_tables.append('program_entries') if self.local_settings.getSetting('unassociatePrograms') == 'true': self.List_Of_tables.append('unassociated_programs') #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events)) self.log( Level.INFO, str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables))) # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "amcache_parser.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'amcache_parser') if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux Executable was not found in module folder") if self.local_settings.getSetting('associateFileEntries') =='true': self.List_Of_tables.append('associated_file_entries') if self.local_settings.getSetting('programEntries') == 'true': self.List_Of_tables.append('program_entries') if self.local_settings.getSetting('unassociatePrograms') == 'true': self.List_Of_tables.append('unassociated_programs') #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events)) self.log(Level.INFO, str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables))) # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context #Show parameters that are passed in if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "fseparser_v2.1.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "FSEParser_V2.1") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux Executable was not found in module folder") self.MacFSEvents_Executable = self.path_to_exe self.log(Level.INFO, "MacFSEvents Executable ==> " + self.MacFSEvents_Executable) # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "export_jl_ad.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "EXE was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'Export_JL_Ad') if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux Executable was not found in module folder") self.path_to_app_id_db = os.path.join( os.path.dirname(os.path.abspath(__file__)), "Jump_List_App_Ids.db3") # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "appxreg.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'Appxreg') if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux Executable was not found in module folder") pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "parse_prefetch.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'parse_prefetch') if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux Executable was not found in module folder")
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_Webcache.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'Export_Webcache') if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux Executable was not found in module folder")
def startUp(self, context): self.context = context if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "appxreg.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'Appxreg') if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux Executable was not found in module folder") pass
def checkExecutables(self): executableProgramsWindows = ['sysdiagnose-sys.exe','sysdiagnose-networkprefs.exe','sysdiagnose-networkinterfaces.exe', 'sysdiagnose-mobilecontainermanager.exe', \ 'sysdiagnose-mobilebackup.exe', 'sysdiagnose-mobileactivation.exe','sysdiagnose-wifi-plist.exe', 'sysdiagnose-wifi-icloud.exe', \ 'sysdiagnose-wifi-net.exe.', 'sysdiagnose-wifi-kml.exe', 'sysdiagnose-uuid2path.exe', 'sysdiagnose-net-ext-cache.exe', 'sysdiagnose-appconduit.exe', \ 'sysdiagnose-appupdates.exe'] executableProgramsFound = [] if PlatformUtil.isWindowsOS(): for executable in executableProgramsWindows: pathToExe = os.path.join( os.path.dirname(os.path.abspath(__file__)), executable) if not os.path.exists(pathToExe): self.log( Level.INFO, "iOS sysdiagnose Windows program " + pathToExe + " not found.") else: executableProgramsFound.append(pathToExe) else: for executable in executableProgramsWindows: pathToExe = os.path.join( os.path.dirname(os.path.abspath(__file__)), executable) if not os.path.exists(pathToExe): self.log( Level.INFO, "iOS sysdiagnose Linux program " + pathToExe + " not found.") else: executableProgramsFound.append(pathToExe) self.log(Level.INFO, "Programs to execute: " + str(executableProgramsFound)) return executableProgramsFound
def process(self, dataSource, progressBar): # we don't know how much work there will be progressBar.switchToIndeterminate() # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Verify we have a disk image and not a folder of files if not isinstance(dataSource, Image): self.log(Level.INFO, "Ignoring data source. Not an image") return IngestModule.ProcessResult.OK # Get disk image paths imagePaths = dataSource.getPaths() # We'll save our output to a file in the reports folder, named based on EXE and data source ID reportPath = os.path.join(Case.getCurrentCase().getCaseDirectory(), "Reports", "img_stat-" + str(dataSource.getId()) + ".txt") reportHandle = open(reportPath, 'w') # Run the EXE, saving output to the report # NOTE: we should really be checking for if the module has been # cancelled and then killing the process. self.log(Level.INFO, "Running program on data source") subprocess.Popen([self.path_to_exe, imagePaths[0]], stdout=reportHandle).communicate()[0] reportHandle.close() # Add the report to the case, so it shows up in the tree Case.getCurrentCase().addReport(reportPath, "Run EXE", "img_stat output") return IngestModule.ProcessResult.OK
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("EXE was not found in module folder") else: self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Export_EVTX") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux executable was not found in module folder") if self.local_settings.getSetting('All') == 'true': self.List_Of_Events.append('ALL') #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked") else: if self.local_settings.getSetting('Other') == 'true': #self.List_Of_Events.append('Other') Event_List = self.local_settings.getSetting('Eventids').split() self.log(Level.INFO, "Event List ==> " + str(Event_List)) for evt in Event_List: self.List_Of_Events.append(str(evt)) #self.Event_Id_List = "','".join(self.List_Of_Events) self.Event_Id_List = self.local_settings.getSetting('Eventids').replace(',','\',\'') self.Event_Id_List.replace(',','\',\'') # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("EXE was not found in module folder") else: self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Export_EVTX") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux executable was not found in module folder") if self.local_settings.getFlag(): self.List_Of_Events.append('ALL') #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked") else: if self.local_settings.getFlag4(): #self.List_Of_Events.append('Other') Event_List = self.local_settings.getArea().split() self.log(Level.INFO, "Event List ==> " + str(Event_List)) for evt in Event_List: self.List_Of_Events.append(str(evt)) #self.Event_Id_List = "','".join(self.List_Of_Events) self.Event_Id_List = self.local_settings.getArea().replace(',','\',\'') self.Event_Id_List.replace(',','\',\'') # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to executable based on where this script is run from. # Assumes executable is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.pathToExe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "export_esedb.exe") if not os.path.exists(self.pathToExe): raise IngestModuleException( "export_esedb.exe was not found in module folder") if not os.path.exists( os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_esedb_records.exe")): raise IngestModuleException( "export_esedb_records.exe was not found in module folder") else: self.pathToExe2 = os.path.dirname(os.path.abspath(__file__)) self.pathToExe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "export_esedb") if not os.path.exists(self.pathToExe): raise IngestModuleException( "export_esedb was not found in module folder") if not os.path.exists( os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_esedb_records")): raise IngestModuleException( "export_esedb_records was not found in module folder")
def startUp(self, context): self.context = context if PlatformUtil.isWindowsOS(): self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "leveldb-dump.exe") # self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "leveldb_Parser.exe") if not os.path.exists(self.pathToExe): raise IngestModuleException("fb_chat.exe was not found in module folder") else: pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "shimcache_parser.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Shimcache_parser") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux Executable was not found in module folder") # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_recentApps_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "show_ccm_recentlyusedapps.exe") if not os.path.exists(self.path_to_recentApps_exe): raise IngestModuleException("Windows executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_recentApps_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "show_CCM_RecentlyUsedApps") if not os.path.exists(self.path_to_recentApps_exe): raise IngestModuleException("Linux Executable was not found in module folder") # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def processEsedbFile(self, extractedFile, databaseFile): #self.log(Level.INFO, "Running program ==> " + self.pathToExe + " " + extractedFile + databaseFile) if PlatformUtil.isWindowsOS(): pipe = Popen([self.pathToExe, extractedFile, databaseFile], stdout=PIPE, stderr=PIPE) else: pipe = Popen([self.pathToExe, extractedFile, databaseFile, self.pathToExe2], stdout=PIPE, stderr=PIPE) outputFromRun = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + outputFromRun)
def startUp(self, context): self.context = context #Show parameters that are passed in if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "fseparser_v2.1.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "FSEParser_V2.1") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux Executable was not found in module folder") self.MacFSEvents_Executable = self.path_to_exe self.log(Level.INFO, "MacFSEvents Executable ==> " + self.MacFSEvents_Executable) # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Check if the arser for .evtx is in place - i.e., the export_evtx.exe if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe") if not os.path.exists(self.path_to_exe): # stop ingest module and return error raise IngestModuleException( "EXE was not found in module folder")
def startUp(self, context): self.context = context if self.local_settings.getSetting('Flag') == 'true': #self.List_Of_DBs.append('Other') DBs_List = self.local_settings.getSetting('plists').split(',') for DBs in DBs_List: self.List_Of_DBs.append(str(DBs).strip('\n').replace(' ','')) #self.logger.logp(Level.INFO, GUI_TestWithUI.__name__, "startUp", str(self.List_Of_Events)) self.log(Level.INFO, str(self.List_Of_DBs)) if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "plist2db.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'plist2db') if not os.path.exists(self.path_to_exe): raise IngestModuleException("Linux Executable was not found in module folder")
def startUp(self, context): self.context = context if not PlatformUtil.isWindowsOS(): raise IngestModuleException("Not running on Windows") self.EXE_PATH = os.path.join( os.path.dirname(os.path.abspath(__file__)), "w10-facemessenger.exe") if not os.path.exists(self.EXE_PATH): raise IngestModuleException( "w10-facemessenger.exe was not found in module folder") self.CSV_DELIMITER = "\x1E" # ASCII non-printing character 30 (Record Separator) self._startUpAttributeTypes()
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "export_SRUDB.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "EXE was not found in module folder") else: self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "Export_SRUDB") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux Executable was not found in module folder") if self.local_settings.getSetting('all') == 'true': self.List_Of_SRUDB.append('application_resource_usage') self.List_Of_SRUDB.append('energy_estimation_provider') self.List_Of_SRUDB.append('energy_usage_data') self.List_Of_SRUDB.append('network_connectivity') self.List_Of_SRUDB.append('network_usage') self.List_Of_SRUDB.append('windows_push_notification') #self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", "All Events CHecked") else: #self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", "No Boxes Checked") if self.local_settings.getSetting( 'application_resource_usage') == 'true': self.List_Of_SRUDB.append('application_resource_usage') if self.local_settings.getSetting( 'energy_estimation_provider') == 'true': self.List_Of_SRUDB.append('energy_estimation_provider') if self.local_settings.getSetting('energy_usage_data') == 'true': self.List_Of_SRUDB.append('energy_usage_data') if self.local_settings.getSetting( 'network_connectivity') == 'true': self.List_Of_SRUDB.append('network_connectivity') if self.local_settings.getSetting('network_usage') == 'true': self.List_Of_SRUDB.append('network_usage') if self.local_settings.getSetting( 'windows_push_notification') == 'true': self.List_Of_SRUDB.append('windows_push_notification') #self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", str(self.List_Of_Events)) self.log(Level.INFO, str(self.List_Of_SRUDB)) # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to executable based on where this script is run from. # Assumes executable is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "spotlight_parser.exe") if not os.path.exists(self.pathToExe): raise IngestModuleException("spotlight_parser.exe was not found in module folder") else: self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "spotlight_parser") if not os.path.exists(self.pathToExe): raise IngestModuleException("spotlight_parser was not found in module folder")
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts # Check what OS you are running from if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "samparse.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'Samparse') if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux Executable was not found in module folder") # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def processEsedbFile(self, extractedFile, databaseFile): #self.log(Level.INFO, "Running program ==> " + self.pathToExe + " " + extractedFile + databaseFile) if PlatformUtil.isWindowsOS(): pipe = Popen([self.pathToExe, extractedFile, databaseFile], stdout=PIPE, stderr=PIPE) else: pipe = Popen( [self.pathToExe, extractedFile, databaseFile, self.pathToExe2], stdout=PIPE, stderr=PIPE) outputFromRun = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + outputFromRun)
def process(self, dataSource, progressBar): # Set the ogress bar to an Indeterminate state for now progressBar.switchToIndeterminate() # Return if we're not running on a windows sytem if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Verify we have a disk image and not a folder of files if not isinstance(dataSource, Image): self.log(Level.INFO, "Ignoring data source. Not an image") return IngestModule.ProcessResult.OK # Get disk image paths imagePaths = dataSource.getPaths() # Save our output to a file in the reports folder # named based on EXE and data source ID reportFile = File(Case.getCurrentCase().getCaseDirectory() + "\\Reports" + "\\img_stat-" + str(dataSource.getId()) + ".txt") # Run the EXE, saving output to the report # Check if the ingest is terminated and # delete the incomplete report file self.log(Level.INFO, "Running program on data source") cmd = ArrayList() cmd.add(self.pathToEXE.toString()) cmd.add(imagePaths[0]) processBuilder = ProcessBuilder(cmd) processBuilder.redirectOutput(reportFile) ExecUtil.execute(processBuilder, DataSourceIngestModuleProcessTerminator(self.context)) # Add the report to the case, so it shows up in the tree if not self.context.dataSourceIngestIsCancelled(): Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE", "img_stat output") else: if reportFile.exists(): if not reportFile.delete(): self.log(LEVEL.warning, "Error deleting the incomplete report file") return IngestModule.ProcessResult.OK
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe_foremost = os.path.join(os.path.dirname(os.path.abspath(__file__)), "foremost.exe") if not os.path.exists(self.path_to_exe_foremost): raise IngestModuleException("Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe_foremost = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'foremost') if not os.path.exists(self.path_to_exe_foremost): raise IngestModuleException("Linux Executable was not found in module folder") if self.local_settings.getSetting('Default_Mime_Types') == 'true': self.List_Of_tables.append('Default_Mime_Types') if self.local_settings.getSetting('All_Mime_Types') == 'true': self.List_Of_tables.append('All_Mime_Types') if self.local_settings.getSetting('Include_Slack_Space') == 'true': self.List_Of_tables.append('Include_Slack_Space') #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events)) self.log(Level.INFO, str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables))) if "Default_Mime_Types" in self.List_Of_tables: self.mimeTypesToFind = ["application/octet-stream","application/x-sqlite3", "application/vnd.ms-excel.sheet.4", "application/x-msoffice","application/msword", "application/msoffice", "application/vnd.ms-excel", "application/vnd.ms-powerpoint" ] # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context if self.local_settings.getSetting('Flag') == 'true': #self.List_Of_DBs.append('Other') DBs_List = self.local_settings.getSetting('plists').split(',') for DBs in DBs_List: self.List_Of_DBs.append(str(DBs).strip('\n').replace(' ', '')) #self.logger.logp(Level.INFO, GUI_TestWithUI.__name__, "startUp", str(self.List_Of_Events)) self.log(Level.INFO, str(self.List_Of_DBs)) if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "plist2db.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Windows Executable was not found in module folder") elif PlatformUtil.getOSName() == 'Linux': self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'plist2db') if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux Executable was not found in module folder")
def process(self, dataSource, progressBar): # we don't know how much work there will be progressBar.switchToIndeterminate() # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Verify we have a disk image and not a folder of files if not isinstance(dataSource, Image): self.log(Level.INFO, "Ignoring data source. Not an image") return IngestModule.ProcessResult.OK # Get disk image paths imagePaths = dataSource.getPaths() # We'll save our output to a file in the reports folder, named based on EXE and data source ID reportFile = File(Case.getCurrentCase().getCaseDirectory() + "\\Reports" + "\\img_stat-" + str(dataSource.getId()) + ".txt") # Run the EXE, saving output to the report # Check if the ingest is terminated and delete the incomplete report file # Do not add report to the case tree if the ingest is cancelled before finish. # This can be done by using IngestJobContext.dataSourceIngestIsCancelled # See: http://sleuthkit.org/autopsy/docs/api-docs/4.7.0/_ingest_job_context_8java.html self.log(Level.INFO, "Running program on data source") cmd = ArrayList() cmd.add(self.pathToEXE.toString()) cmd.add(imagePaths[0]) processBuilder = ProcessBuilder(cmd) processBuilder.redirectOutput(reportFile) ExecUtil.execute(processBuilder, DataSourceIngestModuleProcessTerminator(self.context)) # Add the report to the case, so it shows up in the tree if not self.context.dataSourceIngestIsCancelled(): Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE", "img_stat output") else: if reportFile.exists(): if not reportFile.delete(): self.log(LEVEL.warning, "Error deleting the incomplete report file") return IngestModule.ProcessResult.OK
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "EXE was not found in module folder") else: self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "Export_EVTX") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux executable was not found in module folder") if self.local_settings.getFlag(): self.List_Of_Events.append('ALL') #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked") else: #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "No Boxes Checked") if self.local_settings.getFlag1(): self.List_Of_Events.append('Application.Evtx') if self.local_settings.getFlag2(): self.List_Of_Events.append('Security.Evtx') if self.local_settings.getFlag3(): self.List_Of_Events.append('System.Evtx') if self.local_settings.getFlag4(): self.List_Of_Events.append('Other') Event_List = self.local_settings.getArea().split() for evt in Event_List: self.List_Of_Events.append(str(evt)) #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events)) # self.log(Level.INFO, "List Of Events ==> " + str(self.List_Of_Events) + " <== Number of Events ==> " + str(len(self.List_Of_Events))) # if len(self.List_Of_Events) < 1: # message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ParseEvtx", " No Event Logs Selected to Parse " ) # IngestServices.getInstance().postMessage(message) # raise IngestModuleException("No Events were Selected") # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "extract_ad1.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Windows Executable was not found in module folder") self.sqlStatement = "select file_name, ad1_path_name, date_created, date_modified, date_accessed, md5_hash, sha1_hash from ad1_info where ad1_item_type = 0;" # Throw an IngestModule.IngestModuleException exception if there was a problem setting up #raise IngestModuleException(IngestModule(), "Oh No!") pass
def process(self, dataSource, progressBar): # we don't know how much work there will be progressBar.switchToIndeterminate() # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Verify we have a disk image and not a folder of files if not isinstance(dataSource, Image): self.log(Level.INFO, "Ignoring data source. Not an image") return IngestModule.ProcessResult.OK # Get disk image paths imagePaths = dataSource.getPaths() # We'll save our output to a file in the reports folder, named based on EXE and data source ID reportFile = File(Case.getCurrentCase().getCaseDirectory() + "\\Reports" + "\\img_stat-" + str(dataSource.getId()) + ".txt") # Run the EXE, saving output to the report # Check if the ingest is terminated and delete the incomplete report file # Do not add report to the case tree if the ingest is cancelled before finish. # This can be done by using IngestJobContext.dataSourceIngestIsCancelled # See: http://sleuthkit.org/autopsy/docs/api-docs/4.7.0/_ingest_job_context_8java.html self.log(Level.INFO, "Running program on data source") cmd = ArrayList() cmd.add(self.pathToEXE.toString()) cmd.add(imagePaths[0]) processBuilder = ProcessBuilder(cmd); processBuilder.redirectOutput(reportFile) ExecUtil.execute(processBuilder,DataSourceIngestModuleProcessTerminator(self.context)) # Add the report to the case, so it shows up in the tree if not self.context.dataSourceIngestIsCancelled(): Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE", "img_stat output") else: if reportFile.exists(): if not reportFile.delete(): self.log(LEVEL.warning,"Error deleting the incomplete report file") return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there will be progressBar.switchToIndeterminate() # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Verify we have a disk image and not a folder of files if not isinstance(dataSource, Image): self.log(Level.INFO, "Ignoring data source. Not an image") return IngestModule.ProcessResult.OK # Get disk image paths imagePaths = dataSource.getPaths() # We'll save our output to a file in the reports folder, named based on EXE and data source ID reportFile = File(Case.getCurrentCase().getCaseDirectory() + "\\Reports" + "\\img_stat-" + str(dataSource.getId()) + ".txt") # Run the EXE, saving output to reportFile # We use ExecUtil because it will deal with the user cancelling the job self.log(Level.INFO, "Running program on data source") cmd = ArrayList() cmd.add(self.pathToEXE.toString()) # Add each argument in its own line. I.e. "-f foo" would be two calls to .add() cmd.add(imagePaths[0]) processBuilder = ProcessBuilder(cmd); processBuilder.redirectOutput(reportFile) ExecUtil.execute(processBuilder, DataSourceIngestModuleProcessTerminator(self.context)) # Add the report to the case, so it shows up in the tree # Do not add report to the case tree if the ingest is cancelled before finish. if not self.context.dataSourceIngestIsCancelled(): Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE", "img_stat output") else: if reportFile.exists(): if not reportFile.delete(): self.log(LEVEL.warning,"Error deleting the incomplete report file") return IngestModule.ProcessResult.OK
def startUp(self, context): self.context = context # Get path to EXE based on where this script is run from. # Assumes EXE is in same folder as script # Verify it is there before any ingest starts if PlatformUtil.isWindowsOS(): self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "EXE was not found in module folder") else: self.path_to_exe = os.path.join( os.path.dirname(os.path.abspath(__file__)), "Export_EVTX") if not os.path.exists(self.path_to_exe): raise IngestModuleException( "Linux executable was not found in module folder") if self.local_settings.getSetting('All') == 'true': self.List_Of_Events.append('ALL') #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked") else: #self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "No Boxes Checked") if self.local_settings.getSetting('Application') == 'true': self.List_Of_Events.append('Application.Evtx') if self.local_settings.getSetting('Security') == 'true': self.List_Of_Events.append('Security.Evtx') if self.local_settings.getSetting('System') == 'true': self.List_Of_Events.append('System.Evtx') if self.local_settings.getSetting('Other') == 'true': self.List_Of_Events.append('Other') Event_List = self.local_settings.getSetting( 'EventLogs').split() for evt in Event_List: self.List_Of_Events.append(str(evt)) # Throw an IngestModule.IngestModuleException exception if there was a problem setting up # raise IngestModuleException(IngestModule(), "Oh No!") pass
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Check to see if the artifacts exist and if not then create it, also check to see if the attributes # exist and if not then create them skCase = Case.getCurrentCase().getSleuthkitCase(); # This will work in 4.0.1 and beyond # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() try: self.log(Level.INFO, "Begin Create New Artifacts") artID_cat1 = skCase.addArtifactType( "TSK_FH_CATALOG_1", "File History Catalog 1") except: self.log(Level.INFO, "Artifacts Creation Error, Catalog 1. ==> ") artID_cat1 = skCase.getArtifactTypeID("TSK_FH_CATALOG_1") try: self.log(Level.INFO, "Begin Create New Artifacts") artID_cat2 = skCase.addArtifactType( "TSK_FH_CATALOG_2", "File History Catalog 2") except: self.log(Level.INFO, "Artifacts Creation Error, Catalog 2. ==> ") artID_cat2 = skCase.getArtifactTypeID("TSK_FH_CATALOG_2") # Create the attribute type, if it exists then catch the error try: attID_fh_pn = skCase.addArtifactAttributeType('TSK_FH_PATH', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Parent Path") except: self.log(Level.INFO, "Attributes Creation Error, Prefetch Parent Path. ==> ") try: attID_fh_fn = skCase.addArtifactAttributeType('TSK_FH_FILE_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Name") except: self.log(Level.INFO, "Attributes Creation Error, File Name. ==> ") try: attID_fh_fs = skCase.addArtifactAttributeType('TSK_FH_FILE_SIZE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Size") except: self.log(Level.INFO, "Attributes Creation Error, File Size. ==> ") try: attID_fh_usn = skCase.addArtifactAttributeType('TSK_FH_USN_JOURNAL_ENTRY', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "USN Journal Entry") except: self.log(Level.INFO, "Attributes Creation Error, USN Journal Entry. ==> ") try: attID_fh_fc = skCase.addArtifactAttributeType('TSK_FH_FILE_CREATED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "File Created") except: self.log(Level.INFO, "Attributes Creation Error, File Created. ==> ") try: attID_fh_fm = skCase.addArtifactAttributeType('TSK_FH_FILE_MODIFIED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "File Modified") except: self.log(Level.INFO, "Attributes Creation Error, PF Execution DTTM 3. ==> ") try: attID_fh_bq = skCase.addArtifactAttributeType('TSK_FH_BACKUP_QUEUED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Queued") except: self.log(Level.INFO, "Attributes Creation Error, Backup Queued ==> ") try: attID_fh_bc = skCase.addArtifactAttributeType('TSK_FH_BACKUP_CREATED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Created") except: self.log(Level.INFO, "Attributes Creation Error, Backup Created ==> ") try: attID_fh_bcp = skCase.addArtifactAttributeType('TSK_FH_BACKUP_CAPTURED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Captured") except: self.log(Level.INFO, "Attributes Creation Error, Backup Captured. ==> ") try: attID_fh_bu = skCase.addArtifactAttributeType('TSK_FH_BACKUP_UPDATED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Updated") except: self.log(Level.INFO, "Attributes Creation Error, Backup Updated. ==> ") try: attID_fh_bv = skCase.addArtifactAttributeType('TSK_FH_BACKUP_VISIBLE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Visible") except: self.log(Level.INFO, "Attributes Creation Error, Backup Visible ==> ") self.log(Level.INFO, "Get Artifacts after they were created.") # Get the new artifacts and attributes that were just created #artID_wfh = skCase.getArtifactTypeID("TSK_PREFETCH") #artID_cat1 = skCase.getArtifactType("TSK_FH_CATALOG_1") #artID_cat2 = skCase.getArtifactType("TSK_FH_CATALOG_2") attID_fh_pn = skCase.getAttributeType("TSK_FH_PATH") attID_fh_fn = skCase.getAttributeType("TSK_FH_FILE_NAME") attID_fh_fs = skCase.getAttributeType("TSK_FH_FILE_SIZE") attID_fh_usn = skCase.getAttributeType("TSK_FH_USN_JOURNAL_ENTRY") attID_fh_fc = skCase.getAttributeType("TSK_FH_FILE_CREATED") attID_fh_fm = skCase.getAttributeType("TSK_FH_FILE_MODIFIED") attID_fh_bq = skCase.getAttributeType("TSK_FH_BACKUP_QUEUED") attID_fh_bc = skCase.getAttributeType("TSK_FH_BACKUP_CREATED") attID_fh_bcp = skCase.getAttributeType("TSK_FH_BACKUP_CAPTURED") attID_fh_bu = skCase.getAttributeType("TSK_FH_BACKUP_UPDATED") attID_fh_bv = skCase.getAttributeType("TSK_FH_BACKUP_VISIBLE") # we don't know how much work there is yet progressBar.switchToIndeterminate() # Find the file history files from the users folders fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%edb", "%/Windows/FileHistory/%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; # Create file history directory in temp directory, if it exists then continue on processing Temp_Dir = os.path.join(Case.getCurrentCase().getTempDirectory(), "File_History") self.log(Level.INFO, "create Directory " + Temp_Dir) try: os.mkdir(Temp_Dir) except: self.log(Level.INFO, "File_History Directory already exists " + Temp_Dir) # Write out each catalog esedb database to the temp directory for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK #self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions lclDbPath = os.path.join(Temp_Dir, file.getName() + "_" + str(file.getId())) db_name = os.path.splitext(file.getName())[0] lclSQLPath = os.path.join(Temp_Dir, db_name + "_" + str(file.getId()) + ".db3") ContentUtils.writeToFile(file, File(lclDbPath)) # Run the EXE, saving output to a sqlite database if PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Running program on data source parm 1 ==> " + self.path_to_exe + " " + lclDbPath + " " + lclSQLPath) pipe = Popen([self.path_to_exe, lclDbPath, lclSQLPath], stdout=PIPE, stderr=PIPE) else: self.log(Level.INFO, "Running program on data source parm 1 ==> " + self.path_to_exe + " " + lclDbPath + " " + lclSQLPath) pipe = Popen([self.path_to_exe, lclDbPath, lclSQLPath, os.path.dirname(os.path.abspath(__file__))], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) if db_name == "Catalog1": artID_fh = skCase.getArtifactTypeID("TSK_FH_CATALOG_1") artID_fh_evt = skCase.getArtifactType("TSK_FH_CATALOG_1") else: artID_fh = skCase.getArtifactTypeID("TSK_FH_CATALOG_2") artID_fh_evt = skCase.getArtifactType("TSK_FH_CATALOG_2") userpath = file.getParentPath() username = userpath.split('/') self.log(Level.INFO, "Getting Username " + username[2] ) # Open the DB using JDBC try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclSQLPath) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + lclSQLPath + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the contacts table in the database and get all columns. try: stmt = dbConn.createStatement() SQL_Statement = "Select ParentName 'TSK_FH_PATH', Childname 'TSK_FH_FILE_NAME', " + \ "Filesize 'TSK_FH_FILE_SIZE', " + \ "usn 'TSK_FH_USN_JOURNAL_ENTRY', " + \ "FileCreated 'TSK_FH_FILE_CREATED', filemodified 'TSK_FH_FILE_MODIFIED', " + \ "tqueued 'TSK_FH_BACKUP_QUEUED', tcreated 'TSK_FH_BACKUP_CREATED', " + \ "tcaptured 'TSK_FH_BACKUP_CAPTURED', tupdated 'TSK_FH_BACKUP_UPDATED', " + \ "tvisible 'TSK_FH_BACKUP_VISIBLE' from file_history" self.log(Level.INFO, "SQL Statement --> " + SQL_Statement) resultSet = stmt.executeQuery(SQL_Statement) except SQLException as e: self.log(Level.INFO, "Error querying database for File_History table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Cycle through each row and create artifacts while resultSet.next(): try: #self.log(Level.INFO, "Result (" + resultSet.getString("Prefetch_File_Name") + ")") FH_Path = resultSet.getString("TSK_FH_PATH") FH_File_Name = resultSet.getString("TSK_FH_FILE_NAME") FH_Filesize = resultSet.getString("TSK_FH_FILE_SIZE") FH_Usn = resultSet.getString("TSK_FH_USN_JOURNAL_ENTRY") FH_FC = resultSet.getInt("TSK_FH_FILE_CREATED") FH_FM = resultSet.getInt("TSK_FH_FILE_MODIFIED") FH_BQ = resultSet.getInt("TSK_FH_BACKUP_QUEUED") FH_BC = resultSet.getInt("TSK_FH_BACKUP_CREATED") FH_BCP = resultSet.getInt("TSK_FH_BACKUP_CAPTURED") FH_BU = resultSet.getInt("TSK_FH_BACKUP_UPDATED") FH_BV = resultSet.getInt("TSK_FH_BACKUP_VISIBLE") except SQLException as e: self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")") # Make artifact for TSK_PREFETCH, this can happen when custom attributes are fully supported art = file.newArtifact(artID_fh) # Add the attributes to the artifact. art.addAttributes(((BlackboardAttribute(attID_fh_pn, ParseFileHistoryIngestModuleFactory.moduleName, FH_Path)), \ (BlackboardAttribute(attID_fh_fn, ParseFileHistoryIngestModuleFactory.moduleName, FH_File_Name)), \ (BlackboardAttribute(attID_fh_fs, ParseFileHistoryIngestModuleFactory.moduleName, FH_Filesize)), \ (BlackboardAttribute(attID_fh_usn, ParseFileHistoryIngestModuleFactory.moduleName, FH_Usn)), \ (BlackboardAttribute(attID_fh_fc, ParseFileHistoryIngestModuleFactory.moduleName, FH_FC)), \ (BlackboardAttribute(attID_fh_fm, ParseFileHistoryIngestModuleFactory.moduleName, FH_FM)), \ (BlackboardAttribute(attID_fh_bq, ParseFileHistoryIngestModuleFactory.moduleName, FH_BQ)), \ (BlackboardAttribute(attID_fh_bc, ParseFileHistoryIngestModuleFactory.moduleName, FH_BC)), \ (BlackboardAttribute(attID_fh_bcp, ParseFileHistoryIngestModuleFactory.moduleName, FH_BCP)), \ (BlackboardAttribute(attID_fh_bu, ParseFileHistoryIngestModuleFactory.moduleName, FH_BU)), \ (BlackboardAttribute(attID_fh_bv, ParseFileHistoryIngestModuleFactory.moduleName, FH_BV)), \ (BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), \ ParseFileHistoryIngestModuleFactory.moduleName, username[2])))) try: #index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(ParseFileHistoryIngestModuleFactory.moduleName, artID_fh_evt, None)) # Clean up stmt.close() dbConn.close() #os.remove(lclDbPath) #Clean up prefetch directory and files try: shutil.rmtree(Temp_Dir) except: self.log(Level.INFO, "removal of directory tree failed " + Temp_Dir) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Windows File History Parser", " Windows File History Has Been Parsed " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Set the database to be read to the once created by the prefetch parser program skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "SRUDB.DAT") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 # Create Event Log directory in temp directory, if it exists then continue on processing Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "create Directory " + Temp_Dir) try: os.mkdir(Temp_Dir + "\SRUDB") except: self.log(Level.INFO, "SRUDB Directory already exists " + Temp_Dir) # Write out each Event Log file to the temp directory for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK #self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions lclDbPath = os.path.join(Temp_Dir + "\SRUDB", file.getName()) ContentUtils.writeToFile(file, File(lclDbPath)) # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Run the EXE, saving output to a sqlite database self.log( Level.INFO, "Running program on data source parm 1 ==> " + Temp_Dir + " Parm 2 ==> " + Temp_Dir + "\SRUDB.db3") subprocess.Popen([ self.path_to_exe, Temp_Dir + "\SRUDB\SRUDB.DAT", Temp_Dir + "\SRUDB.db3" ]).communicate()[0] for file in files: # Open the DB using JDBC lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), "SRUDB.db3") #lclDbPath = "C:\\Users\\Forensic_User\\OneDrive\\Code\\Python_Scripts\\SRUDB\SRUDB.DB3" self.log(Level.INFO, "Path the SRUDB database file created ==> " + lclDbPath) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath) except SQLException as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK #PSlsit => TSK_PROG_RUN # # Query the contacts table in the database and get all columns. for SR_table_name in self.List_Of_SRUDB: try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery( "Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('" + SR_table_name + "'); ") self.log(Level.INFO, "query SQLite Master table") except SQLException as e: self.log( Level.INFO, "Error querying database for Prefetch table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Cycle through each row and create artifacts while resultSet.next(): try: self.log( Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")") table_name = resultSet.getString("tbl_name") self.log( Level.INFO, "Result get information from table " + resultSet.getString("tbl_name") + " ") SQL_String_1 = "Select * from " + table_name + ";" SQL_String_2 = "PRAGMA table_info('" + table_name + "')" #self.log(Level.INFO, SQL_String_1) #self.log(Level.INFO, SQL_String_2) artifact_name = "TSK_" + table_name.upper() artifact_desc = "System Resource Usage " + table_name.upper( ) try: self.log(Level.INFO, "Begin Create New Artifacts") artID_amc = skCase.addArtifactType( artifact_name, artifact_desc) except: self.log( Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> " ) artID_sru = skCase.getArtifactTypeID(artifact_name) artID_sru_evt = skCase.getArtifactType(artifact_name) Column_Names = [] Column_Types = [] resultSet2 = stmt.executeQuery(SQL_String_2) while resultSet2.next(): Column_Names.append( resultSet2.getString("name").upper()) Column_Types.append( resultSet2.getString("type").upper()) #attID_ex1 = skCase.addAttrType("TSK_" + resultSet2.getString("name").upper(), resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) if resultSet2.getString("type").upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE. STRING, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log( Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") elif resultSet2.getString("type").upper() == "": try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE. STRING, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log( Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType( "TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute. TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE. LONG, resultSet2.getString("name")) #self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1)) except: self.log( Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ") resultSet3 = stmt.executeQuery(SQL_String_1) while resultSet3.next(): art = file.newArtifact(artID_sru) Column_Number = 1 for col_name in Column_Names: self.log( Level.INFO, "Result get information for column " + Column_Names[Column_Number - 1] + " ") self.log( Level.INFO, "Result get information for column_number " + str(Column_Number) + " ") c_name = "TSK_" + col_name self.log(Level.INFO, "Attribute Name is " + c_name + " ") attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1] == "TEXT": art.addAttribute( BlackboardAttribute( attID_ex1, ParseSRUDBIngestModuleFactory. moduleName, resultSet3.getString( Column_Number))) elif Column_Types[Column_Number - 1] == "": art.addAttribute( BlackboardAttribute( attID_ex1, ParseSRUDBIngestModuleFactory. moduleName, resultSet3.getString( Column_Number))) # elif Column_Types[Column_Number - 1] == "BLOB": # art.addAttribute(BlackboardAttribute(attID_ex1, ParseSRUDBIngestModuleFactory.moduleName, "BLOBS Not Supported")) # elif Column_Types[Column_Number - 1] == "REAL": # art.addAttribute(BlackboardAttribute(attID_ex1, ParseSRUDBIngestModuleFactory.moduleName, resultSet3.getFloat(Column_Number))) else: #self.log(Level.INFO, "Value for column type ==> " + str(resultSet3.getInt(Column_Number)) + " <== ") art.addAttribute( BlackboardAttribute( attID_ex1, ParseSRUDBIngestModuleFactory. moduleName, long( resultSet3.getInt( Column_Number)))) Column_Number = Column_Number + 1 IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( ParseSRUDBIngestModuleFactory.moduleName, artID_sru_evt, None)) except SQLException as e: self.log( Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")") # Clean up os.remove(lclDbPath) #Clean up EventLog directory and files for file in files: try: os.remove(Temp_Dir + "\\" + file.getName()) except: self.log( Level.INFO, "removal of SRUDB file failed " + Temp_Dir + "\\" + file.getName()) try: os.rmdir(Temp_Dir) except: self.log(Level.INFO, "removal of SRUDB directory failed " + Temp_Dir) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "System Resourse Usage DB", " SRUDB Has Been Analyzed ") IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def startUp(self, context): skCase = Case.getCurrentCase().getSleuthkitCase() self.temp_dir = Case.getCurrentCase().getTempDirectory() if PlatformUtil.isWindowsOS(): #self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "ypa.exe") #OLD self.path_to_undark = os.path.join( os.path.dirname(os.path.abspath(__file__)), "undark.exe") if not os.path.exists(self.path_to_undark): raise IngestModuleException( "EXE was not found in module folder") self.att_dp_type = self.create_attribute_type( 'YPA_DP_TYPE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Type", skCase) self.att_dp_offset = self.create_attribute_type( 'YPA_DP_OFFSET', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Offset", skCase) self.att_dp_lenght = self.create_attribute_type( 'YPA_DP_LENGHT', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Lenght", skCase) self.att_dp_data = self.create_attribute_type( 'YPA_DP_DATA', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Data", skCase) self.att_contact_id = self.create_attribute_type( 'YPA_CONTACT_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Contact id", skCase) self.att_address = self.create_attribute_type( 'YPA_ADDRESS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Address", skCase) self.att_display_name = self.create_attribute_type( 'YPA_DISPLAY_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Display name", skCase) self.att_address_type = self.create_attribute_type( 'YPA_ADDRESS_TYPE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Address type", skCase) self.att_times_contacted = self.create_attribute_type( 'YPA_TIMES_CONTACTED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Times contacted", skCase) self.att_last_contacted_time = self.create_attribute_type( 'YPA_LAST_CONTACT_TIME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Last contacted time", skCase) self.att_last_updated_time = self.create_attribute_type( 'YPA_LAST_UPDATE_TIME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Last updated time", skCase) self.att_thread_id = self.create_attribute_type( 'YPA_THREAD_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Thread id", skCase) self.att_message_id = self.create_attribute_type( 'YPA_MESSAGE_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message id", skCase) self.att_recipient_list = self.create_attribute_type( 'YPA_RECIPIENT_LIST', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Recipients", skCase) self.att_from_address = self.create_attribute_type( 'YPA_FROM_ADDRESS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Address", skCase) self.att_body = self.create_attribute_type( 'YPA_BODY', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message Body", skCase) self.att_status = self.create_attribute_type( 'YPA_STATUS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Status", skCase) self.att_timestamp = self.create_attribute_type( 'YPA_TIMESTAMP', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Timestamp", skCase) self.att_mms_text = self.create_attribute_type( 'YPA_MMS_TEXT', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Text", skCase) self.att_num_of_files = self.create_attribute_type( 'YPA_NUM_OF_FILES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Number of files", skCase) self.att_name_of_files = self.create_attribute_type( 'YPA_NAME_OF_FILES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Name of files", skCase) self.att_pic_size = self.create_attribute_type( 'YPA_PIC_SIZE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "Picture size (B)", skCase) self.att_db_uv = self.create_attribute_type( 'YPA_DB_UV', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Sqlite User Version", skCase) self.att_rec_row = self.create_attribute_type( 'YPA_REC_ROW', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Data recovered from unvacuumed row", skCase) self.contact_query = "select a.contact_id, a.address,c.display_name, a.address_type, a.times_contacted, datetime(a.last_contacted_time / 10000000 - 11644473600,'unixepoch') as last_contacted_time, datetime(c.last_updated_time/ 10000000 - 11644473600,'unixepoch') as last_updated_time from address a join contact c on a.contact_id = c.contact_id" self.messages_query = "select m.thread_id, m.message_id, con.recipient_list , ifnull(c.display_name,'n/a') as display_name, m.body, m.status, ifnull(m.from_address,'self') as from_address, datetime(m.timestamp/ 10000000 - 11644473600,'unixepoch') as timestamp from message m left join address a on m.from_address = a.address left join contact c on a.contact_id = c.contact_id join conversation con on con.thread_id = m.thread_id order by m.message_id" self.mms_query = "select mp.message_id, mm.thread_id, mp.content_type, mp.name, mp.text, ifnull(c.display_name,'n/a') as display_name, ma.address from mms_part mp left join mms mm on mp.message_id = mm.message_id left join mms_address ma on mp.message_id = ma.message_id left join address a on ma.address = a.address left join contact c on a.contact_id = c.contact_id where ma.address not like 'insert-address-token' " self.address_types = { '1': 'Home phone number', '2': 'Mobile phone number', '3': 'Office phone number', '4': 'Unknown', '5': 'Main phone number', '6': 'Other phone number' }
def process(self, dataSource, progressBar): blackboard = Case.getCurrentCase().getServices().getBlackboard() skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "phone.db") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") self.anyValidFileFound = False for file in files: dbPath = os.path.join(self.temp_dir, str(file.getName())) ContentUtils.writeToFile(file, File(dbPath)) try: Class.forName("org.sqlite.JDBC").newInstance() config = SQLiteConfig() config.setEncoding(SQLiteConfig.Encoding.UTF8) dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % dbPath, config.toProperties()) except Exception as e: self.log( Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + str(e) + ")") continue try: full_path = (file.getParentPath() + file.getName()) split = full_path.split('/') try: try: userName = split[-11] except IndexError: userName = "******" self.art_contacts = self.create_artifact_type( "YPA_CONTACTS_" + userName, "User " + userName + " - Contacts", skCase) self.art_messages = self.create_artifact_type( "YPA_MESSAGE_" + userName, "User " + userName + " - SMS", skCase) self.art_mms = self.create_artifact_type( "YPA_MMS_" + userName, "User " + userName + " - MMS", skCase) self.art_pictures = self.create_artifact_type( "YPA_PICTURES_" + userName, "User " + userName + " - Recent Pictures", skCase) self.art_freespace = self.create_artifact_type( "YPA_FREESPACE_" + userName, "User " + userName + " - Rows Recovered(undark)", skCase) self.art_dp = self.create_artifact_type( "YPA_DP_" + userName, "User " + userName + " - Rows Recovered(Delete parser)", skCase) self.art_set = self.create_artifact_type( "YPA_SETTINGS_" + userName, "User " + userName + " - Database Settings", skCase) except Exception as e: self.log(Level.INFO, str(e)) continue stmt = dbConn.createStatement() contacts = stmt.executeQuery(self.contact_query) self.processContacts(contacts, file, blackboard, skCase) stmt = dbConn.createStatement() messages = stmt.executeQuery(self.messages_query) self.processMessages(messages, file, blackboard, skCase) stmt = dbConn.createStatement() mms = stmt.executeQuery(self.mms_query) self.processMms(mms, file, blackboard, skCase) self.anyValidFileFound = True stmt = dbConn.createStatement() prag_uv = stmt.executeQuery("pragma user_version") art = file.newArtifact(self.art_set.getTypeID()) prag_uv.next() art.addAttribute( BlackboardAttribute( self.att_db_uv, YourPhoneIngestModuleFactory.moduleName, prag_uv.getString("user_version"))) self.index_artifact(blackboard, art, self.art_set) if PlatformUtil.isWindowsOS(): try: with open(self.temp_dir + '\\freespace.txt', 'w') as f: subprocess.Popen([ self.path_to_undark, '-i', dbPath, '--freespace' ], stdout=f).communicate() with open(self.temp_dir + '\\freespace.txt', 'r') as f: self.log( Level.INFO, ' '.join([ self.path_to_undark, '-i', dbPath, '--freespace >' ])) self.log(Level.INFO, "called undark") line = f.readline() while line: self.log(Level.INFO, "opened result") art = file.newArtifact( self.art_freespace.getTypeID()) art.addAttribute( BlackboardAttribute( self.att_rec_row, YourPhoneIngestModuleFactory. moduleName, str(line))) self.index_artifact(blackboard, art, self.art_freespace) line = f.readline() except Exception as e: self.log(Level.SEVERE, str(e)) pass try: mdg = mdgMod.mdg_modified.sqlite_rec(dbPath) res = mdg.extract_deleted() for line in res: art = file.newArtifact(self.art_dp.getTypeID()) art.addAttribute( BlackboardAttribute( self.att_dp_type, YourPhoneIngestModuleFactory.moduleName, str(line[0]))) art.addAttribute( BlackboardAttribute( self.att_dp_offset, YourPhoneIngestModuleFactory.moduleName, str(line[1]))) art.addAttribute( BlackboardAttribute( self.att_dp_lenght, YourPhoneIngestModuleFactory.moduleName, str(line[2]))) art.addAttribute( BlackboardAttribute( self.att_dp_data, YourPhoneIngestModuleFactory.moduleName, str(line[3]))) self.index_artifact(blackboard, art, self.art_dp) except Exception as e: self.log(Level.SEVERE, str(e)) pass except Exception as e: self.log(Level.SEVERE, str(e)) continue finally: dbConn.close() try: os.remove(dbPath) except (Exception, OSError) as e: self.log(Level.SEVERE, str(e)) try: full_path = (file.getParentPath() + file.getName()) split = full_path.split('/') guidPath = '/'.join(split[:-3]) usrPath = guidPath + '/User' self.log(Level.INFO, usrPath) ufiles = fileManager.findFiles(dataSource, '%', usrPath) self.log(Level.INFO, ufiles[0].getName()) for ufile in ufiles: rpPath = ufile.getParentPath() + ufile.getName( ) + '/Recent Photos/' picfiles = fileManager.findFiles(dataSource, '%', rpPath) for pic in picfiles: self.log(Level.INFO, pic.getName()) # Make an artifact art = pic.newArtifact(self.art_pictures.getTypeID()) # Register file size art.addAttribute( BlackboardAttribute( self.att_pic_size, YourPhoneIngestModuleFactory.moduleName, pic.getSize())) self.index_artifact(blackboard, art, self.art_pictures) except Exception as e: self.log(Level.INFO, "failed to obtain photos") continue if not self.anyValidFileFound: Message.info("YPA: No valid database file found") return IngestModule.ProcessResult.OK
def find_profile(self, image_file): Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "create Directory " + Temp_Dir) self.log(Level.INFO, "File name to process is ==> " + str(image_file)) file_name = os.path.basename(image_file) self.log(Level.INFO, "File Name ==> " + file_name) base_file_name = os.path.splitext(file_name)[0] database_file = os.path.join(Temp_Dir, base_file_name + ".db3") self.log(Level.INFO, "File Name ==> " + self.database_file) found_profile = False if os.path.isfile(self.database_file): self.log(Level.INFO, "Path the volatility database file created ==> " + self.database_file) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % self.database_file) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the database try: stmt = dbConn.createStatement() resultSet1 = stmt.executeQuery('Select "Suggested Profile(s)" from imageinfo') self.log(Level.INFO, "query " + str(resultSet1)) # Cycle through each row and create artifacts profile_names = None while resultSet1.next(): try: profile_names = resultSet1.getString("Suggested Profile(s)") if profile_names == None: self.Profile = None elif ',' in profile_names: profile_list = profile_names.split(",") self.Profile = profile_list[0] elif ' ' in profle_names: profile_list = profile_names.split(" ") self.Profile = profile_list[0] else: self.Profile = profile_names found_profile = True except: self.log(Level.INFO, "Error getting profile name, Profile name is ==> " + profile_names + " <==") except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") try: stmt.close() dbConn.close() #os.remove(database_name) except: self.log(Level.INFO, "removal of volatility imageinfo database failed " + Temp_Dir) if found_profile: pass else: if self.Python_Program: self.log(Level.INFO, "Running program ==> " + "Python " + self.Volatility_Executable + " -f " + image_file + " " + \ " --output=sqlite --output-file=" + self.database_file + " imageinfo") if PlatformUtil.isWindowsOS(): pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", image_file, "--output=sqlite", \ "--output-file=" + self.database_file, "imageinfo"], stdout=PIPE, stderr=PIPE) else: pipe = Popen(["python", self.Volatility_Executable, "-f", image_file, "--output=sqlite", \ "--output-file=" + self.database_file, "imageinfo"], stdout=PIPE, stderr=PIPE) else: self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + image_file + " " + \ " --output=sqlite --output-file=" + self.database_file + " imageinfo") pipe = Popen([self.Volatility_Executable, "-f", image_file, "--output=sqlite", \ "--output-file=" + self.database_file, "imageinfo"], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) # Open the DB using JDBC self.log(Level.INFO, "Path the volatility database file created ==> " + self.database_file) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % self.database_file) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the database try: stmt = dbConn.createStatement() resultSet1 = stmt.executeQuery('Select "Suggested Profile(s)" from imageinfo') self.log(Level.INFO, "query SQLite Master table ==> " ) self.log(Level.INFO, "query " + str(resultSet1)) # Cycle through each row and create artifacts profile_names = None while resultSet1.next(): try: profile_names = resultSet1.getString("Suggested Profile(s)") if profile_names == None: self.Profile = None elif ',' in profile_names: profile_list = profile_names.split(",") self.Profile = profile_list[0] elif ' ' in profle_names: profile_list = profile_names.split(" ") self.Profile = profile_list[0] else: self.Profile = profile_names except: self.log(Level.INFO, "Error getting profile name, Profile name is ==> " + profile_names + " <==") try: exestmt = dbConn.createStatement() resultx = exestmt.execute('create table plugins_loaded_to_Autopsy (table_name text);') except SQLException as e: self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy") return IngestModule.ProcessResult.OK except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")") try: stmt.close() exestmt.close() dbConn.close() #os.remove(database_name) except: self.log(Level.INFO, "removal of volatility imageinfo database failed " + Temp_Dir)
def process(self, dataSource, progressBar): moduleName = CarverFilesIngestModuleFactory.moduleName if len(self.List_Of_tables) < 1: message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "FileCarver", " No Mime Types Selected to Parse " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.ERROR # we don't know how much work there is yet progressBar.switchToIndeterminate() # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/latest/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() if "All_Mime_Types" in self.List_Of_tables: files = fileManager.findFiles(dataSource, "%") if "Include_Slack_Space" in self.List_Of_tables: files=[i for i in files if (i.getSize() > 500)] numFiles = len(files) else: files=[i for i in files if (i.getSize() > 500) and not i.getName().endswith("-slack") ] numFiles = len(files) else: files = fileManager.findFilesByMimeType(self.mimeTypesToFind) if "Include_Slack_Space" in self.List_Of_tables: files=[i for i in files if (i.getSize() > 500)] numFiles = len(files) else: files=[i for i in files if (i.getSize() > 500) and not i.getName().endswith("-slack") ] numFiles = len(files) # if "Default_Mime_Types" in self.List_Of_tables: # files = fileManager.findFilesByMimeType(self.mimeTypesToFind) # if "Include_Slack_Space" in self.List_Of_tables: # files=[i for i in files if (i.getSize() > 1000)] # numFiles = len(files) # else: # files=[i for i in files if (i.getSize() > 1000) and not i.getName().endswith("-slack") ] # numFiles = len(files) # else: # files = fileManager.findFiles(dataSource, "%") # if "Include_Slack_Space" in self.List_Of_tables: # files=[i for i in files if (i.getSize() > 1000)] # numFiles = len(files) # else: # files=[i for i in files if (i.getSize() > 1000) and not i.getName().endswith("-slack") ] # numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 FileExtractCount=0 Temp_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath() tmp_dir = Case.getCurrentCase().getTempDirectory() if PlatformUtil.isWindowsOS(): self.log(Level.INFO, "create Directory " + Temp_Dir) try: os.mkdir(Temp_Dir + "\Carved-Foremost") except: self.log(Level.INFO, "Carved-Foremost Directory already exists " + Temp_Dir) else: self.log(Level.INFO, "create Directory " + Temp_Dir) try: os.mkdir(Temp_Dir + "/Carved-Foremost") except: self.log(Level.INFO, "Carved-Foremost Directory already exists " + Temp_Dir) for file in files: fileCount += 1 # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK if ((file.getSize() > 1000) and (file.getType() != TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) and (file.getType() != TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) and (file.isFile() != False)): self.log(Level.INFO, "Processing file: " + file.getName()) # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. fileGetName=file.getName() if ":" in fileGetName: fileGetName=fileGetName.replace(":","_") else: fileGetName=file.getName() if PlatformUtil.isWindowsOS(): out_dir = os.path.join(Temp_Dir + "\Carved-Foremost", str(file.getId())) try: os.mkdir(Temp_Dir + "\Carved-Foremost\\" + str(file.getId())) except: self.log(Level.INFO, str(file.getId()) + " Directory already exists " + Temp_Dir) else: out_dir = os.path.join(Temp_Dir + "/Carved-Foremost", str(file.getId())) try: os.mkdir(Temp_Dir + "/Carved-Foremost/" + str(file.getId())) except: self.log(Level.INFO, str(file.getId()) + " Directory already exists " + Temp_Dir) lclDbPath=os.path.join(tmp_dir, str(file.getId())) try: ContentUtils.writeToFile(file, File(lclDbPath)) except: pass # Check if output directory exists and if it does then delete it, this may happen with a rerun if os.path.exists(out_dir): shutil.rmtree(out_dir) if os.path.exists(lclDbPath): self.log(Level.INFO, "Running prog ==> " + self.path_to_exe_foremost + " -t " + "jpeg,png,bmp,gif" + " -o " + out_dir + " -i " + lclDbPath) pipe = Popen([self.path_to_exe_foremost, "-t" + "jpeg,png,bmp,gif", "-o", out_dir, "-i", lclDbPath], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) if len(os.listdir(out_dir)) == 1: shutil.rmtree(out_dir) os.remove(lclDbPath) else: art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, CarverFilesIngestModuleFactory.moduleName, "New Carved Data and Sqlite Files") art.addAttribute(att) try: # index the artifact for keyword search skCase.getBlackboard().postArtifact(art, moduleName) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) redactresults = out_dir auditLog = os.path.join(redactresults,"audit.txt") if os.path.exists(auditLog): os.remove(auditLog) imagedirs = os.listdir(redactresults) for imagedir in imagedirs: jpgpath=os.path.join(redactresults,imagedir) imagejpgs=os.listdir(jpgpath) for imagejpg in imagejpgs: srcfile=os.path.join(jpgpath,imagejpg) dstfile=os.path.join(redactresults,imagejpg) shutil.move(srcfile,dstfile) shutil.rmtree(jpgpath) extractedfiles = next(os.walk(out_dir))[2] for extractfile in extractedfiles: FileExtractCount=FileExtractCount+1 self.log(Level.INFO, " File Name is ==> " + extractfile) if PlatformUtil.isWindowsOS(): relativeModulepath=Case.getCurrentCase().getModuleOutputDirectoryRelativePath() + "\Carved-Foremost" else: relativeModulepath=Case.getCurrentCase().getModuleOutputDirectoryRelativePath() + "/Carved-Foremost" relativeCarvedpath=os.path.join(relativeModulepath, str(file.getId())) relativelocal_file = os.path.join(relativeCarvedpath, extractfile) local_file = os.path.join(out_dir,extractfile) self.log(Level.INFO, " Local File Name is ==> " + local_file) derived_file=skCase.addDerivedFile(extractfile, relativelocal_file, os.path.getsize(local_file), 0, 0, 0, 0, True, file, "", "foremost", "1.5", "", TskData.EncodingType.NONE) IngestServices.getInstance().fireModuleContentEvent(ModuleContentEvent(derived_file)) os.remove(lclDbPath) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "File Carver Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) message2 = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "File Carver Module", "Found %d images in %d files " % (FileExtractCount,fileCount)) IngestServices.getInstance().postMessage(message2) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): self.log(Level.INFO, "Starting to process Hiberfil.sys and Crash Dumps") # we don't know how much work there is yet progressBar.switchToIndeterminate() # Get the temp directory and create the sub directory if self.hiber_flag: Mod_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath() try: ModOut_Dir = os.path.join(Mod_Dir, "Volatility", "Memory-Image-hiberfil") self.log(Level.INFO, "Module Output Directory ===> " + ModOut_Dir) #dir_util.mkpath(ModOut_Dir) os.mkdir(os.path.join(Mod_Dir, "Volatility")) os.mkdir(ModOut_Dir) except: self.log(Level.INFO, "***** Error Module Output Directory already exists " + ModOut_Dir) # Set the database to be read to the once created by the prefetch parser program skCase = Case.getCurrentCase().getSleuthkitCase(); fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "hiberfil.sys", "/") numFiles = len(files) self.log(Level.INFO, "Number of files to process ==> " + str(numFiles)) for file in files: self.log(Level.INFO, "File to process is ==> " + str(file)) self.log(Level.INFO, "File name to process is ==> " + file.getName()) tmp_Dir = Case.getCurrentCase().getTempDirectory() Hiber_File = os.path.join(tmp_Dir, file.getName()) ContentUtils.writeToFile(file, File(Hiber_File)) self.log(Level.INFO, "File name to process is ==> " + Hiber_File) # Create the directory to dump the hiberfil dump_file = os.path.join(ModOut_Dir, "Memory-Image-from-hiberfil.img") if self.Python_Program: self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " imagecopy -f " + Hiber_File + " " + \ " -O " + dump_file) if PlatformUtil.isWindowsOS(): pipe = Popen(["Python.exe", self.Volatility_Executable, "imagecopy", "-f", Hiber_File, "-O" + dump_file], stdout=PIPE, stderr=PIPE) else: pipe = Popen(["python", self.Volatility_Executable, "imagecopy", "-f", Hiber_File, "-O" + dump_file], stdout=PIPE, stderr=PIPE) else: self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " imagecopy -f " + Hiber_File + " " + \ " -O " + dump_file) pipe = Popen([self.Volatility_Executable, "imagecopy", "-f", Hiber_File, "-O" + dump_file], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) # Add hiberfil memory image to a new local data source services = IngestServices.getInstance() progress_updater = ProgressUpdater() newDataSources = [] dump_file = os.path.join(ModOut_Dir, "Memory-Image-from-hiberfil.img") dir_list = [] dir_list.append(dump_file) # skCase = Case.getCurrentCase().getSleuthkitCase(); fileManager_2 = Case.getCurrentCase().getServices().getFileManager() skcase_data = Case.getCurrentCase() # Get a Unique device id using uuid device_id = UUID.randomUUID() self.log(Level.INFO, "device id: ==> " + str(device_id)) skcase_data.notifyAddingDataSource(device_id) # Add data source with files newDataSource = fileManager_2.addLocalFilesDataSource(str(device_id), "Hiberfile Memory Image", "", dir_list, progress_updater) newDataSources.append(newDataSource.getRootDirectory()) # Get the files that were added files_added = progress_updater.getFiles() #self.log(Level.INFO, "Fire Module1: ==> " + str(files_added)) for file_added in files_added: skcase_data.notifyDataSourceAdded(file_added, device_id) self.log(Level.INFO, "Fire Module1: ==> " + str(file_added)) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "HiberFil_Crash", " Hiberfil/Crash Dumps have been extracted fro Image. " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): self.log(Level.INFO, "Starting to process, Just before call to parse_safari_history") # we don't know how much work there is yet progressBar.switchToIndeterminate() # Get the temp directory and create the sub directory Temp_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath() temp_dir = os.path.join(Temp_Dir, "Volatility") try: os.mkdir(temp_dir) except: self.log(Level.INFO, "Plaso Import Directory already exists " + Temp_Dir) # Set the database to be read to the once created by the prefetch parser program skCase = Case.getCurrentCase().getSleuthkitCase(); fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%", "/") numFiles = len(files) self.log(Level.INFO, "Number of files to process ==> " + str(numFiles)) #file_name = os.path.basename(self.path_to_storage_file) #self.log(Level.INFO, "File Name ==> " + file_name) #base_file_name = os.path.splitext(file_name)[0] #self.database_file = Temp_Dir + "\\volatility\\Plaso.db3" for file in files: self.log(Level.INFO, "File name to process is ==> " + str(file)) self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath())) image_file = file.getLocalAbsPath() if image_file != None: self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath())) file_name = os.path.basename(file.getLocalAbsPath()) self.log(Level.INFO, "File Name ==> " + file_name) base_file_name = os.path.splitext(file_name)[0] self.database_file = os.path.join(temp_dir, base_file_name + ".db3") self.log(Level.INFO, "File Name ==> " + self.database_file) if self.isAutodetect: self.find_profile(image_file) if self.Profile == None: continue for plugin_to_run in self.Plugins: if self.Python_Program: self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \ "--profile=" + self.Profile + " --output=sqlite --output-file=" + self.database_file + " " + self.Additional_Parms + " " + plugin_to_run) if PlatformUtil.isWindowsOS(): pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, "--output=sqlite", \ "--output-file=" + self.database_file, self.Additional_Parms, plugin_to_run], stdout=PIPE, stderr=PIPE) else: pipe = Popen(["python", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, "--output=sqlite", \ "--output-file=" + self.database_file, self.Additional_Parms, plugin_to_run], stdout=PIPE, stderr=PIPE) else: self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \ "--profile=" + self.Profile + " --output=sqlite --output-file=" + self.database_file + " " + self.Additional_Parms + " " + plugin_to_run) pipe = Popen([self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, "--output=sqlite", \ "--output-file=" + self.database_file, self.Additional_Parms, plugin_to_run], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) # Open the DB using JDBC self.log(Level.INFO, "Path the volatility database file created ==> " + self.database_file) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % self.database_file) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + self.database_file + " (" + e.getMessage() + ")") try: exestmt = dbConn.createStatement() resultx = exestmt.execute('create table plugins_loaded_to_Autopsy (table_name text);') except SQLException as e: self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy") # Query the database try: stmt = dbConn.createStatement() stmt2 = dbConn.createStatement() stmt3 = dbConn.createStatement() stmt4 = dbConn.createStatement() resultSet1 = stmt.executeQuery("Select upper(tbl_name) tbl_name from SQLITE_MASTER where upper(tbl_name) " \ " not in (select table_name from plugins_loaded_to_Autopsy)" \ " and upper(tbl_name) <> 'PLUGINS_LOADED_TO_AUTOPSY';") # Cycle through each row and create artifacts while resultSet1.next(): try: self.log(Level.INFO, "Begin Create New Artifacts ==> " + resultSet1.getString("tbl_name")) artID_art = skCase.addArtifactType( "TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name, "Volatility " + \ resultSet1.getString("tbl_name") + " " + file_name) except: self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ") # Get the artifact and attributes artID_art = skCase.getArtifactTypeID("TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name) artID_art_evt = skCase.getArtifactType("TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name) try: self.log(Level.INFO, "Result (" + resultSet1.getString("tbl_name") + ")") table_name = resultSet1.getString("tbl_name") resultSet4 = stmt4.executeQuery("Select count(*) 'NumRows' from " + resultSet1.getString("tbl_name") + " ") row_count = resultSet4.getInt("NumRows") self.log(Level.INFO, " Number of Rows is " + str(row_count) + " ") if row_count >= 1: SQL_String_1 = "Select * from " + table_name + ";" SQL_String_2 = "PRAGMA table_info('" + table_name + "')" self.log(Level.INFO, SQL_String_1) self.log(Level.INFO, SQL_String_2) artifact_name = "TSK_VOL_" + table_name.upper() + "_" + file_name artID_sql = skCase.getArtifactTypeID(artifact_name) artID_sql_evt = skCase.getArtifactType(artifact_name) Column_Names = [] Column_Types = [] resultSet2 = stmt2.executeQuery(SQL_String_2) while resultSet2.next(): Column_Names.append(resultSet2.getString("name").upper()) Column_Types.append(resultSet2.getString("type").upper()) attribute_name = "TSK_VOL_" + table_name + "_" + resultSet2.getString("name").upper() if resultSet2.getString("type").upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ") elif resultSet2.getString("type").upper() == "LONGVARCHAR": try: attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ") elif resultSet2.getString("type").upper() == "": try: attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ") elif resultSet2.getString("type").upper() == "BLOB": try: attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ") elif resultSet2.getString("type").upper() == "REAL": try: attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ") resultSet3 = stmt3.executeQuery(SQL_String_1) while resultSet3.next(): art = file.newArtifact(artID_sql) Column_Number = 1 for col_name in Column_Names: c_name = "TSK_VOL_" + table_name.upper() + "_" + Column_Names[Column_Number - 1] attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1] == "TEXT": if resultSet3.getString(Column_Number) == None: art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, " ")) else: art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) elif Column_Types[Column_Number - 1] == "": art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) elif Column_Types[Column_Number - 1] == "LONGVARCHAR": art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file")) elif Column_Types[Column_Number - 1] == "BLOB": art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file")) elif Column_Types[Column_Number - 1] == "REAL": art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getFloat(Column_Number)))) else: art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getString(Column_Number)))) Column_Number = Column_Number + 1 IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(VolatilityIngestModuleFactory.moduleName, \ artID_sql_evt, None)) except SQLException as e: self.log(Level.INFO, "Error getting values from table " + resultSet.getString("tbl_name") + " (" + e.getMessage() + ")") try: # exestmt = createStatement() resultx = exestmt.execute("insert into plugins_loaded_to_Autopsy values ('" + table_name + "');") except SQLException as e: self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy") except SQLException as e: self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")") # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "VolatilitySettings", " VolatilitySettings Has Been Analyzed " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def parse_sqlite_data(self, dataSource, progressBar, os_version, mac_os_art_id, settings_db): # we don't know how much work there is yet progressBar.switchToIndeterminate() skCase = Case.getCurrentCase().getSleuthkitCase(); try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % settings_db) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) macos_recents.db3 (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the history_visits table in the database and get all columns. try: stmt = dbConn.createStatement() macos_version_sql = "select mac_osx_art_id, mac_osx_art_type, mac_osx_art_File_Name, mac_osx_art_dir_name, " + \ " mac_osx_art_database_name, mac_osx_art_sql_statement, os_version, " + \ " os_name from mac_artifact a, os_version b where a.os_id = b.os_id and b.os_version = '" + os_version + "'" + \ " and mac_osx_art_id = " + str(mac_os_art_id) + ";" self.log(Level.INFO, macos_version_sql) resultSet = stmt.executeQuery(macos_version_sql) self.log(Level.INFO, "query recent version table") except SQLException as e: self.log(Level.INFO, "Error querying database for recent version (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Get the artifact name and create it. try: stmt_2 = dbConn.createStatement() artifact_sql = "select distinct autopsy_art_type, autopsy_art_name, autopsy_art_description " + \ " from autopsy_artifact a, Art_att_mac_xref b where a.autopsy_art_id = b.autopsy_art_id " + \ " and b.mac_osx_art_id = " + resultSet.getString("mac_osx_art_id") + ";" resultSet_art = stmt_2.executeQuery(artifact_sql) self.log(Level.INFO, "Artifact Type (" + resultSet_art.getString("autopsy_art_type") + ")") if resultSet_art.getString("autopsy_art_type") != 'AUTOPSY': try: self.log(Level.INFO, "Begin Create New Artifacts ==> " + resultSet_art.getString("autopsy_art_name")) artID_art = skCase.addArtifactType( resultSet_art.getString("autopsy_art_name"), \ resultSet_art.getString("autopsy_art_desctiption")) self.artifact_name = resultSet_art.getString("autopsy_art_name") except: self.log(Level.INFO, "Artifacts Creation Error, artifact " + resultSet_art.getString("autopsy_art_name") + " exists. ==> ") else: self.artifact_name = resultSet_art.getString("autopsy_art_name") # Get the attribute types and create them stmt_3 = dbConn.createStatement() attribute_sql = "select distinct autopsy_attrib_type, autopsy_attrib_name, autopsy_attrib_desc, autopsy_attrib_value_type_desc " + \ " from autopsy_attribute a, Art_att_mac_xref b, autopsy_value_type c " + \ " where a.autopsy_attrib_id = b.autopsy_attrib_id and a.autopsy_attrib_value_type = c.autopsy_attrib_value_type " + \ " and b.mac_osx_art_id =" + resultSet.getString("mac_osx_art_id") + ";" self.log(Level.INFO, "Attribute SQL ==> " + attribute_sql) resultSet_att = stmt_3.executeQuery(attribute_sql) while resultSet_att.next(): if resultSet_att.getString("autopsy_attrib_type") == 'CUSTOM': if resultSet_att.getString("autopsy_attrib_value_type_desc") == 'String': try: attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet_att.getString("autopsy_attrib_desc")) except: self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ") elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Integer': try: attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER, resultSet_att.getString("autopsy_attrib_desc")) except: self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ") elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Long': try: attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet_att.getString("autopsy_attrib_desc")) except: self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ") elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Double': try: attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE, resultSet_att.getString("autopsy_attrib_desc")) except: self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ") elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Byte': try: attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE, resultSet_att.getString("autopsy_attrib_desc")) except: self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ") else: try: attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, resultSet_att.getString("autopsy_attrib_desc")) except: self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ") except SQLException as e: self.log(Level.INFO, "Error querying database for artifacts/attributes (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Cycle through each row and create artifacts while resultSet.next(): # Set the database to be read to the once created by the prefetch parser program macos_file_name = resultSet.getString("mac_osx_art_File_Name") macos_dir_name = resultSet.getString("mac_osx_art_dir_name") macos_database_name = resultSet.getString("mac_osx_art_database_name") #macos_table_name = resultSet.getString("mac_osx_art_table_name") #self.path_to_plist_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), resultSet.getString("mac_osx_art_exec_file")) fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, macos_file_name + "%", macos_dir_name) numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; all_files = [] # do this since we want to get the wal or journal files associated with the SQLite database but we want to # make sure we have them to use if numFiles > 1: for file in files: if file.getName() == macos_file_name: self.log(Level.INFO, file.getParentPath()) all_files.append(file) files_to_process = all_files # Create Event Log directory in temp directory, if it exists then continue on processing Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "create Directory " + Temp_Dir) try: os.mkdir(Temp_Dir + "\macos_recent") except: self.log(Level.INFO, "macos_recent Directory already exists " + Temp_Dir) # Write out each Event Log file to the temp directory file_id = 0 for file in files: #self.log(Level.INFO, str(file)) # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK #self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions, also add file id to wal and journal files # if needed so that it can use the journals. self.log(Level.INFO, "File Name ==> " + file.getName() + " <==> " + macos_database_name) if file.getName().upper() == macos_database_name.upper(): file_id = file.getId() self.log(Level.INFO, "File Name ==> " + file.getName() + " <==> " + macos_database_name + " <++> " + str(file.getId())) lclDbPath = os.path.join(Temp_Dir + "\macos_recent", str(file_id) + "-" + file.getName()) self.log(Level.INFO, " Database name ==> " + lclDbPath) ContentUtils.writeToFile(file, File(lclDbPath)) else: lclDbPath = os.path.join(Temp_Dir + "\macos_recent", str(file_id) + "-" + file.getName()) self.log(Level.INFO, " Database name ==> " + lclDbPath) ContentUtils.writeToFile(file, File(lclDbPath)) lclDbPath = os.path.join(Temp_Dir + "\macos_recent", str(file_id) + "-" + macos_database_name) lclFilePath = os.path.join(Temp_Dir + "\macos_recent", macos_file_name) self.log(Level.INFO, " Database name ==> " + lclDbPath + " File Path ==> " + lclFilePath) for file in files_to_process: # Example has only a Windows EXE, so bail if we aren't on Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # Open the DB using JDBC lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory() + "\macos_recent", str(file.getId()) + "-" + macos_database_name) self.log(Level.INFO, "Path the Safari History.db database file created ==> " + lclDbPath) try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Query the history_visits table in the database and get all columns. try: stmt_1 = dbConn.createStatement() macos_recent_sql = resultSet.getString("mac_osx_art_sql_statement") self.log(Level.INFO, macos_recent_sql) resultSet_3 = stmt_1.executeQuery(macos_recent_sql) self.log(Level.INFO, "query " + macos_database_name + " table") except SQLException as e: self.log(Level.INFO, "Error querying database for history table (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK artID_hst = skCase.getArtifactTypeID(self.artifact_name) artID_hst_evt = skCase.getArtifactType(self.artifact_name) meta = resultSet_3.getMetaData() columncount = meta.getColumnCount() column_names = [] self.log(Level.INFO, "Number of Columns in the table ==> " + str(columncount)) for x in range (1, columncount + 1): self.log(Level.INFO, "Column Name ==> " + meta.getColumnLabel(x)) column_names.append(meta.getColumnLabel(x)) self.log(Level.INFO, "All Columns ==> " + str(column_names)) # Cycle through each row and create artifacts while resultSet_3.next(): try: #self.log(Level.INFO, SQL_String_1) self.log(Level.INFO, "Artifact Is ==> " + str(artID_hst)) art = file.newArtifact(artID_hst) self.log(Level.INFO, "Inserting attribute URL") for col_name in column_names: attID_ex1 = skCase.getAttributeType(col_name) self.log(Level.INFO, "Inserting attribute ==> " + str(attID_ex1)) self.log(Level.INFO, "Attribute Type ==> " + str(attID_ex1.getValueType())) if attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING: try: art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getString(col_name))) except: self.log(Level.INFO, "Attributes String Creation Error, " + col_name + " ==> ") elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER: try: art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getInt(col_name))) except: self.log(Level.INFO, "Attributes Integer Creation Error, " + col_name + " ==> ") elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG: try: art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getInt(col_name))) except: self.log(Level.INFO, "Attributes Long Creation Error, " + col_name + " ==> ") elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE: try: art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getInt(col_name))) except: self.log(Level.INFO, "Attributes Double Creation Error, " + col_name + " ==> ") elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE: try: art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getString(col_name))) except: self.log(Level.INFO, "Attributes Byte Creation Error, " + col_name + " ==> ") else: try: art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getReal(col_name))) except: self.log(Level.INFO, "Attributes Datatime Creation Error, " + col_name + " ==> ") except SQLException as e: self.log(Level.INFO, "Error getting values from web_history table (" + e.getMessage() + ")") IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(ParseMacOS_RecentIngestModuleFactory.moduleName, artID_hst_evt, None)) stmt_3.close() stmt_2.close() stmt_1.close() stmt.close() dbConn.close() # Clean up os.remove(lclDbPath) #Clean up EventLog directory and files for file in files: try: os.remove(Temp_Dir + "\\macos_recent\\" + file.getName()) except: self.log(Level.INFO, "removal of Safari History file failed " + Temp_Dir + "\\macos_recent" + file.getName()) try: os.rmdir(Temp_Dir + "\\macos_recent") except: self.log(Level.INFO, "removal of Safari History directory failed " + Temp_Dir)
def process(self, dataSource, progressBar): self.log(Level.INFO, "Starting to process") # we don't know how much work there is yet progressBar.switchToIndeterminate() # Get the temp directory and create the sub directory Temp_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath() temp_dir = os.path.join(Temp_Dir, "Volatility", "Dump-Files") try: os.mkdir(temp_dir) except: self.log(Level.INFO, "Volatility Directory already exists " + temp_dir) self.log(Level.INFO, "Volatility Directory already exists " + str(dataSource.getId())) # Set the database to be read to the once created by the prefetch parser program skCase = Case.getCurrentCase().getSleuthkitCase() fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%", "/") numFiles = len(files) self.log(Level.INFO, "Number of files to process ==> " + str(numFiles)) #file_name = os.path.basename(self.path_to_storage_file) #self.log(Level.INFO, "File Name ==> " + file_name) #base_file_name = os.path.splitext(file_name)[0] for file in files: self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath())) self.log(Level.INFO, "File name to process is ==> " + str(file)) if ('/LogicalFileSet1/' == file.parentPath) or ('/' == file.parentPath): self.log(Level.INFO, "File name to process is ==> " + str(file)) self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath())) mem_abstract_file_info = skCase.getAbstractFileById(file.getId()) image_file = file.getLocalAbsPath() if image_file != None: self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath())) file_name = os.path.basename(file.getLocalAbsPath()) base_file_name = os.path.splitext(file_name)[0] dbFile = base_file_name + ".db3" #tdir = os.path.join(Temp_Dir, "Volatility") self.database_file = os.path.join(Temp_Dir, "Volatility", dbFile) # self.log(Level.INFO, "File Name ==> " + self.database_file) derived_dir = os.path.join("ModuleOutput", "volatility", "Dump-Files") dump_file = temp_dir if self.isAutodetect: self.find_profile(image_file) if self.Profile == None: continue for plugin_to_run in self.Plugins: plugin_dir = os.path.join(dump_file, plugin_to_run) try: os.mkdir(plugin_dir) except: pass if self.Python_Program: if self.Process_Ids_To_Dump == "": new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir) self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \ "--profile=" + self.Profile + " --dump-dir=" + plugin_dir + " " + plugin_to_run) if PlatformUtil.isWindowsOS(): pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \ "--dump-dir=" + plugin_dir, plugin_to_run], stdout=PIPE, stderr=PIPE) else: pipe = Popen(["python", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \ "--dump-dir=" + plugin_dir, plugin_to_run], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) self.add_Volatility_Dump_file(dataSource, new_derived_dir, plugin_dir, derived_dir + "\\" + plugin_to_run) else: for pid_to_run in self.Process_Ids_To_Dump: new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir) pid_dir = os.path.join(plugin_dir, pid_to_run.lstrip()) try: os.mkdir(pid_dir) except: pass new_derived_dir_pid = self.add_Volatility_Dump_dir(dataSource, new_derived_dir, pid_dir, pid_to_run.lstrip(), derived_dir + "\\" + plugin_to_run) self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \ "--profile=" + self.Profile + " --dump-dir=" + pid_dir + " --pid=" + pid_to_run.lstrip() + " " + plugin_to_run) pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \ "--dump-dir=" + pid_dir, "--pid=" + pid_to_run.lstrip(), plugin_to_run], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) self.add_Volatility_Dump_file(dataSource, new_derived_dir_pid, pid_dir, derived_dir + "\\" + plugin_to_run + "\\" + pid_to_run.lstrip(), pid_to_run.lstrip()) else: if self.Process_Ids_To_Dump == "": new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir) self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \ "--profile=" + self.Profile + " --dump-dir=" + plugin_dir + " " + plugin_to_run) pipe = Popen([self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \ "--dump-dir=" + plugin_dir, plugin_to_run], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) self.add_Volatility_Dump_file(dataSource, new_derived_dir, plugin_dir, derived_dir + "\\" + plugin_to_run, " ") else: for pid_to_run in self.Process_Ids_To_Dump: new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir) pid_dir = os.path.join(plugin_dir, pid_to_run.lstrip()) try: os.mkdir(pid_dir) except: pass new_derived_dir_pid = self.add_Volatility_Dump_dir(dataSource, new_derived_dir, plugin_dir, pid_to_run.lstrip(), derived_dir + "\\" + plugin_to_run) self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \ "--profile=" + self.Profile + " --dump-dir=" + pid_dir + " --pid=" + pid_to_run.lstrip() + " " + plugin_to_run) pipe = Popen([self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \ "--dump-dir=" + pid_dir, "--pid=" + pid_to_run.lstrip(), plugin_to_run], stdout=PIPE, stderr=PIPE) out_text = pipe.communicate()[0] self.log(Level.INFO, "Output from run is ==> " + out_text) self.add_Volatility_Dump_file(dataSource, new_derived_dir_pid, pid_dir, derived_dir + "\\" + plugin_to_run + "\\" + pid_to_run.lstrip(), pid_to_run.lstrip()) # After all databases, post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "VolatilitySettings", " VolatilitySettings Has Been Analyzed " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): if len(self.List_Of_tables) < 1: message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, self.moduleName, " Can't find my tables " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.ERROR # Check if this is Windows if not PlatformUtil.isWindowsOS(): self.log(Level.INFO, "Ignoring data source. Not running on Windows") return IngestModule.ProcessResult.OK # we don't know how much work there is yet progressBar.switchToIndeterminate() skCase = Case.getCurrentCase().getSleuthkitCase(); fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "Amcache.hve") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") fileCount = 0; Temp_Dir = Case.getCurrentCase().getTempDirectory() self.log(Level.INFO, "Found temporary directory: " + Temp_Dir) message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " Parsing Amcache.Hve " ) IngestServices.getInstance().postMessage(message) # Dump Amcache.hve files in the temp directory for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions lclDbPath = os.path.join(Temp_Dir, str(file.getId()) + '-amcache.hve') ContentUtils.writeToFile(file, File(lclDbPath)) mydb = Temp_Dir + "\\" + str(file.getId()) + "-myAmcache.db3" # Parse some keys self.log(Level.INFO, "[Executable #1] Parsing Amcache.Hve: \"" + self.my_exe + "\" -r " + lclDbPath + " -d " + mydb) subprocess.Popen([self.my_exe, '-r', lclDbPath, '-d', mydb]).communicate()[0] try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + mydb + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK for am_table_name in self.List_Of_tables: if am_table_name == 'root_file_virustotal_scan': # <-- because we haven't run the executable these tables yet continue if am_table_name == 'inventory_application_file_virustotal_scan': continue try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('" + am_table_name + "'); ") self.log(Level.INFO, "query SQLite Master table for " + am_table_name) except SQLException as e: self.log(Level.INFO, "Error querying database for table " + am_table_name + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK # Cycle through each row and create artifacts while resultSet.next(): try: self.log(Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")") table_name = resultSet.getString("tbl_name") SQL_String_1 = "Select * from " + table_name + ";" SQL_String_2 = "PRAGMA table_info('" + table_name + "')" artifact_name = "TSK_" + table_name.upper() artifact_desc = "Amcache " + table_name.upper() try: self.log(Level.INFO, "Begin Create New Artifacts") artID_amc = skCase.addArtifactType( artifact_name, artifact_desc) except: self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ") artID_amc = skCase.getArtifactTypeID(artifact_name) artID_amc_evt = skCase.getArtifactType(artifact_name) Column_Names = [] Column_Types = [] resultSet2 = stmt.executeQuery(SQL_String_2) while resultSet2.next(): Column_Names.append(resultSet2.getString("name").upper()) Column_Types.append(resultSet2.getString("type").upper()) if resultSet2.getString("type").upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType("TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error (string), " + resultSet2.getString("name") + " ==> ") elif resultSet2.getString("type").upper() == "": try: attID_ex1 = skCase.addArtifactAttributeType("TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error (string2), " + resultSet2.getString("name") + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType("TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name")) except: self.log(Level.INFO, "Attributes Creation Error (long), " + resultSet2.getString("name") + " ==> ") resultSet3 = stmt.executeQuery(SQL_String_1) while resultSet3.next(): art = file.newArtifact(artID_amc) Column_Number = 1 for col_name in Column_Names: c_name = "TSK_" + col_name attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1] == "TEXT": art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) elif Column_Types[Column_Number - 1] == "": art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(Column_Number))) else: art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, long(resultSet3.getInt(Column_Number)))) Column_Number = Column_Number + 1 IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AmcacheScanIngestModuleFactory.moduleName, artID_amc_evt, None)) except SQLException as e: self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")") stmt.close() dbConn.close() message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " Amcache Keys Have Been Parsed " ) IngestServices.getInstance().postMessage(message) message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " Beginning VirusTotal Scan " ) IngestServices.getInstance().postMessage(message) for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Save the DB locally in the temp folder. use file id as name to reduce collisions mydb = Temp_Dir + "\\" + str(file.getId()) + "-myAmcache.db3" try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb) except SQLException as e: self.Error_Message.setText("Error Opening Settings") # First check that the 'root_file' table exists try: stmt = dbConn.createStatement() SQL_Statement = 'SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "root_file";' resultSet = stmt.executeQuery(SQL_Statement) self.root_file_exists = int(resultSet.getString("count")) except: self.log(Level.INFO, "LOOK HERE: it's not working.") # If it does, count the number of rows in the table if self.root_file_exists: self.log(Level.INFO, "root_file table exists. Counting rows.") try: stmt = dbConn.createStatement() SQL_Statement = 'SELECT count(*) AS count FROM root_file;' resultSet = stmt.executeQuery(SQL_Statement) self.root_file_count = int(resultSet.getString("count")) except: self.log(Level.INFO, "LOOK HERE: it's not working.") # Now check that the 'inventory_application_file' table exists try: stmt = dbConn.createStatement() SQL_Statement = 'SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "inventory_application_file";' resultSet = stmt.executeQuery(SQL_Statement) self.inventory_application_file_exists = int(resultSet.getString("count")) except: self.log(Level.INFO, "LOOK HERE: it's not working.") # If it does, count the number of rows in the table if self.inventory_application_file_exists: self.log(Level.INFO, "inventory_application_file table exists. Counting rows.") try: stmt = dbConn.createStatement() SQL_Statement = 'SELECT count(*) AS count FROM inventory_application_file;' resultSet = stmt.executeQuery(SQL_Statement) self.inventory_application_file_count = int(resultSet.getString("count")) except: self.log(Level.INFO, "LOOK HERE: it's not working.") stmt.close() dbConn.close() # Now we know how many files we need to scan # Use the sum, to give the user a progress bar self.sum = self.root_file_count + self.inventory_application_file_count progressBar.switchToDeterminate(self.sum) artifact_name = "TSK_" + 'root_file_virustotal_scan'.upper() artifact_desc = "Amcache " + 'root_file_virustotal_scan'.upper() try: self.log(Level.INFO, "Begin creating root_file_virustotal_scan Artifacts") artID_amc = skCase.addArtifactType(artifact_name, artifact_desc) except: self.log(Level.INFO, "ARTIFACTS CREATION ERROR: root_file_virustotal_scan") artID_typeID = skCase.getArtifactTypeID(artifact_name) artID_type = skCase.getArtifactType(artifact_name) Column_Names = ["p_key","file","sha1","vt_positives","vt_ratio","vt_report_link"] Column_Types = ["int","text","text","int","text","text"] # A public VirusTotal API key only allows for 4 requests a minute (1/15 seconds) # Use this to track how much time has passed current_time = time.time() # start scanning root_file SHA1 hashes for i in range(0, self.root_file_count): subprocess.Popen([self.my_exe,'-d', mydb, '-a', self.API_Key, '-t', 'root_file', '-k', str(i + 1)]).communicate()[0] try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + mydb + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK if i == 0: try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery('SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "root_file_virustotal_scan";') self.log(Level.INFO, "query SQLite Master table for root_file_virustotal_scan") except SQLException as e: self.log(Level.INFO, "Error querying database for table root_file_virustotal_scan (" + e.getMessage() + ")") if int(resultSet.getString("count")): self.log(Level.INFO, "root_file_virustotal_scan found") for j in range(0,len(Column_Names)): if Column_Types[j].upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, Column_Names[j]) except: self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, Column_Names[j]) except: self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ") stmt.close() SQL_String_1 = 'SELECT "p_key","file","sha1","vt_positives","vt_ratio","vt_report_link" from "root_file_virustotal_scan" WHERE p_key = ' + str(i + 1) + ';' stmt = dbConn.createStatement() resultSet3 = stmt.executeQuery(SQL_String_1) while resultSet3.next(): art = file.newArtifact(artID_typeID) Column_Number = 1 for col_name in Column_Names: c_name = "TSK_" + col_name.upper() attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1].upper() == "TEXT": art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name))) elif Column_Types[Column_Number - 1] == "": art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name))) else: art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, long(resultSet3.getInt(col_name)))) Column_Number = Column_Number + 1 IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AmcacheScanIngestModuleFactory.moduleName, artID_type, None)) stmt.close() dbConn.close() if not self.Private: after_time = time.time() diff = current_time - after_time time.sleep(15 - diff) current_time = time.time() if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.count += 1 progressBar.progress(self.count) artifact_name = "TSK_" + 'inventory_application_file_virustotal_scan'.upper() artifact_desc = "Amcache " + 'inventory_application_file_virustotal_scan'.upper() try: self.log(Level.INFO, "Begin creating inventory_application_file_virustotal_scan Artifacts") artID_amc = skCase.addArtifactType(artifact_name, artifact_desc) except: self.log(Level.INFO, "ARTIFACTS CREATION ERROR: inventory_application_file_virustotal_scan") artID_typeID = skCase.getArtifactTypeID(artifact_name) artID_type = skCase.getArtifactType(artifact_name) # start scanning 'inventory_application_file' SHA1 hashes for i in range(0, self.inventory_application_file_count): subprocess.Popen([self.my_exe,'-d', mydb, '-a', self.API_Key, '-t', 'inventory_application_file', '-k', str(i + 1)]).communicate()[0] try: Class.forName("org.sqlite.JDBC").newInstance() dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb) except SQLException as e: self.log(Level.INFO, "Could not open database file (not SQLite) " + mydb + " (" + e.getMessage() + ")") return IngestModule.ProcessResult.OK if i == 0: try: stmt = dbConn.createStatement() resultSet = stmt.executeQuery('SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "inventory_application_file_virustotal_scan";') self.log(Level.INFO, "query SQLite Master table for inventory_application_file_virustotal_scan") except SQLException as e: self.log(Level.INFO, "Error querying database for table inventory_application_file_virustotal_scan (" + e.getMessage() + ")") if int(resultSet.getString("count")): self.log(Level.INFO, "inventory_application_file_virustotal_scan found") for j in range(0,len(Column_Names)): if Column_Types[j].upper() == "TEXT": try: attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, Column_Names[j]) except: self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ") else: try: attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, Column_Names[j]) except: self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ") stmt.close() SQL_String_1 = 'SELECT "p_key","file","sha1","vt_positives","vt_ratio","vt_report_link" from "inventory_application_file_virustotal_scan" WHERE p_key = ' + str(i + 1) + ';' stmt = dbConn.createStatement() resultSet3 = stmt.executeQuery(SQL_String_1) while resultSet3.next(): art = file.newArtifact(artID_typeID) Column_Number = 1 for col_name in Column_Names: c_name = "TSK_" + col_name.upper() attID_ex1 = skCase.getAttributeType(c_name) if Column_Types[Column_Number - 1].upper() == "TEXT": art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name))) elif Column_Types[Column_Number - 1] == "": art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name))) else: art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, long(resultSet3.getInt(col_name)))) Column_Number = Column_Number + 1 IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AmcacheScanIngestModuleFactory.moduleName, artID_type, None)) stmt.close() dbConn.close() if not self.Private: after_time = time.time() diff = current_time - after_time time.sleep(15 - diff) if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK current_time = time.time() self.count += 1 progressBar.progress(self.count) message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " VirusTotal Scan Complete " ) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK