def startUp(self, context):
self.context = context
#Show parameters that are passed in
self.log(Level.INFO, "Username =====>" + str(self.userName))
self.log(Level.INFO, "password =====>" + str(self.password))
self.log(Level.INFO, "IP Address =====>" + str(self.IP_Address))
self.log(Level.INFO, "Port_Number =====>" + str(self.Port_Number))
self.log(Level.INFO, "Sketch Name =====> " + str(self.sketchName))
self.log(Level.INFO, "sketch Description =====> " + str(self.sketchDescription))
# Check to see if the file to execute exists, if it does not then raise an exception and log error
# data is taken from the UI
if PlatformUtil.isWindowsOS():
self.path_to_Timesketch_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "timesketch_autopsy.exe")
if not os.path.exists(self.path_to_Timesketch_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_Timesketch_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Timesketch_Autopsy")
if not os.path.exists(self.path_to_Timesketch_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"amcache_parser.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'amcache_parser')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
if self.local_settings.getSetting('associateFileEntries') == 'true':
self.List_Of_tables.append('associated_file_entries')
if self.local_settings.getSetting('programEntries') == 'true':
self.List_Of_tables.append('program_entries')
if self.local_settings.getSetting('unassociatePrograms') == 'true':
self.List_Of_tables.append('unassociated_programs')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(
Level.INFO,
str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables)))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "amcache_parser.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'amcache_parser')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
if self.local_settings.getSetting('associateFileEntries') =='true':
self.List_Of_tables.append('associated_file_entries')
if self.local_settings.getSetting('programEntries') == 'true':
self.List_Of_tables.append('program_entries')
if self.local_settings.getSetting('unassociatePrograms') == 'true':
self.List_Of_tables.append('unassociated_programs')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(Level.INFO, str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables)))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
#Show parameters that are passed in
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"fseparser_v2.1.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "FSEParser_V2.1")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
self.MacFSEvents_Executable = self.path_to_exe
self.log(Level.INFO,
"MacFSEvents Executable ==> " + self.MacFSEvents_Executable)
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_jl_ad.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"EXE was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'Export_JL_Ad')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
self.path_to_app_id_db = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"Jump_List_App_Ids.db3")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "appxreg.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'Appxreg')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "parse_prefetch.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'parse_prefetch')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_Webcache.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'Export_Webcache')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
def startUp(self, context):
self.context = context
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "appxreg.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'Appxreg')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
pass
def checkExecutables(self):
executableProgramsWindows = ['sysdiagnose-sys.exe','sysdiagnose-networkprefs.exe','sysdiagnose-networkinterfaces.exe', 'sysdiagnose-mobilecontainermanager.exe', \
'sysdiagnose-mobilebackup.exe', 'sysdiagnose-mobileactivation.exe','sysdiagnose-wifi-plist.exe', 'sysdiagnose-wifi-icloud.exe', \
'sysdiagnose-wifi-net.exe.', 'sysdiagnose-wifi-kml.exe', 'sysdiagnose-uuid2path.exe', 'sysdiagnose-net-ext-cache.exe', 'sysdiagnose-appconduit.exe', \
'sysdiagnose-appupdates.exe']
executableProgramsFound = []
if PlatformUtil.isWindowsOS():
for executable in executableProgramsWindows:
pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), executable)
if not os.path.exists(pathToExe):
self.log(
Level.INFO, "iOS sysdiagnose Windows program " +
pathToExe + " not found.")
else:
executableProgramsFound.append(pathToExe)
else:
for executable in executableProgramsWindows:
pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), executable)
if not os.path.exists(pathToExe):
self.log(
Level.INFO, "iOS sysdiagnose Linux program " +
pathToExe + " not found.")
else:
executableProgramsFound.append(pathToExe)
self.log(Level.INFO,
"Programs to execute: " + str(executableProgramsFound))
return executableProgramsFound
def process(self, dataSource, progressBar):
# we don't know how much work there will be
progressBar.switchToIndeterminate()
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Verify we have a disk image and not a folder of files
if not isinstance(dataSource, Image):
self.log(Level.INFO, "Ignoring data source. Not an image")
return IngestModule.ProcessResult.OK
# Get disk image paths
imagePaths = dataSource.getPaths()
# We'll save our output to a file in the reports folder, named based on EXE and data source ID
reportPath = os.path.join(Case.getCurrentCase().getCaseDirectory(), "Reports", "img_stat-" + str(dataSource.getId()) + ".txt")
reportHandle = open(reportPath, 'w')
# Run the EXE, saving output to the report
# NOTE: we should really be checking for if the module has been
# cancelled and then killing the process.
self.log(Level.INFO, "Running program on data source")
subprocess.Popen([self.path_to_exe, imagePaths[0]], stdout=reportHandle).communicate()[0]
reportHandle.close()
# Add the report to the case, so it shows up in the tree
Case.getCurrentCase().addReport(reportPath, "Run EXE", "img_stat output")
return IngestModule.ProcessResult.OK
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Export_EVTX")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux executable was not found in module folder")
if self.local_settings.getSetting('All') == 'true':
self.List_Of_Events.append('ALL')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
else:
if self.local_settings.getSetting('Other') == 'true':
#self.List_Of_Events.append('Other')
Event_List = self.local_settings.getSetting('Eventids').split()
self.log(Level.INFO, "Event List ==> " + str(Event_List))
for evt in Event_List:
self.List_Of_Events.append(str(evt))
#self.Event_Id_List = "','".join(self.List_Of_Events)
self.Event_Id_List = self.local_settings.getSetting('Eventids').replace(',','\',\'')
self.Event_Id_List.replace(',','\',\'')
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Export_EVTX")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux executable was not found in module folder")
if self.local_settings.getFlag():
self.List_Of_Events.append('ALL')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
else:
if self.local_settings.getFlag4():
#self.List_Of_Events.append('Other')
Event_List = self.local_settings.getArea().split()
self.log(Level.INFO, "Event List ==> " + str(Event_List))
for evt in Event_List:
self.List_Of_Events.append(str(evt))
#self.Event_Id_List = "','".join(self.List_Of_Events)
self.Event_Id_List = self.local_settings.getArea().replace(',','\',\'')
self.Event_Id_List.replace(',','\',\'')
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to executable based on where this script is run from.
# Assumes executable is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_esedb.exe")
if not os.path.exists(self.pathToExe):
raise IngestModuleException(
"export_esedb.exe was not found in module folder")
if not os.path.exists(
os.path.join(os.path.dirname(os.path.abspath(__file__)),
"export_esedb_records.exe")):
raise IngestModuleException(
"export_esedb_records.exe was not found in module folder")
else:
self.pathToExe2 = os.path.dirname(os.path.abspath(__file__))
self.pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_esedb")
if not os.path.exists(self.pathToExe):
raise IngestModuleException(
"export_esedb was not found in module folder")
if not os.path.exists(
os.path.join(os.path.dirname(os.path.abspath(__file__)),
"export_esedb_records")):
raise IngestModuleException(
"export_esedb_records was not found in module folder")
def process(self, dataSource, progressBar):
# we don't know how much work there will be
progressBar.switchToIndeterminate()
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Verify we have a disk image and not a folder of files
if not isinstance(dataSource, Image):
self.log(Level.INFO, "Ignoring data source. Not an image")
return IngestModule.ProcessResult.OK
# Get disk image paths
imagePaths = dataSource.getPaths()
# We'll save our output to a file in the reports folder, named based on EXE and data source ID
reportPath = os.path.join(Case.getCurrentCase().getCaseDirectory(), "Reports", "img_stat-" + str(dataSource.getId()) + ".txt")
reportHandle = open(reportPath, 'w')
# Run the EXE, saving output to the report
# NOTE: we should really be checking for if the module has been
# cancelled and then killing the process.
self.log(Level.INFO, "Running program on data source")
subprocess.Popen([self.path_to_exe, imagePaths[0]], stdout=reportHandle).communicate()[0]
reportHandle.close()
# Add the report to the case, so it shows up in the tree
Case.getCurrentCase().addReport(reportPath, "Run EXE", "img_stat output")
return IngestModule.ProcessResult.OK
def startUp(self, context):
self.context = context
if PlatformUtil.isWindowsOS():
self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "leveldb-dump.exe")
# self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "leveldb_Parser.exe")
if not os.path.exists(self.pathToExe):
raise IngestModuleException("fb_chat.exe was not found in module folder")
else:
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "shimcache_parser.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Shimcache_parser")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_recentApps_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "show_ccm_recentlyusedapps.exe")
if not os.path.exists(self.path_to_recentApps_exe):
raise IngestModuleException("Windows executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_recentApps_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "show_CCM_RecentlyUsedApps")
if not os.path.exists(self.path_to_recentApps_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def processEsedbFile(self, extractedFile, databaseFile):
#self.log(Level.INFO, "Running program ==> " + self.pathToExe + " " + extractedFile + databaseFile)
if PlatformUtil.isWindowsOS():
pipe = Popen([self.pathToExe, extractedFile, databaseFile], stdout=PIPE, stderr=PIPE)
else:
pipe = Popen([self.pathToExe, extractedFile, databaseFile, self.pathToExe2], stdout=PIPE, stderr=PIPE)
outputFromRun = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + outputFromRun)
def startUp(self, context):
self.context = context
#Show parameters that are passed in
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "fseparser_v2.1.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "FSEParser_V2.1")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
self.MacFSEvents_Executable = self.path_to_exe
self.log(Level.INFO, "MacFSEvents Executable ==> " + self.MacFSEvents_Executable)
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Check if the arser for .evtx is in place - i.e., the export_evtx.exe
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
# stop ingest module and return error
raise IngestModuleException(
"EXE was not found in module folder")
def startUp(self, context):
self.context = context
if self.local_settings.getSetting('Flag') == 'true':
#self.List_Of_DBs.append('Other')
DBs_List = self.local_settings.getSetting('plists').split(',')
for DBs in DBs_List:
self.List_Of_DBs.append(str(DBs).strip('\n').replace(' ',''))
#self.logger.logp(Level.INFO, GUI_TestWithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(Level.INFO, str(self.List_Of_DBs))
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "plist2db.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'plist2db')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
def startUp(self, context):
self.context = context
if not PlatformUtil.isWindowsOS():
raise IngestModuleException("Not running on Windows")
self.EXE_PATH = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"w10-facemessenger.exe")
if not os.path.exists(self.EXE_PATH):
raise IngestModuleException(
"w10-facemessenger.exe was not found in module folder")
self.CSV_DELIMITER = "\x1E" # ASCII non-printing character 30 (Record Separator)
self._startUpAttributeTypes()
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_SRUDB.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "Export_SRUDB")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
if self.local_settings.getSetting('all') == 'true':
self.List_Of_SRUDB.append('application_resource_usage')
self.List_Of_SRUDB.append('energy_estimation_provider')
self.List_Of_SRUDB.append('energy_usage_data')
self.List_Of_SRUDB.append('network_connectivity')
self.List_Of_SRUDB.append('network_usage')
self.List_Of_SRUDB.append('windows_push_notification')
#self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", "All Events CHecked")
else:
#self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", "No Boxes Checked")
if self.local_settings.getSetting(
'application_resource_usage') == 'true':
self.List_Of_SRUDB.append('application_resource_usage')
if self.local_settings.getSetting(
'energy_estimation_provider') == 'true':
self.List_Of_SRUDB.append('energy_estimation_provider')
if self.local_settings.getSetting('energy_usage_data') == 'true':
self.List_Of_SRUDB.append('energy_usage_data')
if self.local_settings.getSetting(
'network_connectivity') == 'true':
self.List_Of_SRUDB.append('network_connectivity')
if self.local_settings.getSetting('network_usage') == 'true':
self.List_Of_SRUDB.append('network_usage')
if self.local_settings.getSetting(
'windows_push_notification') == 'true':
self.List_Of_SRUDB.append('windows_push_notification')
#self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(Level.INFO, str(self.List_Of_SRUDB))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to executable based on where this script is run from.
# Assumes executable is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "spotlight_parser.exe")
if not os.path.exists(self.pathToExe):
raise IngestModuleException("spotlight_parser.exe was not found in module folder")
else:
self.pathToExe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "spotlight_parser")
if not os.path.exists(self.pathToExe):
raise IngestModuleException("spotlight_parser was not found in module folder")
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
# Check what OS you are running from
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "samparse.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'Samparse')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def processEsedbFile(self, extractedFile, databaseFile):
#self.log(Level.INFO, "Running program ==> " + self.pathToExe + " " + extractedFile + databaseFile)
if PlatformUtil.isWindowsOS():
pipe = Popen([self.pathToExe, extractedFile, databaseFile],
stdout=PIPE,
stderr=PIPE)
else:
pipe = Popen(
[self.pathToExe, extractedFile, databaseFile, self.pathToExe2],
stdout=PIPE,
stderr=PIPE)
outputFromRun = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + outputFromRun)
def process(self, dataSource, progressBar):
# Set the ogress bar to an Indeterminate state for now
progressBar.switchToIndeterminate()
# Return if we're not running on a windows sytem
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO,
"Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Verify we have a disk image and not a folder of files
if not isinstance(dataSource, Image):
self.log(Level.INFO, "Ignoring data source. Not an image")
return IngestModule.ProcessResult.OK
# Get disk image paths
imagePaths = dataSource.getPaths()
# Save our output to a file in the reports folder
# named based on EXE and data source ID
reportFile = File(Case.getCurrentCase().getCaseDirectory() +
"\\Reports" + "\\img_stat-" +
str(dataSource.getId()) + ".txt")
# Run the EXE, saving output to the report
# Check if the ingest is terminated and
# delete the incomplete report file
self.log(Level.INFO, "Running program on data source")
cmd = ArrayList()
cmd.add(self.pathToEXE.toString())
cmd.add(imagePaths[0])
processBuilder = ProcessBuilder(cmd)
processBuilder.redirectOutput(reportFile)
ExecUtil.execute(processBuilder,
DataSourceIngestModuleProcessTerminator(self.context))
# Add the report to the case, so it shows up in the tree
if not self.context.dataSourceIngestIsCancelled():
Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE",
"img_stat output")
else:
if reportFile.exists():
if not reportFile.delete():
self.log(LEVEL.warning,
"Error deleting the incomplete report file")
return IngestModule.ProcessResult.OK
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe_foremost = os.path.join(os.path.dirname(os.path.abspath(__file__)), "foremost.exe")
if not os.path.exists(self.path_to_exe_foremost):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe_foremost = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'foremost')
if not os.path.exists(self.path_to_exe_foremost):
raise IngestModuleException("Linux Executable was not found in module folder")
if self.local_settings.getSetting('Default_Mime_Types') == 'true':
self.List_Of_tables.append('Default_Mime_Types')
if self.local_settings.getSetting('All_Mime_Types') == 'true':
self.List_Of_tables.append('All_Mime_Types')
if self.local_settings.getSetting('Include_Slack_Space') == 'true':
self.List_Of_tables.append('Include_Slack_Space')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(Level.INFO, str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables)))
if "Default_Mime_Types" in self.List_Of_tables:
self.mimeTypesToFind = ["application/octet-stream","application/x-sqlite3", "application/vnd.ms-excel.sheet.4", "application/x-msoffice","application/msword", "application/msoffice", "application/vnd.ms-excel", "application/vnd.ms-powerpoint" ]
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
if self.local_settings.getSetting('Flag') == 'true':
#self.List_Of_DBs.append('Other')
DBs_List = self.local_settings.getSetting('plists').split(',')
for DBs in DBs_List:
self.List_Of_DBs.append(str(DBs).strip('\n').replace(' ', ''))
#self.logger.logp(Level.INFO, GUI_TestWithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(Level.INFO, str(self.List_Of_DBs))
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "plist2db.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'plist2db')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
def process(self, dataSource, progressBar):
# we don't know how much work there will be
progressBar.switchToIndeterminate()
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO,
"Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Verify we have a disk image and not a folder of files
if not isinstance(dataSource, Image):
self.log(Level.INFO, "Ignoring data source. Not an image")
return IngestModule.ProcessResult.OK
# Get disk image paths
imagePaths = dataSource.getPaths()
# We'll save our output to a file in the reports folder, named based on EXE and data source ID
reportFile = File(Case.getCurrentCase().getCaseDirectory() +
"\\Reports" + "\\img_stat-" +
str(dataSource.getId()) + ".txt")
# Run the EXE, saving output to the report
# Check if the ingest is terminated and delete the incomplete report file
# Do not add report to the case tree if the ingest is cancelled before finish.
# This can be done by using IngestJobContext.dataSourceIngestIsCancelled
# See: http://sleuthkit.org/autopsy/docs/api-docs/4.7.0/_ingest_job_context_8java.html
self.log(Level.INFO, "Running program on data source")
cmd = ArrayList()
cmd.add(self.pathToEXE.toString())
cmd.add(imagePaths[0])
processBuilder = ProcessBuilder(cmd)
processBuilder.redirectOutput(reportFile)
ExecUtil.execute(processBuilder,
DataSourceIngestModuleProcessTerminator(self.context))
# Add the report to the case, so it shows up in the tree
if not self.context.dataSourceIngestIsCancelled():
Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE",
"img_stat output")
else:
if reportFile.exists():
if not reportFile.delete():
self.log(LEVEL.warning,
"Error deleting the incomplete report file")
return IngestModule.ProcessResult.OK
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "Export_EVTX")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux executable was not found in module folder")
if self.local_settings.getFlag():
self.List_Of_Events.append('ALL')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
else:
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "No Boxes Checked")
if self.local_settings.getFlag1():
self.List_Of_Events.append('Application.Evtx')
if self.local_settings.getFlag2():
self.List_Of_Events.append('Security.Evtx')
if self.local_settings.getFlag3():
self.List_Of_Events.append('System.Evtx')
if self.local_settings.getFlag4():
self.List_Of_Events.append('Other')
Event_List = self.local_settings.getArea().split()
for evt in Event_List:
self.List_Of_Events.append(str(evt))
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
# self.log(Level.INFO, "List Of Events ==> " + str(self.List_Of_Events) + " <== Number of Events ==> " + str(len(self.List_Of_Events)))
# if len(self.List_Of_Events) < 1:
# message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ParseEvtx", " No Event Logs Selected to Parse " )
# IngestServices.getInstance().postMessage(message)
# raise IngestModuleException("No Events were Selected")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "extract_ad1.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
self.sqlStatement = "select file_name, ad1_path_name, date_created, date_modified, date_accessed, md5_hash, sha1_hash from ad1_info where ad1_item_type = 0;"
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
#raise IngestModuleException(IngestModule(), "Oh No!")
pass
def process(self, dataSource, progressBar):
# we don't know how much work there will be
progressBar.switchToIndeterminate()
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Verify we have a disk image and not a folder of files
if not isinstance(dataSource, Image):
self.log(Level.INFO, "Ignoring data source. Not an image")
return IngestModule.ProcessResult.OK
# Get disk image paths
imagePaths = dataSource.getPaths()
# We'll save our output to a file in the reports folder, named based on EXE and data source ID
reportFile = File(Case.getCurrentCase().getCaseDirectory() + "\\Reports" + "\\img_stat-" + str(dataSource.getId()) + ".txt")
# Run the EXE, saving output to the report
# Check if the ingest is terminated and delete the incomplete report file
# Do not add report to the case tree if the ingest is cancelled before finish.
# This can be done by using IngestJobContext.dataSourceIngestIsCancelled
# See: http://sleuthkit.org/autopsy/docs/api-docs/4.7.0/_ingest_job_context_8java.html
self.log(Level.INFO, "Running program on data source")
cmd = ArrayList()
cmd.add(self.pathToEXE.toString())
cmd.add(imagePaths[0])
processBuilder = ProcessBuilder(cmd);
processBuilder.redirectOutput(reportFile)
ExecUtil.execute(processBuilder,DataSourceIngestModuleProcessTerminator(self.context))
# Add the report to the case, so it shows up in the tree
if not self.context.dataSourceIngestIsCancelled():
Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE", "img_stat output")
else:
if reportFile.exists():
if not reportFile.delete():
self.log(LEVEL.warning,"Error deleting the incomplete report file")
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there will be
progressBar.switchToIndeterminate()
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Verify we have a disk image and not a folder of files
if not isinstance(dataSource, Image):
self.log(Level.INFO, "Ignoring data source. Not an image")
return IngestModule.ProcessResult.OK
# Get disk image paths
imagePaths = dataSource.getPaths()
# We'll save our output to a file in the reports folder, named based on EXE and data source ID
reportFile = File(Case.getCurrentCase().getCaseDirectory() + "\\Reports" + "\\img_stat-" + str(dataSource.getId()) + ".txt")
# Run the EXE, saving output to reportFile
# We use ExecUtil because it will deal with the user cancelling the job
self.log(Level.INFO, "Running program on data source")
cmd = ArrayList()
cmd.add(self.pathToEXE.toString())
# Add each argument in its own line. I.e. "-f foo" would be two calls to .add()
cmd.add(imagePaths[0])
processBuilder = ProcessBuilder(cmd);
processBuilder.redirectOutput(reportFile)
ExecUtil.execute(processBuilder, DataSourceIngestModuleProcessTerminator(self.context))
# Add the report to the case, so it shows up in the tree
# Do not add report to the case tree if the ingest is cancelled before finish.
if not self.context.dataSourceIngestIsCancelled():
Case.getCurrentCase().addReport(reportFile.toString(), "Run EXE", "img_stat output")
else:
if reportFile.exists():
if not reportFile.delete():
self.log(LEVEL.warning,"Error deleting the incomplete report file")
return IngestModule.ProcessResult.OK
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "Export_EVTX")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux executable was not found in module folder")
if self.local_settings.getSetting('All') == 'true':
self.List_Of_Events.append('ALL')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
else:
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "No Boxes Checked")
if self.local_settings.getSetting('Application') == 'true':
self.List_Of_Events.append('Application.Evtx')
if self.local_settings.getSetting('Security') == 'true':
self.List_Of_Events.append('Security.Evtx')
if self.local_settings.getSetting('System') == 'true':
self.List_Of_Events.append('System.Evtx')
if self.local_settings.getSetting('Other') == 'true':
self.List_Of_Events.append('Other')
Event_List = self.local_settings.getSetting(
'EventLogs').split()
for evt in Event_List:
self.List_Of_Events.append(str(evt))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Check to see if the artifacts exist and if not then create it, also check to see if the attributes
# exist and if not then create them
skCase = Case.getCurrentCase().getSleuthkitCase();
# This will work in 4.0.1 and beyond
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_cat1 = skCase.addArtifactType( "TSK_FH_CATALOG_1", "File History Catalog 1")
except:
self.log(Level.INFO, "Artifacts Creation Error, Catalog 1. ==> ")
artID_cat1 = skCase.getArtifactTypeID("TSK_FH_CATALOG_1")
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_cat2 = skCase.addArtifactType( "TSK_FH_CATALOG_2", "File History Catalog 2")
except:
self.log(Level.INFO, "Artifacts Creation Error, Catalog 2. ==> ")
artID_cat2 = skCase.getArtifactTypeID("TSK_FH_CATALOG_2")
# Create the attribute type, if it exists then catch the error
try:
attID_fh_pn = skCase.addArtifactAttributeType('TSK_FH_PATH', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Parent Path")
except:
self.log(Level.INFO, "Attributes Creation Error, Prefetch Parent Path. ==> ")
try:
attID_fh_fn = skCase.addArtifactAttributeType('TSK_FH_FILE_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Name")
except:
self.log(Level.INFO, "Attributes Creation Error, File Name. ==> ")
try:
attID_fh_fs = skCase.addArtifactAttributeType('TSK_FH_FILE_SIZE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Size")
except:
self.log(Level.INFO, "Attributes Creation Error, File Size. ==> ")
try:
attID_fh_usn = skCase.addArtifactAttributeType('TSK_FH_USN_JOURNAL_ENTRY', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "USN Journal Entry")
except:
self.log(Level.INFO, "Attributes Creation Error, USN Journal Entry. ==> ")
try:
attID_fh_fc = skCase.addArtifactAttributeType('TSK_FH_FILE_CREATED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "File Created")
except:
self.log(Level.INFO, "Attributes Creation Error, File Created. ==> ")
try:
attID_fh_fm = skCase.addArtifactAttributeType('TSK_FH_FILE_MODIFIED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "File Modified")
except:
self.log(Level.INFO, "Attributes Creation Error, PF Execution DTTM 3. ==> ")
try:
attID_fh_bq = skCase.addArtifactAttributeType('TSK_FH_BACKUP_QUEUED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Queued")
except:
self.log(Level.INFO, "Attributes Creation Error, Backup Queued ==> ")
try:
attID_fh_bc = skCase.addArtifactAttributeType('TSK_FH_BACKUP_CREATED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Created")
except:
self.log(Level.INFO, "Attributes Creation Error, Backup Created ==> ")
try:
attID_fh_bcp = skCase.addArtifactAttributeType('TSK_FH_BACKUP_CAPTURED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Captured")
except:
self.log(Level.INFO, "Attributes Creation Error, Backup Captured. ==> ")
try:
attID_fh_bu = skCase.addArtifactAttributeType('TSK_FH_BACKUP_UPDATED', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Updated")
except:
self.log(Level.INFO, "Attributes Creation Error, Backup Updated. ==> ")
try:
attID_fh_bv = skCase.addArtifactAttributeType('TSK_FH_BACKUP_VISIBLE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Backup Visible")
except:
self.log(Level.INFO, "Attributes Creation Error, Backup Visible ==> ")
self.log(Level.INFO, "Get Artifacts after they were created.")
# Get the new artifacts and attributes that were just created
#artID_wfh = skCase.getArtifactTypeID("TSK_PREFETCH")
#artID_cat1 = skCase.getArtifactType("TSK_FH_CATALOG_1")
#artID_cat2 = skCase.getArtifactType("TSK_FH_CATALOG_2")
attID_fh_pn = skCase.getAttributeType("TSK_FH_PATH")
attID_fh_fn = skCase.getAttributeType("TSK_FH_FILE_NAME")
attID_fh_fs = skCase.getAttributeType("TSK_FH_FILE_SIZE")
attID_fh_usn = skCase.getAttributeType("TSK_FH_USN_JOURNAL_ENTRY")
attID_fh_fc = skCase.getAttributeType("TSK_FH_FILE_CREATED")
attID_fh_fm = skCase.getAttributeType("TSK_FH_FILE_MODIFIED")
attID_fh_bq = skCase.getAttributeType("TSK_FH_BACKUP_QUEUED")
attID_fh_bc = skCase.getAttributeType("TSK_FH_BACKUP_CREATED")
attID_fh_bcp = skCase.getAttributeType("TSK_FH_BACKUP_CAPTURED")
attID_fh_bu = skCase.getAttributeType("TSK_FH_BACKUP_UPDATED")
attID_fh_bv = skCase.getAttributeType("TSK_FH_BACKUP_VISIBLE")
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Find the file history files from the users folders
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%edb", "%/Windows/FileHistory/%")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0;
# Create file history directory in temp directory, if it exists then continue on processing
Temp_Dir = os.path.join(Case.getCurrentCase().getTempDirectory(), "File_History")
self.log(Level.INFO, "create Directory " + Temp_Dir)
try:
os.mkdir(Temp_Dir)
except:
self.log(Level.INFO, "File_History Directory already exists " + Temp_Dir)
# Write out each catalog esedb database to the temp directory
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
#self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(Temp_Dir, file.getName() + "_" + str(file.getId()))
db_name = os.path.splitext(file.getName())[0]
lclSQLPath = os.path.join(Temp_Dir, db_name + "_" + str(file.getId()) + ".db3")
ContentUtils.writeToFile(file, File(lclDbPath))
# Run the EXE, saving output to a sqlite database
if PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Running program on data source parm 1 ==> " + self.path_to_exe + " " + lclDbPath + " " + lclSQLPath)
pipe = Popen([self.path_to_exe, lclDbPath, lclSQLPath], stdout=PIPE, stderr=PIPE)
else:
self.log(Level.INFO, "Running program on data source parm 1 ==> " + self.path_to_exe + " " + lclDbPath + " " + lclSQLPath)
pipe = Popen([self.path_to_exe, lclDbPath, lclSQLPath, os.path.dirname(os.path.abspath(__file__))], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
if db_name == "Catalog1":
artID_fh = skCase.getArtifactTypeID("TSK_FH_CATALOG_1")
artID_fh_evt = skCase.getArtifactType("TSK_FH_CATALOG_1")
else:
artID_fh = skCase.getArtifactTypeID("TSK_FH_CATALOG_2")
artID_fh_evt = skCase.getArtifactType("TSK_FH_CATALOG_2")
userpath = file.getParentPath()
username = userpath.split('/')
self.log(Level.INFO, "Getting Username " + username[2] )
# Open the DB using JDBC
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclSQLPath)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + lclSQLPath + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the contacts table in the database and get all columns.
try:
stmt = dbConn.createStatement()
SQL_Statement = "Select ParentName 'TSK_FH_PATH', Childname 'TSK_FH_FILE_NAME', " + \
"Filesize 'TSK_FH_FILE_SIZE', " + \
"usn 'TSK_FH_USN_JOURNAL_ENTRY', " + \
"FileCreated 'TSK_FH_FILE_CREATED', filemodified 'TSK_FH_FILE_MODIFIED', " + \
"tqueued 'TSK_FH_BACKUP_QUEUED', tcreated 'TSK_FH_BACKUP_CREATED', " + \
"tcaptured 'TSK_FH_BACKUP_CAPTURED', tupdated 'TSK_FH_BACKUP_UPDATED', " + \
"tvisible 'TSK_FH_BACKUP_VISIBLE' from file_history"
self.log(Level.INFO, "SQL Statement --> " + SQL_Statement)
resultSet = stmt.executeQuery(SQL_Statement)
except SQLException as e:
self.log(Level.INFO, "Error querying database for File_History table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
#self.log(Level.INFO, "Result (" + resultSet.getString("Prefetch_File_Name") + ")")
FH_Path = resultSet.getString("TSK_FH_PATH")
FH_File_Name = resultSet.getString("TSK_FH_FILE_NAME")
FH_Filesize = resultSet.getString("TSK_FH_FILE_SIZE")
FH_Usn = resultSet.getString("TSK_FH_USN_JOURNAL_ENTRY")
FH_FC = resultSet.getInt("TSK_FH_FILE_CREATED")
FH_FM = resultSet.getInt("TSK_FH_FILE_MODIFIED")
FH_BQ = resultSet.getInt("TSK_FH_BACKUP_QUEUED")
FH_BC = resultSet.getInt("TSK_FH_BACKUP_CREATED")
FH_BCP = resultSet.getInt("TSK_FH_BACKUP_CAPTURED")
FH_BU = resultSet.getInt("TSK_FH_BACKUP_UPDATED")
FH_BV = resultSet.getInt("TSK_FH_BACKUP_VISIBLE")
except SQLException as e:
self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
# Make artifact for TSK_PREFETCH, this can happen when custom attributes are fully supported
art = file.newArtifact(artID_fh)
# Add the attributes to the artifact.
art.addAttributes(((BlackboardAttribute(attID_fh_pn, ParseFileHistoryIngestModuleFactory.moduleName, FH_Path)), \
(BlackboardAttribute(attID_fh_fn, ParseFileHistoryIngestModuleFactory.moduleName, FH_File_Name)), \
(BlackboardAttribute(attID_fh_fs, ParseFileHistoryIngestModuleFactory.moduleName, FH_Filesize)), \
(BlackboardAttribute(attID_fh_usn, ParseFileHistoryIngestModuleFactory.moduleName, FH_Usn)), \
(BlackboardAttribute(attID_fh_fc, ParseFileHistoryIngestModuleFactory.moduleName, FH_FC)), \
(BlackboardAttribute(attID_fh_fm, ParseFileHistoryIngestModuleFactory.moduleName, FH_FM)), \
(BlackboardAttribute(attID_fh_bq, ParseFileHistoryIngestModuleFactory.moduleName, FH_BQ)), \
(BlackboardAttribute(attID_fh_bc, ParseFileHistoryIngestModuleFactory.moduleName, FH_BC)), \
(BlackboardAttribute(attID_fh_bcp, ParseFileHistoryIngestModuleFactory.moduleName, FH_BCP)), \
(BlackboardAttribute(attID_fh_bu, ParseFileHistoryIngestModuleFactory.moduleName, FH_BU)), \
(BlackboardAttribute(attID_fh_bv, ParseFileHistoryIngestModuleFactory.moduleName, FH_BV)), \
(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), \
ParseFileHistoryIngestModuleFactory.moduleName, username[2]))))
try:
#index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(ParseFileHistoryIngestModuleFactory.moduleName, artID_fh_evt, None))
# Clean up
stmt.close()
dbConn.close()
#os.remove(lclDbPath)
#Clean up prefetch directory and files
try:
shutil.rmtree(Temp_Dir)
except:
self.log(Level.INFO, "removal of directory tree failed " + Temp_Dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Windows File History Parser", " Windows File History Has Been Parsed " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "SRUDB.DAT")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0
# Create Event Log directory in temp directory, if it exists then continue on processing
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "create Directory " + Temp_Dir)
try:
os.mkdir(Temp_Dir + "\SRUDB")
except:
self.log(Level.INFO, "SRUDB Directory already exists " + Temp_Dir)
# Write out each Event Log file to the temp directory
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
#self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(Temp_Dir + "\SRUDB", file.getName())
ContentUtils.writeToFile(file, File(lclDbPath))
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO,
"Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Run the EXE, saving output to a sqlite database
self.log(
Level.INFO, "Running program on data source parm 1 ==> " +
Temp_Dir + " Parm 2 ==> " + Temp_Dir + "\SRUDB.db3")
subprocess.Popen([
self.path_to_exe, Temp_Dir + "\SRUDB\SRUDB.DAT",
Temp_Dir + "\SRUDB.db3"
]).communicate()[0]
for file in files:
# Open the DB using JDBC
lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(),
"SRUDB.db3")
#lclDbPath = "C:\\Users\\Forensic_User\\OneDrive\\Code\\Python_Scripts\\SRUDB\SRUDB.DB3"
self.log(Level.INFO,
"Path the SRUDB database file created ==> " + lclDbPath)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" %
lclDbPath)
except SQLException as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
file.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
#PSlsit => TSK_PROG_RUN
#
# Query the contacts table in the database and get all columns.
for SR_table_name in self.List_Of_SRUDB:
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery(
"Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('"
+ SR_table_name + "'); ")
self.log(Level.INFO, "query SQLite Master table")
except SQLException as e:
self.log(
Level.INFO,
"Error querying database for Prefetch table (" +
e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
self.log(
Level.INFO,
"Result (" + resultSet.getString("tbl_name") + ")")
table_name = resultSet.getString("tbl_name")
self.log(
Level.INFO, "Result get information from table " +
resultSet.getString("tbl_name") + " ")
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
#self.log(Level.INFO, SQL_String_1)
#self.log(Level.INFO, SQL_String_2)
artifact_name = "TSK_" + table_name.upper()
artifact_desc = "System Resource Usage " + table_name.upper(
)
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_amc = skCase.addArtifactType(
artifact_name, artifact_desc)
except:
self.log(
Level.INFO,
"Artifacts Creation Error, some artifacts may not exist now. ==> "
)
artID_sru = skCase.getArtifactTypeID(artifact_name)
artID_sru_evt = skCase.getArtifactType(artifact_name)
Column_Names = []
Column_Types = []
resultSet2 = stmt.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(
resultSet2.getString("name").upper())
Column_Types.append(
resultSet2.getString("type").upper())
#attID_ex1 = skCase.addAttrType("TSK_" + resultSet2.getString("name").upper(), resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" +
resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.
STRING, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(
Level.INFO,
"Attributes Creation Error, " +
resultSet2.getString("name") + " ==> ")
elif resultSet2.getString("type").upper() == "":
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" +
resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.
STRING, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(
Level.INFO,
"Attributes Creation Error, " +
resultSet2.getString("name") + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" +
resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.
LONG, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(
Level.INFO,
"Attributes Creation Error, " +
resultSet2.getString("name") + " ==> ")
resultSet3 = stmt.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_sru)
Column_Number = 1
for col_name in Column_Names:
self.log(
Level.INFO,
"Result get information for column " +
Column_Names[Column_Number - 1] + " ")
self.log(
Level.INFO,
"Result get information for column_number "
+ str(Column_Number) + " ")
c_name = "TSK_" + col_name
self.log(Level.INFO,
"Attribute Name is " + c_name + " ")
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
art.addAttribute(
BlackboardAttribute(
attID_ex1,
ParseSRUDBIngestModuleFactory.
moduleName,
resultSet3.getString(
Column_Number)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(
BlackboardAttribute(
attID_ex1,
ParseSRUDBIngestModuleFactory.
moduleName,
resultSet3.getString(
Column_Number)))
# elif Column_Types[Column_Number - 1] == "BLOB":
# art.addAttribute(BlackboardAttribute(attID_ex1, ParseSRUDBIngestModuleFactory.moduleName, "BLOBS Not Supported"))
# elif Column_Types[Column_Number - 1] == "REAL":
# art.addAttribute(BlackboardAttribute(attID_ex1, ParseSRUDBIngestModuleFactory.moduleName, resultSet3.getFloat(Column_Number)))
else:
#self.log(Level.INFO, "Value for column type ==> " + str(resultSet3.getInt(Column_Number)) + " <== ")
art.addAttribute(
BlackboardAttribute(
attID_ex1,
ParseSRUDBIngestModuleFactory.
moduleName,
long(
resultSet3.getInt(
Column_Number))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(
ParseSRUDBIngestModuleFactory.moduleName,
artID_sru_evt, None))
except SQLException as e:
self.log(
Level.INFO,
"Error getting values from contacts table (" +
e.getMessage() + ")")
# Clean up
os.remove(lclDbPath)
#Clean up EventLog directory and files
for file in files:
try:
os.remove(Temp_Dir + "\\" + file.getName())
except:
self.log(
Level.INFO, "removal of SRUDB file failed " + Temp_Dir +
"\\" + file.getName())
try:
os.rmdir(Temp_Dir)
except:
self.log(Level.INFO,
"removal of SRUDB directory failed " + Temp_Dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"System Resourse Usage DB",
" SRUDB Has Been Analyzed ")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def startUp(self, context):
skCase = Case.getCurrentCase().getSleuthkitCase()
self.temp_dir = Case.getCurrentCase().getTempDirectory()
if PlatformUtil.isWindowsOS():
#self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "ypa.exe") #OLD
self.path_to_undark = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "undark.exe")
if not os.path.exists(self.path_to_undark):
raise IngestModuleException(
"EXE was not found in module folder")
self.att_dp_type = self.create_attribute_type(
'YPA_DP_TYPE',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Type", skCase)
self.att_dp_offset = self.create_attribute_type(
'YPA_DP_OFFSET',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Offset", skCase)
self.att_dp_lenght = self.create_attribute_type(
'YPA_DP_LENGHT',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Lenght", skCase)
self.att_dp_data = self.create_attribute_type(
'YPA_DP_DATA',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Data", skCase)
self.att_contact_id = self.create_attribute_type(
'YPA_CONTACT_ID',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Contact id", skCase)
self.att_address = self.create_attribute_type(
'YPA_ADDRESS',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Address", skCase)
self.att_display_name = self.create_attribute_type(
'YPA_DISPLAY_NAME',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Display name", skCase)
self.att_address_type = self.create_attribute_type(
'YPA_ADDRESS_TYPE',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Address type", skCase)
self.att_times_contacted = self.create_attribute_type(
'YPA_TIMES_CONTACTED',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Times contacted", skCase)
self.att_last_contacted_time = self.create_attribute_type(
'YPA_LAST_CONTACT_TIME',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Last contacted time", skCase)
self.att_last_updated_time = self.create_attribute_type(
'YPA_LAST_UPDATE_TIME',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Last updated time", skCase)
self.att_thread_id = self.create_attribute_type(
'YPA_THREAD_ID',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Thread id", skCase)
self.att_message_id = self.create_attribute_type(
'YPA_MESSAGE_ID',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Message id", skCase)
self.att_recipient_list = self.create_attribute_type(
'YPA_RECIPIENT_LIST',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Recipients", skCase)
self.att_from_address = self.create_attribute_type(
'YPA_FROM_ADDRESS',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Address", skCase)
self.att_body = self.create_attribute_type(
'YPA_BODY',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Message Body", skCase)
self.att_status = self.create_attribute_type(
'YPA_STATUS',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Status", skCase)
self.att_timestamp = self.create_attribute_type(
'YPA_TIMESTAMP',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Timestamp", skCase)
self.att_mms_text = self.create_attribute_type(
'YPA_MMS_TEXT',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Text", skCase)
self.att_num_of_files = self.create_attribute_type(
'YPA_NUM_OF_FILES',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Number of files", skCase)
self.att_name_of_files = self.create_attribute_type(
'YPA_NAME_OF_FILES',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Name of files", skCase)
self.att_pic_size = self.create_attribute_type(
'YPA_PIC_SIZE',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG,
"Picture size (B)", skCase)
self.att_db_uv = self.create_attribute_type(
'YPA_DB_UV',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Sqlite User Version", skCase)
self.att_rec_row = self.create_attribute_type(
'YPA_REC_ROW',
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Data recovered from unvacuumed row", skCase)
self.contact_query = "select a.contact_id, a.address,c.display_name, a.address_type, a.times_contacted, datetime(a.last_contacted_time / 10000000 - 11644473600,'unixepoch') as last_contacted_time, datetime(c.last_updated_time/ 10000000 - 11644473600,'unixepoch') as last_updated_time from address a join contact c on a.contact_id = c.contact_id"
self.messages_query = "select m.thread_id, m.message_id, con.recipient_list , ifnull(c.display_name,'n/a') as display_name, m.body, m.status, ifnull(m.from_address,'self') as from_address, datetime(m.timestamp/ 10000000 - 11644473600,'unixepoch') as timestamp from message m left join address a on m.from_address = a.address left join contact c on a.contact_id = c.contact_id join conversation con on con.thread_id = m.thread_id order by m.message_id"
self.mms_query = "select mp.message_id, mm.thread_id, mp.content_type, mp.name, mp.text, ifnull(c.display_name,'n/a') as display_name, ma.address from mms_part mp left join mms mm on mp.message_id = mm.message_id left join mms_address ma on mp.message_id = ma.message_id left join address a on ma.address = a.address left join contact c on a.contact_id = c.contact_id where ma.address not like 'insert-address-token' "
self.address_types = {
'1': 'Home phone number',
'2': 'Mobile phone number',
'3': 'Office phone number',
'4': 'Unknown',
'5': 'Main phone number',
'6': 'Other phone number'
}
def process(self, dataSource, progressBar):
blackboard = Case.getCurrentCase().getServices().getBlackboard()
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "phone.db")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
self.anyValidFileFound = False
for file in files:
dbPath = os.path.join(self.temp_dir, str(file.getName()))
ContentUtils.writeToFile(file, File(dbPath))
try:
Class.forName("org.sqlite.JDBC").newInstance()
config = SQLiteConfig()
config.setEncoding(SQLiteConfig.Encoding.UTF8)
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % dbPath,
config.toProperties())
except Exception as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
file.getName() + " (" + str(e) + ")")
continue
try:
full_path = (file.getParentPath() + file.getName())
split = full_path.split('/')
try:
try:
userName = split[-11]
except IndexError:
userName = "******"
self.art_contacts = self.create_artifact_type(
"YPA_CONTACTS_" + userName,
"User " + userName + " - Contacts", skCase)
self.art_messages = self.create_artifact_type(
"YPA_MESSAGE_" + userName,
"User " + userName + " - SMS", skCase)
self.art_mms = self.create_artifact_type(
"YPA_MMS_" + userName, "User " + userName + " - MMS",
skCase)
self.art_pictures = self.create_artifact_type(
"YPA_PICTURES_" + userName,
"User " + userName + " - Recent Pictures", skCase)
self.art_freespace = self.create_artifact_type(
"YPA_FREESPACE_" + userName,
"User " + userName + " - Rows Recovered(undark)",
skCase)
self.art_dp = self.create_artifact_type(
"YPA_DP_" + userName, "User " + userName +
" - Rows Recovered(Delete parser)", skCase)
self.art_set = self.create_artifact_type(
"YPA_SETTINGS_" + userName,
"User " + userName + " - Database Settings", skCase)
except Exception as e:
self.log(Level.INFO, str(e))
continue
stmt = dbConn.createStatement()
contacts = stmt.executeQuery(self.contact_query)
self.processContacts(contacts, file, blackboard, skCase)
stmt = dbConn.createStatement()
messages = stmt.executeQuery(self.messages_query)
self.processMessages(messages, file, blackboard, skCase)
stmt = dbConn.createStatement()
mms = stmt.executeQuery(self.mms_query)
self.processMms(mms, file, blackboard, skCase)
self.anyValidFileFound = True
stmt = dbConn.createStatement()
prag_uv = stmt.executeQuery("pragma user_version")
art = file.newArtifact(self.art_set.getTypeID())
prag_uv.next()
art.addAttribute(
BlackboardAttribute(
self.att_db_uv,
YourPhoneIngestModuleFactory.moduleName,
prag_uv.getString("user_version")))
self.index_artifact(blackboard, art, self.art_set)
if PlatformUtil.isWindowsOS():
try:
with open(self.temp_dir + '\\freespace.txt', 'w') as f:
subprocess.Popen([
self.path_to_undark, '-i', dbPath,
'--freespace'
],
stdout=f).communicate()
with open(self.temp_dir + '\\freespace.txt', 'r') as f:
self.log(
Level.INFO, ' '.join([
self.path_to_undark, '-i', dbPath,
'--freespace >'
]))
self.log(Level.INFO, "called undark")
line = f.readline()
while line:
self.log(Level.INFO, "opened result")
art = file.newArtifact(
self.art_freespace.getTypeID())
art.addAttribute(
BlackboardAttribute(
self.att_rec_row,
YourPhoneIngestModuleFactory.
moduleName, str(line)))
self.index_artifact(blackboard, art,
self.art_freespace)
line = f.readline()
except Exception as e:
self.log(Level.SEVERE, str(e))
pass
try:
mdg = mdgMod.mdg_modified.sqlite_rec(dbPath)
res = mdg.extract_deleted()
for line in res:
art = file.newArtifact(self.art_dp.getTypeID())
art.addAttribute(
BlackboardAttribute(
self.att_dp_type,
YourPhoneIngestModuleFactory.moduleName,
str(line[0])))
art.addAttribute(
BlackboardAttribute(
self.att_dp_offset,
YourPhoneIngestModuleFactory.moduleName,
str(line[1])))
art.addAttribute(
BlackboardAttribute(
self.att_dp_lenght,
YourPhoneIngestModuleFactory.moduleName,
str(line[2])))
art.addAttribute(
BlackboardAttribute(
self.att_dp_data,
YourPhoneIngestModuleFactory.moduleName,
str(line[3])))
self.index_artifact(blackboard, art, self.art_dp)
except Exception as e:
self.log(Level.SEVERE, str(e))
pass
except Exception as e:
self.log(Level.SEVERE, str(e))
continue
finally:
dbConn.close()
try:
os.remove(dbPath)
except (Exception, OSError) as e:
self.log(Level.SEVERE, str(e))
try:
full_path = (file.getParentPath() + file.getName())
split = full_path.split('/')
guidPath = '/'.join(split[:-3])
usrPath = guidPath + '/User'
self.log(Level.INFO, usrPath)
ufiles = fileManager.findFiles(dataSource, '%', usrPath)
self.log(Level.INFO, ufiles[0].getName())
for ufile in ufiles:
rpPath = ufile.getParentPath() + ufile.getName(
) + '/Recent Photos/'
picfiles = fileManager.findFiles(dataSource, '%', rpPath)
for pic in picfiles:
self.log(Level.INFO, pic.getName())
# Make an artifact
art = pic.newArtifact(self.art_pictures.getTypeID())
# Register file size
art.addAttribute(
BlackboardAttribute(
self.att_pic_size,
YourPhoneIngestModuleFactory.moduleName,
pic.getSize()))
self.index_artifact(blackboard, art, self.art_pictures)
except Exception as e:
self.log(Level.INFO, "failed to obtain photos")
continue
if not self.anyValidFileFound:
Message.info("YPA: No valid database file found")
return IngestModule.ProcessResult.OK
def find_profile(self, image_file):
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "create Directory " + Temp_Dir)
self.log(Level.INFO, "File name to process is ==> " + str(image_file))
file_name = os.path.basename(image_file)
self.log(Level.INFO, "File Name ==> " + file_name)
base_file_name = os.path.splitext(file_name)[0]
database_file = os.path.join(Temp_Dir, base_file_name + ".db3")
self.log(Level.INFO, "File Name ==> " + self.database_file)
found_profile = False
if os.path.isfile(self.database_file):
self.log(Level.INFO, "Path the volatility database file created ==> " + self.database_file)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % self.database_file)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the database
try:
stmt = dbConn.createStatement()
resultSet1 = stmt.executeQuery('Select "Suggested Profile(s)" from imageinfo')
self.log(Level.INFO, "query " + str(resultSet1))
# Cycle through each row and create artifacts
profile_names = None
while resultSet1.next():
try:
profile_names = resultSet1.getString("Suggested Profile(s)")
if profile_names == None:
self.Profile = None
elif ',' in profile_names:
profile_list = profile_names.split(",")
self.Profile = profile_list[0]
elif ' ' in profle_names:
profile_list = profile_names.split(" ")
self.Profile = profile_list[0]
else:
self.Profile = profile_names
found_profile = True
except:
self.log(Level.INFO, "Error getting profile name, Profile name is ==> " + profile_names + " <==")
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")")
try:
stmt.close()
dbConn.close()
#os.remove(database_name)
except:
self.log(Level.INFO, "removal of volatility imageinfo database failed " + Temp_Dir)
if found_profile:
pass
else:
if self.Python_Program:
self.log(Level.INFO, "Running program ==> " + "Python " + self.Volatility_Executable + " -f " + image_file + " " + \
" --output=sqlite --output-file=" + self.database_file + " imageinfo")
if PlatformUtil.isWindowsOS():
pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", image_file, "--output=sqlite", \
"--output-file=" + self.database_file, "imageinfo"], stdout=PIPE, stderr=PIPE)
else:
pipe = Popen(["python", self.Volatility_Executable, "-f", image_file, "--output=sqlite", \
"--output-file=" + self.database_file, "imageinfo"], stdout=PIPE, stderr=PIPE)
else:
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + image_file + " " + \
" --output=sqlite --output-file=" + self.database_file + " imageinfo")
pipe = Popen([self.Volatility_Executable, "-f", image_file, "--output=sqlite", \
"--output-file=" + self.database_file, "imageinfo"], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
# Open the DB using JDBC
self.log(Level.INFO, "Path the volatility database file created ==> " + self.database_file)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % self.database_file)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the database
try:
stmt = dbConn.createStatement()
resultSet1 = stmt.executeQuery('Select "Suggested Profile(s)" from imageinfo')
self.log(Level.INFO, "query SQLite Master table ==> " )
self.log(Level.INFO, "query " + str(resultSet1))
# Cycle through each row and create artifacts
profile_names = None
while resultSet1.next():
try:
profile_names = resultSet1.getString("Suggested Profile(s)")
if profile_names == None:
self.Profile = None
elif ',' in profile_names:
profile_list = profile_names.split(",")
self.Profile = profile_list[0]
elif ' ' in profle_names:
profile_list = profile_names.split(" ")
self.Profile = profile_list[0]
else:
self.Profile = profile_names
except:
self.log(Level.INFO, "Error getting profile name, Profile name is ==> " + profile_names + " <==")
try:
exestmt = dbConn.createStatement()
resultx = exestmt.execute('create table plugins_loaded_to_Autopsy (table_name text);')
except SQLException as e:
self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy")
return IngestModule.ProcessResult.OK
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + database_file + " (" + e.getMessage() + ")")
try:
stmt.close()
exestmt.close()
dbConn.close()
#os.remove(database_name)
except:
self.log(Level.INFO, "removal of volatility imageinfo database failed " + Temp_Dir)
def process(self, dataSource, progressBar):
moduleName = CarverFilesIngestModuleFactory.moduleName
if len(self.List_Of_tables) < 1:
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "FileCarver", " No Mime Types Selected to Parse " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.ERROR
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# For our example, we will use FileManager to get all
# files with the word "test"
# in the name and then count and read them
# FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/latest/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
if "All_Mime_Types" in self.List_Of_tables:
files = fileManager.findFiles(dataSource, "%")
if "Include_Slack_Space" in self.List_Of_tables:
files=[i for i in files if (i.getSize() > 500)]
numFiles = len(files)
else:
files=[i for i in files if (i.getSize() > 500) and not i.getName().endswith("-slack") ]
numFiles = len(files)
else:
files = fileManager.findFilesByMimeType(self.mimeTypesToFind)
if "Include_Slack_Space" in self.List_Of_tables:
files=[i for i in files if (i.getSize() > 500)]
numFiles = len(files)
else:
files=[i for i in files if (i.getSize() > 500) and not i.getName().endswith("-slack") ]
numFiles = len(files)
# if "Default_Mime_Types" in self.List_Of_tables:
# files = fileManager.findFilesByMimeType(self.mimeTypesToFind)
# if "Include_Slack_Space" in self.List_Of_tables:
# files=[i for i in files if (i.getSize() > 1000)]
# numFiles = len(files)
# else:
# files=[i for i in files if (i.getSize() > 1000) and not i.getName().endswith("-slack") ]
# numFiles = len(files)
# else:
# files = fileManager.findFiles(dataSource, "%")
# if "Include_Slack_Space" in self.List_Of_tables:
# files=[i for i in files if (i.getSize() > 1000)]
# numFiles = len(files)
# else:
# files=[i for i in files if (i.getSize() > 1000) and not i.getName().endswith("-slack") ]
# numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0
FileExtractCount=0
Temp_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath()
tmp_dir = Case.getCurrentCase().getTempDirectory()
if PlatformUtil.isWindowsOS():
self.log(Level.INFO, "create Directory " + Temp_Dir)
try:
os.mkdir(Temp_Dir + "\Carved-Foremost")
except:
self.log(Level.INFO, "Carved-Foremost Directory already exists " + Temp_Dir)
else:
self.log(Level.INFO, "create Directory " + Temp_Dir)
try:
os.mkdir(Temp_Dir + "/Carved-Foremost")
except:
self.log(Level.INFO, "Carved-Foremost Directory already exists " + Temp_Dir)
for file in files:
fileCount += 1
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
if ((file.getSize() > 1000) and (file.getType() != TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) and (file.getType() != TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) and (file.isFile() != False)):
self.log(Level.INFO, "Processing file: " + file.getName())
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artfiact. Refer to the developer docs for other examples.
fileGetName=file.getName()
if ":" in fileGetName:
fileGetName=fileGetName.replace(":","_")
else:
fileGetName=file.getName()
if PlatformUtil.isWindowsOS():
out_dir = os.path.join(Temp_Dir + "\Carved-Foremost", str(file.getId()))
try:
os.mkdir(Temp_Dir + "\Carved-Foremost\\" + str(file.getId()))
except:
self.log(Level.INFO, str(file.getId()) + " Directory already exists " + Temp_Dir)
else:
out_dir = os.path.join(Temp_Dir + "/Carved-Foremost", str(file.getId()))
try:
os.mkdir(Temp_Dir + "/Carved-Foremost/" + str(file.getId()))
except:
self.log(Level.INFO, str(file.getId()) + " Directory already exists " + Temp_Dir)
lclDbPath=os.path.join(tmp_dir, str(file.getId()))
try:
ContentUtils.writeToFile(file, File(lclDbPath))
except:
pass
# Check if output directory exists and if it does then delete it, this may happen with a rerun
if os.path.exists(out_dir):
shutil.rmtree(out_dir)
if os.path.exists(lclDbPath):
self.log(Level.INFO, "Running prog ==> " + self.path_to_exe_foremost + " -t " + "jpeg,png,bmp,gif" + " -o " + out_dir + " -i " + lclDbPath)
pipe = Popen([self.path_to_exe_foremost, "-t" + "jpeg,png,bmp,gif", "-o", out_dir, "-i", lclDbPath], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
if len(os.listdir(out_dir)) == 1:
shutil.rmtree(out_dir)
os.remove(lclDbPath)
else:
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, CarverFilesIngestModuleFactory.moduleName, "New Carved Data and Sqlite Files")
art.addAttribute(att)
try:
# index the artifact for keyword search
skCase.getBlackboard().postArtifact(art, moduleName)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
redactresults = out_dir
auditLog = os.path.join(redactresults,"audit.txt")
if os.path.exists(auditLog):
os.remove(auditLog)
imagedirs = os.listdir(redactresults)
for imagedir in imagedirs:
jpgpath=os.path.join(redactresults,imagedir)
imagejpgs=os.listdir(jpgpath)
for imagejpg in imagejpgs:
srcfile=os.path.join(jpgpath,imagejpg)
dstfile=os.path.join(redactresults,imagejpg)
shutil.move(srcfile,dstfile)
shutil.rmtree(jpgpath)
extractedfiles = next(os.walk(out_dir))[2]
for extractfile in extractedfiles:
FileExtractCount=FileExtractCount+1
self.log(Level.INFO, " File Name is ==> " + extractfile)
if PlatformUtil.isWindowsOS():
relativeModulepath=Case.getCurrentCase().getModuleOutputDirectoryRelativePath() + "\Carved-Foremost"
else:
relativeModulepath=Case.getCurrentCase().getModuleOutputDirectoryRelativePath() + "/Carved-Foremost"
relativeCarvedpath=os.path.join(relativeModulepath, str(file.getId()))
relativelocal_file = os.path.join(relativeCarvedpath, extractfile)
local_file = os.path.join(out_dir,extractfile)
self.log(Level.INFO, " Local File Name is ==> " + local_file)
derived_file=skCase.addDerivedFile(extractfile, relativelocal_file, os.path.getsize(local_file), 0, 0, 0, 0, True, file, "", "foremost", "1.5", "", TskData.EncodingType.NONE)
IngestServices.getInstance().fireModuleContentEvent(ModuleContentEvent(derived_file))
os.remove(lclDbPath)
# Update the progress bar
progressBar.progress(fileCount)
#Post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"File Carver Module", "Found %d files" % fileCount)
IngestServices.getInstance().postMessage(message)
message2 = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"File Carver Module", "Found %d images in %d files " % (FileExtractCount,fileCount))
IngestServices.getInstance().postMessage(message2)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
self.log(Level.INFO, "Starting to process Hiberfil.sys and Crash Dumps")
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Get the temp directory and create the sub directory
if self.hiber_flag:
Mod_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath()
try:
ModOut_Dir = os.path.join(Mod_Dir, "Volatility", "Memory-Image-hiberfil")
self.log(Level.INFO, "Module Output Directory ===> " + ModOut_Dir)
#dir_util.mkpath(ModOut_Dir)
os.mkdir(os.path.join(Mod_Dir, "Volatility"))
os.mkdir(ModOut_Dir)
except:
self.log(Level.INFO, "***** Error Module Output Directory already exists " + ModOut_Dir)
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase();
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "hiberfil.sys", "/")
numFiles = len(files)
self.log(Level.INFO, "Number of files to process ==> " + str(numFiles))
for file in files:
self.log(Level.INFO, "File to process is ==> " + str(file))
self.log(Level.INFO, "File name to process is ==> " + file.getName())
tmp_Dir = Case.getCurrentCase().getTempDirectory()
Hiber_File = os.path.join(tmp_Dir, file.getName())
ContentUtils.writeToFile(file, File(Hiber_File))
self.log(Level.INFO, "File name to process is ==> " + Hiber_File)
# Create the directory to dump the hiberfil
dump_file = os.path.join(ModOut_Dir, "Memory-Image-from-hiberfil.img")
if self.Python_Program:
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " imagecopy -f " + Hiber_File + " " + \
" -O " + dump_file)
if PlatformUtil.isWindowsOS():
pipe = Popen(["Python.exe", self.Volatility_Executable, "imagecopy", "-f", Hiber_File, "-O" + dump_file], stdout=PIPE, stderr=PIPE)
else:
pipe = Popen(["python", self.Volatility_Executable, "imagecopy", "-f", Hiber_File, "-O" + dump_file], stdout=PIPE, stderr=PIPE)
else:
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " imagecopy -f " + Hiber_File + " " + \
" -O " + dump_file)
pipe = Popen([self.Volatility_Executable, "imagecopy", "-f", Hiber_File, "-O" + dump_file], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
# Add hiberfil memory image to a new local data source
services = IngestServices.getInstance()
progress_updater = ProgressUpdater()
newDataSources = []
dump_file = os.path.join(ModOut_Dir, "Memory-Image-from-hiberfil.img")
dir_list = []
dir_list.append(dump_file)
# skCase = Case.getCurrentCase().getSleuthkitCase();
fileManager_2 = Case.getCurrentCase().getServices().getFileManager()
skcase_data = Case.getCurrentCase()
# Get a Unique device id using uuid
device_id = UUID.randomUUID()
self.log(Level.INFO, "device id: ==> " + str(device_id))
skcase_data.notifyAddingDataSource(device_id)
# Add data source with files
newDataSource = fileManager_2.addLocalFilesDataSource(str(device_id), "Hiberfile Memory Image", "", dir_list, progress_updater)
newDataSources.append(newDataSource.getRootDirectory())
# Get the files that were added
files_added = progress_updater.getFiles()
#self.log(Level.INFO, "Fire Module1: ==> " + str(files_added))
for file_added in files_added:
skcase_data.notifyDataSourceAdded(file_added, device_id)
self.log(Level.INFO, "Fire Module1: ==> " + str(file_added))
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"HiberFil_Crash", " Hiberfil/Crash Dumps have been extracted fro Image. " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
self.log(Level.INFO, "Starting to process, Just before call to parse_safari_history")
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Get the temp directory and create the sub directory
Temp_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath()
temp_dir = os.path.join(Temp_Dir, "Volatility")
try:
os.mkdir(temp_dir)
except:
self.log(Level.INFO, "Plaso Import Directory already exists " + Temp_Dir)
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase();
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%", "/")
numFiles = len(files)
self.log(Level.INFO, "Number of files to process ==> " + str(numFiles))
#file_name = os.path.basename(self.path_to_storage_file)
#self.log(Level.INFO, "File Name ==> " + file_name)
#base_file_name = os.path.splitext(file_name)[0]
#self.database_file = Temp_Dir + "\\volatility\\Plaso.db3"
for file in files:
self.log(Level.INFO, "File name to process is ==> " + str(file))
self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath()))
image_file = file.getLocalAbsPath()
if image_file != None:
self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath()))
file_name = os.path.basename(file.getLocalAbsPath())
self.log(Level.INFO, "File Name ==> " + file_name)
base_file_name = os.path.splitext(file_name)[0]
self.database_file = os.path.join(temp_dir, base_file_name + ".db3")
self.log(Level.INFO, "File Name ==> " + self.database_file)
if self.isAutodetect:
self.find_profile(image_file)
if self.Profile == None:
continue
for plugin_to_run in self.Plugins:
if self.Python_Program:
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \
"--profile=" + self.Profile + " --output=sqlite --output-file=" + self.database_file + " " + self.Additional_Parms + " " + plugin_to_run)
if PlatformUtil.isWindowsOS():
pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, "--output=sqlite", \
"--output-file=" + self.database_file, self.Additional_Parms, plugin_to_run], stdout=PIPE, stderr=PIPE)
else:
pipe = Popen(["python", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, "--output=sqlite", \
"--output-file=" + self.database_file, self.Additional_Parms, plugin_to_run], stdout=PIPE, stderr=PIPE)
else:
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \
"--profile=" + self.Profile + " --output=sqlite --output-file=" + self.database_file + " " + self.Additional_Parms + " " + plugin_to_run)
pipe = Popen([self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, "--output=sqlite", \
"--output-file=" + self.database_file, self.Additional_Parms, plugin_to_run], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
# Open the DB using JDBC
self.log(Level.INFO, "Path the volatility database file created ==> " + self.database_file)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % self.database_file)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + self.database_file + " (" + e.getMessage() + ")")
try:
exestmt = dbConn.createStatement()
resultx = exestmt.execute('create table plugins_loaded_to_Autopsy (table_name text);')
except SQLException as e:
self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy")
# Query the database
try:
stmt = dbConn.createStatement()
stmt2 = dbConn.createStatement()
stmt3 = dbConn.createStatement()
stmt4 = dbConn.createStatement()
resultSet1 = stmt.executeQuery("Select upper(tbl_name) tbl_name from SQLITE_MASTER where upper(tbl_name) " \
" not in (select table_name from plugins_loaded_to_Autopsy)" \
" and upper(tbl_name) <> 'PLUGINS_LOADED_TO_AUTOPSY';")
# Cycle through each row and create artifacts
while resultSet1.next():
try:
self.log(Level.INFO, "Begin Create New Artifacts ==> " + resultSet1.getString("tbl_name"))
artID_art = skCase.addArtifactType( "TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name, "Volatility " + \
resultSet1.getString("tbl_name") + " " + file_name)
except:
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
# Get the artifact and attributes
artID_art = skCase.getArtifactTypeID("TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name)
artID_art_evt = skCase.getArtifactType("TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name)
try:
self.log(Level.INFO, "Result (" + resultSet1.getString("tbl_name") + ")")
table_name = resultSet1.getString("tbl_name")
resultSet4 = stmt4.executeQuery("Select count(*) 'NumRows' from " + resultSet1.getString("tbl_name") + " ")
row_count = resultSet4.getInt("NumRows")
self.log(Level.INFO, " Number of Rows is " + str(row_count) + " ")
if row_count >= 1:
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
self.log(Level.INFO, SQL_String_1)
self.log(Level.INFO, SQL_String_2)
artifact_name = "TSK_VOL_" + table_name.upper() + "_" + file_name
artID_sql = skCase.getArtifactTypeID(artifact_name)
artID_sql_evt = skCase.getArtifactType(artifact_name)
Column_Names = []
Column_Types = []
resultSet2 = stmt2.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(resultSet2.getString("name").upper())
Column_Types.append(resultSet2.getString("type").upper())
attribute_name = "TSK_VOL_" + table_name + "_" + resultSet2.getString("name").upper()
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "LONGVARCHAR":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "BLOB":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "REAL":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
resultSet3 = stmt3.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_sql)
Column_Number = 1
for col_name in Column_Names:
c_name = "TSK_VOL_" + table_name.upper() + "_" + Column_Names[Column_Number - 1]
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
if resultSet3.getString(Column_Number) == None:
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, " "))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "LONGVARCHAR":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
elif Column_Types[Column_Number - 1] == "BLOB":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
elif Column_Types[Column_Number - 1] == "REAL":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getFloat(Column_Number))))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getString(Column_Number))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(VolatilityIngestModuleFactory.moduleName, \
artID_sql_evt, None))
except SQLException as e:
self.log(Level.INFO, "Error getting values from table " + resultSet.getString("tbl_name") + " (" + e.getMessage() + ")")
try:
# exestmt = createStatement()
resultx = exestmt.execute("insert into plugins_loaded_to_Autopsy values ('" + table_name + "');")
except SQLException as e:
self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy")
except SQLException as e:
self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")")
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"VolatilitySettings", " VolatilitySettings Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def parse_sqlite_data(self, dataSource, progressBar, os_version, mac_os_art_id, settings_db):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
skCase = Case.getCurrentCase().getSleuthkitCase();
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % settings_db)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) macos_recents.db3 (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the history_visits table in the database and get all columns.
try:
stmt = dbConn.createStatement()
macos_version_sql = "select mac_osx_art_id, mac_osx_art_type, mac_osx_art_File_Name, mac_osx_art_dir_name, " + \
" mac_osx_art_database_name, mac_osx_art_sql_statement, os_version, " + \
" os_name from mac_artifact a, os_version b where a.os_id = b.os_id and b.os_version = '" + os_version + "'" + \
" and mac_osx_art_id = " + str(mac_os_art_id) + ";"
self.log(Level.INFO, macos_version_sql)
resultSet = stmt.executeQuery(macos_version_sql)
self.log(Level.INFO, "query recent version table")
except SQLException as e:
self.log(Level.INFO, "Error querying database for recent version (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Get the artifact name and create it.
try:
stmt_2 = dbConn.createStatement()
artifact_sql = "select distinct autopsy_art_type, autopsy_art_name, autopsy_art_description " + \
" from autopsy_artifact a, Art_att_mac_xref b where a.autopsy_art_id = b.autopsy_art_id " + \
" and b.mac_osx_art_id = " + resultSet.getString("mac_osx_art_id") + ";"
resultSet_art = stmt_2.executeQuery(artifact_sql)
self.log(Level.INFO, "Artifact Type (" + resultSet_art.getString("autopsy_art_type") + ")")
if resultSet_art.getString("autopsy_art_type") != 'AUTOPSY':
try:
self.log(Level.INFO, "Begin Create New Artifacts ==> " + resultSet_art.getString("autopsy_art_name"))
artID_art = skCase.addArtifactType( resultSet_art.getString("autopsy_art_name"), \
resultSet_art.getString("autopsy_art_desctiption"))
self.artifact_name = resultSet_art.getString("autopsy_art_name")
except:
self.log(Level.INFO, "Artifacts Creation Error, artifact " + resultSet_art.getString("autopsy_art_name") + " exists. ==> ")
else:
self.artifact_name = resultSet_art.getString("autopsy_art_name")
# Get the attribute types and create them
stmt_3 = dbConn.createStatement()
attribute_sql = "select distinct autopsy_attrib_type, autopsy_attrib_name, autopsy_attrib_desc, autopsy_attrib_value_type_desc " + \
" from autopsy_attribute a, Art_att_mac_xref b, autopsy_value_type c " + \
" where a.autopsy_attrib_id = b.autopsy_attrib_id and a.autopsy_attrib_value_type = c.autopsy_attrib_value_type " + \
" and b.mac_osx_art_id =" + resultSet.getString("mac_osx_art_id") + ";"
self.log(Level.INFO, "Attribute SQL ==> " + attribute_sql)
resultSet_att = stmt_3.executeQuery(attribute_sql)
while resultSet_att.next():
if resultSet_att.getString("autopsy_attrib_type") == 'CUSTOM':
if resultSet_att.getString("autopsy_attrib_value_type_desc") == 'String':
try:
attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet_att.getString("autopsy_attrib_desc"))
except:
self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ")
elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Integer':
try:
attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER, resultSet_att.getString("autopsy_attrib_desc"))
except:
self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ")
elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Long':
try:
attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet_att.getString("autopsy_attrib_desc"))
except:
self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ")
elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Double':
try:
attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE, resultSet_att.getString("autopsy_attrib_desc"))
except:
self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ")
elif resultSet_att.getString("autopsy_attrib_value_type_desc") == 'Byte':
try:
attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE, resultSet_att.getString("autopsy_attrib_desc"))
except:
self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ")
else:
try:
attID_vss_num = skCase.addArtifactAttributeType(resultSet_att.getString("autopsy_attrib_name"), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, resultSet_att.getString("autopsy_attrib_desc"))
except:
self.log(Level.INFO, "Attributes Creation Error for ," + resultSet_att.getString("autopsy_attrib_name") + " ==> ")
except SQLException as e:
self.log(Level.INFO, "Error querying database for artifacts/attributes (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
# Set the database to be read to the once created by the prefetch parser program
macos_file_name = resultSet.getString("mac_osx_art_File_Name")
macos_dir_name = resultSet.getString("mac_osx_art_dir_name")
macos_database_name = resultSet.getString("mac_osx_art_database_name")
#macos_table_name = resultSet.getString("mac_osx_art_table_name")
#self.path_to_plist_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), resultSet.getString("mac_osx_art_exec_file"))
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, macos_file_name + "%", macos_dir_name)
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0;
all_files = []
# do this since we want to get the wal or journal files associated with the SQLite database but we want to
# make sure we have them to use
if numFiles > 1:
for file in files:
if file.getName() == macos_file_name:
self.log(Level.INFO, file.getParentPath())
all_files.append(file)
files_to_process = all_files
# Create Event Log directory in temp directory, if it exists then continue on processing
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "create Directory " + Temp_Dir)
try:
os.mkdir(Temp_Dir + "\macos_recent")
except:
self.log(Level.INFO, "macos_recent Directory already exists " + Temp_Dir)
# Write out each Event Log file to the temp directory
file_id = 0
for file in files:
#self.log(Level.INFO, str(file))
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
#self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions, also add file id to wal and journal files
# if needed so that it can use the journals.
self.log(Level.INFO, "File Name ==> " + file.getName() + " <==> " + macos_database_name)
if file.getName().upper() == macos_database_name.upper():
file_id = file.getId()
self.log(Level.INFO, "File Name ==> " + file.getName() + " <==> " + macos_database_name + " <++> " + str(file.getId()))
lclDbPath = os.path.join(Temp_Dir + "\macos_recent", str(file_id) + "-" + file.getName())
self.log(Level.INFO, " Database name ==> " + lclDbPath)
ContentUtils.writeToFile(file, File(lclDbPath))
else:
lclDbPath = os.path.join(Temp_Dir + "\macos_recent", str(file_id) + "-" + file.getName())
self.log(Level.INFO, " Database name ==> " + lclDbPath)
ContentUtils.writeToFile(file, File(lclDbPath))
lclDbPath = os.path.join(Temp_Dir + "\macos_recent", str(file_id) + "-" + macos_database_name)
lclFilePath = os.path.join(Temp_Dir + "\macos_recent", macos_file_name)
self.log(Level.INFO, " Database name ==> " + lclDbPath + " File Path ==> " + lclFilePath)
for file in files_to_process:
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Open the DB using JDBC
lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory() + "\macos_recent", str(file.getId()) + "-" + macos_database_name)
self.log(Level.INFO, "Path the Safari History.db database file created ==> " + lclDbPath)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the history_visits table in the database and get all columns.
try:
stmt_1 = dbConn.createStatement()
macos_recent_sql = resultSet.getString("mac_osx_art_sql_statement")
self.log(Level.INFO, macos_recent_sql)
resultSet_3 = stmt_1.executeQuery(macos_recent_sql)
self.log(Level.INFO, "query " + macos_database_name + " table")
except SQLException as e:
self.log(Level.INFO, "Error querying database for history table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
artID_hst = skCase.getArtifactTypeID(self.artifact_name)
artID_hst_evt = skCase.getArtifactType(self.artifact_name)
meta = resultSet_3.getMetaData()
columncount = meta.getColumnCount()
column_names = []
self.log(Level.INFO, "Number of Columns in the table ==> " + str(columncount))
for x in range (1, columncount + 1):
self.log(Level.INFO, "Column Name ==> " + meta.getColumnLabel(x))
column_names.append(meta.getColumnLabel(x))
self.log(Level.INFO, "All Columns ==> " + str(column_names))
# Cycle through each row and create artifacts
while resultSet_3.next():
try:
#self.log(Level.INFO, SQL_String_1)
self.log(Level.INFO, "Artifact Is ==> " + str(artID_hst))
art = file.newArtifact(artID_hst)
self.log(Level.INFO, "Inserting attribute URL")
for col_name in column_names:
attID_ex1 = skCase.getAttributeType(col_name)
self.log(Level.INFO, "Inserting attribute ==> " + str(attID_ex1))
self.log(Level.INFO, "Attribute Type ==> " + str(attID_ex1.getValueType()))
if attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING:
try:
art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getString(col_name)))
except:
self.log(Level.INFO, "Attributes String Creation Error, " + col_name + " ==> ")
elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.INTEGER:
try:
art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getInt(col_name)))
except:
self.log(Level.INFO, "Attributes Integer Creation Error, " + col_name + " ==> ")
elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG:
try:
art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getInt(col_name)))
except:
self.log(Level.INFO, "Attributes Long Creation Error, " + col_name + " ==> ")
elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DOUBLE:
try:
art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getInt(col_name)))
except:
self.log(Level.INFO, "Attributes Double Creation Error, " + col_name + " ==> ")
elif attID_ex1.getValueType() == BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE:
try:
art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getString(col_name)))
except:
self.log(Level.INFO, "Attributes Byte Creation Error, " + col_name + " ==> ")
else:
try:
art.addAttribute(BlackboardAttribute(attID_ex1, ParseMacOS_RecentIngestModuleFactory.moduleName, resultSet_3.getReal(col_name)))
except:
self.log(Level.INFO, "Attributes Datatime Creation Error, " + col_name + " ==> ")
except SQLException as e:
self.log(Level.INFO, "Error getting values from web_history table (" + e.getMessage() + ")")
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ParseMacOS_RecentIngestModuleFactory.moduleName, artID_hst_evt, None))
stmt_3.close()
stmt_2.close()
stmt_1.close()
stmt.close()
dbConn.close()
# Clean up
os.remove(lclDbPath)
#Clean up EventLog directory and files
for file in files:
try:
os.remove(Temp_Dir + "\\macos_recent\\" + file.getName())
except:
self.log(Level.INFO, "removal of Safari History file failed " + Temp_Dir + "\\macos_recent" + file.getName())
try:
os.rmdir(Temp_Dir + "\\macos_recent")
except:
self.log(Level.INFO, "removal of Safari History directory failed " + Temp_Dir)
def process(self, dataSource, progressBar):
self.log(Level.INFO, "Starting to process")
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Get the temp directory and create the sub directory
Temp_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath()
temp_dir = os.path.join(Temp_Dir, "Volatility", "Dump-Files")
try:
os.mkdir(temp_dir)
except:
self.log(Level.INFO, "Volatility Directory already exists " + temp_dir)
self.log(Level.INFO, "Volatility Directory already exists " + str(dataSource.getId()))
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%", "/")
numFiles = len(files)
self.log(Level.INFO, "Number of files to process ==> " + str(numFiles))
#file_name = os.path.basename(self.path_to_storage_file)
#self.log(Level.INFO, "File Name ==> " + file_name)
#base_file_name = os.path.splitext(file_name)[0]
for file in files:
self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath()))
self.log(Level.INFO, "File name to process is ==> " + str(file))
if ('/LogicalFileSet1/' == file.parentPath) or ('/' == file.parentPath):
self.log(Level.INFO, "File name to process is ==> " + str(file))
self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath()))
mem_abstract_file_info = skCase.getAbstractFileById(file.getId())
image_file = file.getLocalAbsPath()
if image_file != None:
self.log(Level.INFO, "File name to process is ==> " + str(file.getLocalAbsPath()))
file_name = os.path.basename(file.getLocalAbsPath())
base_file_name = os.path.splitext(file_name)[0]
dbFile = base_file_name + ".db3"
#tdir = os.path.join(Temp_Dir, "Volatility")
self.database_file = os.path.join(Temp_Dir, "Volatility", dbFile)
# self.log(Level.INFO, "File Name ==> " + self.database_file)
derived_dir = os.path.join("ModuleOutput", "volatility", "Dump-Files")
dump_file = temp_dir
if self.isAutodetect:
self.find_profile(image_file)
if self.Profile == None:
continue
for plugin_to_run in self.Plugins:
plugin_dir = os.path.join(dump_file, plugin_to_run)
try:
os.mkdir(plugin_dir)
except:
pass
if self.Python_Program:
if self.Process_Ids_To_Dump == "":
new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir)
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \
"--profile=" + self.Profile + " --dump-dir=" + plugin_dir + " " + plugin_to_run)
if PlatformUtil.isWindowsOS():
pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \
"--dump-dir=" + plugin_dir, plugin_to_run], stdout=PIPE, stderr=PIPE)
else:
pipe = Popen(["python", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \
"--dump-dir=" + plugin_dir, plugin_to_run], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
self.add_Volatility_Dump_file(dataSource, new_derived_dir, plugin_dir, derived_dir + "\\" + plugin_to_run)
else:
for pid_to_run in self.Process_Ids_To_Dump:
new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir)
pid_dir = os.path.join(plugin_dir, pid_to_run.lstrip())
try:
os.mkdir(pid_dir)
except:
pass
new_derived_dir_pid = self.add_Volatility_Dump_dir(dataSource, new_derived_dir, pid_dir, pid_to_run.lstrip(), derived_dir + "\\" + plugin_to_run)
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \
"--profile=" + self.Profile + " --dump-dir=" + pid_dir + " --pid=" + pid_to_run.lstrip() + " " + plugin_to_run)
pipe = Popen(["Python.exe", self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \
"--dump-dir=" + pid_dir, "--pid=" + pid_to_run.lstrip(), plugin_to_run], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
self.add_Volatility_Dump_file(dataSource, new_derived_dir_pid, pid_dir, derived_dir + "\\" + plugin_to_run + "\\" + pid_to_run.lstrip(), pid_to_run.lstrip())
else:
if self.Process_Ids_To_Dump == "":
new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir)
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \
"--profile=" + self.Profile + " --dump-dir=" + plugin_dir + " " + plugin_to_run)
pipe = Popen([self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \
"--dump-dir=" + plugin_dir, plugin_to_run], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
self.add_Volatility_Dump_file(dataSource, new_derived_dir, plugin_dir, derived_dir + "\\" + plugin_to_run, " ")
else:
for pid_to_run in self.Process_Ids_To_Dump:
new_derived_dir = self.add_Volatility_Dump_dir(dataSource, mem_abstract_file_info, dump_file, plugin_to_run, derived_dir)
pid_dir = os.path.join(plugin_dir, pid_to_run.lstrip())
try:
os.mkdir(pid_dir)
except:
pass
new_derived_dir_pid = self.add_Volatility_Dump_dir(dataSource, new_derived_dir, plugin_dir, pid_to_run.lstrip(), derived_dir + "\\" + plugin_to_run)
self.log(Level.INFO, "Running program ==> " + self.Volatility_Executable + " -f " + file.getLocalAbsPath() + " " + \
"--profile=" + self.Profile + " --dump-dir=" + pid_dir + " --pid=" + pid_to_run.lstrip() + " " + plugin_to_run)
pipe = Popen([self.Volatility_Executable, "-f", file.getLocalAbsPath(), "--profile=" + self.Profile, \
"--dump-dir=" + pid_dir, "--pid=" + pid_to_run.lstrip(), plugin_to_run], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
self.add_Volatility_Dump_file(dataSource, new_derived_dir_pid, pid_dir, derived_dir + "\\" + plugin_to_run + "\\" + pid_to_run.lstrip(), pid_to_run.lstrip())
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"VolatilitySettings", " VolatilitySettings Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
if len(self.List_Of_tables) < 1:
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, self.moduleName, " Can't find my tables " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.ERROR
# Check if this is Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
skCase = Case.getCurrentCase().getSleuthkitCase();
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "Amcache.hve")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
fileCount = 0;
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "Found temporary directory: " + Temp_Dir)
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " Parsing Amcache.Hve " )
IngestServices.getInstance().postMessage(message)
# Dump Amcache.hve files in the temp directory
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(Temp_Dir, str(file.getId()) + '-amcache.hve')
ContentUtils.writeToFile(file, File(lclDbPath))
mydb = Temp_Dir + "\\" + str(file.getId()) + "-myAmcache.db3"
# Parse some keys
self.log(Level.INFO, "[Executable #1] Parsing Amcache.Hve: \"" + self.my_exe + "\" -r " + lclDbPath + " -d " + mydb)
subprocess.Popen([self.my_exe, '-r', lclDbPath, '-d', mydb]).communicate()[0]
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + mydb + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
for am_table_name in self.List_Of_tables:
if am_table_name == 'root_file_virustotal_scan': # <-- because we haven't run the executable these tables yet
continue
if am_table_name == 'inventory_application_file_virustotal_scan':
continue
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('" + am_table_name + "'); ")
self.log(Level.INFO, "query SQLite Master table for " + am_table_name)
except SQLException as e:
self.log(Level.INFO, "Error querying database for table " + am_table_name + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
self.log(Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")")
table_name = resultSet.getString("tbl_name")
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
artifact_name = "TSK_" + table_name.upper()
artifact_desc = "Amcache " + table_name.upper()
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_amc = skCase.addArtifactType( artifact_name, artifact_desc)
except:
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
artID_amc = skCase.getArtifactTypeID(artifact_name)
artID_amc_evt = skCase.getArtifactType(artifact_name)
Column_Names = []
Column_Types = []
resultSet2 = stmt.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(resultSet2.getString("name").upper())
Column_Types.append(resultSet2.getString("type").upper())
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error (string), " + resultSet2.getString("name") + " ==> ")
elif resultSet2.getString("type").upper() == "":
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error (string2), " + resultSet2.getString("name") + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error (long), " + resultSet2.getString("name") + " ==> ")
resultSet3 = stmt.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_amc)
Column_Number = 1
for col_name in Column_Names:
c_name = "TSK_" + col_name
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, long(resultSet3.getInt(Column_Number))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AmcacheScanIngestModuleFactory.moduleName, artID_amc_evt, None))
except SQLException as e:
self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
stmt.close()
dbConn.close()
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " Amcache Keys Have Been Parsed " )
IngestServices.getInstance().postMessage(message)
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " Beginning VirusTotal Scan " )
IngestServices.getInstance().postMessage(message)
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
mydb = Temp_Dir + "\\" + str(file.getId()) + "-myAmcache.db3"
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb)
except SQLException as e:
self.Error_Message.setText("Error Opening Settings")
# First check that the 'root_file' table exists
try:
stmt = dbConn.createStatement()
SQL_Statement = 'SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "root_file";'
resultSet = stmt.executeQuery(SQL_Statement)
self.root_file_exists = int(resultSet.getString("count"))
except:
self.log(Level.INFO, "LOOK HERE: it's not working.")
# If it does, count the number of rows in the table
if self.root_file_exists:
self.log(Level.INFO, "root_file table exists. Counting rows.")
try:
stmt = dbConn.createStatement()
SQL_Statement = 'SELECT count(*) AS count FROM root_file;'
resultSet = stmt.executeQuery(SQL_Statement)
self.root_file_count = int(resultSet.getString("count"))
except:
self.log(Level.INFO, "LOOK HERE: it's not working.")
# Now check that the 'inventory_application_file' table exists
try:
stmt = dbConn.createStatement()
SQL_Statement = 'SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "inventory_application_file";'
resultSet = stmt.executeQuery(SQL_Statement)
self.inventory_application_file_exists = int(resultSet.getString("count"))
except:
self.log(Level.INFO, "LOOK HERE: it's not working.")
# If it does, count the number of rows in the table
if self.inventory_application_file_exists:
self.log(Level.INFO, "inventory_application_file table exists. Counting rows.")
try:
stmt = dbConn.createStatement()
SQL_Statement = 'SELECT count(*) AS count FROM inventory_application_file;'
resultSet = stmt.executeQuery(SQL_Statement)
self.inventory_application_file_count = int(resultSet.getString("count"))
except:
self.log(Level.INFO, "LOOK HERE: it's not working.")
stmt.close()
dbConn.close()
# Now we know how many files we need to scan
# Use the sum, to give the user a progress bar
self.sum = self.root_file_count + self.inventory_application_file_count
progressBar.switchToDeterminate(self.sum)
artifact_name = "TSK_" + 'root_file_virustotal_scan'.upper()
artifact_desc = "Amcache " + 'root_file_virustotal_scan'.upper()
try:
self.log(Level.INFO, "Begin creating root_file_virustotal_scan Artifacts")
artID_amc = skCase.addArtifactType(artifact_name, artifact_desc)
except:
self.log(Level.INFO, "ARTIFACTS CREATION ERROR: root_file_virustotal_scan")
artID_typeID = skCase.getArtifactTypeID(artifact_name)
artID_type = skCase.getArtifactType(artifact_name)
Column_Names = ["p_key","file","sha1","vt_positives","vt_ratio","vt_report_link"]
Column_Types = ["int","text","text","int","text","text"]
# A public VirusTotal API key only allows for 4 requests a minute (1/15 seconds)
# Use this to track how much time has passed
current_time = time.time()
# start scanning root_file SHA1 hashes
for i in range(0, self.root_file_count):
subprocess.Popen([self.my_exe,'-d', mydb, '-a', self.API_Key, '-t', 'root_file', '-k', str(i + 1)]).communicate()[0]
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + mydb + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
if i == 0:
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery('SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "root_file_virustotal_scan";')
self.log(Level.INFO, "query SQLite Master table for root_file_virustotal_scan")
except SQLException as e:
self.log(Level.INFO, "Error querying database for table root_file_virustotal_scan (" + e.getMessage() + ")")
if int(resultSet.getString("count")):
self.log(Level.INFO, "root_file_virustotal_scan found")
for j in range(0,len(Column_Names)):
if Column_Types[j].upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, Column_Names[j])
except:
self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, Column_Names[j])
except:
self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ")
stmt.close()
SQL_String_1 = 'SELECT "p_key","file","sha1","vt_positives","vt_ratio","vt_report_link" from "root_file_virustotal_scan" WHERE p_key = ' + str(i + 1) + ';'
stmt = dbConn.createStatement()
resultSet3 = stmt.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_typeID)
Column_Number = 1
for col_name in Column_Names:
c_name = "TSK_" + col_name.upper()
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1].upper() == "TEXT":
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name)))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, long(resultSet3.getInt(col_name))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AmcacheScanIngestModuleFactory.moduleName, artID_type, None))
stmt.close()
dbConn.close()
if not self.Private:
after_time = time.time()
diff = current_time - after_time
time.sleep(15 - diff)
current_time = time.time()
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.count += 1
progressBar.progress(self.count)
artifact_name = "TSK_" + 'inventory_application_file_virustotal_scan'.upper()
artifact_desc = "Amcache " + 'inventory_application_file_virustotal_scan'.upper()
try:
self.log(Level.INFO, "Begin creating inventory_application_file_virustotal_scan Artifacts")
artID_amc = skCase.addArtifactType(artifact_name, artifact_desc)
except:
self.log(Level.INFO, "ARTIFACTS CREATION ERROR: inventory_application_file_virustotal_scan")
artID_typeID = skCase.getArtifactTypeID(artifact_name)
artID_type = skCase.getArtifactType(artifact_name)
# start scanning 'inventory_application_file' SHA1 hashes
for i in range(0, self.inventory_application_file_count):
subprocess.Popen([self.my_exe,'-d', mydb, '-a', self.API_Key, '-t', 'inventory_application_file', '-k', str(i + 1)]).communicate()[0]
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + mydb + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
if i == 0:
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery('SELECT COUNT(*) as count FROM sqlite_master WHERE type = "table" AND name = "inventory_application_file_virustotal_scan";')
self.log(Level.INFO, "query SQLite Master table for inventory_application_file_virustotal_scan")
except SQLException as e:
self.log(Level.INFO, "Error querying database for table inventory_application_file_virustotal_scan (" + e.getMessage() + ")")
if int(resultSet.getString("count")):
self.log(Level.INFO, "inventory_application_file_virustotal_scan found")
for j in range(0,len(Column_Names)):
if Column_Types[j].upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, Column_Names[j])
except:
self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_" + Column_Names[j].upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, Column_Names[j])
except:
self.log(Level.INFO, "Attributes Creation Error, " + Column_Names[j] + " ==> ")
stmt.close()
SQL_String_1 = 'SELECT "p_key","file","sha1","vt_positives","vt_ratio","vt_report_link" from "inventory_application_file_virustotal_scan" WHERE p_key = ' + str(i + 1) + ';'
stmt = dbConn.createStatement()
resultSet3 = stmt.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_typeID)
Column_Number = 1
for col_name in Column_Names:
c_name = "TSK_" + col_name.upper()
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1].upper() == "TEXT":
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, resultSet3.getString(col_name)))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, AmcacheScanIngestModuleFactory.moduleName, long(resultSet3.getInt(col_name))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AmcacheScanIngestModuleFactory.moduleName, artID_type, None))
stmt.close()
dbConn.close()
if not self.Private:
after_time = time.time()
diff = current_time - after_time
time.sleep(15 - diff)
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
current_time = time.time()
self.count += 1
progressBar.progress(self.count)
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Amcache Scan", " VirusTotal Scan Complete " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK