def render_pane(self, branch, query, result, condition='1'): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return elements = [ StringType(column='iosource', name='IOSource'), IntegerType(column='pid', name='PID'), IntegerType(column='proto', name='Protocol'), IntegerType(column='port', name='Port'), TimestampType('Time Created', 'create_time') ] try: condition += " and proto=%s" % branch[1] del elements[2] except IndexError: pass try: condition += " and port=%s" % branch[2] del elements[2] except IndexError: pass result.heading("Show sockets found in memory") result.text("This statistic show the sockets found in memory") result.table( elements=elements, table='sockets', where=condition, case=self.case, )
def __init__(self, **kwargs): kwargs['name'] = "Attachment" kwargs['column'] = 'indirect' link = FlagFramework.query_type(case=kwargs.get('case'), family='Disk Forensics', report='ViewFile', mode='Summary', __target__='inode_id') kwargs['link'] = link kwargs['link_pane'] = 'popup' IntegerType.__init__(self, **kwargs)
def __init__(self, **kwargs): kwargs['name']="Attachment" kwargs['column'] = 'indirect' link = FlagFramework.query_type(case=kwargs.get('case'), family='Disk Forensics', report='ViewFile', mode = 'Summary', __target__ = 'inode_id') kwargs['link'] = link kwargs['link_pane'] = 'popup' IntegerType.__init__(self, **kwargs)
def parse(self, query, datafile='datafile'): Simple.SimpleLog.parse(self, query, datafile) self.fields = [ IntegerType(name='Record', column='record'), TimestampType(name='Timestamp', column='time'), StringType(name='message', column='message'), IntegerType(name='EventID', column='event'), StringType(name='Source', column="Source"), StringType(name='arg1', column='arg1'), StringType(name='arg2', column='arg2'), StringType(name='arg3', column='arg3'), ]
def display(self, query, result): dbh = DB.DBO(query['case']) dbh.execute( "select unix_timestamp(create_time) as time from INFORMATION_SCHEMA.TABLES where table_schema = %r and table_name = 'top_talkers'", query['case']) last_updated = dbh.fetch() if not last_updated or last_updated['time'] + 3600 < time.time(): dbh.execute("drop table if exists top_talkers") dbh.execute( "create table top_talkers select dest_ip,sum(length) as bytes from connection join connection_details using(inode_id) group by dest_ip" ) #__target__ = "filter", link = FlagFramework.query_type( case=query['case'], family='Network Forensics', report='/Network Forensics/View Connections', __target__='filter', __target_format__="'Destination IP'='%s'") result.table(elements=[ IPType('Destination IP', 'dest_ip', link=link), IntegerType('Bytes Transfered', 'bytes') ], table='top_talkers', case=query['case'], order=1, direction=0)
def render_pane(self, branch, query, result): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch) == 1: result.heading("Show executables found in memory") result.text("This statistic show the executables found in memory") elif len(branch) == 2: t = branch[1].replace("__", '/') result.table( elements=[ StringType(column='iosource', name='IOSource'), IntegerType(column='pid', name='PID'), TimestampType('Time Created', 'create_time') ], table='tasks', where='pid = %r' % t, case=self.case, ) else: for c in self.classes: if branch[2] == c.name: self.chain_pane(c, branch[2:], query, result, condition="pid='%s'" % branch[1])
def pane_cb(path, tmp): query['order'] = 'Filename' ## If we are asked to show a file, we will show the ## contents of the directory the file is in: fsfd = FileSystem.DBFS(query["case"]) if not fsfd.isdir(path): path = os.path.dirname(path) tmp.table( elements=[ InodeIDType(case=query['case']), FilenameType(basename=True, case=query['case']), DeletedType(), IntegerType('File Size', 'size'), TimestampType('Last Modified', 'mtime'), StringType('Mode', 'mode', table='file') ], table='inode', where=DB.expand("file.path=%r and file.mode!='d/d'", (path + '/')), case=query['case'], pagesize=10, filter="filter2", ) target = tmp.defaults.get('open_tree', '/') tmp.toolbar(text=DB.expand("Scan %s", target), icon="examine.png", link=query_type(family="Load Data", report="ScanFS", path=target, case=query['case']), pane='popup')
def pane_cb(path, result): if not path.endswith('/'): path=path+'/' result.heading("Path is %s" % path) case = query['case'] dbh = DB.DBO(case) fsfd = Registry.FILESYSTEMS.dispatch(query['fstype'])(case) ## Try to see if the directory is already loaded: dbh.execute("select * from file where path=%r and name=''", path) if not dbh.fetch(): fsfd.load(mount_point = query['mount_point'], iosource_name= query['iosource'], directory = path) ## Now display the table result.table( elements = [ InodeIDType(case=query['case']), FilenameType(case=query['case']), DeletedType(), IntegerType(name='File Size',column='size'), TimestampType(name = 'Last Modified',column = 'mtime'), ], table='inode', where=DB.expand("file.path=%r and file.mode!='d/d'",(path)), case = query['case'], pagesize=10, )
def Timeline(query, result): def add_new_event(query, result): timeline = TimelineObj(case=query['case']) ## We got submitted - actually try to do the deed: if 'Add To Timeline' in query.getarray('__submit__'): result.start_table() newEvent = timeline.add(query, result) result.para("The following is the new timeline entry:") timeline.show(newEvent,result) result.end_table() result.link("Close this window", target=original_query, pane='parent') return result result.start_form(query, pane='self') result.heading("Add an arbitrary event") timeline.add_form(query,result) result.end_form(value="Add To Timeline") return result result.table( elements = [ IntegerType(name='id', column='id'), TimestampType(name='Time', column='time'), EditableStringType('Notes', 'notes'), StringType('Category', 'category') ], table = 'timeline', case = query['case'], filter="filter2", ) result.toolbar(add_new_event, "Add abritrary event", icon="clock.png")
def show_packets(self, query, result): """ Shows the packets which belong in this stream """ combined_fd = self.get_combined_fd() result.table(elements=[ IntegerType('Packet ID', 'packet_id', link=query_type(family="Network Forensics", report='View Packet', case=query['case'], open_tree="/eth/payload/payload/data", __target__='id')), PCAPTime('Date', 'packet_id'), IntegerType('Length', 'length'), DataType('Data', combined_fd=combined_fd) ], table='connection', where='inode_id="%s" ' % combined_fd.lookup_id(), case=query['case'])
def render_pane(self, branch, query, result, condition='1'): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch) == 1: result.heading("Show executables found in memory") result.text("This statistic show the executables found in memory") else: t = branch[1].replace("__", '/') result.table( elements=[ StringType(column='iosource', name='IOSource'), IntegerType(column='filename', name='File Name'), IntegerType(column='pid', name='Process ID') ], table='open_files', where=condition, case=self.case, )
def Annotated_IPs(query, result): result.table( elements = [ IntegerType('id','id'), IPType('ip', 'ip'), StringType('Notes', 'notes'), StringType('Category', 'category') ], table = 'interesting_ips', case = query['case'], filter="filter3", )
def render_pane(self, branch, query, result, condition='1'): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch) >= 1: result.table( elements=[ StringType(column='iosource', name='IOSource'), IntegerType(column='pid', name='PID'), StringType(column='path', name="Path"), ## Render base address in Hex: IntegerType(column="base", name="Base", callback=lambda x: "0x%08X" % x), IntegerType(column="size", name="Size") ], table='modules', where=condition, case=self.case, )
def streams(query, result): result.table(elements=[ IntegerType("FTP Session id", "ftp_session_id", link=query_type(family="Network Forensics", case=query['case'], report="Browse FTP Data")), TimestampType("Time Created", "time_created"), StringType("Purpose", "purpose"), InodeIDType(case=query['case']) ], table='ftp_data_streams', case=query['case'])
def commands(query, result): result.table(elements=[ IntegerType("FTP Session id", "ftp_session_id", link=query_type(family="Network Forensics", case=query['case'], report="Browse FTP Data")), StringType("Command Type", "command_type"), StringType("Command", "command"), StringType("Data", "data") ], table='ftp_commands', case=query['case'])
def sessions(query, result): result.table( elements=[ #IntegerType("FTP Session id", "ftp_session_id"), InodeIDType(case=query['case']), TimestampType("Start Time", "start_time"), IPType("Client IP", "client_ip", case=query['case']), IPType("Server IP", "server_ip", case=query['case']), StringType("Username", "username"), StringType("Password", "password"), StringType("Server Banner", "server_banner"), IntegerType("Total bytes", "total_bytes") ], table="ftp_sessions", case=query['case'])
def tabular_view(query, result): result.table( elements=[ InodeIDType(case=query['case']), StringType(name='Mode', column='mode', table='file'), FilenameType(case=query['case']), DeletedType(), IntegerType(name='File Size', column='size'), TimestampType(name='Last Modified', column='mtime'), TimestampType(name='Last Accessed', column='atime'), TimestampType(name='Created', column='ctime'), ], table='inode', case=query['case'], filter="filter1", )
def display(self,query,result): try: result.table( elements = [ ThumbnailType(name='Thumbnail',case=query['case']), FilenameType(case=query['case']), StringType('Type','type'), IntegerType('Size','size', table='inode'), TimestampType(name='Timestamp',column='mtime', table='inode') ], table = 'type', case = query['case'] ) except DB.DBError,e: result.para("Error reading the type table. Did you remember to run the TypeScan scanner?") result.para("Error reported was:") result.text(e,style="red")
def pane_cb(path,tmp): fsfd = FileSystem.DBFS( query["case"]) if not fsfd.isdir(path): path=posixpath.dirname(path) new_query = make_new_query(query, path + '/') tmp.table( elements = [ InodeIDType(case=query['case']), FilenameType(basename=True, case=query['case'], link = new_query, link_pane = 'parent'), IntegerType('File Size','size'), ], table='inode', where=DB.expand("file.path=%r and file.mode!='d/d'", (path+'/')), case=query['case'], pagesize=10, filter="filter2", )
def render_pane(self, branch, query, result): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch)==1: result.heading("Show file types") result.text("This statistic allows different file types to be examined") else: t = branch[1].replace("__",'/') result.table( elements = [ AFF4URN(case = self.case), FilenameType(case = self.case, link_pane='main'), IntegerType('Size','size', table='vfs'), TimestampType('Timestamp','mtime', table='vfs'), StringType('Mime', 'mime', table='type')], table = 'type', where = DB.expand('type.type=%r ', t), case = self.case, )
def render_pane(self, branch, query, result): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch) == 1: result.heading("Show infected files") result.text("Lists all the files infected with a particular virus") else: t = branch[1].replace("__", '/') result.table( elements=[ AFF4URN(case=self.case), FilenameType(case=self.case), IntegerType('Size', 'size', table='inode'), TimestampType('Timestamp', 'mtime', table='inode') ], table='virus', where='virus.virus = %r ' % t, case=self.case, )
def parse(self, query, datafile='datafile'): LogFile.Log.parse(self, query, datafile) self.datafile = query.getarray(datafile) # set these params, then we can just use SimpleLog's get_fields self.delimiter = re.compile(' ') self.prefilters = ['PFDateFormatChange2'] if self.datafile: query.clear('fields') for f in self.find_fields_line(): query['fields'] = f # now for the IIS magic, the code below sets up the # fields, types, and indexes arrays req'd by load # replaces the need for the form in SimpleLog # try to guess types based on known field-names, not perfect... # automatically index the non-varchar fields, leave the rest self.fields = [] ## Note the original log file has -ip, -status etc, but after ## MakeSQLSafe dashes turn to underscores. for field in query.getarray('fields'): if field == 'time': tmp = TimestampType('Timestamp', 'timestamp') tmp.index = True self.fields.append(tmp) elif '_ip' in field: tmp = IPType('IP Address', 'IP Address') tmp.index = True self.fields.append(tmp) elif '_status' in field or '_bytes' in field: tmp = IntegerType(field, field) tmp.index = True self.fields.append(tmp) else: tmp = StringType(field, field) tmp.index = True self.fields.append(tmp)
table='dictionary', ## Class names starting with _ are private and should not ## be user selectable: where="left(class,1) != '_' ", case=None, ) result.row(table, form, valign='top') class OffsetType(IntegerType): hidden = True LogCompatible = False def __init__(self, case, table='LogicalIndexOffsets'): self.case = case IntegerType.__init__(self, name='Offset', column='offset', table=table) def select(self): return "concat(%s, ',', %s)" % (self.escape_column_name('offset'), self.escape_column_name('length')) def display(self, value, row, result): offset, length = value.split(",") inode = row['Inode'] query = query_type(case=self.case, family="Disk Forensics", report='ViewFile', mode='HexDump', inode_id=inode, offset=offset, hexlimit=max(int(offset) - 50, 0),
if not os.path.isdir(full_filename): s = os.stat(full_filename) dbh.mass_insert(filename = filename, _timestamp = "from_unixtime(%d)" % s.st_mtime, size = s.st_size) except OSError: pass dbh.mass_insert_commit() except OSError,e: pass new_query=query.clone() new_query['__target__'] = name new_query['__target_type__'] = 'append' elements = [ IntegerType(name='Size', column='size'), TimestampType(name='Timestamp', column='timestamp'), StringType(name='Filename', column='filename', link = new_query, link_pane='parent' ) ] ## Now display the table widget: result.table( elements = elements, table = tablename, case = case, order = 2, direction = 1 ) ## Submit all the nodes in the display:
filename=filename, _timestamp="from_unixtime(%d)" % s.st_mtime, size=s.st_size) except OSError: pass dbh.mass_insert_commit() except OSError, e: pass new_query = query.clone() new_query['__target__'] = name new_query['__target_type__'] = 'append' elements = [ IntegerType(name='Size', column='size'), TimestampType(name='Timestamp', column='timestamp'), StringType(name='Filename', column='filename', link=new_query, link_pane='parent') ] ## Now display the table widget: result.table(elements=elements, table=tablename, case=case, order=2, direction=1) ## Submit all the nodes in the display:
base_stream_inode = value tmp.link(value,target = FlagFramework.query_type((), family='Disk Forensics', case=query['case'], inode=base_stream_inode, report='View File Contents', mode="Combined streams" )) return tmp def text_cb(value, **options): tmp = result.__class__(result) tmp.text(value, **options) return tmp result.table( elements = [ IntegerType('ID','id'), PCAPTime("Timestamp","packet_id"), InodeType("Stream","inode", link = query_type(family='Disk Forensics', case=query['case'], __target__='inode', report='View File Contents', mode="Combined streams"), case=query['case']), IntegerType("Packet", 'packet_id', link = query_type(family="Network Forensics", case=query['case'], report='View Packet', __target__='inode')), StringType("Command",'command'), StringType("Sender Nick","sender"),
def vfs_popup(query, result): if not query.has_key('case'): result.heading("No case selected") else: import pyflag.FileSystem as FileSystem def make_new_query(query, path=''): case = query['case'] new_query = query.clone() new_query['__target__'] = name new_query['__target_type__'] = 'append' new_query['__target_format__'] = "vfs://%s%s%%s" % (case, path) new_query.poparray('callback_stored') return new_query def tree_view_cb(query, result): def tree_cb(path): fsfd = FileSystem.DBFS(query['case']) query.default("path", '/') if not path.endswith('/'): path = path + '/' dirs = [] for i in fsfd.dent_walk(path): if i['mode'] == "d/d" and i[ 'status'] == 'alloc' and i[ 'name'] not in dirs: dirs.append(i['name']) yield (([i['name'], i['name'], 'branch'])) def pane_cb(path, tmp): fsfd = FileSystem.DBFS(query["case"]) if not fsfd.isdir(path): path = posixpath.dirname(path) new_query = make_new_query(query, path + '/') tmp.table( elements=[ InodeIDType(case=query['case']), FilenameType(basename=True, case=query['case'], link=new_query, link_pane='parent'), IntegerType('File Size', 'size'), ], table='inode', where=DB.expand( "file.path=%r and file.mode!='d/d'", (path + '/')), case=query['case'], pagesize=10, filter="filter2", ) result.tree(tree_cb=tree_cb, pane_cb=pane_cb, branch=['']) def table_view_cb(query, result): case = query['case'] new_query = make_new_query(query, '') result.table(elements=[ InodeIDType(), FilenameType(case=case, link=new_query, link_pane='parent'), IntegerType('File Size', 'size') ], table='inode', case=case, order=2, direction=1)
def __init__(self, case, table='LogicalIndexOffsets'): self.case = case IntegerType.__init__(self, name='Offset', column='offset', table=table)