def pane_cb(path, tmp):
query['order'] = 'Filename'
## If we are asked to show a file, we will show the
## contents of the directory the file is in:
fsfd = FileSystem.DBFS(query["case"])
if not fsfd.isdir(path):
path = os.path.dirname(path)
tmp.table(
elements=[
InodeIDType(case=query['case']),
FilenameType(basename=True, case=query['case']),
DeletedType(),
IntegerType('File Size', 'size'),
TimestampType('Last Modified', 'mtime'),
StringType('Mode', 'mode', table='file')
],
table='inode',
where=DB.expand("file.path=%r and file.mode!='d/d'",
(path + '/')),
case=query['case'],
pagesize=10,
filter="filter2",
)
target = tmp.defaults.get('open_tree', '/')
tmp.toolbar(text=DB.expand("Scan %s", target),
icon="examine.png",
link=query_type(family="Load Data",
report="ScanFS",
path=target,
case=query['case']),
pane='popup')
def display(self, query, result):
if not query.has_key('table'):
result.heading("Delete a table from this case")
def DeleteIcon(value):
tmp = result.__class__(result)
target = query.clone()
target.set('table', value)
tmp.link("Delete", icon="no.png", target=target)
return tmp
result.table(elements=[
ColumnType("Delete?", 'table_name', callback=DeleteIcon),
StringType("Table Name", 'table_name'),
StringType("Type", "preset"),
],
table="log_tables",
case=query['case'])
elif query.has_key('confirm'):
LogFile.drop_table(query['case'], query['table'])
result.refresh(
0,
query_type(family=query['family'],
case=query['case'],
report=query['report']))
else:
result.heading("About to remove %s" % query['table'])
query['confirm'] = 1
result.link(
"Are you sure you want to drop table %s. Click here to confirm"
% query['table'], query)
def test01CreatePreset(self):
""" Test that IIS Presets can be created """
dbh = DB.DBO(self.test_case)
log = IISLog(case=self.test_case)
query = query_type(datafile=self.test_file, log_preset=self.log_preset)
log.parse(query)
log.store(self.log_preset)
def test03CreateAnotherPreset(self):
""" Another setup test for Simple log file preset ... """
dbh = DB.DBO(self.test_case)
myLog = SimpleLog(case=self.test_case)
myQuery = query_type(datafile=self.test_file_two,
log_preset=self.log_preset_two,
delimiter=",",
field0="AString",
field1="SomeNumber",
field2="FirstIP",
field3="BString",
field4="SecondIP",
field5="OtherNumber",
field6="ThirdIP",
type0="StringType",
type1="IntegerType",
type2="IPType",
type3="StringType",
type4="IPType",
type5="IntegerType",
type6="IPType")
myLog.parse(myQuery)
myLog.store(self.log_preset_two)
def pane_cb(path,tmp):
query['order']='Filename'
## If we are asked to show a file, we will show the
## contents of the directory the file is in:
fsfd = FileSystem.DBFS( query["case"])
if not fsfd.isdir(path):
path=os.path.dirname(path)
tmp.table(
elements = [ InodeIDType(case=query['case']),
FilenameType(basename=True, case=query['case']),
DeletedType(),
IntegerType('File Size','size'),
TimestampType('Last Modified','mtime'),
StringType('Mode','mode', table='file') ],
table='inode',
where=DB.expand("file.path=%r and file.mode!='d/d'", (path+'/')),
case=query['case'],
pagesize=10,
filter="filter2",
)
target = tmp.defaults.get('open_tree','/')
tmp.toolbar(text=DB.expand("Scan %s",target),
icon="examine.png",
link=query_type(family="Load Data", report="ScanFS",
path=target,
case=query['case']), pane='popup'
)
def pane_cb(path, result):
query['order'] = 'Filename'
if path == '': path = '/'
## If we are asked to show a file, we will show the
## contents of the directory the file is in:
fsfd = FileSystem.DBFS(query["case"])
if not fsfd.isdir(path):
path = os.path.dirname(path)
self.make_table_widget(
['URN', 'Name', 'Size', 'Modified'],
query,
result,
where=DB.expand(
"path=%r and (isnull(type) or type!='directory')",
(path)),
)
result.toolbar(text=DB.expand("Scan %s", path),
icon="examine.png",
link=query_type(family="Load Data",
report="ScanFS",
path=path,
case=query['case']),
pane='popup')
def test03CreateAnotherPreset(self):
""" Another setup test for Simple log file preset ... """
dbh = DB.DBO(self.test_case)
myLog = SimpleLog(case=self.test_case)
myQuery = query_type(datafile = self.test_file_two, log_preset=self.log_preset_two,
delimiter=",",
field0="AString",
field1="SomeNumber",
field2="FirstIP",
field3="BString",
field4="SecondIP",
field5="OtherNumber",
field6="ThirdIP",
type0="StringType",
type1="IntegerType",
type2="IPType",
type3="StringType",
type4="IPType",
type5="IntegerType",
type6="IPType"
)
myLog.parse(myQuery)
myLog.store(self.log_preset_two)
def test01CreatePreset(self):
""" Test that Simple Presets can be created """
dbh = DB.DBO(self.test_case)
log = SimpleLog(case=self.test_case)
query = query_type(datafile=self.test_file,
log_preset=self.log_preset,
delimiter="\s+",
field0="Time",
field1="Protocol",
field2="SourceIP",
field3="SourcePort",
field4="DestIP",
field5="DestPort",
field6="Bytes",
type0="EpochTimestamp",
type1="IntegerType",
type2="IPType",
type3="IntegerType",
type4="IPType",
type5="IntegerType",
type6="IntegerType",
index0="yes",
index1="yes",
index2="yes",
index4="yes",
index5="yes")
log.parse(query)
log.store(self.log_preset)
def display(self,query, result):
if not query.has_key('table'):
result.heading("Delete a table from this case")
def DeleteIcon(value):
tmp=result.__class__(result)
target = query.clone()
target.set('table',value)
tmp.link("Delete", icon="no.png",
target=target)
return tmp
result.table(
elements = [ ColumnType("Delete?",'table_name',
callback = DeleteIcon),
StringType("Table Name",'table_name'),
StringType("Type", "preset"),
],
table="log_tables",
case=query['case']
)
elif query.has_key('confirm'):
LogFile.drop_table(query['case'] , query['table'])
result.refresh(0, query_type(family=query['family'], case=query['case'],
report=query['report']))
else:
result.heading("About to remove %s" % query['table'])
query['confirm']=1
result.link("Are you sure you want to drop table %s. Click here to confirm"% query['table'], query)
def DeleteIcon(value):
tmp=result.__class__(result)
tmp.link("Delete", icon="no.png",
target=query_type(family=query['family'],
report='RemoveLogPreset',
log_preset=value))
return tmp
def test01CreatePreset(self):
""" Test that Simple Presets can be created """
dbh = DB.DBO(self.test_case)
log = SimpleLog(case=self.test_case)
query = query_type(datafile = self.test_file, log_preset=self.log_preset,
delimiter="\s+",
field0="Time",
field1="Protocol",
field2="SourceIP",
field3="SourcePort",
field4="DestIP",
field5="DestPort",
field6="Bytes",
type0="EpochTimestamp",
type1="IntegerType",
type2="IPType",
type3="IntegerType",
type4="IPType",
type5="IntegerType",
type6="IntegerType",
index0="yes",
index1="yes",
index2="yes",
index4="yes",
index5="yes")
log.parse(query)
log.store(self.log_preset)
class Log:
""" This base class abstracts Loading of log files.
Log files are loaded through the use of log file drivers. These
drivers extend this class, possibly providing new methods for form
and field, and potentially even read_record.
"""
name = "BaseClass"
datafile = None
query = query_type()
def parse(self, query, datafile="datafile"):
""" Parse all options from query and update ourselves.
This may be done several times during the life of an
object. We need to ensure that we completely refresh all data
which is unique to our instance.
Note that you may or may not be provided with a datafile
here. Its ok to parse the datafile to get some important
information (e.g. number of columns etc) if its provided but
you must save those details in the query so you can retrieve
them from the query in the case you dont have a datafile.
The important requirement here is that you must be able to
completely parse an instance of the driver from a query string
and nothing else (because thats how it gets stored in the db).
"""
self.query = query
def __init__(self, case=None):
self.case = case
def display(self,query,result):
result.heading("New log file preset %s created" % query['log_preset'])
result.link("Load a log file", query_type(case=None,
family='Load Data',
report='LoadPresetLog',
log_preset=query['log_preset']))
return result
def test01CreatePreset(self):
""" Test that EventLog Presets can be created """
dbh = DB.DBO(self.test_case)
log = EventLogLog(case=self.test_case)
query = query_type(datafile=self.test_file, log_preset=self.log_preset)
log.parse(query)
log.store(self.log_preset)
def test01CreatePreset(self):
""" Test that Advanced Presets can be created """
dbh = DB.DBO(self.test_case)
log = AdvancedLog(case=self.test_case)
query = query_type(datafile = self.test_file, log_preset=self.log_preset,
field_param_1_name="Timestamp",
field_param_1_column="time",
field_param_1_format="%b %d %H:%M:%S",
field_param_1_override_year="2007",
field_types1="TimestampType",
field_types2="StringType",
field_param_2_name = "Host",
field_param_2_column = 'host',
field_types3="StringType",
field_param_3_name ="Service",
field_param_3_column = "service",
field_types4="PadType",
field_param_4_regex = "(\[[^\]]+\])?",
field_types5="StringType",
field_param_5_name = "Message",
field_param_5_column = 'messages',
field_param_5_regex = '.*',
)
log.parse(query)
log.store(self.log_preset)
def end(query,result):
""" This is typically the last wizard callback - we just refresh
into the load preset log file report"""
query['log_preset'] = 'test'
result.refresh(0, query_type(preset=query['log_preset'],
report="Load Preset Log File",
family="Load Data"),
pane='parent')
def test01CreatePreset(self):
""" Create a preset """
## First create a preset
log = ApacheLog(case=self.test_case)
log.parse(query_type(formats['debian_common'],
datafile = self.datafile))
log.store(self.log_preset)
def DeleteIcon(value):
tmp = result.__class__(result)
tmp.link("Delete",
icon="no.png",
target=query_type(family=query['family'],
report='RemoveLogPreset',
log_preset=value))
return tmp
def display(self, query, result):
LogFile.drop_preset(query['log_preset'])
result.heading("Deleted preset %s from the database" %
query['log_preset'])
result.link(
"Manage more Presets",
query_type(family=query['family'], report="Manage Log Presets"))
def restore(self, name):
""" Restores the table from the log tables (This is the
opposite of self.store(name))
"""
dbh = DB.DBO()
dbh.execute("select * from log_presets where name=%r limit 1" , name)
row = dbh.fetch()
self.query = query_type(string=row['query'])
self.name = name
def restore(self, name):
""" Restores the table from the log tables (This is the
opposite of self.store(name))
"""
dbh = DB.DBO()
dbh.execute("select * from log_presets where name=%r limit 1", name)
row = dbh.fetch()
self.query = query_type(string=row['query'])
self.name = name
def end(query, result):
""" This is typically the last wizard callback - we just refresh
into the load preset log file report"""
query['log_preset'] = 'test'
result.refresh(0,
query_type(preset=query['log_preset'],
report="Load Preset Log File",
family="Load Data"),
pane='parent')
def display(self,query,result):
result.heading("Chat sessions")
def Stream_cb(value):
tmp = result.__class__(result)
try:
base_stream_inode = value[:value.index('/')]
except IndexError:
base_stream_inode = value
tmp.link(value,target = FlagFramework.query_type((),
family='Disk Forensics', case=query['case'],
inode=base_stream_inode,
report='View File Contents', mode="Combined streams"
))
return tmp
def text_cb(value, **options):
tmp = result.__class__(result)
tmp.text(value, **options)
return tmp
result.table(
elements = [ IntegerType('ID','id'),
PCAPTime("Timestamp","packet_id"),
InodeType("Stream","inode",
link = query_type(family='Disk Forensics',
case=query['case'],
__target__='inode',
report='View File Contents',
mode="Combined streams"),
case=query['case']),
IntegerType("Packet", 'packet_id',
link = query_type(family="Network Forensics",
case=query['case'],
report='View Packet',
__target__='inode')),
StringType("Command",'command'),
StringType("Sender Nick","sender"),
StringType("Recipient", 'recipient'),
StringType("Text",'data') ],
table = "irc_messages" ,
case = query['case']
)
def operator_hit(self, column, operator, arg):
""" Search for a hit in the dictionary """
## Try to work out if we need to reindex:
reindex = False
dbh = DB.DBO()
dbh.execute("select id from dictionary where word = %r limit 1", arg)
row = dbh.fetch()
if self.ui:
## If the word is not in the dictionary, we definitely want to reindex
if not row:
count, total, tables, sql = self.outstanding_inodes()
message = "Word %s is not in the dictionary" % arg
## If the word is in the dictionary we want to know how may
## inodes are outdated
else:
count, total, tables, sql = self.outstanding_inodes(
word_id=row['id'])
message = "There are some inodes which are not up to date"
## Any inodes to process?
if count > 0:
reindex = True
## We do not need to reindex - just do it
if not reindex:
return DB.expand(
"(%s = %s)",
(self.escape_column_name(self.column), row.get('id', 0)))
## Allow the user to reindex the currently selected set of
## inodes with a new dictionary based on the new word
self.ui.heading(message)
self.ui.para(
"This will affect %s inodes and require rescanning %s bytes" %
(count, total))
## Make up the link for the use:
context = FlagFramework.STORE.put(
dict(tables=tables,
inode_sql=sql,
previous_query=self.ui.defaults,
target='parent_pane',
where=self.table_where_clause))
link = query_type(report="Add Word",
family="Keyword Indexing",
case=self.case,
context=context,
word=arg)
self.ui.link("Click here to scan these inodes", link, pane='self')
## Ok - Show the error to the user:
raise self.ui
def display(self, query,result):
result.heading("Table Tests")
## Tables need to act on the DB so we create a temporary table
## just for this test:
dbh=DB.DBO()
dbh.cursor.warnings=False
dbh.execute("drop table if exists TestTable")
dbh.execute("""create TABLE `TestTable` (
`id` int(11) NOT NULL auto_increment,
`time` TIMESTAMP,
`data` tinyblob NOT NULL,
`foobar` varchar(10),
`ip_addr` int(11) unsigned default 0,
PRIMARY KEY (`id`)
)""")
dbh.mass_insert_start("TestTable")
dbh.insert("TestTable", _time="from_unixtime(1147329821)", data="Some Data",
foobar="X", _ip_addr="inet_aton('192.168.1.1')")
dbh.insert("TestTable", _time="from_unixtime(1147329831)", data="More Data",
foobar="Y", _ip_addr="inet_aton('192.168.1.22')")
dbh.insert("TestTable", _time="from_unixtime(1147329841)", data="Some More Data",
foobar="Z", _ip_addr="inet_aton('192.168.1.23')")
dbh.insert("TestTable", _time="from_unixtime(1147329851)", data="Another Lot of Data",
foobar="Q", _ip_addr="inet_aton('192.168.1.55')")
for i in range(0,100):
dbh.mass_insert(_time="from_unixtime(%s)" % (1147329851+i), data="Data %s" % i, foobar=i)
dbh.mass_insert_commit()
def foobar_cb(value):
return "foo %s" % value
result.table(
## Can use keyword args
elements = [ TimestampType(name = 'Timestamp',
column = 'time',
),
## Or positional args
StringType('Data', 'data',
link = query_type(
family=query['family'], report='FormTest',__target__='var1')),
StringType('Foobar', 'foobar', callback=foobar_cb),
## Note that here we just need to specify the
## field name in the table, the IPType will
## automatically create the translated SQL.
IPType('IP Address', 'ip_addr'),
],
table = "TestTable",
)
def commands(query, result):
result.table(
elements = [ IntegerType("FTP Session id", "ftp_session_id",
link = query_type(family = "Network Forensics",
case = query['case'],
report = "Browse FTP Data")),
StringType("Command Type", "command_type"),
StringType("Command", "command"),
StringType("Data", "data")],
table = 'ftp_commands',
case = query['case'])
def streams(query, result):
result.table(
elements = [ IntegerType("FTP Session id", "ftp_session_id",
link = query_type(family = "Network Forensics",
case = query['case'],
report = "Browse FTP Data")),
TimestampType("Time Created", "time_created"),
StringType("Purpose", "purpose"),
AFF4URN(case=query['case'])],
table = 'ftp_data_streams',
case = query['case'])
def ipid_plot(self, query, result):
new_query = query_type(family="Network Forensics", report="IPIDPlot",\
case=query["case"], pane="self")
new_query.default("inode_list", self.inode)
new_query.default("time_off", 15)
graph_report = Registry.REPORTS.dispatch(family = 'Network Forensics',\
report = "IPIDPlot")(None, result)
result.start_form(new_query, pane='self')
graph_report.form(new_query, result)
result.end_form()
def ipid_plot(self, query, result):
new_query = query_type(family="Network Forensics", report="IPIDPlot",\
case=query["case"], pane="self")
new_query.default("inode_list", self.inode)
new_query.default("time_off", 15)
graph_report = Registry.REPORTS.dispatch(family = 'Network Forensics',\
report = "IPIDPlot")(None, result)
result.start_form(new_query, pane='self')
graph_report.form(new_query, result)
result.end_form()
def operator_hit(self, column, operator, arg):
""" Search for a hit in the dictionary """
## Try to work out if we need to reindex:
reindex = False
dbh = DB.DBO()
dbh.execute("select id from dictionary where word = %r limit 1", arg)
row = dbh.fetch()
if self.ui:
## If the word is not in the dictionary, we definitely want to reindex
if not row:
count, total, tables, sql = self.outstanding_inodes()
message = "Word %s is not in the dictionary" % arg
## If the word is in the dictionary we want to know how may
## inodes are outdated
else:
count, total, tables, sql = self.outstanding_inodes(word_id = row['id'])
message = "There are some inodes which are not up to date"
## Any inodes to process?
if count > 0:
reindex = True
## We do not need to reindex - just do it
if not reindex:
return DB.expand("(%s = %s)",
(self.escape_column_name(self.column),
row.get('id',0)))
## Allow the user to reindex the currently selected set of
## inodes with a new dictionary based on the new word
self.ui.heading(message)
self.ui.para("This will affect %s inodes and require rescanning %s bytes" % (count,total))
## Make up the link for the use:
context = FlagFramework.STORE.put(dict(tables = tables,
inode_sql = sql,
previous_query = self.ui.defaults,
target = 'parent_pane',
where = self.table_where_clause
))
link = query_type(report = "Add Word", family = "Keyword Indexing",
case = self.case,
context = context,
word = arg)
self.ui.link("Click here to scan these inodes", link,
pane = 'self')
## Ok - Show the error to the user:
raise self.ui
def test01CreatePreset(self):
""" Test that IPTables Presets can be created """
dbh = DB.DBO(self.test_case)
log = IPTablesLog(case=self.test_case)
query = query_type(datafile=self.test_file, log_preset=self.log_preset)
## Add all the possible columns here:
for row in IPTABLES_FIELDS:
query[row[0]] = 1
log.parse(query)
log.store(self.log_preset)
def commands(query, result):
result.table(elements=[
IntegerType("FTP Session id",
"ftp_session_id",
link=query_type(family="Network Forensics",
case=query['case'],
report="Browse FTP Data")),
StringType("Command Type", "command_type"),
StringType("Command", "command"),
StringType("Data", "data")
],
table='ftp_commands',
case=query['case'])
def streams(query, result):
result.table(elements=[
IntegerType("FTP Session id",
"ftp_session_id",
link=query_type(family="Network Forensics",
case=query['case'],
report="Browse FTP Data")),
TimestampType("Time Created", "time_created"),
StringType("Purpose", "purpose"),
InodeIDType(case=query['case'])
],
table='ftp_data_streams',
case=query['case'])
def display(self, value, row, result):
offset, length = value.split(",")
inode = row['Inode']
query = query_type(case=self.case,
family="Disk Forensics",
report='ViewFile',
mode='HexDump',
inode_id=inode,
offset = offset,
hexlimit=max(int(offset)-50,0),
highlight=offset,
highlight_length=length)
result.link(offset, query, pane='new')
return result
def email(query,output):
output.table(
elements = [ InodeType('Inode','inode',
link = query_type(case=query['case'],
family="Disk Forensics",
report='ViewFile',
__target__='inode',
inode="%s:0")),
TimestampType('Arrival Date','date'),
StringType('From','from'),
StringType('To', 'to'),
StringType('Subject', 'subject') ],
table=('email'),
case=query['case'],
filter="filter0",
)
return output
def open(case, iosource):
""" Opens the named iosource from the specified case """
## Try to get it from the cache first:
key = "%s|%s" % (case, iosource)
try:
image =IO_Cache.get(key)
except KeyError:
dbh = DB.DBO(case)
dbh.execute("select name,parameters from iosources where name=%r", iosource)
row = dbh.fetch()
if not row:
raise IOError("IO Source (%r) not created yet" % key)
query = query_type(string=row['parameters'])
image = Registry.IMAGES.dispatch(query['subsys'])()
IO_Cache.put(image, key=key)
return image.open(iosource,case)
def show_packets(self, query, result):
""" Shows the packets which belong in this stream """
combined_fd = self.get_combined_fd()
result.table(elements=[
IntegerType('Packet ID',
'packet_id',
link=query_type(family="Network Forensics",
report='View Packet',
case=query['case'],
open_tree="/eth/payload/payload/data",
__target__='id')),
PCAPTime('Date', 'packet_id'),
IntegerType('Length', 'length'),
DataType('Data', combined_fd=combined_fd)
],
table='connection',
where='inode_id="%s" ' % combined_fd.lookup_id(),
case=query['case'])
def display(self, query, result):
result.heading("Uploaded log file into database")
result.para(
"Successfully uploaded the following files into case %s, table %s:" % (query["case"], query["table"])
)
for fn in query.getarray("datafile"):
result.para(fn)
try:
if len(query["filter"]) > 1:
result.text("Log was filtered with: %s\n" % query["filter"], style="red")
except KeyError:
pass
result.link(
"Browse this log file",
query_type(case=query["case"], family="Log Analysis", report="ListLogFile", logtable=query["table"]),
)
return result
def plain_display_hook(self, value, row, result):
word_id, inode_id = value.split(',')
dbh = DB.DBO()
dbh.execute("select word, type from dictionary where id=%r limit 1", word_id)
row = dbh.fetch()
if not row: return "?"
if row['type'] in ['literal','regex']:
word = row['word'].decode("ascii", "ignore")
else:
## Force it to ascii for display
word = row['word'].decode("utf8")
result.link(word,
target = query_type(report="ViewInodeHits",
family="Keyword Indexing",
inode_id=inode_id,
word_id=word_id,
case = self.case),
tooltip="View All Hits in Inode")
def show_packets(self,query,result):
""" Shows the packets which belong in this stream """
combined_fd = self.get_combined_fd()
result.table(
elements = [ IntegerType('Packet ID','packet_id',
link = query_type(family="Network Forensics",
report='View Packet',
case=query['case'],
open_tree ="/eth/payload/payload/data",
__target__='id')),
PCAPTime('Date','packet_id'),
IntegerType('Length','length'),
DataType('Data', combined_fd = combined_fd)
],
table= 'connection',
where = 'inode_id="%s" ' % combined_fd.lookup_id(),
case=query['case']
)
def pane_cb(path,result):
query['order']='Filename'
if path=='': path='/'
## If we are asked to show a file, we will show the
## contents of the directory the file is in:
fsfd = FileSystem.DBFS( query["case"])
if not fsfd.isdir(path):
path=os.path.dirname(path)
self.make_table_widget(['URN','Name',
'Size','Modified'],
query, result,
where=DB.expand("path=%r and (isnull(type) or type!='directory')", (path)),)
result.toolbar(text=DB.expand("Scan %s",path),
icon="examine.png",
link=query_type(family="Load Data", report="ScanFS",
path=path,
case=query['case']), pane='popup'
)
def pane_cb(path, table):
tmp = result.__class__(result)
path = path + '/'
dbh.execute(
"select modified as time from reg where path=%r limit 1",
(path))
row = dbh.fetch()
try:
tmp.text("Last modified %s " % row['time'], style='red')
table.row(tmp)
except TypeError:
pass
def callback(value):
if len(value) > 50:
value = value[:50] + " ..."
return value
# now display keys in table
new_q['mode'] = 'display'
new_q['path'] = path
table.table(elements=[
StringType('Key',
'reg_key',
link=query_type(family=query['family'],
report='BrowseRegistryKey',
path=path,
__target__='key',
case=query['case'])),
StringType('Type', 'type'),
StringType('Value', 'value', callback=callback)
],
table='reg',
where=DB.expand("path=%r", path),
case=query['case'],
filter="filter2")
def pane_cb(path,table):
tmp=result.__class__(result)
path = path+'/'
dbh.execute("select modified as time from reg where path=%r limit 1",(path))
row=dbh.fetch()
try:
tmp.text("Last modified %s " % row['time'],style='red')
table.row(tmp)
except TypeError:
pass
def callback(value):
if len(value)>50:
value = value[:50] + " ..."
return value
# now display keys in table
new_q['mode'] = 'display'
new_q['path']=path
table.table(
elements = [ StringType('Key','reg_key',
link = query_type(family=query['family'],
report='BrowseRegistryKey',
path=path,
__target__='key',
case=query['case'])),
StringType('Type','type'),
StringType('Value','value', callback = callback) ],
table='reg',
where=DB.expand("path=%r", path),
case=query['case'],
filter = "filter2"
)
try:
result.text("Classified as %s by magic" % image.GetMagic())
except IOError, e:
result.text("Unable to classify file, no blocks: %s" % e)
image = None
except:
pass
names, callbacks = fd.make_tabs()
result.notebook(names=names, callbacks=callbacks, context="mode")
result.toolbar(text="Scan this File",
icon="examine.png",
link=query_type(family="Load Data",
report="ScanInode",
inode=query['inode'],
case=query['case']),
pane='pane')
def form(self, query, result):
result.defaults = query
result.case_selector()
result.textfield('Inode', 'inode')
return result
class MACTimes(FlagFramework.EventHandler):
def create(self, dbh, case):
dbh.execute("""create table if not exists mac(
`inode_id` INT NOT NULL default 0,
`status` varchar(8) default '',
def open(case, iosource):
""" Opens the named iosource from the specified case """
## Try to get it from the cache first:
key = "%s|%s" % (case, iosource)
try:
image = IO_Cache.get(key)
except KeyError:
dbh = DB.DBO(case)
dbh.execute("select name,parameters from iosources where name=%r",
iosource)
row = dbh.fetch()
if not row:
raise IOError("IO Source (%r) not created yet" % key)
query = query_type(string=row['parameters'])
image = Registry.IMAGES.dispatch(query['subsys'])()
IO_Cache.put(image, key=key)
return image.open(iosource, case)
## IO subsystem unit tests:
import unittest
import random, time
from hashlib import md5
def test_read_random(io1, io2, size, sample_size, number):
""" Tests if both ios return the same data for random input """
for i in range(0, number):
family='Disk Forensics', case=query['case'],
inode=base_stream_inode,
report='View File Contents', mode="Combined streams"
))
return tmp
def text_cb(value, **options):
tmp = result.__class__(result)
tmp.text(value, **options)
return tmp
result.table(
elements = [ IntegerType('ID','id'),
PCAPTime("Timestamp","packet_id"),
InodeType("Stream","inode",
link = query_type(family='Disk Forensics',
case=query['case'],
__target__='inode',
report='View File Contents',
mode="Combined streams"),
case=query['case']),
IntegerType("Packet", 'packet_id',
link = query_type(family="Network Forensics",
case=query['case'],
report='View Packet',
__target__='inode')),
StringType("Command",'command'),
StringType("Sender Nick","sender"),
StringType("Recipient", 'recipient'),
StringType("Text",'data') ],
table = "irc_messages" ,
case = query['case']
## Adjust all the filenames to be rooted at the UPLOADDIR:
for f in filenames:
## if "://" not in f:
## query['filename'] = posixpath.normpath(
## "%s/%s" % (config.UPLOADDIR, f))
## else:
query["filename"] = f
io = image.open(query["iosource"], query["case"], query)
except Exception, e:
pyflaglog.log(pyflaglog.WARNING, "Error instantiating driver: %s" % e)
raise Reports.ReportError(ui=result, exception=e)
## If we get here all went well - go to next step
result.refresh(
0, query_type(case=query["case"], family="Load Data", report="LoadFS", iosource=query["iosource"])
)
## def form(self,query,result):
## result.start_table()
## try:
## result.case_selector()
## result.ruler()
## subsystems=IO.subsystems.keys()
## result.const_selector("Select IO Subsystem",'subsys',subsystems,subsystems)
## #this will cause a form to be placed into result.
## fd=IO.IOFactory(query,result)
## result.textfield("Unique Data Load ID","iosource")
## except (KeyError, RuntimeError):
## pass
def display(self,query,result):
LogFile.drop_preset(query['log_preset'])
result.heading("Deleted preset %s from the database" % query['log_preset'])
result.link("Manage more Presets", query_type(family=query['family'],
report="Manage Log Presets"))
result.text("Unable to classify file, no blocks: %s" % e)
image = None
except:
pass
names, callbacks = fd.make_tabs()
result.notebook(
names=names,
callbacks=callbacks,
context="mode"
)
result.toolbar(text="Scan this File",icon="examine.png",
link=query_type(family="Load Data", report="ScanInode",
inode = query['inode'],
case=query['case']
),
pane = 'pane'
)
def form(self,query,result):
result.defaults = query
result.case_selector()
result.textfield('Inode','inode')
return result
class MACTimes(FlagFramework.EventHandler):
def create(self, dbh, case):
dbh.execute("""create table if not exists mac(
`inode_id` INT NOT NULL default 0,
`status` varchar(8) default '',