def _get_info(self, binary: bytes): cert = self._load_certificate(binary) if cert is None: return {"error": "invalid certificate"} return { "serial_number": str(cert.serial_number), "version": cert.version.name, "extensions": self._parse_extensions(cert.extensions._extensions), "nor_valid_after": Time.change_output_date_format_from_epoch( cert.not_valid_after.timestamp()), "nor_valid_before": Time.change_output_date_format_from_epoch( cert.not_valid_before.timestamp()), "issuer": cert.issuer.rfc4514_string(), "subject": cert.subject.rfc4514_string(), "signature": cert.signature.hex(), "signature_algorithm_hash": cert.signature_hash_algorithm.name, "signature_algorithm": cert.signature_algorithm_oid._name, "key_size": cert.public_key().key_size, "public_key": self._parse_dict_value(cert.public_key().public_numbers().__dict__) }
def get_stat_info(self): stat = os.stat(self._path) result = {} result["st_atime"] = Time.change_output_date_format_from_epoch(stat.st_atime) result["st_ctime"] = Time.change_output_date_format_from_epoch(stat.st_ctime) result["st_mtime"] = Time.change_output_date_format_from_epoch(stat.st_mtime) result["st_gid"] = stat.st_gid result["st_uid"] = stat.st_uid result["st_size"] = stat.st_size result["st_mode"] = stat.st_mode result["st_device"] = stat.st_dev try: #it depends on SO result["st_blocks"] = stat.st_blocks except: pass try: #it depends on SO result["st_blksize"] = stat.st_blksize except: pass try: #it depends on SO result["st_birthtime"] = stat.st_birthtime except: pass try: #it depends on SO result["st_flags"] = stat.st_flags except: pass return result
def __init__(self, **kwargs): self.path = kwargs.get("path") self.browser = kwargs.get("browser") self.site_url = kwargs.get("site_url", None) self.tab_url = kwargs.get("tab_url", None) self.target_path = kwargs.get("target_path", None) self.start_time = Time.change_output_date_format_from_epoch(kwargs.get("start_time", None)) self.end_time = Time.change_output_date_format_from_epoch(kwargs.get("end_time", None)) self.mime_type = kwargs.get("mime_type", None) self.received_bytes = kwargs.get("received_bytes", None) self.total_bytes = kwargs.get("total_bytes", None)
def _get_system_info(self, parsed): event_id = parsed["Event"]["System"]["EventID"] if isinstance(event_id, OrderedDict): id = int(event_id["#text"]) else: id = int(event_id) timestamp = parsed["Event"]["System"]["TimeCreated"]["@SystemTime"] try: timestamp_parsed = datetime.datetime.strptime( timestamp, '%Y-%m-%d %H:%M:%S.%f UTC') except: try: timestamp_parsed = datetime.datetime.strptime( timestamp, '%Y-%m-%d %H:%M:%S UTC') except: return {"error": "invalid timestamp:" + timestamp} return { "EventID": id, "EventRecordID": parsed["Event"]["System"]["EventRecordID"], "Timestamp": Time.change_output_date_format_from_epoch( timestamp_parsed.timestamp()), "Level": parsed["Event"]["System"]["Level"], "Channel": parsed["Event"]["System"]["Channel"], "Computer": parsed["Event"]["System"]["Computer"], }
def _parse_prefecth_file(self, path: str): scca = pyscca.open(path) all_strings = [] for entry_index, file_metrics in enumerate(scca.file_metrics_entries): all_strings.append(file_metrics.filename) last_run_times = [] for exe_timestamp in range(scca.run_count): try: if scca.get_last_run_time_as_integer(exe_timestamp) > 0: time = Time.change_output_date_format_from_epoch( scca.get_last_run_time(exe_timestamp).replace( tzinfo=timezone.utc).timestamp()) last_run_times.append(time) except OSError: # No hay mas fechas de ejecucion guardadas break volume_serial_number = [] volume_device_path = [] volume_timestamp = [] for volume_information in iter(scca.volumes): volume_serial_number.append( format(volume_information.serial_number, 'x').upper()) volume_device_path.append(str(volume_information.device_path)) volume_timestamp.append( Time.change_output_date_format_from_epoch( volume_information.creation_time.replace( tzinfo=timezone.utc).timestamp())) return { "version": scca.format_version, "executable_file_name": str(scca.executable_filename), "hash": format(scca.prefetch_hash, 'x').upper(), "number_of_files_accessed": scca.number_of_file_metrics_entries, "directories_accessed": all_strings, "number_of_volumes": scca.number_of_volumes, "run_counts": scca.run_count, "last_run_times": last_run_times, "volume_timestamp": volume_timestamp, "volume_device_path": volume_device_path, "volume_serial_number": volume_serial_number }
def _get_computer_name(self, reg: RegistryHive): names = [] for subkey_path in reg.get_control_sets( r'Control\ComputerName\ComputerName'): subkey = reg.get_key(subkey_path) try: names.append({ 'name': subkey.get_value('ComputerName'), 'timestamp': Time.change_output_date_format_from_epoch( subkey.header.last_modified) }) except RegistryValueNotFoundException as ex: continue return names
def _get_usbstorage(self, reg: RegistryHive): usbs = [] try: for subkey_path in reg.get_control_sets(r'Enum\USBSTOR'): subkey = reg.get_key(subkey_path) for usb in subkey.iter_subkeys(): usbs.append({ 'device': usb.name, 'timestamp': Time.change_output_date_format_from_epoch( usb.header.last_modified) }) except: return None return usbs
def _get_recursive(self, pypff_folder: pypff.folder, target_file: TargetFile) -> List: result = [] for item in pypff_folder.sub_items: if isinstance(item, pypff.folder): n_messages = item.get_number_of_sub_messages() if n_messages > 0: index = 0 while index < n_messages: item_message = item.get_sub_message(index) message = {} try: message["path"] = target_file.get_path() message["folder"] = item.name message[ "identifier"] = item_message.get_identifier() message["subject"] = item_message.get_subject() message[ "creation_time"] = Time.change_output_date_format_from_epoch( item_message.get_creation_time().timestamp( )) message[ "delivery_time"] = Time.change_output_date_format_from_epoch( item_message.get_delivery_time().timestamp( )) message[ "client_submit_time"] = Time.change_output_date_format_from_epoch( item_message.get_client_submit_time( ).timestamp()) message[ "sender_name"] = item_message.get_sender_name( ) message[ "headers"] = item_message.get_transport_headers( ) message["html_body"] = item_message.get_html_body().decode() \ if item_message.get_html_body() is not None else "" message["plain_text_body"] = item_message.get_plain_text_body().decode() \ if item_message.get_plain_text_body() is not None else "" message[ "n_attachments"] = item_message.get_number_of_attachments( ) if item_message.get_number_of_attachments() > 0: message["attachments"] = [] for i in range( 0, item_message.get_number_of_attachments( )): base_path_to_save = message[ "folder"] + "/" + str( message["identifier"] ) + "/attachment/" + str(i) file_size = item_message.get_attachment( i).get_size() binary = item_message.get_attachment( i).read_buffer(file_size) path_saved = Safe.create_file( os.path.join("./pstostparser", base_path_to_save), binary) message["attachments"].append(path_saved) result.append(message) except: pass index += 1 result.extend(self._get_recursive(item, target_file)) return result
def preprocess_element(self, element: dict): if element: now = Time.get_utc_timestamp() element[ "timestamp_indexed"] = Time.change_output_date_format_from_epoch( now)
def _get_interesing_info(self, record): mft_object = {} if 'baad' in record: mft_object["error"] = "BAAD MFT Record" return mft_object mft_object["filename"] = record['filename'] mft_object["size"] = record["size"] if mft_object["size"] == 0: return None mft_object["alloc_sizef"] = record["alloc_sizef"] if "recordnum" in record: mft_object["recordnum"] = record['recordnum'] if "flags" in record: mft_object["active"] = record['flags'] & 0x0001 mft_object["folder"] = True if int( record['flags']) & 0x0002 else False mft_object["file"] = not mft_object["folder"] if 'corrupt' in record: mft_object["error"] = "Corrupt MFT Record" return mft_object if "seq" in record: mft_object["seq"] = record['seq'] mft_object["sicrtime"] = None mft_object["simtime"] = None mft_object["siatime"] = None mft_object["sictime"] = None mft_object["fncrtime"] = None mft_object["fnmtime"] = None mft_object["fnatime"] = None mft_object["fnctime"] = None if 'si' in record: mft_object["sicrtime"] = Time.change_output_date_format_from_epoch( record['si']['crtime']) mft_object["simtime"] = Time.change_output_date_format_from_epoch( record['si']['mtime']) mft_object["siatime"] = Time.change_output_date_format_from_epoch( record['si']['atime']) mft_object["sictime"] = Time.change_output_date_format_from_epoch( record['si']['ctime']) if record['fncnt'] > 0: mft_object["fncrtime"] = Time.change_output_date_format_from_epoch( record['fn', 0]['crtime']) mft_object["fnmtime"] = Time.change_output_date_format_from_epoch( record['fn', 0]['mtime']) mft_object["fnatime"] = Time.change_output_date_format_from_epoch( record['fn', 0]['atime']) mft_object["fnctime"] = Time.change_output_date_format_from_epoch( record['fn', 0]['ctime']) if 'objid' in record: mft_object["objid"] = record['objid']['objid'] mft_object["orig_volid"] = record['objid']['orig_volid'] mft_object["orig_objid"] = record['objid']['orig_objid'] mft_object["orig_domid"] = record['objid']['orig_domid'] if 'notes' in record: # Log of abnormal activity related to this record mft_object["notes"] = record['notes'] mft_object["ads"] = record['ads'] return mft_object