def _json_event_logs(self, is_win_xp): server = None # name of the target computer to get event logs, None to get logs from current computer if self.destination == 'local': with open(self.output_dir + '\\' + self.computer_name + '_evts' + self.rand_ext, 'wb') as fw: json_writer = get_json_writer(fw) header = ['COMPUTER', 'TYPE', 'SOURCE', 'CATEGORY', 'SOURCE NAME', 'ID', 'EVENT_TYPE', 'LOG'] if is_win_xp: for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Security'): write_to_json(header, [self.computer_name, 'Logs', 'Security', eventCategory, sourceName, eventID, eventType, date] + log, json_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'Application'): write_to_json(header, [self.computer_name, 'Logs', 'Application', eventCategory, sourceName, eventID, eventType, date, log], json_writer) for eventCategory, sourceName, eventID, eventType, date, log in self._list_evt_xp(server, 'System'): write_to_json(header, [self.computer_name, 'Logs', 'System', eventCategory, sourceName, eventID, eventType, date, log], json_writer) else: # Exports everything from the event viewer evt_handle = win32evtlog.EvtOpenChannelEnum() os.mkdir(self.output_dir + r"\evt") while True: # opening channel for enumeration logtype = win32evtlog.EvtNextChannelPath(evt_handle) if logtype is None: break # fw.write('"Computer Name"|"Type"|"Date"|"logtype"|"log data"\n') self._list_evt_vista(server, logtype) close_json_writer(json_writer)
def json_recycle_bin(self): if self.destination == 'local': with open( self.output_dir + self.computer_name + '_recycle_bin' + self.rand_ext, 'wb') as output: json_writer = get_json_writer(output) header = ["COMPUTER_NAME", "TYPE", "NAME_1", "NAME_2"] idl = shell.SHGetSpecialFolderLocation( 0, shellcon.CSIDL_BITBUCKET) desktop = shell.SHGetDesktopFolder() files = desktop.BindToObject(idl, None, shell.IID_IShellFolder) for bin_file in files: write_to_json(header, [ self.computer_name, 'recycle_bin', files.GetDisplayNameOf( bin_file, shellcon.SHGDN_NORMAL), files.GetDisplayNameOf( bin_file, shellcon.SHGDN_FORPARSING) ], json_writer) close_json_writer(json_writer) record_sha256_logs( self.output_dir + self.computer_name + '_recycle_bin' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def _json_windows_prefetch(self, wpref): if self.destination == 'local': with open( self.output_dir + self.computer_name + '_prefetch' + self.rand_ext, 'wb') as output: json_writer = get_json_writer(output) header = [ "COMPUTER_NAME", "TYPE", "FILE", "VERSION", "SIZE", "EXEC_NAME", "CREATE_TIME", "MODIFICATION_TIME", "RUN_COUNT", "START_TIME", "DURATION", "AVERAGE_DURATION", "DLL_LIST" ] for pref_file, format_version, file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c in wpref: str_c = '' for s in list_str_c: str_c += s.replace('\0', '') + ';' write_to_json(header, [ self.computer_name, 'prefetch', pref_file, unicode(format_version), unicode(file_size), exec_name.replace('\00', ''), unicode(tc), unicode(tm), unicode(run_count), unicode(hash_table_a['start_time']), unicode(hash_table_a['duration']), unicode(hash_table_a['average_duration']), str_c ], json_writer) close_json_writer(json_writer) record_sha256_logs( self.output_dir + self.computer_name + '_prefetch' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def process_mft_file(self): self.sizecheck() self.build_filepaths() # reset the file reading self.num_records = 0 self.file_mft.seek(0) raw_record = self.file_mft.read(1024) if self.output is not None and not self.json: self.file_csv.writerow(mft.mft_to_csv(None, True)) elif self.output is not None and self.json: self.header = mft.mft_to_csv(None, True) while raw_record != "": record = mft.parse_record(raw_record, False) record['filename'] = self.mft[self.num_records]['filename'] self.do_output(record) self.num_records += 1 if record['ads'] > 0: for i in range(0, record['ads']): record_ads = record.copy() record_ads['filename'] = record['filename'] + ':' + record[ 'data_name', i] self.do_output(record_ads) raw_record = self.file_mft.read(1024) if self.json: close_json_writer(self.json_writer)
def _json_list_scheduled_jobs(self, is_at_available=False): self.logger.info('Health : Listing scheduled jobs') if self.destination == 'local': file_tasks = self.output_dir + '%s_scheduled_jobs' % self.computer_name + self.rand_ext with open(file_tasks, 'wb') as tasks_logs: json_writer = get_json_writer(tasks_logs) header = [ "COMPUTER_NAME", "TYPE", 'TASK_NAME', 'NEXT_SCHEDULE', "STATUS" ] for line in self._list_scheduled_jobs(): write_to_json(header, [self.computer_name, 'Scheduled Jobs'] + line.replace('"', '').split(','), json_writer) if is_at_available: for line in self._list_at_scheduled_jobs(): write_to_json(header, [ self.computer_name, 'scheduled_jobs', line[4], line[2] + ' ' + line[3], line[0] ], json_writer) close_json_writer(json_writer) record_sha256_logs( self.output_dir + self.computer_name + '_scheduled_jobs' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def _json_get_startup_files(self, path): with open( self.output_dir + self.computer_name + '_startup_files' + self.rand_ext, 'wb') as output: json_writer = get_json_writer(output) header = [ "COMPUTER_NAME", "TYPE", "FILENAME", "USER", "MD5", "SHA1", "SHA256" ] for startup_file in self._get_startup_files(path): write_to_json(header, startup_file, json_writer) close_json_writer(json_writer) record_sha256_logs( self.output_dir + self.computer_name + '_startup_files' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def _json_list_named_pipes(self, pipes): if self.destination == 'local': with open( self.output_dir + self.computer_name + '_named_pipes' + self.rand_ext, 'wb') as output: json_writer = get_json_writer(output) header = ["COMPUTER_NAME", "TYPE", "NAME"] for pipe in pipes: write_to_json(header, [self.computer_name, 'named_pipes', pipe], json_writer) close_json_writer(json_writer) record_sha256_logs( self.output_dir + self.computer_name + '_named_pipes' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def _json_infos_fs(self, files): if self.destination == 'local': with open(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, 'wb') as fw: json_writer = get_json_writer(fw) headers = ['COMPUTER NAME', 'TYPE', 'DATE', 'PATH', 'MD5', 'SHA1', 'SHA256', 'MIMETYPE', 'ZIP', 'EMPTY', 'VT'] for f, mime, md5, sha1, sha256, zip_value, datem, empty in files: f = os.path.splitdrive(self.systemroot)[0] + '\\' + f.split('\\', 6)[-1] write_to_json(headers, [self.computer_name, 'Filecatcher', unicode(datem), unicode(f), unicode(md5), unicode(sha1), unicode(sha256), unicode(mime), unicode(zip_value), unicode(empty), self._get_url_VT(sha256)], json_writer) close_json_writer(json_writer) record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_Filecatcher' + self.rand_ext, self.output_dir + '\\' + self.computer_name + '_sha256.log') if self.zip_file: self.zip_file.close()
def _json_firefox_history(self, fhistory): with open( self.output_dir + self.computer_name + '_firefox_history' + self.rand_ext, 'wb') as output: header = [ "COMPUTER_NAME", "TYPE", "TIME", "URL", "USER", "PROFILE" ] json_writer = get_json_writer(output) for time, url, user, profile in fhistory: write_to_json(header, [ self.computer_name, 'firefox_history', time, url, user, profile ], json_writer) close_json_writer(json_writer) record_sha256_logs( self.output_dir + self.computer_name + '_firefox_history' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')
def _json_chrome_history(self, chistory): if self.destination == 'local': with open( self.output_dir + self.computer_name + '_chrome_history' + self.rand_ext, 'wb') as output: json_writer = get_json_writer(output) header = [ "COMPUTER_NAME", "TYPE", "TIME", "URL", "TITLE", "USER", "PROFILE" ] for time, url, title, user, profile in chistory: write_to_json(header, [ self.computer_name, 'chrome_history', time, url, title, user, profile ], json_writer) close_json_writer(json_writer) record_sha256_logs( self.output_dir + self.computer_name + '_chrome_history' + self.rand_ext, self.output_dir + self.computer_name + '_sha256.log')