def factory(Evidences, args, options):
    """Entry point of the ``getmails`` command.

    Collects Outlook mailboxes (``.pst``/``.ost``) from every filesystem of
    every evidence.  With ``--walk`` the mounted filesystems are walked;
    otherwise the frit database is queried, which requires the database to
    exist.  In both cases the undeleted files are walked afterwards.

    Args:
        Evidences: iterable of evidence objects exposing ``configName`` and
            ``fileSystems``.
        args: command arguments (not used by this command).
        options: command options, or None; only ``--walk`` is inspected.
    """
    logger.info('Starting getmails command')
    mailboxExtensions = (u'.pst', u'.ost')
    walkRequested = bool(options and '--walk' in options)

    if walkRequested:
        logger.info('Using "--walk" argument.')
        for evi in Evidences:
            logger.info('Working on evidence "%s"' % evi.configName)
            for fs in evi.fileSystems:
                logger.info('Working on filesystem "%s"' % fs.configName)
                for mailboxExt in mailboxExtensions:
                    getOutlookMailsFromWalk(fs, mailboxExt)
    else:
        logger.info('Searching mails from database.')
        if not fritModel.dbExists():
            fritutils.termout.printWarning(
                'You need to create the database first with the "store create" command or use the "--walk" option'
            )
        else:
            # Normal (non-deleted) files are looked up through the database;
            # PST and OST containers are handled one after the other.
            for evi in Evidences:
                for fs in evi.fileSystems:
                    for mailboxExt in mailboxExtensions:
                        getOutlookMailsFromDb(fs, mailboxExt)

    # Undeleted files are always walked: the author judged that quicker than
    # querying the database for them.
    for evi in Evidences:
        for fs in evi.fileSystems:
            getOutlookUndeletedFromWalk(fs)
def factory(Evidences, args, options):
    """Entry point of the ``getmails`` command.

    Collects Outlook mailboxes (``.pst`` and ``.ost``) from the filesystems of
    all evidences, either by walking them (``--walk`` option) or by querying
    the frit database, then walks the undeleted files unconditionally.

    Args:
        Evidences: iterable of evidence objects exposing ``configName`` and
            ``fileSystems``.
        args: command arguments (not used here).
        options: command options, or None; only ``--walk`` matters.
    """
    logger.info("Starting getmails command")
    if options and "--walk" in options:
        logger.info('Using "--walk" argument.')
        _collectMailsByWalking(Evidences)
    else:
        logger.info("Searching mails from database.")
        if fritModel.dbExists():
            _collectMailsFromDatabase(Evidences)
        else:
            fritutils.termout.printWarning(
                'You need to create the database first with the "store create" command or use the "--walk" option'
            )

    # Undeleted files are always walked rather than queried from the
    # database; the author considered walking quicker for them.
    for evi in Evidences:
        for fs in evi.fileSystems:
            getOutlookUndeletedFromWalk(fs)


def _collectMailsByWalking(Evidences):
    """Walk every filesystem of every evidence for PST then OST containers."""
    for evi in Evidences:
        logger.info('Working on evidence "%s"' % evi.configName)
        for fs in evi.fileSystems:
            logger.info('Working on filesystem "%s"' % fs.configName)
            getOutlookMailsFromWalk(fs, u".pst")
            getOutlookMailsFromWalk(fs, u".ost")


def _collectMailsFromDatabase(Evidences):
    """Look up PST then OST containers of normal files through the database."""
    for evi in Evidences:
        for fs in evi.fileSystems:
            getOutlookMailsFromDb(fs, u".pst")
            getOutlookMailsFromDb(fs, u".ost")
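def factory(Evidences, args, options):
    """
    args are the hashes command arguments

    Dispatch the ``hashes`` sub-command named by ``args[0]``.  The values
    following it (digests, or a ssdeep hash plus a minimal score) are handed
    to the matching search function.

    Args:
        Evidences: evidences the sub-command works on.
        args: command arguments; ``args[0]`` is the sub-command and is
            removed from the list in place before the remaining values are
            forwarded (callers see the mutated list, as before).
        options: command options (not used by this command).

    Exits the process with status 1 on a missing or unknown sub-command, a
    missing database, or a search sub-command given without search values.
    """
    logger.info("Starting hashes command.")
    validArgs = ("update", "md5search", "sha1search", "sha256search", "csvdump", "ssdsearch")
    # Search sub-command -> hash algorithm name passed to searchFactory.
    digestSearches = {"md5search": "md5", "sha1search": "sha1", "sha256search": "sha256"}

    if not args:
        fritutils.termout.printWarning("hashes command need at least an argument. Exiting.")
        logger.error("No argument given.")
        sys.exit(1)
    # Capture the sub-command once.  args.remove() below shifts the list, and
    # re-testing args[0] after a removal (as a chain of independent ifs did)
    # could run a second sub-command on what are meant to be search values,
    # e.g. "hashes md5search csvdump".
    subcommand = args[0]
    if subcommand not in validArgs:
        fritutils.termout.printWarning("hashes command need a valid argument (%s)" % ", ".join(validArgs))
        logger.error('"%s" in not a valid arguement. Exiting.' % subcommand)
        sys.exit(1)
    if not fritModel.dbExists():
        fritutils.termout.printWarning(
            'Database not found. run the "frit store create", followed by "frit hashes update".'
        )
        logger.error("No database found, exiting.")
        sys.exit(1)

    if subcommand == "update":
        logger.info("Update arguement given. Starting update.")
        update(Evidences)
    elif subcommand in digestSearches:
        algorithm = digestSearches[subcommand]
        args.remove(subcommand)
        if not args:
            fritutils.termout.printWarning(
                "%s command need at least one %s to search for." % (subcommand, algorithm)
            )
            logger.error("%s command but no argument to search for. Exiting." % subcommand)
            sys.exit(1)
        # The digests are forwarded exactly as typed on the command line;
        # presumably searchFactory checks them (hex digits, expected length)
        # before they reach the database query -- confirm.
        searchFactory(args, Evidences, algorithm)
    elif subcommand == "csvdump":
        csvdump(Evidences)
    elif subcommand == "ssdsearch":
        args.remove(subcommand)
        if len(args) < 2:
            fritutils.termout.printWarning("ssdsearch command need a ssdeep hash and a minimal score to match.")
            logger.error("ssdsearch command but not enough argument (hash and a score). Exiting.")
            # Fail like the other search sub-commands do; previously this
            # branch logged "Exiting." but returned normally with status 0.
            sys.exit(1)
        ssdeepsearch(args)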
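def factory(Evidences, args, options, fritConf):
    """Entry point of the ``extensions`` command.

    ``args[0]`` selects the sub-command (``count``, ``list`` or ``extract``);
    the remaining args name predefined extension lists from ``fritConf`` or
    literal extensions.  When none is given, every extension known to the
    database is used.  ``options`` may restrict the file states
    (``--normal``, ``--contained``, ``--undeleted``, ``--carved``) and, for
    ``extract``, ``--merge`` flattens the per-extension output directories.

    Args:
        Evidences: iterable of evidence objects.
        args: command arguments; the sub-command and any extension-list
            names are removed from it in place.
        options: command options, or None.
        fritConf: frit configuration handed to ``getExtLists``.

    Exits the process with status 1 when the database is missing or the
    sub-command is absent or unknown.
    """
    validArgs = ('count', 'extract', 'list')
    stateOptions = {
        '--normal': u'Normal',
        '--contained': u'Contained',
        '--undeleted': u'Undeleted',
        '--carved': u'Carved'
    }
    definedExtensions = getExtLists(fritConf)
    if not fritModel.dbExists():
        fritutils.termout.printWarning(
            'The database does not exists yet. You should create it first by issuing "frit store create".'
        )
        logger.warning('Database was not found')
        sys.exit(1)
    if not args:
        fritutils.termout.printWarning(
            'extensions command need at least an argument to define an action (%s).'
            % ', '.join(validArgs))
        sys.exit(1)
    if args[0] not in validArgs:
        fritutils.termout.printWarning(
            'extensions command need a valid argument (%s)' %
            ', '.join(validArgs))
        sys.exit(1)

    subcommand = args[0]
    args.remove(subcommand)
    logger.info('subcommand issued: %s' % subcommand)

    states = _selectedStates(options, stateOptions)
    logger.info('states: %s' % ','.join(states))

    extList = _selectedExtensions(args, definedExtensions)
    logger.info('Extensions: "%s"' % " ".join(extList))

    if subcommand == 'count':
        logger.info('Starting subcommand count')
        fritModel.listExtensions(Evidences, extList, states)
    elif subcommand == 'list':
        logger.info('Starting list subcommand.')
        for evi in Evidences:
            for fs in evi.fileSystems:
                for ext in sorted(extList):
                    for state in states:
                        for fp in fs.ExtensionsFritFiles(ext, state):
                            fritutils.termout.printNormal(fp)
    elif subcommand == 'extract':
        logger.info('Starting extract subcommand')
        # The '--merge' option is used to merge extractions in a single
        # directory base instead of having a directory by extension.
        merge = bool(options and '--merge' in options)
        # Normal files go first because they require mounting the evidence
        # containers and filesystems; the other states are read from the
        # existing extraction tree.
        if u'Normal' in states:
            logger.info('Starting Normal files extraction.')
            states.remove(u'Normal')
            _extractNormalFiles(Evidences, extList, merge)
        _extractOtherStates(Evidences, extList, states, merge)


def _selectedStates(options, stateOptions):
    """Return the file states named by the state options, in option order.

    Falls back to every state of ``fritModel.FILESTATES`` (as a fresh list,
    since the caller removes entries from it) when no state option is given.
    """
    states = []
    if options:
        logger.info('options: %s' % ','.join(options))
        states = [stateOptions[o] for o in options if o in stateOptions]
    if not states:
        states = list(fritModel.FILESTATES)
    return states


def _selectedExtensions(args, definedExtensions):
    """Resolve the extensions to work on from the remaining command args.

    Args naming a predefined list are removed from ``args`` (in place) and
    expanded; whatever is left is taken as literal extensions.  With no
    args and no expanded list, every extension in the database is used.
    """
    extList = []
    # Searching if one or more predefined extensions list is in the args
    for a in list(args):
        if a in definedExtensions:
            # Log the list name that matched (previously the whole args list
            # was interpolated here).
            logger.info('Extension list "%s" asked in command line.' % a)
            args.remove(a)
            extList.extend(definedExtensions[a])
    # the remaining args should be the extensions that we want to list
    # if there is no more args, we list all extensions
    if not args and not extList:
        for ex in fritModel.elixir.session.query(
                fritModel.Extension.extension).all():
            extList.append(ex[0])
    else:
        for ex in args:
            extList.append(fritutils.unicodify(ex))
    return extList


def _extensionDirName(ext):
    """Directory name used for one extension under the extraction tree."""
    if ext == "No Extension":
        return "no_extension"
    # Drop the leading '.' of the extension.
    return ext[1:]


def _destinationDir(evi, fs, extPath, basePath, merge):
    """Return the directory receiving one extracted file.

    The layout is ``.frit/extractions/by_extensions/<evidence>/<fs>/[<ext>/]<basePath>``;
    with ``merge`` the per-extension level is omitted.

    NOTE(review): basePath is derived from a path recorded for the evidence
    filesystem.  os.path.join discards everything before an absolute
    component and '..' segments are not normalised here, so an unusual
    recorded path could resolve outside '.frit/extractions/'; presumably
    extractFile guards the final destination -- confirm.
    """
    if merge:
        return unicode(
            os.path.join(
                '.frit/extractions/by_extensions/',
                evi.configName, fs.configName,
                basePath))
    return unicode(
        os.path.join(
            '.frit/extractions/by_extensions/',
            evi.configName, fs.configName,
            extPath, basePath))


def _extractNormalFiles(Evidences, extList, merge):
    """Extract the 'Normal' files of every evidence, mounting as needed.

    Containers and filesystems are unmounted in ``finally`` blocks so an
    error in the middle of an extraction no longer leaves them mounted.
    """
    for evi in Evidences:
        # We count files to extract to see if it's needed to go further
        enbe = evi.dbCountExtension(extList, u'Normal')
        if enbe['count'] > 0:
            logger.info(
                'Found %d files to exctract, mounting Evidence container "%s".'
                % (enbe['count'], evi.configName))
            evi.mount('extensions',
                      'Extracting files based on extensions')
            try:
                for fs in evi.fileSystems:
                    fritutils.termout.printMessage(
                        "\t%s" % fs.evidence.configName + '/' +
                        fs.configName)
                    fs.mount('extensions',
                             'Extracting files based on extensions')
                    try:
                        for ext in sorted(extList):
                            nbe = fs.dbCountExtension(ext, u'Normal')
                            fritutils.termout.printMessage(
                                "Extracting %d files (%s)" %
                                (nbe['count'],
                                 fritutils.humanize(nbe['size'])))
                            extPath = _extensionDirName(ext)
                            for filepath in fs.ExtensionsOriginalFiles(
                                    ext, u'Normal'):
                                basePath = os.path.dirname(filepath)
                                Destination = _destinationDir(
                                    evi, fs, extPath, basePath, merge)
                                mountedPath = os.path.join(
                                    fs.fsMountPoint, filepath)
                                extractFile(mountedPath, Destination)
                    finally:
                        fs.umount('extensions')
            finally:
                evi.umount('extensions')
        else:
            logger.info(
                'No Normal files to extract on Evidence "%s", skipping'
                % evi.configName)


def _extractOtherStates(Evidences, extList, states, merge):
    """Extract files of the remaining states from the extraction tree."""
    for state in states:
        logger.info('Starting to extract %s files' % state)
        for evi in Evidences:
            for fs in evi.fileSystems:
                for ext in sorted(extList):
                    nbe = fs.dbCountExtension(ext, state)
                    if nbe['count'] > 0:
                        fritutils.termout.printMessage(
                            "Extracting %s %d files (%s)" %
                            (state, nbe['count'],
                             fritutils.humanize(nbe['size'])))
                        extPath = _extensionDirName(ext)
                        for filepath in fs.ExtensionsOriginalFiles(
                                ext, state):
                            # as we do not store the first character of the path, we have to re-add the '.'
                            filepath = '.' + filepath
                            # we dont want to have '.frit/extractions' in the middle of the destination path:
                            basePath = os.path.dirname(
                                filepath.replace(
                                    '.frit/extractions/', ''))
                            Destination = _destinationDir(
                                evi, fs, extPath, basePath, merge)
                            extractFile(filepath, Destination)
                    else:
                        logger.info(
                            'Nothing found to extract on "%s".' %
                            (evi.configName + '/' + fs.configName))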
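def factory(Evidences, args, options):
    """
    args are the hashes command arguments

    Dispatch the ``hashes`` sub-command named by ``args[0]``.  The values
    following it (digests, or a ssdeep hash plus a minimal score) are handed
    to the matching search function.

    Args:
        Evidences: evidences the sub-command works on.
        args: command arguments; ``args[0]`` is the sub-command and is
            removed from the list in place before the remaining values are
            forwarded (callers see the mutated list, as before).
        options: command options (not used by this command).

    Exits the process with status 1 on a missing or unknown sub-command, a
    missing database, or a search sub-command given without search values.
    """
    logger.info('Starting hashes command.')
    validArgs = ('update', 'md5search', 'sha1search', 'sha256search',
                 'csvdump', 'ssdsearch')
    # Search sub-command -> hash algorithm name passed to searchFactory.
    digestSearches = {'md5search': 'md5', 'sha1search': 'sha1',
                      'sha256search': 'sha256'}

    if not args:
        fritutils.termout.printWarning(
            'hashes command need at least an argument. Exiting.')
        logger.error('No argument given.')
        sys.exit(1)
    # Capture the sub-command once.  args.remove() below shifts the list, and
    # re-testing args[0] after a removal (as a chain of independent ifs did)
    # could run a second sub-command on what are meant to be search values,
    # e.g. "hashes md5search csvdump".
    subcommand = args[0]
    if subcommand not in validArgs:
        fritutils.termout.printWarning(
            'hashes command need a valid argument (%s)' % ', '.join(validArgs))
        logger.error('"%s" in not a valid arguement. Exiting.' % subcommand)
        sys.exit(1)
    if not fritModel.dbExists():
        fritutils.termout.printWarning(
            'Database not found. run the "frit store create", followed by "frit hashes update".'
        )
        logger.error("No database found, exiting.")
        sys.exit(1)

    if subcommand == 'update':
        logger.info('Update arguement given. Starting update.')
        update(Evidences)
    elif subcommand in digestSearches:
        algorithm = digestSearches[subcommand]
        args.remove(subcommand)
        if not args:
            fritutils.termout.printWarning(
                '%s command need at least one %s to search for.'
                % (subcommand, algorithm))
            logger.error(
                '%s command but no argument to search for. Exiting.'
                % subcommand)
            sys.exit(1)
        # The digests are forwarded exactly as typed on the command line;
        # presumably searchFactory checks them (hex digits, expected length)
        # before they reach the database query -- confirm.
        searchFactory(args, Evidences, algorithm)
    elif subcommand == 'csvdump':
        csvdump(Evidences)
    elif subcommand == 'ssdsearch':
        args.remove(subcommand)
        if len(args) < 2:
            fritutils.termout.printWarning(
                'ssdsearch command need a ssdeep hash and a minimal score to match.'
            )
            logger.error(
                'ssdsearch command but not enough argument (hash and a score). Exiting.'
            )
            # Fail like the other search sub-commands do; previously this
            # branch logged "Exiting." but returned normally with status 0.
            sys.exit(1)
        ssdeepsearch(args)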
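def factory(Evidences, args, options, fritConf):
    """Entry point of the ``extensions`` command.

    ``args[0]`` selects the sub-command (``count``, ``list`` or ``extract``);
    the remaining args name predefined extension lists from ``fritConf`` or
    literal extensions.  When none is given, every extension known to the
    database is used.  ``options`` may restrict the file states
    (``--normal``, ``--contained``, ``--undeleted``, ``--carved``) and, for
    ``extract``, ``--merge`` flattens the per-extension output directories.

    Args:
        Evidences: iterable of evidence objects.
        args: command arguments; the sub-command and any extension-list
            names are removed from it in place.
        options: command options, or None.
        fritConf: frit configuration handed to ``getExtLists``.

    Exits the process with status 1 when the database is missing or the
    sub-command is absent or unknown.
    """
    validArgs = ('count', 'extract', 'list')
    stateOptions = {'--normal': u'Normal', '--contained': u'Contained',
                    '--undeleted': u'Undeleted', '--carved': u'Carved'}
    definedExtensions = getExtLists(fritConf)
    if not fritModel.dbExists():
        fritutils.termout.printWarning('The database does not exists yet. You should create it first by issuing "frit store create".')
        logger.warning('Database was not found')
        sys.exit(1)
    if not args:
        fritutils.termout.printWarning('extensions command need at least an argument to define an action (%s).' % ', '.join(validArgs))
        sys.exit(1)
    if args[0] not in validArgs:
        fritutils.termout.printWarning('extensions command need a valid argument (%s)' % ', '.join(validArgs))
        sys.exit(1)

    subcommand = args[0]
    args.remove(subcommand)
    logger.info('subcommand issued: %s' % subcommand)

    states = _selectedStates(options, stateOptions)
    logger.info('states: %s' % ','.join(states))

    extList = _selectedExtensions(args, definedExtensions)
    logger.info('Extensions: "%s"' % " ".join(extList))

    if subcommand == 'count':
        logger.info('Starting subcommand count')
        fritModel.listExtensions(Evidences, extList, states)
    elif subcommand == 'list':
        logger.info('Starting list subcommand.')
        for evi in Evidences:
            for fs in evi.fileSystems:
                for ext in sorted(extList):
                    for state in states:
                        for fp in fs.ExtensionsFritFiles(ext, state):
                            fritutils.termout.printNormal(fp)
    elif subcommand == 'extract':
        logger.info('Starting extract subcommand')
        # The '--merge' option is used to merge extractions in a single
        # directory base instead of having a directory by extension.
        merge = bool(options and '--merge' in options)
        # Normal files go first because they require mounting the evidence
        # containers and filesystems; the other states are read from the
        # existing extraction tree.
        if u'Normal' in states:
            logger.info('Starting Normal files extraction.')
            states.remove(u'Normal')
            _extractNormalFiles(Evidences, extList, merge)
        _extractOtherStates(Evidences, extList, states, merge)


def _selectedStates(options, stateOptions):
    """Return the file states named by the state options, in option order.

    Falls back to every state of ``fritModel.FILESTATES`` (as a fresh list,
    since the caller removes entries from it) when no state option is given.
    """
    states = []
    if options:
        logger.info('options: %s' % ','.join(options))
        states = [stateOptions[o] for o in options if o in stateOptions]
    if not states:
        states = list(fritModel.FILESTATES)
    return states


def _selectedExtensions(args, definedExtensions):
    """Resolve the extensions to work on from the remaining command args.

    Args naming a predefined list are removed from ``args`` (in place) and
    expanded; whatever is left is taken as literal extensions.  With no
    args and no expanded list, every extension in the database is used.
    """
    extList = []
    # Searching if one or more predefined extensions list is in the args
    for a in list(args):
        if a in definedExtensions:
            # Log the list name that matched (previously the whole args list
            # was interpolated here).
            logger.info('Extension list "%s" asked in command line.' % a)
            args.remove(a)
            extList.extend(definedExtensions[a])
    # the remaining args should be the extensions that we want to list
    # if there is no more args, we list all extensions
    if not args and not extList:
        for ex in fritModel.elixir.session.query(fritModel.Extension.extension).all():
            extList.append(ex[0])
    else:
        for ex in args:
            extList.append(fritutils.unicodify(ex))
    return extList


def _extensionDirName(ext):
    """Directory name used for one extension under the extraction tree."""
    if ext == "No Extension":
        return "no_extension"
    # Drop the leading '.' of the extension.
    return ext[1:]


def _destinationDir(evi, fs, extPath, basePath, merge):
    """Return the directory receiving one extracted file.

    The layout is ``.frit/extractions/by_extensions/<evidence>/<fs>/[<ext>/]<basePath>``;
    with ``merge`` the per-extension level is omitted.

    NOTE(review): basePath is derived from a path recorded for the evidence
    filesystem.  os.path.join discards everything before an absolute
    component and '..' segments are not normalised here, so an unusual
    recorded path could resolve outside '.frit/extractions/'; presumably
    extractFile guards the final destination -- confirm.
    """
    if merge:
        return unicode(os.path.join('.frit/extractions/by_extensions/', evi.configName, fs.configName, basePath))
    return unicode(os.path.join('.frit/extractions/by_extensions/', evi.configName, fs.configName, extPath, basePath))


def _extractNormalFiles(Evidences, extList, merge):
    """Extract the 'Normal' files of every evidence, mounting as needed.

    Containers and filesystems are unmounted in ``finally`` blocks so an
    error in the middle of an extraction no longer leaves them mounted.
    """
    for evi in Evidences:
        # We count files to extract to see if it's needed to go further
        enbe = evi.dbCountExtension(extList, u'Normal')
        if enbe['count'] > 0:
            logger.info('Found %d files to exctract, mounting Evidence container "%s".' % (enbe['count'], evi.configName))
            evi.mount('extensions', 'Extracting files based on extensions')
            try:
                for fs in evi.fileSystems:
                    fritutils.termout.printMessage("\t%s" % fs.evidence.configName + '/' + fs.configName)
                    fs.mount('extensions', 'Extracting files based on extensions')
                    try:
                        for ext in sorted(extList):
                            nbe = fs.dbCountExtension(ext, u'Normal')
                            fritutils.termout.printMessage("Extracting %d files (%s)" % (nbe['count'], fritutils.humanize(nbe['size'])))
                            extPath = _extensionDirName(ext)
                            for filepath in fs.ExtensionsOriginalFiles(ext, u'Normal'):
                                basePath = os.path.dirname(filepath)
                                Destination = _destinationDir(evi, fs, extPath, basePath, merge)
                                mountedPath = os.path.join(fs.fsMountPoint, filepath)
                                extractFile(mountedPath, Destination)
                    finally:
                        fs.umount('extensions')
            finally:
                evi.umount('extensions')
        else:
            logger.info('No Normal files to extract on Evidence "%s", skipping' % evi.configName)


def _extractOtherStates(Evidences, extList, states, merge):
    """Extract files of the remaining states from the extraction tree."""
    for state in states:
        logger.info('Starting to extract %s files' % state)
        for evi in Evidences:
            for fs in evi.fileSystems:
                for ext in sorted(extList):
                    nbe = fs.dbCountExtension(ext, state)
                    if nbe['count'] > 0:
                        fritutils.termout.printMessage("Extracting %s %d files (%s)" % (state, nbe['count'], fritutils.humanize(nbe['size'])))
                        extPath = _extensionDirName(ext)
                        for filepath in fs.ExtensionsOriginalFiles(ext, state):
                            # as we do not store the first character of the path, we have to re-add the '.'
                            filepath = '.' + filepath
                            # we dont want to have '.frit/extractions' in the middle of the destination path:
                            basePath = os.path.dirname(filepath.replace('.frit/extractions/', ''))
                            Destination = _destinationDir(evi, fs, extPath, basePath, merge)
                            extractFile(filepath, Destination)
                    else:
                        logger.info('Nothing found to extract on "%s".' % (evi.configName + '/' + fs.configName))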