def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK # we don't know how much work there is yet progressBar.switchToIndeterminate() autopsyCase = Case.getCurrentCase() sleuthkitCase = autopsyCase.getSleuthkitCase() services = Services(sleuthkitCase) fileManager = services.getFileManager() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, file): # If the file has a txt extension, post an artifact to the blackboard. if file.getName().find("test") != -1: art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Sample Jython File Ingest Module", "Text Files") art.addAttribute(att) # Read the contents of the file. inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) # Send the size of the file to the ingest messages in box. msgText = "Size of %s is %d bytes" % ((file.getName(), totLen)) message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "Sample Jython File IngestModule", msgText) ingestServices = IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, file): # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().find(".txt") != -1: self.logger.logp(Level.INFO, SampleJythonFileIngestModule.__name__, "process", "Found a text file: " + file.getName()) self.filesFound += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def process(self, file): # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().find(".txt") != -1: self.logger.logp(Level.INFO, SampleJythonFileIngestModule.__name__, "process", "Found a text file: " + file.getName()) self.filesFound+=1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def process(self, file): # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().lower().endswith(".txt"): self.log(Level.INFO, "Found a text file: " + file.getName()) self.filesFound += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artifact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( SampleJythonFileIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)) # For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added # by other modules. We then iterate over its attributes. We'll just print them, but you would probably # want to do something with them. artifactList = file.getArtifacts( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) for artifact in artifactList: attributeList = artifact.getAttributes() for attrib in attributeList: self.log(Level.INFO, attrib.toString()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName) # we don't know how much work there is yet progressBar.switchToIndeterminate() autopsyCase = Case.getCurrentCase() sleuthkitCase = autopsyCase.getSleuthkitCase() services = Services(sleuthkitCase) fileManager = services.getFileManager() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK;
def process(self, file): # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK # This will work in 4.0.1 and beyond # Use blackboard class to index blackboard artifacts for keyword search # blackboard = Case.getCurrentCase().getServices().getBlackboard() # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().lower().endswith(".txt"): self.log(Level.INFO, "Found a text file: " + file.getName()) self.filesFound+=1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artifact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) # This will work in 4.0.1 and beyond #try: # # index the artifact for keyword search # blackboard.indexArtifact(art) #except Blackboard.BlackboardException as e: # self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)); # For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added # by other modules. We then iterate over its attributes. We'll just print them, but you would probably # want to do something with them. artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) for artifact in artifactList: attributeList = artifact.getAttributes(); for attrib in attributeList: self.log(Level.INFO, attrib.toString()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_TV = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_TV) names = [] skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if file.getName() == "80000000000000d1": artifactList = file.getArtifacts(ARTID_NS_TV) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(2048, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() names = names + re.findall("EdidBlock.*?\\\\xfc\\\\x00(.*?)\\\\n.*?EdidExtensionBlock", repr(currentBuffer)) noduplicatesnames = list(set(names)) for tvname in noduplicatesnames: # Don't add to blackboard if the artifact already exists for artifact in artifactList: artifactName = artifact.getAttribute(self.NS_DISPLAY_ATTRIBUTES["Name"][3]) if artifactName.getValueString() == tvname: return IngestModule.ProcessResult.OK art = file.newArtifact(ARTID_NS_TV) art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), ConnectedDisplayIngestModuleFactory.moduleName, "Nintendo Switch - Connected TV")) for attribute in self.NS_DISPLAY_ATTRIBUTES.keys(): art.addAttribute(BlackboardAttribute(self.NS_DISPLAY_ATTRIBUTES[attribute][3], ConnectedDisplayIngestModuleFactory.moduleName, str(tvname))) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(ConnectedDisplayIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_TV), None)) return IngestModule.ProcessResult.OK
def create_hash(self, f_target, algorithm): time_start = time.time() hash_creator = hashlib.new(algorithm) inputStream = ReadContentInputStream(f_target) buffer = jarray.zeros(BLOCKSIZE, "b") len = inputStream.read(buffer) while (len != -1): hash_creator.update(buffer) len = inputStream.read(buffer) time_consumed = time.time()-time_start return (hash_creator.hexdigest(),time_consumed)
def getUsersFromFile(self, file): inputStream = ReadContentInputStream(file) users = [] buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while len != -1: totLen = totLen + len len = inputStream.read(buffer) currentBuffer = buffer.tostring() x = re.search("^\{.*\"gender\".*\}", currentBuffer) if x: result = x.string.replace("\x00", "") d = json.loads(result) users.append(d) return users
def process(self, file): def luhnChecksumIsValid(cardNumber): # check to make sure that the card passes a luhn mod-10 checksum total = 0 oddTotal = 0 evenTotal = 0 reversedCardNumber = cardNumber[::-1] oddDigits = reversedCardNumber[0::2] evenDigits = reversedCardNumber[1::2] for count in range(0, len(oddDigits)): oddTotal += int(oddDigits[count]) for count in range(0, len(evenDigits)): evenDigit = int(evenDigits[count]) evenDigit = evenDigit * 2 if evenDigit > 9: evenDigit = evenDigit - 9 evenTotal += evenDigit total = oddTotal + evenTotal return (total % 10 == 0) # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK inputStream = ReadContentInputStream(file) text = IOUtils.toString(inputStream, StandardCharsets.UTF_8) if self.skipBinaries: if b'\x00' in text: return IngestModule.ProcessResult.OK initialCCPattern = '[1-6](?:\d[ -]*?){13,23}' possibleCCs = re.findall(initialCCPattern, text, re.IGNORECASE) self.fileFlagged = 0 if possibleCCs: for cc in possibleCCs: delim_regex = "\D+" cc = re.sub(delim_regex, '', cc) if luhnChecksumIsValid(cc): if self.fileFlagged == 0: self.filesFound += 1 art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE. TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME. getTypeID(), PaymentCardFileIngestModuleFactory.moduleName, "Files With Possible Payment Card Numbers") art.addAttribute(att) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( PaymentCardFileIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE. TSK_INTERESTING_FILE_HIT, None)) self.fileFlagged = 1 return IngestModule.ProcessResult.OK
def process(self, file): # If the file has a txt extension, post an artifact to the blackboard. if file.getName().find("test") != -1: art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Sample Jython File Ingest Module", "Text Files") art.addAttribute(att) # Read the contents of the file. inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) # Send the size of the file to the ingest messages in box. msgText = "Size of %s is %d bytes" % ((file.getName(), totLen)) message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython File IngestModule", msgText) ingestServices = IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_WIFI = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_WIFI) networks = {} skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if (file.getName().lower() == "8000000000000050"): artifactList = file.getArtifacts(ARTID_NS_WIFI) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(8192, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() regex = "\x00[^\x00]{16}\x03(?:[^\x20-\x7f]+)(?P<ssid>[\x20-\x7f]+?)\x00(?:[^\x20-\x7f]+)(?P<pass>[\x20-\x7f]+?)\x00" x = re.finditer(regex, currentBuffer) for network in x: networks[network.group('ssid')] = network.group('pass') for ssid, psk in networks.items(): self.log(Level.INFO, ssid) # Don't add to blackboard if the artifact already exists for artifact in artifactList: artifactSSID = artifact.getAttribute( self.NS_WIFI_ATTRIBUTES["SSID"][3]) if artifactSSID.getValueString() == ssid: pass art = file.newArtifact(ARTID_NS_WIFI) art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME. getTypeID(), WiFiIngestModuleFactory.moduleName, "Nintendo Switch - Wireless Credentials")) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["SSID"][3], WiFiIngestModuleFactory.moduleName, ssid)) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["PSK"][3], WiFiIngestModuleFactory.moduleName, psk)) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( WiFiIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_WIFI), None)) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # This will work in 4.0.1 and beyond # Use blackboard class to index blackboard artifacts for keyword search # blackboard = Case.getCurrentCase().getServices().getBlackboard() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) # This will work in 4.0.1 and beyond #try: # # index the artifact for keyword search # blackboard.indexArtifact(art) #except Blackboard.BlackboardException as e: # self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK;
def generateReport(self, baseReportDir, progressBar): # Open the output file. fileName = os.path.join(baseReportDir, self.getRelativeFilePath()) report = open(fileName, 'w') # Query the database for the files (ignore the directories) sleuthkitCase = Case.getCurrentCase().getSleuthkitCase() files = sleuthkitCase.findAllFilesWhere( "NOT meta_type = " + str(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getValue())) # Setup progress Indicator progressBar.setIndeterminate(False) progressBar.start() progressBar.setMaximumProgress(len(files)) for file in files: # For this script I will limit the processing # to files with .txt extensions only if file.getName().lower().endswith(".txt"): # Setup to Read the contents of the file. # Create a Python string to hold the file contents # for processing fileStringBuffer = '' # Setup an inputStream to read the file inputStream = ReadContentInputStream(file) # Setup a jarry buffer to read chunks of the file # we will read 1024 byte chunks buffer = jarray.zeros(1024, "b") # Attempt to read in the first Chunk bytesRead = inputStream.read(buffer) # Continue reading until finished reading # the file indicated by -1 return from # the inputStream.read() method while (bytesRead != -1): for eachItem in buffer: # Now extract only potential ascii characters from the # buffer and build the final Python string # that we will process. if eachItem >= 0 and eachItem <= 255: fileStringBuffer = fileStringBuffer + chr(eachItem) # Read the next file Chunk bytesRead = inputStream.read(buffer) # Once the complete file has been read and the # possible ASCII characters have been extracted # The ExtractProperNames Function # will process the contents of the file # the result will be returned as a Python # dictionary object properNamesDictionary = ExtractProperNames(fileStringBuffer) # For each file processed # Write the information to the Report # File Name, along with each possible proper name # found, with highest occurring words order report.write("\n\nProcessing File: " + file.getUniquePath() + "\n\n") report.write("Possible Name Occurrences \n") report.write("-------------------------------- \n") for eachName in sorted(properNamesDictionary, key=properNamesDictionary.get, reverse=True): theName = '{:20}'.format(eachName) theCnt = '{:5d}'.format(properNamesDictionary[eachName]) report.write(theName + theCnt + "\n") # Increment the progress bar for each # file processed progressBar.increment() # Process the Next File # Close the report and post ProgressBar Complete progressBar.complete(ReportStatus.COMPLETE) report.close() # Add the report to the Case Case.getCurrentCase().addReport(fileName, self.moduleName, "Prop Report")
def cookieMain(self, file): global chrome_pattern_utmb global chrome_pattern_utmz global chrome_pattern_utma global moz_pattern_utma global moz_pattern_utmb global moz_pattern_utmz global ie_utma_pattern global ie_utmb_pattern global ie_utmz_pattern global apple_utma_pattern global apple_utmb_pattern global apple_utmz_pattern global chrome_utma_count global chrome_utmb_count global chrome_utmz_count global ff_utma_count global ff_utmb_count global ff_utmz_count global ie_utma_count global ie_utmb_count global ie_utmz_count global apple_utma_count global apple_utmb_count global apple_utmz_count global gif__UTF16_count global gif_ASCII_count #chrome utm grep patterns chrome_pattern_utma = re.compile(r'__utma(([0-9]{0,10}\.){5}([0-9])*)(\/)') chrome_pattern_utmz = re.compile(r'(__utmz)(([0-9]{0,10}\.){4}utm(.*?)\s*\x2F\x00\x2E)') chrome_pattern_utmb = re.compile(r'(__utmb)(([0-9]{0,10}\.){3}[0-9]{0,10})') #firefox utm grep patterns moz_pattern_utma = re.compile(r'(__utma(([0-9]{0,10}\.){5}[0-9]{1,5}))[^\/](\.?[a-zA-Z\d-]{0,63}){0,4}') moz_pattern_utmb = re.compile(r'__utmb([0-9]{0,10}\.){3}[0-9]{0,10}([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){1,4}') moz_pattern_utmz = re.compile(r'(__utmz)(([0-9]{0,20}\.){4}[ -~]*?)([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){0,4}\/[TS]{1}') #ie patterns ie_utma_pattern = re.compile(r'(__utma)(\x0a(([0-9]{0,10}\.){5})[0-9]{1,10}\n)([ -~]{1,64}\x0a)') ie_utmb_pattern = re.compile(r'(__utmb)(\x0a(([0-9]{0,10}\.){3})[0-9]{1,10}\n)([ -~]{1,64}\x0a)') ie_utmz_pattern = re.compile(r'(__utmz)\x0a(([0-9]{0,10}\.){4}[ -~]{1,200}\x0a)([ -~]{1,64}\x0a)') apple_utma_pattern = re.compile(r'(__utma)\x00(([0-9]{0,10}\.){5}[0-9]{1,5})\x00([ -~]{1,64}\x00\/)') apple_utmb_pattern = re.compile(r'(__utmb)\x00(([0-9]{0,10}\.){3}[0-9]{10})\x00([ -~]{1,64})\x00\/') apple_utmz_pattern = re.compile(r'(__utmz)\x00(([0-9]{0,10}\.){4}[ -~]{1,200}\x00)([ -~]{1,64}\x00\/)') #count vars to keep track of total records processed chrome_utma_count = 0 chrome_utmb_count = 0 chrome_utmz_count = 0 ff_utma_count = 0 ff_utmb_count = 0 ff_utmz_count = 0 ie_utma_count=0 ie_utmb_count=0 ie_utmz_count=0 apple_utma_count = 0 apple_utmb_count = 0 apple_utmz_count = 0 gif__UTF16_count = 0 gif_ASCII_count = 0 self.processed = 0 not_processed= [] #can be increased if more ram is available global maxfilesize maxfilesize = 500000 #printable chars allowed in urls and domain names allowed_chars = r'[\.a-zA-Z\d-]' p_allowed_chars = re.compile(allowed_chars) #loop to keep track of how many segments a file is broken into global loop loop = 0 # Read the contents of the file. nLoops = 0 while 1: inputStream = ReadContentInputStream(file) chunkJarray = jarray.zeros(maxfilesize, "b") if not chunkJarray: break len = inputStream.read(chunkJarray) if len != maxfilesize: print "Not enough bytes read: %d\n" % (len) if nLoops > 0: print" nLoops = %d;breaking\n" % (nLoops) break chunk = StringUtil().fromBytes(chunkJarray) print ("Bytes read: %d\n" % (len)) self.process_chrome_utma(chrome_pattern_utma, chunk) #self.process_chrome_utmb(chrome_pattern_utmb, chunk) #self.process_chrome_utmz(chrome_pattern_utmz, chunk) self.process_firefox_utma(moz_pattern_utma,chunk) #self.process_firefox_utmb(moz_pattern_utmb,chunk) #self.process_firefox_utmz(moz_pattern_utmz,chunk) self.process_ie_utma(ie_utma_pattern,chunk) #self.process_ie_utmb(ie_utmb_pattern,chunk) #self.process_ie_utmz(ie_utmz_pattern,chunk) self.process_apple_utma(apple_utma_pattern,chunk) #self.process_apple_utmb(apple_utmb_pattern,chunk) #self.process_apple_utmz(apple_utmz_pattern,chunk) nLoops = nLoops + 1 if nLoops > 1: print "nLoops too big - breaking" break print "\r\r************ Summary ************" print "Chrome __utma count processed: " + str(chrome_utma_count) print "Chrome __utmb count processed: " + str(chrome_utmb_count) print "Chrome __utmz count found: " + str(chrome_utmz_count) print "FireFox __utma count processed: " + str(ff_utma_count) print "FireFox __utmb count processed: " + str(ff_utmb_count) print "FireFox __utmz count found: " + str(ff_utmz_count) print "FireFox __utmz count processed: " + str(self.processed) print "IE __utma count processed: " + str(ie_utma_count) print "IE __utmb count processed: " + str(ie_utmb_count) print "IE __utmz count processed: " + str(ie_utmz_count) print "apple __utma count processed: " + str(apple_utma_count) print "apple __utmb count processed: " + str(apple_utmb_count) print "apple __utmz count processed: " + str(apple_utmz_count)
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_POWER_STATE = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_POWER_STATE) power_states = [] skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if (file.getName().lower() == "80000000000000a1"): artifactList = file.getArtifacts(ARTID_NS_POWER_STATE) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(8192, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() regex = "nc_started_at.(?P<datetime>[0-9: -]{19}).power_state_start.(?P<state_start>[a-zA-Z]+).power_state_end.(?P<state_end>[a-zA-Z]+)" x = re.finditer(regex, currentBuffer) for state_change in x: timestamp = datetime.strptime(state_change.group('datetime'), '%Y-%m-%d %H:%M:%S') state_start = state_change.group('state_start') state_end = state_change.group('state_end') power_states.append((timestamp, state_start, state_end)) for (timestamp, state_start, state_end) in power_states: # Don't add to blackboard if the artifact already exists self.log(Level.INFO, str(len(artifactList))) for artifact in artifactList: artifact_time = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["time"][3]) artifact_state_start = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_start"][3]) artifact_state_end = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_end"][3]) if artifact_time.getValueString() == str(timestamp): if artifact_state_start.getValueString() == state_start: if artifact_state_end.getValueString() == state_end: return IngestModule.ProcessResult.OK art = file.newArtifact(ARTID_NS_POWER_STATE) art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), PowerStateChangeIngestModuleFactory.moduleName, "Nintendo Switch - Power State Changes")) art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["time"][3], PowerStateChangeIngestModuleFactory.moduleName, str(timestamp))) art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_start"][3], PowerStateChangeIngestModuleFactory.moduleName, state_start)) art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_end"][3], PowerStateChangeIngestModuleFactory.moduleName, state_end)) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(PowerStateChangeIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_POWER_STATE), None)) return IngestModule.ProcessResult.OK