def process(self, file): # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().find(".txt") != -1: self.logger.logp(Level.INFO, SampleJythonFileIngestModule.__name__, "process", "Found a text file: " + file.getName()) self.filesFound+=1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName) # we don't know how much work there is yet progressBar.switchToIndeterminate() autopsyCase = Case.getCurrentCase() sleuthkitCase = autopsyCase.getSleuthkitCase() services = Services(sleuthkitCase) fileManager = services.getFileManager() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK;
def process(self, file): # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK # This will work in 4.0.1 and beyond # Use blackboard class to index blackboard artifacts for keyword search # blackboard = Case.getCurrentCase().getServices().getBlackboard() # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().lower().endswith(".txt"): self.log(Level.INFO, "Found a text file: " + file.getName()) self.filesFound+=1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artifact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) # This will work in 4.0.1 and beyond #try: # # index the artifact for keyword search # blackboard.indexArtifact(art) #except Blackboard.BlackboardException as e: # self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)); # For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added # by other modules. We then iterate over its attributes. We'll just print them, but you would probably # want to do something with them. artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) for artifact in artifactList: attributeList = artifact.getAttributes(); for attrib in attributeList: self.log(Level.INFO, attrib.toString()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def getUsersFromFile(self, file): inputStream = ReadContentInputStream(file) users = [] buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while len != -1: totLen = totLen + len len = inputStream.read(buffer) currentBuffer = buffer.tostring() x = re.search("^\{.*\"gender\".*\}", currentBuffer) if x: result = x.string.replace("\x00", "") d = json.loads(result) users.append(d) return users
def process(self, file): # If the file has a txt extension, post an artifact to the blackboard. if file.getName().find("test") != -1: art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Sample Jython File Ingest Module", "Text Files") art.addAttribute(att) # Read the contents of the file. inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) # Send the size of the file to the ingest messages in box. msgText = "Size of %s is %d bytes" % ((file.getName(), totLen)) message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython File IngestModule", msgText) ingestServices = IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def cookieMain(self, file): global chrome_pattern_utmb global chrome_pattern_utmz global chrome_pattern_utma global moz_pattern_utma global moz_pattern_utmb global moz_pattern_utmz global ie_utma_pattern global ie_utmb_pattern global ie_utmz_pattern global apple_utma_pattern global apple_utmb_pattern global apple_utmz_pattern global chrome_utma_count global chrome_utmb_count global chrome_utmz_count global ff_utma_count global ff_utmb_count global ff_utmz_count global ie_utma_count global ie_utmb_count global ie_utmz_count global apple_utma_count global apple_utmb_count global apple_utmz_count global gif__UTF16_count global gif_ASCII_count #chrome utm grep patterns chrome_pattern_utma = re.compile(r'__utma(([0-9]{0,10}\.){5}([0-9])*)(\/)') chrome_pattern_utmz = re.compile(r'(__utmz)(([0-9]{0,10}\.){4}utm(.*?)\s*\x2F\x00\x2E)') chrome_pattern_utmb = re.compile(r'(__utmb)(([0-9]{0,10}\.){3}[0-9]{0,10})') #firefox utm grep patterns moz_pattern_utma = re.compile(r'(__utma(([0-9]{0,10}\.){5}[0-9]{1,5}))[^\/](\.?[a-zA-Z\d-]{0,63}){0,4}') moz_pattern_utmb = re.compile(r'__utmb([0-9]{0,10}\.){3}[0-9]{0,10}([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){1,4}') moz_pattern_utmz = re.compile(r'(__utmz)(([0-9]{0,20}\.){4}[ -~]*?)([a-zA-Z\d-]{,63}\.[a-zA-Z\d-]{,63}){0,4}\/[TS]{1}') #ie patterns ie_utma_pattern = re.compile(r'(__utma)(\x0a(([0-9]{0,10}\.){5})[0-9]{1,10}\n)([ -~]{1,64}\x0a)') ie_utmb_pattern = re.compile(r'(__utmb)(\x0a(([0-9]{0,10}\.){3})[0-9]{1,10}\n)([ -~]{1,64}\x0a)') ie_utmz_pattern = re.compile(r'(__utmz)\x0a(([0-9]{0,10}\.){4}[ -~]{1,200}\x0a)([ -~]{1,64}\x0a)') apple_utma_pattern = re.compile(r'(__utma)\x00(([0-9]{0,10}\.){5}[0-9]{1,5})\x00([ -~]{1,64}\x00\/)') apple_utmb_pattern = re.compile(r'(__utmb)\x00(([0-9]{0,10}\.){3}[0-9]{10})\x00([ -~]{1,64})\x00\/') apple_utmz_pattern = re.compile(r'(__utmz)\x00(([0-9]{0,10}\.){4}[ -~]{1,200}\x00)([ -~]{1,64}\x00\/)') #count vars to keep track of total records processed chrome_utma_count = 0 chrome_utmb_count = 0 chrome_utmz_count = 0 ff_utma_count = 0 ff_utmb_count = 0 ff_utmz_count = 0 ie_utma_count=0 ie_utmb_count=0 ie_utmz_count=0 apple_utma_count = 0 apple_utmb_count = 0 apple_utmz_count = 0 gif__UTF16_count = 0 gif_ASCII_count = 0 self.processed = 0 not_processed= [] #can be increased if more ram is available global maxfilesize maxfilesize = 500000 #printable chars allowed in urls and domain names allowed_chars = r'[\.a-zA-Z\d-]' p_allowed_chars = re.compile(allowed_chars) #loop to keep track of how many segments a file is broken into global loop loop = 0 # Read the contents of the file. nLoops = 0 while 1: inputStream = ReadContentInputStream(file) chunkJarray = jarray.zeros(maxfilesize, "b") if not chunkJarray: break len = inputStream.read(chunkJarray) if len != maxfilesize: print "Not enough bytes read: %d\n" % (len) if nLoops > 0: print" nLoops = %d;breaking\n" % (nLoops) break chunk = StringUtil().fromBytes(chunkJarray) print ("Bytes read: %d\n" % (len)) self.process_chrome_utma(chrome_pattern_utma, chunk) #self.process_chrome_utmb(chrome_pattern_utmb, chunk) #self.process_chrome_utmz(chrome_pattern_utmz, chunk) self.process_firefox_utma(moz_pattern_utma,chunk) #self.process_firefox_utmb(moz_pattern_utmb,chunk) #self.process_firefox_utmz(moz_pattern_utmz,chunk) self.process_ie_utma(ie_utma_pattern,chunk) #self.process_ie_utmb(ie_utmb_pattern,chunk) #self.process_ie_utmz(ie_utmz_pattern,chunk) self.process_apple_utma(apple_utma_pattern,chunk) #self.process_apple_utmb(apple_utmb_pattern,chunk) #self.process_apple_utmz(apple_utmz_pattern,chunk) nLoops = nLoops + 1 if nLoops > 1: print "nLoops too big - breaking" break print "\r\r************ Summary ************" print "Chrome __utma count processed: " + str(chrome_utma_count) print "Chrome __utmb count processed: " + str(chrome_utmb_count) print "Chrome __utmz count found: " + str(chrome_utmz_count) print "FireFox __utma count processed: " + str(ff_utma_count) print "FireFox __utmb count processed: " + str(ff_utmb_count) print "FireFox __utmz count found: " + str(ff_utmz_count) print "FireFox __utmz count processed: " + str(self.processed) print "IE __utma count processed: " + str(ie_utma_count) print "IE __utmb count processed: " + str(ie_utmb_count) print "IE __utmz count processed: " + str(ie_utmz_count) print "apple __utma count processed: " + str(apple_utma_count) print "apple __utmb count processed: " + str(apple_utmb_count) print "apple __utmz count processed: " + str(apple_utmz_count)
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_WIFI = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_WIFI) networks = {} skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if (file.getName().lower() == "8000000000000050"): artifactList = file.getArtifacts(ARTID_NS_WIFI) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(8192, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() regex = "\x00[^\x00]{16}\x03(?:[^\x20-\x7f]+)(?P<ssid>[\x20-\x7f]+?)\x00(?:[^\x20-\x7f]+)(?P<pass>[\x20-\x7f]+?)\x00" x = re.finditer(regex, currentBuffer) for network in x: networks[network.group('ssid')] = network.group('pass') for ssid, psk in networks.items(): self.log(Level.INFO, ssid) # Don't add to blackboard if the artifact already exists for artifact in artifactList: artifactSSID = artifact.getAttribute( self.NS_WIFI_ATTRIBUTES["SSID"][3]) if artifactSSID.getValueString() == ssid: pass art = file.newArtifact(ARTID_NS_WIFI) art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME. getTypeID(), WiFiIngestModuleFactory.moduleName, "Nintendo Switch - Wireless Credentials")) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["SSID"][3], WiFiIngestModuleFactory.moduleName, ssid)) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["PSK"][3], WiFiIngestModuleFactory.moduleName, psk)) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( WiFiIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_WIFI), None)) return IngestModule.ProcessResult.OK