def render_pane(self, branch, query, result, condition='1'):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
elements = [
StringType(column='iosource', name='IOSource'),
IntegerType(column='pid', name='PID'),
IntegerType(column='proto', name='Protocol'),
IntegerType(column='port', name='Port'),
TimestampType('Time Created', 'create_time')
]
try:
condition += " and proto=%s" % branch[1]
del elements[2]
except IndexError:
pass
try:
condition += " and port=%s" % branch[2]
del elements[2]
except IndexError:
pass
result.heading("Show sockets found in memory")
result.text("This statistic show the sockets found in memory")
result.table(
elements=elements,
table='sockets',
where=condition,
case=self.case,
)
def __init__(self, **kwargs):
kwargs['name'] = "Attachment"
kwargs['column'] = 'indirect'
link = FlagFramework.query_type(case=kwargs.get('case'),
family='Disk Forensics',
report='ViewFile',
mode='Summary',
__target__='inode_id')
kwargs['link'] = link
kwargs['link_pane'] = 'popup'
IntegerType.__init__(self, **kwargs)
def __init__(self, **kwargs):
kwargs['name']="Attachment"
kwargs['column'] = 'indirect'
link = FlagFramework.query_type(case=kwargs.get('case'),
family='Disk Forensics',
report='ViewFile',
mode = 'Summary',
__target__ = 'inode_id')
kwargs['link'] = link
kwargs['link_pane'] = 'popup'
IntegerType.__init__(self, **kwargs)
def parse(self, query, datafile='datafile'):
Simple.SimpleLog.parse(self, query, datafile)
self.fields = [
IntegerType(name='Record', column='record'),
TimestampType(name='Timestamp', column='time'),
StringType(name='message', column='message'),
IntegerType(name='EventID', column='event'),
StringType(name='Source', column="Source"),
StringType(name='arg1', column='arg1'),
StringType(name='arg2', column='arg2'),
StringType(name='arg3', column='arg3'),
]
def display(self, query, result):
dbh = DB.DBO(query['case'])
dbh.execute(
"select unix_timestamp(create_time) as time from INFORMATION_SCHEMA.TABLES where table_schema = %r and table_name = 'top_talkers'",
query['case'])
last_updated = dbh.fetch()
if not last_updated or last_updated['time'] + 3600 < time.time():
dbh.execute("drop table if exists top_talkers")
dbh.execute(
"create table top_talkers select dest_ip,sum(length) as bytes from connection join connection_details using(inode_id) group by dest_ip"
)
#__target__ = "filter",
link = FlagFramework.query_type(
case=query['case'],
family='Network Forensics',
report='/Network Forensics/View Connections',
__target__='filter',
__target_format__="'Destination IP'='%s'")
result.table(elements=[
IPType('Destination IP', 'dest_ip', link=link),
IntegerType('Bytes Transfered', 'bytes')
],
table='top_talkers',
case=query['case'],
order=1,
direction=0)
def render_pane(self, branch, query, result):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch) == 1:
result.heading("Show executables found in memory")
result.text("This statistic show the executables found in memory")
elif len(branch) == 2:
t = branch[1].replace("__", '/')
result.table(
elements=[
StringType(column='iosource', name='IOSource'),
IntegerType(column='pid', name='PID'),
TimestampType('Time Created', 'create_time')
],
table='tasks',
where='pid = %r' % t,
case=self.case,
)
else:
for c in self.classes:
if branch[2] == c.name:
self.chain_pane(c,
branch[2:],
query,
result,
condition="pid='%s'" % branch[1])
def pane_cb(path, tmp):
query['order'] = 'Filename'
## If we are asked to show a file, we will show the
## contents of the directory the file is in:
fsfd = FileSystem.DBFS(query["case"])
if not fsfd.isdir(path):
path = os.path.dirname(path)
tmp.table(
elements=[
InodeIDType(case=query['case']),
FilenameType(basename=True, case=query['case']),
DeletedType(),
IntegerType('File Size', 'size'),
TimestampType('Last Modified', 'mtime'),
StringType('Mode', 'mode', table='file')
],
table='inode',
where=DB.expand("file.path=%r and file.mode!='d/d'",
(path + '/')),
case=query['case'],
pagesize=10,
filter="filter2",
)
target = tmp.defaults.get('open_tree', '/')
tmp.toolbar(text=DB.expand("Scan %s", target),
icon="examine.png",
link=query_type(family="Load Data",
report="ScanFS",
path=target,
case=query['case']),
pane='popup')
def pane_cb(path, result):
if not path.endswith('/'): path=path+'/'
result.heading("Path is %s" % path)
case = query['case']
dbh = DB.DBO(case)
fsfd = Registry.FILESYSTEMS.dispatch(query['fstype'])(case)
## Try to see if the directory is already loaded:
dbh.execute("select * from file where path=%r and name=''", path)
if not dbh.fetch():
fsfd.load(mount_point = query['mount_point'], iosource_name= query['iosource'],
directory = path)
## Now display the table
result.table(
elements = [ InodeIDType(case=query['case']),
FilenameType(case=query['case']),
DeletedType(),
IntegerType(name='File Size',column='size'),
TimestampType(name = 'Last Modified',column = 'mtime'),
],
table='inode',
where=DB.expand("file.path=%r and file.mode!='d/d'",(path)),
case = query['case'],
pagesize=10,
)
def Timeline(query, result):
def add_new_event(query, result):
timeline = TimelineObj(case=query['case'])
## We got submitted - actually try to do the deed:
if 'Add To Timeline' in query.getarray('__submit__'):
result.start_table()
newEvent = timeline.add(query, result)
result.para("The following is the new timeline entry:")
timeline.show(newEvent,result)
result.end_table()
result.link("Close this window", target=original_query, pane='parent')
return result
result.start_form(query, pane='self')
result.heading("Add an arbitrary event")
timeline.add_form(query,result)
result.end_form(value="Add To Timeline")
return result
result.table(
elements = [ IntegerType(name='id', column='id'),
TimestampType(name='Time', column='time'),
EditableStringType('Notes', 'notes'),
StringType('Category', 'category')
],
table = 'timeline',
case = query['case'],
filter="filter2",
)
result.toolbar(add_new_event, "Add abritrary event",
icon="clock.png")
def show_packets(self, query, result):
""" Shows the packets which belong in this stream """
combined_fd = self.get_combined_fd()
result.table(elements=[
IntegerType('Packet ID',
'packet_id',
link=query_type(family="Network Forensics",
report='View Packet',
case=query['case'],
open_tree="/eth/payload/payload/data",
__target__='id')),
PCAPTime('Date', 'packet_id'),
IntegerType('Length', 'length'),
DataType('Data', combined_fd=combined_fd)
],
table='connection',
where='inode_id="%s" ' % combined_fd.lookup_id(),
case=query['case'])
def render_pane(self, branch, query, result, condition='1'):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch) == 1:
result.heading("Show executables found in memory")
result.text("This statistic show the executables found in memory")
else:
t = branch[1].replace("__", '/')
result.table(
elements=[
StringType(column='iosource', name='IOSource'),
IntegerType(column='filename', name='File Name'),
IntegerType(column='pid', name='Process ID')
],
table='open_files',
where=condition,
case=self.case,
)
def Annotated_IPs(query, result):
result.table(
elements = [ IntegerType('id','id'),
IPType('ip', 'ip'),
StringType('Notes', 'notes'),
StringType('Category', 'category')
],
table = 'interesting_ips',
case = query['case'],
filter="filter3",
)
def render_pane(self, branch, query, result, condition='1'):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch) >= 1:
result.table(
elements=[
StringType(column='iosource', name='IOSource'),
IntegerType(column='pid', name='PID'),
StringType(column='path', name="Path"),
## Render base address in Hex:
IntegerType(column="base",
name="Base",
callback=lambda x: "0x%08X" % x),
IntegerType(column="size", name="Size")
],
table='modules',
where=condition,
case=self.case,
)
def streams(query, result):
result.table(elements=[
IntegerType("FTP Session id",
"ftp_session_id",
link=query_type(family="Network Forensics",
case=query['case'],
report="Browse FTP Data")),
TimestampType("Time Created", "time_created"),
StringType("Purpose", "purpose"),
InodeIDType(case=query['case'])
],
table='ftp_data_streams',
case=query['case'])
def commands(query, result):
result.table(elements=[
IntegerType("FTP Session id",
"ftp_session_id",
link=query_type(family="Network Forensics",
case=query['case'],
report="Browse FTP Data")),
StringType("Command Type", "command_type"),
StringType("Command", "command"),
StringType("Data", "data")
],
table='ftp_commands',
case=query['case'])
def sessions(query, result):
result.table(
elements=[ #IntegerType("FTP Session id", "ftp_session_id"),
InodeIDType(case=query['case']),
TimestampType("Start Time", "start_time"),
IPType("Client IP", "client_ip", case=query['case']),
IPType("Server IP", "server_ip", case=query['case']),
StringType("Username", "username"),
StringType("Password", "password"),
StringType("Server Banner", "server_banner"),
IntegerType("Total bytes", "total_bytes")
],
table="ftp_sessions",
case=query['case'])
def tabular_view(query, result):
result.table(
elements=[
InodeIDType(case=query['case']),
StringType(name='Mode', column='mode', table='file'),
FilenameType(case=query['case']),
DeletedType(),
IntegerType(name='File Size', column='size'),
TimestampType(name='Last Modified', column='mtime'),
TimestampType(name='Last Accessed', column='atime'),
TimestampType(name='Created', column='ctime'),
],
table='inode',
case=query['case'],
filter="filter1",
)
def display(self,query,result):
try:
result.table(
elements = [ ThumbnailType(name='Thumbnail',case=query['case']),
FilenameType(case=query['case']),
StringType('Type','type'),
IntegerType('Size','size', table='inode'),
TimestampType(name='Timestamp',column='mtime', table='inode')
],
table = 'type',
case = query['case']
)
except DB.DBError,e:
result.para("Error reading the type table. Did you remember to run the TypeScan scanner?")
result.para("Error reported was:")
result.text(e,style="red")
def pane_cb(path,tmp):
fsfd = FileSystem.DBFS( query["case"])
if not fsfd.isdir(path):
path=posixpath.dirname(path)
new_query = make_new_query(query, path + '/')
tmp.table(
elements = [ InodeIDType(case=query['case']),
FilenameType(basename=True, case=query['case'],
link = new_query,
link_pane = 'parent'),
IntegerType('File Size','size'),
],
table='inode',
where=DB.expand("file.path=%r and file.mode!='d/d'", (path+'/')),
case=query['case'],
pagesize=10,
filter="filter2",
)
def render_pane(self, branch, query, result):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch)==1:
result.heading("Show file types")
result.text("This statistic allows different file types to be examined")
else:
t = branch[1].replace("__",'/')
result.table(
elements = [ AFF4URN(case = self.case),
FilenameType(case = self.case, link_pane='main'),
IntegerType('Size','size', table='vfs'),
TimestampType('Timestamp','mtime', table='vfs'),
StringType('Mime', 'mime', table='type')],
table = 'type',
where = DB.expand('type.type=%r ', t),
case = self.case,
)
def render_pane(self, branch, query, result):
## We may only draw on the pane that belongs to us:
if branch[0] != self.name:
return
if len(branch) == 1:
result.heading("Show infected files")
result.text("Lists all the files infected with a particular virus")
else:
t = branch[1].replace("__", '/')
result.table(
elements=[
AFF4URN(case=self.case),
FilenameType(case=self.case),
IntegerType('Size', 'size', table='inode'),
TimestampType('Timestamp', 'mtime', table='inode')
],
table='virus',
where='virus.virus = %r ' % t,
case=self.case,
)
def parse(self, query, datafile='datafile'):
LogFile.Log.parse(self, query, datafile)
self.datafile = query.getarray(datafile)
# set these params, then we can just use SimpleLog's get_fields
self.delimiter = re.compile(' ')
self.prefilters = ['PFDateFormatChange2']
if self.datafile:
query.clear('fields')
for f in self.find_fields_line():
query['fields'] = f
# now for the IIS magic, the code below sets up the
# fields, types, and indexes arrays req'd by load
# replaces the need for the form in SimpleLog
# try to guess types based on known field-names, not perfect...
# automatically index the non-varchar fields, leave the rest
self.fields = []
## Note the original log file has -ip, -status etc, but after
## MakeSQLSafe dashes turn to underscores.
for field in query.getarray('fields'):
if field == 'time':
tmp = TimestampType('Timestamp', 'timestamp')
tmp.index = True
self.fields.append(tmp)
elif '_ip' in field:
tmp = IPType('IP Address', 'IP Address')
tmp.index = True
self.fields.append(tmp)
elif '_status' in field or '_bytes' in field:
tmp = IntegerType(field, field)
tmp.index = True
self.fields.append(tmp)
else:
tmp = StringType(field, field)
tmp.index = True
self.fields.append(tmp)
table='dictionary',
## Class names starting with _ are private and should not
## be user selectable:
where="left(class,1) != '_' ",
case=None,
)
result.row(table, form, valign='top')
class OffsetType(IntegerType):
hidden = True
LogCompatible = False
def __init__(self, case, table='LogicalIndexOffsets'):
self.case = case
IntegerType.__init__(self, name='Offset', column='offset', table=table)
def select(self):
return "concat(%s, ',', %s)" % (self.escape_column_name('offset'),
self.escape_column_name('length'))
def display(self, value, row, result):
offset, length = value.split(",")
inode = row['Inode']
query = query_type(case=self.case,
family="Disk Forensics",
report='ViewFile',
mode='HexDump',
inode_id=inode,
offset=offset,
hexlimit=max(int(offset) - 50, 0),
if not os.path.isdir(full_filename):
s = os.stat(full_filename)
dbh.mass_insert(filename = filename,
_timestamp = "from_unixtime(%d)" % s.st_mtime,
size = s.st_size)
except OSError:
pass
dbh.mass_insert_commit()
except OSError,e:
pass
new_query=query.clone()
new_query['__target__'] = name
new_query['__target_type__'] = 'append'
elements = [ IntegerType(name='Size', column='size'),
TimestampType(name='Timestamp', column='timestamp'),
StringType(name='Filename', column='filename',
link = new_query, link_pane='parent'
)
]
## Now display the table widget:
result.table(
elements = elements,
table = tablename,
case = case,
order = 2, direction = 1
)
## Submit all the nodes in the display:
filename=filename,
_timestamp="from_unixtime(%d)" %
s.st_mtime,
size=s.st_size)
except OSError:
pass
dbh.mass_insert_commit()
except OSError, e:
pass
new_query = query.clone()
new_query['__target__'] = name
new_query['__target_type__'] = 'append'
elements = [
IntegerType(name='Size', column='size'),
TimestampType(name='Timestamp', column='timestamp'),
StringType(name='Filename',
column='filename',
link=new_query,
link_pane='parent')
]
## Now display the table widget:
result.table(elements=elements,
table=tablename,
case=case,
order=2,
direction=1)
## Submit all the nodes in the display:
base_stream_inode = value
tmp.link(value,target = FlagFramework.query_type((),
family='Disk Forensics', case=query['case'],
inode=base_stream_inode,
report='View File Contents', mode="Combined streams"
))
return tmp
def text_cb(value, **options):
tmp = result.__class__(result)
tmp.text(value, **options)
return tmp
result.table(
elements = [ IntegerType('ID','id'),
PCAPTime("Timestamp","packet_id"),
InodeType("Stream","inode",
link = query_type(family='Disk Forensics',
case=query['case'],
__target__='inode',
report='View File Contents',
mode="Combined streams"),
case=query['case']),
IntegerType("Packet", 'packet_id',
link = query_type(family="Network Forensics",
case=query['case'],
report='View Packet',
__target__='inode')),
StringType("Command",'command'),
StringType("Sender Nick","sender"),
def vfs_popup(query, result):
if not query.has_key('case'):
result.heading("No case selected")
else:
import pyflag.FileSystem as FileSystem
def make_new_query(query, path=''):
case = query['case']
new_query = query.clone()
new_query['__target__'] = name
new_query['__target_type__'] = 'append'
new_query['__target_format__'] = "vfs://%s%s%%s" % (case,
path)
new_query.poparray('callback_stored')
return new_query
def tree_view_cb(query, result):
def tree_cb(path):
fsfd = FileSystem.DBFS(query['case'])
query.default("path", '/')
if not path.endswith('/'): path = path + '/'
dirs = []
for i in fsfd.dent_walk(path):
if i['mode'] == "d/d" and i[
'status'] == 'alloc' and i[
'name'] not in dirs:
dirs.append(i['name'])
yield (([i['name'], i['name'], 'branch']))
def pane_cb(path, tmp):
fsfd = FileSystem.DBFS(query["case"])
if not fsfd.isdir(path):
path = posixpath.dirname(path)
new_query = make_new_query(query, path + '/')
tmp.table(
elements=[
InodeIDType(case=query['case']),
FilenameType(basename=True,
case=query['case'],
link=new_query,
link_pane='parent'),
IntegerType('File Size', 'size'),
],
table='inode',
where=DB.expand(
"file.path=%r and file.mode!='d/d'",
(path + '/')),
case=query['case'],
pagesize=10,
filter="filter2",
)
result.tree(tree_cb=tree_cb, pane_cb=pane_cb, branch=[''])
def table_view_cb(query, result):
case = query['case']
new_query = make_new_query(query, '')
result.table(elements=[
InodeIDType(),
FilenameType(case=case,
link=new_query,
link_pane='parent'),
IntegerType('File Size', 'size')
],
table='inode',
case=case,
order=2,
direction=1)
def __init__(self, case, table='LogicalIndexOffsets'):
self.case = case
IntegerType.__init__(self, name='Offset',
column='offset',
table=table)
