def appts(query, output): output.table( elements=[ InodeType('Inode', 'inode'), TimestampType('Start Date', 'startdate'), TimestampType('End Date', 'enddate'), StringType('Location', 'location'), StringType('Comment', 'comment') ], table=('appointment'), case=query['case'], filter="filter2", ) return output
def journal(query, output): output.table( elements=[ InodeType('Inode', 'inode'), TimestampType('Start Date', 'startdate'), TimestampType('End Date', 'enddate'), StringType('Type', 'type'), StringType('Comment', 'comment') ], table=('journal'), case=query['case'], filter="filter3", ) return output
def ie_history_cb(query,result): dbh=self.DBO(query['case']) dbh.check_index("ie_history" ,"url",10) OffsetType = Registry.COLUMN_TYPES.dispatch("OffsetType") result.table( elements = [ InodeIDType(case=query['case']), OffsetType(case=query['case'], table='ie_history'), StringType('Type','type'), StringType('URL','url'), TimestampType('Modified','modified'), TimestampType('Accessed','accessed'), StringType('Filename', 'filename'), StringType('Headers','headers') ], table='ie_history', case=query['case'], )
def render_pane(self, branch, query, result): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch) == 1: result.heading("Show executables found in memory") result.text("This statistic show the executables found in memory") elif len(branch) == 2: t = branch[1].replace("__", '/') result.table( elements=[ StringType(column='iosource', name='IOSource'), IntegerType(column='pid', name='PID'), TimestampType('Time Created', 'create_time') ], table='tasks', where='pid = %r' % t, case=self.case, ) else: for c in self.classes: if branch[2] == c.name: self.chain_pane(c, branch[2:], query, result, condition="pid='%s'" % branch[1])
def tabular_view(query, result): result.table( elements=[ InodeIDType(case=query['case']), StringType(name='Mode', column='mode', table='file'), FilenameType(case=query['case']), DeletedType(), IntegerType(name='File Size', column='size'), TimestampType(name='Last Modified', column='mtime'), TimestampType(name='Last Accessed', column='atime'), TimestampType(name='Created', column='ctime'), ], table='inode', case=query['case'], filter="filter1", )
def Timeline(query, result): def add_new_event(query, result): timeline = TimelineObj(case=query['case']) ## We got submitted - actually try to do the deed: if 'Add To Timeline' in query.getarray('__submit__'): result.start_table() newEvent = timeline.add(query, result) result.para("The following is the new timeline entry:") timeline.show(newEvent,result) result.end_table() result.link("Close this window", target=original_query, pane='parent') return result result.start_form(query, pane='self') result.heading("Add an arbitrary event") timeline.add_form(query,result) result.end_form(value="Add To Timeline") return result result.table( elements = [ IntegerType(name='id', column='id'), TimestampType(name='Time', column='time'), EditableStringType('Notes', 'notes'), StringType('Category', 'category') ], table = 'timeline', case = query['case'], filter="filter2", ) result.toolbar(add_new_event, "Add abritrary event", icon="clock.png")
def pane_cb(path, tmp): query['order'] = 'Filename' ## If we are asked to show a file, we will show the ## contents of the directory the file is in: fsfd = FileSystem.DBFS(query["case"]) if not fsfd.isdir(path): path = os.path.dirname(path) tmp.table( elements=[ InodeIDType(case=query['case']), FilenameType(basename=True, case=query['case']), DeletedType(), IntegerType('File Size', 'size'), TimestampType('Last Modified', 'mtime'), StringType('Mode', 'mode', table='file') ], table='inode', where=DB.expand("file.path=%r and file.mode!='d/d'", (path + '/')), case=query['case'], pagesize=10, filter="filter2", ) target = tmp.defaults.get('open_tree', '/') tmp.toolbar(text=DB.expand("Scan %s", target), icon="examine.png", link=query_type(family="Load Data", report="ScanFS", path=target, case=query['case']), pane='popup')
def render_pane(self, branch, query, result, condition='1'): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return elements = [ StringType(column='iosource', name='IOSource'), IntegerType(column='pid', name='PID'), IntegerType(column='proto', name='Protocol'), IntegerType(column='port', name='Port'), TimestampType('Time Created', 'create_time') ] try: condition += " and proto=%s" % branch[1] del elements[2] except IndexError: pass try: condition += " and port=%s" % branch[2] del elements[2] except IndexError: pass result.heading("Show sockets found in memory") result.text("This statistic show the sockets found in memory") result.table( elements=elements, table='sockets', where=condition, case=self.case, )
def pane_cb(path, result): if not path.endswith('/'): path=path+'/' result.heading("Path is %s" % path) case = query['case'] dbh = DB.DBO(case) fsfd = Registry.FILESYSTEMS.dispatch(query['fstype'])(case) ## Try to see if the directory is already loaded: dbh.execute("select * from file where path=%r and name=''", path) if not dbh.fetch(): fsfd.load(mount_point = query['mount_point'], iosource_name= query['iosource'], directory = path) ## Now display the table result.table( elements = [ InodeIDType(case=query['case']), FilenameType(case=query['case']), DeletedType(), IntegerType(name='File Size',column='size'), TimestampType(name = 'Last Modified',column = 'mtime'), ], table='inode', where=DB.expand("file.path=%r and file.mode!='d/d'",(path)), case = query['case'], pagesize=10, )
def display(self, query,result): result.heading("Table Tests") ## Tables need to act on the DB so we create a temporary table ## just for this test: dbh=DB.DBO() dbh.cursor.warnings=False dbh.execute("drop table if exists TestTable") dbh.execute("""create TABLE `TestTable` ( `id` int(11) NOT NULL auto_increment, `time` TIMESTAMP, `data` tinyblob NOT NULL, `foobar` varchar(10), `ip_addr` int(11) unsigned default 0, PRIMARY KEY (`id`) )""") dbh.mass_insert_start("TestTable") dbh.insert("TestTable", _time="from_unixtime(1147329821)", data="Some Data", foobar="X", _ip_addr="inet_aton('192.168.1.1')") dbh.insert("TestTable", _time="from_unixtime(1147329831)", data="More Data", foobar="Y", _ip_addr="inet_aton('192.168.1.22')") dbh.insert("TestTable", _time="from_unixtime(1147329841)", data="Some More Data", foobar="Z", _ip_addr="inet_aton('192.168.1.23')") dbh.insert("TestTable", _time="from_unixtime(1147329851)", data="Another Lot of Data", foobar="Q", _ip_addr="inet_aton('192.168.1.55')") for i in range(0,100): dbh.mass_insert(_time="from_unixtime(%s)" % (1147329851+i), data="Data %s" % i, foobar=i) dbh.mass_insert_commit() def foobar_cb(value): return "foo %s" % value result.table( ## Can use keyword args elements = [ TimestampType(name = 'Timestamp', column = 'time', ), ## Or positional args StringType('Data', 'data', link = query_type( family=query['family'], report='FormTest',__target__='var1')), StringType('Foobar', 'foobar', callback=foobar_cb), ## Note that here we just need to specify the ## field name in the table, the IPType will ## automatically create the translated SQL. IPType('IP Address', 'ip_addr'), ], table = "TestTable", )
def parse(self, query, datafile='datafile'): Simple.SimpleLog.parse(self, query, datafile) self.fields = [ IntegerType(name='Record', column='record'), TimestampType(name='Timestamp', column='time'), StringType(name='message', column='message'), IntegerType(name='EventID', column='event'), StringType(name='Source', column="Source"), StringType(name='arg1', column='arg1'), StringType(name='arg2', column='arg2'), StringType(name='arg3', column='arg3'), ]
def Annotated_inodes(query, result): result.table( elements = [ TimestampType(name='Time',column='mtime', table='inode'), InodeIDType(case=query['case']), FilenameType(case=query['case']), StringType('Category','category'), StringType('Note','note'), ], table = 'annotate', case = query['case'], filter="filter1", )
def hist_cb(query,result): result.table( elements = [ InodeIDType(case=query['case']), TimestampType('LastVisitDate','LastVisitDate'), StringType('Name', 'name'), StringType('URL', 'url'), StringType('Host', 'host'), StringType('Referrer', 'Referrer'), ], table = 'mozilla_history', case = query['case'], filter='hist_filter', )
def tabular_view(query,result): result.table( elements = [ TimestampType('Timestamp','mtime', table='inode'), #TimestampType(name='Date',column='date'), PacketType(name='Request Packet',column='request_packet', case=query['case']), InodeIDType(), StringType('Method','method'), StringType('URL','url'), StringType('Content Type','content_type') ], table="http", case=query['case'] )
def streams(query, result): result.table(elements=[ IntegerType("FTP Session id", "ftp_session_id", link=query_type(family="Network Forensics", case=query['case'], report="Browse FTP Data")), TimestampType("Time Created", "time_created"), StringType("Purpose", "purpose"), InodeIDType(case=query['case']) ], table='ftp_data_streams', case=query['case'])
def sessions(query, result): result.table( elements=[ #IntegerType("FTP Session id", "ftp_session_id"), InodeIDType(case=query['case']), TimestampType("Start Time", "start_time"), IPType("Client IP", "client_ip", case=query['case']), IPType("Server IP", "server_ip", case=query['case']), StringType("Username", "username"), StringType("Password", "password"), StringType("Server Banner", "server_banner"), IntegerType("Total bytes", "total_bytes") ], table="ftp_sessions", case=query['case'])
def display(self,query,result): try: result.table( elements = [ ThumbnailType(name='Thumbnail',case=query['case']), FilenameType(case=query['case']), StringType('Type','type'), IntegerType('Size','size', table='inode'), TimestampType(name='Timestamp',column='mtime', table='inode') ], table = 'type', case = query['case'] ) except DB.DBError,e: result.para("Error reading the type table. Did you remember to run the TypeScan scanner?") result.para("Error reported was:") result.text(e,style="red")
def table_notebook_cb(query, result): del new_q['mode'] del new_q['mark'] new_q['__target__'] = 'open_tree' new_q['mode'] = 'Tree View' result.table(elements=[ StringType('Path', 'path', link=new_q), StringType('Type', 'type'), StringType('Key', 'reg_key'), TimestampType('Modified', 'modified'), StringType('Value', 'value') ], table='reg', case=query['case'], filter="filter1")
def parse(self, query, datafile='datafile'): LogFile.Log.parse(self, query, datafile) self.datafile = query.getarray(datafile) # set these params, then we can just use SimpleLog's get_fields self.delimiter = re.compile(' ') self.prefilters = ['PFDateFormatChange2'] if self.datafile: query.clear('fields') for f in self.find_fields_line(): query['fields'] = f # now for the IIS magic, the code below sets up the # fields, types, and indexes arrays req'd by load # replaces the need for the form in SimpleLog # try to guess types based on known field-names, not perfect... # automatically index the non-varchar fields, leave the rest self.fields = [] ## Note the original log file has -ip, -status etc, but after ## MakeSQLSafe dashes turn to underscores. for field in query.getarray('fields'): if field == 'time': tmp = TimestampType('Timestamp', 'timestamp') tmp.index = True self.fields.append(tmp) elif '_ip' in field: tmp = IPType('IP Address', 'IP Address') tmp.index = True self.fields.append(tmp) elif '_status' in field or '_bytes' in field: tmp = IntegerType(field, field) tmp.index = True self.fields.append(tmp) else: tmp = StringType(field, field) tmp.index = True self.fields.append(tmp)
def display(self, query, result): result.heading("Interesting Registry Keys") dbh = self.DBO(query['case']) result.table( elements=[ StringType('Path', 'path'), StringType('Key', 'reg_key'), StringType('Value', 'value'), TimestampType('Last Modified', 'modified'), StringType('Category', 'category'), StringType('Description', 'description') ], table='interestingregkeys', case=query['case'], )
def display(self, query, result): dbh = self.DBO(query['case']) result.heading("File Timeline for Filesystem") result.table( elements=[ TimestampType('Timestamp', 'time'), AFF4URN(case=query['case']), DeletedType(), BinaryType('m', "m"), BinaryType('a', "a"), BinaryType('c', "c"), BinaryType('d', "d"), FilenameType(), ], table='mac', case=query['case'], )
def parse(self, query, datafile='datafile'): LogFile.Log.parse(self, query, datafile) self.fields = [] self.delimiter = re.compile("\s+") self.fields.append(TimestampType('Timestamp', 'Timestamp')) self.fields.append(StringType('Hostname', 'Hostname')) self.fields.append(StringType('ServiceName', 'ServiceName')) self.fields.append(StringType('Message', 'Message')) self.datafile = query.getarray(datafile) try: self.yearOfSyslog = int(query['year_of_syslog']) except: pass
def display(self, query, result): result.table( elements=[ TimestampType('Timestamp', 'mtime', table='inode'), InodeIDType(case=query['case']), StringType('From', 'From'), StringType('To', 'To'), StringType('CC', 'CC'), StringType('BCC', 'BCC'), StringType('Subject', 'Subject'), HTMLStringType('Message', 'Message'), #StringType('MessageID', 'message_id'), AttachmentColumn(name='Attachment', case=query['case']), StringType('Type', 'type'), StringType('Service', 'service'), ], table='webmail_messages', case=query['case'])
def parse(self, query, datafile="datafile"): LogFile.Log.parse(self, query, datafile) self.datafile = query.getarray(datafile) # set these params, then we can just use SimpleLog's get_fields self.delimiter = re.compile(" ") self.prefilters = ["PFDateFormatChange2"] if self.datafile: query.clear("fields") for f in self.find_fields_line(): query["fields"] = f # now for the IIS magic, the code below sets up the # fields, types, and indexes arrays req'd by load # replaces the need for the form in SimpleLog # try to guess types based on known field-names, not perfect... # automatically index the non-varchar fields, leave the rest self.fields = [] ## Note the original log file has -ip, -status etc, but after ## MakeSQLSafe dashes turn to underscores. for field in query.getarray("fields"): if field == "time": tmp = TimestampType("Timestamp", "timestamp") tmp.index = True self.fields.append(tmp) elif "_ip" in field: tmp = IPType("IP Address", "IP Address") tmp.index = True self.fields.append(tmp) elif "_status" in field or "_bytes" in field: tmp = IntegerType(field, field) tmp.index = True self.fields.append(tmp) else: tmp = StringType(field, field) tmp.index = True self.fields.append(tmp)
def email(query, output): output.table( elements=[ InodeType('Inode', 'inode', link=query_type(case=query['case'], family="Disk Forensics", report='ViewFile', __target__='inode', inode="%s:0")), TimestampType('Arrival Date', 'date'), StringType('From', 'from'), StringType('To', 'to'), StringType('Subject', 'subject') ], table=('email'), case=query['case'], filter="filter0", ) return output
def render_pane(self, branch, query, result): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch)==1: result.heading("Show file types") result.text("This statistic allows different file types to be examined") else: t = branch[1].replace("__",'/') result.table( elements = [ AFF4URN(case = self.case), FilenameType(case = self.case, link_pane='main'), IntegerType('Size','size', table='vfs'), TimestampType('Timestamp','mtime', table='vfs'), StringType('Mime', 'mime', table='type')], table = 'type', where = DB.expand('type.type=%r ', t), case = self.case, )
def display(self, query, result): result.heading("Email sessions") result.table( elements=[ InodeType('Inode', 'inode', link=query_type(family='Disk Forensics', case=query['case'], __target__='inode', report='View File Contents', mode="Text"), case=query['case']), TimestampType('Date', 'date'), StringType('From', 'from'), StringType('To', 'to'), StringType('Subject', 'subject') ], table=('email'), case=query['case'], )
def render_pane(self, branch, query, result): ## We may only draw on the pane that belongs to us: if branch[0] != self.name: return if len(branch) == 1: result.heading("Show infected files") result.text("Lists all the files infected with a particular virus") else: t = branch[1].replace("__", '/') result.table( elements=[ AFF4URN(case=self.case), FilenameType(case=self.case), IntegerType('Size', 'size', table='inode'), TimestampType('Timestamp', 'mtime', table='inode') ], table='virus', where='virus.virus = %r ' % t, case=self.case, )
def parse(self, query, datafile="datafile"): LogFile.Log.parse(self, query, datafile) self.datafile = query.getarray(datafile) self.cre = re.compile("([A-Z]+)=([^ ]*)") self.prefix_re = re.compile("([^ :]+):IN=") self.date_re = re.compile("^(...)\s+(\d+)\s+(\d\d:\d\d:\d\d)") self.fields = [ TimestampType(name="TIME", column="TIME"), StringType(name="Action", column="action") ] self.parameters = {} for parameter, name, desc, column, default, index in IPTABLES_FIELDS: if query.has_key(parameter): new_column = column(name=name, column=parameter) new_column.index = index self.fields.append(new_column) self.parameters[parameter] = new_column if len(self.fields) == 0: raise RuntimeError("No columns were selected")
_timestamp="from_unixtime(%d)" % s.st_mtime, size=s.st_size) except OSError: pass dbh.mass_insert_commit() except OSError, e: pass new_query = query.clone() new_query['__target__'] = name new_query['__target_type__'] = 'append' elements = [ IntegerType(name='Size', column='size'), TimestampType(name='Timestamp', column='timestamp'), StringType(name='Filename', column='filename', link=new_query, link_pane='parent') ] ## Now display the table widget: result.table(elements=elements, table=tablename, case=case, order=2, direction=1) ## Submit all the nodes in the display: def submit_all(query, new_result):