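def test03cpTests(self):
    """Test the cp (copy) command.

    Loads the test case, copies every file matching ``/dscf108*`` into a
    fresh temporary directory and checks the MD5 of one copied file
    against a known digest. The temporary directory is removed even when
    an assertion fails.
    """
    ## Local imports: the module's import block is outside this view.
    import hashlib
    import shutil
    import tempfile

    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])

    ## mkdtemp creates the directory atomically, readable only by the
    ## creating user; os.tmpnam() only returned a predictable name, leaving
    ## a window in which another process could pre-create or symlink it.
    tmpname = tempfile.mkdtemp()
    try:
        pyflagsh.shell_execv(env=self.env, command="cp",
                             argv=["/dscf108*", tmpname])

        ## Now verify the copy worked. Binary mode keeps the digest
        ## independent of platform newline translation.
        fd = open(os.path.join(tmpname, "dscf1080.jpg"), 'rb')
        try:
            data = fd.read()
        finally:
            fd.close()
        self.assertEqual(hashlib.md5(data).hexdigest(),
                         '9e03e022404a945575b813ffb56fd841')
    finally:
        ## Clean up, whether or not the checks above passed.
        shutil.rmtree(tmpname)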
def test01ls(self):
    """Exercise the ls command: default dir, a subdir, file and dir globs."""
    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])

    def listing(*argv):
        ## Every line the shell's ls emits for the given arguments.
        return list(pyflagsh.shell_execv_iter(env=self.env, command="ls",
                                              argv=list(argv)))

    ## The default directory has a fixed number of entries.
    self.assertEqual(len(listing()), 18)
    ## A named directory can be listed.
    self.assert_(len(listing("docs")) >= 3)
    ## Globbing files.
    self.assertEqual(len(listing("*.jpg")), 5)
    ## Globbing directories.
    self.assert_(len(listing("do*")) > 3)
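def test01RunScanners(self):
    """Run the Logical Index scanner and verify every hit for 'secret'.

    Ensures the dictionary contains the word, runs IndexScan over all
    inodes, then re-reads each recorded (inode, offset, length) from the
    case filesystem and checks the bytes there spell the word. Exactly two
    hits are expected.
    """
    ## Make sure the word secret is in there.
    pdbh = DB.DBO()
    pdbh.execute("select * from dictionary where word='secret' limit 1")
    if not pdbh.fetch():
        ## 'class' is a keyword, so the kwargs must go through a dict.
        pdbh.insert('dictionary', **{'word': 'secret',
                                     'class': 'English',
                                     'type': 'word'})

    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IndexScan'])

    ## The second, unused DB handle the original opened is dropped.
    dbh = DB.DBO(self.test_case)
    fsfd = DBFS(self.test_case)
    dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB, config.FLAGDB))

    count = 0
    for row in dbh:
        count += 1
        _path, inode, _inode_id = fsfd.lookup(inode_id=row['inode_id'])
        fd = fsfd.open(inode=inode)
        ## Presumably lets the read extend into slack / past the nominal
        ## end so hits recorded there can be checked -- confirm in DBFS.
        fd.overread = True
        fd.slack = True
        fd.seek(row['offset'])
        data = fd.read(row['length'])
        print("Looking for %s: Found in %s at offset %s length %s %r" % (
            row['word'], inode, row['offset'], row['length'], data))
        self.assertEqual(data.lower(), row['word'].lower())

    ## Did we find all the secrets?
    self.assertEqual(count, 2)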
def test01RunScanner(self):
    """Run the cache scanners: ZipScan first, then MozCache and GoogleImage."""
    env = pyflagsh.environment(case=self.test_case)
    for scanners in (['ZipScan'], ['MozCacheScan', 'GoogleImageScanner']):
        pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test02catTests(self):
    """Test the cat command against bytes read straight from the DBFS."""
    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])
    self.fsfd = FileSystem.DBFS(self.test_case)

    def slurp(path):
        ## Full contents of one file in the case filesystem.
        return self.fsfd.open(path).read()

    def cat(pattern):
        ## Everything the cat command emits for a path or glob, joined.
        return ''.join(pyflagsh.shell_execv_iter(env=self.env, command="cat",
                                                 argv=[pattern]))

    data1 = slurp("/dscf1080.jpg")
    data2 = slurp("/dscf1081.jpg")
    data3 = slurp("/dscf1082.jpg")

    ## A single file comes back byte-for-byte.
    self.assertEqual(cat("/dscf1081.jpg"), data2)

    ## A glob concatenates the matches in order.
    combined = cat("/dscf108*")
    self.assertEqual(len(combined), len(data1) + len(data2) + len(data3))
    self.assert_(combined == data1 + data2 + data3)
def test01SMTPScanner(self):
    """Run the SMTP scanner (with RFC2822 and type scanning) over all inodes."""
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["SMTPScanner", "RFC2822", "TypeScan"]
    ## "*" selects every inode.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01GmailScanner(self):
    """Run the Google Image scanner over all inodes (despite the method name)."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=["*", "GoogleImageScanner"])
def test01YahooMailScanner(self):
    """Run the Yahoo Mail 2.0 scanner over all inodes."""
    env = pyflagsh.environment(case=self.test_case)
    all_inodes = "*"
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=[all_inodes, "YahooMail20Scan"])
def test01(self):
    """Run the NetworkScanners (stream reassembly) over all inodes."""
    env = pyflagsh.environment(case=self.test_case)
    all_inodes = "*"
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=[all_inodes, "NetworkScanners"])
def test01RunScanner(self):
    """Run the archive scanners, then a second pass adding carving, type and index scans."""
    env = pyflagsh.environment(case=self.test_case)
    archive = ['ZipScan', 'TarScan', 'GZScan']
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + archive)
    second_pass = ['JPEGCarver'] + archive + ['TypeScan', 'IndexScan']
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + second_pass)
def test01GmailScanner(self):
    """Run the webmail scanners (Gmail, Yahoo, SquirrelMail, Hotmail) over all inodes."""
    env = pyflagsh.environment(case=self.test_case)
    webmail = ["GmailScanner", "YahooMailScan",
               "SquirrelMailScan", "HotmailScanner"]
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + webmail)
def test02Hash(self):
    """Run MD5Scan and check a known digest is present in the hash table."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'MD5Scan'])

    ## The hex decode and %b placeholder suggest the column holds the raw
    ## 16-byte digest rather than its hex form.
    expected = "04D68B7C8993A3A485A5780EC1A8D62D".decode("hex")
    dbh = DB.DBO(self.test_case)
    dbh.execute("select binary_md5 from hash where binary_md5=%b", expected)
    self.assert_(dbh.fetch(), "Expected hash not found")
def test01CarveImage(self):
    """Run ScriptCarver and expect at least three rows typed as a script."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'ScriptCarver'])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from type where type like %r", "%script")
    scripts = dbh.fetch()
    self.assertNotEqual(scripts, None)
    self.assert_(scripts['c'] >= 3)
def test01RunScanner(self):
    """Run IECarver and expect at least 20 IE history rows."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IECarver'])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from ie_history")
    found = dbh.fetch()['c']
    print("Got %s rows" % found)
    self.assert_(found >= 20)
def test01TypeScan(self):
    """Run TypeScan and check the custom magic recognises an Outlook PST file."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])

    ## The failure message implies the Outlook type only comes from the
    ## extra magic file, so a zero count means it was not picked up.
    dbh = DB.DBO(self.test_case)
    dbh.execute('select count(*) as count from type where type like "%%Outlook%%"')
    outlook_files = dbh.fetch()['count']
    self.failIf(outlook_files == 0, "Unable to locate an Outlook PST file - maybe we are not using our custom magic file?")
def test01FTPScanner(self):
    """Run the FTP scanner over all inodes; result checks are still a FIXME."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", "FTPScanner"])
    ## What should we have found? FIXME -- a handle is opened but nothing
    ## is asserted yet.
    dbh = DB.DBO(self.test_case)
def setUp(self):
    """Recreate the test case from scratch and load its AFF4 volume."""
    env = pyflagsh.environment(case=self.test_case)
    ## Drop any leftover case of the same name, then create a fresh one.
    for cmd in ("delete_case", "create_case"):
        pyflagsh.shell_execv(command=cmd, env=env, argv=[self.test_case])
    if not self.test_case:
        return
    pyflagsh.shell_execv(command='execute', env=env,
                         argv=['Load Data.Load AFF4 Volume',
                               'case=%s' % self.test_case,
                               'filename=%s' % self.test_file])
def test04LocatingNTFS_ADS(self):
    """Run TypeScan and check an executable inside an NTFS ADS gets typed."""
    ## Do type scanning:
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])

    ## Inode 33-128-7 is presumably the ADS; its type row must say "executable".
    dbh = DB.DBO(self.test_case)
    dbh.execute('select type.type from type,inode where type.inode_id=inode.inode_id and type like "%executable%" and inode.inode like "%33-128-7%"')
    match = dbh.fetch()
    self.assert_(match, "Executable within ADS was not found???")
def test01TypeScan(self):
    """Run TypeScan, then export the Images report as an HTML thumbnail directory."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])
    columns = ["TypeCaseTable.Thumbnail", "TypeCaseTable.Type",
               "InodeTable.Size"]
    ## A 'filter=Type contains JPEG' argument was once passed here; it is
    ## deliberately left out.
    pyflagsh.shell_execv(env=env, command="export",
                         argv=["Images", "HTMLDirectoryRenderer"] + columns)
def test01SMTPScanner(self):
    """Run the POP scanner (plus RFC2822) and expect POP3 passwords to be parsed."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=["*", "POPScanner", "RFC2822"])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as total from passwords where type='POP3'")
    total = dbh.fetch()['total']
    self.failIf(total == 0, "Could not parse any POP3 passwords")
def test01HotmailScanner(self):
    """Run the Hotmail scanner and expect at least one webmail message."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=["*", "HotmailScanner"])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from webmail_messages")
    messages = dbh.fetch()['c']
    self.assert_(messages > 0, "No hotmail messages were found")
def test01HTTPScanner(self):
    """Run the HTTP scanner and expect at least one transfer in the http table."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=["*", "HTTPScanner"])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as total from http")
    total = dbh.fetch()['total']
    print("Number of HTTP transfers found %s" % total)
    self.failIf(total == 0, "Count not find any HTTP transfers?")
def test01RunScanner(self):
    """Run ZipScan, then IEIndex and GoogleImageScanner, and check the expected search URLs."""
    env = pyflagsh.environment(case=self.test_case)
    for scanners in (['ZipScan'], ['IEIndex', 'GoogleImageScanner']):
        pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from http_parameters where `key`='q' and value='anna netrebko'")
    self.assertEqual(dbh.fetch()['c'], 3, 'Unable to find all search URLs')
def test01DNS(self):
    """Run the DNS scanner and check the google lookups were recorded."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", "DNSScanner"])

    dbh = DB.DBO(self.test_case)
    ## The exact name must be present ...
    dbh.execute("select * from dns where name = 'www.google.com.'")
    self.assert_(dbh.fetch())
    ## ... and the number of google-ish names is fixed for this capture.
    dbh.execute("select count(*) as c from dns where name like '%google%'")
    self.assertEqual(dbh.fetch()['c'], 14)
def test_scanner(self):
    """Run VirScan (with Zip and Type scanning) and expect the NTRootKit hit."""
    dbh = DB.DBO(self.test_case)
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=["*", 'VirScan', 'ZipScan', 'TypeScan'])

    dbh.execute("select * from virus limit 1")
    hit = dbh.fetch()
    ## We expect to pick this rootkit:
    self.assert_(hit, "Unable to find any viruses")
    self.assert_("NTRootKit" in hit['virus'], "Unable to find Trojan.NTRootKit.044")
def test01YahooMailScanner(self):
    """Run both Yahoo Mail scanners, then flush the cache oracle and report timing."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=["*", "YahooMail20Scan", "YahooMailScan"])

    print("Closing volume")
    started = time.time()
    #CacheManager.AFF4_MANAGER.close(self.test_case)
    print("Closed in %s seconds " % (time.time() - started))
    print(CacheManager.oracle.flush())
def test_scanner(self):
    """Run Zip then MD5 scanning and check NSRL recognised the known product files."""
    dbh = DB.DBO(self.test_case)
    env = pyflagsh.environment(case=self.test_case)
    for scanner in ('ZipScan', 'MD5Scan'):
        pyflagsh.shell_execv(env=env, command="scan", argv=["*", scanner])

    ## The NSRL columns are only populated when the NSRL database is loaded.
    dbh.execute("select count(*) as c,NSRL_product, NSRL_filename from hash where NSRL_product like 'Guide to Hacking %%' group by NSRL_product")
    matched = dbh.fetch()['c']
    self.assertEqual(matched, 14, "Hashes not recognised. You might need to load the NSRL database")
def test01CarveImage(self):
    """Run JPEGCarver and check both images embedded in the Word document were carved."""
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'JPEGCarver'])

    ## See if we found the two images from within the word document:
    expected = ["Itest|K1289-0-0|o150712:85550",
                "Itest|K1289-0-0|o96317:141763"]
    dbh = DB.DBO(self.test_case)
    for inode in expected:
        dbh.execute("select inode from inode where inode=%r limit 1", inode)
        self.assertNotEqual(dbh.fetch(), None)
def test_type_scan(self):
    """Run the archive scanners and check zip and gzip members appear as inodes."""
    dbh = DB.DBO(self.test_case)
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan",
                         argv=["*", 'ZipScan', 'GZScan', 'TarScan', 'TypeScan'])

    ## The LIKE patterns suggest archive members are named by suffixing
    ## the parent inode with |Z (zip) or |G (gzip).
    checks = [
        ("select count(*) as count from inode where inode like '%%|Z%%'",
         "Could not find any zip files?"),
        ("select count(*) as count from inode where inode like '%%|G0'",
         "Could not find any gzip files?"),
    ]
    for query, message in checks:
        dbh.execute(query)
        self.failIf(dbh.fetch()['count'] == 0, message)
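def test01Scan(self):
    """Scan for MSN messages and check exactly ten MESSAGE sessions were recorded.

    Uses unittest's assertEqual rather than a bare ``assert`` so the check
    still runs under ``python -O`` and reports the actual count on
    failure, matching the other tests in this file. The AFF4 volume for
    the case is closed afterwards.
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", "MSNScanner"])

    ## What should we have found?
    dbh = DB.DBO(self.test_case)
    dbh.execute("""select count(*) as total from `msn_session` where type=\"MESSAGE\"""")
    row = dbh.fetch()
    self.assertEqual(row['total'], 10, "Expected 10 MSN MESSAGE rows")

    CacheManager.AFF4_MANAGER.close(self.test_case)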