def test03MultipleSources(self):
    """ Test that multiple images can be loaded on the same VFS

    Attaches an EWF NTFS image as a second IO source, mounts it at
    /ntfsimage/ and then reads one file from each mount point, comparing
    each against its reference MD5 (a fixture checksum, not a security
    control).
    """
    common = ["case=%s" % self.test_case, "iosource=second_image"]
    pyflagsh.shell_execv(
        command="execute",
        argv=["Load Data.Load IO Data Source"] + common + [
            "subsys=EWF",
            "filename=ntfs_image.e01",
        ],
    )
    pyflagsh.shell_execv(
        command="execute",
        argv=["Load Data.Load Filesystem image"] + common + [
            "fstype=Sleuthkit",
            "mount_point=/ntfsimage/",
        ],
    )

    ## One file from the first source, one from the second:
    expected = [
        ("/stdimage/dscf1081.jpg", "11bec410aebe0c22c14f3eaaae306f46"),
        ("/ntfsimage/Books/80day11.txt", "f5b394b5d0ca8c9ce206353e71d1d1f2"),
    ]
    fsfd = DBFS(self.test_case)
    for path, digest in expected:
        fd = fsfd.open(path)
        self.assertEqual(hashlib.md5(fd.read()).hexdigest(), digest)
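def test02catTests(self):
    """ Test the cat command

    ``cat`` of one file must return exactly that file's bytes, and
    ``cat`` of a glob must return the three matching files concatenated
    in order.  The shell output is joined once instead of being grown
    with ``+=`` in a loop.
    """
    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])
    self.fsfd = FileSystem.DBFS(self.test_case)

    def read_file(path):
        ## Reference bytes straight from the VFS, bypassing the shell.
        return self.fsfd.open(path).read()

    def cat(pattern):
        ## Collect every chunk the shell streams back in one join.
        chunks = pyflagsh.shell_execv_iter(env=self.env, command="cat", argv=[pattern])
        return ''.join(chunks)

    data1 = read_file("/dscf1080.jpg")
    data2 = read_file("/dscf1081.jpg")
    data3 = read_file("/dscf1082.jpg")

    self.assertEqual(cat("/dscf1081.jpg"), data2)

    ## The glob form must yield 1080, 1081, 1082 back to back.
    result = cat("/dscf108*")
    self.assertEqual(len(result), len(data1) + len(data2) + len(data3))
    self.assert_(result == data1 + data2 + data3)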
def test01RunScanner(self):
    """ Test cache scanner

    Runs ZipScan in a first pass and the Mozilla cache and Google image
    scanners in a second pass, each over every inode ("*").
    """
    env = pyflagsh.environment(case=self.test_case)
    passes = (
        ['ZipScan'],
        ['MozCacheScan', 'GoogleImageScanner'],
    )
    for scanners in passes:
        ## argv is the inode glob followed by the scanner names.
        pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test02LoadFilesystem(self):
    """ Test that basic filesystems load

    Registers the standard dd image as an IO source, mounts it with
    Sleuthkit at /stdimage/ and checks the inode table holds exactly
    90 rows.
    """
    case_arg = "case=%s" % self.test_case
    io_source = [
        "Load Data.Load IO Data Source",
        case_arg,
        "iosource=first_image",
        "subsys=Standard",
        "filename=pyflag_stdimage_0.4.dd",
        "offset=16128s",
    ]
    filesystem = [
        "Load Data.Load Filesystem image",
        case_arg,
        "iosource=first_image",
        "fstype=Sleuthkit",
        "mount_point=/stdimage/",
    ]
    for argv in (io_source, filesystem):
        pyflagsh.shell_execv(command="execute", argv=argv)

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as count from inode")
    self.assertEqual(dbh.fetch()["count"], 90)
def test03MultipleSources(self):
    """ Test that multiple images can be loaded on the same VFS

    Attaches an EWF NTFS image as a second IO source, mounts it at
    /ntfsimage/ and reads one file from each mount point, checking each
    against its reference MD5 (a fixture checksum, not a security
    control).
    """
    common = ['case=%s' % self.test_case, "iosource=second_image"]
    pyflagsh.shell_execv(command="execute",
                         argv=["Load Data.Load IO Data Source"] + common + [
                             "subsys=EWF",
                             "filename=ntfs_image.e01",
                         ])
    pyflagsh.shell_execv(command="execute",
                         argv=["Load Data.Load Filesystem image"] + common + [
                             "fstype=Sleuthkit",
                             "mount_point=/ntfsimage/",
                         ])

    ## One file from the first source, one from the second:
    expected = [
        ("/stdimage/dscf1081.jpg", '11bec410aebe0c22c14f3eaaae306f46'),
        ("/ntfsimage/Books/80day11.txt", 'f5b394b5d0ca8c9ce206353e71d1d1f2'),
    ]
    fsfd = DBFS(self.test_case)
    for path, digest in expected:
        fd = fsfd.open(path)
        self.assertEqual(hashlib.md5(fd.read()).hexdigest(), digest)
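def test02catTests(self):
    """ Test the cat command

    ``cat`` of one file must return exactly that file's bytes, and
    ``cat`` of a glob must return the three matching files concatenated
    in order.  Shell output is joined once rather than grown with
    ``+=`` in a loop.
    """
    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])
    self.fsfd = FileSystem.DBFS(self.test_case)

    def read_file(path):
        ## Reference bytes straight from the VFS, bypassing the shell.
        return self.fsfd.open(path).read()

    def cat(pattern):
        ## Collect every chunk the shell streams back in one join.
        chunks = pyflagsh.shell_execv_iter(env=self.env, command="cat", argv=[pattern])
        return ''.join(chunks)

    data1 = read_file("/dscf1080.jpg")
    data2 = read_file("/dscf1081.jpg")
    data3 = read_file("/dscf1082.jpg")

    self.assertEqual(cat("/dscf1081.jpg"), data2)

    ## The glob form must yield 1080, 1081, 1082 back to back.
    result = cat("/dscf108*")
    self.assertEqual(len(result), len(data1) + len(data2) + len(data3))
    self.assert_(result == data1 + data2 + data3)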
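def test03cpTests(self):
    """ Test the cp (copy) command

    Copies the dscf108* files into a private temporary directory and
    checks one of them against its reference MD5.  The directory is
    removed again even when an assertion fails.
    """
    import hashlib
    import shutil
    import tempfile

    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])

    ## mkdtemp creates the directory atomically and privately, whereas
    ## os.tmpnam() only returns a name: between the name being chosen
    ## and mkdir another process could create (or symlink) that path.
    tmpname = tempfile.mkdtemp()
    try:
        pyflagsh.shell_execv(env=self.env, command="cp", argv=["/dscf108*", tmpname])

        ## Now verify the copy worked (binary mode so the digest does not
        ## depend on newline translation):
        fd = open(os.path.join(tmpname, "dscf1080.jpg"), 'rb')
        try:
            data = fd.read()
        finally:
            fd.close()
        self.assertEqual(hashlib.md5(data).hexdigest(), '9e03e022404a945575b813ffb56fd841')
    finally:
        ## Clean up, including anything unexpected that cp left behind:
        shutil.rmtree(tmpname, ignore_errors=True)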
def test01LoadRaid(self):
    """ Test the RAID IO Source loader

    Assembles three EWF-acquired member images of a linux raid5 set
    through the "RAID5 (1 Parity)" IO source and mounts the result at /.
    """
    ## This image was made by the linux raid5 implementation.
    ## Just to make things a bit more complicated, each image of
    ## each individual disk was acquired using ewfacquire into an
    ## EWF file. We use the io://EWF/filename=/raid/linux/d1.E01
    ## URL notation as the image filename in order to use the EWF
    ## IO Source driver to read the file.
    case_arg = 'case=%s' % self.test_case
    members = ["filename=io://EWF/filename=/raid/linux/d%d.E01" % n for n in (1, 2, 3)]
    io_source = [
        "Load Data.Load IO Data Source",
        case_arg,
        "iosource=test",
        "subsys=RAID5 (1 Parity)",
    ] + members + [
        "offset=0",
        "map=1.0.P.P.3.2.4.P.5",
        "period=3",
        "blocksize=64k",
        "TZ=%s" % self.TZ,
    ]
    filesystem = [
        "Load Data.Load Filesystem image",
        case_arg,
        "iosource=test",
        "fstype=Sleuthkit",
        "mount_point=/",
    ]
    for argv in (io_source, filesystem):
        pyflagsh.shell_execv(command="execute", argv=argv)
def test01ls(self):
    """ Test the ls command

    Checks the default listing, a sub-directory listing, and glob
    matching against both files and directories.
    """
    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])

    def ls(*args):
        ## Materialise the lines the shell streams back.
        return list(pyflagsh.shell_execv_iter(env=self.env, command="ls", argv=list(args)))

    ## Check we can list default directory
    self.assertEqual(len(ls()), 18)
    ## Check we can list directories
    self.assert_(len(ls("docs")) >= 3)
    ## Check that we can glob files:
    self.assertEqual(len(ls("*.jpg")), 5)
    ## Check that we can glob directories:
    self.assert_(len(ls("do*")) > 3)
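def test03cpTests(self):
    """ Test the cp (copy) command

    Copies the dscf108* files into a private temporary directory and
    checks one of them against its reference MD5.  The directory is
    removed again even when an assertion fails.
    """
    import hashlib
    import shutil
    import tempfile

    self.env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=self.env, command="load", argv=[self.test_case, ])

    ## mkdtemp creates the directory atomically and privately, whereas
    ## os.tmpnam() only returns a name: between the name being chosen
    ## and mkdir another process could create (or symlink) that path.
    tmpname = tempfile.mkdtemp()
    try:
        pyflagsh.shell_execv(env=self.env, command="cp", argv=["/dscf108*", tmpname])

        ## Now verify the copy worked (binary mode so the digest does not
        ## depend on newline translation):
        fd = open(os.path.join(tmpname, "dscf1080.jpg"), 'rb')
        try:
            data = fd.read()
        finally:
            fd.close()
        self.assertEqual(hashlib.md5(data).hexdigest(), '9e03e022404a945575b813ffb56fd841')
    finally:
        ## Clean up, including anything unexpected that cp left behind:
        shutil.rmtree(tmpname, ignore_errors=True)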
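def test01RunScanners(self):
    """ Running Logical Index Scanner

    Seeds the dictionary with the word 'secret', runs IndexScan over
    every inode, then re-reads each recorded hit from its inode and
    checks the bytes really are the word.  Exactly two hits are
    expected.
    """
    ## Make sure the word secret is in there.
    pdbh = DB.DBO()
    pdbh.execute("select * from dictionary where word='secret' limit 1")
    if not pdbh.fetch():
        pdbh.insert('dictionary', **{'word': 'secret', 'class': 'English', 'type': 'word'})

    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IndexScan'])

    dbh = DB.DBO(self.test_case)
    fsfd = DBFS(self.test_case)
    ## The dictionary lives in the FLAGDB database, hence the qualified
    ## join; the database name looks like it is substituted by DBO.
    dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB, config.FLAGDB))

    count = 0
    for hit in dbh:
        count += 1
        path, inode, inode_id = fsfd.lookup(inode_id=hit['inode_id'])
        fd = fsfd.open(inode=inode)
        ## overread/slack let the read extend past the logical end of
        ## the file, as in the original - presumably because the index
        ## also covers slack space.
        fd.overread = True
        fd.slack = True
        fd.seek(hit['offset'])
        data = fd.read(hit['length'])
        ## Single-argument print() is valid on Python 2 as well.
        print("Looking for %s: Found in %s at offset %s length %s %r" % (
            hit['word'], inode, hit['offset'], hit['length'], data))
        self.assertEqual(data.lower(), hit['word'].lower())

    ## Did we find all the secrets?
    self.assertEqual(count, 2)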
def test01LoadRaid(self):
    """ Test the RAID IO Source loader

    Assembles three EWF-acquired member images of a linux raid5 set
    through the "RAID5 (1 Parity)" IO source and mounts the result at /.
    """
    ## This image was made by the linux raid5 implementation.
    ## Just to make things a bit more complicated, each image of
    ## each individual disk was acquired using ewfacquire into an
    ## EWF file. We use the io://EWF/filename=/raid/linux/d1.E01
    ## URL notation as the image filename in order to use the EWF
    ## IO Source driver to read the file.
    case_arg = 'case=%s' % self.test_case
    members = ["filename=io://EWF/filename=/raid/linux/d%d.E01" % n for n in (1, 2, 3)]
    io_source = [
        "Load Data.Load IO Data Source",
        case_arg,
        "iosource=test",
        "subsys=RAID5 (1 Parity)",
    ] + members + [
        "offset=0",
        "map=1.0.P.P.3.2.4.P.5",
        "period=3",
        "blocksize=64k",
        "TZ=%s" % self.TZ,
    ]
    filesystem = [
        "Load Data.Load Filesystem image",
        case_arg,
        "iosource=test",
        "fstype=Sleuthkit",
        "mount_point=/",
    ]
    for argv in (io_source, filesystem):
        pyflagsh.shell_execv(command="execute", argv=argv)
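def test01RunScanner(self):
    """ Running scanners

    Loads the case-sensitive (literal) and regex keyword fixtures into
    the dictionary under the DFTT class, then runs IndexScan over every
    inode.
    """
    dbh = DB.DBO()

    def load_keywords(rows, word_type):
        ## Both fixture lists are loaded the same way; only the
        ## dictionary 'type' differs.  Ids are offset by 1000 (presumably
        ## to keep clear of pre-existing dictionary rows) and any old row
        ## with that id is removed first so the insert cannot collide.
        ## The id comes from the fixture, not from user input, so the %r
        ## interpolation into the WHERE clause is acceptable here.
        for row in rows:
            row_id = row[0] + 1000
            word = row[1]
            dbh.delete('dictionary', 'id=%r' % row_id, _fast=True)
            dbh.insert('dictionary', _fast=True, **{
                'id': row_id,
                'class': "DFTT",
                'type': word_type,
                'word': word,
            })

    ## Populate the key words into the dictionary:
    load_keywords(self.case_sensitive_keywords, 'literal')
    load_keywords(self.regex_keywords, 'regex')

    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IndexScan'])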
def test01IRCScanner(self):
    """ Test IRC Scanner

    Runs IRCScanner over every inode in the case.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["IRCScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01RunScanner(self):
    """ Running scanners

    First pass runs the archive scanners alone; the second pass runs the
    JPEG carver, the archive scanners again, and the type and index
    scanners, all over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    archive_scanners = ['ZipScan', 'TarScan', 'GZScan']
    passes = (
        archive_scanners,
        ['JPEGCarver'] + archive_scanners + ['TypeScan', 'IndexScan'],
    )
    for scanners in passes:
        pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01SMTPScanner(self):
    """ Test SMTP Scanner

    Runs the SMTP, RFC2822 and type scanners over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["SMTPScanner", "RFC2822", "TypeScan"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01(self):
    """ Test Reassembler

    Runs the NetworkScanners group over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["NetworkScanners"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01YahooMailScanner(self):
    """ Test Scanner

    Runs YahooMail20Scan over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["YahooMail20Scan"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01GmailScanner(self):
    """ Test Google Image Scanner

    Despite the method name, the only scanner run here is
    GoogleImageScanner, over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["GoogleImageScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01GmailScanner(self):
    """ Test Gmail Scanner

    Runs the Gmail, Yahoo, SquirrelMail and Hotmail scanners over every
    inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["GmailScanner", "YahooMailScan", "SquirrelMailScan", "HotmailScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test00preLoadCase(self):
    """ Reset case

    Removes any existing case of this name and creates it afresh so the
    later tests start from an empty case.
    """
    import pyflag.pyflagsh as pyflagsh
    steps = (
        ("Case Management.Remove case", 'remove_case=%s' % self.test_case),
        ("Case Management.Create new case", 'create_case=%s' % self.test_case),
    )
    for report, argument in steps:
        pyflagsh.shell_execv(command="execute", argv=[report, argument])
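def test02Hash(self):
    """ Test the hashes of loaded files

    Runs MD5Scan over every inode and checks that a known digest was
    recorded in the hash table.
    """
    import binascii

    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'MD5Scan'])

    ## binary_md5 is compared against the raw 16-byte digest.  unhexlify
    ## gives the same bytes as the Python-2-only str.decode("hex") and
    ## also works on Python 3.  %b looks like DBO's binary placeholder.
    expected = binascii.unhexlify("04D68B7C8993A3A485A5780EC1A8D62D")
    dbh = DB.DBO(self.test_case)
    dbh.execute("select binary_md5 from hash where binary_md5=%b", expected)
    self.assert_(dbh.fetch(), "Expected hash not found")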
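def test02Hash(self):
    """ Test the hashes of loaded files

    Runs MD5Scan over every inode and checks that a known digest was
    recorded in the hash table.
    """
    import binascii

    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'MD5Scan'])

    ## binary_md5 is compared against the raw 16-byte digest.  unhexlify
    ## gives the same bytes as the Python-2-only str.decode("hex") and
    ## also works on Python 3.  %b looks like DBO's binary placeholder.
    expected = binascii.unhexlify("04D68B7C8993A3A485A5780EC1A8D62D")
    dbh = DB.DBO(self.test_case)
    dbh.execute("select binary_md5 from hash where binary_md5=%b", expected)
    self.assert_(dbh.fetch(), "Expected hash not found")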
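def test01RunScanner(self):
    """ Test IE History scanner

    Runs IECarver over every inode and expects at least 20 rows in the
    ie_history table.
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IECarver'])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from ie_history")
    rows = dbh.fetch()['c']
    ## Single-argument print() is valid on Python 2 as well.
    print("Got %s rows" % rows)
    self.assert_(rows >= 20, "Expected at least 20 IE history rows, got %s" % rows)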
def test00preLoadCase(self):
    """ Load Memory image

    Mounts the "test" IO source as a Linux Memory filesystem at
    self.mount_point using the 2.6.18-8.1.15.el5 profile and System.map.
    The base-class case reset is deliberately left commented out below.
    """
    #pyflag.tests.ScannerTest.test00preLoadCase(self)
    argv = [
        "Load Data.Load Filesystem image",
        'case=%s' % self.test_case,
        "iosource=test",
        "fstype=Linux Memory",
        "profile=2_6_18-8_1_15_el5",
        "map=System.map-2.6.18-8.1.15.el5.map",
        "mount_point=%s" % self.mount_point,
    ]
    pyflagsh.shell_execv(command="execute", argv=argv)
def test01(self):
    """ Test Reassembler

    Runs the NetworkScanners group over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["NetworkScanners"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01CarveImage(self):
    """ Carving from Image

    Runs ScriptCarver over every inode and expects at least three inodes
    whose type ends in "script".
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'ScriptCarver'])

    dbh = DB.DBO(self.test_case)
    ## The LIKE pattern is handed to DBO as a parameter rather than
    ## formatted into the SQL text here.
    dbh.execute("select count(*) as c from type where type like %r", "%script")
    row = dbh.fetch()
    self.assert_(row is not None)
    self.assert_(row['c'] >= 3)
def test01FTPScanner(self):
    """ Test basic FTP scanning

    Runs FTPScanner over every inode.  No result is verified yet (see
    the FIXME below); the database handle is opened but unused.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["FTPScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    ## What should we have found? FIXME
    dbh = DB.DBO(self.test_case)
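def test01RunScanner(self):
    """ Test IE History scanner

    Runs IECarver over every inode and expects at least 20 rows in the
    ie_history table.
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IECarver'])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from ie_history")
    rows = dbh.fetch()['c']
    ## Single-argument print() is valid on Python 2 as well.
    print("Got %s rows" % rows)
    self.assert_(rows >= 20, "Expected at least 20 IE history rows, got %s" % rows)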
def test01TypeScan(self):
    """ Check the type scanner works

    Runs TypeScan over every inode and requires at least one inode to be
    typed as Outlook, which depends on the custom magic file being used.
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])

    ## Make sure the extra magic is being used properly.
    dbh = DB.DBO(self.test_case)
    dbh.execute('select count(*) as count from type where type like "%%Outlook%%"')
    outlook_hits = dbh.fetch()['count']
    self.failIf(outlook_hits == 0, "Unable to locate an Outlook PST file - maybe we are not using our custom magic file?")
def test04LocatingNTFS_ADS(self):
    """ Test for finding ADS files

    Runs TypeScan and checks that the inode carrying the alternate data
    stream (inode like "%33-128-7%") was typed as an executable.
    """
    ## Do type scanning:
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])

    query = 'select type.type from type,inode where type.inode_id=inode.inode_id and type like "%executable%" and inode.inode like "%33-128-7%"'
    dbh = DB.DBO(self.test_case)
    dbh.execute(query)
    match = dbh.fetch()
    self.assert_(match, "Executable within ADS was not found???")
def test00preLoadCase(self):
    """ Load Memory image

    Mounts the "test" IO source as a Linux Memory filesystem at
    self.mount_point using the 2.6.18-8.1.15.el5 profile and System.map.
    The base-class case reset is deliberately left commented out below.
    """
    #pyflag.tests.ScannerTest.test00preLoadCase(self)
    argv = [
        "Load Data.Load Filesystem image",
        'case=%s' % self.test_case,
        "iosource=test",
        "fstype=Linux Memory",
        "profile=2_6_18-8_1_15_el5",
        "map=System.map-2.6.18-8.1.15.el5.map",
        "mount_point=%s" % self.mount_point,
    ]
    pyflagsh.shell_execv(command="execute", argv=argv)
def test01SMTPScanner(self):
    """ Test SMTP Scanner

    Runs the SMTP, RFC2822 and type scanners over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["SMTPScanner", "RFC2822", "TypeScan"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
def test01TypeScan(self):
    """ Check the type scanner works

    Runs TypeScan over every inode, then exports the Images report via
    the HTML directory renderer with the thumbnail, type and size
    columns.
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])

    columns = [
        "TypeCaseTable.Thumbnail",
        "TypeCaseTable.Type",
        "InodeTable.Size",
        #'filter=Type contains JPEG',
    ]
    pyflagsh.shell_execv(env=env, command="export",
                         argv=["Images", "HTMLDirectoryRenderer"] + columns)
def test01HotmailScanner(self):
    """ Test Hotmail Scanner

    Runs HotmailScanner over every inode and requires at least one row in
    webmail_messages.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["HotmailScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from webmail_messages")
    messages = dbh.fetch()['c']
    self.assert_(messages > 0, "No hotmail messages were found")
def test01RunScanner(self):
    """ Running scanners

    First pass runs the archive scanners alone; the second pass runs the
    JPEG carver, the archive scanners again, and the type and index
    scanners, all over every inode.
    """
    env = pyflagsh.environment(case=self.test_case)
    archive_scanners = ['ZipScan', 'TarScan', 'GZScan']
    passes = (
        archive_scanners,
        ['JPEGCarver'] + archive_scanners + ['TypeScan', 'IndexScan'],
    )
    for scanners in passes:
        pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)
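def test01HTTPScanner(self):
    """ Test HTTP Scanner

    Runs HTTPScanner over every inode and requires at least one row in
    the http table.
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", "HTTPScanner"])

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as total from http")
    total = dbh.fetch()['total']
    ## Single-argument print() is valid on Python 2 as well.
    print("Number of HTTP transfers found %s" % total)
    ## Failure message typo fixed ("Count not find" -> "Could not find").
    self.failIf(total == 0, "Could not find any HTTP transfers?")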
def test01FTPScanner(self):
    """ Test basic FTP scanning

    Runs FTPScanner over every inode.  No result is verified yet (see
    the FIXME below); the database handle is opened but unused.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["FTPScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    ## What should we have found? FIXME
    dbh = DB.DBO(self.test_case)
def test01RunScanner(self):
    """ Test IE History scanner

    Expands zip archives in a first pass, then runs the IE index and
    Google image scanners and expects exactly three recorded searches
    for 'anna netrebko'.
    """
    env = pyflagsh.environment(case=self.test_case)
    for scanners in (['ZipScan'], ['IEIndex', 'GoogleImageScanner']):
        pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from http_parameters where `key`='q' and value='anna netrebko'")
    hits = dbh.fetch()['c']
    self.assertEqual(hits, 3, 'Unable to find all search URLs')
def test01SMTPScanner(self):
    """ Test POP Scanner

    Although the method is named after SMTP, it runs POPScanner and
    RFC2822 over every inode and requires at least one POP3 password to
    have been recovered into the passwords table.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["POPScanner", "RFC2822"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as total from passwords where type='POP3'")
    total = dbh.fetch()['total']
    self.failIf(total == 0, "Could not parse any POP3 passwords")
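def create_output_file():
    """ Open (or create) the pcap output file and register it as an IO source.

    Sets the module globals ``output_fd`` and ``output_file``.  When
    ``output_file`` is "-" nothing is opened and ``output_fd`` is None.
    Otherwise the file under config.UPLOADDIR is opened for append, a
    pcap global header is written if the file is empty, and an exclusive
    non-blocking lock is taken so that only one writer owns it; if the
    lock is already held the process exits with status 1.
    """
    global output_fd, output_file
    print("Will read from %s and write to %s. Will use these scanners: %s" % (directory, output_file, scanners))

    ## NOTE(review): output_file is appended to UPLOADDIR by plain string
    ## concatenation, so a value containing "../" or an absolute path
    ## would name a file outside the upload directory - confirm the
    ## caller validates it before it reaches here.
    filename = config.UPLOADDIR + "/" + output_file

    if output_file != "-":
        ## A single append-mode open both creates a missing file and keeps
        ## an existing one, which removes the stat()-then-open() race of
        ## the previous version; emptiness is decided from the opened
        ## file itself rather than from a separate existence check.
        output_fd = open(filename, "ab")
        output_fd.seek(0, os.SEEK_END)
        if output_fd.tell() == 0:
            ## This is a hardcoded header for the output file: a pcap
            ## global header (little-endian magic, version 2.4, zero
            ## timezone/sigfigs, snaplen 65535, link type 1 = Ethernet).
            header = "\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00"
            output_fd.write(header)
            output_fd.flush()

        ## There can be only one: the lock now also covers a freshly
        ## created file, not just a re-opened one.
        try:
            fcntl.flock(output_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except IOError, e:
            print("Highlander Error: %s" % e)
            sys.exit(1)
    else:
        output_fd = None

    ## Make a new IO source for the output:
    try:
        pyflagsh.shell_execv(
            command="execute",
            argv=[
                "Load Data.Load IO Data Source",
                "case=%s" % config.case,
                "iosource=%s" % config.iosource,
                "subsys=Standard",
                "filename=%s" % (output_file),
                "offset=0",
            ],
        )
    except Reports.ReportError:
        FlagFramework.print_bt_string()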
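def test01YahooMailScanner(self):
    """ Test Scanner

    Runs both Yahoo mail scanners over every inode, then flushes the
    cache oracle and prints its result.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["YahooMail20Scan", "YahooMailScan"]
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    ## Single-argument print() is valid on Python 2 as well.
    print("Closing volume")
    t = time.time()
    ## The close itself is currently disabled, so the elapsed time
    ## reported below covers only the two print calls around it.
    #CacheManager.AFF4_MANAGER.close(self.test_case)
    print("Closed in %s seconds " % (time.time() - t))
    print(CacheManager.oracle.flush())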
def test01LoadingFD(self):
    """ Try to load a filesystem using the Remote source

    Recreates the case, attaches self.test_file through the Remote IO
    source as "test", and mounts it at / with self.fstype.
    """
    case_arg = 'case=%s' % self.test_case
    steps = (
        ["Case Management.Remove case", 'remove_case=%s' % self.test_case],
        ["Case Management.Create new case", 'create_case=%s' % self.test_case],
        ["Load Data.Load IO Data Source", case_arg, "iosource=test",
         "subsys=Remote", "filename=%s" % (self.test_file), ],
        ["Load Data.Load Filesystem image", case_arg, "iosource=test",
         "fstype=%s" % self.fstype, "mount_point=/"],
    )
    for argv in steps:
        pyflagsh.shell_execv(command="execute", argv=argv)
def test_scanner(self):
    """ Check the hash scanner works

    Runs ZipScan and then MD5Scan over every inode and expects 14 hashes
    to have been matched to the NSRL "Guide to Hacking" product.
    """
    dbh = DB.DBO(self.test_case)
    env = pyflagsh.environment(case=self.test_case)
    for scanner in ('ZipScan', 'MD5Scan'):
        pyflagsh.shell_execv(env=env, command="scan", argv=["*", scanner])

    ## The doubled %% presumably survives DBO's own %-formatting as a
    ## literal percent for the LIKE pattern.
    dbh.execute("select count(*) as c,NSRL_product, NSRL_filename from hash where NSRL_product like 'Guide to Hacking %%' group by NSRL_product")
    row = dbh.fetch()
    self.assertEqual(row['c'], 14, "Hashes not recognised. You might need to load the NSRL database")
def test01DNS(self):
    "Test DNS handling"
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["DNSScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    dbh = DB.DBO(self.test_case)
    ## One specific name must be present ...
    dbh.execute("select * from dns where name = 'www.google.com.'")
    self.assert_(dbh.fetch())
    ## ... and the google-related rows must number exactly 14.
    dbh.execute("select count(*) as c from dns where name like '%google%'")
    google_rows = dbh.fetch()['c']
    self.assertEqual(google_rows, 14)
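def create_output_file():
    """ Open (or create) the pcap output file and register it as an IO source.

    Sets the module globals ``output_fd`` and ``output_file``.  When
    ``output_file`` is '-' nothing is opened and ``output_fd`` is None.
    Otherwise the file under config.UPLOADDIR is opened for append, a
    pcap global header is written if the file is empty, and an exclusive
    non-blocking lock is taken so that only one writer owns it; if the
    lock is already held the process exits with status 1.
    """
    global output_fd, output_file
    print("Will read from %s and write to %s. Will use these scanners: %s" % (
        directory, output_file, scanners))

    ## NOTE(review): output_file is appended to UPLOADDIR by plain string
    ## concatenation, so a value containing '../' or an absolute path
    ## would name a file outside the upload directory - confirm the
    ## caller validates it before it reaches here.
    filename = config.UPLOADDIR + '/' + output_file

    if output_file != '-':
        ## A single append-mode open both creates a missing file and keeps
        ## an existing one, which removes the stat()-then-open() race of
        ## the previous version; emptiness is decided from the opened
        ## file itself rather than from a separate existence check.
        output_fd = open(filename, 'ab')
        output_fd.seek(0, os.SEEK_END)
        if output_fd.tell() == 0:
            ## This is a hardcoded header for the output file: a pcap
            ## global header (little-endian magic, version 2.4, zero
            ## timezone/sigfigs, snaplen 65535, link type 1 = Ethernet).
            header = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00'
            output_fd.write(header)
            output_fd.flush()

        ## There can be only one: the lock now also covers a freshly
        ## created file, not just a re-opened one.
        try:
            fcntl.flock(output_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except IOError, e:
            print("Highlander Error: %s" % e)
            sys.exit(1)
    else:
        output_fd = None

    ## Make a new IO source for the output:
    try:
        pyflagsh.shell_execv(command="execute", argv=[
            "Load Data.Load IO Data Source",
            'case=%s' % config.case,
            "iosource=%s" % config.iosource,
            "subsys=Standard",
            "filename=%s" % (output_file),
            "offset=0",
        ])
    except Reports.ReportError:
        FlagFramework.print_bt_string()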
def test_type_scan(self):
    """ Check the Zip scanner works

    Runs the archive and type scanners over every inode, then requires
    at least one zip-derived ("|Z") and one gzip-derived ("|G0") inode.
    """
    dbh = DB.DBO(self.test_case)
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'ZipScan', 'GZScan', 'TarScan', 'TypeScan'])

    checks = (
        ("select count(*) as count from inode where inode like '%%|Z%%'", "Could not find any zip files?"),
        ("select count(*) as count from inode where inode like '%%|G0'", "Could not find any gzip files?"),
    )
    for query, message in checks:
        dbh.execute(query)
        found = dbh.fetch()['count']
        self.failIf(found == 0, message)
def test01HotmailScanner(self):
    """ Test Hotmail Scanner

    Runs HotmailScanner over every inode and requires at least one row in
    webmail_messages.
    """
    env = pyflagsh.environment(case=self.test_case)
    scanners = ["HotmailScanner"]
    ## argv is the inode glob ("*" = all) followed by the scanner list.
    pyflagsh.shell_execv(env=env, command="scan", argv=["*"] + scanners)

    dbh = DB.DBO(self.test_case)
    dbh.execute("select count(*) as c from webmail_messages")
    messages = dbh.fetch()['c']
    self.assert_(messages > 0, "No hotmail messages were found")
def test00Cleanup(self):
    """ Remove test log tables

    Recreates the case, then drops the log presets and tables this suite
    uses so that state from an earlier run cannot leak into this one.
    """
    ## Remove any existing case of this name, then create it afresh:
    for command in ("delete_case", "create_case"):
        pyflagsh.shell_execv(command=command, argv=[self.test_case])

    ## clear any existing presets of the same name:
    for preset in (self.log_preset, self.log_preset_two):
        drop_preset(preset)

    ## Clear any existing tables of the same name
    for table in (self.test_table, self.test_table_two):
        drop_table(self.test_case, table)
def test00preLoadCase(self):
    """ Reset case

    Removes any existing case of this name and creates it afresh so the
    later tests start from an empty case.
    """
    import pyflag.pyflagsh as pyflagsh
    steps = (
        ("Case Management.Remove case", 'remove_case=%s' % self.test_case),
        ("Case Management.Create new case", 'create_case=%s' % self.test_case),
    )
    for report, argument in steps:
        pyflagsh.shell_execv(command="execute", argv=[report, argument])
def test01CarveImage(self):
    """ Carving from Image

    Runs JPEGCarver over every inode and checks that the two images
    embedded in the word document were carved out as the expected
    inodes.
    """
    env = pyflagsh.environment(case=self.test_case)
    pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'JPEGCarver'])

    ## See if we found the two images from within the word
    ## document:
    expected = [
        "Itest|K1289-0-0|o150712:85550",
        "Itest|K1289-0-0|o96317:141763",
    ]
    dbh = DB.DBO(self.test_case)
    for inode in expected:
        dbh.execute("select inode from inode where inode=%r limit 1", inode)
        found = dbh.fetch()
        self.assert_(found is not None)
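def test01CaseCreation(self):
    """ Test that basic tables have been added to new cases

    Recreates the case from scratch and checks that every table in the
    required list exists, naming the missing table on failure.
    """
    steps = (
        ("Case Management.Remove case", 'remove_case=%s' % self.test_case),
        ("Case Management.Create new case", 'create_case=%s' % self.test_case),
    )
    for report, argument in steps:
        pyflagsh.shell_execv(command="execute", argv=[report, argument])

    dbh = DB.DBO(self.test_case)
    dbh.execute("show tables")
    ## Each row is a single-column mapping; take its only value without
    ## indexing .values(), which is not a list on Python 3.
    tables = set(next(iter(row.values())) for row in dbh)

    ## At a minimum these tables must exist:
    required = ['annotate', 'block', 'file', 'filesystems', 'inode', 'meta', 'resident', 'sql_cache', 'xattr']
    for table in required:
        self.assert_(table in tables, "Required table %r missing from new case" % table)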