def run(self, evidence, result): """Extracts artifacts using Plaso image_export.py. Args: evidence: evidence to be processed. result: A TurbiniaTaskResult object to place task results into. Returns: TurbiniaTaskResult object. """ config.LoadConfig() export_directory = os.path.join(self.output_dir, 'export') image_export_log = os.path.join(self.output_dir, '{0:s}.log'.format(self.id)) cmd = [ 'image_export.py', '--logfile', image_export_log, '-w', export_directory, '--partitions', 'all', '--artifact_filters', self.artifact_name, ] if config.DEBUG_TASKS: cmd.append('-d') # Path to the source image/directory. cmd.append(evidence.local_path) result.log('Running image_export as [{0:s}]'.format(' '.join(cmd))) ret, _ = self.execute(cmd, result, log_files=[image_export_log]) if ret: result.close( self, False, 'image_export.py failed for artifact {0:s}.'.format( self.artifact_name)) return result for dirpath, _, filenames in os.walk(export_directory): for filename in filenames: exported_artifact = ExportedFileArtifact( artifact_name=self.artifact_name) exported_artifact.local_path = os.path.join(dirpath, filename) result.log('Adding artifact {0:s}'.format(filename)) result.add_evidence(exported_artifact, evidence.config) result.close( self, True, 'Extracted {0:d} new {1:s} artifacts'.format( len(result.evidence), self.artifact_name)) return result
def run(self, evidence, result): """Extracts artifacts using Plaso image_export.py. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ config.LoadConfig() export_directory = os.path.join(self.output_dir, 'export') image_export_log = os.path.join( self.output_dir, '{0:s}.log'.format(self.id)) cmd = [ 'sudo', 'image_export.py', '--no-hashes', '--logfile', image_export_log, '-w', export_directory, '--partitions', 'all', '--volumes', 'all', '--unattended', '--artifact_filters', self.artifact_name, ] if config.DEBUG_TASKS or self.task_config.get('debug_tasks'): cmd.append('-d') if evidence.credentials: for credential_type, credential_data in evidence.credentials: cmd.extend([ '--credential', '{0:s}:{1:s}'.format( credential_type, credential_data) ]) # Path to the source image/directory. cmd.append(evidence.local_path) result.log('Running image_export as [{0:s}]'.format(' '.join(cmd))) ret, _ = self.execute(cmd, result, log_files=[image_export_log]) if ret: result.close( self, False, 'image_export.py failed for artifact {0:s}.'.format( self.artifact_name)) return result for dirpath, _, filenames in os.walk(export_directory): for filename in filenames: exported_artifact = ExportedFileArtifact( artifact_name=self.artifact_name, source_path=os.path.join( dirpath, filename)) result.log('Adding artifact {0:s}'.format(filename)) result.add_evidence(exported_artifact, evidence.config) result.close( self, True, 'Extracted {0:d} new {1:s} artifacts'.format( len(result.evidence), self.artifact_name)) return result
def run(self, evidence, result): """Extracts artifacts using Plaso image_export.py. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ config.LoadConfig() export_directory = os.path.join(self.output_dir, 'export') image_export_log = os.path.join(self.output_dir, '{0:s}.log'.format(self.id)) cmd = [ 'sudo', 'image_export.py', '--logfile', image_export_log, '-w', export_directory, '--partitions', 'all', '--artifact_filters', self.artifact_name, ] if config.DEBUG_TASKS or evidence.config.get('debug_tasks'): cmd.append('-d') # Path to the source image/directory. cmd.append(evidence.local_path) result.log('Running image_export as [{0:s}]'.format(' '.join(cmd))) ret, _ = self.execute(cmd, result, log_files=[image_export_log]) if ret: result.close( self, False, 'image_export.py failed for artifact {0:s}.'.format( self.artifact_name)) return result for dirpath, _, filenames in os.walk(export_directory): for filename in filenames: if filename == 'hashes.json' and dirpath == export_directory: # Ignore the hashes.json file created by image export. # TODO: remove this when # https://github.com/log2timeline/plaso/pull/3320 # is pushed. continue exported_artifact = ExportedFileArtifact( artifact_name=self.artifact_name, source_path=os.path.join(dirpath, filename)) result.log('Adding artifact {0:s}'.format(filename)) result.add_evidence(exported_artifact, evidence.config) result.close( self, True, 'Extracted {0:d} new {1:s} artifacts'.format( len(result.evidence), self.artifact_name)) return result