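def getFileHaveBeenOpen():
    """Extract the "recently opened files" evidence for every user.

    Copies the per-user hives gathered under ``tmpFolder/reg/userReg`` into
    ``tmpFolder/FileHaveBeenOpen`` (both beneath ``outputDir`` and created by
    ``start.preEnv()``), runs ``rip.pl`` (RegRipper) with the ``userassist``
    plugin on every ``NTUSER.DAT`` and writes two reports next to the hive:

    * ``<hive>Full.txt`` - the raw plugin output;
    * ``<hive>.txt``     - only the lines that mention one of the extensions
      listed in the module-level ``commonExtension`` (a ``-``-separated
      string), compared case-insensitively.

    The user-folder and hive names originate from the disk image under
    analysis and are therefore untrusted: they are enumerated with
    ``os.listdir`` instead of parsing ``ls`` output, and are shell-quoted
    before being interpolated into the ``rip.pl`` command line.

    Changes from the previous version: no more command injection through
    image-derived names, report files are closed via ``with``, a line that
    matches several extensions is written once instead of once per match,
    and a missing ``Full.txt`` (rip.pl failed) is skipped instead of raising.
    """
    import os
    try:
        from shlex import quote as _quote  # Python 3
    except ImportError:
        from pipes import quote as _quote  # Python 2

    srcRoot = outputDir + "tmpFolder/reg/userReg"
    dstRoot = outputDir + "tmpFolder/FileHaveBeenOpen"
    api.copyFile(srcRoot, dstRoot)

    userRegRoot = dstRoot + "/userReg"
    if not os.path.isdir(userRegRoot):
        return

    # Extensions of interest, lower-cased once for the case-insensitive match.
    wantedExt = [ext.lower() for ext in commonExtension.split("-")]

    for userFolder in os.listdir(userRegRoot):
        tmpPath = userRegRoot + "/" + userFolder + "/"
        if not os.path.isdir(tmpPath):
            continue
        for regName in os.listdir(tmpPath):
            lowered = regName.lower()
            # Only the NTUSER.DAT hives; skip the .txt reports this loop produces.
            if "ntus" not in lowered or "txt" in lowered:
                continue

            hivePath = tmpPath + regName
            fullReport = tmpPath + regName.replace(".DAT", "Full.txt").replace(".dat", "Full.txt")
            filtered = tmpPath + regName.replace(".DAT", ".txt").replace(".dat", ".txt")

            # rip.pl needs a shell for the output redirection, so every
            # image-derived path is quoted to prevent command injection.
            api.retCmd("rip.pl -r " + _quote(hivePath) + " -p userassist > " + _quote(fullReport))
            if not os.path.isfile(fullReport):
                continue

            with open(fullReport, "r") as src, open(filtered, "w") as dst:
                for line in src:
                    lowLine = line.lower()
                    if any(ext in lowLine for ext in wantedExt):
                        dst.write(line.strip() + "\n")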
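def copyChosenFile():
    """Copy the files listed in ``FileNeedCopy.txt`` out of the image.

    ``FileNeedCopy.txt`` is read from the current working directory; each
    non-empty line is a path relative to ``inputPath``.  Entry *i* is copied
    into ``tmpFolder/fileCopyOption/<i>/`` beneath ``outputDir`` (the parent
    directory is created by ``start.preEnv()``).

    NOTE(review): entries are concatenated to ``inputPath`` as-is, so a line
    such as ``../../etc/shadow`` or an absolute path reaches outside the
    mounted image.  ``api.copyFile`` is not visible here; if it shells out,
    the entry would also need quoting - confirm before trusting the list.

    Changes from the previous version: the listing file is closed via
    ``with``, lines are stripped (a CRLF-edited list no longer carries a
    trailing ``\\r`` into the path), and the directory is created with
    ``os.makedirs`` instead of a shell ``mkdir -p``.
    """
    import os

    with open("FileNeedCopy.txt", "r") as listing:
        wanted = [line.strip() for line in listing if line.strip()]

    for count, relPath in enumerate(wanted):
        path = outputDir + "tmpFolder/fileCopyOption/" + str(count)
        # Equivalent of "mkdir -p" without spawning a shell.
        if not os.path.isdir(path):
            os.makedirs(path)
        api.copyFile(inputPath + relPath, path)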
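def copyChosenFile():
    """Copy the files listed in ``FileNeedCopy.txt`` out of the image.

    ``FileNeedCopy.txt`` is read from the current working directory; each
    non-empty line is a path relative to ``inputPath``.  Entry *i* is copied
    into ``tmpFolder/fileCopyOption/<i>/`` beneath ``outputDir`` (the parent
    directory is created by ``start.preEnv()``).

    NOTE(review): entries are concatenated to ``inputPath`` as-is, so a line
    such as ``../../etc/shadow`` or an absolute path reaches outside the
    mounted image.  ``api.copyFile`` is not visible here; if it shells out,
    the entry would also need quoting - confirm before trusting the list.

    Changes from the previous version: the listing file is closed via
    ``with``, lines are stripped (a CRLF-edited list no longer carries a
    trailing ``\\r`` into the path), and the directory is created with
    ``os.makedirs`` instead of a shell ``mkdir -p``.
    """
    import os

    with open("FileNeedCopy.txt", "r") as listing:
        wanted = [line.strip() for line in listing if line.strip()]

    for count, relPath in enumerate(wanted):
        path = outputDir + "tmpFolder/fileCopyOption/" + str(count)
        # Equivalent of "mkdir -p" without spawning a shell.
        if not os.path.isdir(path):
            os.makedirs(path)
        api.copyFile(inputPath + relPath, path)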
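def getRoughData():
    """Collect the raw evidence: registry hives, event logs and user hives.

    Phase 1 copies ``Windows/System32/config`` to ``tmpFolder/reg`` and
    ``Windows/System32/winevt/Logs`` to ``tmpFolder/winLog`` (both beneath
    ``outputDir``, created by ``start.preEnv()``) and parses the SAM hive
    with the ``rip.pl`` ``samparse`` plugin into
    ``tmpFolder/reg/config/SAMparse``.
    Phase 2 calls ``getUserAndSID()`` (which fills the module-level
    ``userList``) and copies ``Users/<name>/NTUSER.DAT`` into
    ``tmpFolder/reg/userReg/<name>``.

    Both phases are best-effort: a failure is reported on stdout together
    with the exception and the function still returns 0.

    Changes from the previous version: the bare ``except:`` no longer hides
    the error (and no longer catches ``KeyboardInterrupt``), the ``rip.pl``
    paths are shell-quoted, and the per-user directory is created without a
    shell because ``userName`` is parsed out of the image's SAM hive and is
    untrusted (a name containing a path separator is skipped).

    Returns:
        int: always 0.
    """
    import os
    try:
        from shlex import quote as _quote  # Python 3
    except ImportError:
        from pipes import quote as _quote  # Python 2

    regDir = outputDir + "tmpFolder/reg"
    try:
        api.copyFile(inputPath + "Windows/System32/config", regDir)  # registry
        api.copyFile(inputPath + "Windows/System32/winevt/Logs", outputDir + "tmpFolder/winLog")  # event logs
        samHive = regDir + "/config/SAM"
        # rip.pl needs a shell for the redirection; quoting keeps a space or
        # metacharacter in outputDir from breaking or altering the command.
        api.retCmd("rip.pl -r " + _quote(samHive) + " -p samparse > " + _quote(regDir + "/config/SAMparse"))
    except Exception as err:  # best-effort: report and continue with phase 2
        print("loi getRoughData phase 1: %s" % err)

    try:
        getUserAndSID()
        for userName in userList:
            # Never let an image-derived name pick a directory outside userReg.
            if not userName or "/" in userName or "\\" in userName or userName in (".", ".."):
                continue
            cacheStore = outputDir + "tmpFolder/reg/userReg/" + userName
            if not os.path.isdir(cacheStore):
                os.makedirs(cacheStore)  # "mkdir -p" without a shell
            api.copyFile(inputPath + "Users/" + userName + "/NTUSER.DAT", cacheStore)  # user registry
    except Exception as err:
        print("loi getRoughData phase 2: %s" % err)
    return 0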
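def getRoughData():
    """Collect the raw evidence: registry hives, event logs and user hives.

    Phase 1 copies ``Windows/System32/config`` to ``tmpFolder/reg`` and
    ``Windows/System32/winevt/Logs`` to ``tmpFolder/winLog`` (both beneath
    ``outputDir``, created by ``start.preEnv()``) and parses the SAM hive
    with the ``rip.pl`` ``samparse`` plugin into
    ``tmpFolder/reg/config/SAMparse``.
    Phase 2 calls ``getUserAndSID()`` (which fills the module-level
    ``userList``) and copies ``Users/<name>/NTUSER.DAT`` into
    ``tmpFolder/reg/userReg/<name>``.

    Both phases are best-effort: a failure is reported on stdout together
    with the exception and the function still returns 0.

    Changes from the previous version: the bare ``except:`` no longer hides
    the error (and no longer catches ``KeyboardInterrupt``), the ``rip.pl``
    paths are shell-quoted, and the per-user directory is created without a
    shell because ``userName`` is parsed out of the image's SAM hive and is
    untrusted (a name containing a path separator is skipped).

    Returns:
        int: always 0.
    """
    import os
    try:
        from shlex import quote as _quote  # Python 3
    except ImportError:
        from pipes import quote as _quote  # Python 2

    regDir = outputDir + "tmpFolder/reg"
    try:
        api.copyFile(inputPath + "Windows/System32/config", regDir)  # registry
        api.copyFile(inputPath + "Windows/System32/winevt/Logs", outputDir + "tmpFolder/winLog")  # event logs
        samHive = regDir + "/config/SAM"
        # rip.pl needs a shell for the redirection; quoting keeps a space or
        # metacharacter in outputDir from breaking or altering the command.
        api.retCmd("rip.pl -r " + _quote(samHive) + " -p samparse > " + _quote(regDir + "/config/SAMparse"))
    except Exception as err:  # best-effort: report and continue with phase 2
        print("loi getRoughData phase 1: %s" % err)

    try:
        getUserAndSID()
        for userName in userList:
            # Never let an image-derived name pick a directory outside userReg.
            if not userName or "/" in userName or "\\" in userName or userName in (".", ".."):
                continue
            cacheStore = outputDir + "tmpFolder/reg/userReg/" + userName
            if not os.path.isdir(cacheStore):
                os.makedirs(cacheStore)  # "mkdir -p" without a shell
            api.copyFile(inputPath + "Users/" + userName + "/NTUSER.DAT", cacheStore)  # user registry
    except Exception as err:
        print("loi getRoughData phase 2: %s" % err)
    return 0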
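def getBrowserCache():
    """Collect the on-disk cache of the common browsers for every user.

    For each name in the module-level ``userList`` (filled by
    ``getUserAndSID()``) the Chrome, Coc Coc, Internet Explorer (three
    locations), Opera and Firefox cache directories under
    ``Users/<name>/AppData/Local`` are copied into
    ``tmpFolder/browserCache/<name>/<browser>`` beneath ``outputDir`` (the
    parent is created by ``start.preEnv()``).  Locations that do not exist
    in the image are skipped silently.

    Changes from the previous version: the Opera path was missing the ``/``
    before ``AppData`` (``...<name>AppData/Local/...``), so the Opera cache
    could never be found; the per-user directory is created without a shell
    because ``userName`` comes from the image's SAM hive and is untrusted
    (a name containing a path separator is skipped); the locations are
    table-driven so adding a browser is a one-line change.
    """
    import os

    # (destination sub-folder, path relative to Users/<name>)
    cacheLocations = (
        ("chrome", "/AppData/Local/Google/Chrome/User Data/Default/Cache"),
        ("coccoc", "/AppData/Local/CocCoc/Browser/User Data/Default/Cache"),
        ("IE1", "/AppData/Local/Microsoft/Windows/INetCache/IE"),
        ("IE2", "/AppData/Local/Microsoft/Windows/Caches"),
        ("IE3", "/AppData/Local/Microsoft/Windows/Profiles/INetCache/IE"),
        ("opera", "/AppData/Local/Opera Software/Opera Stable"),
        ("firefox", "/AppData/Local/Mozilla/Firefox/Profiles"),
    )

    getUserAndSID()
    for userName in userList:
        # Never let an image-derived name pick a directory outside browserCache.
        if not userName or "/" in userName or "\\" in userName or userName in (".", ".."):
            continue
        cacheStore = outputDir + "tmpFolder/browserCache/" + userName
        if not os.path.isdir(cacheStore):
            os.makedirs(cacheStore)  # "mkdir -p" without a shell
        userHome = inputPath + "Users/" + userName
        for subDir, relPath in cacheLocations:
            cachePath = userHome + relPath
            if os.path.exists(cachePath):
                api.copyFile(cachePath, cacheStore + "/" + subDir)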
def getMRUCache():
    """Snapshot the per-user registry hives for MRU analysis.

    Copies ``tmpFolder/reg/userReg`` (populated by ``getRoughData()``) to
    ``tmpFolder/MRUCache``, both beneath ``outputDir``.  Whether the copy is
    recursive and how errors surface depends on ``api.copyFile``, which is
    not visible here.
    """
    base = outputDir + "tmpFolder/"
    source = base + "reg/userReg"
    target = base + "MRUCache"
    api.copyFile(source, target)