def launch_exporter(ts_endpoint, ts_username, ts_password, incident_id,
                    sketch_id, verbose, processor_output):
    """Starts one TimesketchExporter for the given processor output.

    Only the endpoint URL is echoed to stdout. The username and password are
    handed to the API client and are not printed by this function.

    Args:
      ts_endpoint: URL of destination Timesketch server
      ts_username: Timesketch username
      ts_password: Timesketch password
      incident_id: Incident ID or description associated with the
          investigation
      sketch_id: If provided, append the timelines to a given sketch
      verbose: Whether verbose output is desired.
      processor_output: List of (name, path) tuples to export

    Returns:
      A one-element list holding the started TimesketchExporter, which the
      caller can join().
    """
    # Parenthesised single-argument form prints the same text under the
    # print statement and the print function.
    print('Using timesketch endpoint: {0:s}'.format(ts_endpoint))
    api_client = timesketch_utils.TimesketchApiClient(
        ts_endpoint, ts_username, ts_password)
    worker = TimesketchExporter(
        api_client, incident_id, sketch_id, verbose, processor_output)
    worker.start()
    return [worker]
def testInitialization(self):
    """Checks that a TimesketchApiClient object can be constructed."""
    # Dummy endpoint and credentials: the test only asserts that construction
    # yields an object, not that a login succeeds.
    client = timesketch_utils.TimesketchApiClient(
        host_url='http://localhost', username='******', password='******')
    self.assertIsNotNone(client)
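def SetUp(self,  # pylint: disable=arguments-differ
          endpoint=None,
          username=None,
          password=None,
          incident_id=None,
          sketch_id=None,
          verify_tls=True,
          auth_mode='timesketch'):
    """Sets up a connection to a Timesketch server, creating a sketch if needed.

    On a failed connection a critical error is recorded on self.state and the
    method returns without creating a sketch.

    Args:
      endpoint (Optional[str]): Timesketch endpoint, for example
          http://timesketch.com/. The credentials below are handed to the
          API client for this endpoint, so prefer an https:// URL outside
          of local testing.
      username (Optional[str]): Username to authenticate against the
          Timesketch endpoint.
      password (Optional[str]): Password to authenticate against the
          Timesketch endpoint.
      incident_id (Optional[str]): Incident ID or reference. Used in the
          sketch name.
      sketch_id (Optional[int]): Sketch ID to add the resulting timeline to.
          If not provided, a new sketch is created.
      verify_tls (Optional[bool]): Whether to verify the certificate
          provided by the Timesketch endpoint. Leave this enabled unless the
          endpoint is a trusted test server.
      auth_mode (Optional[str]): The authentication mode to use. Defaults to
          'timesketch'. Supported values are 'timesketch' (Timesketch login
          form) and 'http-basic' (HTTP Basic authentication).
    """
    self.timesketch_api = timesketch_utils.TimesketchApiClient(
        endpoint, username, password, verify_tls, auth_mode)
    # NOTE(review): the incident_id argument only feeds the sketch name
    # below; the attribute itself is reset to None. Confirm this is intended.
    self.incident_id = None
    self.sketch_id = int(sketch_id) if sketch_id else None

    # Check that we have a timesketch session
    if not self.timesketch_api.session:
        # format() instead of '+': endpoint defaults to None, and string
        # concatenation would raise TypeError here instead of reporting the
        # connection failure.
        message = 'Could not connect to Timesketch server at {0!s}'.format(
            endpoint)
        self.state.AddError(message, critical=True)
        return

    if not self.sketch_id:
        # No sketch id is provided, create it
        if incident_id:
            # {0!s} tolerates a non-string incident reference.
            sketch_name = 'Sketch for incident ID: {0!s}'.format(incident_id)
        else:
            sketch_name = 'Untitled sketch'
        sketch_description = 'Sketch generated by dfTimewolf'
        self.sketch_id = self.timesketch_api.CreateSketch(
            sketch_name, sketch_description)
        print('Sketch {0:d} created'.format(self.sketch_id))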
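def SetUp(self,  # pylint: disable=arguments-differ
          endpoint=None,
          username=None,
          password=None,
          incident_id=None,
          sketch_id=None):
    """Sets up a connection to a Timesketch server, creating a sketch if needed.

    On a failed connection a critical error is recorded on self.state and the
    method returns without creating a sketch.

    Args:
      endpoint (Optional[str]): Timesketch endpoint, for example
          http://timesketch.com/. The credentials below are handed to the
          API client for this endpoint, so prefer an https:// URL outside
          of local testing.
      username (Optional[str]): Username to authenticate against the
          Timesketch endpoint.
      password (Optional[str]): Password to authenticate against the
          Timesketch endpoint.
      incident_id (Optional[str]): Incident ID or reference. Used in the
          sketch name.
      sketch_id (Optional[int]): Sketch ID to add the resulting timeline to.
          If not provided, a new sketch is created.
    """
    self.timesketch_api = timesketch_utils.TimesketchApiClient(
        endpoint, username, password)
    # NOTE(review): the incident_id argument only feeds the sketch name
    # below; the attribute itself is reset to None. Confirm this is intended.
    self.incident_id = None
    self.sketch_id = int(sketch_id) if sketch_id else None

    # Check that we have a timesketch session
    if not self.timesketch_api.session:
        # format() instead of '+': endpoint defaults to None, and string
        # concatenation would raise TypeError here instead of reporting the
        # connection failure.
        message = 'Could not connect to Timesketch server at {0!s}'.format(
            endpoint)
        self.state.AddError(message, critical=True)
        return

    if not self.sketch_id:
        # No sketch id is provided, create it
        if incident_id:
            # {0!s} tolerates a non-string incident reference.
            sketch_name = 'Sketch for incident ID: {0!s}'.format(incident_id)
        else:
            sketch_name = 'Untitled sketch'
        sketch_description = 'Sketch generated by dfTimewolf'
        self.sketch_id = self.timesketch_api.CreateSketch(
            sketch_name, sketch_description)
        print('Sketch {0:d} created'.format(self.sketch_id))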
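def __init__(self, authentication_information, incident_id, sketch_id,
             verbose, paths):
    """Initializes a Timesketch exporter.

    Connects to the Timesketch server and, when no sketch ID is given,
    creates a new sketch. A failed connection is recorded in self.errors and
    initialization stops there. Only the endpoint and the sketch ID are
    written to the console and syslog; the credentials are not.

    Args:
      authentication_information: an (endpoint, username, password) tuple
      incident_id: Incident ID or description associated with the
          investigation
      sketch_id: If provided, append the timelines to a given sketch
      verbose: Whether verbose output is desired.
      paths: List of (name, path) tuples to export
    """
    super(TimesketchExporter, self).__init__(verbose=verbose)

    # Give every attribute a value before the connection check, so an early
    # return leaves a fully formed object instead of one that raises
    # AttributeError on later access.
    self.incident_id = incident_id
    self.sketch_id = None
    self.paths = paths
    self.sketch_url = None
    self.output = None

    ts_endpoint, ts_username, ts_password = authentication_information
    self.timesketch_api = timesketch_utils.TimesketchApiClient(
        ts_endpoint, ts_username, ts_password)
    if not self.timesketch_api.session:
        self.errors.append(
            "Could not connect to timesketch server {0:s}".format(
                ts_endpoint))
        return

    # Converted only after the session check, as before, so an invalid
    # sketch_id raises at the same point it always did.
    self.sketch_id = int(sketch_id) if sketch_id else None

    if not self.sketch_id:
        if incident_id:
            sketch_name = incident_id
            sketch_description = incident_id
        else:
            sketch_name = 'Untitled sketch'
            sketch_description = 'No description provided'
        self.sketch_id = self.timesketch_api.create_sketch(
            sketch_name, sketch_description)
        self.console_out.StdOut('New sketch created: {0:d}'.format(
            self.sketch_id))
        syslog.syslog('New sketch created: {0:d}'.format(self.sketch_id))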
"""Timewolf tool.""" try: _ = FLAGS(argv) # parse flags except gflags.FlagsError, e: sys.exit(e) # Console output helper console_out = timewolf_utils.TimewolfConsoleOutput( sender=u'TimewolfCli', verbose=FLAGS.verbose) if not (FLAGS.paths or FLAGS.hosts or FLAGS.hunt_id): console_out.StdErr(u'paths or hosts must be specified', die=True) ts_host = re.search(r'://(\S+):\d+', FLAGS.timesketch_server_url).group(1) username, password = timewolf_utils.GetCredentials(FLAGS.username, ts_host) timesketch_api = timesketch_utils.TimesketchApiClient( FLAGS.timesketch_server_url, username, password) grr_host = re.search(r'://(\S+):\d+', FLAGS.grr_server_url).group(1) username, password = timewolf_utils.GetCredentials(FLAGS.username, grr_host) # Collect artifacts try: collected_artifacts = collectors.CollectArtifactsHelper( FLAGS.hosts, FLAGS.hunt_id, FLAGS.paths, FLAGS.artifacts, FLAGS.use_tsk, FLAGS.reason, FLAGS.approvers, FLAGS.verbose, FLAGS.grr_server_url, username, password) except (ValueError, RuntimeError) as exception: console_out.StdErr(exception, die=True) # Process artifacts if FLAGS.timezone: