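def cmd_investigations(self, *args):
    """List, switch to, or delete investigations.

    Exactly one of ``-l/--list``, ``-s/--switch NAME`` or ``-d/--delete ID``
    may be given; with no option the parser's usage line is logged.

    Args:
        *args: Raw command-line tokens, handed to ``argparse``.

    Side effects:
        ``--switch`` and ``--delete`` close any open session, call into
        ``__project__`` and then rebuild ``self.db`` so the new SQLite file
        is opened. NAME is passed to ``__project__.open`` unchanged; any
        path sanitisation happens there, not here. Every outcome is
        reported through ``self.log``; nothing is returned.
    """
    parser = argparse.ArgumentParser(
        prog='investigations',
        description="Open a case",
        epilog="List or switch current investigations",
    )
    group = parser.add_mutually_exclusive_group()
    group.add_argument('-l', '--list', action='store_true',
                       help="List all existing investigations")
    group.add_argument('-s', '--switch', metavar='NAME',
                       help="Switch to the specified investigation")
    group.add_argument('-d', '--delete', type=int, metavar='ID',
                       help="delete investigation by id.")
    try:
        args = parser.parse_args(args)
    except SystemExit:
        # argparse has already printed its error/help text; swallow only the
        # exit it raises so a bad option does not kill the interactive shell.
        return

    projects_path = os.path.join(os.getcwd(), 'investigations')
    if not os.path.exists(projects_path):
        self.log('info', "The investigations directory does not exist yet")
        return

    def close_open_session():
        # Shared by --switch and --delete: an open sample session belongs to
        # the investigation we are about to leave.
        if __sessions__.is_set():
            __sessions__.close()
            self.log('info', "Closed opened session")

    if args.list:
        self.log('info', "Current Investigations:")
        rows = [[item.id, item.name] for item in self.db.get_investigation_list()]
        self.log('table', dict(header=['ID', 'Name'], rows=rows))
    elif args.switch:
        close_open_session()
        __project__.open(args.switch, self.db)
        self.log('info', "Switched to investigation {0}".format(bold(args.switch)))
        # Need to re-initialize the Database to open the new SQLite file.
        self.db = Database()
    elif args.delete is not None:
        # `is not None` rather than truthiness so an ID of 0 is not silently
        # treated as "no option given".
        close_open_session()
        __project__.delete(args.delete, self.db)
        self.log('info', "Deleted investigation {0}".format(bold(args.delete)))
        # Need to re-initialize the Database to open the new SQLite file.
        self.db = Database()
    else:
        # format_usage() returns the text; print_usage() returns None and
        # would have logged a bare "None".
        self.log('info', parser.format_usage())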
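def cmd_delete(self, *args):
    """Delete the currently opened sample from the database and from disk.

    Asks for an explicit ``y``/``n`` confirmation first because the removal
    cannot be undone. The on-disk copy is removed only after the database
    row is gone, so a failed database delete never leaves a record pointing
    at a missing file; in that case the session is left open. Outcomes are
    reported through ``self.log``; nothing is returned.

    Args:
        *args: Ignored; kept for the command-dispatch signature.
    """
    if not __sessions__.is_set():
        self.log('error', "No session opened")
        return

    # Re-prompt until the answer is an unambiguous 'y' or 'n'.
    while True:
        choice = input("Are you sure you want to delete this binary? Can't be reverted! [y/n] ")
        if choice == 'y':
            break
        if choice == 'n':
            return

    current = __sessions__.current.file
    rows = self.db.find('sha256', current.sha256)
    if not rows:
        self.log('error', "No database record found for the opened file")
        return

    if not self.db.delete_file(rows[0].id):
        self.log('error', "Unable to delete file")
        return

    self.log("success", "File deleted")
    try:
        os.remove(current.path)
    except OSError as err:
        # The DB row is already gone; report the leftover file instead of
        # crashing and leaving the session pointing at it.
        self.log('error', "Unable to remove file from disk: {0}".format(err))
    __sessions__.close()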
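def do_get(self, line):
    '''
    Command: get

    Description:
    Get (copy) a file, or parts of a file, from the sensor and store it as
    a sample in the currently opened investigation.

    Args:
    get [OPTIONS] <RemotePath> <LocalName>

    where OPTIONS are:
    -o, --offset : The offset to start getting the file at
    -b, --bytes : How many bytes of the file to get. The default is all bytes.

    Notes:
    <LocalName> is only used for the argument-count check; the fetched data
    is stored via store_sample()/get_sample_path() under its sha256 and the
    temporary download file is removed whether the command succeeds or not.
    Raises CliArgsException on a wrong argument count or a non-integer
    offset/byte count; errors from the sensor transport propagate.
    '''
    self._needs_attached()
    import tempfile

    if not __project__.name:
        print_error("Must open an investigation to retrieve files")
        return

    p = CliArgs(usage='get [OPTIONS] <RemoteFile> <LocalName>')
    p.add_option('-o', '--offset', default="0", help='Offset of the file to start grabbing')
    p.add_option('-b', '--bytes', default=None, help='How many bytes to grab')
    (opts, args) = p.parse_line(line)
    if len(args) != 2:
        raise CliArgsException("Wrong number of args to get command")

    # Validate the numeric options before anything that needs cleanup, so a
    # bad value cannot leak a temporary file. The default offset is the
    # string "0", so it must be converted before comparing with zero.
    hargs = {}
    try:
        offset = int(opts.offset)
        if offset != 0:
            hargs['offset'] = offset
        if opts.bytes:
            hargs['get_count'] = int(opts.bytes)
    except ValueError:
        raise CliArgsException("--offset and --bytes must be integers")

    gfile = self._file_path_fixup(args[0])

    # Close the session of the current file, if one is opened; done after
    # argument validation so a usage error does not drop the user's session.
    if __sessions__.is_set():
        __sessions__.close()

    db = Database()

    # Download into a temporary file; the finally block removes it in every
    # outcome, since the kept copy lives under its sha256 path.
    fout = tempfile.NamedTemporaryFile(delete=False)
    try:
        ret = self._postCommandAndWait("get file", gfile, args=hargs)
        fid = ret["file_id"]
        url = '%s/api/v1/cblr/session/%d/file/%d/content' % (self.url, self.session, fid)
        fdata = self._doGet(url, retJSON=False)
        fout.write(fdata)
        fout.close()
        __sessions__.new(fout.name)
        store_sample(__sessions__.current.file)
        __sessions__.current.file.path = get_sample_path(__sessions__.current.file.sha256)
        db.add(obj=__sessions__.current.file)
    finally:
        # Closing an already-closed file object is a no-op.
        fout.close()
        os.remove(fout.name)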
def cmd_close(self, *args):
    """Close the session that is currently open.

    Args:
        *args: Accepted for the common command signature and ignored.
    """
    # Delegates entirely to the global session registry.
    __sessions__.close()