def add_file(obj, tags=None):
    """Register ``obj`` in the database and then copy it into the sample store.

    The body uses ``self`` (``log``, ``db``), ``args`` (``delete``) and
    ``__project__`` without receiving them as parameters, so this reads like a
    closure defined inside a command handler — TODO confirm against the
    enclosing method.

    Args:
        obj: File-like object exposing ``sha256``, ``name`` and ``path``.
        tags: Optional tag string forwarded unchanged to ``self.db.add``.

    Returns:
        True when the file was stored; False when it was skipped (already in
        the repository, no open project) or the database insert failed.
    """
    # A sample already on disk is never re-added.
    if get_sample_path(obj.sha256):
        self.log('warning', "Skip, file \"{0}\" appears to be already stored".format(obj.name))
        return False

    if not __project__.name:
        print_error("Must open an investigation to store files")
        return False

    # Database first, repository second: a failed insert (e.g. on unicode
    # strings) must not leave an orphan binary with no database record.
    if not self.db.add(obj=obj, tags=tags):
        return False

    new_path = store_sample(obj)
    self.log("success", "Stored file \"{0}\" to {1}".format(obj.name, new_path))

    # Optional removal of the original is best-effort: a failure is logged,
    # not propagated, because the sample has already been stored.
    if args.delete:
        try:
            os.unlink(obj.path)
        except Exception as e:
            self.log('warning', "Failed deleting file: {0}".format(e))

    return True
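def parse_message(self, message_folder):
    """Store the attachments of one extracted PST message and annotate them.

    Args:
        message_folder: Directory of the extracted message, holding
            ``InternetHeaders.txt``, ``Message.txt`` and an optional
            ``Attachments`` sub-directory.

    Returns:
        None. Results are recorded via ``db.add`` / ``db.add_note`` and the
        sample repository (``store_sample``).

    Side effects:
        Every regular file under ``Attachments`` is copied into the sample
        repository, registered in the database with the tag
        ``pst, <message_folder>`` (only when the copy returned a path), and
        given two notes keyed by its SHA-256: the envelope/headers and the
        cleaned message body. Notes are added even when ``db.add`` is not
        called, which is how duplicate attachments accumulate several notes.
    """
    db = Database()
    email_header = os.path.join(message_folder, 'InternetHeaders.txt')
    email_body = os.path.join(message_folder, 'Message.txt')
    envelope = headers = email_text = ''

    if os.path.exists(email_header):
        envelope, headers = self.email_headers(email_header)
    if os.path.exists(email_body):
        # Context manager: the original left this handle open.
        with open(email_body, 'rb') as body_fd:
            email_text = body_fd.read()

    tags = 'pst, {0}'.format(message_folder)
    attachments_dir = os.path.join(message_folder, 'Attachments')
    if not os.path.exists(attachments_dir):
        return

    # The header note is the same for every attachment of this message.
    headers_body = 'Envelope: \n{0}\nHeaders: \n{1}\n'.format(envelope, headers)

    for filename in os.listdir(attachments_dir):
        attachment_path = os.path.join(attachments_dir, filename)
        if not os.path.isfile(attachment_path):
            continue

        obj = File(attachment_path)
        # Hash in chunks with a closed handle (the original read the whole
        # file into memory and leaked the descriptor).
        # NOTE(review): File may already expose a sha256 attribute — confirm
        # and drop this second read if so.
        digest = hashlib.sha256()
        with open(attachment_path, 'rb') as att_fd:
            for chunk in iter(lambda: att_fd.read(1 << 16), b''):
                digest.update(chunk)
        sha256 = digest.hexdigest()

        new_path = store_sample(obj)
        if new_path:
            # Repository copy succeeded: create the database record.
            db.add(obj=obj, tags=tags)

        # Email details as notes; duplicates get one note per occurrence.
        db.add_note(sha256, 'Headers', headers_body)
        db.add_note(sha256, 'Email Body', string_clean(email_text))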
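def parse_message(self, message_folder):
    """Store the attachments of one extracted PST message and annotate them.

    Args:
        message_folder: Directory of the extracted message, holding
            ``InternetHeaders.txt``, ``Message.txt`` and an optional
            ``Attachments`` sub-directory.

    Returns:
        None. Results are recorded via ``db.add`` / ``db.add_note`` and the
        sample repository (``store_sample``).

    Side effects:
        Every regular file under ``Attachments`` is copied into the sample
        repository, registered in the database with the tag
        ``pst, <message_folder>`` (only when the copy returned a path), and
        given two notes keyed by its SHA-256: the envelope/headers and the
        cleaned message body. Notes are added even when ``db.add`` is not
        called, which is how duplicate attachments accumulate several notes.
    """
    db = Database()
    email_header = os.path.join(message_folder, 'InternetHeaders.txt')
    email_body = os.path.join(message_folder, 'Message.txt')
    envelope = headers = email_text = ''

    if os.path.exists(email_header):
        envelope, headers = self.email_headers(email_header)
    if os.path.exists(email_body):
        # Context manager: the original left this handle open.
        with open(email_body, 'rb') as body_fd:
            email_text = body_fd.read()

    tags = 'pst, {0}'.format(message_folder)
    attachments_dir = os.path.join(message_folder, 'Attachments')
    if not os.path.exists(attachments_dir):
        return

    # The header note is the same for every attachment of this message.
    headers_body = 'Envelope: \n{0}\nHeaders: \n{1}\n'.format(envelope, headers)

    for filename in os.listdir(attachments_dir):
        attachment_path = os.path.join(attachments_dir, filename)
        if not os.path.isfile(attachment_path):
            continue

        obj = File(attachment_path)
        # Hash in chunks with a closed handle (the original read the whole
        # file into memory and leaked the descriptor).
        # NOTE(review): File may already expose a sha256 attribute — confirm
        # and drop this second read if so.
        digest = hashlib.sha256()
        with open(attachment_path, 'rb') as att_fd:
            for chunk in iter(lambda: att_fd.read(1 << 16), b''):
                digest.update(chunk)
        sha256 = digest.hexdigest()

        new_path = store_sample(obj)
        if new_path:
            # Repository copy succeeded: create the database record.
            db.add(obj=obj, tags=tags)

        # Email details as notes; duplicates get one note per occurrence.
        db.add_note(sha256, 'Headers', headers_body)
        db.add_note(sha256, 'Email Body', string_clean(email_text))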
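def do_get(self, line):
    '''
    Command: get

    Description:
    Get (copy) a file, or parts of file, from the sensor. The retrieved
    content is written to a private temporary file, opened as a new
    session, copied into the sample repository under its SHA-256 and
    registered in the database. The temporary copy is always removed.

    Args:
    get [OPTIONS] <RemotePath> <LocalPath>
    where OPTIONS are:
    -o, --offset : The offset to start getting the file at
    -b, --bytes : How many bytes of the file to get. The default is all bytes.

    Note: <LocalPath> is required by the argument check but not used by this
    implementation; the sample is stored by hash in the repository.

    Raises:
    CliArgsException when the argument count is wrong; ValueError when
    --offset/--bytes are not integers; whatever the transfer or storage
    helpers raise (re-raised after cleanup).
    '''
    self._needs_attached()
    import tempfile

    if not __project__.name:
        print_error("Must open an investigation to retrieve files")
        return

    # Close the session of the current file if one is open.
    if __sessions__:
        __sessions__.close()

    db = Database()

    p = CliArgs(usage='get [OPTIONS] <RemoteFile> <LocalName>')
    p.add_option('-o', '--offset', default="0", help='Offset of the file to start grabbing')
    p.add_option('-b', '--bytes', default=None, help='How many bytes to grab')
    (opts, args) = p.parse_line(line)
    if len(args) != 2:
        raise CliArgsException("Wrong number of args to get command")

    gfile = self._file_path_fixup(args[0])

    # Validate the numeric options before any file is created, so a bad
    # value cannot leave a stray temporary file behind.
    # The original guard `opts.offset != 0` compared the string default "0"
    # with int 0 and was therefore always true: offset was always sent.
    # That wire behaviour is kept.
    hargs = {'offset': int(opts.offset)}
    if opts.bytes:
        hargs['get_count'] = int(opts.bytes)

    # Private (0600) temporary file; delete=False because the session layer
    # opens it by name.
    fout = tempfile.NamedTemporaryFile(delete=False)
    try:
        ret = self._postCommandAndWait("get file", gfile, args=hargs)
        fid = ret["file_id"]
        url = '%s/api/v1/cblr/session/%d/file/%d/content' % (self.url, self.session, fid)
        # Sensor content is treated as opaque bytes: written to disk, never
        # interpreted here.
        fdata = self._doGet(url, retJSON=False)
        fout.write(fdata)
        fout.close()

        __sessions__.new(fout.name)
        store_sample(__sessions__.current.file)
        __sessions__.current.file.path = get_sample_path(__sessions__.current.file.sha256)
        db.add(obj=__sessions__.current.file)
    finally:
        # Runs on both success and failure; an exception in flight is
        # re-raised unchanged. Closing twice is harmless, and a missing
        # temp file must not mask the original error.
        fout.close()
        try:
            os.remove(fout.name)
        except OSError:
            pass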