def initComponents(self): self.apps_checkboxes_list = [] self.setLayout(BoxLayout(self, BoxLayout.PAGE_AXIS)) # title self.p_title = SettingsUtils.createPanel() self.lb_title = JLabel("Android Forensics") self.lb_title.setFont(self.lb_title.getFont().deriveFont(Font.BOLD, 11)) self.p_title.add(self.lb_title) self.add(self.p_title) # end of title # info menu self.p_info = SettingsUtils.createPanel() self.lb_info = JLabel("") self.lb_info2 = JLabel("") self.p_info.add(self.lb_info) self.p_info.add(self.lb_info2) self.add(self.p_info) # end of info menu # method menu self.p_method = SettingsUtils.createPanel() self.bg_method = ButtonGroup() self.rb_selectedDatasource = SettingsUtils.createRadioButton("Analyse selected datasource", "method_datasource", self.onMethodChange) self.rb_importReportFile = SettingsUtils.createRadioButton("Import previous generated report file","method_importfile" ,self.onMethodChange) self.rb_liveExtraction = SettingsUtils.createRadioButton("Live extraction with ADB","method_adb", self.onMethodChange) self.rb_selectedDatasource.setSelected(True) self.bg_method.add(self.rb_selectedDatasource) self.bg_method.add(self.rb_importReportFile) self.bg_method.add(self.rb_liveExtraction) self.p_method.add(JLabel("Analysis method")) self.p_method.add(self.rb_selectedDatasource) self.p_method.add(self.rb_importReportFile) self.p_method.add(self.rb_liveExtraction) self.add(self.p_method) # end of method menu #app checkboxes menu self.p_apps = SettingsUtils.createPanel() sorted_items = OrderedDict(sorted(Utils.get_all_packages().items())) for app, app_id in sorted_items.iteritems(): #(app, app_id) checkbox = SettingsUtils.addApplicationCheckbox(app, app_id, self.getSelectedApps) self.add(checkbox) self.apps_checkboxes_list.append(checkbox) self.p_apps.add(checkbox) self.add(self.p_apps)
def appsBlock(self): sorted_items = OrderedDict(sorted(Utils.get_all_packages().items())) for app, app_id in sorted_items.iteritems(): #(app, app_id) checkbox = SettingsUtils.addApplicationCheckbox( app, app_id, self.updateCheckboxes, visible=True) #self.add(checkbox) self.apps_checkboxes_list.append(checkbox) self.p_apps.add(checkbox)
def process(self, dataSource, progressBar): #Set progressbar to an scale of 100% self.progressBar = progressBar progressBar.switchToDeterminate(100) #Initialize list of possible data sources data_sources = [] max_apps = len(Utils.get_all_packages().values()) #Extract method for adb selected #THIS IS ONLY USED IN <= AUTOPSY 4.16 if self.method == "method_adb": #Get list of selected apps to extract self.apps = json.loads(self.settings.getSetting('apps')) jobs = max_apps * 3 #extract, analyser, index self.progressJob = ProgressJob(progressBar, jobs) self.progressJob.next_job("Extracting from ADB") logging.info("Starting ADB") #Variable used to store all folders for each device folders = Extractor(self.apps, DeviceCommunication.list_devices(), self.progressJob, dsprocessor = False).dump_apps() # Add one datasource for each device, with the list of the possible folders for serial, folders_list in folders.items(): datasource_name = "ADB_{}_{}".format(serial, int(time.time())) self.utils.add_to_fileset(datasource_name, folders_list) # Add data source to case to be analised for case_datasources in Case.getCurrentCase().getDataSources(): if case_datasources.getName() == datasource_name: data_sources.append(case_datasources) break logging.info("Ending ADB") # Add the selected files for the datasource (json, dumps or mount case) else: logging.info("Using Selected Datasource") data_sources.append(dataSource) self.progressJob = ProgressJob(progressBar, max_apps * 2) #indexing and analying # For each data source, we will process it each one for source in data_sources: self.process_by_datasource(source) self.progressJob.next_job("Done")
def initComponents(self): self.apps_checkboxes_list = [] self.setLayout(BoxLayout(self, BoxLayout.PAGE_AXIS)) self.setPreferredSize(Dimension(300, 0)) # title self.p_title = SettingsUtils.createPanel() self.lb_title = JLabel("Forensic Analysis for Mobile Apps") self.lb_title.setFont(self.lb_title.getFont().deriveFont( Font.BOLD, 15)) self.p_title.add(self.lb_title) self.add(self.p_title) # end of title # info menu self.p_info = SettingsUtils.createPanel() self.p_info.setPreferredSize(Dimension(300, 20)) self.lb_info = SettingsUtils.createInfoLabel("") self.lb_info2 = SettingsUtils.createInfoLabel("") self.sp2 = SettingsUtils.createSeparators(1) self.p_method = SettingsUtils.createPanel() self.bg_method = ButtonGroup() autopsy_version = PsyUtils.get_autopsy_version() if ((autopsy_version["major"] == 4 and autopsy_version["minor"] <= 17) or autopsy_version["major"] < 4): self.p_info.add(self.lb_info) self.p_info.add(self.lb_info2, BorderLayout.SOUTH) self.rb_selectedDatasource = SettingsUtils.createRadioButton( "Analyze selected datasource", "method_datasource", self.onMethodChange) self.bg_method.add(self.rb_selectedDatasource) # self.rb_importReportFile = SettingsUtils.createRadioButton("Import previous generated report file","method_importfile" ,self.onMethodChange) self.rb_liveExtraction = SettingsUtils.createRadioButton( "Live extraction with ADB", "method_adb", self.onMethodChange) self.rb_selectedDatasource.setSelected(True) #self.bg_method.add(self.rb_importReportFile) self.bg_method.add(self.rb_liveExtraction) self.p_method.add(JLabel("Analysis method")) self.p_method.add(self.rb_selectedDatasource) self.p_method.add(self.rb_liveExtraction) else: self.p_info.add( SettingsUtils.createInfoLabel( "It will analyze the data source with previously selected method and index the forensic artifacts." )) self.add(self.p_method) self.p_apps = SettingsUtils.createPanel(True) sorted_items = OrderedDict(sorted(Utils.get_all_packages().items())) for app, app_id in sorted_items.iteritems(): #(app, app_id) checkbox = SettingsUtils.addApplicationCheckbox( app, app_id, self.getSelectedApps) self.add(checkbox) self.apps_checkboxes_list.append(checkbox) self.p_apps.add(checkbox) self.add(self.p_apps) self.add(self.p_info)
def process_by_datasource(self, dataSource): #Since we are running ingest for the same datasource, we remove the output folder first but only for the datasource! temp_directory = os.path.join(self.temp_module_path, dataSource.getName().replace(":","_")) Utils.remove_folder(temp_directory) Utils.check_and_generate_folder(self.temp_module_path) self.progressJob.change_text("Analyzing Information for {}".format(dataSource.getName())) # We are going to use import previous json file or other data if self.method == "method_importfile": json_report = "Report.json" reports_by_app = {} # Find all Report.json in the data source json_reports = self.fileManager.findFiles(dataSource, json_report) # Processing all datasource json reports for report in json_reports: # Get app id of the json report info = Utils.read_json(report.getLocalPath()) app_id = info["header"]["app_id"] self.progressJob.next_job("Processing report {} ".format(app_id)) # Since we can have multiple json files for multiple apps, we have to track how many reports exists for each app if not reports_by_app.get(app_id): reports_by_app[app_id] = 1 else: reports_by_app[app_id] += 1 # Path for every report report_folder_path = os.path.join(temp_directory, app_id, str(reports_by_app[app_id])) Utils.check_and_generate_folder(report_folder_path) # Copy json report to output folder report_location = os.path.join(report_folder_path, "Report.json") copyfile(report.getLocalPath(), report_location) item = {} item["report"] = report_location item["file"] = report item["app"] = Utils.find_app_name(app_id) self.process_report(item, dataSource) # Not using json report else: reports_by_app = {} #We will find all dumps on the datasource internal = "%_internal.tar.gz" external = "%_external.tar.gz" dumps = [] dumps.extend(self.fileManager.findFiles(dataSource, internal)) dumps.extend(self.fileManager.findFiles(dataSource, external)) #We found dumps, the datasource is not a mount path if dumps: #For each dump, we are going to check it for base in dumps: #Get app id of the dump app_id = base.getName().replace('_internal.tar.gz', '').replace('_external.tar.gz','') self.progressJob.next_job("Processing report {} ".format(app_id)) #No reports for this app yet if not reports_by_app.get(app_id): reports_by_app[app_id] = [] #We can have multiple dumps for the same app. this ensure we don't add the same folder twice base_path = os.path.dirname(base.getLocalPath()) if base_path in reports_by_app[app_id]: continue #Adds the folder to the list of reports by app reports_by_app[app_id].append(base_path) #Multiple dumps per app, we are going to create the folder based on the number of the reports report_folder_path = os.path.join(temp_directory, app_id, str(len(reports_by_app[app_id]))) Utils.check_and_generate_folder(report_folder_path) self.progressJob.change_text("Analyzing Information for {} ({})".format(dataSource.getName(), app_id)) #We are going to analyze the dumps and generate the report analyzer = Analyzer(app_id, base_path, report_folder_path) analyzer.generate_report() #Generated json report location report_location = os.path.join(report_folder_path, "Report.json") #Add to reports list item = {} item["report"] = report_location item["file"] = base item["app"] = Utils.find_app_name(app_id) self.process_report(item, dataSource) else: base_path = None base = None # Little hack to know datasource real path # We only know the real path on files, folders doesn't provide the real path # So we are going to search every file files = self.fileManager.findFiles(dataSource, "%") for x in files: #We should add artifacts to a file, so we add it to the logicalfileset as reference if not base: base = x # Script needs files inside /data/data/ # We find a file with this path, we got the base path if x.getLocalPath() and '/data/data/' in x.getParentPath(): # Multiple SO normalization local = Utils.replace_slash_platform(x.getLocalPath()) if Utils.get_platform().startswith("windows"): base_path = local.split("\\data\\data\\")[0] else: base_path = local.split("/data/data/")[0] #Already have the base folder, stop the find break # If have the base folder if base_path: # For all supported apps for app_id in Utils.get_all_packages().values(): # If app data exists in mount if os.path.exists(os.path.join(base_path, "data", "data", app_id)): # Create report folder report_number = 1 report_folder_path = os.path.join(temp_directory, app_id, str(report_number)) #report path Utils.check_and_generate_folder(report_folder_path) self.progressJob.change_text("Analyzing Information for {} ({})".format(dataSource.getName(), app_id)) # Folder to analyze analyzer = Analyzer(app_id, base_path, report_folder_path) analyzer.generate_report() # Report report_location = os.path.join(report_folder_path, "Report.json") item = {} item["report"] = report_location item["file"] = base item["app"] = Utils.find_app_name(app_id) self.process_report(item, dataSource) # After all reports, post a message to the ingest messages in box. return IngestModule.ProcessResult.OK