def _getBrowser(self, target_file: TargetFile) -> IBrowserHistory: if "History" in target_file.get_name(): if ".db" in target_file.get_extension(): return SafaryHistory(target_file.get_path()) else: return ChromeHistory(target_file.get_path()) else: if "places" in target_file.get_name(): return FirefoxHistory(target_file.get_path()) return None
def _run(self, target_file: TargetFile, pwd_list: list): result = {} result["new_files"] = [] result["new_path_files"] = [] binary = None decripted_password = None with ZipFile(target_file.get_path(), 'r') as zip: for info in zip.infolist(): if info.filename[-1] == '/': #it is a dir, so ignore, then we create the dirs continue try: with zip.open(info.filename, 'r') as file: binary = file.read() except: pass if not binary: "probamos con contraseña" for pwd in pwd_list: try: binary = self._decrypt_with_password( info.filename, pwd) if binary: decripted_password = pwd break except: pass if not binary: "probamos con contraseña y algoritmo de cifrado AES" for pwd in pwd_list: try: binary = self._decrypt_AES_WithPassword( target_file, info.filename, pwd) if binary: decripted_password = pwd break except: pass if binary: path_saved = Safe.create_file( os.path.join( "./zipextractor", "./" + os.path.join( target_file.get_path(), info.filename)), binary) result["new_files"].append(info.filename) result["new_path_files"].append(path_saved) if decripted_password: result["password"] = decripted_password.decode() else: result[ "error"] = "Bad password or wrong decrypted algorithm" return result
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: fullmft = self.parse_mft(target_file.get_path()) mft_objects = [] for key, value, in fullmft.items(): info = self._get_interesing_info(value) if info is not None: info["path"] = target_file.get_path() mft_objects.append(info) piped = utils.pipe_to_another_output(self._params, mft_objects) return { "n_mft_objects": len(mft_objects) } if piped else { "mft": mft_objects }
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: return { "content": self._extract_text(target_file.get_path(), self._get_server_param()) }
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: decoded_list = decode(Image.open(target_file.get_path())) i = 0 result = {} if len(decoded_list) >0: result["values"] = [] for dec in decoded_list: result["values"].append(dec.data.decode("utf-8")) return result
def _strings(self, target_file: TargetFile, min_chars: int) -> List: call = subprocess.run(Constructor.get_command(target_file.get_path(), min_chars), capture_output=True) if len(call.stderr) > 0: raise Exception(auxiliar.get_str_utf_8_from_bytes(call.stderr)) else: data = auxiliar.get_str_utf_8_from_bytes(call.stdout).splitlines() return list(filter(lambda a: a != "", data))
def _decrypt_AES_WithPassword(self, target_file: TargetFile, file_name, pwd): try: with AESZipFile(target_file.get_path(), 'r') as zf: zf.pwd = pwd binary = zf.read(file_name) return binary except: return None
def test_load_from_path(self): collie_path = "./tests/examples/collie.jpg" target_file = TargetFile(collie_path) self.assertEqual(target_file.get_extension(), ".jpg") self.assertTrue("JPEG" in target_file.get_type()) self.assertEqual(target_file.get_name(), "collie.jpg") self.assertEqual(len(target_file.get_binary()), 19863) self.assertEqual(target_file.get_path(), collie_path) self.assertEqual(target_file.get_directory(), "./tests/examples") self.assertEqual(target_file.get_info()["extension"], target_file.get_extension())
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: predictions_response = self._get_predictions(target_file.get_path()) result = {} predictions_names = [] probabilites = [] for other, prediction_name, probability in predictions_response[0]: predictions_names.append(prediction_name) probabilites.append(probability) result["prediction_names"] = predictions_names result["probabilites"] = probabilites return result
def _parse_pstost(self, target_file: TargetFile) -> List: pff_file = pypff.file() result = [] try: pff_file.open(target_file.get_path()) pff_root_folder = pff_file.get_root_folder() result = self._get_recursive(pff_root_folder, target_file) except: traceback.print_exc() finally: pff_file.close() return result
def _get_info_from_path(self, target_file: TargetFile) -> dict: try: path = target_file.get_path() return { "emails": self._get_emails(path), "URLs": self._get_urls(path), "IBANs": self._get_ibans(path), "Bitcoin": self._get_bitcoin_address(path) } except: pass return {}
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: events = [] self._filter_ids = self._get_filter_ids_from_params() parser = PyEvtxParser(target_file.get_path()) for record in parser.records(): try: parsed = xmltodict.parse(record["data"]) event = self._get_info(parsed, target_file) if event is not None: events.append(event) except: pass piped = utils.pipe_to_another_output(self._params, events) return {"n_events": len(events)} if piped else {"events": events}
def _get_info(self, parsed, target_file: TargetFile): event_id = parsed["Event"]["System"]["EventID"] if isinstance(event_id, OrderedDict): id = int(event_id["#text"]) else: id = int(event_id) if self._filter_ids: if id not in self._filter_ids: return None info = self._get_system_info(parsed) info.update( self._extract_info_in_data_parsed(parsed["Event"]["EventData"])) info["path"] = target_file.get_path() return info
def _get_recursive(self, pypff_folder: pypff.folder, target_file: TargetFile) -> List: result = [] for item in pypff_folder.sub_items: if isinstance(item, pypff.folder): n_messages = item.get_number_of_sub_messages() if n_messages > 0: index = 0 while index < n_messages: item_message = item.get_sub_message(index) message = {} try: message["path"] = target_file.get_path() message["folder"] = item.name message[ "identifier"] = item_message.get_identifier() message["subject"] = item_message.get_subject() message[ "creation_time"] = Time.change_output_date_format_from_epoch( item_message.get_creation_time().timestamp( )) message[ "delivery_time"] = Time.change_output_date_format_from_epoch( item_message.get_delivery_time().timestamp( )) message[ "client_submit_time"] = Time.change_output_date_format_from_epoch( item_message.get_client_submit_time( ).timestamp()) message[ "sender_name"] = item_message.get_sender_name( ) message[ "headers"] = item_message.get_transport_headers( ) message["html_body"] = item_message.get_html_body().decode() \ if item_message.get_html_body() is not None else "" message["plain_text_body"] = item_message.get_plain_text_body().decode() \ if item_message.get_plain_text_body() is not None else "" message[ "n_attachments"] = item_message.get_number_of_attachments( ) if item_message.get_number_of_attachments() > 0: message["attachments"] = [] for i in range( 0, item_message.get_number_of_attachments( )): base_path_to_save = message[ "folder"] + "/" + str( message["identifier"] ) + "/attachment/" + str(i) file_size = item_message.get_attachment( i).get_size() binary = item_message.get_attachment( i).read_buffer(file_size) path_saved = Safe.create_file( os.path.join("./pstostparser", base_path_to_save), binary) message["attachments"].append(path_saved) result.append(message) except: pass index += 1 result.extend(self._get_recursive(item, target_file)) return result
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: cleanresult = {} with exiftool.ExifTool() as et: result = et.get_metadata(target_file.get_path()) cleanresult = self._clean(result) return cleanresult
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: return self._extract_data(target_file.get_path())
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: result = self._extract_image_text(target_file.get_path()) return result
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: result = self._parse_prefecth_file(target_file.get_path()) return result