def _getBrowser(self, target_file: TargetFile) -> IBrowserHistory:
if "History" in target_file.get_name():
if ".db" in target_file.get_extension():
return SafaryHistory(target_file.get_path())
else:
return ChromeHistory(target_file.get_path())
else:
if "places" in target_file.get_name():
return FirefoxHistory(target_file.get_path())
return None
def _run(self, target_file: TargetFile, pwd_list: list):
result = {}
result["new_files"] = []
result["new_path_files"] = []
binary = None
decripted_password = None
with ZipFile(target_file.get_path(), 'r') as zip:
for info in zip.infolist():
if info.filename[-1] == '/':
#it is a dir, so ignore, then we create the dirs
continue
try:
with zip.open(info.filename, 'r') as file:
binary = file.read()
except:
pass
if not binary:
"probamos con contraseña"
for pwd in pwd_list:
try:
binary = self._decrypt_with_password(
info.filename, pwd)
if binary:
decripted_password = pwd
break
except:
pass
if not binary:
"probamos con contraseña y algoritmo de cifrado AES"
for pwd in pwd_list:
try:
binary = self._decrypt_AES_WithPassword(
target_file, info.filename, pwd)
if binary:
decripted_password = pwd
break
except:
pass
if binary:
path_saved = Safe.create_file(
os.path.join(
"./zipextractor", "./" + os.path.join(
target_file.get_path(), info.filename)),
binary)
result["new_files"].append(info.filename)
result["new_path_files"].append(path_saved)
if decripted_password:
result["password"] = decripted_password.decode()
else:
result[
"error"] = "Bad password or wrong decrypted algorithm"
return result
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
fullmft = self.parse_mft(target_file.get_path())
mft_objects = []
for key, value, in fullmft.items():
info = self._get_interesing_info(value)
if info is not None:
info["path"] = target_file.get_path()
mft_objects.append(info)
piped = utils.pipe_to_another_output(self._params, mft_objects)
return {
"n_mft_objects": len(mft_objects)
} if piped else {
"mft": mft_objects
}
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
return {
"content":
self._extract_text(target_file.get_path(),
self._get_server_param())
}
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict:
decoded_list = decode(Image.open(target_file.get_path()))
i = 0
result = {}
if len(decoded_list) >0:
result["values"] = []
for dec in decoded_list:
result["values"].append(dec.data.decode("utf-8"))
return result
def _strings(self, target_file: TargetFile, min_chars: int) -> List:
call = subprocess.run(Constructor.get_command(target_file.get_path(),
min_chars),
capture_output=True)
if len(call.stderr) > 0:
raise Exception(auxiliar.get_str_utf_8_from_bytes(call.stderr))
else:
data = auxiliar.get_str_utf_8_from_bytes(call.stdout).splitlines()
return list(filter(lambda a: a != "", data))
def _decrypt_AES_WithPassword(self, target_file: TargetFile, file_name,
pwd):
try:
with AESZipFile(target_file.get_path(), 'r') as zf:
zf.pwd = pwd
binary = zf.read(file_name)
return binary
except:
return None
def test_load_from_path(self):
collie_path = "./tests/examples/collie.jpg"
target_file = TargetFile(collie_path)
self.assertEqual(target_file.get_extension(), ".jpg")
self.assertTrue("JPEG" in target_file.get_type())
self.assertEqual(target_file.get_name(), "collie.jpg")
self.assertEqual(len(target_file.get_binary()), 19863)
self.assertEqual(target_file.get_path(), collie_path)
self.assertEqual(target_file.get_directory(), "./tests/examples")
self.assertEqual(target_file.get_info()["extension"],
target_file.get_extension())
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict:
predictions_response = self._get_predictions(target_file.get_path())
result = {}
predictions_names = []
probabilites = []
for other, prediction_name, probability in predictions_response[0]:
predictions_names.append(prediction_name)
probabilites.append(probability)
result["prediction_names"] = predictions_names
result["probabilites"] = probabilites
return result
def _parse_pstost(self, target_file: TargetFile) -> List:
pff_file = pypff.file()
result = []
try:
pff_file.open(target_file.get_path())
pff_root_folder = pff_file.get_root_folder()
result = self._get_recursive(pff_root_folder, target_file)
except:
traceback.print_exc()
finally:
pff_file.close()
return result
def _get_info_from_path(self, target_file: TargetFile) -> dict:
try:
path = target_file.get_path()
return {
"emails": self._get_emails(path),
"URLs": self._get_urls(path),
"IBANs": self._get_ibans(path),
"Bitcoin": self._get_bitcoin_address(path)
}
except:
pass
return {}
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
events = []
self._filter_ids = self._get_filter_ids_from_params()
parser = PyEvtxParser(target_file.get_path())
for record in parser.records():
try:
parsed = xmltodict.parse(record["data"])
event = self._get_info(parsed, target_file)
if event is not None:
events.append(event)
except:
pass
piped = utils.pipe_to_another_output(self._params, events)
return {"n_events": len(events)} if piped else {"events": events}
def _get_info(self, parsed, target_file: TargetFile):
event_id = parsed["Event"]["System"]["EventID"]
if isinstance(event_id, OrderedDict):
id = int(event_id["#text"])
else:
id = int(event_id)
if self._filter_ids:
if id not in self._filter_ids:
return None
info = self._get_system_info(parsed)
info.update(
self._extract_info_in_data_parsed(parsed["Event"]["EventData"]))
info["path"] = target_file.get_path()
return info
def _get_recursive(self, pypff_folder: pypff.folder,
target_file: TargetFile) -> List:
result = []
for item in pypff_folder.sub_items:
if isinstance(item, pypff.folder):
n_messages = item.get_number_of_sub_messages()
if n_messages > 0:
index = 0
while index < n_messages:
item_message = item.get_sub_message(index)
message = {}
try:
message["path"] = target_file.get_path()
message["folder"] = item.name
message[
"identifier"] = item_message.get_identifier()
message["subject"] = item_message.get_subject()
message[
"creation_time"] = Time.change_output_date_format_from_epoch(
item_message.get_creation_time().timestamp(
))
message[
"delivery_time"] = Time.change_output_date_format_from_epoch(
item_message.get_delivery_time().timestamp(
))
message[
"client_submit_time"] = Time.change_output_date_format_from_epoch(
item_message.get_client_submit_time(
).timestamp())
message[
"sender_name"] = item_message.get_sender_name(
)
message[
"headers"] = item_message.get_transport_headers(
)
message["html_body"] = item_message.get_html_body().decode() \
if item_message.get_html_body() is not None else ""
message["plain_text_body"] = item_message.get_plain_text_body().decode() \
if item_message.get_plain_text_body() is not None else ""
message[
"n_attachments"] = item_message.get_number_of_attachments(
)
if item_message.get_number_of_attachments() > 0:
message["attachments"] = []
for i in range(
0,
item_message.get_number_of_attachments(
)):
base_path_to_save = message[
"folder"] + "/" + str(
message["identifier"]
) + "/attachment/" + str(i)
file_size = item_message.get_attachment(
i).get_size()
binary = item_message.get_attachment(
i).read_buffer(file_size)
path_saved = Safe.create_file(
os.path.join("./pstostparser",
base_path_to_save),
binary)
message["attachments"].append(path_saved)
result.append(message)
except:
pass
index += 1
result.extend(self._get_recursive(item, target_file))
return result
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict:
cleanresult = {}
with exiftool.ExifTool() as et:
result = et.get_metadata(target_file.get_path())
cleanresult = self._clean(result)
return cleanresult
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
return self._extract_data(target_file.get_path())
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
result = self._extract_image_text(target_file.get_path())
return result
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
result = self._parse_prefecth_file(target_file.get_path())
return result