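def run_mastiff(evidence, file_to_process, folder_path, evidence_no_quotes, outfile):
	"""Run MASTIFF against one evidence file and collect its report folder.

	Args:
		evidence: shell-quoted form of the evidence path. Kept for callers;
			it is no longer handed to a shell here (see ``evidence_no_quotes``).
		file_to_process: display name of the evidence file, also the name of
			its per-file output folder under ``folder_path``.
		folder_path: root of the MantaRay output tree.
		evidence_no_quotes: plain filesystem path of the evidence file. It is
			what the md5 is computed from, so it is also what ``mas.py`` gets.
		outfile: open text file that receives the command run and any failure.

	Returns:
		None. Failures to launch ``mas.py`` or to move its output are logged
		to stdout and ``outfile`` rather than raised, matching the previous
		best-effort behaviour of the shell pipeline.
	"""
	import shlex
	import shutil

	print("Getting ready to run Mastiff.....")
	print("The file to process is: " + file_to_process)

	# Per-file output folder for the MASTIFF report.
	mastiff_out = folder_path + "/" + file_to_process + "/MASTIFF"
	check_for_folder(mastiff_out, "NONE")

	# The report is expected under /var/log/mastiff/<md5>, so the same hash
	# is needed afterwards to find it.
	md5_hash = calculate_md5(evidence_no_quotes)
	print("The md5 hash of this file is: " + md5_hash)

	# Argument list, no shell: an evidence file name containing shell
	# metacharacters is passed to mas.py as data rather than interpreted.
	mastiff_command = ["mas.py", evidence_no_quotes]
	shown_command = " ".join(shlex.quote(arg) for arg in mastiff_command)
	print("The mastiff command is: " + shown_command)
	outfile.write("The mastiff command is: " + shown_command + "\n\n")

	try:
		return_code = subprocess.call(mastiff_command)
	except OSError as err:  # mas.py not on PATH or not executable
		print("Could not run mas.py: " + str(err))
		outfile.write("Could not run mas.py: " + str(err) + "\n\n")
		return
	if return_code != 0:
		# Previously this was invisible: the shell's status was discarded.
		print("mas.py exited with status " + str(return_code))
		outfile.write("mas.py exited with status " + str(return_code) + "\n\n")

	# shutil.move replaces the shell 'mv': with an existing destination
	# directory the source is moved inside it, as 'mv' did, and neither
	# path is re-parsed by a shell.
	mastiff_report = "/var/log/mastiff/" + md5_hash
	print("Moving " + mastiff_report + " to " + mastiff_out)
	outfile.write("Moving " + mastiff_report + " to " + mastiff_out + "\n\n")
	try:
		shutil.move(mastiff_report, mastiff_out)
	except (OSError, shutil.Error) as err:
		print("Could not move Mastiff output: " + str(err))
		outfile.write("Could not move Mastiff output: " + str(err) + "\n\n")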
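# File listing the plist base names that the second pass will process.
_PLIST_LIST_FILE = "/usr/local/src/Manta_Ray/docs/plists_to_process.txt"
# Scratch directory for plutil output. NOTE(review): a fixed path under /tmp
# is shared with every local user; it is kept because the downstream
# processors and existing log lines expect this exact location.
_BINARY_PLIST_DIR = "/tmp/binary_plists"


def _log(outfile, message):
    """Echo *message* to stdout and append it (newline-terminated) to *outfile*."""
    print(message)
    outfile.write(message + "\n")


def _readable_plist_size(abs_file_path, outfile):
    """Return the size of *abs_file_path* in bytes, or None if it cannot be stat'ed.

    The failure is logged to stdout and *outfile*. Returning None (instead of
    leaving a stale ``file_size`` from the previous file) is what lets the
    caller skip the file safely.
    """
    try:
        return os.path.getsize(abs_file_path)
    except OSError:
        _log(outfile, "Could not get filesize for file: " + abs_file_path)
        return None


def _walk_plists(folder_to_process, outfile):
    """Yield ``(abs_file_path, file_name)`` for each regular, non-empty ``.plist`` in the tree.

    Symlinks are skipped so a link pointing outside the evidence tree is never
    opened or converted; zero-length files are skipped because there is
    nothing to parse.
    """
    for root, _dirs, files in os.walk(folder_to_process):
        for file_name in files:
            if os.path.splitext(file_name)[1] != ".plist":
                continue
            abs_file_path = os.path.join(root, file_name)
            if os.path.islink(abs_file_path):
                continue
            if _readable_plist_size(abs_file_path, outfile):
                yield abs_file_path, file_name


def _detect_plist_format(abs_file_path):
    """Classify a plist as ``"binary_plist"``, ``"xml_plist"`` or ``"text_plist"``.

    Binary plists begin with the ``bplist`` magic; XML plists carry an
    ``xml version`` declaration near the start. The file is read in binary
    mode so a binary plist is never decoded as text first.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    with open(abs_file_path, "rb") as plist_file:
        head = plist_file.read(512)
    if head.startswith(b"bplist"):
        return "binary_plist"
    if b"xml version" in head:
        return "xml_plist"
    return "text_plist"


def _reset_binary_plist_dir(outfile):
    """Create an empty scratch directory for converted plists, wiping a previous run's."""
    first_creation = not os.path.exists(_BINARY_PLIST_DIR)
    if not first_creation:
        # rmtree refuses to follow a symlink in place of the directory.
        shutil.rmtree(_BINARY_PLIST_DIR)
    os.makedirs(_BINARY_PLIST_DIR)
    if first_creation:
        outfile.write("\nJust created output folder: " + _BINARY_PLIST_DIR + "/\n")


def _convert_binary_plist(abs_file_path, file_name, md5, outfile, outfile_error):
    """Convert a binary plist with ``plutil`` and return the output path, or None on failure.

    The command is an argument list (no shell), so a file name taken from the
    evidence tree that contains shell metacharacters is passed to plutil as
    data rather than interpreted. The output name embeds *md5* so identically
    named plists from different directories do not overwrite each other.
    """
    converted = os.path.join(_BINARY_PLIST_DIR, file_name + "_" + md5 + ".plist")
    plutil_command = ["plutil", "-i", abs_file_path, "-o", converted]
    print("The plutil command is: " + " ".join(plutil_command))
    try:
        return_code = subprocess.call(plutil_command)
    except OSError as err:  # plutil missing from PATH or not executable
        _log(outfile_error, "Call to plutil failed for file: " + abs_file_path + " (" + str(err) + ")")
        return None
    if return_code != 0 or not os.path.isfile(converted):
        _log(
            outfile_error,
            "Call to plutil failed for file: " + abs_file_path + " (exit status " + str(return_code) + ")",
        )
        return None
    outfile.write("The converted binary plist is named: " + converted + "\n")
    return converted


def process_folder(folder_to_process, export_file, outfile, outfile_error, now):
    """Walk *folder_to_process* and hand every listed plist to its per-format processor.

    Two passes are made. The first handles only ``SystemVersion.plist`` (via
    ``process_systemversion_plist``) so the OS X version is known before any
    other plist is interpreted. The second handles every ``.plist`` whose base
    name appears in ``_PLIST_LIST_FILE``: XML plists go straight to
    ``process_system_plists``; binary plists are converted with ``plutil``
    first and then passed to ``process_converted_binary_plist``; plain text
    plists are only logged.

    Args:
        folder_to_process: root directory to walk.
        export_file: passed through unchanged to the plist processors.
        outfile: open text file receiving progress messages.
        outfile_error: open text file receiving failure messages.
        now: unused here; kept for interface compatibility with callers.
    """
    with open(_PLIST_LIST_FILE, encoding="utf-8") as f:
        # A set: a name listed twice previously caused the file to be
        # processed twice. Blank and padded lines are tolerated.
        plists_to_process = {line.strip() for line in f if line.strip()}
    print("The plists to process are: " + str(sorted(plists_to_process)))

    # Pass 1: SystemVersion.plist first.
    for abs_file_path, file_name in _walk_plists(folder_to_process, outfile):
        if file_name != "SystemVersion.plist":
            continue
        print("Plist to process is: " + file_name)
        md5 = calculate_md5(abs_file_path).strip()
        print("The md5 is: " + md5)
        process_systemversion_plist(abs_file_path, export_file, md5, outfile)

    # The scratch directory is reset once per run, not once per file visited.
    _reset_binary_plist_dir(outfile)

    # Pass 2: every plist named in the list, dispatched by detected format.
    for abs_file_path, file_name in _walk_plists(folder_to_process, outfile):
        if file_name not in plists_to_process:
            continue
        try:
            file_format = _detect_plist_format(abs_file_path)
        except OSError as err:
            _log(outfile_error, "Could not read file: " + abs_file_path + " (" + str(err) + ")")
            continue
        print(file_name + " is " + file_format)

        md5 = calculate_md5(abs_file_path).strip()
        print("The md5 is: " + md5)
        outfile.write("About to process: " + abs_file_path + "\n")

        if file_format == "xml_plist":
            process_system_plists(abs_file_path, export_file, md5, outfile, outfile_error)
        elif file_format == "binary_plist":
            converted = _convert_binary_plist(abs_file_path, file_name, md5, outfile, outfile_error)
            # A failed conversion is already logged; do not hand a missing
            # file to the processor.
            if converted is not None:
                process_converted_binary_plist(converted, md5, export_file, outfile, abs_file_path)
        # "text_plist": no processor exists for it; it is logged only.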
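# File listing the plist base names that the second pass will process.
_PLIST_LIST_FILE = '/usr/share/mantaray/docs/plists_to_process.txt'
# Scratch directory for plutil output. NOTE(review): a fixed path under /tmp
# is shared with every local user; it is kept because the downstream
# processors and existing log lines expect this exact location.
_BINARY_PLIST_DIR = '/tmp/binary_plists'


def _log(outfile, message):
    """Echo *message* to stdout and append it (newline-terminated) to *outfile*."""
    print(message)
    outfile.write(message + "\n")


def _readable_plist_size(abs_file_path, outfile):
    """Return the size of *abs_file_path* in bytes, or None if it cannot be stat'ed.

    The failure is logged to stdout and *outfile*. Returning None (instead of
    leaving a stale ``file_size`` from the previous file) is what lets the
    caller skip the file safely.
    """
    try:
        return os.path.getsize(abs_file_path)
    except OSError:
        _log(outfile, "Could not get filesize for file: " + abs_file_path)
        return None


def _walk_plists(folder_to_process, outfile):
    """Yield ``(abs_file_path, file_name)`` for each regular, non-empty ``.plist`` in the tree.

    Symlinks are skipped so a link pointing outside the evidence tree is never
    opened or converted; zero-length files are skipped because there is
    nothing to parse.
    """
    for root, _dirs, files in os.walk(folder_to_process):
        for file_name in files:
            if os.path.splitext(file_name)[1] != ".plist":
                continue
            abs_file_path = os.path.join(root, file_name)
            if os.path.islink(abs_file_path):
                continue
            if _readable_plist_size(abs_file_path, outfile):
                yield abs_file_path, file_name


def _detect_plist_format(abs_file_path):
    """Classify a plist as ``"binary_plist"``, ``"xml_plist"`` or ``"text_plist"``.

    Binary plists begin with the ``bplist`` magic; XML plists carry an
    ``xml version`` declaration near the start. The file is read in binary
    mode so a binary plist is never decoded as text first.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    with open(abs_file_path, 'rb') as plist_file:
        head = plist_file.read(512)
    if head.startswith(b'bplist'):
        return "binary_plist"
    if b'xml version' in head:
        return "xml_plist"
    return "text_plist"


def _reset_binary_plist_dir(outfile):
    """Create an empty scratch directory for converted plists, wiping a previous run's."""
    first_creation = not os.path.exists(_BINARY_PLIST_DIR)
    if not first_creation:
        # rmtree refuses to follow a symlink in place of the directory.
        shutil.rmtree(_BINARY_PLIST_DIR)
    os.makedirs(_BINARY_PLIST_DIR)
    if first_creation:
        outfile.write("\nJust created output folder: " + _BINARY_PLIST_DIR + "/\n")


def _convert_binary_plist(abs_file_path, file_name, md5, outfile, outfile_error):
    """Convert a binary plist with ``plutil`` and return the output path, or None on failure.

    The command is an argument list (no shell), so a file name taken from the
    evidence tree that contains shell metacharacters is passed to plutil as
    data rather than interpreted. The output name embeds *md5* so identically
    named plists from different directories do not overwrite each other.
    """
    converted = os.path.join(_BINARY_PLIST_DIR, file_name + "_" + md5 + ".plist")
    plutil_command = ["plutil", "-i", abs_file_path, "-o", converted]
    print("The plutil command is: " + " ".join(plutil_command))
    try:
        return_code = subprocess.call(plutil_command)
    except OSError as err:  # plutil missing from PATH or not executable
        _log(outfile_error,
             "Call to plutil failed for file: " + abs_file_path + " (" + str(err) + ")")
        return None
    if return_code != 0 or not os.path.isfile(converted):
        _log(outfile_error,
             "Call to plutil failed for file: " + abs_file_path +
             " (exit status " + str(return_code) + ")")
        return None
    outfile.write("The converted binary plist is named: " + converted + "\n")
    return converted


def process_folder(folder_to_process, export_file, outfile, outfile_error,
                   now):
    """Walk *folder_to_process* and hand every listed plist to its per-format processor.

    Two passes are made. The first handles only ``SystemVersion.plist`` (via
    ``process_systemversion_plist``) so the OS X version is known before any
    other plist is interpreted. The second handles every ``.plist`` whose base
    name appears in ``_PLIST_LIST_FILE``: XML plists go straight to
    ``process_system_plists``; binary plists are converted with ``plutil``
    first and then passed to ``process_converted_binary_plist``; plain text
    plists are only logged.

    Args:
        folder_to_process: root directory to walk.
        export_file: passed through unchanged to the plist processors.
        outfile: open text file receiving progress messages.
        outfile_error: open text file receiving failure messages.
        now: unused here; kept for interface compatibility with callers.
    """
    with open(_PLIST_LIST_FILE, encoding='utf-8') as f:
        # A set: a name listed twice previously caused the file to be
        # processed twice. Blank and padded lines are tolerated.
        plists_to_process = {line.strip() for line in f if line.strip()}
    print("The plists to process are: " + str(sorted(plists_to_process)))

    # Pass 1: SystemVersion.plist first.
    for abs_file_path, file_name in _walk_plists(folder_to_process, outfile):
        if file_name != "SystemVersion.plist":
            continue
        print("Plist to process is: " + file_name)
        md5 = calculate_md5(abs_file_path).strip()
        print("The md5 is: " + md5)
        process_systemversion_plist(abs_file_path, export_file, md5, outfile)

    # The scratch directory is reset once per run, not once per file visited.
    _reset_binary_plist_dir(outfile)

    # Pass 2: every plist named in the list, dispatched by detected format.
    for abs_file_path, file_name in _walk_plists(folder_to_process, outfile):
        if file_name not in plists_to_process:
            continue
        try:
            file_format = _detect_plist_format(abs_file_path)
        except OSError as err:
            _log(outfile_error,
                 "Could not read file: " + abs_file_path + " (" + str(err) + ")")
            continue
        print(file_name + " is " + file_format)

        md5 = calculate_md5(abs_file_path).strip()
        print("The md5 is: " + md5)
        outfile.write("About to process: " + abs_file_path + "\n")

        if file_format == "xml_plist":
            process_system_plists(abs_file_path, export_file, md5, outfile,
                                  outfile_error)
        elif file_format == "binary_plist":
            converted = _convert_binary_plist(abs_file_path, file_name, md5,
                                              outfile, outfile_error)
            # A failed conversion is already logged; do not hand a missing
            # file to the processor.
            if converted is not None:
                process_converted_binary_plist(converted, md5, export_file,
                                               outfile, abs_file_path)
        # "text_plist": no processor exists for it; it is logged only.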