Exemplo n.º 1
0
def module():
    # KEEP THIS - ENABLES WRITING OUTPUT FILE.
    _output = data_writer(_modName, _headers)

    # -------------BEGIN MODULE-SPECIFIC LOGIC------------- #
    preferences = plistlib.readPlist(os.path.join(inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist'))
    systemversion = plistlib.readPlist(os.path.join(inputdir, 'System/Library/CoreServices/SystemVersion.plist'))

    # KEEP THE LINE BELOW TO GENERATE AN ORDEREDDICT BASED ON THE HEADERS
    record = OrderedDict((h, '') for h in _headers)

    record['local_hostname'] = full_prefix.split(',')[1]
    record['ipaddress'] = full_prefix.split(',')[2]

    computer_name = finditem(preferences, 'ComputerName')
    if computer_name is not None:
        record['computer_name'] = computer_name.encode('utf-8')
    record['hostname'] = finditem(preferences, 'HostName')
    record['model'] = finditem(preferences, 'Model')
    record['product_version'] = OSVersion
    record['product_build_version'] = finditem(systemversion, 'ProductBuildVersion')

    g = glob.glob(os.path.join(inputdir, 'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
    check_dbs = ['consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db']
    serial_dbs = [loc for loc in g if any(db in loc for db in check_dbs)]
    serial_query = 'SELECT SerialNumber FROM TableInfo;'

    for db in serial_dbs:
        try:
            cursor = sqlite3.connect(db).cursor()
            record['serial_no'] = cursor.execute(serial_query).fetchone()[0]
            break

        except sqlite3.OperationalError:
            record['serial_no'] = 'SERIALERROR0'
            log.error("Could not retrieve system serial number.")

    record['volume_created'] = stats2(inputdir + "/", oMACB=True)['btime']
    record['amtc_runtime'] = str(startTime).replace(' ', 'T').replace('+00:00', 'Z')

    if 'Volumes' not in inputdir and forensic_mode is not True:

        tz, e = subprocess.Popen(["systemsetup", "-gettimezone"], stdout=subprocess.PIPE).communicate()
        record['system_tz'] = tz.rstrip().replace('Time Zone: ', '')

        _fdestatus, e = subprocess.Popen(["fdesetup", "status"], stdout=subprocess.PIPE).communicate()
        if 'On' in _fdestatus:
            record['fvde_status'] = "On"
        else:
            record['fvde_status'] = "Off"
    else:
        record['system_tz'] = "DEAD_DISK"
        record['fvde_status'] = "NA"

    # PROVIDE OUTPUT LINE, AND WRITE TO OUTFILE
    line = record.values()
    _output.write_entry(line)
Exemplo n.º 2
0
def module():
    # KEEP THIS - ENABLES WRITING OUTPUT FILE.
    _output = data_writer(_modName, _headers)

    # -------------BEGIN MODULE-SPECIFIC LOGIC------------- #
    globalpreferences = read_bplist(
        os.path.join(inputdir, 'Library/Preferences/.GlobalPreferences.plist'))
    preferences = plistlib.readPlist(
        os.path.join(
            inputdir,
            'Library/Preferences/SystemConfiguration/preferences.plist'))
    systemversion = plistlib.readPlist(
        os.path.join(inputdir,
                     'System/Library/CoreServices/SystemVersion.plist'))

    # KEEP THE LINE BELOW TO GENERATE AN ORDEREDDICT BASED ON THE HEADERS
    record = OrderedDict((h, '') for h in _headers)

    record['local_hostname'] = finditem(preferences, 'LocalHostName')
    record['ipaddress'] = full_prefix.split(',')[2]

    computer_name = finditem(preferences, 'ComputerName')
    if computer_name is not None:
        record['computer_name'] = computer_name.encode('utf-8')
    record['hostname'] = finditem(preferences, 'HostName')
    record['model'] = finditem(preferences, 'Model')
    record['product_version'] = OSVersion
    record['product_build_version'] = finditem(systemversion,
                                               'ProductBuildVersion')

    g = glob.glob(
        os.path.join(
            inputdir,
            'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
    check_dbs = [
        'consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db'
    ]
    serial_dbs = [
        loc for loc in g if any(loc.endswith(db) for db in check_dbs)
    ]
    serial_query = 'SELECT SerialNumber FROM TableInfo;'

    for db in serial_dbs:
        try:
            cursor = sqlite3.connect(db).cursor()
            record['serial_no'] = cursor.execute(serial_query).fetchone()[0]
            break

        except Exception, e:
            log.debug("Could not get serial number from {0}: {1}".format(
                db, [traceback.format_exc()]))
            record['serial_no'] = 'ERROR'
Exemplo n.º 3
0
def get_extensions(extlist, user, prof, extensions_output, extensions_headers):
    log.debug("Writing extension data...")

    for ext in extlist:
        with open(ext) as file:
            data = json.loads(file.read())

        #these json files have various different keys depending on the author

        record = OrderedDict((h, '') for h in extensions_headers)
        record['user'] = user
        record['profile'] = prof
        record['name'] = finditem(data, "name")
        record['author'] = finditem(data, "author")
        record['permissions'] = finditem(data, "permissions")
        record['description'] = finditem(data, "description")
        record['scripts'] = finditem(data, "scripts")
        record['persistent'] = finditem(data, "persistent")
        record['version'] = finditem(data, "version")

        extensions_output.write_entry(record.values())

    log.debug("Completed writing extension data.")
Exemplo n.º 4
0
def module(chrome_location):

    # for all chrome dirs on disk, parse their local state files

    profile_headers = [
        'user', 'profile', 'active_time', 'is_using_default_avatar',
        'is_omitted_from_profile_list', 'name', 'gaia_picture_file_name',
        'user_name', 'managed_user_id', 'gaia_name', 'avatar_icon', 'gaia_id',
        'local_auth_credentials', 'gaia_given_name', 'is_using_default_name',
        'background_apps', 'is_ephemeral'
    ]
    profile_output = data_writer('browser_chrome_profiles', profile_headers)

    for c in chrome_location:

        userpath = c.split('/')
        userindex = userpath.index('Users') + 1
        user = userpath[userindex]

        log.debug(
            "Parsing Chrome Local State data under {0} user.".format(user))
        localstate_file = os.path.join(c, 'Local State')
        if os.path.exists(localstate_file):
            with open(localstate_file, 'r') as data:
                jdata = json.loads(data.read())
                chrome_ver = finditem(jdata, "stats_version")
                log.debug("Chrome version {0} identified.".format(chrome_ver))

                profile_data = finditem(jdata, "info_cache")
                parse_profiles(profile_data, user, profile_output,
                               profile_headers)

        else:
            log.debug("File not found: {0}".format(localstate_file))

    # make a full list of all chrome profiles under all chrome dirs
    full_list_raw = [
        multiglob(c, ['Default', 'Profile *', 'Guest Profile'])
        for c in chrome_location
    ]
    full_list = list(itertools.chain.from_iterable(full_list_raw))

    urls_headers = [
        'user', 'profile', 'visit_time', 'title', 'url', 'visit_count',
        'last_visit_time', 'typed_count', 'visit_duration', 'search_term'
    ]
    urls_output = data_writer('browser_chrome_history', urls_headers)

    downloads_headers = [
        'user', 'profile', 'download_path', 'current_path', 'download_started',
        'download_finished', 'danger_type', 'opened', 'last_modified',
        'referrer', 'tab_url', 'tab_referrer_url', 'download_url', 'url'
    ]
    downloads_output = data_writer('browser_chrome_downloads',
                                   downloads_headers)

    for prof in full_list:

        userpath = prof.split('/')
        userindex = userpath.index('Users') + 1
        user = userpath[userindex]

        chromeindex = userpath.index('Chrome') + 1
        profile = userpath[chromeindex]

        log.debug(
            "Starting parsing for Chrome history under {0} user.".format(user))

        history_db = connect_to_db(os.path.join(prof, 'History'))

        if history_db:

            pull_visit_history(history_db, user, profile, urls_output,
                               urls_headers)
            pull_download_history(history_db, user, profile, downloads_output,
                                  downloads_headers)

        try:
            os.remove(os.path.join(outputdir, 'History-tmp'))
        except OSError:
            pass