Exemplo n.º 1
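def _connect_readonly(db_path):
    """Open the SQLite database at *db_path* and return the connection.

    The database is opened read-only through a ``file:`` URI so SQLite never
    creates journal/WAL side files next to the evidence and cannot modify the
    source file.  On interpreters without ``pathlib`` or the ``uri=`` keyword
    (Python 2) the plain ``sqlite3.connect`` is used, as before.
    """
    try:
        import pathlib  # local import: the module's import block is outside this section
        uri = pathlib.Path(db_path).resolve().as_uri() + '?mode=ro'
        return sqlite3.connect(uri, uri=True)
    except (ImportError, TypeError):
        return sqlite3.connect(db_path)


def _query_serial(db_path):
    """Return the SerialNumber value stored in *db_path*'s TableInfo table.

    Raises ``sqlite3.OperationalError`` when the database cannot be opened or
    queried, or when TableInfo has no rows (the original ``fetchone()[0]``
    raised an unhandled TypeError in that case).  The connection is always
    closed before returning.
    """
    conn = _connect_readonly(db_path)
    try:
        row = conn.execute('SELECT SerialNumber FROM TableInfo;').fetchone()
    finally:
        conn.close()
    if row is None:
        raise sqlite3.OperationalError(
            "TableInfo has no rows in {0}".format(db_path))
    return row[0]


def _query_serial_from_copy(db_path):
    """Retry the serial lookup on a copy of *db_path* placed in ``outputdir``.

    Used when the original cannot be opened in place (locked, or on media we
    cannot open).  Returns the serial, or None when the copy could not be
    made or read either.  The temporary copy is removed in every case.
    """
    tmpdb = os.path.join(outputdir, os.path.basename(db_path) + '-tmp')
    log.debug("Trying to connect to db copied to temp location...")
    # NOTE: only the main database file is copied; if the source is in WAL
    # mode, pages still sitting in its -wal file are not seen by the copy.
    try:
        shutil.copyfile(db_path, tmpdb)
    except (IOError, OSError):
        # Previously an uncopyable database raised out of gen_fullprefix.
        log.debug(
            "Could not get serial number from {0}. Trying another directory."
            .format(tmpdb))
        return None
    try:
        serial = _query_serial(tmpdb)
        log.debug("Successfully connected.")
        return serial
    except sqlite3.Error:
        log.debug(
            "Could not get serial number from {0}. Trying another directory."
            .format(tmpdb))
        return None
    finally:
        try:
            os.remove(tmpdb)
        except OSError:
            pass


def _get_serial():
    """Return the system serial number, or "SERROR" if no candidate DB yields one.

    Candidates are the consolidated/cache_encryptedA/lockCache_encryptedA
    databases under the fixed ``private/var/folders/zz/...`` path inside
    ``inputdir``.  A database that is locked or cannot be opened in place is
    retried from a temporary copy.
    """
    candidates = glob.glob(
        os.path.join(
            inputdir,
            'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
    check_dbs = (
        'consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db'
    )
    serial_dbs = [loc for loc in candidates if loc.endswith(check_dbs)]

    for db in serial_dbs:
        try:
            serial = _query_serial(db)
        except sqlite3.OperationalError as exc:
            message = str(exc)
            log.debug("Could not connect [{0}].".format(message))
            # Both substrings are tested against the message; the original
            # `if "database is locked" or "unable to open" in msg` was
            # always true because of the bare string literal.
            if "database is locked" in message or "unable to open" in message:
                serial = _query_serial_from_copy(db)
                if serial is not None:
                    return serial
            continue
        log.debug("Retrieved serial number {0} from {1}.".format(serial, db))
        return serial
    return "SERROR"


def _get_hostname(live):
    """Return the machine's hostname, or 'HNERROR' when it cannot be determined.

    On a live system (*live* is True) the ``hostname`` command is used;
    otherwise the image's preferences.plist is read, preferring the
    ``HostName`` key and falling back to ``LocalHostName``.
    """
    if live:
        try:
            out, _ = subprocess.Popen(
                ["hostname"], stdout=subprocess.PIPE).communicate()
            hostname = out.decode('utf-8').rstrip('\n')
        except Exception:
            log.error("Could not retrieve hostname.")
            return 'HNERROR'
        log.debug("Retrieved hostname {0}.".format(hostname))
        return hostname

    pref_path = os.path.join(
        inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist')
    try:
        with open(pref_path, 'rb') as pref_plist:  # closed on every path
            try:
                preferences = plistlib.load(pref_plist)
            except Exception:
                log.debug("Using python2 code to read preferences.plist.")
                pref_plist.seek(0)  # a failed load() may have consumed data
                preferences = plistlib.readPlist(pref_plist)
        hostname = finditem(preferences, 'HostName')
        if not hostname:
            hostname = finditem(preferences, 'LocalHostName')
            log.debug(
                "Got hostname from the LocalHostName key, rather than HostName."
            )
    except Exception:
        log.error("Could not retrieve hostname.")
        return 'HNERROR'
    if not hostname:
        # Neither key present: use the same marker as the other failure
        # paths instead of writing "None" into the prefix.
        log.error("Could not retrieve hostname.")
        return 'HNERROR'
    return hostname


def _get_live_ip():
    """Return the first IPv4 address ifconfig reports for en0, or 255.255.255.255."""
    try:
        out, _ = subprocess.Popen(["ifconfig", "en0"],
                                  stdout=subprocess.PIPE).communicate()
        inet_lines = [
            i for i in out.decode().split('\n\t') if i.startswith("inet ")
        ]
        ip = ''.join(inet_lines).split(' ')[1]
    except (IndexError, OSError):
        # OSError: ifconfig not available (previously raised out of the
        # function); IndexError: no "inet " entry for en0.
        log.error("IPv4 not available, recorded as 255.255.255.255.")
        return "255.255.255.255"
    log.debug("Retrieved IPv4 address as {0}.".format(ip))
    return ip


def _last_local_ip(lines):
    """Return (ip, timestamp) from the last "Local IP" line in *lines*, or None.

    The IP is the last space-separated field of that line; the timestamp is
    its first four fields joined, as the original parsing did.
    """
    matches = [i for i in lines if "Local IP" in i]
    if not matches:
        return None
    fields = matches[-1].rstrip().split(' ')
    return fields[-1], ' '.join(fields[0:4])


def _get_image_ip():
    """Return the last IP recorded in the image's wifi.log files, or 255.255.255.255.

    wifi.log is consulted first; the rotated wifi.log.*.bz2 files are read
    only when it yields nothing (the original overwrote a value found in
    wifi.log with the bz2 result, or with 255.255.255.255 when the archives
    held no "Local IP" line).  Archives are visited newest-first by mtime,
    which is assumed to reflect rotation order — TODO confirm.
    """
    import bz2  # local import: the module's import block is outside this section

    wifilog = os.path.join(inputdir, 'private/var/log/wifi.log')
    try:
        with open(wifilog, 'r') as fh:
            found = _last_local_ip(fh.readlines())
    except (IOError, OSError, UnicodeDecodeError):
        found = None
        log.debug(
            "Could not parse wifi.log, will check historical wifi.log.*.bz2 files."
        )
    else:
        if found is None:
            log.debug(
                "Could not find last IP in wifi.log, will check historical wifi.log.*.bz2 files."
            )

    if found is None:
        wifi_bzlogs = glob.glob(
            os.path.join(inputdir, 'private/var/log/wifi.log.*.bz2'))
        for bzlog in sorted(wifi_bzlogs, key=os.path.getmtime, reverse=True):
            try:
                # In-process decompression replaces the external `bzcat`
                # call, whose bytes output failed `.split('\n')` on Python 3.
                with bz2.BZ2File(bzlog) as fh:
                    text = fh.read().decode('utf-8', 'replace')
            except Exception:
                log.debug("Could not parse {0}.".format(bzlog))
                continue
            found = _last_local_ip(text.split('\n'))
            if found is not None:
                break

    if found is None:
        log.debug(
            "Could not get last IP from current or historical wifi.log files. Recorded at 255.255.255.255."
        )
        return "255.255.255.255"
    ip, iptime = found
    log.debug(
        "Last IP address {0} was assigned around {1} (local time)."
        .format(ip, iptime))
    return ip


def gen_fullprefix(startTime):
    """Build the comma-separated output-file prefix and look up the system serial.

    Args:
        startTime: datetime of the run start.  ``str(startTime)`` with
            microseconds dropped is used, with a ``+00:00`` suffix rewritten
            to ``Z`` and the date/time separator space replaced by ``T``.

    Returns:
        ``(full_prefix, serial)`` where ``full_prefix`` is
        ``"<_prefix>,<hostname>,<ip>,<runtime>"`` with every ":" replaced by
        "_", and ``serial`` is the system serial number or ``"SERROR"``.

    Hostname and IP come from the live machine when ``inputdir`` is not a
    mounted volume and ``forensic_mode`` is off; otherwise they are read from
    the image's preferences.plist and wifi.log(.*.bz2) files.  Lookup
    failures are recorded as ``HNERROR`` / ``255.255.255.255`` rather than
    raised.
    """
    log.debug("Building output file prefix.")

    # Same test the original repeated for hostname and IP.
    live = 'Volumes' not in inputdir and forensic_mode is not True

    # Get system serial number.
    _serial = _get_serial()

    # Get local hostname.
    _hostname = _get_hostname(live)

    # Get current system IP address (if running on live machine).
    _ip = _get_live_ip() if live else _get_image_ip()

    # Get automactc runtime.
    _runtime = str(startTime.replace(microsecond=0)).replace(
        '+00:00', 'Z').replace(' ', 'T')

    # Assemble prefix.
    full_prefix = '{0},{1},{2},{3}'.format(_prefix, _hostname, _ip,
                                           _runtime).replace(':', '_')

    return full_prefix, _serial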
Exemplo n.º 2
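def gen_fullprefix(startTime):
    """Build the comma-separated output-file prefix for this run.

    Args:
        startTime: datetime of the run start.  ``str(startTime)`` with
            microseconds dropped is used, with a ``+00:00`` suffix rewritten
            to ``Z`` and the date/time separator space replaced by ``T``.

    Returns:
        ``"<_prefix>,<hostname>,<ip>,<runtime>"`` with every ":" replaced by
        "_".  Lookup failures are recorded in the prefix as ``HNERROR`` and
        ``255.255.255.255`` instead of being raised.

    The system serial number is looked up and logged but (in this version)
    not returned.  Hostname and IP come from the live machine when
    ``inputdir`` is not a mounted volume and ``forensic_mode`` is off;
    otherwise the hostname is read from the image's preferences.plist and
    the IP is fixed at 255.255.255.255.
    """
    log.debug("Building output file prefix.")

    # Same test the original repeated for hostname and IP.
    live = 'Volumes' not in inputdir and forensic_mode is not True

    # Get system serial number (logged only).
    g = glob.glob(
        os.path.join(
            inputdir,
            'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*'))
    check_dbs = (
        'consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db'
    )
    serial_dbs = [loc for loc in g if any(name in loc for name in check_dbs)]
    serial_query = 'SELECT SerialNumber FROM TableInfo;'

    for db in serial_dbs:
        conn = None
        try:
            try:
                # Read-only URI open: SQLite then creates no journal/WAL side
                # files next to the evidence and cannot modify it.
                import pathlib
                conn = sqlite3.connect(
                    pathlib.Path(db).resolve().as_uri() + '?mode=ro',
                    uri=True)
            except (ImportError, TypeError):
                # Python 2: no pathlib / no uri= keyword; open as before.
                conn = sqlite3.connect(db)
            row = conn.execute(serial_query).fetchone()
            if row is None:
                # fetchone()[0] on None raised an unhandled TypeError before.
                raise sqlite3.OperationalError("TableInfo has no rows")
            log.debug("Retrieved serial number {0} from {1}.".format(
                row[0], db))
            break
        except sqlite3.OperationalError:
            log.error("Could not extract serial number from {0}.".format(db))
        finally:
            if conn is not None:
                conn.close()  # the original left every connection open

    # Get local hostname.
    if live:
        try:
            hostname_cmd, _ = subprocess.Popen(
                ["hostname"], stdout=subprocess.PIPE).communicate()
            # Popen returns bytes on Python 3; decode before rstrip.
            _hostname = hostname_cmd.decode('utf-8').rstrip('\n')
            log.debug("Retrieved hostname {0}.".format(_hostname))
        except Exception:
            _hostname = 'HNERROR'
            log.error("Could not retrieve hostname.")
    else:
        pref_path = os.path.join(
            inputdir,
            'Library/Preferences/SystemConfiguration/preferences.plist')
        try:
            try:
                with open(pref_path, 'rb') as fh:
                    preferences = plistlib.load(fh)
            except AttributeError:
                # Python 2 has no plistlib.load.  (The original called
                # readPlist() with no argument, so this branch always failed
                # and every image run recorded HNERROR.)
                preferences = plistlib.readPlist(pref_path)
            _hostname = finditem(preferences, 'LocalHostName')
        except Exception:
            _hostname = 'HNERROR'
            log.error("Could not retrieve hostname.")

    # Get current system IP address (if running on live machine).
    if live:
        try:
            out, _ = subprocess.Popen(["ifconfig", "en0"],
                                      stdout=subprocess.PIPE).communicate()
            inet_lines = [
                i for i in out.decode().split('\n\t') if i.startswith("inet ")
            ]
            _ip = ''.join(inet_lines).split(' ')[1]
            log.debug("Retrieved IPv4 address as {0}.".format(_ip))
        except (IndexError, OSError):
            # OSError: ifconfig not available (previously raised out of the
            # function); IndexError: no "inet " entry for en0.
            _ip = "255.255.255.255"
            log.error("IPv4 not available, recorded as 255.255.255.255.")
    else:
        _ip = "255.255.255.255"

    # Get automactc runtime.
    _runtime = str(startTime.replace(microsecond=0)).replace(
        '+00:00', 'Z').replace(' ', 'T')

    # Assemble prefix.
    full_prefix = '{0},{1},{2},{3}'.format(_prefix, _hostname, _ip,
                                           _runtime).replace(':', '_')

    return full_prefix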
Exemplo n.º 3
    # Generate full prefix of the filenames.
    full_prefix, serial = gen_fullprefix(startTime)
    # NOTE(review): if gen_fullprefix joins its fields with "," (no space),
    # as the version above does, this split on ", " leaves full_prefix whole
    # — confirm the intended separator.
    filename_prefix = ', '.join(full_prefix.split(', ')[:4])
    log.debug("Full prefix: {0}".format(full_prefix))

    # Capture the OS version as a float for comparison tests in modules.
    # NOTE(review): what is actually stored is the ProductVersion string from
    # the plist or, on the fallback path, the raw sw_vers output (bytes on
    # Python 3); no float conversion happens here.
    try:
        # NOTE(review): pslistfile is never closed; a `with` block would
        # release the handle on every path.
        pslistfile = open(
            os.path.join(inputdir,
                         'System/Library/CoreServices/SystemVersion.plist'),
            'rb')
        try:
            systemversion = plistlib.load(pslistfile)
        except AttributeError:
            # Python 2 has no plistlib.load; fall back to readPlist.
            systemversion = plistlib.readPlist(pslistfile)
        OSVersion = finditem(systemversion, 'ProductVersion')
        log.debug("Got OSVersion: {0}".format(OSVersion))
    except IOError:
        # Plist missing/unreadable: on a live machine ask sw_vers instead.
        if 'Volumes' not in inputdir and forensic_mode is not True:
            try:
                OSVersion, e = subprocess.Popen(
                    ["sw_vers", "-productVersion"],
                    stdout=subprocess.PIPE).communicate()
                log.debug("Got OSVersion: {0}".format(OSVersion))
            except Exception as e:
                # NOTE(review): OSVersion is left unbound on this path; any
                # later use would raise NameError.
                log.error("Could not get OSVersion: {0}".format(
                    [traceback.format_exc()]))
        else:
            # Forensic image without the plist: OSVersion stays unbound here
            # as well.
            log.error(
                "Could not get OSVersion: alternative method does not work on forensic image."
            )
Exemplo n.º 4
    if 'Volumes' not in inputdir and forensic_mode is not True:
        try:
            hostname_cmd, e = subprocess.Popen(
                ["hostname"], stdout=subprocess.PIPE).communicate()
            _hostname = hostname_cmd.rstrip('\n')
            log.debug("Retrieved hostname {0}.".format(_hostname))
        except Exception:
            _hostname = 'HNERROR'
            log.error("Could not retrieve hostname.")
    else:
        try:
            pref_plist = os.path.join(
                inputdir,
                'Library/Preferences/SystemConfiguration/preferences.plist')
            preferences = plistlib.readPlist(pref_plist)
            _hostname = finditem(preferences, 'LocalHostName')
            if not _hostname:
                _hostname = finditem(preferences, 'HostName')
                log.debug(
                    "Got hostname from the HostName key, rather than LocalHostName."
                )
        except Exception:
            _hostname = 'HNERROR'
            log.error("Could not retrieve hostname.")

    # Get current system IP address (if running on live machine).
    if 'Volumes' not in inputdir and forensic_mode is not True:
        _ip, e = subprocess.Popen(["ifconfig", "en0"],
                                  stdout=subprocess.PIPE).communicate()
        try:
            _ip = ''.join([