def display(self, query, result):
    """Render the list of log presets with an "add" toolbar and per-row delete links."""
    result.heading("These are the currently available presets")
    create_link = FlagFramework.query_type((), family=query['family'],
                                           report='CreateLogPreset')
    result.toolbar(text="Add a new Preset", icon="new_preset.png",
                   link=create_link, tooltip="Create a new Preset")

    def delete_icon(preset_name):
        ## One renderer per row so the link carries that row's preset name.
        ## NOTE(review): the link goes straight to RemoveLogPreset; any
        ## confirmation step has to live in that report.
        cell = result.__class__(result)
        cell.link("Delete", icon="no.png",
                  target=query_type(family=query['family'],
                                    report='RemoveLogPreset',
                                    log_preset=preset_name))
        return cell

    columns = [
        ColumnType("Delete?", 'name', callback=delete_icon),
        StringType("Log Preset", 'name'),
        StringType("Type", "driver"),
    ]
    result.table(elements=columns, table="log_presets", case=None)
def display(self, query, result):
    """Three-step table removal: list tables, ask for confirmation, then drop.

    The step is chosen by which parameters ``query`` carries:
    no ``table`` -> list the tables; ``table`` and ``confirm`` -> drop it and
    reload; ``table`` only -> show a confirmation link that adds ``confirm``.
    """
    if not query.has_key('table'):
        result.heading("Delete a table from this case")

        def delete_icon(table_name):
            ## Per-row link that re-enters this report with 'table' set.
            cell = result.__class__(result)
            target = query.clone()
            target.set('table', table_name)
            cell.link("Delete", icon="no.png", target=target)
            return cell

        columns = [
            ColumnType("Delete?", 'table_name', callback=delete_icon),
            StringType("Table Name", 'table_name'),
            StringType("Type", "preset"),
        ]
        result.table(elements=columns, table="log_tables", case=query['case'])
        return

    if query.has_key('confirm'):
        ## Confirmed: drop and reload the listing. The table name comes
        ## straight from the request; drop_table is relied on to validate it.
        LogFile.drop_table(query['case'], query['table'])
        result.refresh(0, query_type(family=query['family'],
                                     case=query['case'],
                                     report=query['report']))
        return

    ## Middle step: ask first. Setting 'confirm' on the query makes the link
    ## below come back into the drop branch.
    table_name = query['table']
    result.heading("About to remove %s" % table_name)
    query['confirm'] = 1
    result.link(
        "Are you sure you want to drop table %s. Click here to confirm" % table_name,
        query)
def index_word(query, result):
    """Let the user pick a dictionary word, or apply it once one was chosen.

    ``self`` is taken from the enclosing scope (this is a nested callback).
    """
    if query.has_key("indexing_word"):
        ## A word was submitted: apply the filter and redraw the parent pane.
        self.set_filter(query, result)
        result.refresh(0, query, 'parent_pane')
        return

    word_link = query.clone()
    word_link.set('__target__', 'indexing_word')
    result.start_form(query, pane='self')
    result.textfield("Keyword", "indexing_word")
    columns = [
        StringType('Word', 'word', link=word_link),
        StringType('Class', 'class'),
        StringType('Type', 'type'),
    ]
    result.table(
        case=None,
        table='dictionary',
        elements=columns,
        ## Class names starting with an underscore are private and are
        ## kept out of the picker.
        where="left(class,1) != '_' ",
    )
    result.end_table()
    result.end_form()
def form_cb(query, result):
    """Render the Mozilla form-history table with the 'form_filter' applied."""
    case = query['case']
    columns = [
        InodeIDType(case=case),
        StringType('Name', 'name'),
        StringType('Value', 'value'),
    ]
    result.table(elements=columns, table='mozilla_form_history',
                 filter='form_filter', case=case)
def display(self, query, result):
    """Render the extended-attributes ('xattr') table for the case."""
    case = query['case']
    columns = [
        InodeIDType(case=case),
        StringType('Property', 'property'),
        StringType('Value', 'value'),
    ]
    result.table(elements=columns, table='xattr', case=case)
def display(self, query, result):
    """Exercise the table widget against a throwaway MySQL table.

    ``TestTable`` is rebuilt from scratch on every call, seeded with four
    hand-written rows plus 100 generated ones, and rendered with one column
    of each common column type. Only literal fixture data reaches the SQL.
    """
    result.heading("Table Tests")
    ## The widget queries the DB, so the fixtures have to live in a real
    ## table; it is dropped and recreated each time the test runs.
    dbh = DB.DBO()
    dbh.cursor.warnings = False
    dbh.execute("drop table if exists TestTable")
    dbh.execute("""create TABLE `TestTable` (
        `id` int(11) NOT NULL auto_increment,
        `time` TIMESTAMP,
        `data` tinyblob NOT NULL,
        `foobar` varchar(10),
        `ip_addr` int(11) unsigned default 0,
        PRIMARY KEY (`id`)
        )""")

    ## (unix time, data, foobar, dotted ip) for the hand-written rows. The
    ## underscore-prefixed keyword args appear to be taken as raw SQL
    ## expressions (from_unixtime / inet_aton) rather than quoted values.
    seed_rows = (
        (1147329821, "Some Data", "X", '192.168.1.1'),
        (1147329831, "More Data", "Y", '192.168.1.22'),
        (1147329841, "Some More Data", "Z", '192.168.1.23'),
        (1147329851, "Another Lot of Data", "Q", '192.168.1.55'),
    )
    dbh.mass_insert_start("TestTable")
    for stamp, data, tag, addr in seed_rows:
        dbh.insert("TestTable",
                   _time="from_unixtime(%s)" % stamp,
                   data=data,
                   foobar=tag,
                   _ip_addr="inet_aton('%s')" % addr)
    for i in range(100):
        dbh.mass_insert(_time="from_unixtime(%s)" % (1147329851 + i),
                        data="Data %s" % i,
                        foobar=i)
    dbh.mass_insert_commit()

    def foobar_cb(value):
        ## Column callbacks get the cell value and return the text to draw.
        return "foo %s" % value

    data_link = query_type(family=query['family'], report='FormTest',
                           __target__='var1')
    columns = [
        ## Column types accept keyword arguments ...
        TimestampType(name='Timestamp', column='time'),
        ## ... or positional ones.
        StringType('Data', 'data', link=data_link),
        StringType('Foobar', 'foobar', callback=foobar_cb),
        ## IPType only needs the column name; it builds the translated
        ## SQL itself.
        IPType('IP Address', 'ip_addr'),
    ]
    result.table(elements=columns, table="TestTable")
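def http(self, query, result):
    """List the HTTP parameters recorded for one inode.

    The inode id comes from ``query['inode_id']`` when present, otherwise
    from ``self.lookup_id()``; nothing is drawn when neither yields a value.

    Raises:
        ValueError: if the id is not an integer (it is spliced into SQL text).
    """
    inode_id = query.get("inode_id", self.lookup_id())
    if not inode_id:
        return
    ## The id can arrive from the request and is interpolated into the
    ## WHERE clause, so it is forced to an integer first instead of being
    ## formatted as an arbitrary string.
    inode_id = int(inode_id)
    result.table(
        elements=[
            StringType('Property', 'key'),
            StringType('Value', 'value'),
        ],
        table='http_parameters',
        where='inode_id = %d' % inode_id,
        case=query['case'],
    )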
def Annotated_IPs(query, result):
    """Render the annotated-IP table ('interesting_ips') for the case."""
    columns = [
        IntegerType('id', 'id'),
        IPType('ip', 'ip'),
        StringType('Notes', 'notes'),
        StringType('Category', 'category'),
    ]
    result.table(elements=columns, table='interesting_ips',
                 case=query['case'], filter="filter3")
def parse(self, query, datafile='datafile'):
    """Run the generic SimpleLog parse, then install the fixed column layout."""
    Simple.SimpleLog.parse(self, query, datafile)
    ## (column type, display name, DB column) for each field, in order.
    layout = (
        (IntegerType, 'Record', 'record'),
        (TimestampType, 'Timestamp', 'time'),
        (StringType, 'message', 'message'),
        (IntegerType, 'EventID', 'event'),
        (StringType, 'Source', "Source"),
        (StringType, 'arg1', 'arg1'),
        (StringType, 'arg2', 'arg2'),
        (StringType, 'arg3', 'arg3'),
    )
    self.fields = [column_type(name=name, column=column)
                   for column_type, name, column in layout]
def Annotated_inodes(query, result):
    """Render the 'annotate' table: per-inode notes with mtime and filename."""
    case = query['case']
    columns = [
        ## The timestamp is taken from the 'inode' table, not from 'annotate'.
        TimestampType(name='Time', column='mtime', table='inode'),
        InodeIDType(case=case),
        FilenameType(case=case),
        StringType('Category', 'category'),
        StringType('Note', 'note'),
    ]
    result.table(elements=columns, table='annotate', case=case,
                 filter="filter1")
def commands(query, result):
    """List FTP commands; the session id column links to the FTP data browser."""
    case = query['case']
    session_link = query_type(family="Network Forensics", case=case,
                              report="Browse FTP Data")
    columns = [
        IntegerType("FTP Session id", "ftp_session_id", link=session_link),
        StringType("Command Type", "command_type"),
        StringType("Command", "command"),
        StringType("Data", "data"),
    ]
    result.table(elements=columns, table='ftp_commands', case=case)
def tabular_view(query, result):
    """Render the 'http' request table, one row per captured request."""
    case = query['case']
    columns = [
        ## mtime comes from the 'inode' table rather than from 'http'.
        TimestampType('Timestamp', 'mtime', table='inode'),
        PacketType(name='Request Packet', column='request_packet', case=case),
        InodeIDType(),
        StringType('Method', 'method'),
        StringType('URL', 'url'),
        StringType('Content Type', 'content_type'),
    ]
    result.table(elements=columns, table="http", case=case)
def hist_cb(query, result):
    """Render the Mozilla history table with the 'hist_filter' applied."""
    case = query['case']
    columns = [
        InodeIDType(case=case),
        TimestampType('LastVisitDate', 'LastVisitDate'),
        StringType('Name', 'name'),
        StringType('URL', 'url'),
        StringType('Host', 'host'),
        StringType('Referrer', 'Referrer'),
    ]
    result.table(elements=columns, table='mozilla_history', case=case,
                 filter='hist_filter')
def journal(query, output):
    """Draw the 'journal' table into ``output`` and return it."""
    columns = [
        InodeType('Inode', 'inode'),
        TimestampType('Start Date', 'startdate'),
        TimestampType('End Date', 'enddate'),
        StringType('Type', 'type'),
        StringType('Comment', 'comment'),
    ]
    output.table(elements=columns, table='journal', case=query['case'],
                 filter="filter3")
    return output
def appts(query, output):
    """Draw the 'appointment' table into ``output`` and return it."""
    columns = [
        InodeType('Inode', 'inode'),
        TimestampType('Start Date', 'startdate'),
        TimestampType('End Date', 'enddate'),
        StringType('Location', 'location'),
        StringType('Comment', 'comment'),
    ]
    output.table(elements=columns, table='appointment', case=query['case'],
                 filter="filter2")
    return output
def contacts(query, output):
    """Draw the 'contact' table into ``output`` and return it."""
    columns = [
        InodeType('Inode', 'inode'),
        StringType('Name', 'name'),
        StringType('Email', 'email'),
        StringType('Address', 'address'),
        StringType('Phone', 'phone'),
    ]
    output.table(elements=columns, table='contact', case=query['case'],
                 filter="filter1")
    return output
def sessions(query, result):
    """Render the 'ftp_sessions' table for the case.

    The username and password columns are shown as stored, i.e. credentials
    recovered from the capture are displayed in clear text.
    """
    case = query['case']
    columns = [
        InodeIDType(case=case),
        TimestampType("Start Time", "start_time"),
        IPType("Client IP", "client_ip", case=case),
        IPType("Server IP", "server_ip", case=case),
        StringType("Username", "username"),
        StringType("Password", "password"),
        StringType("Server Banner", "server_banner"),
        IntegerType("Total bytes", "total_bytes"),
    ]
    result.table(elements=columns, table="ftp_sessions", case=case)
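def render_pane(self, branch, query, result):
    """Draw the executables-in-memory pane for the tree node in ``branch``.

    ``branch`` is the selected tree path: ``[name]`` shows the description,
    ``[name, pid]`` lists that task, and deeper paths are handed to the
    child pane in ``self.classes`` whose name matches ``branch[2]``,
    together with a pid condition.

    Raises:
        ValueError: if the pid node is not an integer.
    """
    ## We may only draw on the pane that belongs to us:
    if branch[0] != self.name:
        return

    if len(branch) == 1:
        result.heading("Show executables found in memory")
        result.text("This statistic show the executables found in memory")
        return

    ## The pid node comes from the request path and is spliced into SQL
    ## text, so it is coerced to an integer first; anything non-numeric
    ## raises instead of reaching the database. (The '__' -> '/'
    ## substitution is kept from before, although a numeric pid never
    ## contains it.)
    pid = int(branch[1].replace("__", '/'))

    if len(branch) == 2:
        result.table(
            elements=[
                StringType(column='iosource', name='IOSource'),
                IntegerType(column='pid', name='PID'),
                TimestampType('Time Created', 'create_time'),
            ],
            table='tasks',
            where='pid = %d' % pid,
            case=self.case,
        )
        return

    ## Deeper paths: delegate to every child pane whose name matches.
    for child in self.classes:
        if branch[2] == child.name:
            self.chain_pane(child, branch[2:], query, result,
                            condition="pid=%d" % pid)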
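def Timeline(query, result):
    """Render the case timeline with a toolbar button for adding events.

    ``original_query`` is taken from the enclosing scope (this is a nested
    callback); it is the view the popup returns to when closed.
    """
    def add_new_event(query, result):
        ## Popup body: a form on first display, the stored entry once the
        ## form was submitted with the 'Add To Timeline' button.
        timeline = TimelineObj(case=query['case'])
        if 'Add To Timeline' in query.getarray('__submit__'):
            result.start_table()
            new_event = timeline.add(query, result)
            result.para("The following is the new timeline entry:")
            timeline.show(new_event, result)
            result.end_table()
            result.link("Close this window", target=original_query,
                        pane='parent')
            return result

        result.start_form(query, pane='self')
        result.heading("Add an arbitrary event")
        timeline.add_form(query, result)
        result.end_form(value="Add To Timeline")
        return result

    result.table(
        elements=[
            IntegerType(name='id', column='id'),
            TimestampType(name='Time', column='time'),
            EditableStringType('Notes', 'notes'),
            StringType('Category', 'category'),
        ],
        table='timeline',
        case=query['case'],
        filter="filter2",
    )
    ## User-visible toolbar label (spelling fixed).
    result.toolbar(add_new_event, "Add arbitrary event", icon="clock.png")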
def pane_cb(path, tmp):
    """Draw the directory listing for ``path`` into ``tmp``, plus a scan button.

    ``query`` is taken from the enclosing scope. When ``path`` names a file,
    the directory containing it is listed instead.
    """
    query['order'] = 'Filename'
    fsfd = FileSystem.DBFS(query["case"])
    ## Resolve a file path to its containing directory.
    if not fsfd.isdir(path):
        path = os.path.dirname(path)

    case = query['case']
    columns = [
        InodeIDType(case=case),
        FilenameType(basename=True, case=case),
        DeletedType(),
        IntegerType('File Size', 'size'),
        TimestampType('Last Modified', 'mtime'),
        StringType('Mode', 'mode', table='file'),
    ]
    ## The path goes through DB.expand rather than being formatted by hand;
    ## entries with mode 'd/d' (directories) are left out of the listing.
    listing_where = DB.expand("file.path=%r and file.mode!='d/d'",
                              (path + '/'))
    tmp.table(elements=columns, table='inode', where=listing_where,
              case=case, pagesize=10, filter="filter2")

    scan_target = tmp.defaults.get('open_tree', '/')
    tmp.toolbar(text=DB.expand("Scan %s", scan_target),
                icon="examine.png",
                link=query_type(family="Load Data", report="ScanFS",
                                path=scan_target, case=case),
                pane='popup')
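def render_pane(self, branch, query, result, condition='1'):
    """Draw the sockets-in-memory pane, narrowed by the selected tree path.

    ``branch`` is ``[name]``, ``[name, proto]`` or ``[name, proto, port]``;
    each extra element appends a WHERE term to ``condition`` and removes the
    column that term already fixes.

    Raises:
        ValueError: if a proto or port node is not an integer.
    """
    ## We may only draw on the pane that belongs to us:
    if branch[0] != self.name:
        return

    elements = [
        StringType(column='iosource', name='IOSource'),
        IntegerType(column='pid', name='PID'),
        IntegerType(column='proto', name='Protocol'),
        IntegerType(column='port', name='Port'),
        TimestampType('Time Created', 'create_time'),
    ]
    ## proto and port come from the request path and are spliced into SQL
    ## text, so they are coerced to int before use. Deleting index 2 twice
    ## is intentional: once 'Protocol' is gone, 'Port' sits at index 2.
    try:
        condition += " and proto=%d" % int(branch[1])
        del elements[2]
    except IndexError:
        pass
    try:
        condition += " and port=%d" % int(branch[2])
        del elements[2]
    except IndexError:
        pass

    result.heading("Show sockets found in memory")
    result.text("This statistic show the sockets found in memory")
    result.table(
        elements=elements,
        table='sockets',
        where=condition,
        case=self.case,
    )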
def display(self, query, result):
    """Render the 'interestingregkeys' table for the case."""
    result.heading("Interesting Registry Keys")
    ## NOTE(review): this handle is never used below; kept because DBO()
    ## may have side effects (connection setup) — confirm before removing.
    dbh = self.DBO(query['case'])
    columns = [
        StringType('Path', 'path'),
        StringType('Key', 'reg_key'),
        StringType('Value', 'value'),
        TimestampType('Last Modified', 'modified'),
        StringType('Category', 'category'),
        StringType('Description', 'description'),
    ]
    result.table(elements=columns, table='interestingregkeys',
                 case=query['case'])
def table_notebook_cb(query, result):
    """Render the registry ('reg') table; each path links into the tree view.

    ``new_q`` is taken from the enclosing scope and is rewritten in place so
    the path links open the tree view with the clicked path as target.
    """
    ## Strip the parameters that would keep the link in table mode, then
    ## point it at the tree view.
    del new_q['mode']
    del new_q['mark']
    new_q['__target__'] = 'open_tree'
    new_q['mode'] = 'Tree View'
    columns = [
        StringType('Path', 'path', link=new_q),
        StringType('Type', 'type'),
        StringType('Key', 'reg_key'),
        TimestampType('Modified', 'modified'),
        StringType('Value', 'value'),
    ]
    result.table(elements=columns, table='reg', case=query['case'],
                 filter="filter1")
def ie_history_cb(query, result):
    """Render the 'ie_history' table; ``self`` comes from the enclosing scope."""
    case = query['case']
    dbh = self.DBO(case)
    ## Presumably ensures an index on 'url' (prefix length 10) before the
    ## widget queries on it — confirm against DBO.check_index.
    dbh.check_index("ie_history", "url", 10)
    OffsetType = Registry.COLUMN_TYPES.dispatch("OffsetType")
    columns = [
        InodeIDType(case=case),
        OffsetType(case=case, table='ie_history'),
        StringType('Type', 'type'),
        StringType('URL', 'url'),
        TimestampType('Modified', 'modified'),
        TimestampType('Accessed', 'accessed'),
        StringType('Filename', 'filename'),
        StringType('Headers', 'headers'),
    ]
    result.table(elements=columns, table='ie_history', case=case)
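def parse(self, query, datafile='datafile'):
    """Configure the syslog driver from the request.

    Installs the four-column layout, the whitespace delimiter, the list of
    data files, and — only when the request supplies ``year_of_syslog`` —
    the year to assume for the timestamps (presumably because classic
    syslog timestamps carry no year).
    """
    LogFile.Log.parse(self, query, datafile)
    self.fields = [
        TimestampType('Timestamp', 'Timestamp'),
        StringType('Hostname', 'Hostname'),
        StringType('ServiceName', 'ServiceName'),
        StringType('Message', 'Message'),
    ]
    ## Raw string: "\s" is a regex escape, not a Python one.
    self.delimiter = re.compile(r"\s+")
    self.datafile = query.getarray(datafile)
    ## Optional parameter: nothing is set when it is absent, and a value
    ## that is not an integer is still ignored — but only that case is
    ## swallowed, instead of every exception.
    if query.has_key('year_of_syslog'):
        try:
            self.yearOfSyslog = int(query['year_of_syslog'])
        except (ValueError, TypeError):
            pass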
def display(self, query, result):
    """Render the 'email' table; the inode column opens the message as text."""
    result.heading("Email sessions")
    case = query['case']
    view_link = query_type(family='Disk Forensics', case=case,
                           __target__='inode', report='View File Contents',
                           mode="Text")
    columns = [
        InodeType('Inode', 'inode', link=view_link, case=case),
        TimestampType('Date', 'date'),
        StringType('From', 'from'),
        StringType('To', 'to'),
        StringType('Subject', 'subject'),
    ]
    result.table(elements=columns, table='email', case=case)
def email(query, output):
    """Draw the 'email' table into ``output`` and return it."""
    case = query['case']
    ## The "%s:0" inode value is presumably filled in per row by the link
    ## machinery — confirm against query_type/InodeType.
    view_link = query_type(case=case, family="Disk Forensics",
                           report='ViewFile', __target__='inode',
                           inode="%s:0")
    columns = [
        InodeType('Inode', 'inode', link=view_link),
        TimestampType('Arrival Date', 'date'),
        StringType('From', 'from'),
        StringType('To', 'to'),
        StringType('Subject', 'subject'),
    ]
    output.table(elements=columns, table='email', case=case,
                 filter="filter0")
    return output
def display(self, query, result):
    """Render the virus-scan results ('virus' table) for the case."""
    result.heading("Virus Scan Results")
    ## NOTE(review): this handle is never used below; kept because DBO()
    ## may have side effects (connection setup) — confirm before removing.
    dbh = self.DBO(query['case'])
    case = query['case']
    columns = [
        AFF4URN(case=case),
        FilenameType(case=case),
        StringType('Virus Detected', 'virus'),
    ]
    result.table(elements=columns, table='virus', case=case)
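def render_pane(self, branch, query, result, condition='1'):
    """Draw the loaded-modules pane for the tree node in ``branch``.

    ``condition`` is SQL WHERE text supplied by the parent pane (``'1'``
    selects everything). It is used verbatim and not validated here, so the
    caller is responsible for building it from sanitised values.
    """
    ## We may only draw on the pane that belongs to us:
    if branch[0] != self.name:
        return
    ## No further length check: branch[0] has already been read above, so
    ## the tree path is known to be non-empty.
    result.table(
        elements=[
            StringType(column='iosource', name='IOSource'),
            IntegerType(column='pid', name='PID'),
            StringType(column='path', name="Path"),
            ## Render base address in hex:
            IntegerType(column="base", name="Base",
                        callback=lambda x: "0x%08X" % x),
            IntegerType(column="size", name="Size"),
        ],
        table='modules',
        where=condition,
        case=self.case,
    )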
def streams(query, result):
    """List FTP data streams; the session id column links to the FTP data browser."""
    case = query['case']
    session_link = query_type(family="Network Forensics", case=case,
                              report="Browse FTP Data")
    columns = [
        IntegerType("FTP Session id", "ftp_session_id", link=session_link),
        TimestampType("Time Created", "time_created"),
        StringType("Purpose", "purpose"),
        InodeIDType(case=case),
    ]
    result.table(elements=columns, table='ftp_data_streams', case=case)
def __init__(self, name=None, combined_fd=None):
    """Build a string column whose display name doubles as its SQL column.

    ``combined_fd`` is stored on the instance as-is; this constructor does
    not touch it.
    """
    StringType.__init__(self, name=name, column=name)
    self.combined_fd = combined_fd