Exemplo n.º 1
    def display(self, query, result):
        """Render the list of log presets with a per-row delete link.

        ``query`` supplies the current ``family``; ``result`` is the UI
        object that receives the heading, the "new preset" toolbar button
        and the ``log_presets`` table.
        """
        result.heading("These are the currently available presets")

        create_link = FlagFramework.query_type(
            (), family=query['family'], report='CreateLogPreset')
        result.toolbar(text="Add a new Preset",
                       icon="new_preset.png",
                       link=create_link,
                       tooltip="Create a new Preset")

        def delete_icon(preset_name):
            ## Each row gets its own UI fragment holding a remove link.
            cell = result.__class__(result)
            remove_link = query_type(family=query['family'],
                                     report='RemoveLogPreset',
                                     log_preset=preset_name)
            cell.link("Delete", icon="no.png", target=remove_link)
            return cell

        columns = [
            ColumnType("Delete?", 'name', callback=delete_icon),
            StringType("Log Preset", 'name'),
            StringType("Type", "driver"),
        ]
        result.table(elements=columns, table="log_presets", case=None)
Exemplo n.º 2
    def display(self, query, result):
        """Three-step drop-table flow: list tables, confirm, then drop.

        The step is chosen from ``query``: no ``table`` -> list the case's
        log tables with a delete link per row; ``table`` but no ``confirm``
        -> show a confirmation link; both -> drop the table and refresh.
        """
        if not query.has_key('table'):
            result.heading("Delete a table from this case")

            def delete_icon(table_name):
                ## Re-issue the current query with the chosen table added.
                cell = result.__class__(result)
                target = query.clone()
                target.set('table', table_name)
                cell.link("Delete", icon="no.png", target=target)
                return cell

            columns = [
                ColumnType("Delete?", 'table_name', callback=delete_icon),
                StringType("Table Name", 'table_name'),
                StringType("Type", "preset"),
            ]
            result.table(elements=columns, table="log_tables",
                         case=query['case'])
            return

        if not query.has_key('confirm'):
            ## First visit with a table selected: ask before dropping.
            result.heading("About to remove %s" % query['table'])
            query['confirm'] = 1
            result.link(
                "Are you sure you want to drop table %s. Click here to confirm"
                % query['table'], query)
            return

        ## NOTE(review): query['table'] is user supplied; this relies on
        ## LogFile.drop_table to validate/quote the table name - confirm.
        LogFile.drop_table(query['case'], query['table'])
        result.refresh(
            0,
            query_type(family=query['family'],
                       case=query['case'],
                       report=query['report']))
Exemplo n.º 3
            def index_word(query, result):
                """Keyword selection form backed by the ``dictionary`` table.

                When ``indexing_word`` is already in ``query`` the filter is
                applied (via ``self`` from the enclosing scope) and the parent
                pane refreshed; otherwise a form with a free-text field and a
                clickable word table is rendered.
                """
                if query.has_key("indexing_word"):
                    self.set_filter(query, result)
                    result.refresh(0, query, 'parent_pane')
                    return

                ## Clicking a word submits it as the indexing_word field.
                word_link = query.clone()
                word_link.set('__target__', 'indexing_word')

                result.start_form(query, pane='self')
                result.textfield("Keyword", "indexing_word")
                columns = [
                    StringType('Word', 'word', link=word_link),
                    StringType('Class', 'class'),
                    StringType('Type', 'type')
                ]
                ## Class names starting with _ are private and should not
                ## be user selectable:
                result.table(case=None,
                             table='dictionary',
                             elements=columns,
                             where="left(class,1) != '_' ")
                result.end_table()
                result.end_form()
Exemplo n.º 4
 def form_cb(query, result):
     """Render the Mozilla form-history table for the current case."""
     case = query['case']
     columns = [
         InodeIDType(case=case),
         StringType('Name', 'name'),
         StringType('Value', 'value'),
     ]
     result.table(elements=columns,
                  table='mozilla_form_history',
                  filter='form_filter',
                  case=case)
Exemplo n.º 5
 def display(self, query, result):
     """Render the ``xattr`` table (inode, property, value) for the case."""
     case = query['case']
     columns = [
         InodeIDType(case=case),
         StringType('Property', 'property'),
         StringType('Value', 'value'),
     ]
     result.table(elements=columns, table='xattr', case=case)
Exemplo n.º 6
    def display(self, query, result):
        """Exercise the table widget against a throwaway ``TestTable``.

        The table is dropped, recreated and seeded on every render so the
        test never depends on prior state; column types, links and
        callbacks are then demonstrated through ``result.table``.
        """
        result.heading("Table Tests")

        ## Tables need to act on the DB so we create a temporary table
        ## just for this test:
        dbh = DB.DBO()
        dbh.cursor.warnings = False
        dbh.execute("drop table if exists TestTable")
        dbh.execute("""create TABLE `TestTable` (
        `id` int(11) NOT NULL auto_increment,
        `time` TIMESTAMP,
        `data` tinyblob NOT NULL,
        `foobar` varchar(10),
        `ip_addr` int(11) unsigned default 0,
        PRIMARY KEY  (`id`)
        )""")

        dbh.mass_insert_start("TestTable")
        ## Hand-written rows: (unix time, data, foobar, dotted ip).
        seed_rows = [
            (1147329821, "Some Data", "X", "192.168.1.1"),
            (1147329831, "More Data", "Y", "192.168.1.22"),
            (1147329841, "Some More Data", "Z", "192.168.1.23"),
            (1147329851, "Another Lot of Data", "Q", "192.168.1.55"),
        ]
        for unix_time, data, foobar, ip in seed_rows:
            dbh.insert("TestTable",
                       _time="from_unixtime(%s)" % unix_time,
                       data=data,
                       foobar=foobar,
                       _ip_addr="inet_aton('%s')" % ip)

        ## Plus a hundred generated rows, one second apart.
        for offset in range(100):
            dbh.mass_insert(_time="from_unixtime(%s)" % (1147329851 + offset),
                            data="Data %s" % offset,
                            foobar=offset)

        dbh.mass_insert_commit()

        def prefix_foo(value):
            return "foo %s" % value

        data_link = query_type(family=query['family'],
                               report='FormTest',
                               __target__='var1')
        columns = [
            ## Column types accept keyword args...
            TimestampType(name='Timestamp', column='time'),
            ## ...or positional args.
            StringType('Data', 'data', link=data_link),
            StringType('Foobar', 'foobar', callback=prefix_foo),
            ## Note that here we just need to specify the
            ## field name in the table, the IPType will
            ## automatically create the translated SQL.
            IPType('IP Address', 'ip_addr'),
        ]
        result.table(elements=columns, table="TestTable")
Exemplo n.º 7
Arquivo: HTTP.py Projeto: ntvis/pyflag
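 def http(self, query, result):
     """Show the ``http_parameters`` rows for one inode.

     The inode id is taken from ``query`` and falls back to
     ``self.lookup_id()``; nothing is rendered when neither yields a
     truthy value. The id is coerced to ``int`` before it is spliced into
     the SQL ``where`` clause, so a non-numeric value raises ``ValueError``
     instead of reaching the database as raw text.
     """
     inode_id = query.get("inode_id", self.lookup_id())
     if not inode_id:
         return
     columns = [
         StringType('Property', 'key'),
         StringType('Value', 'value'),
     ]
     result.table(elements=columns,
                  table='http_parameters',
                  where='inode_id = %d' % int(inode_id),
                  case=query['case'])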
Exemplo n.º 8
 def Annotated_IPs(query, result):
     """Render the ``interesting_ips`` table for the current case."""
     columns = [
         IntegerType('id', 'id'),
         IPType('ip', 'ip'),
         StringType('Notes', 'notes'),
         StringType('Category', 'category'),
     ]
     result.table(elements=columns,
                  table='interesting_ips',
                  case=query['case'],
                  filter="filter3")
Exemplo n.º 9
 def parse(self, query, datafile='datafile'):
     """Run the base SimpleLog parse, then fix the eight record columns."""
     Simple.SimpleLog.parse(self, query, datafile)
     column_specs = [
         (IntegerType, 'Record', 'record'),
         (TimestampType, 'Timestamp', 'time'),
         (StringType, 'message', 'message'),
         (IntegerType, 'EventID', 'event'),
         (StringType, 'Source', "Source"),
         (StringType, 'arg1', 'arg1'),
         (StringType, 'arg2', 'arg2'),
         (StringType, 'arg3', 'arg3'),
     ]
     self.fields = [cls(name=label, column=col)
                    for cls, label, col in column_specs]
Exemplo n.º 10
 def Annotated_inodes(query, result):
     """Render the ``annotate`` table (inode notes) for the current case."""
     case = query['case']
     columns = [
         TimestampType(name='Time', column='mtime', table='inode'),
         InodeIDType(case=case),
         FilenameType(case=case),
         StringType('Category', 'category'),
         StringType('Note', 'note'),
     ]
     result.table(elements=columns,
                  table='annotate',
                  case=case,
                  filter="filter1")
Exemplo n.º 11
 def commands(query, result):
     """Render ``ftp_commands``; session ids link to the FTP data browser."""
     case = query['case']
     session_link = query_type(family="Network Forensics",
                               case=case,
                               report="Browse FTP Data")
     columns = [
         IntegerType("FTP Session id", "ftp_session_id", link=session_link),
         StringType("Command Type", "command_type"),
         StringType("Command", "command"),
         StringType("Data", "data"),
     ]
     result.table(elements=columns, table='ftp_commands', case=case)
Exemplo n.º 12
Arquivo: HTTP.py Projeto: ntvis/pyflag
 def tabular_view(query, result):
     """Render the ``http`` request table for the current case."""
     case = query['case']
     columns = [
         TimestampType('Timestamp', 'mtime', table='inode'),
         PacketType(name='Request Packet', column='request_packet',
                    case=case),
         InodeIDType(),
         StringType('Method', 'method'),
         StringType('URL', 'url'),
         StringType('Content Type', 'content_type'),
     ]
     result.table(elements=columns, table="http", case=case)
Exemplo n.º 13
 def hist_cb(query, result):
     """Render the Mozilla browsing-history table for the current case."""
     case = query['case']
     columns = [
         InodeIDType(case=case),
         TimestampType('LastVisitDate', 'LastVisitDate'),
         StringType('Name', 'name'),
         StringType('URL', 'url'),
         StringType('Host', 'host'),
         StringType('Referrer', 'Referrer'),
     ]
     result.table(elements=columns,
                  table='mozilla_history',
                  case=case,
                  filter='hist_filter')
Exemplo n.º 14
 def journal(query, output):
     """Render the ``journal`` table into ``output`` and return it."""
     columns = [
         InodeType('Inode', 'inode'),
         TimestampType('Start Date', 'startdate'),
         TimestampType('End Date', 'enddate'),
         StringType('Type', 'type'),
         StringType('Comment', 'comment'),
     ]
     output.table(elements=columns,
                  table='journal',
                  case=query['case'],
                  filter="filter3")
     return output
Exemplo n.º 15
 def appts(query, output):
     """Render the ``appointment`` table into ``output`` and return it."""
     columns = [
         InodeType('Inode', 'inode'),
         TimestampType('Start Date', 'startdate'),
         TimestampType('End Date', 'enddate'),
         StringType('Location', 'location'),
         StringType('Comment', 'comment'),
     ]
     output.table(elements=columns,
                  table='appointment',
                  case=query['case'],
                  filter="filter2")
     return output
Exemplo n.º 16
 def contacts(query, output):
     """Render the ``contact`` table into ``output`` and return it."""
     columns = [
         InodeType('Inode', 'inode'),
         StringType('Name', 'name'),
         StringType('Email', 'email'),
         StringType('Address', 'address'),
         StringType('Phone', 'phone'),
     ]
     output.table(elements=columns,
                  table='contact',
                  case=query['case'],
                  filter="filter1")
     return output
Exemplo n.º 17
 def sessions(query, result):
     """Render the ``ftp_sessions`` table for the current case."""
     case = query['case']
     columns = [
         InodeIDType(case=case),
         TimestampType("Start Time", "start_time"),
         IPType("Client IP", "client_ip", case=case),
         IPType("Server IP", "server_ip", case=case),
         StringType("Username", "username"),
         StringType("Password", "password"),
         StringType("Server Banner", "server_banner"),
         IntegerType("Total bytes", "total_bytes"),
     ]
     result.table(elements=columns, table="ftp_sessions", case=case)
Exemplo n.º 18
    def render_pane(self, branch, query, result):
        """Draw the "executables in memory" pane for a tree ``branch``.

        ``branch[0]`` must be this report's name. A one-element branch
        shows the description; a two-element branch lists the task whose
        pid is ``branch[1]``; deeper branches are delegated to the class in
        ``self.classes`` whose name matches ``branch[2]``.
        """
        ## We may only draw on the pane that belongs to us:
        if branch[0] != self.name:
            return

        depth = len(branch)
        if depth == 1:
            result.heading("Show executables found in memory")
            result.text("This statistic show the executables found in memory")
            return

        if depth == 2:
            ## NOTE(review): the pid comes from the navigation path and is
            ## only quoted by %r before being spliced into SQL; confirm the
            ## caller validates it, or build the clause through the DB
            ## layer's escaping helper instead.
            pid = branch[1].replace("__", '/')
            columns = [
                StringType(column='iosource', name='IOSource'),
                IntegerType(column='pid', name='PID'),
                TimestampType('Time Created', 'create_time'),
            ]
            result.table(elements=columns,
                         table='tasks',
                         where='pid = %r' % pid,
                         case=self.case)
            return

        pid_condition = "pid='%s'" % branch[1]
        for cls in self.classes:
            if branch[2] == cls.name:
                self.chain_pane(cls,
                                branch[2:],
                                query,
                                result,
                                condition=pid_condition)
Exemplo n.º 19
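        def Timeline(query, result):
            """Render the case timeline table plus an "add event" toolbar.

            ``add_new_event`` is the toolbar callback: on first display it
            draws the add form; when the form comes back with the
            ``Add To Timeline`` submit value it stores the event, shows it,
            and offers a link back to ``original_query`` (bound in the
            enclosing scope, not visible here). The toolbar label's
            misspelling ("abritrary") is corrected.
            """
            def add_new_event(query, result):
                timeline = TimelineObj(case=query['case'])

                ## We got submitted - actually try to do the deed:
                if 'Add To Timeline' in query.getarray('__submit__'):
                    result.start_table()
                    new_event = timeline.add(query, result)
                    result.para("The following is the new timeline entry:")
                    timeline.show(new_event, result)
                    result.end_table()
                    result.link("Close this window", target=original_query,
                                pane='parent')
                    return result

                result.start_form(query, pane='self')
                result.heading("Add an arbitrary event")
                timeline.add_form(query, result)
                result.end_form(value="Add To Timeline")
                return result

            result.table(
                elements=[
                    IntegerType(name='id', column='id'),
                    TimestampType(name='Time', column='time'),
                    EditableStringType('Notes', 'notes'),
                    StringType('Category', 'category')
                ],
                table='timeline',
                case=query['case'],
                filter="filter2",
            )

            result.toolbar(add_new_event, "Add arbitrary event",
                           icon="clock.png")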
Exemplo n.º 20
            def pane_cb(path, tmp):
                """Fill ``tmp`` with a directory listing for ``path``.

                A file path is mapped to its containing directory first.
                The listing is followed by a toolbar button opening the
                ScanFS report for the currently open tree node. ``query``
                is taken from the enclosing scope and its ``order`` key is
                overwritten.
                """
                query['order'] = 'Filename'

                ## If we are asked to show a file, we will show the
                ## contents of the directory the file is in:
                case = query["case"]
                fsfd = FileSystem.DBFS(case)
                if not fsfd.isdir(path):
                    path = os.path.dirname(path)

                columns = [
                    InodeIDType(case=case),
                    FilenameType(basename=True, case=case),
                    DeletedType(),
                    IntegerType('File Size', 'size'),
                    TimestampType('Last Modified', 'mtime'),
                    StringType('Mode', 'mode', table='file'),
                ]
                ## The path is passed through DB.expand rather than plain
                ## % formatting on its way into the where clause.
                directory_clause = DB.expand(
                    "file.path=%r and file.mode!='d/d'", (path + '/'))
                tmp.table(elements=columns,
                          table='inode',
                          where=directory_clause,
                          case=case,
                          pagesize=10,
                          filter="filter2")

                scan_target = tmp.defaults.get('open_tree', '/')
                scan_link = query_type(family="Load Data",
                                       report="ScanFS",
                                       path=scan_target,
                                       case=case)
                tmp.toolbar(text=DB.expand("Scan %s", scan_target),
                            icon="examine.png",
                            link=scan_link,
                            pane='popup')
Exemplo n.º 21
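    def render_pane(self, branch, query, result, condition='1'):
        """Draw the "sockets found in memory" table for ``branch``.

        ``branch[1]`` (protocol) and ``branch[2]`` (port) are optional tree
        components; each one present narrows ``condition`` and drops the
        matching column from the table. Because they originate from the
        navigation path, both are coerced to ``int`` before being spliced
        into the SQL, so a non-numeric component raises ``ValueError``
        rather than being interpolated verbatim.
        """
        ## We may only draw on the pane that belongs to us:
        if branch[0] != self.name:
            return

        elements = [
            StringType(column='iosource', name='IOSource'),
            IntegerType(column='pid', name='PID'),
            IntegerType(column='proto', name='Protocol'),
            IntegerType(column='port', name='Port'),
            TimestampType('Time Created', 'create_time')
        ]

        ## Index 2 is Protocol; once it is removed, Port slides into
        ## index 2, which is why both branches delete the same position.
        try:
            condition += " and proto=%d" % int(branch[1])
            del elements[2]
        except IndexError:
            pass

        try:
            condition += " and port=%d" % int(branch[2])
            del elements[2]
        except IndexError:
            pass

        result.heading("Show sockets found in memory")
        result.text("This statistic show the sockets found in memory")
        result.table(
            elements=elements,
            table='sockets',
            where=condition,
            case=self.case,
        )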
Exemplo n.º 22
    def display(self, query, result):
        """Render the ``interestingregkeys`` table for the current case."""
        result.heading("Interesting Registry Keys")
        case = query['case']
        ## The handle is opened but not used below; kept because DBO()
        ## may have side effects on first use - confirm before removing.
        dbh = self.DBO(case)

        columns = [
            StringType('Path', 'path'),
            StringType('Key', 'reg_key'),
            StringType('Value', 'value'),
            TimestampType('Last Modified', 'modified'),
            StringType('Category', 'category'),
            StringType('Description', 'description'),
        ]
        result.table(elements=columns, table='interestingregkeys', case=case)
Exemplo n.º 23
        def table_notebook_cb(query, result):
            """Render the registry table; path links reopen rows in Tree View.

            ``new_q`` comes from the enclosing scope and is rewritten in
            place: ``mode`` and ``mark`` are dropped, then ``__target__`` and
            a ``Tree View`` mode are set so a path link switches notebook tab.
            """
            for key in ('mode', 'mark'):
                del new_q[key]
            new_q['__target__'] = 'open_tree'
            new_q['mode'] = 'Tree View'

            columns = [
                StringType('Path', 'path', link=new_q),
                StringType('Type', 'type'),
                StringType('Key', 'reg_key'),
                TimestampType('Modified', 'modified'),
                StringType('Value', 'value'),
            ]
            result.table(elements=columns,
                         table='reg',
                         case=query['case'],
                         filter="filter1")
Exemplo n.º 24
 def ie_history_cb(query, result):
     """Render the IE history table, ensuring the ``url`` index exists first.

     ``self`` is bound in the enclosing scope (not visible here). The
     OffsetType column class is looked up from the column-type registry.
     """
     case = query['case']
     dbh = self.DBO(case)
     dbh.check_index("ie_history", "url", 10)
     OffsetType = Registry.COLUMN_TYPES.dispatch("OffsetType")
     columns = [
         InodeIDType(case=case),
         OffsetType(case=case, table='ie_history'),
         StringType('Type', 'type'),
         StringType('URL', 'url'),
         TimestampType('Modified', 'modified'),
         TimestampType('Accessed', 'accessed'),
         StringType('Filename', 'filename'),
         StringType('Headers', 'headers'),
     ]
     result.table(elements=columns, table='ie_history', case=case)
Exemplo n.º 25
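    def parse(self, query, datafile='datafile'):
        """Configure the syslog driver from ``query``.

        Calls the base ``LogFile.Log.parse`` first, then fixes the four
        syslog columns, a whitespace delimiter, the selected data files and
        (when supplied) the year to assume for syslog timestamps.
        """
        LogFile.Log.parse(self, query, datafile)

        self.fields = [
            TimestampType('Timestamp', 'Timestamp'),
            StringType('Hostname', 'Hostname'),
            StringType('ServiceName', 'ServiceName'),
            StringType('Message', 'Message'),
        ]
        ## Raw string: "\s" is not a Python escape, so the pattern is the
        ## same as before, minus the invalid-escape warning.
        self.delimiter = re.compile(r"\s+")

        self.datafile = query.getarray(datafile)

        ## year_of_syslog is optional: leave self.yearOfSyslog untouched
        ## when it is absent or not an integer, but do not swallow
        ## KeyboardInterrupt/SystemExit the way a bare except did.
        try:
            self.yearOfSyslog = int(query['year_of_syslog'])
        except Exception:
            pass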
Exemplo n.º 26
 def display(self, query, result):
     """Render the email sessions table; the inode column opens the message as text."""
     result.heading("Email sessions")
     case = query['case']
     view_link = query_type(family='Disk Forensics',
                            case=case,
                            __target__='inode',
                            report='View File Contents',
                            mode="Text")
     columns = [
         InodeType('Inode', 'inode', link=view_link, case=case),
         TimestampType('Date', 'date'),
         StringType('From', 'from'),
         StringType('To', 'to'),
         StringType('Subject', 'subject'),
     ]
     result.table(elements=columns, table='email', case=case)
Exemplo n.º 27
 def email(query, output):
     """Render the ``email`` table into ``output`` and return it.

     The inode column links to the ViewFile report; the ``inode`` value in
     that link is the literal template ``"%s:0"``.
     """
     case = query['case']
     view_link = query_type(case=case,
                            family="Disk Forensics",
                            report='ViewFile',
                            __target__='inode',
                            inode="%s:0")
     columns = [
         InodeType('Inode', 'inode', link=view_link),
         TimestampType('Arrival Date', 'date'),
         StringType('From', 'from'),
         StringType('To', 'to'),
         StringType('Subject', 'subject'),
     ]
     output.table(elements=columns,
                  table='email',
                  case=case,
                  filter="filter0")
     return output
Exemplo n.º 28
 def display(self, query, result):
     """Render the ``virus`` scan-results table for the current case."""
     result.heading("Virus Scan Results")
     case = query['case']
     ## The handle is opened but not used below; kept because DBO()
     ## may have side effects on first use - confirm before removing.
     dbh = self.DBO(case)
     columns = [
         AFF4URN(case=case),
         FilenameType(case=case),
         StringType('Virus Detected', 'virus'),
     ]
     result.table(elements=columns, table='virus', case=case)
Exemplo n.º 29
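    def render_pane(self, branch, query, result, condition='1'):
        """Draw the "modules found in memory" table for ``branch``.

        Only renders when ``branch[0]`` is this report's name. ``condition``
        is the SQL ``where`` fragment supplied by the caller (default ``'1'``,
        i.e. no restriction) and is passed through unchanged.
        """
        ## We may only draw on the pane that belongs to us:
        if branch[0] != self.name:
            return

        ## The former ``len(branch) >= 1`` guard was always true once
        ## branch[0] had been read above, so it is dropped.
        result.table(
            elements=[
                StringType(column='iosource', name='IOSource'),
                IntegerType(column='pid', name='PID'),
                StringType(column='path', name="Path"),
                ## Render base address in Hex:
                IntegerType(column="base",
                            name="Base",
                            callback=lambda x: "0x%08X" % x),
                IntegerType(column="size", name="Size")
            ],
            table='modules',
            where=condition,
            case=self.case,
        )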
Exemplo n.º 30
 def streams(query, result):
     """Render ``ftp_data_streams``; session ids link to the FTP data browser."""
     case = query['case']
     session_link = query_type(family="Network Forensics",
                               case=case,
                               report="Browse FTP Data")
     columns = [
         IntegerType("FTP Session id", "ftp_session_id", link=session_link),
         TimestampType("Time Created", "time_created"),
         StringType("Purpose", "purpose"),
         InodeIDType(case=case),
     ]
     result.table(elements=columns, table='ftp_data_streams', case=case)
Exemplo n.º 31
 def __init__(self, name=None, combined_fd=None):
     """Initialise as a StringType whose column name equals ``name``.

     ``combined_fd`` is stored on the instance for later use; its role is
     not visible in this block.
     """
     StringType.__init__(self, name=name, column=name)
     self.combined_fd = combined_fd