Exemplo n.º 1
0
    def test03cpTests(self):
        """ Test the cp (copy) command """
        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env, command="load",
                             argv=[self.test_case,])

        ## Make a directory for the files:
        tmpname = os.tmpnam()
        os.mkdir(tmpname)

        pyflagsh.shell_execv(env=self.env, command="cp",
                             argv=["/dscf108*", tmpname])

        ## Now verify the copy worked:
        fd = open(tmpname+"/dscf1080.jpg",'r')
        data = fd.read()
        md5sum = md5.new()
        md5sum.update(data)
        self.assertEqual(md5sum.hexdigest(),'9e03e022404a945575b813ffb56fd841')

        ## Clean up:
        for file in os.listdir(tmpname):
            os.unlink(tmpname+'/'+file)
            
        os.rmdir(tmpname)
Exemplo n.º 2
0
    def test01ls(self):
        """ Test the ls command """
        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env, command="load",
                             argv=[self.test_case,])

        ## Check we can list default directory
        lines = [ l for l in pyflagsh.shell_execv_iter(env=self.env, command="ls",
                                                       argv=[])]
        self.assertEqual(len(lines),18)

        ## Check we can list directories
        lines = [ l for l in pyflagsh.shell_execv_iter(env=self.env, command="ls",
                                                       argv=["docs"])]
        self.assert_(len(lines)>=3)

        ## Check that we can glob files:
        lines = [ l for l in pyflagsh.shell_execv_iter(env=self.env, command="ls",
                                                       argv=["*.jpg"])]
        self.assertEqual(len(lines),5)
        
        ## Check that we can glob directories:
        lines = [ l for l in pyflagsh.shell_execv_iter(env=self.env, command="ls",
                                                       argv=["do*"])]
        self.assert_(len(lines)>3)
Exemplo n.º 3
0
    def test01RunScanners(self):
        """ Running Logical Index Scanner """
        ## Make sure the word secret is in there.
        pdbh = DB.DBO()
        pdbh.execute("select * from dictionary where word='secret' limit 1")
        row = pdbh.fetch()
        if not row:
            pdbh.insert('dictionary', **{'word':'secret', 'class':'English', 'type':'word'})
        
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'IndexScan'])

        dbh = DB.DBO(self.test_case)
        dbh2 = DB.DBO(self.test_case)
        fsfd = DBFS(self.test_case)
        dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB,config.FLAGDB))
        count = 0
        for row in dbh:
            count += 1
            path, inode, inode_id = fsfd.lookup(inode_id = row['inode_id'])
            fd = fsfd.open(inode=inode)
            fd.overread = True
            fd.slack = True
            fd.seek(row['offset'])
            data = fd.read(row['length'])
            print "Looking for %s: Found in %s at offset %s length %s %r" % (
                row['word'], inode, row['offset'], row['length'],data)
            self.assertEqual(data.lower(), row['word'].lower())

        ## Did we find all the secrets?
        self.assertEqual(count,2)
Exemplo n.º 4
0
 def test01RunScanner(self):
     """ Test cache scanner """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*",'ZipScan'])
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*",'MozCacheScan','GoogleImageScanner'])
Exemplo n.º 5
0
    def test02catTests(self):
        """ Test the cat command """
        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env, command="load",
                             argv=[self.test_case,])

        self.fsfd = FileSystem.DBFS(self.test_case)
        fd = self.fsfd.open("/dscf1080.jpg")
        data1=fd.read()        
        fd = self.fsfd.open("/dscf1081.jpg")
        data2=fd.read()
        fd = self.fsfd.open("/dscf1082.jpg")
        data3=fd.read()

        result = ''
        for l in pyflagsh.shell_execv_iter(env=self.env, command="cat",
                                           argv=["/dscf1081.jpg"]):
            result+=l
        self.assertEqual(result,data2)

        result = ''
        for l in pyflagsh.shell_execv_iter(env=self.env, command="cat",
                                           argv=["/dscf108*"]):
            result+=l

        self.assertEqual(len(result),len(data1)+len(data2)+len(data3))
        self.assert_(result==data1+data2+data3)
Exemplo n.º 6
0
 def test01SMTPScanner(self):
     """ Test SMTP Scanner """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env,
                          command="scan",
                          argv=["*",                   ## Inodes (All)
                                "SMTPScanner", "RFC2822", "TypeScan"
                                ])                   ## List of Scanners
Exemplo n.º 7
0
 def test01GmailScanner(self):
     """ Test Google Image Scanner """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env,
                          command="scan",
                          argv=["*",                   ## Inodes (All)
                                "GoogleImageScanner",
                                ])                   ## List of Scanners
Exemplo n.º 8
0
 def test01YahooMailScanner(self):
     """ Test Scanner """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env,
                          command="scan",
                          argv=["*",                   ## Inodes (All)
                                "YahooMail20Scan",
                                ])                   ## List of Scanners
Exemplo n.º 9
0
 def test01(self):
     """ Test Reassebler """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env,
                          command="scan",
                          argv=["*",                   ## Inodes (All)
                                "NetworkScanners",
                                ])                   ## List of Scanners
Exemplo n.º 10
0
    def test01RunScanner(self):
        """ Running scanners """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'ZipScan', 'TarScan', 'GZScan'])

        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'JPEGCarver', 'ZipScan', 'TarScan', 'GZScan', 'TypeScan', 'IndexScan'])
Exemplo n.º 11
0
 def test01GmailScanner(self):
     """ Test Gmail Scanner """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env,
                          command="scan",
                          argv=["*",                   ## Inodes (All)
                                "GmailScanner", "YahooMailScan",
                                "SquirrelMailScan", "HotmailScanner"
                                ])                   ## List of Scanners
Exemplo n.º 12
0
 def test02Hash(self):
     """ Test the hashes of loaded files """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*",'MD5Scan'])
         
     dbh = DB.DBO(self.test_case)
     dbh.execute("select binary_md5 from hash where binary_md5=%b",
                 "04D68B7C8993A3A485A5780EC1A8D62D".decode("hex"))
     self.assert_(dbh.fetch(), "Expected hash not found")
Exemplo n.º 13
0
    def test01CarveImage(self):
        """ Carving from Image """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'ScriptCarver'])

        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from type where type like %r", "%script")
        row = dbh.fetch()
        self.assert_(row != None)
        self.assert_(row['c']>=3)
Exemplo n.º 14
0
    def test01RunScanner(self):
        """ Test IE History scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'IECarver'])

        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from ie_history")
        row = dbh.fetch()['c']
        print "Got %s rows" % row
        self.assert_(row >= 20)
Exemplo n.º 15
0
    def test01TypeScan(self):
        """ Check the type scanner works """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'TypeScan'])

        ## Make sure the extra magic is being used properly.
        dbh = DB.DBO(self.test_case)
        dbh.execute('select count(*) as count from type where type like "%%Outlook%%"')
        count = dbh.fetch()['count']
        self.failIf(count==0, "Unable to locate an Outlook PST file - maybe we are not using our custom magic file?")
Exemplo n.º 16
0
    def test01FTPScanner(self):
        """ Test basic FTP scanning """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env,
                             command="scan",
                             argv=["*",                   ## Inodes (All)
                                   "FTPScanner"
                                  ])                   ## List of Scanners

        ## What should we have found? FIXME
        dbh = DB.DBO(self.test_case)
Exemplo n.º 17
0
 def setUp(self):
     """ Load test Case"""
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(command="delete_case", env=env,
                          argv=[self.test_case])
     pyflagsh.shell_execv(command="create_case", env=env,
                          argv=[self.test_case])
     if self.test_case:
         pyflagsh.shell_execv(command='execute', env=env,
                              argv=['Load Data.Load AFF4 Volume',
                                    'case=%s' % self.test_case, 
                                    'filename=%s' % self.test_file])
Exemplo n.º 18
0
    def test04LocatingNTFS_ADS(self):
        """ Test for finding ADS files """
        ## Do type scanning:
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'TypeScan'])

        dbh = DB.DBO(self.test_case)
        dbh.execute('select type.type from type,inode where type.inode_id=inode.inode_id and type like "%executable%" and inode.inode like "%33-128-7%"')
        row = dbh.fetch()

        self.assert_(row, "Executable within ADS was not found???")
Exemplo n.º 19
0
    def test01TypeScan(self):
        """ Check the type scanner works """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'TypeScan'])

        pyflagsh.shell_execv(env=env, command="export",
                             argv=["Images","HTMLDirectoryRenderer",
                                   "TypeCaseTable.Thumbnail",
                                   "TypeCaseTable.Type","InodeTable.Size",
                                   #'filter=Type contains JPEG',
                                   ])
Exemplo n.º 20
0
    def test01SMTPScanner(self):
        """ Test POP Scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env,
                             command="scan",
                             argv=["*",                   ## Inodes (All)
                                   "POPScanner", "RFC2822",
                                   ])                   ## List of Scanners

        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as total from passwords where type='POP3'")
        row = dbh.fetch()
        self.failIf(row['total']==0,"Could not parse any POP3 passwords")
Exemplo n.º 21
0
    def test01HotmailScanner(self):
        """ Test Hotmail Scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env,
                             command="scan",
                             argv=["*",                   ## Inodes (All)
                                   "HotmailScanner",
                                   ])                   ## List of Scanners

        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from webmail_messages")
        row = dbh.fetch()
        self.assert_(row['c'] > 0, "No hotmail messages were found")
Exemplo n.º 22
0
Arquivo: HTTP.py Projeto: arkem/pyflag
 def test01HTTPScanner(self):
     """ Test HTTP Scanner """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env,
                          command="scan",
                          argv=["*",                   ## Inodes (All)
                                "HTTPScanner",
                                ])                   ## List of Scanners
     dbh = DB.DBO(self.test_case)
     dbh.execute("select count(*) as total from http")
     row = dbh.fetch()
     print "Number of HTTP transfers found %s" % row['total']
     self.failIf(row['total']==0,"Count not find any HTTP transfers?")
Exemplo n.º 23
0
    def test01RunScanner(self):
        """ Test IE History scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'ZipScan'])

        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'IEIndex','GoogleImageScanner'])

        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from http_parameters where `key`='q' and value='anna netrebko'")
        row=dbh.fetch()
        self.assertEqual(row['c'], 3, 'Unable to find all search URLs')
Exemplo n.º 24
0
 def test01DNS(self):
     "Test DNS handling"
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env,
                          command="scan",
                          argv=["*",                   ## Inodes (All)
                                "DNSScanner",
                                ])                   ## List of Scanners
     dbh = DB.DBO(self.test_case)
     dbh.execute("select * from dns where name = 'www.google.com.'")
     self.assert_(dbh.fetch())
     dbh.execute("select count(*) as c from dns where name like '%google%'")
     row = dbh.fetch()
     self.assertEqual(row['c'], 14)
Exemplo n.º 25
0
    def test_scanner(self):
        """ Check the virus scanner works """
        dbh = DB.DBO(self.test_case)

        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'VirScan','ZipScan','TypeScan'])

        dbh.execute("select * from virus limit 1")
        row = dbh.fetch()

        ## We expect to pick this rootkit:
        self.assert_(row, "Unable to find any viruses")
        self.assert_("NTRootKit" in row['virus'] , "Unable to find Trojan.NTRootKit.044")
Exemplo n.º 26
0
    def test01YahooMailScanner(self):
        """ Test Scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env,
                             command="scan",
                             argv=["*",                   ## Inodes (All)
                                   "YahooMail20Scan", "YahooMailScan",
                                   ])                   ## List of Scanners

        print "Closing volume"
        t = time.time()
        #CacheManager.AFF4_MANAGER.close(self.test_case)
        print "Closed in %s seconds " % (time.time()- t)
        print CacheManager.oracle.flush()
Exemplo n.º 27
0
    def test_scanner(self):
        """ Check the hash scanner works """
        dbh = DB.DBO(self.test_case)

        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'ZipScan'])        

        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'MD5Scan'])        

        dbh.execute("select count(*) as c,NSRL_product, NSRL_filename from hash where NSRL_product like 'Guide to Hacking %%' group by NSRL_product")
        row = dbh.fetch()
        self.assertEqual(row['c'], 14, "Hashes not recognised. You might need to load the NSRL database")
Exemplo n.º 28
0
    def test01CarveImage(self):
        """ Carving from Image """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'JPEGCarver'])

        ## See if we found the two images from within the word
        ## document:
        expected = [ "Itest|K1289-0-0|o150712:85550", "Itest|K1289-0-0|o96317:141763"]
        
        dbh = DB.DBO(self.test_case)
        for inode in expected:
            dbh.execute("select inode from inode where inode=%r limit 1", inode)
            row = dbh.fetch()
            self.assert_(row != None)
Exemplo n.º 29
0
    def test_type_scan(self):
        """ Check the Zip scanner works """
        dbh = DB.DBO(self.test_case)

        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'ZipScan','GZScan','TarScan','TypeScan'])

        dbh.execute("select count(*) as count from inode where inode like '%%|Z%%'")
        count = dbh.fetch()['count']
        self.failIf(count==0, "Could not find any zip files?")
        
        dbh.execute("select count(*) as count from inode where inode like '%%|G0'")
        count = dbh.fetch()['count']
        self.failIf(count==0, "Could not find any gzip files?")
Exemplo n.º 30
0
    def test01Scan(self):
        """ Scan for MSN Messages """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env,
                             command="scan",
                             argv=["*",                   ## Inodes (All)
                                   "MSNScanner"
                                   ])                   ## List of Scanners

        ## What should we have found?
        dbh = DB.DBO(self.test_case)
        dbh.execute("""select count(*) as total from `msn_session` where type=\"MESSAGE\"""")
        row = dbh.fetch()
        assert row['total'] == 10

        CacheManager.AFF4_MANAGER.close(self.test_case)