    def test03MultipleSources(self):
        """ Test that multiple images can be loaded on the same VFS

        Attaches a second (EWF) image to the case, mounts it beside the
        first one, and checks that one file from each source still reads
        back with its known MD5.
        """
        case_arg = "case=%s" % self.test_case
        load_steps = (
            ("Load Data.Load IO Data Source",
             ["subsys=EWF", "filename=ntfs_image.e01"]),
            ("Load Data.Load Filesystem image",
             ["fstype=Sleuthkit", "mount_point=/ntfsimage/"]),
        )
        for report, extra_args in load_steps:
            pyflagsh.shell_execv(
                command="execute",
                argv=[report, case_arg, "iosource=second_image"] + extra_args,
            )

        fsfd = DBFS(self.test_case)

        def md5_of(path):
            """ Hex MD5 of the whole VFS file at path """
            fd = fsfd.open(path)
            return hashlib.md5(fd.read()).hexdigest()

        ## A file from the first source must still be readable ...
        self.assertEqual(md5_of("/stdimage/dscf1081.jpg"),
                         "11bec410aebe0c22c14f3eaaae306f46")

        ## ... and so must one from the newly added source.
        self.assertEqual(md5_of("/ntfsimage/Books/80day11.txt"),
                         "f5b394b5d0ca8c9ce206353e71d1d1f2")
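    def test02catTests(self):
        """ Test the cat command

        Loads the case into a fresh shell environment, then checks that
        ``cat`` on a single path yields exactly that file's bytes and that
        ``cat`` on a glob yields the matched files concatenated in the
        order the VFS lists them.
        """
        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env,
                             command="load",
                             argv=[
                                 self.test_case,
                             ])

        self.fsfd = FileSystem.DBFS(self.test_case)
        ## Reference contents, read straight from the VFS:
        data1 = self.fsfd.open("/dscf1080.jpg").read()
        data2 = self.fsfd.open("/dscf1081.jpg").read()
        data3 = self.fsfd.open("/dscf1082.jpg").read()

        def cat(pattern):
            """ Everything the shell's cat emits for pattern, as one string """
            ## ''.join rather than repeated += : the chunks are image data
            ## and += across many chunks is quadratic.
            return ''.join(pyflagsh.shell_execv_iter(env=self.env,
                                                     command="cat",
                                                     argv=[pattern]))

        self.assertEqual(cat("/dscf1081.jpg"), data2)

        result = cat("/dscf108*")
        self.assertEqual(len(result), len(data1) + len(data2) + len(data3))
        ## assertEqual instead of assert_(a == b): on failure it reports the
        ## differing values rather than a bare False.
        self.assertEqual(result, data1 + data2 + data3)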
 def test01RunScanner(self):
     """ Test cache scanner

     Runs ZipScan on its own first, then the cache scanners, over every
     inode of the case (presumably so archive members exist before the
     cache scanners look at them -- TODO confirm).
     """
     env = pyflagsh.environment(case=self.test_case)
     scanner_passes = (
         ['ZipScan'],
         ['MozCacheScan', 'GoogleImageScanner'],
     )
     for scanners in scanner_passes:
         pyflagsh.shell_execv(env=env, command="scan",
                              argv=["*"] + scanners)
 def test02LoadFilesystem(self):
     """ Test that basic filesystems load

     Registers the standard dd image as an IO source, mounts it with
     Sleuthkit at /stdimage/ and checks the resulting inode count.
     """
     case_arg = "case=%s" % self.test_case
     io_source_argv = [
         "Load Data.Load IO Data Source", case_arg,
         "iosource=first_image",
         "subsys=Standard",
         "filename=pyflag_stdimage_0.4.dd",
         "offset=16128s",
     ]
     filesystem_argv = [
         "Load Data.Load Filesystem image", case_arg,
         "iosource=first_image",
         "fstype=Sleuthkit",
         "mount_point=/stdimage/",
     ]
     for argv in (io_source_argv, filesystem_argv):
         pyflagsh.shell_execv(command="execute", argv=argv)

     ## The test image is expected to produce exactly 90 inodes.
     dbh = DB.DBO(self.test_case)
     dbh.execute("select count(*) as count from inode")
     self.assertEqual(dbh.fetch()["count"], 90)
    def test03MultipleSources(self):
        """ Test that multiple images can be loaded on the same VFS """
        case_arg = 'case=%s' % self.test_case

        ## Attach a second (EWF) image to the case ...
        pyflagsh.shell_execv(command="execute",
                             argv=["Load Data.Load IO Data Source", case_arg,
                                   "iosource=second_image",
                                   "subsys=EWF",
                                   "filename=ntfs_image.e01"])
        ## ... and mount it beside the first one.
        pyflagsh.shell_execv(command="execute",
                             argv=["Load Data.Load Filesystem image", case_arg,
                                   "iosource=second_image",
                                   "fstype=Sleuthkit",
                                   "mount_point=/ntfsimage/"])

        fsfd = DBFS(self.test_case)

        def md5_of(path):
            """ Hex MD5 digest of the whole VFS file at path """
            fd = fsfd.open(path)
            digest = hashlib.md5()
            digest.update(fd.read())
            return digest.hexdigest()

        ## Both the original and the newly mounted source must be readable:
        self.assertEqual(md5_of("/stdimage/dscf1081.jpg"),
                         '11bec410aebe0c22c14f3eaaae306f46')
        self.assertEqual(md5_of("/ntfsimage/Books/80day11.txt"),
                         'f5b394b5d0ca8c9ce206353e71d1d1f2')
    def test02catTests(self):
        """ Test the cat command """
        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env, command="load",
                             argv=[self.test_case,])

        self.fsfd = FileSystem.DBFS(self.test_case)

        def vfs_read(path):
            """ Whole contents of one file, read straight from the VFS """
            return self.fsfd.open(path).read()

        def cat(pattern):
            """ Everything the shell's cat command emits for pattern, joined up """
            chunks = list(pyflagsh.shell_execv_iter(env=self.env, command="cat",
                                                    argv=[pattern]))
            return ''.join(chunks)

        data1 = vfs_read("/dscf1080.jpg")
        data2 = vfs_read("/dscf1081.jpg")
        data3 = vfs_read("/dscf1082.jpg")

        ## cat on a single path must give back exactly that file
        self.assertEqual(cat("/dscf1081.jpg"), data2)

        ## cat on a glob must give back all matches, concatenated
        result = cat("/dscf108*")
        self.assertEqual(len(result), len(data1)+len(data2)+len(data3))
        self.assert_(result==data1+data2+data3)
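    def test03cpTests(self):
        """ Test the cp (copy) command

        Copies the /dscf108* images out of the VFS into a fresh temporary
        directory and checks the MD5 of one of them.  The directory comes
        from tempfile.mkdtemp (created atomically, mode 0700) instead of
        os.tmpnam, which only predicts a name and leaves a window between
        name generation and os.mkdir for something else to be planted at
        that path.  Cleanup runs in a finally block so a failed assertion
        does not leave the directory behind.
        """
        import hashlib
        import shutil
        import tempfile

        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env, command="load",
                             argv=[self.test_case,])

        ## Make a directory for the files:
        tmpname = tempfile.mkdtemp()
        try:
            pyflagsh.shell_execv(env=self.env, command="cp",
                                 argv=["/dscf108*", tmpname])

            ## Now verify the copy worked.  Binary mode: the file is a JPEG
            ## and text mode could alter its bytes on some platforms.
            fd = open(os.path.join(tmpname, "dscf1080.jpg"), 'rb')
            try:
                data = fd.read()
            finally:
                fd.close()
            self.assertEqual(hashlib.md5(data).hexdigest(),
                             '9e03e022404a945575b813ffb56fd841')
        finally:
            ## Clean up, whatever happened above:
            shutil.rmtree(tmpname)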
    def test01LoadRaid(self):
        """ Test the RAID IO Source loader """
        ## This image was made by the linux raid5 implementation.
        ## Just to make things a bit more complicated, each image of
        ## each individual disk was acquired using ewfacquire into an
        ## EWF file. We use the io://EWF/filename=/raid/linux/d1.E01
        ## URL notation as the image filename in order to use the EWF
        ## IO Source driver to read the file.
        case_arg = 'case=%s' % self.test_case
        disk_images = ["filename=io://EWF/filename=/raid/linux/d%d.E01" % n
                       for n in (1, 2, 3)]

        io_source_argv = (
            ["Load Data.Load IO Data Source", case_arg, "iosource=test",
             "subsys=RAID5 (1 Parity)"]
            + disk_images
            + ["offset=0",
               "map=1.0.P.P.3.2.4.P.5", "period=3", "blocksize=64k",
               "TZ=%s" % self.TZ]
        )
        pyflagsh.shell_execv(command="execute", argv=io_source_argv)

        ## Mount the assembled array at the root of the VFS
        pyflagsh.shell_execv(command="execute",
                             argv=["Load Data.Load Filesystem image",
                                   case_arg, "iosource=test",
                                   "fstype=Sleuthkit", "mount_point=/"])
    def test01ls(self):
        """ Test the ls command """
        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env, command="load",
                             argv=[self.test_case,])

        def ls(*args):
            """ Number of lines the shell's ls command prints for args """
            output = pyflagsh.shell_execv_iter(env=self.env, command="ls",
                                               argv=list(args))
            return len(list(output))

        ## Default directory, a named directory, a file glob, a directory glob:
        self.assertEqual(ls(), 18)
        self.assert_(ls("docs") >= 3)
        self.assertEqual(ls("*.jpg"), 5)
        self.assert_(ls("do*") > 3)
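    def test03cpTests(self):
        """ Test the cp (copy) command

        The shell's ``cp`` is asked to copy every /dscf108* file into a
        scratch directory; the MD5 of one copied file is then compared
        against a known value.  The scratch directory is always removed.
        """
        import hashlib
        import tempfile

        self.env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=self.env,
                             command="load",
                             argv=[
                                 self.test_case,
                             ])

        ## Make a directory for the files.  mkdtemp creates it with mode
        ## 0700 in a single step; os.tmpnam only returns a name, so another
        ## process could place something at that path before os.mkdir.
        tmpname = tempfile.mkdtemp()

        try:
            pyflagsh.shell_execv(env=self.env,
                                 command="cp",
                                 argv=["/dscf108*", tmpname])

            ## Now verify the copy worked (binary mode: the file is a JPEG):
            fd = open(os.path.join(tmpname, "dscf1080.jpg"), 'rb')
            try:
                md5sum = hashlib.md5(fd.read())
            finally:
                fd.close()
            self.assertEqual(md5sum.hexdigest(),
                             '9e03e022404a945575b813ffb56fd841')
        finally:
            ## Clean up even if an assertion above failed:
            for name in os.listdir(tmpname):
                os.unlink(os.path.join(tmpname, name))
            os.rmdir(tmpname)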
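    def test01RunScanners(self):
        """ Running Logical Index Scanner

        Makes sure the word 'secret' is in the global dictionary, runs
        IndexScan over the case, then re-reads every indexed hit from the
        VFS to confirm the bytes at the recorded offset really are the
        word.  Exactly two hits are expected.
        """
        ## Make sure the word secret is in there.
        pdbh = DB.DBO()
        pdbh.execute("select * from dictionary where word='secret' limit 1")
        if not pdbh.fetch():
            pdbh.insert('dictionary', **{'word':'secret', 'class':'English', 'type':'word'})

        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'IndexScan'])

        ## One case handle is enough; the second, unused DBO that used to be
        ## opened here only tied up a database connection.
        dbh = DB.DBO(self.test_case)
        fsfd = DBFS(self.test_case)
        ## Join the per-case offsets back to the global dictionary so the
        ## filter can be on the word rather than on its id.
        dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB,config.FLAGDB))
        count = 0
        for hit in dbh:
            count += 1
            path, inode, inode_id = fsfd.lookup(inode_id = hit['inode_id'])
            fd = fsfd.open(inode=inode)
            ## overread/slack are switched on so the read is not clipped at
            ## the nominal end of the file -- presumably the index also
            ## covers slack space; TODO confirm.
            fd.overread = True
            fd.slack = True
            fd.seek(hit['offset'])
            data = fd.read(hit['length'])
            print("Looking for %s: Found in %s at offset %s length %s %r" % (
                hit['word'], inode, hit['offset'], hit['length'], data))
            self.assertEqual(data.lower(), hit['word'].lower())

        ## Did we find all the secrets?
        self.assertEqual(count,2)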
 def test01LoadRaid(self):
     """ Test the RAID IO Source loader """
     ## This image was made by the linux raid5 implementation.
     ## Just to make things a bit more complicated, each image of
     ## each individual disk was acquired using ewfacquire into an
     ## EWF file. We use the io://EWF/filename=/raid/linux/d1.E01
     ## URL notation as the image filename in order to use the EWF
     ## IO Source driver to read the file.
     case_arg = 'case=%s' % self.test_case
     raid_parameters = [
         "subsys=RAID5 (1 Parity)",
         "filename=io://EWF/filename=/raid/linux/d1.E01",
         "filename=io://EWF/filename=/raid/linux/d2.E01",
         "filename=io://EWF/filename=/raid/linux/d3.E01",
         "offset=0",
         "map=1.0.P.P.3.2.4.P.5",
         "period=3",
         "blocksize=64k",
         "TZ=%s" % self.TZ,
     ]
     pyflagsh.shell_execv(command="execute",
                          argv=["Load Data.Load IO Data Source", case_arg,
                                "iosource=test"] + raid_parameters)

     ## ... and mount the assembled array at the root of the VFS
     pyflagsh.shell_execv(command="execute",
                          argv=["Load Data.Load Filesystem image", case_arg,
                                "iosource=test", "fstype=Sleuthkit",
                                "mount_point=/"])
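    def test01RunScanner(self):
        """ Running scanners

        Seeds the global dictionary with this test's literal and regex
        keywords (their ids offset by 1000, presumably to keep clear of the
        built-in entries) and then runs IndexScan over every inode.
        """
        dbh = DB.DBO()

        def load_keywords(rows, word_type):
            """ Store every (id, word, ...) row in the dictionary as word_type.

            Deletes any existing row with the same id first, so a re-run of
            the test does not collide on the primary key.
            """
            for row in rows:
                dict_id = row[0] + 1000
                word = row[1]
                dbh.delete('dictionary', 'id=%r' % dict_id, _fast=True)
                dbh.insert('dictionary',
                           _fast=True,
                           **{
                               'id': dict_id,
                               'class': "DFTT",
                               'type': word_type,
                               'word': word
                           })

        ## Populate the key words into the dictionary:
        load_keywords(self.case_sensitive_keywords, 'literal')
        load_keywords(self.regex_keywords, 'regex')

        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IndexScan'])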
 def test01IRCScanner(self):
     """ Test IRC Scanner """
     env = pyflagsh.environment(case=self.test_case)
     inodes = "*"                 ## every inode in the case
     scanners = ["IRCScanner"]    ## the scanners to run over them
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=[inodes] + scanners)
    def test01RunScanner(self):
        """ Running scanners """
        env = pyflagsh.environment(case=self.test_case)

        def scan(*scanners):
            """ Run the named scanners over every inode of the case """
            pyflagsh.shell_execv(env=env, command="scan",
                                 argv=["*"] + list(scanners))

        ## Archive scanners first, then the full set (archive scanners
        ## included again) -- presumably so unpacked members are covered.
        scan('ZipScan', 'TarScan', 'GZScan')
        scan('JPEGCarver', 'ZipScan', 'TarScan', 'GZScan', 'TypeScan', 'IndexScan')
 def test01SMTPScanner(self):
     """ Test SMTP Scanner """
     env = pyflagsh.environment(case=self.test_case)
     ## "*" selects every inode; the rest of argv names the scanners to run
     scan_argv = ["*", "SMTPScanner", "RFC2822", "TypeScan"]
     pyflagsh.shell_execv(env=env, command="scan", argv=scan_argv)
 def test01(self):
     """ Test Reassembler: run the NetworkScanners group over every inode """
     env = pyflagsh.environment(case=self.test_case)
     scan_call = dict(env=env, command="scan",
                      argv=["*", "NetworkScanners"])
     pyflagsh.shell_execv(**scan_call)
 def test01YahooMailScanner(self):
     """ Test Scanner: YahooMail20Scan across every inode """
     env = pyflagsh.environment(case=self.test_case)
     all_inodes = "*"
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=[all_inodes, "YahooMail20Scan"])
 def test01GmailScanner(self):
     """ Test Google Image Scanner

     Despite the method name, the only scanner run is GoogleImageScanner.
     """
     env = pyflagsh.environment(case=self.test_case)
     scanners = ("GoogleImageScanner",)
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*"] + list(scanners))   ## "*": all inodes
 def test01GmailScanner(self):
     """ Test Gmail Scanner (together with the other webmail scanners, in one pass) """
     env = pyflagsh.environment(case=self.test_case)
     webmail_scanners = [
         "GmailScanner", "YahooMailScan",
         "SquirrelMailScan", "HotmailScanner",
     ]
     ## Leading "*" = every inode in the case
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*"] + webmail_scanners)
    def test00preLoadCase(self):
        """ Reset case: drop any leftover case of this name, then recreate it empty """
        import pyflag.pyflagsh as pyflagsh

        steps = (
            ("Case Management.Remove case", 'remove_case=%s'),
            ("Case Management.Create new case", 'create_case=%s'),
        )
        for report, case_param in steps:
            pyflagsh.shell_execv(command = "execute",
                                 argv=[report, case_param % self.test_case])
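    def test02Hash(self):
        """ Test the hashes of loaded files

        Runs MD5Scan over every inode and checks that one known digest
        ended up in the hash table.
        """
        import binascii

        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'MD5Scan'])

        ## binary_md5 appears to hold the raw 16 byte digest (note the %b
        ## placeholder), so the hex string is converted before comparing.
        ## binascii.unhexlify replaces str.decode("hex"), a codec that only
        ## exists on Python 2.
        expected = binascii.unhexlify("04D68B7C8993A3A485A5780EC1A8D62D")
        dbh = DB.DBO(self.test_case)
        dbh.execute("select binary_md5 from hash where binary_md5=%b", expected)
        self.assert_(dbh.fetch(), "Expected hash not found")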
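 def test02Hash(self):
     """ Test the hashes of loaded files

     After MD5Scan has run over every inode, one known digest must be
     present in the hash table.
     """
     import binascii

     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*",'MD5Scan'])

     dbh = DB.DBO(self.test_case)
     ## Compare against the raw digest bytes (the %b placeholder suggests
     ## binary_md5 is stored raw).  unhexlify is used instead of
     ## str.decode("hex"), which is Python 2 only.
     raw_digest = binascii.unhexlify("04D68B7C8993A3A485A5780EC1A8D62D")
     dbh.execute("select binary_md5 from hash where binary_md5=%b", raw_digest)
     self.assert_(dbh.fetch(), "Expected hash not found")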
    def test01RunScanner(self):
        """ Test IE History scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'IECarver'])

        ## The test image is expected to yield at least 20 history entries
        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from ie_history")
        history_rows = dbh.fetch()['c']
        print("Got %s rows" % history_rows)
        self.assert_(history_rows >= 20)
 def test00preLoadCase(self):
     """ Load Memory image """
     ## The ScannerTest.test00preLoadCase base step is not run here; the
     ## memory image is loaded straight in as a "Linux Memory" filesystem.
     case_arg = 'case=%s' % self.test_case
     memory_fs_argv = [
         "Load Data.Load Filesystem image", case_arg,
         "iosource=test",
         "fstype=Linux Memory",
         "profile=2_6_18-8_1_15_el5",
         "map=System.map-2.6.18-8.1.15.el5.map",
         "mount_point=%s" % self.mount_point,
     ]
     pyflagsh.shell_execv(command="execute", argv=memory_fs_argv)
 def test01(self):
     """ Test Reassembler """
     env = pyflagsh.environment(case=self.test_case)
     inodes = "*"                        ## Inodes (All)
     scanners = ["NetworkScanners"]      ## List of Scanners
     pyflagsh.shell_execv(env=env, command="scan", argv=[inodes] + scanners)
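    def test01CarveImage(self):
        """ Carving from Image

        Runs ScriptCarver over every inode and expects at least three
        rows in the type table whose type ends in "script".
        """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'ScriptCarver'])

        dbh = DB.DBO(self.test_case)
        ## The pattern goes in as a %r parameter rather than being spliced
        ## into the statement text, so the DB layer presumably quotes it.
        dbh.execute("select count(*) as c from type where type like %r", "%script")
        row = dbh.fetch()
        ## `is not None`: None is a singleton, and `!= None` would defer to
        ## the row object's own comparison operator.
        self.assert_(row is not None)
        self.assert_(row['c'] >= 3)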
    def test01FTPScanner(self):
        """ Test basic FTP scanning """
        env = pyflagsh.environment(case=self.test_case)
        scan_argv = ["*", "FTPScanner"]   ## every inode, one scanner
        pyflagsh.shell_execv(env=env, command="scan", argv=scan_argv)

        ## What should we have found? FIXME -- the handle is opened but no
        ## assertion is made on it yet.
        dbh = DB.DBO(self.test_case)
    def test01RunScanner(self):
        """ Test IE History scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*", 'IECarver'])

        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from ie_history")
        found = dbh.fetch()['c']
        print("Got %s rows" % found)
        ## Twenty is the minimum the test image is expected to produce
        self.assert_(found >= 20)
    def test01TypeScan(self):
        """ Check the type scanner works """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])

        ## Make sure the extra magic is being used properly; an Outlook PST
        ## in the image is the probe for that (see the failure message).
        dbh = DB.DBO(self.test_case)
        dbh.execute('select count(*) as count from type where type like "%%Outlook%%"')
        outlook_count = dbh.fetch()['count']
        self.failIf(outlook_count == 0, "Unable to locate an Outlook PST file - maybe we are not using our custom magic file?")
    def test04LocatingNTFS_ADS(self):
        """ Test for finding ADS files """
        ## Do type scanning:
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan", argv=["*", 'TypeScan'])

        ## Inode 33-128-7 is presumably the alternate data stream carrying
        ## an executable; the type scanner must have recognised it as one.
        query = ('select type.type from type,inode '
                 'where type.inode_id=inode.inode_id '
                 'and type like "%executable%" and inode.inode like "%33-128-7%"')
        dbh = DB.DBO(self.test_case)
        dbh.execute(query)
        self.assert_(dbh.fetch(), "Executable within ADS was not found???")
 def test00preLoadCase(self):
     """ Load Memory image """
     ## The ScannerTest preload step is not run here; the memory image is
     ## loaded straight in as a "Linux Memory" filesystem.
     options = {
         "case": self.test_case,
         "iosource": "test",
         "fstype": "Linux Memory",
         "profile": "2_6_18-8_1_15_el5",
         "map": "System.map-2.6.18-8.1.15.el5.map",
         "mount_point": self.mount_point,
     }
     order = ("case", "iosource", "fstype", "profile", "map", "mount_point")
     pyflagsh.shell_execv(command="execute",
                          argv=["Load Data.Load Filesystem image"]
                               + ["%s=%s" % (key, options[key]) for key in order])
 def test01SMTPScanner(self):
     """ Test SMTP Scanner """
     env = pyflagsh.environment(case=self.test_case)
     mail_scanners = ("SMTPScanner", "RFC2822", "TypeScan")
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*"] + list(mail_scanners))   ## "*": all inodes
    def test01TypeScan(self):
        """ Check the type scanner works, then export its results through the HTML directory renderer """
        env = pyflagsh.environment(case=self.test_case)

        def run(command, argv):
            pyflagsh.shell_execv(env=env, command=command, argv=argv)

        run("scan", ["*", 'TypeScan'])

        ## Columns exported from the Images table.  (A
        ## 'filter=Type contains JPEG' argument could narrow the export;
        ## it is not applied here.)
        run("export", ["Images", "HTMLDirectoryRenderer",
                       "TypeCaseTable.Thumbnail",
                       "TypeCaseTable.Type", "InodeTable.Size"])
    def test01HotmailScanner(self):
        """ Test Hotmail Scanner """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*", "HotmailScanner"])   ## all inodes, one scanner

        ## At least one message must have landed in webmail_messages
        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from webmail_messages")
        message_count = dbh.fetch()['c']
        self.assert_(message_count > 0, "No hotmail messages were found")
    def test01RunScanner(self):
        """ Running scanners """
        env = pyflagsh.environment(case=self.test_case)
        archive_scanners = ['ZipScan', 'TarScan', 'GZScan']
        ## First pass: archives only.  Second pass: everything, with the
        ## archive scanners included again.
        passes = (
            archive_scanners,
            ['JPEGCarver'] + archive_scanners + ['TypeScan', 'IndexScan'],
        )
        for scanners in passes:
            pyflagsh.shell_execv(env=env, command="scan",
                                 argv=["*"] + scanners)
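 def test01HTTPScanner(self):
     """ Test HTTP Scanner

     Runs HTTPScanner over every inode and fails if the http table is
     still empty afterwards.
     """
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*", "HTTPScanner"])   ## all inodes, one scanner
     dbh = DB.DBO(self.test_case)
     dbh.execute("select count(*) as total from http")
     row = dbh.fetch()
     print("Number of HTTP transfers found %s" % row['total'])
     ## Failure message corrected: "Count not find" -> "Could not find"
     self.failIf(row['total'] == 0, "Could not find any HTTP transfers?")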
    def test01FTPScanner(self):
        """ Test basic FTP scanning """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*", "FTPScanner"])   ## every inode, one scanner

        ## What should we have found? FIXME: nothing is asserted yet, the
        ## handle is only opened.
        dbh = DB.DBO(self.test_case)
    def test01RunScanner(self):
        """ Test IE History scanner """
        env = pyflagsh.environment(case=self.test_case)

        def scan(*scanners):
            pyflagsh.shell_execv(env=env, command="scan",
                                 argv=["*"] + list(scanners))

        ## Archives first, then the IE index and Google image scanners
        scan('ZipScan')
        scan('IEIndex', 'GoogleImageScanner')

        ## Three searches for "anna netrebko" are expected in the image
        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from http_parameters where `key`='q' and value='anna netrebko'")
        hits = dbh.fetch()
        self.assertEqual(hits['c'], 3, 'Unable to find all search URLs')
    def test01SMTPScanner(self):
        """ Test POP Scanner """
        env = pyflagsh.environment(case=self.test_case)
        scanners = ["POPScanner", "RFC2822"]
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*"] + scanners)   ## "*" = all inodes

        ## The scanner should have recovered at least one POP3 credential
        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as total from passwords where type='POP3'")
        total = dbh.fetch()['total']
        self.failIf(total == 0, "Could not parse any POP3 passwords")
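def create_output_file():
    """ Open (or create) the capture file the scanners write to and register it as an IO source.

    Reads the module globals ``directory``, ``output_file``, ``scanners``
    and ``config``; sets the global ``output_fd``.  When ``output_file`` is
    "-" no file is opened and ``output_fd`` is None.  Otherwise the file is
    opened for append (created if missing), an exclusive non-blocking flock
    is taken on it, and if it is empty the hardcoded header is written.

    Compared with the stat-then-open version this replaces: the lock is now
    taken for a brand new file too (two instances starting at once used to
    both pass the "does not exist" check and both write a header), the
    existence check no longer races against other processes, and an
    existing but empty file also receives the header.  Exits the process
    with status 1 if another instance already holds the lock.
    """
    global output_fd, output_file

    print("Will read from %s and write to %s. Will use these scanners: %s" % (directory, output_file, scanners))

    filename = config.UPLOADDIR + "/" + output_file
    if output_file != "-":
        ## "a" creates the file if needed and never truncates an existing one.
        output_fd = open(filename, "a")

        ## There can be only one: hold the lock before touching the contents,
        ## so a second instance cannot interleave a header or packets with ours.
        try:
            fcntl.flock(output_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except IOError as e:
            print("Highlander Error: %s" % e)
            sys.exit(1)

        output_fd.seek(0, os.SEEK_END)
        offset = output_fd.tell()
        if offset == 0:
            ## This is a hardcoded header for the output file (it reads as a
            ## little-endian pcap global header: version 2.4, snaplen 0xffff,
            ## link type 1):
            header = "\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00"
            offset = len(header)

            ## Write the file header on
            output_fd.write(header)
            output_fd.flush()
    else:
        output_fd = None
        offset = 0

    ## NOTE(review): offset is computed but neither used below nor exported
    ## (it is not in the global statement) -- confirm whether a caller was
    ## meant to read it.

    ## Make a new IO source for the output:
    try:
        pyflagsh.shell_execv(
            command="execute",
            argv=[
                "Load Data.Load IO Data Source",
                "case=%s" % config.case,
                "iosource=%s" % config.iosource,
                "subsys=Standard",
                "filename=%s" % (output_file),
                "offset=0",
            ],
        )
    except Reports.ReportError:
        FlagFramework.print_bt_string()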
    def test01YahooMailScanner(self):
        """ Test Scanner: both Yahoo mail scanners over every inode, then flush the oracle """
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*", "YahooMail20Scan", "YahooMailScan"])   ## all inodes

        print("Closing volume")
        started = time.time()
        ## The AFF4 volume close (CacheManager.AFF4_MANAGER.close) is not
        ## invoked here; only the timing and the oracle flush below run.
        elapsed = time.time() - started
        print("Closed in %s seconds " % elapsed)
        print(CacheManager.oracle.flush())
    def test01LoadingFD(self):
        """ Try to load a filesystem using the Remote source """
        case_arg = 'case=%s' % self.test_case

        def execute(*argv):
            """ Run one report through the shell's execute command """
            pyflagsh.shell_execv(command="execute", argv=list(argv))

        ## Start from a clean case of this name
        execute("Case Management.Remove case", 'remove_case=%s' % self.test_case)
        execute("Case Management.Create new case", 'create_case=%s' % self.test_case)

        ## Attach the test file through the Remote IO subsystem ...
        execute("Load Data.Load IO Data Source", case_arg,
                "iosource=test",
                "subsys=Remote",
                "filename=%s" % (self.test_file))
        ## ... and mount it at the VFS root with the configured fstype
        execute("Load Data.Load Filesystem image", case_arg, "iosource=test",
                "fstype=%s" % self.fstype, "mount_point=/")
    def test_scanner(self):
        """ Check the hash scanner works """
        dbh = DB.DBO(self.test_case)
        env = pyflagsh.environment(case=self.test_case)

        ## Zips are unpacked before hashing (presumably so members get hashed too)
        for scanner in ('ZipScan', 'MD5Scan'):
            pyflagsh.shell_execv(env=env, command="scan",
                                 argv=["*", scanner])

        ## 14 files from the "Guide to Hacking" NSRL product are expected to
        ## be recognised.
        dbh.execute("select count(*) as c,NSRL_product, NSRL_filename from hash where NSRL_product like 'Guide to Hacking %%' group by NSRL_product")
        row = dbh.fetch()
        self.assertEqual(row['c'], 14, "Hashes not recognised. You might need to load the NSRL database")
 def test01DNS(self):
     "Test DNS handling"
     env = pyflagsh.environment(case=self.test_case)
     pyflagsh.shell_execv(env=env, command="scan",
                          argv=["*", "DNSScanner"])   ## all inodes, one scanner
     dbh = DB.DBO(self.test_case)

     ## One exact name must be present ...
     dbh.execute("select * from dns where name = 'www.google.com.'")
     self.assert_(dbh.fetch())

     ## ... and 14 google-related names in total.
     dbh.execute("select count(*) as c from dns where name like '%google%'")
     google_names = dbh.fetch()['c']
     self.assertEqual(google_names, 14)
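def create_output_file():
    """ Open (or create) the capture output file and register it as an IO source.

    Reads the module-level ``output_file``, ``directory`` and ``scanners``
    settings and sets the module-level ``output_fd``:

    * ``output_file == '-'``: nothing is opened and ``output_fd`` is None.
    * otherwise ``config.UPLOADDIR/<output_file>`` is opened for appending,
      an exclusive non-blocking lock is taken on it, and if the file is
      still empty the fixed 24-byte file header is written.

    Exits with status 1 when another process already holds the lock.
    Errors raised by the "Load IO Data Source" report are printed as a
    backtrace rather than propagated.
    """
    global output_fd, output_file

    print "Will read from %s and write to %s. Will use these scanners: %s" % (
        directory, output_file, scanners)

    if output_file == '-':
        output_fd = None
    else:
        ## NOTE(review): output_file is joined onto UPLOADDIR without any
        ## normalisation, so a value containing '..' resolves outside the
        ## upload directory -- confirm the caller validates it.
        filename = config.UPLOADDIR + '/' + output_file

        ## Append mode creates the file when it is missing.  This replaces
        ## the earlier stat()-then-open() sequence, which raced against a
        ## concurrent creator and never locked a freshly created file.
        output_fd = open(filename, 'a')

        ## There can be only one writer.  Lock before deciding about the
        ## header so two instances cannot both see an empty file and both
        ## write one.
        try:
            fcntl.flock(output_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except IOError, e:
            print "Highlander Error: %s" % e
            sys.exit(1)

        output_fd.seek(0, os.SEEK_END)
        if output_fd.tell() == 0:
            ## Fresh file: write the hardcoded header.  The bytes are a pcap
            ## global header (little-endian magic, version 2.4, zero timezone
            ## and sigfigs, snaplen 65535, link type 1).
            header = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00'
            output_fd.write(header)
            output_fd.flush()

    ## Make a new IO source for the output:
    try:
        pyflagsh.shell_execv(command="execute",
                             argv=[
                                 "Load Data.Load IO Data Source",
                                 'case=%s' % config.case,
                                 "iosource=%s" % config.iosource,
                                 "subsys=Standard",
                                 "filename=%s" % (output_file),
                                 "offset=0",
                             ])
    except Reports.ReportError:
        FlagFramework.print_bt_string()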
    def test_type_scan(self):
        """ Check the Zip scanner works.

        Runs ZipScan, GZScan, TarScan and TypeScan over every inode and
        then requires that at least one zip member inode ('|Z') and at
        least one gzip member inode ('|G0') were created.
        """
        dbh = DB.DBO(self.test_case)

        shell_env = pyflagsh.environment(case=self.test_case)
        scanners = ['ZipScan', 'GZScan', 'TarScan', 'TypeScan']
        pyflagsh.shell_execv(env=shell_env, command="scan",
                             argv=["*"] + scanners)

        ## (query, failure message); '%%' is presumably the DB layer's
        ## escaped '%' -- the query strings are unchanged.
        checks = [
            ("select count(*) as count from inode where inode like '%%|Z%%'",
             "Could not find any zip files?"),
            ("select count(*) as count from inode where inode like '%%|G0'",
             "Could not find any gzip files?"),
        ]
        for query, message in checks:
            dbh.execute(query)
            found = dbh.fetch()['count']
            self.assertFalse(found == 0, message)
    def test01HotmailScanner(self):
        """ Test Hotmail Scanner

        Scans every inode with HotmailScanner and expects at least one
        row in webmail_messages afterwards.
        """
        shell_env = pyflagsh.environment(case=self.test_case)
        scanners = ["HotmailScanner"]
        ## "*" selects all inodes; the scanner list follows it
        pyflagsh.shell_execv(env=shell_env, command="scan",
                             argv=["*"] + scanners)

        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as c from webmail_messages")
        message_count = dbh.fetch()['c']
        self.assertTrue(message_count > 0, "No hotmail messages were found")
    def test00Cleanup(self):
        """ Remove test log tables

        Deletes and recreates the test case, then drops the two log
        presets and the two tables used by later tests so that every run
        starts from a clean state.
        """
        ## Recreate the case from scratch (delete first, then create):
        for shell_command in ("delete_case", "create_case"):
            pyflagsh.shell_execv(command=shell_command, argv=[self.test_case])

        ## clear any existing presets of the same name:
        for preset in (self.log_preset, self.log_preset_two):
            drop_preset(preset)

        ## Clear any existing tables of the same name
        for table in (self.test_table, self.test_table_two):
            drop_table(self.test_case, table)
    def test00preLoadCase(self):
        """ Reset case

        Removes the test case (if present) and creates it again through
        the Case Management reports.
        """
        import pyflag.pyflagsh as pyflagsh

        steps = [
            ("Case Management.Remove case", 'remove_case=%s' % self.test_case),
            ("Case Management.Create new case", 'create_case=%s' % self.test_case),
        ]
        for report, argument in steps:
            pyflagsh.shell_execv(command="execute", argv=[report, argument])
    def test01CarveImage(self):
        """ Carving from Image

        Runs JPEGCarver over every inode and checks that the two images
        embedded in the word document were carved out as inodes.
        """
        shell_env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=shell_env, command="scan",
                             argv=["*", 'JPEGCarver'])

        ## Carved inode names expected from within the word document:
        expected = [
            "Itest|K1289-0-0|o150712:85550",
            "Itest|K1289-0-0|o96317:141763",
        ]

        dbh = DB.DBO(self.test_case)
        for inode_name in expected:
            ## the value is handed to the DB layer as a parameter
            dbh.execute("select inode from inode where inode=%r limit 1", inode_name)
            row = dbh.fetch()
            self.assertTrue(row is not None)
    def test01CaseCreation(self):
        """ Test that basic tables have been added to new cases

        Removes and recreates the test case, then asserts that the
        minimum set of per-case tables exists.
        """
        steps = (
            ("Case Management.Remove case", 'remove_case=%s' % self.test_case),
            ("Case Management.Create new case", 'create_case=%s' % self.test_case),
        )
        for report, argument in steps:
            pyflagsh.shell_execv(command="execute", argv=[report, argument])

        dbh = DB.DBO(self.test_case)
        dbh.execute("show tables")
        ## each "show tables" row has a single column holding the table name
        tables = set(row.values()[0] for row in dbh)

        ## At a minimum these tables must exist:
        required_tables = ['annotate', 'block', 'file', 'filesystems',
                           'inode', 'meta', 'resident', 'sql_cache', 'xattr']
        for name in required_tables:
            self.assertTrue(name in tables, "missing table %s" % name)