def run(self, evidence, result):
"""Task that extracts binaries with image_export.py.
Args:
evidence (Evidence object): The evidence we will process.
result (TurbiniaTaskResult): The object to place task results into.
Returns:
TurbiniaTaskResult object.
"""
config.LoadConfig()
binary_extraction_evidence = BinaryExtraction()
binary_extraction_evidence.local_path = self.output_dir
image_export_log = os.path.join(self.output_dir,
'binary_extraction.log')
self.binary_extraction_dir = os.path.join(self.output_dir,
'extracted_binaries')
self.json_path = os.path.join(self.binary_extraction_dir,
'hashes.json')
cmd = [
'image_export.py', '--partitions', 'all', '--no_vss',
'--signatures', 'elf,exe_mz', '--logfile', image_export_log
]
if config.DEBUG_TASKS:
cmd.append('-d')
cmd.extend(['-w', self.binary_extraction_dir, evidence.local_path])
result.log('Running image_export as [{0:s}]'.format(' '.join(cmd)))
self.execute(cmd,
result,
log_files=[image_export_log, self.json_path],
new_evidence=[binary_extraction_evidence],
close=True)
binary_cnt, hash_cnt = self.check_extraction()
result.status = ('Extracted {0:d} hashes and {1:d} binaries from the '
'evidence.'.format(hash_cnt, binary_cnt))
if hash_cnt != binary_cnt:
result.log(
'Number of extracted binaries is not equal to the number '
'of extracted hashes. This might indicate issues with '
'image_export.py. Check binary_extraction.log for more '
'details.', logging.WARNING)
binary_extraction_evidence.compress()
return result
def run(self, evidence, result):
"""Task that extracts binaries with image_export.py.
Args:
evidence (Evidence object): The evidence we will process.
result (TurbiniaTaskResult): The object to place task results into.
Returns:
TurbiniaTaskResult object.
"""
config.LoadConfig()
binary_extraction_evidence = BinaryExtraction()
binary_extraction_evidence.local_path = self.output_dir
binary_extraction_evidence.uncompressed_directory = self.output_dir
image_export_log = os.path.join(self.output_dir,
'binary_extraction.log')
self.binary_extraction_dir = os.path.join(self.output_dir,
'extracted_binaries')
self.json_path = os.path.join(self.binary_extraction_dir,
'hashes.json')
cmd = [
'image_export.py', '--partitions', 'all', '--no_vss', '--logfile',
image_export_log
]
if evidence.config and evidence.config.get('binary_extraction_path'):
artifact_dir = os.path.join(self.tmp_dir, 'artifacts')
artifact_file = os.path.join(artifact_dir, 'artifacts.yaml')
os.mkdir(artifact_dir)
binary_extraction_path = evidence.config.get(
'binary_extraction_path')
result.log('Using custom artifact path {0:s}'.format(
binary_extraction_path))
artifact_text = textwrap.dedent("""
name: TurbiniaCustomArtifact
doc: Ad hoc artifact created for file extraction.
sources:
- type: FILE
attributes:
paths: ['{0:s}']
""")
artifact_text = artifact_text.format(binary_extraction_path)
with open(artifact_file, 'wb') as artifact:
artifact.write(artifact_text.encode('utf-8'))
cmd.extend([
'--custom_artifact_definitions', artifact_file,
'--artifact_filters', 'TurbiniaCustomArtifact'
])
else:
cmd.extend(['--signatures', 'elf,exe_mz'])
if config.DEBUG_TASKS or evidence.config.get('debug_tasks'):
cmd.append('-d')
cmd.extend(['-w', self.binary_extraction_dir, evidence.local_path])
result.log('Running image_export as [{0:s}]'.format(' '.join(cmd)))
self.execute(cmd,
result,
log_files=[image_export_log, self.json_path],
new_evidence=[binary_extraction_evidence])
try:
binary_cnt, hash_cnt = self.check_extraction()
except TurbiniaException as exception:
message = 'File extraction failed: {0!s}'.format(exception)
result.close(self, success=False, status=message)
return result
status = ('Extracted {0:d} hashes and {1:d} files from the '
'evidence.'.format(hash_cnt, binary_cnt))
if hash_cnt != binary_cnt:
result.log(
'Number of extracted binaries is not equal to the number '
'of extracted hashes. This might indicate issues with '
'image_export.py. Check binary_extraction.log for more '
'details.', logging.WARNING)
binary_extraction_evidence.compress()
result.close(self, success=True, status=status)
return result