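    def SetUp(
            self,  # pylint: disable=arguments-differ
            incident_id=None,
            sketch_id=None,
            analyzers=None,
            token_password='',
            wait_for_timelines=False):
        """Sets up a connection to a Timesketch server and selects a sketch.

        This variant never creates a sketch: it only resolves an existing sketch
        ID (from the argument or from module attributes), verifies write access
        to it and caches the sketch object in the module state.

        Args:
          incident_id (Optional[str]): Incident ID or reference, stored on the
              module for later use.
          sketch_id (Optional[str]): Sketch ID to add the resulting timeline to.
              If not provided, the ID is looked up via
              _GetSketchIDFromAttributes().
          analyzers (Optional[List[str]]): If provided, a list of analyzer names
              to run on the sketch after they've been imported to Timesketch.
          token_password (str): optional password used to decrypt the
              Timesketch credential storage. Defaults to an empty string since
              the upstream library expects a string value. An empty string means
              a password will be generated by the upstream library.
          wait_for_timelines (bool): Whether to wait until timelines are processed
              in the Timesketch server or not.
        """
        self.wait_for_timelines = bool(wait_for_timelines)

        self.timesketch_api = timesketch_utils.GetApiClient(
            self.state, token_password=token_password)
        # No return follows: ModuleError(critical=True) is presumably expected to
        # abort the module — TODO confirm against the base class.
        if not self.timesketch_api:
            self.ModuleError(
                'Unable to get a Timesketch API client, try deleting the files '
                '~/.timesketchrc and ~/.timesketch.token',
                critical=True)
        self.incident_id = incident_id
        self.sketch_id = int(sketch_id) if sketch_id else None
        sketch = None

        # Check that we have a timesketch session. Both the client and its
        # session must be present; with `or` the session was never inspected.
        if not (self.timesketch_api and self.timesketch_api.session):
            message = 'Could not connect to Timesketch server'
            self.ModuleError(message, critical=True)

        # If no sketch ID is provided through the CLI, attempt to get it from
        # attributes.
        if not self.sketch_id:
            self.sketch_id = self._GetSketchIDFromAttributes()

        # If we have a sketch ID, check that we can write to it and cache it.
        if self.sketch_id:
            sketch = self.timesketch_api.get_sketch(self.sketch_id)
            if 'write' not in sketch.my_acl:
                # Format the int form (self.sketch_id): the raw sketch_id argument
                # may be a string, which the {0:d} spec rejects with ValueError.
                self.ModuleError(
                    'No write access to sketch ID {0:d}, aborting'.format(
                        self.sketch_id),
                    critical=True)
            self.state.AddToCache('timesketch_sketch', sketch)
            self.sketch_id = sketch.id

        # Only accept a real sequence of analyzer names; anything else is ignored.
        if analyzers and isinstance(analyzers, (tuple, list)):
            self._analyzers = analyzers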
    def testInitialization(self):
        """Checks that GetApiClient returns the client cached in the state."""
        dftw_state = state.DFTimewolfState(config.Config())
        fake_client = FakeTimesketchApiClient()
        dftw_state.AddToCache('timesketch_client', fake_client)

        client = timesketch_utils.GetApiClient(dftw_state)
        self.assertIsNotNone(client)
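  def SetUp(self,  # pylint: disable=arguments-differ
            incident_id=None,
            sketch_id=None,
            analyzers=None,
            token_password=''):
    """Sets up a connection to a Timesketch server and creates a sketch if needed.

    Args:
      incident_id (Optional[str]): Incident ID or reference. Used in the sketch
          name when a new sketch is created.
      sketch_id (Optional[str]): Sketch ID to add the resulting timeline to.
          If not provided, the ID is looked up via _GetSketchIDFromAttributes()
          and, failing that, a new sketch is created.
      analyzers (Optional[List[str]]): If provided, a list of analyzer names
          to run on the sketch after they've been imported to Timesketch.
      token_password (str): optional password used to decrypt the
          Timesketch credential storage. Defaults to an empty string since
          the upstream library expects a string value. An empty string means
          a password will be generated by the upstream library.
    """
    self.timesketch_api = timesketch_utils.GetApiClient(
        self.state, token_password=token_password)
    # No return follows: ModuleError(critical=True) is presumably expected to
    # abort the module — TODO confirm against the base class.
    if not self.timesketch_api:
      self.ModuleError(
          'Unable to get a Timesketch API client, try deleting the files '
          '~/.timesketchrc and ~/.timesketch.token', critical=True)
    self.incident_id = incident_id
    self.sketch_id = int(sketch_id) if sketch_id else None
    sketch = None

    # Check that we have a timesketch session. Both the client and its session
    # must be present; with `or` the session was never inspected.
    if not (self.timesketch_api and self.timesketch_api.session):
      message = 'Could not connect to Timesketch server'
      self.ModuleError(message, critical=True)

    if not self.sketch_id:
      self.sketch_id = self._GetSketchIDFromAttributes()

    if not self.sketch_id:  # No sketch id is provided, create it.
      if incident_id:
        sketch_name = 'Sketch for incident ID: ' + incident_id
      else:
        sketch_name = 'Untitled sketch'
      sketch_description = 'Sketch generated by dfTimewolf'

      sketch = self.timesketch_api.create_sketch(
          sketch_name, sketch_description)
      self.sketch_id = sketch.id
      # Lazy %-style args: formatting is deferred to the logging layer.
      self.logger.info('Sketch %d created', self.sketch_id)

    # An existing sketch ID was supplied or found: fetch the sketch object.
    if not sketch:
      sketch = self.timesketch_api.get_sketch(self.sketch_id)

    self.state.AddToCache('timesketch_sketch', sketch)
    # Only accept a real sequence of analyzer names; anything else is ignored.
    if analyzers and isinstance(analyzers, (tuple, list)):
      self._analyzers = analyzers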
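  def SetUp(self,  # pylint: disable=arguments-differ
            incident_id=None,
            sketch_id=None,
            analyzers=None):
    """Sets up a connection to a Timesketch server and creates a sketch if needed.

    Args:
      incident_id (Optional[str]): Incident ID or reference. Used in the sketch
          name when a new sketch is created.
      sketch_id (Optional[str]): Sketch ID to add the resulting timeline to.
          If not provided, the ID is looked up via _GetSketchIDFromAttributes()
          and, failing that, a new sketch is created.
      analyzers (Optional[List[str]]): If provided, a list of analyzer names
          to run on the sketch after they've been imported to Timesketch.
    """
    self.timesketch_api = timesketch_utils.GetApiClient(self.state)
    self.incident_id = incident_id
    self.sketch_id = int(sketch_id) if sketch_id else None
    sketch = None

    # Check that we have a timesketch session. Both the client and its session
    # must be present. With `or`, a None client fell through to
    # `self.timesketch_api.session` and raised AttributeError instead of
    # reaching the graceful AddError/return below.
    if not (self.timesketch_api and self.timesketch_api.session):
      message = 'Could not connect to Timesketch server'
      self.state.AddError(message, critical=True)
      return

    if not self.sketch_id:
      self.sketch_id = self._GetSketchIDFromAttributes()

    if not self.sketch_id:  # No sketch id is provided, create it.
      if incident_id:
        sketch_name = 'Sketch for incident ID: ' + incident_id
      else:
        sketch_name = 'Untitled sketch'
      sketch_description = 'Sketch generated by dfTimewolf'

      sketch = self.timesketch_api.create_sketch(
          sketch_name, sketch_description)
      self.sketch_id = sketch.id
      # NOTE(review): this version reports to stdout; no logger attribute is
      # visible here, so print() is kept rather than assuming self.logger.
      print('Sketch {0:d} created'.format(self.sketch_id))

    # An existing sketch ID was supplied or found: fetch the sketch object.
    if not sketch:
      sketch = self.timesketch_api.get_sketch(self.sketch_id)

    self.state.AddToCache('timesketch_sketch', sketch)
    # Only accept a real sequence of analyzer names; anything else is ignored.
    if analyzers and isinstance(analyzers, (tuple, list)):
      self._analyzers = analyzers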
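  def SetUp(self,  # pylint: disable=arguments-differ
            wait_for_analyzers=True,
            searches_to_skip='',
            aggregations_to_skip='',
            include_stories=False,
            token_password='',
            max_checks=0,
            formatter='html'):
    """Sets up a Timesketch Enhancer module.

    Args:
      wait_for_analyzers (bool): If set to True then the enhancer will wait
          until all analyzers are done running. If set to False, the module
          will be skipped, since it does not wait for any results. Defaults to
          True.
      searches_to_skip (str): A comma separated string with a list of names of
          saved searches that are not to be included when generating reports.
          Blank entries (e.g. from a trailing comma) are ignored.
      aggregations_to_skip (str): A comma separated string with a list of
          Aggregation names that are not to be included when generating
          reports. Blank entries are ignored.
      include_stories (bool): If set to True then story content will be
          dumped into a report, otherwise stories will be ignored. Defaults
          to False.
      token_password (str): optional password used to decrypt the
          Timesketch credential storage. Defaults to an empty string since
          the upstream library expects a string value. An empty string means
          a password will be generated by the upstream library.
      max_checks (int): The enhancer will wait for analyzers to complete before
          attempting to collect data from Timesketch. The tool waits 3 seconds
          before each check, and by default the number of checks is 60, meaning
          that the module will wait at most 180 seconds before continuing. This
          may not be enough time to complete all the work needed, if more time
          is needed max_checks can be increased. A value of 0 leaves the
          module's existing default untouched.
      formatter (str): optional string defining the formatting class that will
          be used for text formatting in reports. Valid options are:
          "html" or "markdown", defaults to "html". Any other value (including
          None) falls back to "html".
    """
    self.timesketch_api = timesketch_utils.GetApiClient(
        self.state, token_password=token_password)

    # Both the client and its session must be present. With `or`, a None
    # client fell through to `self.timesketch_api.session` and raised
    # AttributeError instead of reporting the error through ModuleError.
    # No return follows: ModuleError(critical=True) is presumably expected to
    # abort the module — TODO confirm against the base class.
    if not (self.timesketch_api and self.timesketch_api.session):
      self.ModuleError(
          'Unable to get a Timesketch API client, try deleting the files '
          '~/.timesketchrc and ~/.timesketch.token', critical=True)

    # Only override the default when a non-zero value was supplied; the default
    # itself is presumably set in __init__ — not visible here.
    if max_checks:
      self._max_checks = int(max_checks)

    self._include_stories = include_stories
    self._wait_for_analyzers = wait_for_analyzers

    # Split the comma separated lists, trimming whitespace and dropping empty
    # names so a stray trailing comma does not produce a '' entry.
    if aggregations_to_skip:
      self._aggregations_to_skip = [
          name.strip() for name in aggregations_to_skip.split(',')
          if name.strip()]

    if searches_to_skip:
      self._searches_to_skip = [
          name.strip() for name in searches_to_skip.split(',')
          if name.strip()]

    # Case-insensitive match; a None formatter is treated like an unknown
    # value and falls back to HTML instead of raising AttributeError.
    if (formatter or '').lower() == 'markdown':
      self._formatter = utils.MarkdownFormatter()
    else:
      self._formatter = utils.HTMLFormatter()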