def Main():
  """The main program function.

  Parses the command line, opens the Windows Restore Point rp.log file given
  as PATH with rp_log.RestorePointLogFile and prints an information header.
  Parsing output itself is produced by the file class via the output writer.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(description=(
      'Extracts information from Windows Restore Point rp.log files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the Windows Restore Point rp.log file.')

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  rp_log_file = rp_log.RestorePointLogFile(
      debug=options.debug, output_writer=writer)
  rp_log_file.Open(options.source)

  print('Windows Restore Point rp.log information:')
  print('')

  rp_log_file.Close()
  writer.Close()

  return True
def Main():
  """The main program function.

  Parses the command line, sniffs the first 11 bytes of the source file to
  choose between the Mac OS X utmpx and the Linux libc6 utmp parser, then
  opens the file with the chosen class and prints an information header.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(description=(
      'Extracts information from utmp files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the utmp file.')

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  # Only the utmpx variant carries a signature; anything else is treated as
  # Linux libc6 utmp.
  with open(options.source, 'rb') as file_object:
    file_object.seek(0, os.SEEK_SET)
    signature = file_object.read(11)

  is_utmpx = signature == b'utmpx-1.00\x00'
  file_class = utmp.MacOSXUtmpxFile if is_utmpx else utmp.LinuxLibc6UtmpFile
  utmp_file = file_class(debug=options.debug, output_writer=writer)

  utmp_file.Open(options.source)

  writer.WriteText('utmp information:')

  utmp_file.Close()

  writer.WriteText('')
  writer.Close()

  return True
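def Main():
  """The main program function.

  Parses the command line and selects the Firefox cache version 1 parser from
  the source file name: `_CACHE_MAP_` is opened as a cache map file and a
  name starting with `_CACHE_00` as a cache block file. Any other file name
  is reported as unsupported instead of crashing on an unbound variable.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts information from Firefox cache version 1 files.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the Firefox cache version 1 file.')

  options = argument_parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutWriter()

  try:
    output_writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  # The file type is derived from the base name only; the directory part is
  # irrelevant to the format.
  filename = os.path.basename(options.source)

  if filename == '_CACHE_MAP_':
    cache_file = firefox_cache1.CacheMapFile(
        debug=options.debug, output_writer=output_writer)

  elif filename.startswith('_CACHE_00'):
    cache_file = firefox_cache1.CacheBlockFile(
        debug=options.debug, output_writer=output_writer)

  else:
    # Previously cache_file was left unbound here and the Open() call below
    # raised UnboundLocalError; report the unsupported name explicitly.
    print('Unsupported Firefox cache version 1 file name: {0:s}'.format(
        filename))
    print('')
    output_writer.Close()
    return False

  cache_file.Open(options.source)

  print('Firefox cache version 1 information:')
  print('')

  cache_file.Close()
  output_writer.Close()

  return True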
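def _PrintSchema(keychain_file):
  """Prints the schema of every table in a keychain database file.

  Args:
    keychain_file (keychain.KeychainDatabaseFile): opened keychain database
        file whose `tables` attribute is iterated.
  """
  print('Keychain database file schema:')

  for table in keychain_file.tables:
    print('Table: {0:s} (0x{1:08x})'.format(
        table.relation_name, table.relation_identifier))

    number_of_columns = len(table.columns)
    print('\tNumber of columns:\t{0:d}'.format(number_of_columns))
    print('\tColumn\tIdentifier\tName\tType')

    for index, column in enumerate(table.columns):
      # An attribute identifier outside the column range is shown blank
      # rather than as a number.
      if column.attribute_identifier >= number_of_columns:
        attribute_identifier = ''
      else:
        attribute_identifier = '{0:d}'.format(column.attribute_identifier)

      # Unknown data types fall back to their hexadecimal value.
      attribute_data_type = ATTRIBUTE_DATA_TYPES.get(
          column.attribute_data_type,
          '0x{0:08x}'.format(column.attribute_data_type))

      print('\t{0:d}\t{1:s}\t{2:s}\t{3:s}'.format(
          index, attribute_identifier, column.attribute_name or 'NULL',
          attribute_data_type))

    print('')

  print('')


def _PrintContent(keychain_file):
  """Prints the records of every table in a keychain database file.

  Args:
    keychain_file (keychain.KeychainDatabaseFile): opened keychain database
        file whose `tables` attribute is iterated.
  """
  for table in keychain_file.tables:
    print('Table: {0:s} (0x{1:08x})'.format(
        table.relation_name, table.relation_identifier))

    # attribute_name can be None (the schema output substitutes 'NULL' for
    # it); str.join would raise TypeError on a None element, so use the
    # same substitution here.
    print('\t'.join([
        column.attribute_name or 'NULL' for column in table.columns]))

    for record in table.records:
      record_values = [
          'NULL' if value is None else '{0!s}'.format(value)
          for value in record.values()]
      print('\t'.join(record_values))

    print('')


def Main():
  """The main program function.

  Parses the command line, opens a MacOS keychain database file and prints
  either its table schema (default) or, with --content, its table records.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts information from MacOS keychain database files.'))

  argument_parser.add_argument(
      '-c', '--content', dest='content', action='store_true', default=False,
      help='export database content instead of schema.')

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the keychain database file.')

  options = argument_parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutWriter()

  try:
    output_writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  keychain_file = keychain.KeychainDatabaseFile(
      debug=options.debug, output_writer=output_writer)
  keychain_file.Open(options.source)

  # NOTE(review): --content prints record values as-is; a keychain database
  # may hold sensitive material, so redirect output with care.
  if not options.content:
    _PrintSchema(keychain_file)
  else:
    _PrintContent(keychain_file)

  keychain_file.Close()
  output_writer.Close()

  return True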
def Main():
  """The main program function.

  Parses the command line and opens a WMI CIM repository. When the source
  path names INDEX.BTR (case-insensitive) the index binary tree in the
  containing directory is opened; otherwise the source path is opened as the
  repository directory. Object record keys containing a '.' are grouped by
  the part of the last path component before the '.', printed and read.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(description=(
      'Extracts information from WMI Common Information Model (CIM) '
      'repository files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=('path of the directory containing the WMI Common Information '
            'Model (CIM) repository files.'))

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  basename = os.path.basename(options.source).upper()

  repository = wmi_repository.CIMRepository(
      debug=options.debug, output_writer=writer)

  if basename == 'INDEX.BTR':
    repository.OpenIndexBinaryTree(os.path.dirname(options.source))
  else:
    repository.Open(options.source)

  # Group keys by the name part (before the '.') of their last '\\' component.
  grouped_keys = {}
  for key in repository.GetKeys():
    if '.' not in key:
      continue

    last_component = key.rpartition('\\')[2]
    group_name = last_component.partition('.')[0]
    grouped_keys.setdefault(group_name, []).append(key)

  # Keys are taken from the repository file; they are printed unfiltered.
  for keys in grouped_keys.values():
    for key in keys:
      print(key)
      repository.GetObjectRecordByKey(key).Read()

  repository.Close()
  writer.Close()

  return True
def Main():
  """The main program function.

  Parses the command line and either hashes every file entry of a CPIO
  archive (--hash, via CPIOArchiveFileHasher) or opens the archive with
  cpio.CPIOArchiveFile and prints its format and size.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(
      description=('Extracts information from CPIO archive files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      '--hash', dest='hash', action='store_true', default=False,
      help='calculate the SHA-256 sum of the file entries.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the CPIO archive file.')

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  if options.hash:
    hasher = CPIOArchiveFileHasher(
        options.source, debug=options.debug, output_writer=writer)
    hasher.HashFileEntries()

  else:
    # TODO: move functionality to CPIOArchiveFileInfo.
    archive = cpio.CPIOArchiveFile(debug=options.debug, output_writer=writer)
    archive.Open(options.source)

    writer.WriteText('CPIO archive information:\n')
    writer.WriteText('\tFormat\t\t: {0:s}\n'.format(archive.file_format))
    writer.WriteText('\tSize\t\t: {0:d} bytes\n'.format(archive.size))

    archive.Close()

  writer.WriteText('\n')
  writer.Close()

  return True
def testWriteText(self):
  """Tests that WriteText accepts an empty string without raising."""
  output_writers.StdoutWriter().WriteText('')
def testOpen(self):
  """Tests that Open on a fresh StdoutWriter does not raise."""
  output_writers.StdoutWriter().Open()
def testClose(self):
  """Tests that Close on a never-opened StdoutWriter does not raise."""
  output_writers.StdoutWriter().Close()
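def Main():
  """The main program function.

  Parses the command line, opens a Windows Recycle.Bin metadata ($I) file
  and prints its format version, deletion time, original file name and
  original file size.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts information from Windows Recycle.Bin metadata ($I) files.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the Recycle.Bin metadata ($I) file.')

  options = argument_parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutWriter()

  try:
    output_writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  metadata_file = recycle_bin.RecycleBinMetadataFile(
      debug=options.debug, output_writer=output_writer)
  metadata_file.Open(options.source)

  print('Recycle.Bin metadata ($I) file information:')
  print('\tFormat version\t\t: {0:d}'.format(metadata_file.format_version))

  # 0 and the maximum signed 64-bit value are the conventional "not set" and
  # "never" FILETIME markers; everything else is converted via dfdatetime.
  if metadata_file.deletion_time == 0:
    date_time_string = 'Not set'
  elif metadata_file.deletion_time == 0x7fffffffffffffff:
    date_time_string = 'Never'
  else:
    date_time = dfdatetime_filetime.Filetime(
        timestamp=metadata_file.deletion_time)
    date_time_string = date_time.CopyToDateTimeString()
    if date_time_string:
      date_time_string = '{0:s} UTC'.format(date_time_string)
    else:
      # The original format string '0x{08:x}' addressed positional argument 8
      # and raised IndexError; '{0:08x}' is the intended zero-padded hex.
      date_time_string = '0x{0:08x}'.format(metadata_file.deletion_time)

  print('\tDeletion time\t\t: {0:s}'.format(date_time_string))

  # The original file name is taken from the file and printed unfiltered.
  print('\tOriginal filename\t: {0:s}'.format(
      metadata_file.original_filename))
  print('\tOriginal file size\t: {0:d}'.format(
      metadata_file.original_file_size))

  print('')

  metadata_file.Close()
  output_writer.Close()

  return True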
def Main():
  """The main program function.

  Parses the command line and opens a Windows Jump List file. A file with an
  OLECF signature (pyolecf.check_file_signature) is treated as an automatic
  destinations file, anything else as a custom destinations file. Prints the
  entry counts and, per LNK file entry, the class type of each shell item.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(description=(
      'Extracts information from Windows Jump List files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the Windows Jump List file.')

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  if pyolecf.check_file_signature(options.source):
    file_class = jump_list.AutomaticDestinationsFile
  else:
    file_class = jump_list.CustomDestinationsFile

  jump_list_file = file_class(debug=options.debug, output_writer=writer)
  jump_list_file.Open(options.source)

  print('Windows Jump List information:')
  print('Number of entries:\t\t{0:d}'.format(len(jump_list_file.entries)))
  print('Number of recovered entries:\t{0:d}'.format(
      len(jump_list_file.recovered_entries)))
  print('')

  for entry in jump_list_file.entries:
    print('LNK file entry: {0:s}'.format(entry.identifier))

    for shell_item in entry.GetShellItems():
      print('Shell item: 0x{0:02x}'.format(shell_item.class_type))

    print('')

  jump_list_file.Close()
  writer.Close()

  return True
def Main():
  """The main program function.

  Parses the command line and sniffs 4 bytes at offset 40 of the source
  file: b'FME ' selects the EMF parser, anything else (including a short
  read) the WMF parser. Prints a header built from the parser's FILE_TYPE.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(description=(
      'Extracts information from Windows (Enhanced) Metafile files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the Windows (Enhanced) Metafile file.')

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  with open(options.source, 'rb') as file_object:
    file_object.seek(40, os.SEEK_SET)
    signature = file_object.read(4)

  file_class = wemf.EMFFile if signature == b'FME ' else wemf.WMFFile
  metafile = file_class(debug=options.debug, output_writer=writer)
  metafile.Open(options.source)

  writer.WriteText('{0:s} information:'.format(metafile.FILE_TYPE))

  metafile.Close()
  writer.Close()

  return True
def Main():
  """The main program function.

  Parses the command line and reads the first 4 bytes of the source file:
  b'\\x99\\x88\\x77\\x66' selects the uuidtext parser, anything else the
  tracev3 parser. Prints an information header after opening the file.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(description=(
      'Extracts information from Apple Unified Logging and Activity Tracing '
      'files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=('path of the Apple Unified Logging and Activity Tracing file.'))

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  with open(options.source, 'rb') as file_object:
    signature = file_object.read(4)

  if signature == b'\x99\x88\x77\x66':
    file_class = uuidtext.UUIDTextFile
  else:
    file_class = tracev3.TraceV3File

  log_file = file_class(debug=options.debug, output_writer=writer)
  log_file.Open(options.source)

  writer.WriteText(
      'Apple Unified Logging and Activity Tracing information:\n')

  log_file.Close()
  writer.Close()

  return True
def Main():
  """The main program function.

  Parses the command line, opens a Windows Restore Point change.log file and
  prints the volume path followed by, per entry, its decoded type and flag
  bits (looked up in the file class's LOG_ENTRY_TYPES / LOG_ENTRY_FLAGS),
  sequence number and process name.

  Returns:
    bool: True if successful or False if not.
  """
  parser = argparse.ArgumentParser(description=(
      'Extracts information from Windows Restore Point change.log files.'))

  parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help='path of the Windows Restore Point change.log file.')

  options = parser.parse_args()

  # A missing positional argument is reported together with the usage text.
  if not options.source:
    print('Source file missing.')
    print('')
    parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  writer = output_writers.StdoutWriter()

  try:
    writer.Open()
  except IOError as exception:
    print('Unable to open output writer with error: {0!s}'.format(exception))
    print('')
    return False

  change_log = rp_change_log.RestorePointChangeLogFile(
      debug=options.debug, output_writer=writer)
  change_log.Open(options.source)

  print('Windows Restore Point change.log information:')
  print('Volume path:\t{0:s}'.format(change_log.volume_path))
  print('')

  for entry in change_log.entries:
    # Collect the description of every bit set in the type and flags fields,
    # in the lookup table's iteration order.
    type_descriptions = [
        description
        for flag, description in change_log.LOG_ENTRY_TYPES.items()
        if entry.entry_type & flag]
    print('Entry type:\t\t{0:s}'.format(', '.join(type_descriptions)))

    flag_descriptions = [
        description
        for flag, description in change_log.LOG_ENTRY_FLAGS.items()
        if entry.entry_flags & flag]
    print('Entry flags:\t\t{0:s}'.format(', '.join(flag_descriptions)))

    print('Sequence number:\t{0:d}'.format(entry.sequence_number))
    print('Process name:\t\t{0:s}'.format(entry.process_name))
    print('')

  change_log.Close()
  writer.Close()

  return True