def main(): store = forensicstore.connect(".") items = list(store.select(sys.argv[1])) results = transform(store, items, sys.argv[1], sys.argv[2:]) for result in results: store.insert(result) store.close()
def test_docker(data): client = docker.from_env() # build image image_tag = "test_docker" image, _ = client.images.build(path="docker/process/plaso/", tag=image_tag) # run image store_path = os.path.abspath( os.path.join(data, "data", "example1.forensicstore")) store_path_unix = store_path if store_path[1] == ":": store_path_unix = "/" + store_path.lower()[0] + store_path[2:].replace( "\\", "/") volumes = {store_path_unix: {'bind': '/store', 'mode': 'rw'}} # plugin_dir: {'bind': '/plugins', 'mode': 'ro'} output = client.containers.run( image_tag, command=["--filter", "artifact=WindowsDeviceSetup"], volumes=volumes, stderr=True) print(output) # test results store = forensicstore.connect(store_path) items = list(store.select("event")) store.close() assert len(items) == 69 # cleanup try: shutil.rmtree(data) except PermissionError: pass
def test_add_process_item(self, out_dir, data): store = forensicstore.connect(out_dir + "/iptables.forensicstore") cmd_date = datetime.datetime(2016, 1, 20, 14, 11, 25, 550000) cmd = store.add_process_item("IPTablesRules", "iptables", cmd_date, "/root/", ["-L", "-n", "-v"], "/sbin/iptables -L -n -v", 0, []) with store.add_process_item_stdout( cmd) as stdout, store.add_process_item_stderr(cmd) as stderr: stdout.write(b"foo") stderr.write(b"bar") items = store.all() first = list(items).pop() del first["uid"] assert first == EXAMPLE_FORENSICSTORE[0] with open(out_dir + "/iptables.forensicstore/IPTablesRules/stdout", 'rb') as io: assert io.read() == b"foo" with open(out_dir + "/iptables.forensicstore/IPTablesRules/stderr", 'rb') as io: assert io.read() == b"bar" store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_add_file_item(self, out_dir, data): store = forensicstore.connect(out_dir + "/amcache.forensicstore") file_date = datetime.datetime(2014, 9, 11, 21, 50, 18, 301000) origin = { "path": "C:\\Windows\\appcompat\\Programs\\Amcache.hve", "volume": "2" } file = store.add_file_item("WindowsAMCacheHveFile", "Amcache.hve", file_date, file_date, file_date, origin, []) with store.add_file_item_export(file) as export: export.write(123 * b'A') items = store.all() first = list(items).pop() del first["uid"] assert first == EXAMPLE_FORENSICSTORE[2] with open( out_dir + "/amcache.forensicstore/WindowsAMCacheHveFile/Amcache.hve", 'rb') as io: assert io.read() == 123 * b'A' store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_parse(self, out_dir, data): store = forensicstore.connect(out_dir + "/parse.forensicstore") store.import_stix(data + "/json/example1.json") file = store.select( "file", [{ "origin.path": "C:\\Windows\\appcompat\\Programs\\Amcache.hve" }]) assert list( file)[0]["hashes"]["MD5"] == "9b573b2e4c4b91558f6afd65262a6fb9" reg_key = list( store.select("windows-registry-key", [{ "key": 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CodePage' }])) assert reg_key[0]["values"][0]["data"] == '1252' store.export_stix(out_dir + "/stix.json") with open(out_dir + "/stix.json") as io: objects = list(json.load(io)["objects"].values()) for obj in objects: del obj["uid"] assert sorted(objects, key=lambda k: k['artifact']) == sorted( EXAMPLE_FORENSICSTORE, key=lambda k: k['artifact']) store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def main(): parser = argparse.ArgumentParser(description='parse key pairs into a dictionary') parser.add_argument("--filter", dest="filter", action=StoreDictKeyPair, metavar="type=file,name=System.evtx...") args, _ = parser.parse_known_args(sys.argv[1:]) if args.filter is None: LOGGER.warning("requires a filter to be set") sys.exit(1) store = forensicstore.connect(".") files = [] selected = list(store.select("file", args.filter)) for item in selected: if "export_path" in item and os.path.exists(item["export_path"]): files.append(item["export_path"]) store.close() os.makedirs("Plaso", exist_ok=True) for file in files: subprocess.run( ["log2timeline.py", "--status_view", "none", "--logfile", "test.log", "Plaso/events.plaso", file], check=True ) # TODO: add logfile to forensicstore subprocess.run( ["psort.py", "--status_view", "none", "-o", "forensicstore", "-w", "/store/", "Plaso/events.plaso"], check=True )
def main(): store = forensicstore.connect(".") items = list(store.select(sys.argv[1], combined_conditions(None))) result = transform(store, items, sys.argv[2]) if result: store.insert(result) store.close()
def main(): store = forensicstore.connect(".") usb_usage_data = USBForensicStoreExtractor(store).get_usb_usage_data() for result in usb_usage_data: result["type"] = "usb-device" store.insert(result) store.close()
def test_init_create(self, out_dir, data): store = forensicstore.connect(out_dir + "/init_create.forensicstore") store.close() assert os.path.exists(out_dir + "/init_create.forensicstore/item.db") # print(out_dir + "/init_create.forensicstore/item.db") created empty table shutil.rmtree(out_dir) shutil.rmtree(data)
def test_add_item_with_empty_value(self, out_dir, data): store = forensicstore.connect(out_dir + "/invalid.forensicstore") with pytest.raises(TypeError): store.insert({"type": "file", "name": "foo.txt", "ctime": ""}) store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_add_invalid_item(self, out_dir, data): store = forensicstore.connect(out_dir + "/invalid.forensicstore") with pytest.raises(TypeError): store.insert({"type": "file", "foo": "bar"}) store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_invalid_json(self, out_dir, data): store = forensicstore.connect(out_dir + "/invalid.forensicstore") errors, _ = store.validate_item({"type": "file", "foo": "bar"}) assert len(errors) == 1 assert "Failed validating" in errors[0] store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_import_store(self, out_dir, data): import_store = forensicstore.connect(out_dir + "/tmp/tmp.forensicstore") file_date = datetime.datetime(2014, 9, 11, 21, 50, 18, 301000) origin = { "path": "C:\\Windows\\appcompat\\Programs\\Amcache.hve", "volume": "2" } file1 = import_store.add_file_item("WindowsAMCacheHveFile", "Amcache.hve", file_date, file_date, file_date, origin, []) with import_store.add_file_item_export(file1) as export: export.write(123 * b'A') import_store.close() store = forensicstore.connect(out_dir + "/amcache/amcache.forensicstore") file1 = store.add_file_item("WindowsAMCacheHveFile", "Amcache.hve", file_date, file_date, file_date, origin, []) with store.add_file_item_export(file1) as export: export.write(123 * b'B') store.import_forensicstore(out_dir + "/tmp/tmp.forensicstore") items = store.all() assert len(list(items)) == 2 with open( out_dir + "/amcache/amcache.forensicstore/WindowsAMCacheHveFile/Amcache.hve", 'rb') as io: assert io.read() == 123 * b'B' with open( out_dir + "/amcache/amcache.forensicstore/WindowsAMCacheHveFile/Amcache_0.hve", 'rb') as io: assert io.read() == 123 * b'A' store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def main(): store = forensicstore.connect(".") conditions = [{ 'key': "HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Services\\%" }] items = list( store.select("windows-registry-key", combined_conditions(conditions))) results = transform(items) for result in results: store.insert(result) store.close()
def test_parent_file(self, out_dir, data): store = forensicstore.connect(out_dir + "/missing_file.forensicstore") store.insert({"type": "foo", "foo_path": "../bar"}) errors = store.validate() assert len(errors) == 1 assert errors[0] == "'..' in ../bar" store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def Open(self): """Connects to the database and creates the required tables. Raises: IOError: if the specified output file already exists. OSError: if the specified output file already exists. ValueError: if the filename is not set. """ if not self._filename: raise ValueError('Missing filename.') self._store = forensicstore.connect(self._filename)
def test_networking(data): cwd = os.getcwd() os.chdir(os.path.join(data, "data", "example1.forensicstore")) main() store = forensicstore.connect(os.path.join(data, "data", "example1.forensicstore")) items = list(store.select("known_network")) store.close() assert len(items) == 9 os.chdir(cwd) shutil.rmtree(data)
def main(): store = forensicstore.connect(".") conditions = [{ 'key': "HKEY_LOCAL_MACHINE\\System\\%ControlSet%\\Control\\Session Manager\\AppCompat%" }] items = store.select("windows-registry-key", combined_conditions(conditions)) for item in items: results = transform(item) for result in results: store.insert(result) store.close()
def test_add_directory_item(self, out_dir, data): store = forensicstore.connect(out_dir + "/program_files.forensicstore") dir_date = datetime.datetime(2014, 9, 11, 21, 50, 18, 301000) store.add_directory_item("WindowsEnvironmentVariableProgramFiles", "C:\\Program Files", dir_date, dir_date, dir_date, []) items = store.all() first = list(items).pop() del first["id"] assert first == EXAMPLE_FORENSICSTORE[3] store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_runkeys(data): cwd = os.getcwd() os.chdir(os.path.join(data, "data", "example1.forensicstore")) main() store = forensicstore.connect(os.path.join(data, "data", "example1.forensicstore")) items = list(store.select("runkey")) store.close() assert len(items) == 10 os.chdir(cwd) shutil.rmtree(data)
def test_wrong_size(self, out_dir, data): store = forensicstore.connect(out_dir + "/wrong_size.forensicstore") with store.store_file("bar") as (path, io): io.write(b'b') store.insert({"type": "foo", "foo_path": "bar", "size": 2}) errors = store.validate() assert len(errors) == 1 assert errors[0] == "wrong size for bar" store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_additional_file(self, out_dir, data): store = forensicstore.connect(out_dir + "/additional_file.forensicstore") with store.store_file("bar") as (path, io): io.write(b'b') errors = store.validate() assert len(errors) == 1 assert errors[0] == "additional files: ('/bar')" store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_software(data): cwd = os.getcwd() os.chdir(os.path.join(data, "data", "example1.forensicstore")) main() store = forensicstore.connect( os.path.join(data, "data", "example1.forensicstore")) items = list(store.select("uninstall_entry")) store.close() assert len(items) == 6 os.chdir(cwd) shutil.rmtree(data)
def main(): store = forensicstore.connect(".") conditions = [{ 'key': r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%" }, { 'key': r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Services\Tcpip\Parameters\Interfaces\%" }] items = store.select("windows-registry-key", combined_conditions(conditions)) for result in transform(items): store.insert(result) store.close()
def test_add_registry_key_item(self, out_dir, data): store = forensicstore.connect(out_dir + "/codepage.forensicstore") key_date = datetime.datetime(2009, 7, 14, 4, 34, 14, 225000) key = store.add_registry_key_item("WindowsCodePage", key_date, "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CodePage", []) store.add_registry_value_item(key, "REG_SZ", "1252".encode("utf-16"), "ACP") items = store.all() first = list(items).pop() del first["id"] assert first == EXAMPLE_FORENSICSTORE[5] store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_add_item_with_none_value(self, out_dir, data): store = forensicstore.connect(out_dir + "/invalid.forensicstore") file_id = store.insert({ "type": "file", "name": "foo.txt", "created": None }) item = store.get(file_id) assert "created" not in item store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def main(): store = forensicstore.connect(".") conditions = [{ 'key': "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%" }, { 'key': "HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%" }] items = list( store.select("windows-registry-key", combined_conditions(conditions))) for item in items: results = transform(item) for result in results: store.insert(result) store.close()
def main(): store = forensicstore.connect(".") hklmsw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\" conditions = [{ 'key': hklmsw + "Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\%" }, { 'key': hklmsw + "WOW6432Node\\Microsoft\\Updates\\%\\%" }, { 'key': hklmsw + "Microsoft\\Updates\\%\\%" }] for item in store.select("windows-registry-key", combined_conditions(conditions)): results = transform(item) for result in results: store.insert(result) store.close()
def test_wrong_hash(self, out_dir, data): store = forensicstore.connect(out_dir + "/wrong_hash.forensicstore") with store.store_file("bar") as (path, io): io.write(b'b') store.insert({ "type": "foo", "foo_path": "bar", "hashes": { "MD5": "beef" } }) errors = store.validate() assert len(errors) == 1 assert errors[0] == "hashvalue mismatch MD5 for bar" store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_docker(data): client = docker.from_env() # build image image_tag = "test_artifacts" image, _ = client.images.build(path="docker/imports/artifacts/", tag=image_tag) # run image store_path = os.path.abspath(os.path.join(data, "example.forensicstore")) store_path_unix = to_unix_path(store_path) import_path = os.path.abspath(os.path.join(data, "data", "win10_mock.vhd")) import_path_unix = to_unix_path(import_path) volumes = { store_path_unix: { 'bind': '/store', 'mode': 'rw' }, import_path_unix: { 'bind': '/transit', 'mode': 'ro' } } # plugin_dir: {'bind': '/plugins', 'mode': 'ro'} client.containers.run(image_tag, volumes=volumes, stderr=True).decode("ascii") # test results store = forensicstore.connect(store_path) items = list(store.all()) store.close() assert len(items) == 8 # cleanup try: shutil.rmtree(data) except PermissionError: pass