def test_select(self, out_dir, data): store = forensicstore.open(data + "/forensicstore/example1.forensicstore") assert len(list(store.select([{"type": "file"}]))) == 2 store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_all(self, out_dir, data): store = forensicstore.open(data + "/forensicstore/example1.forensicstore") assert len(list(store.all())) == 7 store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_add_column(self, out_dir, data): store = forensicstore.open(data + "/forensicstore/example1.forensicstore") store.update("process--920d7c41-0fef-4cf8-bce2-ead120f6b506", {"new_column": "foo"}) assert len(list(store.all())) == 7 first = store.get("process--920d7c41-0fef-4cf8-bce2-ead120f6b506") assert first == { "id": "process--920d7c41-0fef-4cf8-bce2-ead120f6b506", "artifact": "IPTablesRules", "type": "process", "name": "iptables", "created_time": "2016-01-20T14:11:25.550Z", "cwd": "/root/", "command_line": "/sbin/iptables -L -n -v", "stdout_path": "IPTablesRules/stdout", "stderr_path": "IPTablesRules/stderr", "return_code": 0, "new_column": "foo" } store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def run(self): # do we have a key list for decryption? encryption_keys = [] if self.args.keyfile: try: with open(self.args.keyfile, 'r') as keyfile: encryption_keys = encryption_handlers.read_key_list( keyfile) except OSError as err: LOGGER.error("Could not open key file: %s", err.strerror) extractor = None store_file = self.args.output_store print("Using output forensicstore:", store_file) store = forensicstore.open(store_file) try: handler = encryption_handlers.ConsoleEncryptionHandler( encryption_keys) extractor = ArtifactExtractor(self.args.input_evidence, store, self.artifact_registry, handler, self.args.zip_mode) to_extract = [ a.strip() for a in self.args.artifact_names.split(',') ] for artifact in to_extract: print("Extract %s" % artifact) extractor.extract_artifact(artifact) except Exception as error: LOGGER.exception("Uncaught exception during job: %s", error) finally: store.close() if extractor: extractor.clean_up()
def main(url): print(json.dumps({"header": ["Name", "Command", "SID", "Key"]})) store = forensicstore.open(url) hklmsw = "HKEY_LOCAL_MACHINE\\Software\\" hkusw = "HKEY_USERS\\%\\Software\\" conditions = [ {'key': hklmsw + r"Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"}, {'key': hklmsw + r"Microsoft\Windows\CurrentVersion\Run"}, {'key': hklmsw + r"Microsoft\Windows\CurrentVersion\RunOnce"}, {'key': hklmsw + r"Microsoft\Windows\CurrentVersion\RunOnce\Setup"}, {'key': hklmsw + r"Microsoft\Windows\CurrentVersion\RunOnceEx"}, {'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Run"}, {'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"}, {'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup"}, {'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx"}, {'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"}, {'key': hkusw + r"Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"}, {'key': hkusw + r"Microsoft\Windows\CurrentVersion\Run"}, {'key': hkusw + r"Microsoft\Windows\CurrentVersion\RunOnce"}, {'key': hkusw + r"Microsoft\Windows\CurrentVersion\RunOnce\Setup"}, {'key': hkusw + r"Microsoft\Windows\CurrentVersion\RunOnceEx"}, {'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"}, {'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Run"}, {'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"}, {'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup"}, {'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx"} ] items = store.select(conditions) for result in transform(items): print(json.dumps(result)) store.close()
def __init__(self, forensicstore_path: str): """ Initializes forensicstore wrapper class. :param forensicstore_path: Path to an existing forensicstore. """ self.forensicstore_path = forensicstore_path self._fs_store = forensicstore.open(self.forensicstore_path)
def main(url): LOGGER.debug("process usb") store = forensicstore.open(url) usb_usage_data = USBForensicStoreExtractor(store).get_usb_usage_data() for result in usb_usage_data: result["type"] = "usb-device" print(json.dumps(result)) store.close()
def main(url): store = forensicstore.open(url) conditions = [{ 'key': "HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Services\\%" }] items = list(store.select(conditions)) for result in transform(items): print(json.dumps(result)) store.close()
def __init__(self, url, sigmaconfig): if not os.path.exists(sigmaconfig): raise FileNotFoundError(sigmaconfig) if not os.path.exists(url): raise FileNotFoundError(url) self.table = "elements" self.store = forensicstore.open(url) self.config = SigmaConfiguration(open(sigmaconfig)) self.SQL = ForensicStoreBackend(self.config)
def test_query_fts(self, out_dir, data): store = forensicstore.open(data + "/forensicstore/example1.forensicstore") res = list( store.query( 'SELECT json FROM elements WHERE elements MATCH (\'"IPTablesRules" OR "powershell"\')' )) assert len(res) == 2 print(res[0].keys()) assert res[0]['id'] == "process--920d7c41-0fef-4cf8-bce2-ead120f6b506" assert res[1]['id'] == "process--9da4aa39-53b8-412e-b3cd-6b26c772ad4d"
def main(url): store = forensicstore.open(url) conditions = [{ 'key': "HKEY_LOCAL_MACHINE\\System\\%ControlSet%\\Control\\Session Manager\\AppCompat%" }] items = store.select(conditions) for item in items: results = transform(item) for result in results: print(json.dumps(result)) store.close()
def Open(self): """Connects to the database and creates the required tables. Raises: IOError: if the specified output file already exists. OSError: if the specified output file already exists. ValueError: if the filename is not set. """ if not self._filename: raise ValueError('Missing filename.') self._store = forensicstore.open(self._filename)
def main(url): print(json.dumps({ "header": ['Name', 'Description', 'DisplayName', 'Group', 'Start Mode', 'Service Type', 'ImagePath', 'Service DLL', 'Service Key Changed', 'Parameters Key Changed', 'Source Key']})) store = forensicstore.open(url) conditions = [{'key': "HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Services\\%"}] items = list(store.select(conditions)) for result in transform(items): print(json.dumps(result)) store.close()
def test_import_image(tmp): return client = docker.from_env() # build image image_tag = "test_artifacts" image, _ = client.images.build(path="import-image/", tag=image_tag) store = forensicstore.new(os.path.join(tmp, "input.forensicstore")) store.close() # run image store_path = os.path.abspath(tmp) store_path_unix = to_unix_path(store_path) import_path = os.path.abspath(os.path.join(tmp, INPUT_IMAGE_SUBDIR)) import_path_unix = to_unix_path(import_path) volumes = { store_path_unix: { 'bind': '/input', 'mode': 'rw' }, import_path_unix: { 'bind': '/input/' + INPUT_IMAGE_SUBDIR, 'mode': 'ro' } } container = client.containers.run( image_tag, command=["--input-file", "win10_mock.vhd"], volumes=volumes, detach=True, ) result = container.wait() out = container.logs() container.remove() print(out.decode("utf-8")) assert result["StatusCode"] == 0 # test results store = forensicstore.open(os.path.join(store_path, "input.forensicstore")) items = list(store.all()) store.close() # shutil.copyfile(os.path.join(store_path, "input.forensicstore"), "./input.forensicstore") assert len(items) == 1832 # cleanup try: shutil.rmtree(tmp) except PermissionError: pass
def __init__(self, source_paths: List[str], url: str, artifact_registry: Registry, encryption_handler: dfvfs_helper.EncryptionHandler): self.dfvfs_list = [] self.artifact_registry = artifact_registry self.tmp_dir = None new_source_path = source_paths[0] self.dfvfs_list = [ dfvfs_helper.DFVFSHelper(new_source_path, encryption_handler) ] self.encryption_handler = encryption_handler # noinspection PyTypeChecker self.store = forensicstore.open(url)
def main(url): store = forensicstore.open(url) conditions = [{ 'key': r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%" }, { 'key': r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Services\Tcpip\Parameters\Interfaces\%" }] items = store.select(conditions) for result in transform(items): print(json.dumps(result)) store.close()
def main(url): store = forensicstore.open(url) conditions = [{ 'key': "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%" }, { 'key': "HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%" }] for item in store.select(conditions): results = transform(item) for result in results: print(json.dumps(result)) store.close()
def main(url): print(json.dumps({"header": ["Hotfix", "Installed", "Source", "Component"]})) LOGGER.debug("search for hotfixes") store = forensicstore.open(url) hklmsw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\" conditions = [ {'key': hklmsw + "Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\%"}, {'key': hklmsw + "WOW6432Node\\Microsoft\\Updates\\%\\%"}, {'key': hklmsw + "Microsoft\\Updates\\%\\%"} ] for item in store.select(conditions): for result in transform(item): print(json.dumps(result)) store.close()
def test_insert(self, out_dir, data): store = forensicstore.open(data + "/forensicstore/example1.forensicstore") assert len(list(store.all())) == 7 store.insert({ "type": "foo", "id": "foo--2cd66ab1-9b85-4110-8d77-4b6906819693" }) assert len(list(store.all())) == 8 assert store.get("foo--2cd66ab1-9b85-4110-8d77-4b6906819693") == { "type": "foo", "id": "foo--2cd66ab1-9b85-4110-8d77-4b6906819693" } store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def main(url): print(json.dumps({ "header": ["Name", "Version", "Publisher", "InstallDate", "Source", "Location", "Uninstall", "Key", "Key Timestamp"]})) store = forensicstore.open(url) conditions = [{ 'key': "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%" }, { 'key': "HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%" }] for item in store.select(conditions): results = transform(item) for result in results: print(json.dumps(result)) store.close()
def test_add_type_add_column(self, out_dir, data): store = forensicstore.open(data + "/forensicstore/example1.forensicstore") element_id = store.insert({"type": "foo"}) store.update(element_id, {"new_column": '"foo"'}) first = store.get(element_id) assert first == { "id": element_id, "new_column": '"foo"', "type": "foo", } store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def main(url): print( json.dumps({ "header": [ "vendor_name", "product_name", "usb_revision", "usb_uid", "volume_guid", "user_sid" ], })) LOGGER.debug("process usb") store = forensicstore.open(url) usb_usage_data = USBForensicStoreExtractor(store).get_usb_usage_data() for result in usb_usage_data: result["type"] = "usb-device" print(json.dumps(result)) store.close()
def test_docker(tmp): client = docker.from_env() # build image image_tag = "test_artifacts" image, _ = client.images.build(path="import-image/", tag=image_tag) store = forensicstore.new(os.path.join(tmp, "input.forensicstore")) store.close() # run image store_path = os.path.abspath(tmp) store_path_unix = to_unix_path(store_path) import_path = os.path.abspath(os.path.join(tmp, "in")) import_path_unix = to_unix_path(import_path) volumes = { store_path_unix: { 'bind': '/store', 'mode': 'rw' }, import_path_unix: { 'bind': '/data', 'mode': 'ro' } } out = client.containers.run(image_tag, command=["input.forensicstore"], volumes=volumes, stderr=True).decode("ascii") # print(out) # test results store = forensicstore.open(os.path.join(store_path, "input.forensicstore")) items = list(store.all()) store.close() shutil.copyfile(os.path.join(store_path, "input.forensicstore"), "./input.forensicstore") # assert len(items) == 8 # cleanup try: shutil.rmtree(tmp) except PermissionError: pass
def main(): parser = argparse.ArgumentParser( description='parse key pairs into a dictionary') parser.add_argument("--filter", dest="filter", action=StoreDictKeyPair, metavar="type=file,name=System.evtx...") args, _ = parser.parse_known_args(sys.argv[1:]) if args.filter is None: args.filter = [{"type": "file"}] store = forensicstore.open("/elementary/input.forensicstore") files = [] tmpdir = tempfile.mkdtemp() selected = list(store.select(args.filter)) for item in selected: if "export_path" in item: dst_path = os.path.join(tmpdir, item["export_path"].strip("/")) os.makedirs(os.path.dirname(dst_path), exist_ok=True) with store.load_file(item["export_path"]) as src, open( dst_path, "wb") as dest: dest.write(src.read()) files.append(dst_path) store.close() os.makedirs("Plaso", exist_ok=True) for file in files: subprocess.run([ "log2timeline.py", "--status_view", "none", "--logfile", "test.log", "Plaso/events.plaso", file ], check=True) # TODO: add logfile to forensicstore subprocess.run([ "psort.py", "--status_view", "none", "-o", "forensicstore", "-w", "/elementary/input.forensicstore", "Plaso/events.plaso" ], check=True)
def main(rules_dir): paths = {} for rule in os.listdir(rules_dir): if rule.endswith(".yar") or rule.endswith(".yara"): paths[rule] = os.path.join(rules_dir, rule) rules = yara.compile(filepaths=paths) store = forensicstore.open("/input/input.forensicstore") for path in store.fs.walk.files(): with store.fs.open(path, mode='rb') as io: data = io.read() for match in rules.match(data=data): print( json.dumps({ "type": "alert", "subtype": "yara", "file": path, "name": match.rule })) store.close()
def main(url): print( json.dumps({ "header": [ "GUID", "DHCP", "IPs", "SubNetMask", "NameServer", "IP Key Changed", "Network Key Changed", "Friendly Name" ] })) store = forensicstore.open(url) conditions = [{ 'key': r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%" }, { 'key': r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Services\Tcpip\Parameters\Interfaces\%" }] items = store.select(conditions) for result in transform(items): print(json.dumps(result)) store.close()
def test_docker(data): client = docker.from_env() # build image image_tag = "test_docker" image, _ = client.images.build(path="plaso/", tag=image_tag) # run image store_path = os.path.abspath(os.path.join(data, "input.forensicstore")) store_path_unix = store_path if store_path[1] == ":": store_path_unix = "/" + store_path.lower()[0] + store_path[2:].replace( "\\", "/") volumes = { store_path_unix: { 'bind': '/elementary/input.forensicstore', 'mode': 'rw' } } output = client.containers.run(image_tag, command=[ "--filter", "artifact=WindowsDeviceSetup", "input.forensicstore" ], volumes=volumes, stderr=True, stdout=True) print(output) # test results store = forensicstore.open(store_path) items = list(store.select([{"type": "event"}])) store.close() assert len(items) == 69 # cleanup try: shutil.rmtree(data) except PermissionError: pass
def test_save(self, out_dir, data): store = forensicstore.open(data + "/forensicstore/example1.forensicstore") store.close() shutil.rmtree(out_dir) shutil.rmtree(data)
def test_get_not_existing(self, out_dir, data): with pytest.raises(forensicstore.forensicstore.StoreNotExitsError): forensicstore.open(data + "/non_existing.forensicstore") shutil.rmtree(out_dir) shutil.rmtree(data)
def main(): root_parser = argparse.ArgumentParser(description='Handle forensicstores') root_subparsers = root_parser.add_subparsers(dest='root_command') root_subparsers.required = True create_parser = root_subparsers.add_parser("create") create_parser.add_argument('store') import_parser = root_subparsers.add_parser("import") import_parser.add_argument('url') import_parser.add_argument('store') validate_parser = root_subparsers.add_parser("validate") validate_parser.add_argument('store') validate_parser.add_argument('--no-fail', action='store_true', dest="nofail") element_parser = root_subparsers.add_parser("element") element_subparsers = element_parser.add_subparsers(dest='command') element_subparsers.required = True get_parser = element_subparsers.add_parser("get") get_parser.add_argument('id') get_parser.add_argument('store') select_parser = element_subparsers.add_parser("select") select_parser.add_argument('type') select_parser.add_argument('store') all_parser = element_subparsers.add_parser("all") all_parser.add_argument('store') insert_parser = element_subparsers.add_parser("insert") insert_parser.add_argument('json') insert_parser.add_argument('store') update_parser = element_subparsers.add_parser("update") update_parser.add_argument('id') update_parser.add_argument('json') update_parser.add_argument('store') args = root_parser.parse_args() if args.root_command == "create": store = forensicstore.new(args.store) store.close() elif args.root_command == "validate": store = forensicstore.open(args.store) errors = store.validate() if errors: print(json.dumps(errors)) if args.nofail: sys.exit(0) sys.exit(len(errors)) elif args.root_command == "element": if args.command == "get": store = forensicstore.open(args.store) element = store.get(args.id) print(json.dumps(element)) store.close() elif args.command == "select": store = forensicstore.open(args.store) elements = list(store.select([{"type": args.type}])) print(json.dumps(elements)) store.close() elif args.command == "all": store = forensicstore.open(args.store) elements = list(store.all()) print(json.dumps(elements)) store.close() elif args.command == "insert": store = forensicstore.open(args.store) element = store.insert(json.loads(args.json)) print(json.dumps(element)) store.close() elif args.command == "update": store = forensicstore.open(args.store) print(args.json) element = store.update(args.id, json.loads(args.json)) print(json.dumps(element)) store.close() else: NotImplementedError("Sub command %s does not exist" % args.command) else: NotImplementedError("Command %s does not exist" % args.root_command)