def factory(Evidences, args, options):
    """Entry point of the "getmails" command.

    Looks for Outlook mailboxes (".pst" and ".ost") on every filesystem of
    every evidence.  With the "--walk" option the filesystems are walked
    directly; otherwise the candidates are read from the frit database,
    which must already exist (only a warning is printed when it does not).
    Undeleted files are walked afterwards.

    ``args`` is accepted for interface compatibility and is not used here.
    """
    logger.info('Starting getmails command')
    outlookSuffixes = (u'.pst', u'.ost')
    walkRequested = bool(options) and '--walk' in options
    if walkRequested:
        logger.info('Using "--walk" argument.')
        for evi in Evidences:
            logger.info('Working on evidence "%s"' % evi.configName)
            for fs in evi.fileSystems:
                logger.info('Working on filesystem "%s"' % fs.configName)
                for suffix in outlookSuffixes:
                    getOutlookMailsFromWalk(fs, suffix)
    else:
        logger.info('Searching mails from database.')
        if not fritModel.dbExists():
            fritutils.termout.printWarning(
                'You need to create the database first with the "store create" command or use the "--walk" option'
            )
        else:
            # "Normal" (live) files first, straight from the database.
            for evi in Evidences:
                for fs in evi.fileSystems:
                    for suffix in outlookSuffixes:
                        getOutlookMailsFromDb(fs, suffix)
    # Undeleted files are walked rather than queried: per the original
    # comment, walking them is presumably quicker than a db lookup.
    # NOTE(review): this loop is placed at function level (both modes) as
    # read from the collapsed listing -- confirm against upstream.
    for evi in Evidences:
        for fs in evi.fileSystems:
            getOutlookUndeletedFromWalk(fs)
def _walkOutlookMails(Evidences):
    """Walk every filesystem of every evidence for ".pst" and ".ost" files."""
    for evi in Evidences:
        logger.info('Working on evidence "%s"' % evi.configName)
        for fs in evi.fileSystems:
            logger.info('Working on filesystem "%s"' % fs.configName)
            getOutlookMailsFromWalk(fs, u".pst")
            getOutlookMailsFromWalk(fs, u".ost")


def _queryOutlookMails(Evidences):
    """Fetch ".pst"/".ost" candidates for every filesystem from the database."""
    for evi in Evidences:
        for fs in evi.fileSystems:
            # "Normal" (live) files first.
            getOutlookMailsFromDb(fs, u".pst")
            getOutlookMailsFromDb(fs, u".ost")


def _walkUndeletedMails(Evidences):
    """Walk the undeleted files of every filesystem (presumably quicker than a db query)."""
    for evi in Evidences:
        for fs in evi.fileSystems:
            getOutlookUndeletedFromWalk(fs)


def factory(Evidences, args, options):
    """Entry point of the "getmails" command.

    With "--walk" in ``options`` the evidence filesystems are walked for
    Outlook mailboxes; otherwise they are looked up in the frit database
    (a warning is printed if it does not exist yet).  Undeleted files are
    walked afterwards.  ``args`` is unused here.
    """
    logger.info("Starting getmails command")
    if options and "--walk" in options:
        logger.info('Using "--walk" argument.')
        _walkOutlookMails(Evidences)
    else:
        logger.info("Searching mails from database.")
        if fritModel.dbExists():
            _queryOutlookMails(Evidences)
        else:
            fritutils.termout.printWarning(
                'You need to create the database first with the "store create" command or use the "--walk" option'
            )
    # NOTE(review): runs in both modes as read from the collapsed listing;
    # confirm against upstream that it is not meant for database mode only.
    _walkUndeletedMails(Evidences)
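def factory(Evidences, args, options):
    """Entry point of the "hashes" command.

    ``args`` are the hashes command arguments: ``args[0]`` names the
    sub-command (``update``, ``md5search``, ``sha1search``, ``sha256search``,
    ``csvdump`` or ``ssdsearch``) and the remaining items are the values the
    search sub-commands look for.  For the search sub-commands the keyword
    is removed from ``args`` in place before the values are handed on.
    ``options`` is unused here.

    Exits the process with status 1 on a missing or unknown sub-command, a
    missing database, or missing search values.
    """
    logger.info("Starting hashes command.")
    validArgs = ("update", "md5search", "sha1search", "sha256search", "csvdump", "ssdsearch")
    # Digest search sub-commands, mapped to the algorithm name searchFactory expects.
    searchCommands = {"md5search": "md5", "sha1search": "sha1", "sha256search": "sha256"}

    if not args:
        fritutils.termout.printWarning("hashes command need at least an argument. Exiting.")
        logger.error("No argument given.")
        sys.exit(1)
    # Capture the sub-command once: the original tested args[0] again after
    # mutating args, so a search value that happened to spell another keyword
    # would have triggered a second branch.
    subcommand = args[0]
    if subcommand not in validArgs:
        fritutils.termout.printWarning("hashes command need a valid argument (%s)" % ", ".join(validArgs))
        logger.error('"%s" in not a valid arguement. Exiting.' % subcommand)
        sys.exit(1)
    if not fritModel.dbExists():
        fritutils.termout.printWarning(
            'Database not found. run the "frit store create", followed by "frit hashes update".'
        )
        logger.error("No database found, exiting.")
        sys.exit(1)

    if subcommand == "update":
        logger.info("Update arguement given. Starting update.")
        update(Evidences)
    elif subcommand in searchCommands:
        algo = searchCommands[subcommand]
        args.remove(subcommand)
        if not args:
            fritutils.termout.printWarning("%s command need at least one %s to search for." % (subcommand, algo))
            logger.error("%s command but no argument to search for. Exiting." % subcommand)
            sys.exit(1)
        # NOTE(review): the digests are passed through without any length or
        # hex-charset check; searchFactory is assumed to bind them as query
        # parameters rather than interpolate them -- confirm there.
        searchFactory(args, Evidences, algo)
    elif subcommand == "csvdump":
        csvdump(Evidences)
    elif subcommand == "ssdsearch":
        args.remove("ssdsearch")
        if len(args) < 2:
            fritutils.termout.printWarning("ssdsearch command need a ssdeep hash and a minimal score to match.")
            logger.error("ssdsearch command but not enough argument (hash and a score). Exiting.")
            # Every other usage error exits non-zero and the log line says
            # "Exiting"; this branch used to fall through with status 0.
            sys.exit(1)
        # NOTE(review): args[1] is expected to be a minimal score; it is not
        # validated here, so ssdeepsearch must reject a non-numeric value.
        ssdeepsearch(args)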
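_BY_EXTENSIONS_ROOT = '.frit/extractions/by_extensions/'


def _selectStates(options, stateOptions):
    """Return the file states selected by *options*, or all of them.

    Only options present in *stateOptions* are considered, in command-line
    order; with none given every state of ``fritModel.FILESTATES`` is used.
    """
    states = []
    if options:
        logger.info('options: %s' % ','.join(options))
        states = [stateOptions[o] for o in options if o in stateOptions]
    if not states:
        states = list(fritModel.FILESTATES)
    logger.info('states: %s' % ','.join(states))
    return states


def _selectExtensions(args, definedExtensions):
    """Return the extensions to work on, consuming list names from *args*.

    Names of predefined lists (keys of *definedExtensions*) are removed from
    *args* in place and expanded; the remaining args are taken as literal
    extensions.  With nothing left at all, every extension known to the
    database is used.
    """
    extList = []
    for a in list(args):
        if a in definedExtensions:
            # Log the matched list name (the original logged the whole args list).
            logger.info('Extension list "%s" asked in command line.' % a)
            args.remove(a)
            extList.extend(definedExtensions[a])
    if not args and not extList:
        for ex in fritModel.elixir.session.query(fritModel.Extension.extension).all():
            extList.append(ex[0])
    else:
        for ex in args:
            extList.append(fritutils.unicodify(ex))
    logger.info('Extensions: "%s"' % " ".join(extList))
    return extList


def _listFiles(Evidences, extList, states):
    """Print every frit file path matching *extList* and *states*."""
    for evi in Evidences:
        for fs in evi.fileSystems:
            for ext in sorted(extList):
                for state in states:
                    for fp in fs.ExtensionsFritFiles(ext, state):
                        fritutils.termout.printNormal(fp)


def _destinationDir(evi, fs, ext, basePath, merge):
    """Build the extraction directory for one file, or None if it is unsafe.

    With *merge* the extension sub-directory is omitted so all extensions
    share one tree.  *basePath* is the directory part of a path recorded
    from the evidence image -- not trusted input.  ``os.path.join`` drops
    everything before an absolute component and ``..`` climbs out of the
    tree, so anything that would not resolve under the by_extensions root
    is refused.  Whether stored paths can ever contain such components is
    not verifiable here; the check only costs a warning in that case.
    """
    if ext == "No Extension":
        extPath = "no_extension"
    else:
        extPath = ext[1:]  # drop the leading dot
    if merge:
        destination = os.path.join(_BY_EXTENSIONS_ROOT, evi.configName, fs.configName, basePath)
    else:
        destination = os.path.join(_BY_EXTENSIONS_ROOT, evi.configName, fs.configName, extPath, basePath)
    rootAbs = os.path.abspath(_BY_EXTENSIONS_ROOT)
    destAbs = os.path.abspath(destination)
    if destAbs != rootAbs and not destAbs.startswith(rootAbs + os.sep):
        logger.warning('Refusing to extract outside "%s": "%s"' % (_BY_EXTENSIONS_ROOT, destination))
        return None
    return unicode(destination)


def _extractNormalFiles(evi, extList, merge):
    """Mount one evidence and extract its "Normal" files for *extList*.

    Mounts are released in ``finally`` blocks so a failing extractFile
    no longer leaves the container or filesystem mounted.
    """
    enbe = evi.dbCountExtension(extList, u'Normal')
    if enbe['count'] <= 0:
        logger.info('No Normal files to extract on Evidence "%s", skipping' % evi.configName)
        return
    logger.info('Found %d files to exctract, mounting Evidence container "%s".'
                % (enbe['count'], evi.configName))
    evi.mount('extensions', 'Extracting files based on extensions')
    try:
        for fs in evi.fileSystems:
            fritutils.termout.printMessage("\t%s/%s" % (fs.evidence.configName, fs.configName))
            fs.mount('extensions', 'Extracting files based on extensions')
            try:
                for ext in sorted(extList):
                    nbe = fs.dbCountExtension(ext, u'Normal')
                    fritutils.termout.printMessage(
                        "Extracting %d files (%s)" % (nbe['count'], fritutils.humanize(nbe['size'])))
                    for filepath in fs.ExtensionsOriginalFiles(ext, u'Normal'):
                        destination = _destinationDir(evi, fs, ext, os.path.dirname(filepath), merge)
                        if destination is None:
                            continue
                        extractFile(os.path.join(fs.fsMountPoint, filepath), destination)
            finally:
                fs.umount('extensions')
    finally:
        evi.umount('extensions')


def _extractStateFiles(evi, fs, extList, state, merge):
    """Extract the already-extracted (non-"Normal") files of one filesystem."""
    for ext in sorted(extList):
        nbe = fs.dbCountExtension(ext, state)
        if nbe['count'] > 0:
            fritutils.termout.printMessage(
                "Extracting %s %d files (%s)" % (state, nbe['count'], fritutils.humanize(nbe['size'])))
            for filepath in fs.ExtensionsOriginalFiles(ext, state):
                # The first character of the path is not stored, so re-add the '.'
                filepath = '.' + filepath
                # Keep '.frit/extractions' out of the middle of the destination path.
                basePath = os.path.dirname(filepath.replace('.frit/extractions/', ''))
                destination = _destinationDir(evi, fs, ext, basePath, merge)
                if destination is None:
                    continue
                extractFile(filepath, destination)
        else:
            logger.info('Nothing found to extract on "%s".' % (evi.configName + '/' + fs.configName))


def _extractFiles(Evidences, extList, states, merge):
    """Run the extract sub-command over *states* (mutates *states*)."""
    # "Normal" files live on the evidence filesystems, which have to be
    # mounted, so they are handled first and separately.
    if u'Normal' in states:
        logger.info('Starting Normal files extraction.')
        states.remove(u'Normal')
        for evi in Evidences:
            _extractNormalFiles(evi, extList, merge)
    for state in states:
        logger.info('Starting to extract %s files' % state)
        for evi in Evidences:
            for fs in evi.fileSystems:
                _extractStateFiles(evi, fs, extList, state, merge)


def factory(Evidences, args, options, fritConf):
    """Entry point of the "extensions" command.

    ``args[0]`` selects the action (``count``, ``extract`` or ``list``) and is
    removed from ``args``; the remaining args are extensions or names of
    extension lists defined in ``fritConf``.  ``options`` may restrict the
    file states (``--normal``, ``--contained``, ``--undeleted``, ``--carved``)
    and ``--merge`` flattens the extraction tree (no per-extension directory).

    Exits with status 1 when the database is missing or the action is
    missing or unknown.
    """
    validArgs = ('count', 'extract', 'list')
    stateOptions = {
        '--normal': u'Normal',
        '--contained': u'Contained',
        '--undeleted': u'Undeleted',
        '--carved': u'Carved'
    }
    definedExtensions = getExtLists(fritConf)
    if not fritModel.dbExists():
        fritutils.termout.printWarning(
            'The database does not exists yet. You should create it first by issuing "frit store create".'
        )
        logger.warning('Database was not found')
        sys.exit(1)
    if not args:
        fritutils.termout.printWarning(
            'extensions command need at least an argument to define an action (%s).' % ', '.join(validArgs))
        sys.exit(1)
    subcommand = args[0]
    if subcommand not in validArgs:
        fritutils.termout.printWarning(
            'extensions command need a valid argument (%s)' % ', '.join(validArgs))
        sys.exit(1)
    args.remove(subcommand)
    logger.info('subcommand issued: %s' % subcommand)

    states = _selectStates(options, stateOptions)
    extList = _selectExtensions(args, definedExtensions)

    if subcommand == 'count':
        logger.info('Starting subcommand count')
        fritModel.listExtensions(Evidences, extList, states)
    elif subcommand == 'list':
        logger.info('Starting list subcommand.')
        _listFiles(Evidences, extList, states)
    elif subcommand == 'extract':
        logger.info('Starting extract subcommand')
        merge = bool(options) and '--merge' in options
        _extractFiles(Evidences, extList, states, merge)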
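def factory(Evidences, args, options):
    """Entry point of the "hashes" command.

    ``args`` are the hashes command arguments: ``args[0]`` is the
    sub-command ('update', 'md5search', 'sha1search', 'sha256search',
    'csvdump' or 'ssdsearch'); what follows are the values the search
    sub-commands look for.  The search keywords are removed from ``args``
    in place before the values are passed on.  ``options`` is unused.

    Exits with status 1 on a missing or unknown sub-command, a missing
    database, or missing search values.
    """
    logger.info('Starting hashes command.')
    validArgs = ('update', 'md5search', 'sha1search', 'sha256search',
                 'csvdump', 'ssdsearch')
    # Digest searches and the algorithm name searchFactory expects for each.
    digestSearches = {
        'md5search': 'md5',
        'sha1search': 'sha1',
        'sha256search': 'sha256',
    }

    if not args:
        fritutils.termout.printWarning(
            'hashes command need at least an argument. Exiting.')
        logger.error('No argument given.')
        sys.exit(1)
    # Read the sub-command once; re-testing args[0] after args.remove() (as
    # the original did) let a search value spelling another keyword fire a
    # second branch.
    subcommand = args[0]
    if subcommand not in validArgs:
        fritutils.termout.printWarning(
            'hashes command need a valid argument (%s)' % ', '.join(validArgs))
        logger.error('"%s" in not a valid arguement. Exiting.' % subcommand)
        sys.exit(1)
    if not fritModel.dbExists():
        fritutils.termout.printWarning(
            'Database not found. run the "frit store create", followed by "frit hashes update".'
        )
        logger.error("No database found, exiting.")
        sys.exit(1)

    if subcommand == 'update':
        logger.info('Update arguement given. Starting update.')
        update(Evidences)
    elif subcommand in digestSearches:
        algo = digestSearches[subcommand]
        args.remove(subcommand)
        if not args:
            fritutils.termout.printWarning(
                '%s command need at least one %s to search for.' % (subcommand, algo))
            logger.error(
                '%s command but no argument to search for. Exiting.' % subcommand
            )
            sys.exit(1)
        # NOTE(review): digests go through unvalidated (no length/hex check);
        # searchFactory is assumed to bind them as query parameters -- confirm.
        searchFactory(args, Evidences, algo)
    elif subcommand == 'csvdump':
        csvdump(Evidences)
    elif subcommand == 'ssdsearch':
        args.remove('ssdsearch')
        if len(args) < 2:
            fritutils.termout.printWarning(
                'ssdsearch command need a ssdeep hash and a minimal score to match.'
            )
            logger.error(
                'ssdsearch command but not enough argument (hash and a score). Exiting.'
            )
            # Missing in the original: the other usage errors exit non-zero.
            sys.exit(1)
        # NOTE(review): the minimal score (args[1]) is not validated here;
        # ssdeepsearch must reject a non-numeric value.
        ssdeepsearch(args)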
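_EXTRACTION_ROOT = '.frit/extractions/by_extensions/'


def _statesFromOptions(options, stateOptions):
    """Map the state options present in *options* to state names.

    Keeps command-line order; falls back to all of ``fritModel.FILESTATES``
    when no state option was given.
    """
    selected = []
    if options:
        logger.info('options: %s' % ','.join(options))
        for o in options:
            if o in stateOptions:
                selected.append(stateOptions[o])
    if not selected:
        selected = list(fritModel.FILESTATES)
    logger.info('states: %s' % ','.join(selected))
    return selected


def _extensionsFromArgs(args, definedExtensions):
    """Expand extension-list names in *args* (removed in place) into extensions.

    Remaining args are literal extensions; with nothing at all, every
    extension recorded in the database is returned.
    """
    extList = []
    for a in list(args):
        if a in definedExtensions:
            # Fixed: the original logged the whole args list instead of the name.
            logger.info('Extension list "%s" asked in command line.' % a)
            args.remove(a)
            extList.extend(definedExtensions[a])
    if not args and not extList:
        rows = fritModel.elixir.session.query(fritModel.Extension.extension).all()
        extList.extend(row[0] for row in rows)
    else:
        extList.extend(fritutils.unicodify(ex) for ex in args)
    logger.info('Extensions: "%s"' % " ".join(extList))
    return extList


def _printMatchingFiles(Evidences, extList, states):
    """Print the frit file paths matching *extList* and *states*."""
    for evi in Evidences:
        for fs in evi.fileSystems:
            for ext in sorted(extList):
                for state in states:
                    for fp in fs.ExtensionsFritFiles(ext, state):
                        fritutils.termout.printNormal(fp)


def _safeDestination(evi, fs, ext, basePath, merge):
    """Return the unicode extraction directory for one file, or None.

    *basePath* is the directory part of a path recorded from the evidence
    image, i.e. untrusted.  ``os.path.join`` discards the prefix before an
    absolute component and ``..`` walks up, so a destination that would not
    resolve under the by_extensions root is logged and refused.  Whether
    stored paths can ever contain such components cannot be verified here.
    """
    extPath = "no_extension" if ext == "No Extension" else ext[1:]
    parts = [_EXTRACTION_ROOT, evi.configName, fs.configName]
    if not merge:
        parts.append(extPath)
    parts.append(basePath)
    destination = os.path.join(*parts)
    rootAbs = os.path.abspath(_EXTRACTION_ROOT)
    destAbs = os.path.abspath(destination)
    if destAbs != rootAbs and not destAbs.startswith(rootAbs + os.sep):
        logger.warning('Refusing to extract outside "%s": "%s"' % (_EXTRACTION_ROOT, destination))
        return None
    return unicode(destination)


def _extractNormal(evi, extList, merge):
    """Mount *evi* and its filesystems, extract "Normal" files, always unmount."""
    enbe = evi.dbCountExtension(extList, u'Normal')
    if not enbe['count'] > 0:
        logger.info('No Normal files to extract on Evidence "%s", skipping' % evi.configName)
        return
    logger.info('Found %d files to exctract, mounting Evidence container "%s".' % (enbe['count'], evi.configName))
    evi.mount('extensions', 'Extracting files based on extensions')
    try:
        for fs in evi.fileSystems:
            fritutils.termout.printMessage("\t%s/%s" % (fs.evidence.configName, fs.configName))
            fs.mount('extensions', 'Extracting files based on extensions')
            try:
                for ext in sorted(extList):
                    nbe = fs.dbCountExtension(ext, u'Normal')
                    fritutils.termout.printMessage("Extracting %d files (%s)" % (nbe['count'], fritutils.humanize(nbe['size'])))
                    for filepath in fs.ExtensionsOriginalFiles(ext, u'Normal'):
                        destination = _safeDestination(evi, fs, ext, os.path.dirname(filepath), merge)
                        if destination is not None:
                            extractFile(os.path.join(fs.fsMountPoint, filepath), destination)
            finally:
                # Unmount even when extractFile raises (the original leaked the mount).
                fs.umount('extensions')
    finally:
        evi.umount('extensions')


def _extractState(evi, fs, extList, state, merge):
    """Extract the files of one non-"Normal" *state* from one filesystem."""
    for ext in sorted(extList):
        nbe = fs.dbCountExtension(ext, state)
        if nbe['count'] > 0:
            fritutils.termout.printMessage("Extracting %s %d files (%s)" % (state, nbe['count'], fritutils.humanize(nbe['size'])))
            for filepath in fs.ExtensionsOriginalFiles(ext, state):
                # The db drops the first character of the path: re-add the '.'
                filepath = '.' + filepath
                # Keep '.frit/extractions' out of the middle of the destination.
                basePath = os.path.dirname(filepath.replace('.frit/extractions/', ''))
                destination = _safeDestination(evi, fs, ext, basePath, merge)
                if destination is not None:
                    extractFile(filepath, destination)
        else:
            logger.info('Nothing found to extract on "%s".' % (evi.configName + '/' + fs.configName))


def factory(Evidences, args, options, fritConf):
    """Entry point of the "extensions" command.

    ``args[0]`` is the action ('count', 'extract' or 'list') and is removed
    from ``args``; remaining args are extensions or names of extension
    lists from ``fritConf``.  State options (``--normal``, ``--contained``,
    ``--undeleted``, ``--carved``) restrict the file states; ``--merge``
    puts all extracted files in one tree instead of one per extension.

    Exits with status 1 if the database is missing or the action is
    missing or unknown.
    """
    validArgs = ('count', 'extract', 'list')
    stateOptions = {'--normal': u'Normal', '--contained': u'Contained', '--undeleted': u'Undeleted', '--carved': u'Carved'}
    definedExtensions = getExtLists(fritConf)
    if not fritModel.dbExists():
        fritutils.termout.printWarning('The database does not exists yet. You should create it first by issuing "frit store create".')
        logger.warning('Database was not found')
        sys.exit(1)
    if not args:
        fritutils.termout.printWarning('extensions command need at least an argument to define an action (%s).' % ', '.join(validArgs))
        sys.exit(1)
    subcommand = args[0]
    if subcommand not in validArgs:
        fritutils.termout.printWarning('extensions command need a valid argument (%s)' % ', '.join(validArgs))
        sys.exit(1)
    args.remove(subcommand)
    logger.info('subcommand issued: %s' % subcommand)

    states = _statesFromOptions(options, stateOptions)
    extList = _extensionsFromArgs(args, definedExtensions)

    if subcommand == 'count':
        logger.info('Starting subcommand count')
        fritModel.listExtensions(Evidences, extList, states)
    elif subcommand == 'list':
        logger.info('Starting list subcommand.')
        _printMatchingFiles(Evidences, extList, states)
    elif subcommand == 'extract':
        logger.info('Starting extract subcommand')
        merge = bool(options) and '--merge' in options
        # "Normal" files sit on the evidence filesystems and need a mount,
        # so they go first; the other states are already on disk.
        if u'Normal' in states:
            logger.info('Starting Normal files extraction.')
            states.remove(u'Normal')
            for evi in Evidences:
                _extractNormal(evi, extList, merge)
        for state in states:
            logger.info('Starting to extract %s files' % state)
            for evi in Evidences:
                for fs in evi.fileSystems:
                    _extractState(evi, fs, extList, state, merge)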