def gen_fullprefix(startTime): log.debug("Building output file prefix.") # Get system serial number. g = glob.glob( os.path.join( inputdir, 'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*')) check_dbs = [ 'consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db' ] serial_dbs = [ loc for loc in g if any(loc.endswith(db) for db in check_dbs) ] serial_query = 'SELECT SerialNumber FROM TableInfo;' _serial = "SERROR" for db in serial_dbs: try: cursor = sqlite3.connect(db).cursor() _serial = cursor.execute(serial_query).fetchone()[0] log.debug("Retrieved serial number {0} from {1}.".format( _serial, db)) break except sqlite3.OperationalError: error = [ x for x in traceback.format_exc().split('\n') if "OperationalError" in x ] log.debug("Could not connect [{0}].".format(error[0])) if "database is locked" or "unable to open" in error[0]: tmpdb = os.path.basename(db) + '-tmp' log.debug("Trying to connect to db copied to temp location...") shutil.copyfile(db, os.path.join(outputdir, tmpdb)) db = os.path.join(outputdir, tmpdb) try: cursor = sqlite3.connect(db).cursor() _serial = cursor.execute(serial_query).fetchone()[0] log.debug("Successfully connected.") os.remove(db) break except: log.debug( "Could not get serial number from {0}. Trying another directory." .format(db)) os.remove(db) # Get local hostname. if 'Volumes' not in inputdir and forensic_mode is not True: try: hostname_cmd, e = subprocess.Popen( ["hostname"], stdout=subprocess.PIPE).communicate() hostname_cmd = hostname_cmd.decode('utf-8') _hostname = hostname_cmd.rstrip('\n') log.debug("Retrieved hostname {0}.".format(_hostname)) except Exception: _hostname = 'HNERROR' log.error("Could not retrieve hostname.") else: try: pref_plist = open( os.path.join( inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist' ), 'rb') try: preferences = plistlib.load(pref_plist) except Exception as e: log.debug("Using python2 code to read preferences.plist.") preferences = plistlib.readPlist(pref_plist) _hostname = finditem(preferences, 'HostName') if not _hostname: _hostname = finditem(preferences, 'LocalHostName') log.debug( "Got hostname from the LocalHostName key, rather than HostName." ) except Exception: _hostname = 'HNERROR' log.error("Could not retrieve hostname.") # Get current system IP address (if running on live machine). if 'Volumes' not in inputdir and forensic_mode is not True: _ip, e = subprocess.Popen(["ifconfig", "en0"], stdout=subprocess.PIPE).communicate() try: _ip = ''.join([ i for i in _ip.decode().split('\n\t') if i.startswith("inet ") ]).split(' ')[1] log.debug("Retrieved IPv4 address as {0}.".format(_ip)) except IndexError: _ip = "255.255.255.255" log.error("IPv4 not available, recorded as 255.255.255.255.") else: wifilog = os.path.join(inputdir, 'private/var/log/wifi.log') wifi_bzlogs = glob.glob( os.path.join(inputdir, 'private/var/log/wifi.log.*.bz2')) try: wifi_data = open(wifilog, 'r').readlines() try: last_ip = [i for i in wifi_data if "Local IP" in i][-1].rstrip() _ip = last_ip.split(' ')[-1] iptime = ' '.join(last_ip.split(' ')[0:4]) log.debug( "Last IP address {0} was assigned around {1} (local time)." .format(_ip, iptime)) except IndexError: log.debug( "Could not find last IP in wifi.log, will check historical wifi.log.*.bz2 files." ) except IOError: log.debug( "Could not parse wifi.log, will check historical wifi.log.*.bz2 files." ) wdata = [] if len(wifi_bzlogs) > 0: for i in wifi_bzlogs: try: wifi_bzdata, e = subprocess.Popen( ["bzcat", i], stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate() wdata.append(wifi_bzdata.split('\n')) except Exception as e: log.debug("Could not parse {0}.".format(i)) w = list(itertools.chain.from_iterable(wdata)) try: last_ip = [i for i in w if "Local IP" in i][0].rstrip() _ip = last_ip.split(' ')[-1] iptime = ' '.join(last_ip.split(' ')[0:4]) log.debug( "Last IP address {0} was assigned around {1} (local time).". format(_ip, iptime)) except Exception as e: log.debug( "Could not get last IP from current or historical wifi.log files. Recorded at 255.255.255.255." ) _ip = "255.255.255.255" # Get automactc runtime. _runtime = str(startTime.replace(microsecond=0)).replace('+00:00', 'Z').replace( ' ', 'T') # Assemble prefix. full_prefix = '{0},{1},{2},{3}'.format(_prefix, _hostname, _ip, _runtime).replace(':', '_') return full_prefix, _serial
def gen_fullprefix(startTime): log.debug("Building output file prefix.") # Get system serial number. g = glob.glob( os.path.join( inputdir, 'private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/*')) check_dbs = [ 'consolidated.db', 'cache_encryptedA.db', 'lockCache_encryptedA.db' ] serial_dbs = [loc for loc in g if any(db in loc for db in check_dbs)] serial_query = 'SELECT SerialNumber FROM TableInfo;' for db in serial_dbs: try: cursor = sqlite3.connect(db).cursor() _serial = cursor.execute(serial_query).fetchone()[0] log.debug("Retrieved serial number {0} from {1}.".format( _serial, db)) break except sqlite3.OperationalError: _serial = 'SERIALERROR0' log.error("Could not extract serial number from {0}.".format(db)) # Get local hostname. if 'Volumes' not in inputdir and forensic_mode is not True: try: hostname_cmd, e = subprocess.Popen( ["hostname"], stdout=subprocess.PIPE).communicate() _hostname = hostname_cmd.rstrip('\n') log.debug("Retrieved hostname {0}.".format(_hostname)) except Exception: _hostname = 'HNERROR' log.error("Could not retrieve hostname.") else: try: pref_plist = os.path.join( inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist') preferences = plistlib.readPlist() _hostname = finditem(preferences, 'LocalHostName') except Exception: _hostname = 'HNERROR' log.error("Could not retrieve hostname.") # Get current system IP address (if running on live machine). if 'Volumes' not in inputdir and forensic_mode is not True: _ip, e = subprocess.Popen(["ifconfig", "en0"], stdout=subprocess.PIPE).communicate() try: _ip = ''.join([ i for i in _ip.split('\n\t') if i.startswith("inet ") ]).split(' ')[1] log.debug("Retrieved IPv4 address as {0}.".format(_ip)) except IndexError: _ip = "255.255.255.255" log.error("IPv4 not available, recorded as 255.255.255.255.") else: _ip = "255.255.255.255" # Get automactc runtime. _runtime = str(startTime.replace(microsecond=0)).replace('+00:00', 'Z').replace( ' ', 'T') # Assemble prefix. full_prefix = '{0},{1},{2},{3}'.format(_prefix, _hostname, _ip, _runtime).replace(':', '_') return full_prefix
# Generate full prefix of the filenames. full_prefix, serial = gen_fullprefix(startTime) filename_prefix = ', '.join(full_prefix.split(', ')[:4]) log.debug("Full prefix: {0}".format(full_prefix)) # Capture the OS version as a float for comparison tests in modules. try: pslistfile = open( os.path.join(inputdir, 'System/Library/CoreServices/SystemVersion.plist'), 'rb') try: systemversion = plistlib.load(pslistfile) except AttributeError: systemversion = plistlib.readPlist(pslistfile) OSVersion = finditem(systemversion, 'ProductVersion') log.debug("Got OSVersion: {0}".format(OSVersion)) except IOError: if 'Volumes' not in inputdir and forensic_mode is not True: try: OSVersion, e = subprocess.Popen( ["sw_vers", "-productVersion"], stdout=subprocess.PIPE).communicate() log.debug("Got OSVersion: {0}".format(OSVersion)) except Exception as e: log.error("Could not get OSVersion: {0}".format( [traceback.format_exc()])) else: log.error( "Could not get OSVersion: alternative method does not work on forensic image." )
if 'Volumes' not in inputdir and forensic_mode is not True: try: hostname_cmd, e = subprocess.Popen( ["hostname"], stdout=subprocess.PIPE).communicate() _hostname = hostname_cmd.rstrip('\n') log.debug("Retrieved hostname {0}.".format(_hostname)) except Exception: _hostname = 'HNERROR' log.error("Could not retrieve hostname.") else: try: pref_plist = os.path.join( inputdir, 'Library/Preferences/SystemConfiguration/preferences.plist') preferences = plistlib.readPlist(pref_plist) _hostname = finditem(preferences, 'LocalHostName') if not _hostname: _hostname = finditem(preferences, 'HostName') log.debug( "Got hostname from the HostName key, rather than LocalHostName." ) except Exception: _hostname = 'HNERROR' log.error("Could not retrieve hostname.") # Get current system IP address (if running on live machine). if 'Volumes' not in inputdir and forensic_mode is not True: _ip, e = subprocess.Popen(["ifconfig", "en0"], stdout=subprocess.PIPE).communicate() try: _ip = ''.join([