def onConfirm(self, event):
#create case dir
dirPath = self.txtCaseFolder.GetValue() #get case folder path
casePath = Path(dirPath)
if casePath.is_dir(): #check if it exist
print("dir exist")
else:
os.mkdir(dirPath) #create if does not
#create case database
dbFilePath = self.txtCaseDb.GetValue() #get case database path
my_file = Path(dbFilePath)
#print(dbFilePath)
if my_file.is_file(): #check if file exist
print("file exist")
else:
conn = connectdb.create_connection(dbFilePath) #creates db file and connection if it does not exist
caseInfoTable = "CREATE TABLE 'CaseInfo' ( 'CaseID' INTEGER PRIMARY KEY AUTOINCREMENT, 'InvestigatorName' TEXT, 'CaseNum' INTEGER, 'CaseName' TEXT, 'CaseFolder' TEXT, 'CaseDb' TEXT, 'CaseDesc' TEXT, 'Datetime' TEXT);"
evidenceInfoTable = "CREATE TABLE 'EvidenceInfo' ('CaseID' INTEGER, 'EvidenceName' TEXT, 'EvidenceDbPath' TEXT, 'EvidenceDatetime' TEXT, 'Md5' TEXT, 'EvidencePath' TEXT, 'EvidenceSize' TEXT);"
bookmarksTable = "CREATE TABLE 'Bookmarks' ('fileName' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'uid' INTEGER, 'gid' INTEGER, 'md5' TEXT, 'size' INTEGER, 'parentPath' TEXT, 'extension' TEXT, 'image' TEXT);"
connectdb.createTable(conn, caseInfoTable) #creates CaseInfo table
connectdb.createTable(conn, evidenceInfoTable) #creates EvidenceInfo table
connectdb.createTable(conn, bookmarksTable) #creates Bookmarsk table
connectdb.createFilesEvidenceTable(conn)
connectdb.createSessionsEvidenceTable(conn)
connectdb.createDNSEvidenceTable(conn)
connectdb.createCredentialsEvidenceTable(conn)
#insert case details
with conn:
caseDetails = (self.txtInvestigatorName.GetValue(), self.txtCaseNum.GetValue(), self.txtCaseName.GetValue(), self.txtCaseFolder.GetValue(), self.txtCaseDb.GetValue(), self.txtCaseDescription.GetValue(), datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
connectdb.insertCaseDetails(conn, caseDetails) #insert case details to CaseInfo
self.Close()
def onAddEvidence(self, event):
try:
caseDetails
except NameError:
wx.MessageBox('Case not opened!', ' ', wx.OK
| wx.ICON_INFORMATION) #if caseDetails not defined
print("Case not opened")
else: #if caseDetails is defined
openFileDialog = wx.FileDialog(
self,
"Open",
"",
"",
"*.dd", #creates a filedialog that only allow user to select .dd files
wx.FD_OPEN | wx.FD_FILE_MUST_EXIST)
openFileDialog.ShowModal()
global caseDir, caseDbPath
evidencePath = openFileDialog.GetPath(
) #get path of selected dd file
fileName = os.path.basename(evidencePath)
for x in caseDetails:
caseDir = x[4] #get case directory from caseDetails
caseDbPath = x[5] #get case database path from caseDetails
evidenceDbDir = Path(caseDir + "/Evidence_Database")
if evidenceDbDir.is_dir() == False: #check if directory exist
os.mkdir(
str(evidenceDbDir)) #create directory if it does not exist
if fileName != "":
self._dialog = wx.ProgressDialog(
"Adding evidence",
"Creating database for '{s}'".format(s=fileName), 100)
LoadingDialog(self._dialog) #starts the loading dialog
load_db = subprocess.call([
"tsk_loaddb", "-d",
"{caseDir}/Evidence_Database/{fileName}.db".format(
caseDir=caseDir, fileName=fileName), evidencePath
]) #use tsk_loaddb to generate tsk database
LoadingDialog.endLoadingDialog(self) #ends the loading dialog
if load_db == 0: #if no error
conn = connectdb.create_connection(caseDbPath)
with conn:
evidenceDbPath = str(
evidenceDbDir) + "/" + fileName + ".db"
#hash = "md5sum {evidencePath} | awk '{col}".format(evidencePath=evidenceDbPath, col="{print $1}")
#evidenceMd5 = subprocess.Popen([hash], stdout=subprocess.PIPE).communicate()[0]
md5_hash = hashlib.md5()
f = open(evidencePath, 'rb')
# Read and update hash in chunks of 4K
for byte_block in iter(lambda: f.read(4096), b""):
md5_hash.update(byte_block)
print(md5_hash.hexdigest())
evidenceMd5 = md5_hash.hexdigest()
insertEvidence = (1, fileName, evidenceDbPath,
datetime.datetime.now().strftime(
"%Y-%m-%d %H:%M:%S"),
evidenceMd5)
connectdb.insertEvidenceDetails(
conn, insertEvidence
) #insert to EvidenceInfo in case database
evidenceConn = connectdb.create_connection(
caseDir + "/Evidence_Database/" + fileName +
".db") #connect to tsk database
evidencePart = connectdb.select_image_partitions(
evidenceConn) #get image partitions from tsk database
if Path(caseDir +
"/Evidence_Database/Deleted_Files.db").is_file(
) == False: #check if Deleted_Files.db exist
createDeletedFilesDb = connectdb.create_connection(
caseDir + "/Evidence_Database/Deleted_Files.db")
deteledFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
connectdb.createTable(
createDeletedFilesDb,
deteledFilesTable) #creates if it does not exist
else:
createDeletedFilesDb = connectdb.create_connection(
caseDir + "/Evidence_Database/Deleted_Files.db"
) #connects to Deleted_Files.db
for x in evidencePart:
if x[2] != "Unallocated":
subprocess.Popen(
[
"tsk_recover", "-e", "-o",
str(x[0]), evidencePath,
caseDir + "/Extracted/" + fileName
]
) #recover files from all partitions that re not unallocated
listAllDeletedFiles = "fls -rFdl -o {offset} {image}".format(
offset=str(x[0]), image=evidencePath)
process = subprocess.Popen(
listAllDeletedFiles,
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
) #list all deleted files
stdout, stderr = process.communicate()
output = stdout.decode()
chk = re.sub(
r'[ ]\*[ ]', '\t*\t', output
) #change all ' ' in the second and third column of fls output to to '\t'
chk = re.sub(r'\n', '\t',
chk) #change all '\n' to '\t'
chk = chk.split(
'\t'
) #splits all values between \t into a list
itemList = []
k = 0
for i in range(k, len(chk) - 1, 11):
k = i
itemList.append(
chk[k:k + 11]
) #appends every 11 items into a list
with createDeletedFilesDb:
for list in itemList:
insertDeletedFiles = (list[0], list[1],
list[2], list[3],
list[4], list[5],
list[6], list[7],
list[8], list[9],
list[10], fileName)
connectdb.insertDeletedFiles(
createDeletedFilesDb,
insertDeletedFiles
) #inserts all deleted files info into Deleted_Files.db
wx.MessageBox(
"Extracting '{file}' in the background.".format(
file=fileName))
global evidenceDetails
evidenceDetails = connectdb.select_evidence_details(conn)
self.auiNotebook.DeletePage(0)
self.auiNotebook.RemovePage(0)
self.addAuiTab("Summary", evidenceDetails)
self.recreateTree(caseDbPath)
openFileDialog.Destroy()
def runddfile(lock):
lock.acquire()
global fileName, evidencePath
for x in caseDetails:
caseDir = x[4] #get case directory from caseDetails
caseDbPath = x[5] #get case database path from caseDetails
evidenceDbDir = Path(caseDir+"/Evidence_Database")
if evidenceDbDir.is_dir() == False: #check if directory exist
os.mkdir(str(evidenceDbDir)) #create directory if it does not exist
if fileName != "":
mainFrame._dialog = wx.ProgressDialog("Adding evidence", "Creating database for '{s}'".format(s=fileName), 100)
LoadingDialog(mainFrame._dialog) #starts the loading dialog
load_db = subprocess.call(["tsk_loaddb", "-d", "{caseDir}/Evidence_Database/{fileName}.db".format(caseDir=caseDir, fileName=fileName), evidencePath]) #use tsk_loaddb to generate tsk database
LoadingDialog.endLoadingDialog(mainFrame) #ends the loading dialog
if load_db == 0: #if no error
conn = connectdb.create_connection(caseDbPath)
with conn:
evidenceDbPath = str(evidenceDbDir)+"/"+fileName+".db"
#hash = "md5sum {evidencePath} | awk '{col}".format(evidencePath=evidenceDbPath, col="{print $1}")
#evidenceMd5 = subprocess.Popen([hash], stdout=subprocess.PIPE).communicate()[0]
evidenceMd5 = "None"
insertEvidence = (1, fileName, evidenceDbPath, datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"), evidenceMd5)
connectdb.insertEvidenceDetails(conn, insertEvidence) #insert to EvidenceInfo in case database
evidenceConn = connectdb.create_connection(caseDir+"/Evidence_Database/"+fileName+".db") #connect to tsk database
evidencePart = connectdb.select_image_partitions(evidenceConn) #get image partitions from tsk database
if Path(caseDir+"/Evidence_Database/Deleted_Files.db").is_file() == False: #check if Deleted_Files.db exist
createDeletedFilesDb = connectdb.create_connection(caseDir+"/Evidence_Database/Deleted_Files.db")
deteledFilesTable = "CREATE TABLE 'DeletedFiles' ('fileType' TEXT, 'status' TEXT, 'inode' TEXT, 'filePath' TEXT, 'ctime' TEXT, 'crtime' TEXT, 'atime' TEXT, 'mtime' TEXT, 'size' INTEGER, 'uid' INTEGER, 'gid' INTEGER, 'image' TEXT);"
connectdb.createTable(createDeletedFilesDb, deteledFilesTable) #creates if it does not exist
else:
createDeletedFilesDb = connectdb.create_connection(caseDir+"/Evidence_Database/Deleted_Files.db") #connects to Deleted_Files.db
for x in evidencePart:
if x[2] != "Unallocated":
subprocess.Popen(["tsk_recover", "-e", "-o", str(x[0]), evidencePath, caseDir+"/Extracted/"+fileName]) #recover files from all partitions that re not unallocated
listAllDeletedFiles = "fls -rFdl -o {offset} {image}".format(offset=str(x[0]), image=evidencePath)
process = subprocess.Popen(listAllDeletedFiles, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) #list all deleted files
stdout,stderr = process.communicate()
output = stdout.decode()
chk = re.sub(r'[ ]\*[ ]', '\t*\t', output) #change all ' ' in the second and third column of fls output to to '\t'
chk = re.sub(r'\n', '\t', chk) #change all '\n' to '\t'
chk = chk.split('\t') #splits all values between \t into a list
itemList = []
k=0
for i in range(k,len(chk)-1,11):
k=i
itemList.append(chk[k:k+11]) #appends every 11 items into a list
with createDeletedFilesDb:
for list in itemList:
insertDeletedFiles = (list[0], list[1], list[2], list[3], list[4], list[5], list[6], list[7], list[8], list[9], list[10], fileName)
connectdb.insertDeletedFiles(createDeletedFilesDb, insertDeletedFiles) #inserts all deleted files info into Deleted_Files.db
wx.MessageBox("Extracting '{file}' in the background.".format(file=fileName))
global evidenceDetails
evidenceDetails = connectdb.select_evidence_details(conn)
self.auiNotebook.DeletePage(0)
self.auiNotebook.RemovePage(0)
self.addAuiTab("Summary", evidenceDetails)
self.recreateTree(caseDbPath)
lock.release()