def testStreamingCallbackNotCalled(self, mock_callback): """Tests that registered callbacks are called only on types for which they are registered.""" test_state = state.DFTimewolfState(config.Config) test_state.LoadRecipe(test_recipe.contents) test_state.SetupModules() # DummyModule1's registered StreamingConsumer only consumes Reports, not # TicketAtttributes attributes = containers.TicketAttribute( type_='asd', name='asd', value='asd') test_state.StreamContainer(attributes) mock_callback.assert_not_called()
def SetUp(self, analysis_project_name, remote_project_name, incident_id, zone, boot_disk_size, boot_disk_type, cpu_cores, remote_instance_name=None, disk_names=None, all_disks=False, image_project='ubuntu-os-cloud', image_family='ubuntu-1804-lts'): """Sets up a Google Cloud Platform(GCP) collector. This method creates and starts an analysis VM in the analysis project and selects disks to copy from the remote project. If disk_names is specified, it will copy the corresponding disks from the project, ignoring disks belonging to any specific instances. If remote_instance_name is specified, two behaviors are possible: * If no other parameters are specified, it will select the instance's boot disk * if all_disks is set to True, it will select all disks in the project that are attached to the instance disk_names takes precedence over instance_names Args: analysis_project_name (str): name of the project that contains the analysis VM. remote_project_name (str): name of the remote project where the disks must be copied from. incident_id (str): incident identifier on which the name of the analysis VM will be based. zone (str): GCP zone in which new resources should be created. boot_disk_size (float): size of the analysis VM boot disk (in GB). boot_disk_type (str): Disk type to use [pd-standard, pd-ssd] cpu_cores (int): number of CPU cores to create the VM with. remote_instance_name (Optional[str]): name of the instance in the remote project containing the disks to be copied. disk_names (Optional[str]): Comma separated disk names to copy. all_disks (Optional[bool]): True if all disks attached to the source instance should be copied. image_project (Optional[str]): name of the project where the analysis VM image is hosted. image_family (Optional[str]): name of the image to use to create the analysis VM. """ if not (remote_instance_name or disk_names): self.state.AddError( 'You need to specify at least an instance name or disks to copy', critical=True) return disk_names = disk_names.split(',') if disk_names else [] self.analysis_project = gcp_project.GoogleCloudProject( analysis_project_name, default_zone=zone) self.remote_project = gcp_project.GoogleCloudProject( remote_project_name) self.remote_instance_name = remote_instance_name self.disk_names = disk_names self.incident_id = incident_id self.all_disks = all_disks self._gcp_label = {'incident_id': self.incident_id} analysis_vm_name = 'gcp-forensics-vm-{0:s}'.format(self.incident_id) self.logger.info( 'Your analysis VM will be: {0:s}'.format(analysis_vm_name)) self.logger.info('Complimentary gcloud command:') self.logger.info( 'gcloud compute ssh --project {0:s} {1:s} --zone {2:s}'.format( self.analysis_project.project_id, analysis_vm_name, zone)) self.state.StoreContainer( containers.TicketAttribute( name=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_NAME, type_=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_TYPE, value=analysis_vm_name)) try: # TODO: Make creating an analysis VM optional # pylint: disable=too-many-function-args # pylint: disable=redundant-keyword-arg self.analysis_vm, _ = gcp_forensics.StartAnalysisVm( self.analysis_project.project_id, analysis_vm_name, zone, boot_disk_size, boot_disk_type, int(cpu_cores), image_project=image_project, image_family=image_family) self.analysis_vm.AddLabels(self._gcp_label) self.analysis_vm.GetBootDisk().AddLabels(self._gcp_label) except (RefreshError, DefaultCredentialsError) as exception: msg = ( 'Something is wrong with your Application Default Credentials. ' 'Try running:\n $ gcloud auth application-default login\n') msg += str(exception) self.ModuleError(msg, critical=True)
def SetUp(self, remote_profile_name, remote_zone, incident_id, remote_instance_id=None, volume_ids=None, all_volumes=False, analysis_profile_name=None, analysis_zone=None, boot_volume_size=50, cpu_cores=16, ami=None): """Sets up an Amazon web Services (AWS) collector. This method creates and starts an analysis VM in the AWS account and selects volumes to copy from the target instance / list of volumes passed in parameter. If volume_ids is specified, it will copy the corresponding volumes from the account, ignoring volumes belonging to any specific instances. If remote_instance_id is specified, two behaviors are possible: * If no other parameters are specified, it will select the instance's boot volume. * if all_volumes is set to True, it will select all volumes in the account that are attached to the instance. volume_ids takes precedence over remote_instance_id. Args: remote_profile_name (str): The AWS account in which the volume(s) exist(s). This is the profile name that is defined in your AWS credentials file. remote_zone (str): The AWS zone in which the source volume(s) exist(s). incident_id (str): Incident identifier used to name the analysis VM. remote_instance_id (str): Optional. Instance ID that needs forensicating. volume_ids (str): Optional. Comma-separated list of volume ids to copy. all_volumes (bool): Optional. True if all volumes attached to the source instance should be copied. analysis_profile_name (str): Optional. The AWS account in which to create the analysis VM. This is the profile name that is defined in your AWS credentials file. analysis_zone (str): Optional. The AWS zone in which to create the VM. If not specified, the VM will be created in the same zone where the volume(s) exist(s). boot_volume_size (int): Optional. The size (in GB) of the boot volume for the analysis VM. Default is 50 GB. cpu_cores (int): Optional. The number of CPU cores to use for the analysis VM. Default is 16. ami (str): Optional. The Amazon Machine Image ID to use to create the analysis VM. If not specified, will default to selecting Ubuntu 18.04 TLS. """ if not (remote_instance_id or volume_ids): self.ModuleError( 'You need to specify at least an instance name or volume ids to copy', critical=True) return if not (remote_profile_name and remote_zone): self.ModuleError('You must specify "remote_profile_name" and "zone" ' 'parameters', critical=True) return self.remote_profile_name = remote_profile_name self.remote_zone = remote_zone self.source_account = aws_account.AWSAccount( self.remote_zone, aws_profile=self.remote_profile_name) self.incident_id = incident_id self.remote_instance_id = remote_instance_id self.volume_ids = volume_ids.split(',') if volume_ids else [] self.all_volumes = all_volumes self.analysis_zone = analysis_zone or remote_zone self.analysis_profile_name = analysis_profile_name or remote_profile_name analysis_vm_name = 'aws-forensics-vm-{0:s}'.format(self.incident_id) print('Your analysis VM will be: {0:s}'.format(analysis_vm_name)) self.state.StoreContainer( containers.TicketAttribute( name=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_NAME, type_=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_TYPE, value=analysis_vm_name)) self.analysis_vm, _ = aws_forensics.StartAnalysisVm( analysis_vm_name, self.analysis_zone, boot_volume_size, ami=ami, cpu_cores=cpu_cores, dst_profile=self.analysis_profile_name, )
def SetUp(self, analysis_project_name, remote_project_name, incident_id=None, zone='us-central1-f', create_analysis_vm=True, boot_disk_size=50, boot_disk_type='pd-standard', cpu_cores=4, remote_instance_name=None, disk_names=None, all_disks=False, image_project='ubuntu-os-cloud', image_family='ubuntu-1804-lts'): """Sets up a Google Cloud Platform(GCP) collector. This method creates and starts an analysis VM in the analysis project and selects disks to copy from the remote project. If analysis_project_name is not specified, analysis_project will be same as remote_project. If disk_names is specified, it will copy the corresponding disks from the project, ignoring disks belonging to any specific instances. If remote_instance_name is specified, two behaviors are possible: * If no other parameters are specified, it will select the instance's boot disk * if all_disks is set to True, it will select all disks in the project that are attached to the instance disk_names takes precedence over instance_names Args: analysis_project_name (str): Optional. name of the project that contains the analysis VM. Default is None. remote_project_name (str): name of the remote project where the disks must be copied from. incident_id (Optional[str]): Optional. Incident identifier on which the name of the analysis VM will be based. Default is None, which means add no label and format VM name as "gcp-forensics-vm-{TIMESTAMP('%Y%m%d%H%M%S')}". zone (Optional[str]): Optional. GCP zone in which new resources should be created. Default is us-central1-f. create_analysis_vm (Optional[bool]): Optional. Create analysis VM in the analysis project. Default is True. boot_disk_size (Optional[float]): Optional. Size of the analysis VM boot disk (in GB). Default is 50. boot_disk_type (Optional[str]): Optional. Disk type to use. Default is pd-standard. cpu_cores (Optional[int]): Optional. Number of CPU cores to create the VM with. Default is 4. remote_instance_name (Optional[str]): Optional. Name of the instance in the remote project containing the disks to be copied. disk_names (Optional[str]): Optional. Comma separated disk names to copy. all_disks (Optional[bool]): Optional. True if all disks attached to the source instance should be copied. image_project (Optional[str]): Optional. Name of the project where the analysis VM image is hosted. image_family (Optional[str]): Optional. Name of the image to use to create the analysis VM. """ if not (remote_instance_name or disk_names): self.ModuleError( 'You need to specify at least an instance name or disks to copy', critical=True) return disk_names = disk_names.split(',') if disk_names else [] self.remote_project = gcp_project.GoogleCloudProject( remote_project_name, default_zone=zone) if analysis_project_name: self.analysis_project = gcp_project.GoogleCloudProject( analysis_project_name, default_zone=zone) else: self.analysis_project = self.remote_project self.remote_instance_name = remote_instance_name self.disk_names = disk_names self.all_disks = all_disks if incident_id: self.incident_id = incident_id self._gcp_label = {'incident_id': self.incident_id} try: if self.remote_instance_name: self.remote_project.compute.GetInstance( self.remote_instance_name) except ResourceNotFoundError as exception: self.ModuleError( message='Instance "{0:s}" not found or insufficient permissions' .format(self.remote_instance_name), critical=True) return if create_analysis_vm: if self.incident_id: analysis_vm_name = 'gcp-forensics-vm-{0:s}'.format( self.incident_id) else: analysis_vm_name = common.GenerateUniqueInstanceName( 'gcp-forensics-vm', common.COMPUTE_NAME_LIMIT) self.logger.info( 'Your analysis VM will be: {0:s}'.format(analysis_vm_name)) self.logger.info('Complimentary gcloud command:') self.logger.info( 'gcloud compute ssh --project {0:s} {1:s} --zone {2:s}'.format( self.analysis_project.project_id, analysis_vm_name, self.analysis_project.default_zone)) self.state.StoreContainer( containers.TicketAttribute( name=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_NAME, type_=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_TYPE, value=analysis_vm_name)) try: # pylint: disable=too-many-function-args # pylint: disable=redundant-keyword-arg self.analysis_vm, _ = gcp_forensics.StartAnalysisVm( self.analysis_project.project_id, analysis_vm_name, self.analysis_project.default_zone, boot_disk_size, boot_disk_type, int(cpu_cores), image_project=image_project, image_family=image_family) if self._gcp_label: self.analysis_vm.AddLabels(self._gcp_label) self.analysis_vm.GetBootDisk().AddLabels(self._gcp_label) except (RefreshError, DefaultCredentialsError) as exception: msg = ( 'Something is wrong with your Application Default Credentials. ' 'Try running:\n $ gcloud auth application-default login\n' ) msg += str(exception) self.ModuleError(msg, critical=True)
def SetUp(self, remote_profile_name, analysis_resource_group_name, incident_id, ssh_public_key, remote_instance_name=None, disk_names=None, all_disks=False, analysis_profile_name=None, analysis_region=None, boot_disk_size=50, cpu_cores=4, memory_in_mb=8192): """Sets up a Microsoft Azure collector. This method creates and starts an analysis VM in the analysis account and selects disks to copy from the remote account. If disk_names is specified, it will copy the corresponding disks from the account, ignoring disks belonging to any specific instances. If remote_instance_name is specified, two behaviors are possible: * If no other parameters are specified, it will select the instance's boot disk * if all_disks is set to True, it will select all disks in the account that are attached to the instance disk_names takes precedence over instance_names Args: remote_profile_name (str): The Azure account in which the disk(s) exist(s). This is the profile name that is defined in your credentials file. analysis_resource_group_name (str): The Azure resource group name in which to create the VM. incident_id (str): Incident identifier used to name the analysis VM. ssh_public_key (str): The public SSH key to attach to the instance. remote_instance_name (str): Instance ID that needs forensicating. disk_names (str): Comma-separated list of disk names to copy. all_disks (bool): True if all disk attached to the source instance should be copied. analysis_profile_name (str): The Azure account in which to create the analysis VM. This is the profile name that is defined in your credentials file. analysis_region (str): The Azure region in which to create the VM. boot_disk_size (int): Optional. The size (in GB) of the boot disk for the analysis VM. Default is 50 GB. cpu_cores (int): Optional. The number of CPU cores to use for the analysis VM. Default is 4. memory_in_mb (int): Optional. The amount of memory in mb to use for the analysis VM. Default is 8Gb. """ if not (remote_instance_name or disk_names): self.ModuleError( 'You need to specify at least an instance name or disks to copy', critical=True) return if not ssh_public_key: self.ModuleError( 'You need to specify a SSH public key to add to the ' 'VM.', critical=True) return if not (remote_profile_name and analysis_resource_group_name): self.ModuleError( 'You must specify "remote_profile_name" and ' '"analysis_resource_group_name" parameters', critical=True) return self.remote_profile_name = remote_profile_name self.analysis_resource_group_name = analysis_resource_group_name self.analysis_profile_name = analysis_profile_name self.source_account = account.AZAccount( self.analysis_resource_group_name, profile_name=self.remote_profile_name) self.incident_id = incident_id self.remote_instance_name = remote_instance_name self.disk_names = disk_names.split(',') if disk_names else [] self.all_disks = all_disks self.analysis_region = analysis_region self.analysis_profile_name = analysis_profile_name or remote_profile_name analysis_vm_name = 'azure-forensics-vm-{0:s}'.format(self.incident_id) print('Your analysis VM will be: {0:s}'.format(analysis_vm_name)) self.state.StoreContainer( containers.TicketAttribute( name=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_NAME, type_=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_TYPE, value=analysis_vm_name)) self.analysis_vm, _ = az_forensics.StartAnalysisVm( self.analysis_resource_group_name, analysis_vm_name, boot_disk_size, ssh_public_key=ssh_public_key, cpu_cores=cpu_cores, memory_in_mb=memory_in_mb, region=self.analysis_region, dst_profile=self.analysis_profile_name, )