def test_select(self, out_dir, data):
store = forensicstore.open(data +
"/forensicstore/example1.forensicstore")
assert len(list(store.select([{"type": "file"}]))) == 2
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_all(self, out_dir, data):
store = forensicstore.open(data +
"/forensicstore/example1.forensicstore")
assert len(list(store.all())) == 7
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_add_column(self, out_dir, data):
store = forensicstore.open(data +
"/forensicstore/example1.forensicstore")
store.update("process--920d7c41-0fef-4cf8-bce2-ead120f6b506",
{"new_column": "foo"})
assert len(list(store.all())) == 7
first = store.get("process--920d7c41-0fef-4cf8-bce2-ead120f6b506")
assert first == {
"id": "process--920d7c41-0fef-4cf8-bce2-ead120f6b506",
"artifact": "IPTablesRules",
"type": "process",
"name": "iptables",
"created_time": "2016-01-20T14:11:25.550Z",
"cwd": "/root/",
"command_line": "/sbin/iptables -L -n -v",
"stdout_path": "IPTablesRules/stdout",
"stderr_path": "IPTablesRules/stderr",
"return_code": 0,
"new_column": "foo"
}
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def run(self):
# do we have a key list for decryption?
encryption_keys = []
if self.args.keyfile:
try:
with open(self.args.keyfile, 'r') as keyfile:
encryption_keys = encryption_handlers.read_key_list(
keyfile)
except OSError as err:
LOGGER.error("Could not open key file: %s", err.strerror)
extractor = None
store_file = self.args.output_store
print("Using output forensicstore:", store_file)
store = forensicstore.open(store_file)
try:
handler = encryption_handlers.ConsoleEncryptionHandler(
encryption_keys)
extractor = ArtifactExtractor(self.args.input_evidence, store,
self.artifact_registry, handler,
self.args.zip_mode)
to_extract = [
a.strip() for a in self.args.artifact_names.split(',')
]
for artifact in to_extract:
print("Extract %s" % artifact)
extractor.extract_artifact(artifact)
except Exception as error:
LOGGER.exception("Uncaught exception during job: %s", error)
finally:
store.close()
if extractor:
extractor.clean_up()
def main(url):
print(json.dumps({"header": ["Name", "Command", "SID", "Key"]}))
store = forensicstore.open(url)
hklmsw = "HKEY_LOCAL_MACHINE\\Software\\"
hkusw = "HKEY_USERS\\%\\Software\\"
conditions = [
{'key': hklmsw + r"Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
{'key': hklmsw + r"Microsoft\Windows\CurrentVersion\Run"},
{'key': hklmsw + r"Microsoft\Windows\CurrentVersion\RunOnce"},
{'key': hklmsw + r"Microsoft\Windows\CurrentVersion\RunOnce\Setup"},
{'key': hklmsw + r"Microsoft\Windows\CurrentVersion\RunOnceEx"},
{'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Run"},
{'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"},
{'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup"},
{'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx"},
{'key': hklmsw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
{'key': hkusw + r"Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
{'key': hkusw + r"Microsoft\Windows\CurrentVersion\Run"},
{'key': hkusw + r"Microsoft\Windows\CurrentVersion\RunOnce"},
{'key': hkusw + r"Microsoft\Windows\CurrentVersion\RunOnce\Setup"},
{'key': hkusw + r"Microsoft\Windows\CurrentVersion\RunOnceEx"},
{'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
{'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\Run"},
{'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"},
{'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup"},
{'key': hkusw + r"Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx"}
]
items = store.select(conditions)
for result in transform(items):
print(json.dumps(result))
store.close()
def __init__(self, forensicstore_path: str):
"""
Initializes forensicstore wrapper class.
:param forensicstore_path: Path to an existing forensicstore.
"""
self.forensicstore_path = forensicstore_path
self._fs_store = forensicstore.open(self.forensicstore_path)
def main(url):
LOGGER.debug("process usb")
store = forensicstore.open(url)
usb_usage_data = USBForensicStoreExtractor(store).get_usb_usage_data()
for result in usb_usage_data:
result["type"] = "usb-device"
print(json.dumps(result))
store.close()
def main(url):
store = forensicstore.open(url)
conditions = [{
'key':
"HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Services\\%"
}]
items = list(store.select(conditions))
for result in transform(items):
print(json.dumps(result))
store.close()
def __init__(self, url, sigmaconfig):
if not os.path.exists(sigmaconfig):
raise FileNotFoundError(sigmaconfig)
if not os.path.exists(url):
raise FileNotFoundError(url)
self.table = "elements"
self.store = forensicstore.open(url)
self.config = SigmaConfiguration(open(sigmaconfig))
self.SQL = ForensicStoreBackend(self.config)
def test_query_fts(self, out_dir, data):
store = forensicstore.open(data +
"/forensicstore/example1.forensicstore")
res = list(
store.query(
'SELECT json FROM elements WHERE elements MATCH (\'"IPTablesRules" OR "powershell"\')'
))
assert len(res) == 2
print(res[0].keys())
assert res[0]['id'] == "process--920d7c41-0fef-4cf8-bce2-ead120f6b506"
assert res[1]['id'] == "process--9da4aa39-53b8-412e-b3cd-6b26c772ad4d"
def main(url):
store = forensicstore.open(url)
conditions = [{
'key':
"HKEY_LOCAL_MACHINE\\System\\%ControlSet%\\Control\\Session Manager\\AppCompat%"
}]
items = store.select(conditions)
for item in items:
results = transform(item)
for result in results:
print(json.dumps(result))
store.close()
def Open(self):
"""Connects to the database and creates the required tables.
Raises:
IOError: if the specified output file already exists.
OSError: if the specified output file already exists.
ValueError: if the filename is not set.
"""
if not self._filename:
raise ValueError('Missing filename.')
self._store = forensicstore.open(self._filename)
def main(url):
print(json.dumps({
"header": ['Name', 'Description', 'DisplayName', 'Group', 'Start Mode',
'Service Type', 'ImagePath', 'Service DLL',
'Service Key Changed', 'Parameters Key Changed', 'Source Key']}))
store = forensicstore.open(url)
conditions = [{'key': "HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Services\\%"}]
items = list(store.select(conditions))
for result in transform(items):
print(json.dumps(result))
store.close()
def test_import_image(tmp):
return
client = docker.from_env()
# build image
image_tag = "test_artifacts"
image, _ = client.images.build(path="import-image/", tag=image_tag)
store = forensicstore.new(os.path.join(tmp, "input.forensicstore"))
store.close()
# run image
store_path = os.path.abspath(tmp)
store_path_unix = to_unix_path(store_path)
import_path = os.path.abspath(os.path.join(tmp, INPUT_IMAGE_SUBDIR))
import_path_unix = to_unix_path(import_path)
volumes = {
store_path_unix: {
'bind': '/input',
'mode': 'rw'
},
import_path_unix: {
'bind': '/input/' + INPUT_IMAGE_SUBDIR,
'mode': 'ro'
}
}
container = client.containers.run(
image_tag,
command=["--input-file", "win10_mock.vhd"],
volumes=volumes,
detach=True,
)
result = container.wait()
out = container.logs()
container.remove()
print(out.decode("utf-8"))
assert result["StatusCode"] == 0
# test results
store = forensicstore.open(os.path.join(store_path, "input.forensicstore"))
items = list(store.all())
store.close()
# shutil.copyfile(os.path.join(store_path, "input.forensicstore"), "./input.forensicstore")
assert len(items) == 1832
# cleanup
try:
shutil.rmtree(tmp)
except PermissionError:
pass
def __init__(self, source_paths: List[str], url: str,
artifact_registry: Registry,
encryption_handler: dfvfs_helper.EncryptionHandler):
self.dfvfs_list = []
self.artifact_registry = artifact_registry
self.tmp_dir = None
new_source_path = source_paths[0]
self.dfvfs_list = [
dfvfs_helper.DFVFSHelper(new_source_path, encryption_handler)
]
self.encryption_handler = encryption_handler
# noinspection PyTypeChecker
self.store = forensicstore.open(url)
def main(url):
store = forensicstore.open(url)
conditions = [{
'key':
r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%"
}, {
'key':
r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Services\Tcpip\Parameters\Interfaces\%"
}]
items = store.select(conditions)
for result in transform(items):
print(json.dumps(result))
store.close()
def main(url):
store = forensicstore.open(url)
conditions = [{
'key':
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%"
}, {
'key':
"HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%"
}]
for item in store.select(conditions):
results = transform(item)
for result in results:
print(json.dumps(result))
store.close()
def main(url):
print(json.dumps({"header": ["Hotfix", "Installed", "Source", "Component"]}))
LOGGER.debug("search for hotfixes")
store = forensicstore.open(url)
hklmsw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
conditions = [
{'key': hklmsw + "Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\%"},
{'key': hklmsw + "WOW6432Node\\Microsoft\\Updates\\%\\%"},
{'key': hklmsw + "Microsoft\\Updates\\%\\%"}
]
for item in store.select(conditions):
for result in transform(item):
print(json.dumps(result))
store.close()
def test_insert(self, out_dir, data):
store = forensicstore.open(data +
"/forensicstore/example1.forensicstore")
assert len(list(store.all())) == 7
store.insert({
"type": "foo",
"id": "foo--2cd66ab1-9b85-4110-8d77-4b6906819693"
})
assert len(list(store.all())) == 8
assert store.get("foo--2cd66ab1-9b85-4110-8d77-4b6906819693") == {
"type": "foo",
"id": "foo--2cd66ab1-9b85-4110-8d77-4b6906819693"
}
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def main(url):
print(json.dumps({
"header": ["Name", "Version", "Publisher", "InstallDate",
"Source", "Location", "Uninstall", "Key", "Key Timestamp"]}))
store = forensicstore.open(url)
conditions = [{
'key': "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%"
}, {
'key': "HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%"
}]
for item in store.select(conditions):
results = transform(item)
for result in results:
print(json.dumps(result))
store.close()
def test_add_type_add_column(self, out_dir, data):
store = forensicstore.open(data +
"/forensicstore/example1.forensicstore")
element_id = store.insert({"type": "foo"})
store.update(element_id, {"new_column": '"foo"'})
first = store.get(element_id)
assert first == {
"id": element_id,
"new_column": '"foo"',
"type": "foo",
}
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def main(url):
print(
json.dumps({
"header": [
"vendor_name", "product_name", "usb_revision", "usb_uid",
"volume_guid", "user_sid"
],
}))
LOGGER.debug("process usb")
store = forensicstore.open(url)
usb_usage_data = USBForensicStoreExtractor(store).get_usb_usage_data()
for result in usb_usage_data:
result["type"] = "usb-device"
print(json.dumps(result))
store.close()
def test_docker(tmp):
client = docker.from_env()
# build image
image_tag = "test_artifacts"
image, _ = client.images.build(path="import-image/", tag=image_tag)
store = forensicstore.new(os.path.join(tmp, "input.forensicstore"))
store.close()
# run image
store_path = os.path.abspath(tmp)
store_path_unix = to_unix_path(store_path)
import_path = os.path.abspath(os.path.join(tmp, "in"))
import_path_unix = to_unix_path(import_path)
volumes = {
store_path_unix: {
'bind': '/store',
'mode': 'rw'
},
import_path_unix: {
'bind': '/data',
'mode': 'ro'
}
}
out = client.containers.run(image_tag,
command=["input.forensicstore"],
volumes=volumes,
stderr=True).decode("ascii")
# print(out)
# test results
store = forensicstore.open(os.path.join(store_path, "input.forensicstore"))
items = list(store.all())
store.close()
shutil.copyfile(os.path.join(store_path, "input.forensicstore"),
"./input.forensicstore")
# assert len(items) == 8
# cleanup
try:
shutil.rmtree(tmp)
except PermissionError:
pass
def main():
parser = argparse.ArgumentParser(
description='parse key pairs into a dictionary')
parser.add_argument("--filter",
dest="filter",
action=StoreDictKeyPair,
metavar="type=file,name=System.evtx...")
args, _ = parser.parse_known_args(sys.argv[1:])
if args.filter is None:
args.filter = [{"type": "file"}]
store = forensicstore.open("/elementary/input.forensicstore")
files = []
tmpdir = tempfile.mkdtemp()
selected = list(store.select(args.filter))
for item in selected:
if "export_path" in item:
dst_path = os.path.join(tmpdir, item["export_path"].strip("/"))
os.makedirs(os.path.dirname(dst_path), exist_ok=True)
with store.load_file(item["export_path"]) as src, open(
dst_path, "wb") as dest:
dest.write(src.read())
files.append(dst_path)
store.close()
os.makedirs("Plaso", exist_ok=True)
for file in files:
subprocess.run([
"log2timeline.py", "--status_view", "none", "--logfile",
"test.log", "Plaso/events.plaso", file
],
check=True)
# TODO: add logfile to forensicstore
subprocess.run([
"psort.py", "--status_view", "none", "-o", "forensicstore", "-w",
"/elementary/input.forensicstore", "Plaso/events.plaso"
],
check=True)
def main(rules_dir):
paths = {}
for rule in os.listdir(rules_dir):
if rule.endswith(".yar") or rule.endswith(".yara"):
paths[rule] = os.path.join(rules_dir, rule)
rules = yara.compile(filepaths=paths)
store = forensicstore.open("/input/input.forensicstore")
for path in store.fs.walk.files():
with store.fs.open(path, mode='rb') as io:
data = io.read()
for match in rules.match(data=data):
print(
json.dumps({
"type": "alert",
"subtype": "yara",
"file": path,
"name": match.rule
}))
store.close()
def main(url):
print(
json.dumps({
"header": [
"GUID", "DHCP", "IPs", "SubNetMask", "NameServer",
"IP Key Changed", "Network Key Changed", "Friendly Name"
]
}))
store = forensicstore.open(url)
conditions = [{
'key':
r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%"
}, {
'key':
r"HKEY_LOCAL_MACHINE\SYSTEM\%ControlSet%\Services\Tcpip\Parameters\Interfaces\%"
}]
items = store.select(conditions)
for result in transform(items):
print(json.dumps(result))
store.close()
def test_docker(data):
client = docker.from_env()
# build image
image_tag = "test_docker"
image, _ = client.images.build(path="plaso/", tag=image_tag)
# run image
store_path = os.path.abspath(os.path.join(data, "input.forensicstore"))
store_path_unix = store_path
if store_path[1] == ":":
store_path_unix = "/" + store_path.lower()[0] + store_path[2:].replace(
"\\", "/")
volumes = {
store_path_unix: {
'bind': '/elementary/input.forensicstore',
'mode': 'rw'
}
}
output = client.containers.run(image_tag,
command=[
"--filter",
"artifact=WindowsDeviceSetup",
"input.forensicstore"
],
volumes=volumes,
stderr=True,
stdout=True)
print(output)
# test results
store = forensicstore.open(store_path)
items = list(store.select([{"type": "event"}]))
store.close()
assert len(items) == 69
# cleanup
try:
shutil.rmtree(data)
except PermissionError:
pass
def test_save(self, out_dir, data):
store = forensicstore.open(data +
"/forensicstore/example1.forensicstore")
store.close()
shutil.rmtree(out_dir)
shutil.rmtree(data)
def test_get_not_existing(self, out_dir, data):
with pytest.raises(forensicstore.forensicstore.StoreNotExitsError):
forensicstore.open(data + "/non_existing.forensicstore")
shutil.rmtree(out_dir)
shutil.rmtree(data)
def main():
root_parser = argparse.ArgumentParser(description='Handle forensicstores')
root_subparsers = root_parser.add_subparsers(dest='root_command')
root_subparsers.required = True
create_parser = root_subparsers.add_parser("create")
create_parser.add_argument('store')
import_parser = root_subparsers.add_parser("import")
import_parser.add_argument('url')
import_parser.add_argument('store')
validate_parser = root_subparsers.add_parser("validate")
validate_parser.add_argument('store')
validate_parser.add_argument('--no-fail',
action='store_true',
dest="nofail")
element_parser = root_subparsers.add_parser("element")
element_subparsers = element_parser.add_subparsers(dest='command')
element_subparsers.required = True
get_parser = element_subparsers.add_parser("get")
get_parser.add_argument('id')
get_parser.add_argument('store')
select_parser = element_subparsers.add_parser("select")
select_parser.add_argument('type')
select_parser.add_argument('store')
all_parser = element_subparsers.add_parser("all")
all_parser.add_argument('store')
insert_parser = element_subparsers.add_parser("insert")
insert_parser.add_argument('json')
insert_parser.add_argument('store')
update_parser = element_subparsers.add_parser("update")
update_parser.add_argument('id')
update_parser.add_argument('json')
update_parser.add_argument('store')
args = root_parser.parse_args()
if args.root_command == "create":
store = forensicstore.new(args.store)
store.close()
elif args.root_command == "validate":
store = forensicstore.open(args.store)
errors = store.validate()
if errors:
print(json.dumps(errors))
if args.nofail:
sys.exit(0)
sys.exit(len(errors))
elif args.root_command == "element":
if args.command == "get":
store = forensicstore.open(args.store)
element = store.get(args.id)
print(json.dumps(element))
store.close()
elif args.command == "select":
store = forensicstore.open(args.store)
elements = list(store.select([{"type": args.type}]))
print(json.dumps(elements))
store.close()
elif args.command == "all":
store = forensicstore.open(args.store)
elements = list(store.all())
print(json.dumps(elements))
store.close()
elif args.command == "insert":
store = forensicstore.open(args.store)
element = store.insert(json.loads(args.json))
print(json.dumps(element))
store.close()
elif args.command == "update":
store = forensicstore.open(args.store)
print(args.json)
element = store.update(args.id, json.loads(args.json))
print(json.dumps(element))
store.close()
else:
NotImplementedError("Sub command %s does not exist" % args.command)
else:
NotImplementedError("Command %s does not exist" % args.root_command)
