def startUp(self, context):
self.context = context
#Show parameters that are passed in
self.log(Level.INFO, "Username =====>" + str(self.userName))
self.log(Level.INFO, "password =====>" + str(self.password))
self.log(Level.INFO, "IP Address =====>" + str(self.IP_Address))
self.log(Level.INFO, "Port_Number =====>" + str(self.Port_Number))
self.log(Level.INFO, "Sketch Name =====> " + str(self.sketchName))
self.log(Level.INFO, "sketch Description =====> " + str(self.sketchDescription))
# Check to see if the file to execute exists, if it does not then raise an exception and log error
# data is taken from the UI
if PlatformUtil.isWindowsOS():
self.path_to_Timesketch_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "timesketch_autopsy.exe")
if not os.path.exists(self.path_to_Timesketch_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_Timesketch_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Timesketch_Autopsy")
if not os.path.exists(self.path_to_Timesketch_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Export_EVTX")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux executable was not found in module folder")
if self.local_settings.getFlag():
self.List_Of_Events.append('ALL')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
else:
if self.local_settings.getFlag4():
#self.List_Of_Events.append('Other')
Event_List = self.local_settings.getArea().split()
self.log(Level.INFO, "Event List ==> " + str(Event_List))
for evt in Event_List:
self.List_Of_Events.append(str(evt))
#self.Event_Id_List = "','".join(self.List_Of_Events)
self.Event_Id_List = self.local_settings.getArea().replace(',','\',\'')
self.Event_Id_List.replace(',','\',\'')
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_jl_ad.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"EXE was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'Export_JL_Ad')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
self.path_to_app_id_db = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"Jump_List_App_Ids.db3")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
#Show parameters that are passed in
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"fseparser_v2.1.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "FSEParser_V2.1")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
self.MacFSEvents_Executable = self.path_to_exe
self.log(Level.INFO,
"MacFSEvents Executable ==> " + self.MacFSEvents_Executable)
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
# Determine if user configured a flag in UI
if self.local_settings.getFlag():
self.stanpl = True
else:
self.stanpl = False
# Counters
self.jobId = context.getJobId()
self.filesFound = 0
self.dbFound = 0
self.picFound = 0
self.jsonFound = 0
self.lastFile_rep = ''
self.el_rep = None
self.lastFile = ''
self.el = None
# Inits the xml element
self.root = et.Element("androidgeodata")
self.root_report = et.Element("report")
# File where the xml is stored
self.xmlname = os.path.join( Case.getCurrentCase().getReportDirectory(), Case.getCurrentCase().getName()+"_"+str(self.jobId))
# Checks whether the JSON file exists, if not the module doesn't run
path_to_dict = os.path.dirname(os.path.abspath(__file__)) + '/dictionary.json'
if not os.path.exists(path_to_dict):
raise IngestModuleException("The dictionary file was not found in module folder")
else:
try:
self.dict = json.load( open(path_to_dict) )
except:
raise IngestModuleException("The dictionary file was not loaded")
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"amcache_parser.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'amcache_parser')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
if self.local_settings.getSetting('associateFileEntries') == 'true':
self.List_Of_tables.append('associated_file_entries')
if self.local_settings.getSetting('programEntries') == 'true':
self.List_Of_tables.append('program_entries')
if self.local_settings.getSetting('unassociatePrograms') == 'true':
self.List_Of_tables.append('unassociated_programs')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(
Level.INFO,
str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables)))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to executable based on where this script is run from.
# Assumes executable is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_esedb.exe")
if not os.path.exists(self.pathToExe):
raise IngestModuleException(
"export_esedb.exe was not found in module folder")
if not os.path.exists(
os.path.join(os.path.dirname(os.path.abspath(__file__)),
"export_esedb_records.exe")):
raise IngestModuleException(
"export_esedb_records.exe was not found in module folder")
else:
self.pathToExe2 = os.path.dirname(os.path.abspath(__file__))
self.pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_esedb")
if not os.path.exists(self.pathToExe):
raise IngestModuleException(
"export_esedb was not found in module folder")
if not os.path.exists(
os.path.join(os.path.dirname(os.path.abspath(__file__)),
"export_esedb_records")):
raise IngestModuleException(
"export_esedb_records was not found in module folder")
def startUp(self, context):
self.context = context
if not PlatformUtil.isWindowsOS():
raise IngestModuleException("Not running on Windows")
self.EXE_PATH = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
"w10-facemessenger.exe")
if not os.path.exists(self.EXE_PATH):
raise IngestModuleException(
"w10-facemessenger.exe was not found in module folder")
self.CSV_DELIMITER = "\x1E" # ASCII non-printing character 30 (Record Separator)
self._startUpAttributeTypes()
def startUp(self, context):
self.context = context
#Show parameters that are passed in
self.log(
Level.INFO,
"Plaso directory ==> " + self.local_settings.getPlaso_Directory())
self.log(
Level.INFO, "Plaso Storage File ==> " +
self.local_settings.getPlaso_Storage_File())
self.exclude_file_sources = self.local_settings.getExclude_File_Sources(
)
if self.local_settings.getExclude_File_Sources():
self.log(Level.INFO,
"Exclude File Information from import process")
else:
self.log(Level.INFO, "Include File Information in import process")
# Create path to plaso storage file
if self.local_settings.getRun_Plaso():
self.log(Level.INFO, "This is a plaso run")
self.run_plaso = True
self.vss_opt = self.local_settings.getComboBox()
if (self.vss_opt == "VSS Only"):
self.vss_option = "--vss_only"
elif (self.vss_opt == "No VSS"):
self.vss_option = "--no_vss"
else:
self.vss_option = "--vss_stores"
else:
self.run_plaso = False
self.log(Level.INFO, "This is a plaso import run")
self.log(Level.INFO, self.local_settings.getPlaso_Storage_File())
self.path_to_storage_file = self.local_settings.getPlaso_Storage_File(
)
# Check to see if the file to execute exists, if it does not then raise an exception and log error
# data is taken from the UI
self.path_to_exe_psort = os.path.join(
self.local_settings.getPlaso_Directory(), "psort.exe")
if not os.path.exists(self.path_to_exe_psort):
raise IngestModuleException(
"Psort File to Run/execute does not exist.")
self.path_to_exe_log2t = os.path.join(
self.local_settings.getPlaso_Directory(), "log2timeline.exe")
if not os.path.exists(self.path_to_exe_log2t):
raise IngestModuleException(
"log2timeline File to Run/execute does not exist.")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_SRUDB.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "Export_SRUDB")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
if self.local_settings.getSetting('all') == 'true':
self.List_Of_SRUDB.append('application_resource_usage')
self.List_Of_SRUDB.append('energy_estimation_provider')
self.List_Of_SRUDB.append('energy_usage_data')
self.List_Of_SRUDB.append('network_connectivity')
self.List_Of_SRUDB.append('network_usage')
self.List_Of_SRUDB.append('windows_push_notification')
#self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", "All Events CHecked")
else:
#self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", "No Boxes Checked")
if self.local_settings.getSetting(
'application_resource_usage') == 'true':
self.List_Of_SRUDB.append('application_resource_usage')
if self.local_settings.getSetting(
'energy_estimation_provider') == 'true':
self.List_Of_SRUDB.append('energy_estimation_provider')
if self.local_settings.getSetting('energy_usage_data') == 'true':
self.List_Of_SRUDB.append('energy_usage_data')
if self.local_settings.getSetting(
'network_connectivity') == 'true':
self.List_Of_SRUDB.append('network_connectivity')
if self.local_settings.getSetting('network_usage') == 'true':
self.List_Of_SRUDB.append('network_usage')
if self.local_settings.getSetting(
'windows_push_notification') == 'true':
self.List_Of_SRUDB.append('windows_push_notification')
#self.logger.logp(Level.INFO, Parse_SRUDBWithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(Level.INFO, str(self.List_Of_SRUDB))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "export_Webcache.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'Export_Webcache')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
def startUp(self, context):
self.context = context
if PlatformUtil.isWindowsOS():
self.pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "fb_chat.exe")
if not os.path.exists(self.pathToExe):
raise IngestModuleException(
"fb_chat.exe was not found in module folder")
else:
self.pathToExe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "fb_chat")
if not os.path.exists(self.pathToExe):
raise IngestModuleException(
"fb_chat was not found in module folder")
def startUp(self, context):
self.context = context
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "appxreg.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Windows Executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), 'Appxreg')
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux Executable was not found in module folder")
pass
def startUp(self, context):
self.context = context
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "appxreg.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "amcache_parser.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
if self.local_settings.getFlag():
self.List_Of_tables.append('associated_file_entries')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
if self.local_settings.getFlag1():
self.List_Of_tables.append('program_entries')
if self.local_settings.getFlag2():
self.List_Of_tables.append('unassociated_programs')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(
Level.INFO,
str(self.List_Of_tables) + " >> " + str(len(self.List_Of_tables)))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
if self.local_settings.getFlag():
self.List_Of_Events.append('ALL')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
else:
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "No Boxes Checked")
if self.local_settings.getFlag1():
self.List_Of_Events.append('Application.Evtx')
if self.local_settings.getFlag2():
self.List_Of_Events.append('Security.Evtx')
if self.local_settings.getFlag3():
self.List_Of_Events.append('System.Evtx')
if self.local_settings.getFlag4():
self.List_Of_Events.append('Other')
Event_List = self.local_settings.getArea().split()
for evt in Event_List:
self.List_Of_Events.append(str(evt))
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
self.log(Level.INFO, str(self.List_Of_Events))
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
self.API_Key = self.local_settings.getAPI_Key()
self.Private = self.local_settings.getPrivate()
self.root_file_exists = 0
self.root_file_count = 0
self.inventory_application_file_exists = 0
self.inventory_application_file_count = 0
self.count = 0
self.sum = 0
#Record Parameters
self.log(Level.INFO, "API_Key: " + str(self.API_Key))
self.log(Level.INFO, "Private: " + str(self.Private))
self.my_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "amcache2sqlite.exe")
if not os.path.exists(self.my_exe):
raise IngestModuleException("EXE was not found in module folder")
#create my tables
self.List_Of_tables.append('root_file')
self.List_Of_tables.append('root_programs')
self.List_Of_tables.append('inventory_application_file')
self.List_Of_tables.append('inventory_device_container')
self.List_Of_tables.append('inventory_device_pnp')
self.List_Of_tables.append('inventory_driver_binary')
self.List_Of_tables.append('inventory_driver_package')
self.List_Of_tables.append('inventory_application_shortcut')
#self.List_Of_tables.append('inventory_application_framework')
self.List_Of_tables.append('root_file_virustotal_scan')
self.List_Of_tables.append('inventory_application_file_virustotal_scan')
def startUp(self, context):
self.context = context
#Show parameters that are passed in
self.log(
Level.INFO,
"Plaso directory ==> " + self.local_settings.getPlaso_Directory())
self.log(
Level.INFO, "Plaso Storage File ==> " +
self.local_settings.getPlaso_Storage_File())
self.exclude_file_sources = self.local_settings.getExclude_File_Sources(
)
if self.local_settings.getExclude_File_Sources():
self.log(Level.INFO,
"Exclude File Information from import process")
else:
self.log(Level.INFO, "Include File Information in import process")
# Create path to plaso storage file
self.path_to_storage_file = self.local_settings.getPlaso_Storage_File()
# Check to see if the file to execute exists, if it does not then raise an exception and log error
# data is taken from the UI
self.path_to_exe = os.path.join(
self.local_settings.getPlaso_Directory(), "psort.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Psort File to Run/execute does not exist.")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
#Show parameters that are passed in
self.MacFSEvents_Executable = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "fseparser_v2.0.exe")
self.Plugins = self.local_settings.getPluginListBox()
self.log(Level.INFO,
"MacFSEvents Executable ==> " + self.MacFSEvents_Executable)
self.log(Level.INFO,
"MacFSEvents Plugins to use ==> " + str(self.Plugins))
# for plugin in self.Plugins:
# if plugin in self.Plugins_for_SQL:
# self.Plugins_for_SQL(plugin)
# if plugin_count < len(self.Plugins):
# plugin_count = 0
# for plugin in self.Plugins_for_SQL:
# self.Plugin_Like_Stmt = self.Plugin_Like_Stmt + " mask like '%" + plugin + "%' "
# if plugin_count < len(self.Plugins):
# self.Plugin_Like_Stmt = Self.Plugin_Like_Stmt + " or "
# Check to see if the file to execute exists, if it does not then raise an exception and log error
# data is taken from the UI
if not os.path.exists(self.MacFSEvents_Executable):
raise IngestModuleException(
"FSEvents File to Run/execute does not exist.")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
"""Where module setup and configuration is done
Args:
context (IngestJobContext): Context of the ingest module
"""
self.log(Level.INFO, "GBoard Data Source Ingest Module is starting up...")
# setup the current context
self.context = context
# check if executable exists
module_path = os.path.dirname(os.path.abspath(__file__))
exe_ext = '.exe' if 'win' in System.getProperty("os.name").encode('ascii','ignore').lower() else ''
self.path_to_exe = os.path.join(module_path, 'gboard-forensics' + exe_ext)
if not os.path.exists(self.path_to_exe):
raise IngestModuleException('Executable file not found!')
try:
current_case = Case.getCurrentCaseThrows()
# create artifacts
self.dictionary_art_type = self.createCustomArtifactType(current_case, self.GBOARD_DICTIONARY_ARTIFACT, 'Gboard Dictionary')
self.tc_history_timeline_art_type = self.createCustomArtifactType(current_case, self.GBOARD_TC_HISTORY_TIMELINE_ARTIFACT, 'Gboard History Timeline')
self.tc_raw_assembled_timeline_art_type = self.createCustomArtifactType(current_case, self.GBOARD_TC_RAW_ASSEMBLED_TIMELINE_ARTIFACT, 'Gboard Assembled Timeline')
self.tc_processed_history_art_type = self.createCustomArtifactType(current_case, self.GBOARD_TC_PROCESSED_HISTORY_ARTIFACT, 'Gboard Processed History')
self.emojis_art_type = self.createCustomArtifactType(current_case, self.GBOARD_EMOJIS_ARTIFACT, 'Gboard Expression History: Emojis')
self.emoticons_art_type = self.createCustomArtifactType(current_case, self.GBOARD_EMOTICONS_ARTIFACT, 'Gboard Expression History: Emoticons')
self.translate_art_type = self.createCustomArtifactType(current_case, self.GBOARD_TRANSLATE_ARTIFACT, 'Gboard Translate Cache')
# emojis and emoticons attributes
self.expression_shares_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_EXPRESSION_SHARES_ATTRIBUTE, 'Shares')
self.expression_emoji_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_EXPRESSION_EMOJI_ATTRIBUTE, 'Emoji')
self.expression_base_emoji_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_EXPRESSION_BASE_EMOJI_ATTRIBUTE, 'Base Emoji')
self.expression_emoticon_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_EXPRESSION_EMOTICON_ATTRIBUTE, 'Emoticon')
# training cache attributes
self.tc_delete_flag_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_TC_DELETE_FLAG_ATTRIBUTE, 'Deleted?')
# clipboard attributes
self.clipboard_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_CLIPBOARD_ATTRIBUTE, 'Gboard Clipboard')
self.clipboard_html_text_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_CLIPBOARD_HTML_TEXT_ATTRIBUTE, 'HTML Text')
# dictionary attributes
self.dictionary_word_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_DICTIONARY_WORD_ATTRIBUTE, 'Word')
self.dictionary_shortcut_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_DICTIONARY_SHORTCUT_ATTRIBUTE, 'Shortcut')
self.dictionary_locale_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_DICTIONARY_LOCALE_ATTRIBUTE, 'Locale')
# translation cache attributes
self.translate_original_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_TRANSLATE_ORIGINAL_ATTRIBUTE, 'Original Text')
self.translate_translated_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_TRANSLATE_TRANSLATED_ATTRIBUTE, 'Translated Text')
self.translate_from_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_TRANSLATE_FROM_ATTRIBUTE, 'From Language')
self.translate_to_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_TRANSLATE_TO_ATTRIBUTE, 'To Language')
self.translate_url_attr_type = self.createCustomAttributeType(current_case, self.GBOARD_TRANSLATE_URL_ATTRIBUTE, 'Request URL')
except NoCurrentCaseException as ex:
self.log(Level.WARNING, "No case currently open. " + ex)
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"EXE was not found in module folder")
else:
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "Export_EVTX")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"Linux executable was not found in module folder")
if self.local_settings.getFlag():
self.List_Of_Events.append('ALL')
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "All Events CHecked")
else:
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", "No Boxes Checked")
if self.local_settings.getFlag1():
self.List_Of_Events.append('Application.Evtx')
if self.local_settings.getFlag2():
self.List_Of_Events.append('Security.Evtx')
if self.local_settings.getFlag3():
self.List_Of_Events.append('System.Evtx')
if self.local_settings.getFlag4():
self.List_Of_Events.append('Other')
Event_List = self.local_settings.getArea().split()
for evt in Event_List:
self.List_Of_Events.append(str(evt))
#self.logger.logp(Level.INFO, Process_EVTX1WithUI.__name__, "startUp", str(self.List_Of_Events))
# self.log(Level.INFO, "List Of Events ==> " + str(self.List_Of_Events) + " <== Number of Events ==> " + str(len(self.List_Of_Events)))
# if len(self.List_Of_Events) < 1:
# message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ParseEvtx", " No Event Logs Selected to Parse " )
# IngestServices.getInstance().postMessage(message)
# raise IngestModuleException("No Events were Selected")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def process(self, file):
skCase = Case.getCurrentCase().getSleuthkitCase()
artID_ns_ss = skCase.getArtifactType("TSK_ART_NS_SCREENSHOTS")
artID_ns_ss_id = skCase.getArtifactTypeID("TSK_ART_NS_SCREENSHOTS")
attID_ns_gid = skCase.getAttributeType("TSK_ATT_NS_GAME")
attID_ns_ts = skCase.getAttributeType("TSK_ATT_NS_TIMESTAMP")
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)):
return IngestModule.ProcessResult.OK
# Flag files with .jpg in the name and make a blackboard artifact.
if file.getName().lower().endswith(".jpg") or file.getName().lower().endswith(".mp4") or file.getName().lower().endswith(".png"):
if re.match(r"[0-9]{16}-[0-9a-fA-F]{32}\.(jpg|png|mp4)", file.getName()):
self.log(Level.INFO, "Found a Switch screenshot: " + file.getName())
self.filesFound += 1
self.path_to_data = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'game_hash_ids.json')
if not os.path.exists(self.path_to_data):
raise IngestModuleException("game_ids was not found in module folder")
filename = file.getName().upper()
timestamp = filename.split("-")[0]
parsed_ts = datetime.strptime(timestamp, "%Y%m%d%H%M%S%f").strftime('%H:%M %d/%m/%Y')
gameID = filename.split("-")[1].split(".")[0]
with open(self.path_to_data, "r") as data_file:
gids = json.load(data_file)
if gameID in gids:
game = gids[gameID]
else:
game = "Unknown gameID"
# Don't add to blackboard if the artifact already exists
artifactList = file.getArtifacts(artID_ns_ss_id)
for artifact in artifactList:
dupe_test = artifact.getAttribute(attID_ns_gid)
if dupe_test:
return IngestModule.ProcessResult.OK
art = file.newArtifact(artID_ns_ss_id)
art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), FindScreenshotsIngestModuleFactory.moduleName, "Nintendo Switch - Screenshots"))
art.addAttribute(BlackboardAttribute(attID_ns_gid, FindScreenshotsIngestModuleFactory.moduleName, game))
art.addAttribute(BlackboardAttribute(attID_ns_ts, FindScreenshotsIngestModuleFactory.moduleName, parsed_ts))
# Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(FindScreenshotsIngestModuleFactory.moduleName, artID_ns_ss, None))
return IngestModule.ProcessResult.OK
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "img_stat.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
if PlatformUtil.isWindowsOS():
self.path_to_recentApps_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "show_ccm_recentlyusedapps.exe")
if not os.path.exists(self.path_to_recentApps_exe):
raise IngestModuleException("Windows executable was not found in module folder")
elif PlatformUtil.getOSName() == 'Linux':
self.path_to_recentApps_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "show_CCM_RecentlyUsedApps")
if not os.path.exists(self.path_to_recentApps_exe):
raise IngestModuleException("Linux Executable was not found in module folder")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def getIngestJobSettingsPanel(self, settings):
if not isinstance(settings,
AutopsyImageClassificationModuleWithUISettings):
err_1 = "Expected 'settings' argument to be" \
"'AutopsyImageClassificationModuleWithUISettings'"
raise IngestModuleException(err_1)
self.settings = settings
return AutopsyImageClassificationModuleWithUISettingsPanel(
self.settings)
def startUp(self, context):
self.context = context
#Show parameters that are passed in
self.Volatility_Executable = self.local_settings.getSetting(
'Volatility_Directory')
Plugins = self.local_settings.getSetting('PluginListBox')
Plugins = Plugins.replace("[", "")
Plugins = Plugins.replace("]", "")
Plugins = Plugins.replace(" ", "")
self.Plugins = Plugins.split(",")
self.log(Level.INFO, "List Box Entry Starts here =====>")
self.log(Level.INFO, str(self.Plugins))
for num in range(0, len(self.Plugins)):
self.log(Level.INFO, str(self.Plugins[num]))
self.log(Level.INFO, "<====== List Box Entry Ends here")
self.Profile = self.local_settings.getSetting('Profile')
self.Volatility_Version = self.local_settings.getSetting('Version')
#self.Process_Ids_To_Dump = self.local_settings.getProcessIDs()
Pids = self.local_settings.getSetting('ProcessIDs')
if Pids == None:
pass
else:
self.Process_Ids_To_Dump = Pids.split(",")
if self.Profile == 'Autodetect':
self.isAutodetect = True
else:
self.isAutodetect = False
self.log(
Level.INFO, "Volatility Executable ==> " +
self.local_settings.getSetting('Volatility_Directory'))
self.log(Level.INFO, "Volatility Profile to use ==> " + self.Profile)
self.log(Level.INFO,
"Volatility Plugins to use ==> " + str(self.Plugins))
self.log(
Level.INFO,
"Additional Parms ==> " + str(self.Process_Ids_To_Dump) + "<<")
self.log(Level.INFO, "Additional Parms ==> " + Pids + "<<")
# Check to see if the file to execute exists, if it does not then raise an exception and log error
# data is taken from the UI
if 'vol.py' in self.Volatility_Executable:
self.Python_Program = True
if not os.path.exists(self.Volatility_Executable):
raise IngestModuleException(
"Volatility File to Run/execute does not exist.")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
#raise IngestModuleException(IngestModule(), "Oh No!")
pass
def startUp(self, context):
self.context = context
# Get path to EXE based on where this script is run from.
# Assumes EXE is in same folder as script
# Verify it is there before any ingest starts
absolute_path = os.path.dirname(os.path.abspath(__file__))
self.path_to_exe = absolute_path + "\\atpr_exe\\ATPR.exe"
self.log(Level.INFO, self.path_to_exe)
#self.path_to_exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "\\atpr_exe\\ATPR.exe")
if not os.path.exists(self.path_to_exe):
raise IngestModuleException("EXE was not found in module folder")
#self.path_to_dirs = os.path.join(os.path.dirname(os.path.abspath(__file__)), "\\dicts\\")
self.path_to_dirs = absolute_path + "\\dicts\\"
if not os.path.exists(self.path_to_dirs):
raise IngestModuleException(
"Dicts were not found in module folder")
def startUp(self, context):
self.context = context
# Check if the arser for .evtx is in place - i.e., the export_evtx.exe
if PlatformUtil.isWindowsOS():
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "export_EVTX.exe")
if not os.path.exists(self.path_to_exe):
# stop ingest module and return error
raise IngestModuleException(
"EXE was not found in module folder")
def getSettings(self):
if not os.path.isfile(self.config_location):
self.log(
Level.INFO,
"Configuration file not found, loading the default configuration"
)
self.local_settings.setServerHost(DEFAULT_HOST)
self.local_settings.setServerPort(DEFAULT_PORT)
self.local_settings.setImageFormats(DEFAULT_IMAGES_FORMAT)
self.local_settings.setMinFileSize(DEFAULT_MIN_FILE_SIZE)
self.local_settings.setMinProbability(DEFAULT_MIN_PROBABILITY)
self.local_settings.setClassesOfInterest(
json.loads(DEFAULT_CLASSES_OF_INTEREST))
# self.saveSettings(None)
return self.local_settings
else:
if not os.access(self.config_location, os.R_OK):
err_string = "Cannot access configuration file, please review the file permissions"
raise IngestModuleException(err_string)
with io.open(self.config_location, 'r', encoding='utf-8') as f:
self.log(Level.INFO, "Configuration file read")
json_configs = json.load(f)
self.local_settings.setServerHost(json_configs['server']['host'])
self.local_settings.setServerPort(json_configs['server']['port'])
image_formats = json_configs['imageFormats']
if not isinstance(image_formats, list) or len(image_formats) == 0:
err_string = "Invalid list of image formats given"
raise IngestModuleException(err_string)
self.local_settings.setImageFormats(image_formats)
self.local_settings.setMinFileSize(json_configs['minFileSize'])
self.local_settings.setMinProbability(
json_configs['minProbability'])
self.local_settings.setClassesOfInterest(
json_configs['classesOfInterest'])
return self.local_settings
def get_input_dir(self, file_manager):
files = file_manager.findFiles("%" + GBOARD_PACKAGE_NAME + "%")
for file in files:
if file.isFile():
path = file.getLocalAbsPath()
if not path:
continue
return find_first_folder(path, GBOARD_PACKAGE_NAME)
raise IngestModuleException('Folder ' + GBOARD_PACKAGE_NAME + ' not found in current case!')
