def process(self, file): # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().lower().endswith(".txt"): self.log(Level.INFO, "Found a text file: " + file.getName()) self.filesFound += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artifact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( SampleJythonFileIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)) # For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added # by other modules. We then iterate over its attributes. We'll just print them, but you would probably # want to do something with them. artifactList = file.getArtifacts( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) for artifact in artifactList: attributeList = artifact.getAttributes() for attrib in attributeList: self.log(Level.INFO, attrib.toString()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def process(self, file): # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().find(".txt") != -1: self.logger.logp(Level.INFO, SampleJythonFileIngestModule.__name__, "process", "Found a text file: " + file.getName()) self.filesFound += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) return IngestModule.ProcessResult.OK
def process(self, file): # If the file has a txt extension, post an artifact to the blackboard. if file.getName().find("test") != -1: art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Sample Jython File Ingest Module", "Text Files") art.addAttribute(att) # Read the contents of the file. inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while (len != -1): totLen = totLen + len len = inputStream.read(buffer) # Send the size of the file to the ingest messages in box. msgText = "Size of %s is %d bytes" % ((file.getName(), totLen)) message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "Sample Jython File IngestModule", msgText) ingestServices = IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar): if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK # we don't know how much work there is yet progressBar.switchToIndeterminate() autopsyCase = Case.getCurrentCase() sleuthkitCase = autopsyCase.getSleuthkitCase() services = Services(sleuthkitCase) fileManager = services.getFileManager() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0 for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage( IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK
def process(self, file): def luhnChecksumIsValid(cardNumber): # check to make sure that the card passes a luhn mod-10 checksum total = 0 oddTotal = 0 evenTotal = 0 reversedCardNumber = cardNumber[::-1] oddDigits = reversedCardNumber[0::2] evenDigits = reversedCardNumber[1::2] for count in range(0, len(oddDigits)): oddTotal += int(oddDigits[count]) for count in range(0, len(evenDigits)): evenDigit = int(evenDigits[count]) evenDigit = evenDigit * 2 if evenDigit > 9: evenDigit = evenDigit - 9 evenTotal += evenDigit total = oddTotal + evenTotal return (total % 10 == 0) # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK inputStream = ReadContentInputStream(file) text = IOUtils.toString(inputStream, StandardCharsets.UTF_8) if self.skipBinaries: if b'\x00' in text: return IngestModule.ProcessResult.OK initialCCPattern = '[1-6](?:\d[ -]*?){13,23}' possibleCCs = re.findall(initialCCPattern, text, re.IGNORECASE) self.fileFlagged = 0 if possibleCCs: for cc in possibleCCs: delim_regex = "\D+" cc = re.sub(delim_regex, '', cc) if luhnChecksumIsValid(cc): if self.fileFlagged == 0: self.filesFound += 1 art = file.newArtifact( BlackboardArtifact.ARTIFACT_TYPE. TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME. getTypeID(), PaymentCardFileIngestModuleFactory.moduleName, "Files With Possible Payment Card Numbers") art.addAttribute(att) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( PaymentCardFileIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE. TSK_INTERESTING_FILE_HIT, None)) self.fileFlagged = 1 return IngestModule.ProcessResult.OK
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_TV = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_TV) names = [] skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if file.getName() == "80000000000000d1": artifactList = file.getArtifacts(ARTID_NS_TV) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(2048, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() names = names + re.findall("EdidBlock.*?\\\\xfc\\\\x00(.*?)\\\\n.*?EdidExtensionBlock", repr(currentBuffer)) noduplicatesnames = list(set(names)) for tvname in noduplicatesnames: # Don't add to blackboard if the artifact already exists for artifact in artifactList: artifactName = artifact.getAttribute(self.NS_DISPLAY_ATTRIBUTES["Name"][3]) if artifactName.getValueString() == tvname: return IngestModule.ProcessResult.OK art = file.newArtifact(ARTID_NS_TV) art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), ConnectedDisplayIngestModuleFactory.moduleName, "Nintendo Switch - Connected TV")) for attribute in self.NS_DISPLAY_ATTRIBUTES.keys(): art.addAttribute(BlackboardAttribute(self.NS_DISPLAY_ATTRIBUTES[attribute][3], ConnectedDisplayIngestModuleFactory.moduleName, str(tvname))) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(ConnectedDisplayIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_TV), None)) return IngestModule.ProcessResult.OK
def create_hash(self, f_target, algorithm): time_start = time.time() hash_creator = hashlib.new(algorithm) inputStream = ReadContentInputStream(f_target) buffer = jarray.zeros(BLOCKSIZE, "b") len = inputStream.read(buffer) while (len != -1): hash_creator.update(buffer) len = inputStream.read(buffer) time_consumed = time.time()-time_start return (hash_creator.hexdigest(),time_consumed)
def getUsersFromFile(self, file): inputStream = ReadContentInputStream(file) users = [] buffer = jarray.zeros(1024, "b") totLen = 0 len = inputStream.read(buffer) while len != -1: totLen = totLen + len len = inputStream.read(buffer) currentBuffer = buffer.tostring() x = re.search("^\{.*\"gender\".*\}", currentBuffer) if x: result = x.string.replace("\x00", "") d = json.loads(result) users.append(d) return users
def process(self, dataSource, progressBar): # we don't know how much work there is yet progressBar.switchToIndeterminate() # This will work in 4.0.1 and beyond # Use blackboard class to index blackboard artifacts for keyword search # blackboard = Case.getCurrentCase().getServices().getBlackboard() # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "%test%") numFiles = len(files) self.log(Level.INFO, "found " + str(numFiles) + " files") progressBar.switchToDeterminate(numFiles) fileCount = 0; for file in files: # Check if the user pressed cancel while we were busy if self.context.isJobCancelled(): return IngestModule.ProcessResult.OK self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of # artfiact. Refer to the developer docs for other examples. art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) # This will work in 4.0.1 and beyond #try: # # index the artifact for keyword search # blackboard.indexArtifact(art) #except Blackboard.BlackboardException as e: # self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) buffer = jarray.zeros(1024, "b") totLen = 0 readLen = inputStream.read(buffer) while (readLen != -1): totLen = totLen + readLen readLen = inputStream.read(buffer) # Update the progress bar progressBar.progress(fileCount) #Post a message to the ingest messages in box. message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) return IngestModule.ProcessResult.OK;
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_POWER_STATE = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_POWER_STATE) power_states = [] skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if (file.getName().lower() == "80000000000000a1"): artifactList = file.getArtifacts(ARTID_NS_POWER_STATE) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(8192, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() regex = "nc_started_at.(?P<datetime>[0-9: -]{19}).power_state_start.(?P<state_start>[a-zA-Z]+).power_state_end.(?P<state_end>[a-zA-Z]+)" x = re.finditer(regex, currentBuffer) for state_change in x: timestamp = datetime.strptime(state_change.group('datetime'), '%Y-%m-%d %H:%M:%S') state_start = state_change.group('state_start') state_end = state_change.group('state_end') power_states.append((timestamp, state_start, state_end)) for (timestamp, state_start, state_end) in power_states: # Don't add to blackboard if the artifact already exists self.log(Level.INFO, str(len(artifactList))) for artifact in artifactList: artifact_time = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["time"][3]) artifact_state_start = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_start"][3]) artifact_state_end = artifact.getAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_end"][3]) if artifact_time.getValueString() == str(timestamp): if artifact_state_start.getValueString() == state_start: if artifact_state_end.getValueString() == state_end: return IngestModule.ProcessResult.OK art = file.newArtifact(ARTID_NS_POWER_STATE) art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), PowerStateChangeIngestModuleFactory.moduleName, "Nintendo Switch - Power State Changes")) art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["time"][3], PowerStateChangeIngestModuleFactory.moduleName, str(timestamp))) art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_start"][3], PowerStateChangeIngestModuleFactory.moduleName, state_start)) art.addAttribute(BlackboardAttribute(self.NS_POWER_STATE_ATTRIBUTES["state_end"][3], PowerStateChangeIngestModuleFactory.moduleName, state_end)) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(PowerStateChangeIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_POWER_STATE), None)) return IngestModule.ProcessResult.OK
def generateReport(self, baseReportDir, progressBar): # Open the output file. fileName = os.path.join(baseReportDir, self.getRelativeFilePath()) report = open(fileName, 'w') # Query the database for the files (ignore the directories) sleuthkitCase = Case.getCurrentCase().getSleuthkitCase() files = sleuthkitCase.findAllFilesWhere( "NOT meta_type = " + str(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getValue())) # Setup progress Indicator progressBar.setIndeterminate(False) progressBar.start() progressBar.setMaximumProgress(len(files)) for file in files: # For this script I will limit the processing # to files with .txt extensions only if file.getName().lower().endswith(".txt"): # Setup to Read the contents of the file. # Create a Python string to hold the file contents # for processing fileStringBuffer = '' # Setup an inputStream to read the file inputStream = ReadContentInputStream(file) # Setup a jarry buffer to read chunks of the file # we will read 1024 byte chunks buffer = jarray.zeros(1024, "b") # Attempt to read in the first Chunk bytesRead = inputStream.read(buffer) # Continue reading until finished reading # the file indicated by -1 return from # the inputStream.read() method while (bytesRead != -1): for eachItem in buffer: # Now extract only potential ascii characters from the # buffer and build the final Python string # that we will process. if eachItem >= 0 and eachItem <= 255: fileStringBuffer = fileStringBuffer + chr(eachItem) # Read the next file Chunk bytesRead = inputStream.read(buffer) # Once the complete file has been read and the # possible ASCII characters have been extracted # The ExtractProperNames Function # will process the contents of the file # the result will be returned as a Python # dictionary object properNamesDictionary = ExtractProperNames(fileStringBuffer) # For each file processed # Write the information to the Report # File Name, along with each possible proper name # found, with highest occurring words order report.write("\n\nProcessing File: " + file.getUniquePath() + "\n\n") report.write("Possible Name Occurrences \n") report.write("-------------------------------- \n") for eachName in sorted(properNamesDictionary, key=properNamesDictionary.get, reverse=True): theName = '{:20}'.format(eachName) theCnt = '{:5d}'.format(properNamesDictionary[eachName]) report.write(theName + theCnt + "\n") # Increment the progress bar for each # file processed progressBar.increment() # Process the Next File # Close the report and post ProgressBar Complete progressBar.complete(ReportStatus.COMPLETE) report.close() # Add the report to the Case Case.getCurrentCase().addReport(fileName, self.moduleName, "Prop Report")
def process(self, file): skCase = Case.getCurrentCase().getSleuthkitCase() ARTID_NS_WIFI = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_WIFI) networks = {} skCase = Case.getCurrentCase().getSleuthkitCase() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() is False)): return IngestModule.ProcessResult.OK blackboard = Case.getCurrentCase().getServices().getBlackboard() if (file.getName().lower() == "8000000000000050"): artifactList = file.getArtifacts(ARTID_NS_WIFI) self.log(Level.INFO, "Found the file" + file.getName()) self.filesFound += 1 inputStream = ReadContentInputStream(file) buffer = jarray.zeros(8192, "b") totLen = 0 lengthofbuffer = inputStream.read(buffer) while lengthofbuffer != -1: totLen = totLen + lengthofbuffer lengthofbuffer = inputStream.read(buffer) currentBuffer = buffer.tostring() regex = "\x00[^\x00]{16}\x03(?:[^\x20-\x7f]+)(?P<ssid>[\x20-\x7f]+?)\x00(?:[^\x20-\x7f]+)(?P<pass>[\x20-\x7f]+?)\x00" x = re.finditer(regex, currentBuffer) for network in x: networks[network.group('ssid')] = network.group('pass') for ssid, psk in networks.items(): self.log(Level.INFO, ssid) # Don't add to blackboard if the artifact already exists for artifact in artifactList: artifactSSID = artifact.getAttribute( self.NS_WIFI_ATTRIBUTES["SSID"][3]) if artifactSSID.getValueString() == ssid: pass art = file.newArtifact(ARTID_NS_WIFI) art.addAttribute( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME. getTypeID(), WiFiIngestModuleFactory.moduleName, "Nintendo Switch - Wireless Credentials")) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["SSID"][3], WiFiIngestModuleFactory.moduleName, ssid)) art.addAttribute( BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["PSK"][3], WiFiIngestModuleFactory.moduleName, psk)) try: # index the artifact for keyword search blackboard.indexArtifact(art) except Blackboard.BlackboardException: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( WiFiIngestModuleFactory.moduleName, skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_WIFI), None)) return IngestModule.ProcessResult.OK