def _get_info(self, binary: bytes):
cert = self._load_certificate(binary)
if cert is None:
return {"error": "invalid certificate"}
return {
"serial_number":
str(cert.serial_number),
"version":
cert.version.name,
"extensions":
self._parse_extensions(cert.extensions._extensions),
"nor_valid_after":
Time.change_output_date_format_from_epoch(
cert.not_valid_after.timestamp()),
"nor_valid_before":
Time.change_output_date_format_from_epoch(
cert.not_valid_before.timestamp()),
"issuer":
cert.issuer.rfc4514_string(),
"subject":
cert.subject.rfc4514_string(),
"signature":
cert.signature.hex(),
"signature_algorithm_hash":
cert.signature_hash_algorithm.name,
"signature_algorithm":
cert.signature_algorithm_oid._name,
"key_size":
cert.public_key().key_size,
"public_key":
self._parse_dict_value(cert.public_key().public_numbers().__dict__)
}
def get_stat_info(self):
stat = os.stat(self._path)
result = {}
result["st_atime"] = Time.change_output_date_format_from_epoch(stat.st_atime)
result["st_ctime"] = Time.change_output_date_format_from_epoch(stat.st_ctime)
result["st_mtime"] = Time.change_output_date_format_from_epoch(stat.st_mtime)
result["st_gid"] = stat.st_gid
result["st_uid"] = stat.st_uid
result["st_size"] = stat.st_size
result["st_mode"] = stat.st_mode
result["st_device"] = stat.st_dev
try:
#it depends on SO
result["st_blocks"] = stat.st_blocks
except:
pass
try:
#it depends on SO
result["st_blksize"] = stat.st_blksize
except:
pass
try:
#it depends on SO
result["st_birthtime"] = stat.st_birthtime
except:
pass
try:
#it depends on SO
result["st_flags"] = stat.st_flags
except:
pass
return result
def __init__(self, **kwargs):
self.path = kwargs.get("path")
self.browser = kwargs.get("browser")
self.site_url = kwargs.get("site_url", None)
self.tab_url = kwargs.get("tab_url", None)
self.target_path = kwargs.get("target_path", None)
self.start_time = Time.change_output_date_format_from_epoch(kwargs.get("start_time", None))
self.end_time = Time.change_output_date_format_from_epoch(kwargs.get("end_time", None))
self.mime_type = kwargs.get("mime_type", None)
self.received_bytes = kwargs.get("received_bytes", None)
self.total_bytes = kwargs.get("total_bytes", None)
def _get_system_info(self, parsed):
event_id = parsed["Event"]["System"]["EventID"]
if isinstance(event_id, OrderedDict):
id = int(event_id["#text"])
else:
id = int(event_id)
timestamp = parsed["Event"]["System"]["TimeCreated"]["@SystemTime"]
try:
timestamp_parsed = datetime.datetime.strptime(
timestamp, '%Y-%m-%d %H:%M:%S.%f UTC')
except:
try:
timestamp_parsed = datetime.datetime.strptime(
timestamp, '%Y-%m-%d %H:%M:%S UTC')
except:
return {"error": "invalid timestamp:" + timestamp}
return {
"EventID":
id,
"EventRecordID":
parsed["Event"]["System"]["EventRecordID"],
"Timestamp":
Time.change_output_date_format_from_epoch(
timestamp_parsed.timestamp()),
"Level":
parsed["Event"]["System"]["Level"],
"Channel":
parsed["Event"]["System"]["Channel"],
"Computer":
parsed["Event"]["System"]["Computer"],
}
def _parse_prefecth_file(self, path: str):
scca = pyscca.open(path)
all_strings = []
for entry_index, file_metrics in enumerate(scca.file_metrics_entries):
all_strings.append(file_metrics.filename)
last_run_times = []
for exe_timestamp in range(scca.run_count):
try:
if scca.get_last_run_time_as_integer(exe_timestamp) > 0:
time = Time.change_output_date_format_from_epoch(
scca.get_last_run_time(exe_timestamp).replace(
tzinfo=timezone.utc).timestamp())
last_run_times.append(time)
except OSError:
# No hay mas fechas de ejecucion guardadas
break
volume_serial_number = []
volume_device_path = []
volume_timestamp = []
for volume_information in iter(scca.volumes):
volume_serial_number.append(
format(volume_information.serial_number, 'x').upper())
volume_device_path.append(str(volume_information.device_path))
volume_timestamp.append(
Time.change_output_date_format_from_epoch(
volume_information.creation_time.replace(
tzinfo=timezone.utc).timestamp()))
return {
"version": scca.format_version,
"executable_file_name": str(scca.executable_filename),
"hash": format(scca.prefetch_hash, 'x').upper(),
"number_of_files_accessed": scca.number_of_file_metrics_entries,
"directories_accessed": all_strings,
"number_of_volumes": scca.number_of_volumes,
"run_counts": scca.run_count,
"last_run_times": last_run_times,
"volume_timestamp": volume_timestamp,
"volume_device_path": volume_device_path,
"volume_serial_number": volume_serial_number
}
def _get_computer_name(self, reg: RegistryHive):
names = []
for subkey_path in reg.get_control_sets(
r'Control\ComputerName\ComputerName'):
subkey = reg.get_key(subkey_path)
try:
names.append({
'name':
subkey.get_value('ComputerName'),
'timestamp':
Time.change_output_date_format_from_epoch(
subkey.header.last_modified)
})
except RegistryValueNotFoundException as ex:
continue
return names
def _get_usbstorage(self, reg: RegistryHive):
usbs = []
try:
for subkey_path in reg.get_control_sets(r'Enum\USBSTOR'):
subkey = reg.get_key(subkey_path)
for usb in subkey.iter_subkeys():
usbs.append({
'device':
usb.name,
'timestamp':
Time.change_output_date_format_from_epoch(
usb.header.last_modified)
})
except:
return None
return usbs
def _get_recursive(self, pypff_folder: pypff.folder,
target_file: TargetFile) -> List:
result = []
for item in pypff_folder.sub_items:
if isinstance(item, pypff.folder):
n_messages = item.get_number_of_sub_messages()
if n_messages > 0:
index = 0
while index < n_messages:
item_message = item.get_sub_message(index)
message = {}
try:
message["path"] = target_file.get_path()
message["folder"] = item.name
message[
"identifier"] = item_message.get_identifier()
message["subject"] = item_message.get_subject()
message[
"creation_time"] = Time.change_output_date_format_from_epoch(
item_message.get_creation_time().timestamp(
))
message[
"delivery_time"] = Time.change_output_date_format_from_epoch(
item_message.get_delivery_time().timestamp(
))
message[
"client_submit_time"] = Time.change_output_date_format_from_epoch(
item_message.get_client_submit_time(
).timestamp())
message[
"sender_name"] = item_message.get_sender_name(
)
message[
"headers"] = item_message.get_transport_headers(
)
message["html_body"] = item_message.get_html_body().decode() \
if item_message.get_html_body() is not None else ""
message["plain_text_body"] = item_message.get_plain_text_body().decode() \
if item_message.get_plain_text_body() is not None else ""
message[
"n_attachments"] = item_message.get_number_of_attachments(
)
if item_message.get_number_of_attachments() > 0:
message["attachments"] = []
for i in range(
0,
item_message.get_number_of_attachments(
)):
base_path_to_save = message[
"folder"] + "/" + str(
message["identifier"]
) + "/attachment/" + str(i)
file_size = item_message.get_attachment(
i).get_size()
binary = item_message.get_attachment(
i).read_buffer(file_size)
path_saved = Safe.create_file(
os.path.join("./pstostparser",
base_path_to_save),
binary)
message["attachments"].append(path_saved)
result.append(message)
except:
pass
index += 1
result.extend(self._get_recursive(item, target_file))
return result
def preprocess_element(self, element: dict):
if element:
now = Time.get_utc_timestamp()
element[
"timestamp_indexed"] = Time.change_output_date_format_from_epoch(
now)
def _get_interesing_info(self, record):
mft_object = {}
if 'baad' in record:
mft_object["error"] = "BAAD MFT Record"
return mft_object
mft_object["filename"] = record['filename']
mft_object["size"] = record["size"]
if mft_object["size"] == 0:
return None
mft_object["alloc_sizef"] = record["alloc_sizef"]
if "recordnum" in record:
mft_object["recordnum"] = record['recordnum']
if "flags" in record:
mft_object["active"] = record['flags'] & 0x0001
mft_object["folder"] = True if int(
record['flags']) & 0x0002 else False
mft_object["file"] = not mft_object["folder"]
if 'corrupt' in record:
mft_object["error"] = "Corrupt MFT Record"
return mft_object
if "seq" in record:
mft_object["seq"] = record['seq']
mft_object["sicrtime"] = None
mft_object["simtime"] = None
mft_object["siatime"] = None
mft_object["sictime"] = None
mft_object["fncrtime"] = None
mft_object["fnmtime"] = None
mft_object["fnatime"] = None
mft_object["fnctime"] = None
if 'si' in record:
mft_object["sicrtime"] = Time.change_output_date_format_from_epoch(
record['si']['crtime'])
mft_object["simtime"] = Time.change_output_date_format_from_epoch(
record['si']['mtime'])
mft_object["siatime"] = Time.change_output_date_format_from_epoch(
record['si']['atime'])
mft_object["sictime"] = Time.change_output_date_format_from_epoch(
record['si']['ctime'])
if record['fncnt'] > 0:
mft_object["fncrtime"] = Time.change_output_date_format_from_epoch(
record['fn', 0]['crtime'])
mft_object["fnmtime"] = Time.change_output_date_format_from_epoch(
record['fn', 0]['mtime'])
mft_object["fnatime"] = Time.change_output_date_format_from_epoch(
record['fn', 0]['atime'])
mft_object["fnctime"] = Time.change_output_date_format_from_epoch(
record['fn', 0]['ctime'])
if 'objid' in record:
mft_object["objid"] = record['objid']['objid']
mft_object["orig_volid"] = record['objid']['orig_volid']
mft_object["orig_objid"] = record['objid']['orig_objid']
mft_object["orig_domid"] = record['objid']['orig_domid']
if 'notes' in record: # Log of abnormal activity related to this record
mft_object["notes"] = record['notes']
mft_object["ads"] = record['ads']
return mft_object