Commit 923b56eee33380a00e64150aabe93f49d7b62f0e
1 parent
dd26853c
Implemented manifest creation
Showing
9 changed files
with
36 additions
and
13 deletions
.idea/gravedigger.iml
| ... | ... | @@ -2,7 +2,7 @@ |
| 2 | 2 | <module type="PYTHON_MODULE" version="4"> |
| 3 | 3 | <component name="NewModuleRootManager"> |
| 4 | 4 | <content url="file://$MODULE_DIR$" /> |
| 5 | - <orderEntry type="inheritedJdk" /> | |
| 5 | + <orderEntry type="jdk" jdkName="Python 3.5.2+ (/usr/bin/python3.5)" jdkType="Python SDK" /> | |
| 6 | 6 | <orderEntry type="sourceFolder" forTests="false" /> |
| 7 | 7 | </component> |
| 8 | 8 | <component name="TestRunnerService"> | ... | ... |
.idea/misc.xml
| ... | ... | @@ -10,5 +10,5 @@ |
| 10 | 10 | <ConfirmationsSetting value="0" id="Add" /> |
| 11 | 11 | <ConfirmationsSetting value="0" id="Remove" /> |
| 12 | 12 | </component> |
| 13 | - <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.2 (/usr/bin/python3.4)" project-jdk-type="Python SDK" /> | |
| 13 | + <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.5.2+ (/usr/bin/python3.5)" project-jdk-type="Python SDK" /> | |
| 14 | 14 | </project> |
| 15 | 15 | \ No newline at end of file | ... | ... |
digger.py
| ... | ... | @@ -18,6 +18,8 @@ import logger |
| 18 | 18 | from consolelogger import ConsoleLogger |
| 19 | 19 | from filelogger import FileLogger |
| 20 | 20 | from hashlib import sha256 |
| 21 | +import types | |
| 22 | +import xml.etree.ElementTree | |
| 21 | 23 | |
| 22 | 24 | def getModules(): |
| 23 | 25 | choiceList = [] |
| ... | ... | @@ -54,7 +56,12 @@ def sha256sum(file): |
| 54 | 56 | |
| 55 | 57 | def bagAndTag(): |
| 56 | 58 | tombPath = tomb.getPath() |
| 57 | - hashes = open(tombPath + "hashes.txt",'a+') | |
| 59 | + if os.path.isfile(tombPath + "MANIFEST.XML"): | |
| 60 | + tree = xml.etree.ElementTree.parse("MANIFEST.XML") | |
| 61 | + root = tree.getroot() | |
| 62 | + else: | |
| 63 | + root = xml.etree.ElementTree.Element("Manifest") | |
| 64 | + tree = xml.etree.ElementTree.ElementTree(root) | |
| 58 | 65 | |
| 59 | 66 | boneList = [] |
| 60 | 67 | |
| ... | ... | @@ -62,17 +69,22 @@ def bagAndTag(): |
| 62 | 69 | for dir in dirnames: |
| 63 | 70 | for subroot, subdirnames, subfilenames in os.walk(tombPath + dir): |
| 64 | 71 | for filename in subfilenames: |
| 65 | - boneList.append(subroot + "/" + filename) | |
| 72 | + boneList.append({"path" : subroot + "/" + filename, "type": dir}) | |
| 66 | 73 | |
| 67 | 74 | d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10) |
| 68 | 75 | boneCount = 0 |
| 76 | + evidenceList = root.find("EvidenceList") | |
| 69 | 77 | for bone in boneList: |
| 78 | + if evidenceList.find("./Evidence[@path='" + bone + "']") != None: | |
| 79 | + continue | |
| 80 | + hash = sha256sum(bone) | |
| 81 | + date = os.path.getmtime(bone["path"]) | |
| 82 | + evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date)) | |
| 70 | 83 | d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True) |
| 71 | - hashes.write(sha256sum(bone) + " " + bone + "\n") | |
| 72 | 84 | boneCount += 1 |
| 73 | 85 | d.gauge_update(text="Complete!",percent=100,update_text=True) |
| 74 | 86 | time.sleep(1) |
| 75 | - hashes.close() | |
| 87 | + tree.write(tombPath + "MANIFEST.XML") | |
| 76 | 88 | |
| 77 | 89 | def finish(allSuccessful): |
| 78 | 90 | bagAndTag() | ... | ... |
modules/edb.py
| ... | ... | @@ -6,7 +6,7 @@ import winver |
| 6 | 6 | from modules.module import Module |
| 7 | 7 | from mount import mount,umount |
| 8 | 8 | from runcmd import runProcess |
| 9 | - | |
| 9 | +import datetime | |
| 10 | 10 | |
| 11 | 11 | def getInstance(): |
| 12 | 12 | return RegistryModule() |
| ... | ... | @@ -43,7 +43,7 @@ class RegistryModule(Module): |
| 43 | 43 | else: |
| 44 | 44 | files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"] |
| 45 | 45 | |
| 46 | - runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files) | |
| 46 | + runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files) | |
| 47 | 47 | try: |
| 48 | 48 | umount(mntid) |
| 49 | 49 | except: | ... | ... |
modules/evt.py
| ... | ... | @@ -6,6 +6,7 @@ import winver |
| 6 | 6 | from modules.module import Module |
| 7 | 7 | from mount import mount,umount |
| 8 | 8 | from runcmd import runProcess |
| 9 | +import datetime | |
| 9 | 10 | |
| 10 | 11 | |
| 11 | 12 | def getInstance(): |
| ... | ... | @@ -46,7 +47,7 @@ class RegistryModule(Module): |
| 46 | 47 | else: |
| 47 | 48 | files += [windir + "/System32/winevt/Logs" ] |
| 48 | 49 | |
| 49 | - runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files) | |
| 50 | + runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files) | |
| 50 | 51 | try: |
| 51 | 52 | umount(mntid) |
| 52 | 53 | except: | ... | ... |
modules/info.py
| ... | ... | @@ -3,6 +3,7 @@ import os |
| 3 | 3 | import tomb |
| 4 | 4 | from modules.module import Module |
| 5 | 5 | from runcmd import runProcess |
| 6 | +import datetime | |
| 6 | 7 | |
| 7 | 8 | |
| 8 | 9 | def getInstance(): |
| ... | ... | @@ -21,11 +22,11 @@ class INFOModule(Module): |
| 21 | 22 | if(not os.path.exists(path)): |
| 22 | 23 | os.mkdir(path) |
| 23 | 24 | output,code = runProcess("lshw") |
| 24 | - lshw = open(path + "lshw.txt", 'wb') | |
| 25 | + lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb') | |
| 25 | 26 | lshw.write(output) |
| 26 | 27 | lshw.close() |
| 27 | 28 | |
| 28 | 29 | output,code = runProcess("dmidecode") |
| 29 | - lshw = open(path + "dmidecode.txt", 'wb') | |
| 30 | + lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb') | |
| 30 | 31 | lshw.write(output) |
| 31 | 32 | lshw.close() |
| 32 | 33 | \ No newline at end of file | ... | ... |
modules/mft.py
| ... | ... | @@ -5,6 +5,7 @@ import tomb |
| 5 | 5 | from modules.module import Module |
| 6 | 6 | from runcmd import runProcess |
| 7 | 7 | import pytsk3 |
| 8 | +import datetime | |
| 8 | 9 | |
| 9 | 10 | |
| 10 | 11 | def getInstance(): |
| ... | ... | @@ -46,5 +47,5 @@ class MFTModule(Module): |
| 46 | 47 | os.mkdir(path) |
| 47 | 48 | logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO) |
| 48 | 49 | for vol in self.vars['ntfsvol'].value: |
| 49 | - self.dumpMFT("/dev/" + vol,path + vol + ".bin") | |
| 50 | + self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin") | |
| 50 | 51 | ... | ... |
modules/winreg.py
| ... | ... | @@ -6,6 +6,7 @@ import winver |
| 6 | 6 | from modules.module import Module |
| 7 | 7 | from mount import mount,umount |
| 8 | 8 | from runcmd import runProcess |
| 9 | +import datetime | |
| 9 | 10 | |
| 10 | 11 | |
| 11 | 12 | def getInstance(): |
| ... | ... | @@ -64,7 +65,7 @@ class RegistryModule(Module): |
| 64 | 65 | #Vista+ |
| 65 | 66 | files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"] |
| 66 | 67 | |
| 67 | - runProcess(["tar","-czvf",path + "winreg_" + vol + ".tar.gz"] + files) | |
| 68 | + runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files) | |
| 68 | 69 | try: |
| 69 | 70 | umount(mntid) |
| 70 | 71 | except: | ... | ... |