diff --git a/types.py b/bonetypes.py
index bc4f5dd..bc4f5dd 100644
--- a/types.py
+++ b/bonetypes.py
diff --git a/digger.py b/digger.py
index 49ae963..f479552 100644
--- a/digger.py
+++ b/digger.py
@@ -18,7 +18,7 @@ import logger
 from consolelogger import ConsoleLogger
 from filelogger import FileLogger
 from hashlib import sha256
-import types
+import bonetypes
 import xml.etree.ElementTree
 def getModules():
@@ -57,11 +57,15 @@ def sha256sum(file):
 def bagAndTag():
     tombPath = tomb.getPath()
     if os.path.isfile(tombPath + "MANIFEST.XML"):
-        tree = xml.etree.ElementTree.parse("MANIFEST.XML")
-        root = tree.getroot()
+        etree = xml.etree.ElementTree.parse("MANIFEST.XML")
+        xmlroot = tree.getroot()
     else:
-        root = xml.etree.ElementTree.Element("Manifest")
-        tree = xml.etree.ElementTree.ElementTree(root)
+        xmlroot = xml.etree.ElementTree.Element("Manifest")
+        newElem = xml.etree.ElementTree.Element("Case")
+        newElem.text = tomb.__getTomb__()
+        xmlroot.insert(0,newElem)
+        xmlroot.insert(1,xml.etree.ElementTree.Element("EvidenceList"))
+        etree = xml.etree.ElementTree.ElementTree(xmlroot)
     boneList = []
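Review bot: `xmlroot = tree.getroot()` on the new side of the manifest-exists branch still references `tree`, which this hunk renames to `etree`, so the first run against an existing MANIFEST.XML raises NameError; it should read `xmlroot = etree.getroot()`. The same branch parses the bare relative name `"MANIFEST.XML"` while the guard tests `tombPath + "MANIFEST.XML"` and the write further down the function targets the tombPath copy, so the parse only succeeds when the process cwd happens to be the tomb directory — pass `tombPath + "MANIFEST.XML"` to parse as well. `tomb.__getTomb__()` uses a dunder name, which Python reserves for special methods; a plain name such as `getTomb` would be conventional. bagAndTag continues past the end of this hunk.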
@@ -73,18 +77,18 @@ def bagAndTag():
     d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10)
     boneCount = 0
-    evidenceList = root.find("EvidenceList")
+    evidenceList = xmlroot.find("EvidenceList")
     for bone in boneList:
-        if evidenceList.find("./Evidence[@path='" + bone + "']") != None:
+        if evidenceList.find("./Evidence[@path='" + bone["path"] + "']") != None:
             continue
-        hash = sha256sum(bone)
-        date = os.path.getmtime(bone["path"])
-        evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date))
-        d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True)
+        hash = sha256sum(bone["path"])
+        date = str(int(os.path.getmtime(bone["path"])*1000))
+        evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"][len(tombPath):],type=bone["type"],date=date))
+        d.gauge_update(text=bone["path"],percent=int(boneCount*100/len(boneList)),update_text=True)
         boneCount += 1
     d.gauge_update(text="Complete!",percent=100,update_text=True)
     time.sleep(1)
-    tree.write(tombPath + "MANIFEST.XML")
+    etree.write(tombPath + "MANIFEST.XML")
 def finish(allSuccessful):
     bagAndTag()
@@ -143,7 +147,7 @@ if __name__ == "__main__":
         except Exception as e:
             msg = "Exception raised while preparing module \"" + module[0] + "\": " + str(e)
             logger.msgLog(msg, module[0], logger.TYPE_ERROR)
-            #logger.msgLog(traceback.format_exc(), module[0], logger.TYPE_ERROR)
+            logger.msgLog(traceback.format_exc(), module[0], logger.TYPE_ERROR)
             ans = showContinueDialog(d,msg)
             if ans == "abort":
                 finish(False)
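Review bot: The duplicate check `evidenceList.find("./Evidence[@path='" + bone["path"] + "']")` looks up the absolute path, but the Evidence element written four lines later stores `bone["path"][len(tombPath):]`, so on a re-run no existing entry ever matches and every artifact is appended to the manifest again; compute the relative path once and use it in both places. Building the XPath predicate by string concatenation also means an artifact whose path contains a quote or bracket breaks or mis-matches the query (ElementTree's predicate syntax offers no escaping), and since these names come from the examined system rather than from the collector, a plain Python comparison is more robust: `rel = bone["path"][len(tombPath):]` followed by `if any(e.get("path") == rel for e in evidenceList.findall("Evidence")): continue`. `!= None` should be `is not None`, and the local name `hash` shadows the builtin. bagAndTag starts before this hunk.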
@@ -161,7 +165,7 @@ if __name__ == "__main__":
         except Exception as e:
             msg = "Exception raised while preparing module \"" + tag + "\": " + str(e)
             logger.msgLog(msg,tag,logger.TYPE_ERROR)
-            #logger.msgLog(traceback.format_exc(), tag logger.TYPE_ERROR)
+            logger.msgLog(traceback.format_exc(), tag, logger.TYPE_ERROR)
             ans = showContinueDialog(d, msg)
             if ans == "abort":
                 finish(False)
@@ -177,7 +181,7 @@ if __name__ == "__main__":
             module.execute()
         except Exception as e:
             logger.msgLog("Exception raised while running \"" + module.name + "\": " + str(e), module.name, logger.TYPE_ERROR)
-            #logger.msgLog(traceback.format_exc(), module.name, logger.TYPE_ERROR)
+            logger.msgLog(traceback.format_exc(), module.name, logger.TYPE_ERROR)
     finish(True)
diff --git a/modules/edb.py b/modules/edb.py
index 1784274..2db5d0a 100644
--- a/modules/edb.py
+++ b/modules/edb.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-import datetime
+import time
 def getInstance():
     return RegistryModule()
@@ -43,7 +43,7 @@ class RegistryModule(Module):
         else:
             files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
-        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
+        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(int(time.time())) + ".tar.gz"] + files)
         try:
             umount(mntid)
         except:
diff --git a/modules/evt.py b/modules/evt.py
index e77a959..aa6642d 100644
--- a/modules/evt.py
+++ b/modules/evt.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-import datetime
+import time
 def getInstance():
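Review bot: The archive written on the new side of the modules/edb.py hunk at -43 is named `"evt_" + vol + "_" + str(int(time.time())) + ".tar.gz"` although this module collects Windows.edb, so if it shares an output directory with modules/evt.py (which uses the same `"evt_"` prefix in its -47 hunk) the two artifacts are indistinguishable by name and can overwrite each other; this looks like a copy-paste remnant and `"edb_"` would match the module. The hunk header's class name `RegistryModule` reinforces that reading, though the class definition is outside this hunk. `str(int(time.time()))` has whole-second resolution, so two collections of the same volume within one second overwrite each other silently; if that matters, the millisecond form used for the manifest in digger.py would avoid it. The enclosing method starts and ends outside this hunk.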
@@ -47,7 +47,7 @@ class RegistryModule(Module):
         else:
             files += [windir + "/System32/winevt/Logs" ]
-        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
+        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(int(time.time())) + ".tar.gz"] + files)
         try:
             umount(mntid)
         except:
diff --git a/modules/info.py b/modules/info.py
index 65be8bd..9b70f0e 100644
--- a/modules/info.py
+++ b/modules/info.py
@@ -3,7 +3,7 @@ import os
 import tomb
 from modules.module import Module
 from runcmd import runProcess
-import datetime
+import time
 def getInstance():
@@ -22,11 +22,11 @@ class INFOModule(Module):
         if(not os.path.exists(path)):
             os.mkdir(path)
         output,code = runProcess("lshw")
-        lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb')
+        lshw = open(path + "lshw_" + str(int(time.time())) + ".txt", 'wb')
         lshw.write(output)
         lshw.close()
         output,code = runProcess("dmidecode")
-        lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb')
+        lshw = open(path + "dmidecode_" + str(int(time.time())) + ".txt", 'wb')
         lshw.write(output)
-        lshw.close()
\ No newline at end of file
+        lshw.close()
diff --git a/modules/mft.py b/modules/mft.py
index e990928..ccbd6f5 100644
--- a/modules/mft.py
+++ b/modules/mft.py
@@ -5,7 +5,7 @@ import tomb
 from modules.module import Module
 from runcmd import runProcess
 import pytsk3
-import datetime
+import time
 def getInstance():
@@ -47,5 +47,5 @@ class MFTModule(Module):
             os.mkdir(path)
         logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
         for vol in self.vars['ntfsvol'].value:
-            self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin")
+            self.dumpMFT("/dev/" + vol,path + vol + "_" + str(int(time.time())) + ".bin")
diff --git a/modules/winreg.py b/modules/winreg.py
index dab0b5e..bb6f41f 100644
--- a/modules/winreg.py
+++ b/modules/winreg.py
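Review bot: In the modules/info.py hunk at -22, `output,code = runProcess("lshw")` and the dmidecode call both discard `code`, so a tool that is absent or fails still produces a `lshw_<ts>.txt` or `dmidecode_<ts>.txt` that reads as valid hardware evidence; log `code` when it is non-zero, or skip writing the file. Both files are opened with a bare `open()` and closed by hand, so an exception in `write` leaks the handle and leaves a truncated file with no indication — `with open(path + "dmidecode_" + str(int(time.time())) + ".txt", 'wb') as fh:` followed by `fh.write(output)` covers both, and reusing the name `lshw` for the dmidecode handle is misleading. The enclosing method starts outside this hunk.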
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-import datetime
+import time
 def getInstance():
@@ -65,7 +65,7 @@ class RegistryModule(Module):
             #Vista+
             files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]
-        runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files)
+        runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(int(time.time())) + ".tar.gz"] + files)
         try:
             umount(mntid)
         except:
diff --git a/scripts/digger.sh b/scripts/digger.sh
index 4daa053..ae420fb 100755
--- a/scripts/digger.sh
+++ b/scripts/digger.sh
@@ -7,4 +7,4 @@ GD_PATH="/opt/gravedigger"
 pushd $GD_PATH > /dev/null
 /usr/bin/env python3 digger.py
-popd > /dev/null
\ No newline at end of file
+popd > /dev/null
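Review bot: The new filename in the modules/winreg.py hunk at -65 joins volume and timestamp with `"-"` (`"winreg_" + vol + "-" + str(int(time.time()))`) while the parallel lines changed in modules/edb.py, modules/evt.py and modules/mft.py use `"_"`, so artifacts in one tomb follow two naming conventions; `"winreg_" + vol + "_" + str(int(time.time()))` keeps them uniform and simpler to parse downstream. As in the other modules, the second-resolution timestamp means a repeated run against the same volume within one second overwrites the previous archive without notice. The enclosing method starts and ends outside this hunk.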