Commit 2f2e7affcd43f8200ca08a9c85f1493e005fc22a
1 parent
923b56ee
Fixed various errors on last commit
Showing
8 changed files
with
32 additions
and
28 deletions
types.py renamed to bonetypes.py
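--- a/digger.py
+++ b/digger.py
@@ -18,7 +18,7 @@ import logger
 from consolelogger import ConsoleLogger
 from filelogger import FileLogger
 from hashlib import sha256
-import types
+import bonetypes
 import xml.etree.ElementTree
 
 def getModules():
@@ -57,11 +57,15 @@ def sha256sum(file):
 def bagAndTag():
     tombPath = tomb.getPath()
     if os.path.isfile(tombPath + "MANIFEST.XML"):
-        tree = xml.etree.ElementTree.parse("MANIFEST.XML")
-        root = tree.getroot()
+        etree = xml.etree.ElementTree.parse("MANIFEST.XML")
+        xmlroot = tree.getroot()
     else:
-        root = xml.etree.ElementTree.Element("Manifest")
-        tree = xml.etree.ElementTree.ElementTree(root)
+        xmlroot = xml.etree.ElementTree.Element("Manifest")
+        newElem = xml.etree.ElementTree.Element("Case")
+        newElem.text = tomb.__getTomb__()
+        xmlroot.insert(0,newElem)
+        xmlroot.insert(1,xml.etree.ElementTree.Element("EvidenceList"))
+        etree = xml.etree.ElementTree.ElementTree(xmlroot)
 
     boneList = []
 
@@ -73,18 +77,18 @@ def bagAndTag():
 
     d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10)
     boneCount = 0
-    evidenceList = root.find("EvidenceList")
+    evidenceList = xmlroot.find("EvidenceList")
     for bone in boneList:
-        if evidenceList.find("./Evidence[@path='" + bone + "']") != None:
+        if evidenceList.find("./Evidence[@path='" + bone["path"] + "']") != None:
             continue
-        hash = sha256sum(bone)
-        date = os.path.getmtime(bone["path"])
-        evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date))
-        d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True)
+        hash = sha256sum(bone["path"])
+        date = str(int(os.path.getmtime(bone["path"])*1000))
+        evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"][len(tombPath):],type=bone["type"],date=date))
+        d.gauge_update(text=bone["path"],percent=int(boneCount*100/len(boneList)),update_text=True)
         boneCount += 1
     d.gauge_update(text="Complete!",percent=100,update_text=True)
     time.sleep(1)
-    tree.write(tombPath + "MANIFEST.XML")
+    etree.write(tombPath + "MANIFEST.XML")
 
 def finish(allSuccessful):
     bagAndTag()
@@ -143,7 +147,7 @@ if __name__ == "__main__":
         except Exception as e:
             msg = "Exception raised while preparing module \"" + module[0] + "\": " + str(e)
             logger.msgLog(msg, module[0], logger.TYPE_ERROR)
-            #logger.msgLog(traceback.format_exc(), module[0], logger.TYPE_ERROR)
+            logger.msgLog(traceback.format_exc(), module[0], logger.TYPE_ERROR)
             ans = showContinueDialog(d,msg)
             if ans == "abort":
                 finish(False)
@@ -161,7 +165,7 @@ if __name__ == "__main__":
         except Exception as e:
             msg = "Exception raised while preparing module \"" + tag + "\": " + str(e)
             logger.msgLog(msg,tag,logger.TYPE_ERROR)
-            #logger.msgLog(traceback.format_exc(), tag logger.TYPE_ERROR)
+            logger.msgLog(traceback.format_exc(), tag, logger.TYPE_ERROR)
             ans = showContinueDialog(d, msg)
             if ans == "abort":
                 finish(False)
@@ -177,7 +181,7 @@ if __name__ == "__main__":
                 module.execute()
             except Exception as e:
                 logger.msgLog("Exception raised while running \"" + module.name + "\": " + str(e), module.name, logger.TYPE_ERROR)
-                #logger.msgLog(traceback.format_exc(), module.name, logger.TYPE_ERROR)
+                logger.msgLog(traceback.format_exc(), module.name, logger.TYPE_ERROR)
 
 
     finish(True)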
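Review bot: `xmlroot = tree.getroot()` in the existing-manifest branch of bagAndTag (@@ -57 hunk) still references `tree`, which this commit renamed to `etree`, so re-running against a tomb that already holds a MANIFEST.XML raises NameError before any artifact is hashed; it should read `xmlroot = etree.getroot()`, and the parse on the line above should open `tombPath + "MANIFEST.XML"` like the guard and the final `etree.write` do, rather than a MANIFEST.XML relative to the working directory. In the @@ -73 hunk the duplicate check looks up `@path` with the full `bone["path"]` while the Evidence element is written with `bone["path"][len(tombPath):]`, so entries from an earlier run will apparently never match and get appended again; use the same relative form on both sides, and since the XPath predicate is built by concatenation it also breaks on a path containing a quote character, so iterating `evidenceList` and comparing `elem.get("path")` is the more robust check. The @@ -143, -161 and -177 hunks now call `traceback.format_exc()` inside the except handlers, but `traceback` is not among the imports visible in the @@ -18 hunk; confirm it is imported earlier in the file, otherwise each handler raises NameError in place of the logged traceback. The `if __name__ == "__main__":` block enclosing those three hunks starts and ends outside them.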
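--- a/modules/edb.py
+++ b/modules/edb.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-import datetime
+import time
 
 def getInstance():
     return RegistryModule()
@@ -43,7 +43,7 @@ class RegistryModule(Module):
         else:
             files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
 
-        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
+        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(int(time.time())) + ".tar.gz"] + files)
         try:
             umount(mntid)
         except: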
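Review bot: The rewritten archive name on new line 46 is `path + "evt_" + vol + ...`, the same prefix evt.py uses for the Windows event-log archive, so the Windows.edb search-index archive is labelled as event-log evidence and, for the same volume, can collide with the evt module's output; this looks like a copy from evt.py and should presumably be `path + "edb_" + vol + "_" + str(int(time.time())) + ".tar.gz"`. Dropping the timestamp to whole seconds here, and in the matching lines of evt.py, info.py, mft.py and winreg.py, means two collections of the same artifact within one second yield the same filename and `tar -c` silently replaces the first archive; `time.time_ns()` or an existence check before writing would keep every collected artifact. The method enclosing this hunk starts and ends outside it.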
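--- a/modules/evt.py
+++ b/modules/evt.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-import datetime
+import time
 
 
 def getInstance():
@@ -47,7 +47,7 @@ class RegistryModule(Module):
         else:
             files += [windir + "/System32/winevt/Logs" ]
 
-        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
+        runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(int(time.time())) + ".tar.gz"] + files)
         try:
             umount(mntid)
         except: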
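--- a/modules/info.py
+++ b/modules/info.py
@@ -3,7 +3,7 @@ import os
 import tomb
 from modules.module import Module
 from runcmd import runProcess
-import datetime
+import time
 
 
 def getInstance():
@@ -22,11 +22,11 @@ class INFOModule(Module):
         if(not os.path.exists(path)):
             os.mkdir(path)
         output,code = runProcess("lshw")
-        lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb')
+        lshw = open(path + "lshw_" + str(int(time.time())) + ".txt", 'wb')
         lshw.write(output)
         lshw.close()
 
         output,code = runProcess("dmidecode")
-        lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb')
+        lshw = open(path + "dmidecode_" + str(int(time.time())) + ".txt", 'wb')
         lshw.write(output)
-        lshw.close()
\ No newline at end of file
+        lshw.close()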
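Review bot: The rewritten `open(..., 'wb')` calls on new lines 25 and 30 still depend on a manual `lshw.close()` — the very line this commit had to restore — and leave the handle open if `write` raises; `with open(path + "lshw_" + str(int(time.time())) + ".txt", 'wb') as lshw: lshw.write(output)` (and the same for the dmidecode file) closes it on every path and makes the trailing close line unnecessary. The second handle is also still named `lshw` although it holds dmidecode output, so a name like `dmi` would make the two blocks easier to tell apart. The INFOModule method enclosing these lines starts outside the hunk.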
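--- a/modules/mft.py
+++ b/modules/mft.py
@@ -5,7 +5,7 @@ import tomb
 from modules.module import Module
 from runcmd import runProcess
 import pytsk3
-import datetime
+import time
 
 
 def getInstance():
@@ -47,5 +47,5 @@ class MFTModule(Module):
             os.mkdir(path)
         logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
         for vol in self.vars['ntfsvol'].value:
-            self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin")
+            self.dumpMFT("/dev/" + vol,path + vol + "_" + str(int(time.time())) + ".bin")
 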
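--- a/modules/winreg.py
+++ b/modules/winreg.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-import datetime
+import time
 
 
 def getInstance():
@@ -65,7 +65,7 @@ class RegistryModule(Module):
             #Vista+
             files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]
 
-        runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files)
+        runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(int(time.time())) + ".tar.gz"] + files)
         try:
             umount(mntid)
         except: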
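--- a/scripts/digger.sh
+++ b/scripts/digger.sh
@@ -7,4 +7,4 @@ GD_PATH="/opt/gravedigger"
 
 pushd $GD_PATH > /dev/null
 /usr/bin/env python3 digger.py
-popd > /dev/null
\ No newline at end of file
+popd > /dev/null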