Commit 923b56eee33380a00e64150aabe93f49d7b62f0e
1 parent
dd26853c
Implemented manifest creation
Showing
9 changed files
with
36 additions
and
13 deletions
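--- a/.idea/gravedigger.iml
+++ b/.idea/gravedigger.iml
@@ -2,7 +2,7 @@
 <module type="PYTHON_MODULE" version="4">
 <component name="NewModuleRootManager">
 <content url="file://$MODULE_DIR$" />
-<orderEntry type="inheritedJdk" />
+<orderEntry type="jdk" jdkName="Python 3.5.2+ (/usr/bin/python3.5)" jdkType="Python SDK" />
 <orderEntry type="sourceFolder" forTests="false" />
 </component>
 <component name="TestRunnerService">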
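--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -10,5 +10,5 @@
 <ConfirmationsSetting value="0" id="Add" />
 <ConfirmationsSetting value="0" id="Remove" />
 </component>
-<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.2 (/usr/bin/python3.4)" project-jdk-type="Python SDK" />
+<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.5.2+ (/usr/bin/python3.5)" project-jdk-type="Python SDK" />
 </project>
\ No newline at end of file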
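--- a/digger.py
+++ b/digger.py
@@ -18,6 +18,8 @@ import logger
 from consolelogger import ConsoleLogger
 from filelogger import FileLogger
 from hashlib import sha256
+import types
+import xml.etree.ElementTree
 
 def getModules():
 choiceList = []
@@ -54,7 +56,12 @@ def sha256sum(file):
 
 def bagAndTag():
 tombPath = tomb.getPath()
-hashes = open(tombPath + "hashes.txt",'a+')
+if os.path.isfile(tombPath + "MANIFEST.XML"):
+tree = xml.etree.ElementTree.parse("MANIFEST.XML")
+root = tree.getroot()
+else:
+root = xml.etree.ElementTree.Element("Manifest")
+tree = xml.etree.ElementTree.ElementTree(root)
 
 boneList = []
 
@@ -62,17 +69,22 @@ def bagAndTag():
 for dir in dirnames:
 for subroot, subdirnames, subfilenames in os.walk(tombPath + dir):
 for filename in subfilenames:
-boneList.append(subroot + "/" + filename)
+boneList.append({"path" : subroot + "/" + filename, "type": dir})
 
 d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10)
 boneCount = 0
+evidenceList = root.find("EvidenceList")
 for bone in boneList:
+if evidenceList.find("./Evidence[@path='" + bone + "']") != None:
+continue
+hash = sha256sum(bone)
+date = os.path.getmtime(bone["path"])
+evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date))
 d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True)
-hashes.write(sha256sum(bone) + " " + bone + "\n")
 boneCount += 1
 d.gauge_update(text="Complete!",percent=100,update_text=True)
 time.sleep(1)
-hashes.close()
+tree.write(tombPath + "MANIFEST.XML")
 
 def finish(allSuccessful):
 bagAndTag()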
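Review bot: The new loop body in bagAndTag breaks on its own data: `bone` is now a dict, so the XPath concatenation `"./Evidence[@path='" + bone + "']"` raises TypeError, `sha256sum(bone)` and `gauge_update(text=bone, ...)` receive a dict instead of a path, and `root.find("EvidenceList")` returns None on a freshly created Manifest because the else branch never adds that child, so the very first lookup fails. The parse branch also opens the relative `"MANIFEST.XML"` although the existence check used `tombPath + "MANIFEST.XML"`, and `date` is a float while ElementTree serialises only string attribute values, so `tree.write` raises TypeError on the first new entry. Building the XPath by string concatenation additionally breaks on any artifact path containing a quote character; collecting the already-recorded paths into a set avoids the query entirely and keeps the skip-if-listed behaviour, which means a changed artifact keeps its old hash in the manifest — worth a comment if that is intended. bagAndTag begins in the previous hunk and the directory walk that fills boneList starts outside this one.
```python
    if os.path.isfile(tombPath + "MANIFEST.XML"):
        tree = xml.etree.ElementTree.parse(tombPath + "MANIFEST.XML")
        root = tree.getroot()
    else:
        root = xml.etree.ElementTree.Element("Manifest")
        tree = xml.etree.ElementTree.ElementTree(root)
    # … unchanged: boneList walk, gauge_start …
    boneCount = 0
    evidenceList = root.find("EvidenceList")
    if evidenceList is None:
        evidenceList = xml.etree.ElementTree.SubElement(root, "EvidenceList")
    # paths already in the manifest; a listed artifact is not hashed again
    recorded = {e.get("path") for e in evidenceList.findall("Evidence")}
    for bone in boneList:
        if bone["path"] in recorded:
            continue
        digest = sha256sum(bone["path"])
        mtime = os.path.getmtime(bone["path"])
        xml.etree.ElementTree.SubElement(evidenceList, "Evidence", hash=digest, path=bone["path"], type=bone["type"], date=str(mtime))
        d.gauge_update(text=bone["path"],percent=int(boneCount*100/len(boneList)),update_text=True)
        boneCount += 1
    # … unchanged: completion gauge, sleep, tree.write …
```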
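--- a/modules/edb.py
+++ b/modules/edb.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-
+import datetime
 
 def getInstance():
 return RegistryModule()
@@ -43,7 +43,7 @@ class RegistryModule(Module):
 else:
 files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: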
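Review bot: The timestamp spliced into the archive name on the `runProcess` line, `str(datetime.datetime.now())`, renders as `YYYY-MM-DD HH:MM:SS.ffffff`, so every artifact name now carries a space, colons and a naive local time with no zone marker; the same expression is added in evt.py, info.py, mft.py and winreg.py, and winreg.py separates it with `-` where the others use `_`. A filesystem-safe, sortable, zone-explicit form such as `datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")`, computed once per run so all modules stamp the same value, keeps the names unambiguous when they are later read back from the manifest. The `evt_` prefix on this edb archive predates the commit but is presumably a leftover from evt.py; with the timestamp added it is now the only thing separating the two archives' names apart from their directory. The method around this call begins and ends outside the hunk.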
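--- a/modules/evt.py
+++ b/modules/evt.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -46,7 +47,7 @@ class RegistryModule(Module):
 else:
 files += [windir + "/System32/winevt/Logs" ]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: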
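--- a/modules/info.py
+++ b/modules/info.py
@@ -3,6 +3,7 @@ import os
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -21,11 +22,11 @@ class INFOModule(Module):
 if(not os.path.exists(path)):
 os.mkdir(path)
 output,code = runProcess("lshw")
-lshw = open(path + "lshw.txt", 'wb')
+lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb')
 lshw.write(output)
 lshw.close()
 
 output,code = runProcess("dmidecode")
-lshw = open(path + "dmidecode.txt", 'wb')
+lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb')
 lshw.write(output)
 lshw.close()
\ No newline at end of file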
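Review bot: The dmidecode line `lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb')` is missing the comma before `'wb'`, so the two literals concatenate into a name ending in `.txtwb` and `open` is called in the default read mode; it raises FileNotFoundError (or, if such a file existed, the following `write` fails as not writable), so dmidecode output is never saved. Change it to `lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt", 'wb')`. Both files would be safer written under `with open(...) as f:` so a failing write cannot leave a handle open, and the variable holding the dmidecode file is still named `lshw`. The enclosing method begins outside the hunk.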
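--- a/modules/mft.py
+++ b/modules/mft.py
@@ -5,6 +5,7 @@ import tomb
 from modules.module import Module
 from runcmd import runProcess
 import pytsk3
+import datetime
 
 
 def getInstance():
@@ -46,5 +47,5 @@ class MFTModule(Module):
 os.mkdir(path)
 logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
 for vol in self.vars['ntfsvol'].value:
-self.dumpMFT("/dev/" + vol,path + vol + ".bin")
+self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin")
 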
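--- a/modules/winreg.py
+++ b/modules/winreg.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -64,7 +65,7 @@ class RegistryModule(Module):
 #Vista+
 files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]
 
-runProcess(["tar","-czvf",path + "winreg_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: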