Commit 923b56eee33380a00e64150aabe93f49d7b62f0e

Authored by Imanol-Mikel Barba Sabariego
1 parent dd26853c

Implemented manifest creation

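--- a/.idea/gravedigger.iml
+++ b/.idea/gravedigger.iml
@@ -2,7 +2,7 @@
 <module type="PYTHON_MODULE" version="4">
 <component name="NewModuleRootManager">
 <content url="file://$MODULE_DIR$" />
-<orderEntry type="inheritedJdk" />
+<orderEntry type="jdk" jdkName="Python 3.5.2+ (/usr/bin/python3.5)" jdkType="Python SDK" />
 <orderEntry type="sourceFolder" forTests="false" />
 </component>
 <component name="TestRunnerService">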
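--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -10,5 +10,5 @@
 <ConfirmationsSetting value="0" id="Add" />
 <ConfirmationsSetting value="0" id="Remove" />
 </component>
-<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.2 (/usr/bin/python3.4)" project-jdk-type="Python SDK" />
+<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.5.2+ (/usr/bin/python3.5)" project-jdk-type="Python SDK" />
 </project>
\ No newline at end of file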
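--- a/digger.py
+++ b/digger.py
@@ -18,6 +18,8 @@ import logger
 from consolelogger import ConsoleLogger
 from filelogger import FileLogger
 from hashlib import sha256
+import types
+import xml.etree.ElementTree
 
 def getModules():
 choiceList = []
@@ -54,7 +56,12 @@ def sha256sum(file):
 
 def bagAndTag():
 tombPath = tomb.getPath()
-hashes = open(tombPath + "hashes.txt",'a+')
+if os.path.isfile(tombPath + "MANIFEST.XML"):
+tree = xml.etree.ElementTree.parse("MANIFEST.XML")
+root = tree.getroot()
+else:
+root = xml.etree.ElementTree.Element("Manifest")
+tree = xml.etree.ElementTree.ElementTree(root)
 
 boneList = []
 
@@ -62,17 +69,22 @@ def bagAndTag():
 for dir in dirnames:
 for subroot, subdirnames, subfilenames in os.walk(tombPath + dir):
 for filename in subfilenames:
-boneList.append(subroot + "/" + filename)
+boneList.append({"path" : subroot + "/" + filename, "type": dir})
 
 d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10)
 boneCount = 0
+evidenceList = root.find("EvidenceList")
 for bone in boneList:
+if evidenceList.find("./Evidence[@path='" + bone + "']") != None:
+continue
+hash = sha256sum(bone)
+date = os.path.getmtime(bone["path"])
+evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date))
 d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True)
-hashes.write(sha256sum(bone) + " " + bone + "\n")
 boneCount += 1
 d.gauge_update(text="Complete!",percent=100,update_text=True)
 time.sleep(1)
-hashes.close()
+tree.write(tombPath + "MANIFEST.XML")
 
 def finish(allSuccessful):
 bagAndTag()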
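Review bot: The hashing loop in bagAndTag cannot run on a first execution: the `else` branch builds a bare `Manifest` element with no `EvidenceList` child, so `root.find("EvidenceList")` returns None and `evidenceList.find(...)` raises AttributeError. Even with an existing manifest, `bone` is now a dict, so `"./Evidence[@path='" + bone + "']"`, `sha256sum(bone)` and `gauge_update(text=bone, ...)` all receive a dict where a path string is expected, and `date` is a float, which ElementTree cannot serialize as an attribute when `tree.write` runs. The duplicate check also builds an XPath predicate by string concatenation, so a collected file whose name contains a quote breaks the expression; comparing against a set of already-recorded paths avoids that entirely. Separately, the earlier hunk tests `os.path.isfile(tombPath + "MANIFEST.XML")` but then parses the relative `"MANIFEST.XML"`, which only works when the working directory is tombPath, so it should parse `tombPath + "MANIFEST.XML"`. The `!= None` on the same line should be `is not None`; bagAndTag's body starts outside the hunk.
```python
evidenceList = root.find("EvidenceList")
if evidenceList is None:
    evidenceList = xml.etree.ElementTree.SubElement(root, "EvidenceList")
knownPaths = {e.get("path") for e in evidenceList.findall("Evidence")}
for bone in boneList:
    if bone["path"] in knownPaths:
        continue
    digest = sha256sum(bone["path"])
    mtime = str(os.path.getmtime(bone["path"]))
    xml.etree.ElementTree.SubElement(evidenceList, "Evidence", hash=digest, path=bone["path"], type=bone["type"], date=mtime)
    d.gauge_update(text=bone["path"], percent=int(boneCount*100/len(boneList)), update_text=True)
    # … unchanged: boneCount += 1 …
```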
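--- a/modules/edb.py
+++ b/modules/edb.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-
+import datetime
 
 def getInstance():
 return RegistryModule()
@@ -43,7 +43,7 @@ class RegistryModule(Module):
 else:
 files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: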
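Review bot: The timestamp appended to the archive name on the `runProcess` line is `str(datetime.datetime.now())`, which renders like `2016-09-01 12:34:56.789012` (constructed sample), so the evidence filename contains spaces and colons; colons are illegal on NTFS/Windows, where such collections are commonly copied for analysis, and a naive local time is ambiguous in a forensic timeline. A filesystem-safe UTC form such as `datetime.datetime.utcnow().strftime("%Y%m%dT%H%M%SZ")` avoids both; the same applies to the new lines in modules/evt.py, modules/info.py, modules/mft.py and modules/winreg.py. The new line also still labels the Windows.edb archive with the `evt_` prefix, which looks copied from evt.py and, if both modules write into the same directory, makes the edb and evt archives indistinguishable in the manifest; `edb_` would match the `winreg_` convention. The enclosing method starts outside the hunk.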
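--- a/modules/evt.py
+++ b/modules/evt.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -46,7 +47,7 @@ class RegistryModule(Module):
 else:
 files += [windir + "/System32/winevt/Logs" ]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: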
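--- a/modules/info.py
+++ b/modules/info.py
@@ -3,6 +3,7 @@ import os
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -21,11 +22,11 @@ class INFOModule(Module):
 if(not os.path.exists(path)):
 os.mkdir(path)
 output,code = runProcess("lshw")
-lshw = open(path + "lshw.txt", 'wb')
+lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb')
 lshw.write(output)
 lshw.close()
 
 output,code = runProcess("dmidecode")
-lshw = open(path + "dmidecode.txt", 'wb')
+lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb')
 lshw.write(output)
 lshw.close()
\ No newline at end of file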
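Review bot: The second `open` call is missing the comma before `'wb'`: `".txt" 'wb'` is implicit string concatenation, so the call opens `dmidecode_<timestamp>.txtwb` in the default read mode, which raises FileNotFoundError for a file that does not yet exist and would otherwise fail on `lshw.write(output)`. It should read `lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt", 'wb')`. Calling `datetime.datetime.now()` separately for each file also gives the two outputs of one run different stamps; capturing it once at the top of the method keeps them grouped, and the variable for the dmidecode handle is still named `lshw`. Using `with open(...) as f:` would close the handles if a write fails; the enclosing method starts outside the hunk.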
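--- a/modules/mft.py
+++ b/modules/mft.py
@@ -5,6 +5,7 @@ import tomb
 from modules.module import Module
 from runcmd import runProcess
 import pytsk3
+import datetime
 
 
 def getInstance():
@@ -46,5 +47,5 @@ class MFTModule(Module):
 os.mkdir(path)
 logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
 for vol in self.vars['ntfsvol'].value:
-self.dumpMFT("/dev/" + vol,path + vol + ".bin")
+self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin")
 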
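--- a/modules/winreg.py
+++ b/modules/winreg.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -64,7 +65,7 @@ class RegistryModule(Module):
 #Vista+
 files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]
 
-runProcess(["tar","-czvf",path + "winreg_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: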
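Review bot: The new archive name on the `runProcess` line joins the volume and the timestamp with `-`, whereas the parallel lines added in modules/edb.py, modules/evt.py, modules/mft.py and modules/info.py use `_`; one separator across modules keeps the manifest paths uniformly parseable. `path + "winreg_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"` would match the others. The enclosing method starts outside the hunk.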
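--- /dev/null
+++ b/types.py
@@ -0,0 +1,7 @@
+typeDefinitions = {
+"mft": 0x00,
+"winreg": 0x01,
+"evt": 0x02,
+"edb": 0x03,
+"info": 0x04
+}
\ No newline at end of file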
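Review bot: A top-level module named `types.py` shadows the standard-library `types` module. Which one `import types` in digger.py resolves to depends on whether the stdlib module is already in `sys.modules` when the script starts (it usually is, since other stdlib modules import it), so `types.typeDefinitions` may not exist at all; and if the project file does win, any library that later does `import types` receives this dictionary module and breaks. Renaming the file, for example to `artifacttypes.py`, avoids both outcomes. The visible digger.py hunks import the module but do not reference `typeDefinitions`, so I cannot tell from this commit how the codes are meant to be used; a short comment above the dict stating what the numeric values represent would help.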