Commit 923b56eee33380a00e64150aabe93f49d7b62f0e
1 parent
dd26853c
Implemented manifest creation
Showing
9 changed files
with
36 additions
and
13 deletions
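--- a/.idea/gravedigger.iml
+++ b/.idea/gravedigger.iml
@@ -2,7 +2,7 @@
 <module type="PYTHON_MODULE" version="4">
 <component name="NewModuleRootManager">
 <content url="file://$MODULE_DIR$" />
-<orderEntry type="inheritedJdk" />
+<orderEntry type="jdk" jdkName="Python 3.5.2+ (/usr/bin/python3.5)" jdkType="Python SDK" />
 <orderEntry type="sourceFolder" forTests="false" />
 </component>
 <component name="TestRunnerService">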
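--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -10,5 +10,5 @@
 <ConfirmationsSetting value="0" id="Add" />
 <ConfirmationsSetting value="0" id="Remove" />
 </component>
-<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.2 (/usr/bin/python3.4)" project-jdk-type="Python SDK" />
+<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.5.2+ (/usr/bin/python3.5)" project-jdk-type="Python SDK" />
 </project>
\ No newline at end of file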
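--- a/digger.py
+++ b/digger.py
@@ -18,6 +18,8 @@ import logger
 from consolelogger import ConsoleLogger
 from filelogger import FileLogger
 from hashlib import sha256
+import types
+import xml.etree.ElementTree
 
 def getModules():
 choiceList = []
@@ -54,7 +56,12 @@ def sha256sum(file):
 
 def bagAndTag():
 tombPath = tomb.getPath()
-hashes = open(tombPath + "hashes.txt",'a+')
+if os.path.isfile(tombPath + "MANIFEST.XML"):
+tree = xml.etree.ElementTree.parse("MANIFEST.XML")
+root = tree.getroot()
+else:
+root = xml.etree.ElementTree.Element("Manifest")
+tree = xml.etree.ElementTree.ElementTree(root)
 
 boneList = []
 
@@ -62,17 +69,22 @@ def bagAndTag():
 for dir in dirnames:
 for subroot, subdirnames, subfilenames in os.walk(tombPath + dir):
 for filename in subfilenames:
-boneList.append(subroot + "/" + filename)
+boneList.append({"path" : subroot + "/" + filename, "type": dir})
 
 d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10)
 boneCount = 0
+evidenceList = root.find("EvidenceList")
 for bone in boneList:
+if evidenceList.find("./Evidence[@path='" + bone + "']") != None:
+continue
+hash = sha256sum(bone)
+date = os.path.getmtime(bone["path"])
+evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date))
 d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True)
-hashes.write(sha256sum(bone) + " " + bone + "\n")
 boneCount += 1
 d.gauge_update(text="Complete!",percent=100,update_text=True)
 time.sleep(1)
-hashes.close()
+tree.write(tombPath + "MANIFEST.XML")
 
 def finish(allSuccessful):
 bagAndTag()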
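Review bot: The loop on new lines 77–84 treats `bone` as both a dict and a string: `boneList` now holds `{"path": ..., "type": ...}` (line 72), yet line 78 concatenates `bone` into the XPath string, line 80 passes it to `sha256sum`, and line 83 passes it as the gauge text, so the first iteration raises TypeError. Two further problems sit in the same loop: `root.find("EvidenceList")` (line 76) is None whenever the manifest was just created, because hunk 2 builds a bare `Manifest` root with no `EvidenceList` child, so line 78 fails with AttributeError; and `date` (line 81) is the float returned by `os.path.getmtime`, while ElementTree attribute values must be str, so `tree.write` on line 87 fails at serialization. Building the XPath predicate by concatenating the file path also breaks for any artifact name containing a quote character; comparing the `path` attribute value directly avoids that. Separately, hunk 2 parses `"MANIFEST.XML"` relative to the working directory while the existence check and the final write use `tombPath + "MANIFEST.XML"`, so an existing manifest is never read back and should be parsed from the same path that is checked. The rewrite below covers the loop; bagAndTag begins before the hunk.
```python
    evidenceList = root.find("EvidenceList")
    if evidenceList is None:
        evidenceList = xml.etree.ElementTree.SubElement(root, "EvidenceList")
    for bone in boneList:
        bonePath = bone["path"]
        # compare the attribute value directly instead of building an XPath predicate from the path
        if any(e.get("path") == bonePath for e in evidenceList.findall("Evidence")):
            continue
        digest = sha256sum(bonePath)
        date = str(os.path.getmtime(bonePath))  # ElementTree attribute values must be str
        evidenceList.append(xml.etree.ElementTree.Element("Evidence", hash=digest, path=bonePath, type=bone["type"], date=date))
        d.gauge_update(text=bonePath, percent=int(boneCount*100/len(boneList)), update_text=True)
        boneCount += 1
    # … unchanged: completion gauge, sleep, tree.write …
```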
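--- a/modules/edb.py
+++ b/modules/edb.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-
+import datetime
 
 def getInstance():
 return RegistryModule()
@@ -43,7 +43,7 @@ class RegistryModule(Module):
 else:
 files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: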
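Review bot: `str(datetime.datetime.now())` in the archive name (new line 46) produces a value of the form `YYYY-MM-DD HH:MM:SS.ffffff`, so the filename contains spaces, colons and microseconds; colons are not legal in NTFS/Windows filenames and the spaces complicate any tooling that later consumes the tomb directory, and for evidence naming a naive local time is less useful than an unambiguous UTC stamp. A path-safe form such as `datetime.datetime.utcnow().strftime("%Y%m%dT%H%M%SZ")` avoids both problems. The same construct is introduced in modules/evt.py, modules/info.py, modules/mft.py and modules/winreg.py, and winreg.py separates the stamp with `-` where the others use `_`, so one shared helper returning the formatted stamp would keep all five consistent. The archive name also still carries the `evt_` prefix, which looks copied from evt.py and is misleading for a Windows.edb archive — worth confirming the intent. The enclosing method begins before the hunk.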
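--- a/modules/evt.py
+++ b/modules/evt.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -46,7 +47,7 @@ class RegistryModule(Module):
 else:
 files += [windir + "/System32/winevt/Logs" ]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: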
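--- a/modules/info.py
+++ b/modules/info.py
@@ -3,6 +3,7 @@ import os
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -21,11 +22,11 @@ class INFOModule(Module):
 if(not os.path.exists(path)):
 os.mkdir(path)
 output,code = runProcess("lshw")
-lshw = open(path + "lshw.txt", 'wb')
+lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb')
 lshw.write(output)
 lshw.close()
 
 output,code = runProcess("dmidecode")
-lshw = open(path + "dmidecode.txt", 'wb')
+lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb')
 lshw.write(output)
 lshw.close()
\ No newline at end of file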
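Review bot: New line 30 is missing the comma between the filename and the mode: `".txt" 'wb'` is implicit string concatenation, so `open()` receives a single path ending in `.txtwb` and the default text mode `'r'`, which raises FileNotFoundError (and would reject the bytes `output` on the next line even if the file existed), so the dmidecode capture is never written. It should read `lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt", 'wb')`. Since both handles are opened and closed by hand, `with open(...) as f: f.write(output)` would also guarantee the close if `write` raises, and a distinct name for the second handle would make the dmidecode block easier to follow. The enclosing method begins before the hunk.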
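--- a/modules/mft.py
+++ b/modules/mft.py
@@ -5,6 +5,7 @@ import tomb
 from modules.module import Module
 from runcmd import runProcess
 import pytsk3
+import datetime
 
 
 def getInstance():
@@ -46,5 +47,5 @@ class MFTModule(Module):
 os.mkdir(path)
 logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
 for vol in self.vars['ntfsvol'].value:
-self.dumpMFT("/dev/" + vol,path + vol + ".bin")
+self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin")
 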
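--- a/modules/winreg.py
+++ b/modules/winreg.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -64,7 +65,7 @@ class RegistryModule(Module):
 #Vista+
 files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]
 
-runProcess(["tar","-czvf",path + "winreg_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: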