Commit 923b56eee33380a00e64150aabe93f49d7b62f0e

Authored by Imanol-Mikel Barba Sabariego
1 parent dd26853c

Implemented manifest creation

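--- a/.idea/gravedigger.iml
+++ b/.idea/gravedigger.iml
@@ -2,7 +2,7 @@
 <module type="PYTHON_MODULE" version="4">
 <component name="NewModuleRootManager">
 <content url="file://$MODULE_DIR$" />
-<orderEntry type="inheritedJdk" />
+<orderEntry type="jdk" jdkName="Python 3.5.2+ (/usr/bin/python3.5)" jdkType="Python SDK" />
 <orderEntry type="sourceFolder" forTests="false" />
 </component>
 <component name="TestRunnerService">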
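--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -10,5 +10,5 @@
 <ConfirmationsSetting value="0" id="Add" />
 <ConfirmationsSetting value="0" id="Remove" />
 </component>
-<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.2 (/usr/bin/python3.4)" project-jdk-type="Python SDK" />
+<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.5.2+ (/usr/bin/python3.5)" project-jdk-type="Python SDK" />
 </project>
\ No newline at end of file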
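--- a/digger.py
+++ b/digger.py
@@ -18,6 +18,8 @@ import logger
 from consolelogger import ConsoleLogger
 from filelogger import FileLogger
 from hashlib import sha256
+import types
+import xml.etree.ElementTree
 
 def getModules():
 choiceList = []
@@ -54,7 +56,12 @@ def sha256sum(file):
 
 def bagAndTag():
 tombPath = tomb.getPath()
-hashes = open(tombPath + "hashes.txt",'a+')
+if os.path.isfile(tombPath + "MANIFEST.XML"):
+tree = xml.etree.ElementTree.parse("MANIFEST.XML")
+root = tree.getroot()
+else:
+root = xml.etree.ElementTree.Element("Manifest")
+tree = xml.etree.ElementTree.ElementTree(root)
 
 boneList = []
 
@@ -62,17 +69,22 @@ def bagAndTag():
 for dir in dirnames:
 for subroot, subdirnames, subfilenames in os.walk(tombPath + dir):
 for filename in subfilenames:
-boneList.append(subroot + "/" + filename)
+boneList.append({"path" : subroot + "/" + filename, "type": dir})
 
 d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10)
 boneCount = 0
+evidenceList = root.find("EvidenceList")
 for bone in boneList:
+if evidenceList.find("./Evidence[@path='" + bone + "']") != None:
+continue
+hash = sha256sum(bone)
+date = os.path.getmtime(bone["path"])
+evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date))
 d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True)
-hashes.write(sha256sum(bone) + " " + bone + "\n")
 boneCount += 1
 d.gauge_update(text="Complete!",percent=100,update_text=True)
 time.sleep(1)
-hashes.close()
+tree.write(tombPath + "MANIFEST.XML")
 
 def finish(allSuccessful):
 bagAndTag()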
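Review bot: The hashing loop in the third hunk cannot run against a fresh manifest: `root.find("EvidenceList")` returns None because the `else` branch in the previous hunk creates only a bare `Manifest` element, and every entry of `boneList` is now a dict, so `"./Evidence[@path='" + bone + "']"` and `sha256sum(bone)` raise TypeError before any hash is recorded. `date` is also left as the float returned by `os.path.getmtime`, which `tree.write` refuses to serialize as an attribute, and building an XPath predicate from a filesystem path breaks on any name containing a quote; comparing the `path` attribute of the existing `Evidence` entries directly avoids both the quoting problem and a per-file scan. Relatedly, the previous hunk parses `"MANIFEST.XML"` relative to the working directory while the `isfile` check uses `tombPath + "MANIFEST.XML"`; both should use the tomb path. The rewrite below creates `EvidenceList` when it is missing, compares paths through a set, stringifies the date and passes the path rather than the dict to `sha256sum` and to the gauge (which presumably expects a string); `bagAndTag` starts in the previous hunk.
```python
    evidenceList = root.find("EvidenceList")
    if evidenceList is None:
        evidenceList = xml.etree.ElementTree.SubElement(root, "EvidenceList")
    knownPaths = {e.get("path") for e in evidenceList.findall("Evidence")}
    for bone in boneList:
        if bone["path"] not in knownPaths:
            fileHash = sha256sum(bone["path"])
            date = str(os.path.getmtime(bone["path"]))
            xml.etree.ElementTree.SubElement(evidenceList, "Evidence", hash=fileHash, path=bone["path"], type=bone["type"], date=date)
        d.gauge_update(text=bone["path"],percent=int(boneCount*100/len(boneList)),update_text=True)
        boneCount += 1
    # … unchanged: completion gauge, sleep, tree.write …
```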
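--- a/modules/edb.py
+++ b/modules/edb.py
@@ -6,7 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
-
+import datetime
 
 def getInstance():
 return RegistryModule()
@@ -43,7 +43,7 @@ class RegistryModule(Module):
 else:
 files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: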
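Review bot: `str(datetime.datetime.now())` on the `runProcess` line embeds spaces, colons and microseconds in the archive name, giving names of the form `evt_<vol>_YYYY-MM-DD HH:MM:SS.ffffff.tar.gz` that are awkward to quote and invalid for Windows-side tooling that may later read the evidence; a filesystem-safe stamp such as `vol + "_" + datetime.datetime.now().strftime("%Y%m%d_%H%M%S")` keeps the intent. The same construct is added in modules/evt.py, modules/info.py, modules/mft.py and modules/winreg.py, and winreg.py joins it with `-` where the others use `_`; one helper returning the run's stamp would make the naming consistent and let all artifacts from a single collection share one timestamp instead of a fresh `now()` per call. The archive prefix here is still `evt_` inside the edb module, which looks like a copy from evt.py, though that predates this commit.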
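--- a/modules/evt.py
+++ b/modules/evt.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -46,7 +47,7 @@ class RegistryModule(Module):
 else:
 files += [windir + "/System32/winevt/Logs" ]
 
-runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: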
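--- a/modules/info.py
+++ b/modules/info.py
@@ -3,6 +3,7 @@ import os
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -21,11 +22,11 @@ class INFOModule(Module):
 if(not os.path.exists(path)):
 os.mkdir(path)
 output,code = runProcess("lshw")
-lshw = open(path + "lshw.txt", 'wb')
+lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb')
 lshw.write(output)
 lshw.close()
 
 output,code = runProcess("dmidecode")
-lshw = open(path + "dmidecode.txt", 'wb')
+lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb')
 lshw.write(output)
 lshw.close()
\ No newline at end of file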
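Review bot: The second `open` call in the second hunk is missing the comma before `'wb'`, so `".txt" 'wb'` is concatenated into the suffix `".txtwb"` and the file is opened in the default read mode; `open` then fails because the file does not exist, and even if it did, `lshw.write(output)` would fail on a read-only text handle. The line should read `lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt", 'wb')`. Both handles would also be safer as `with open(...) as f:` blocks so a failed write does not leave a file open; reusing the name `lshw` for the dmidecode output predates this commit.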
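--- a/modules/mft.py
+++ b/modules/mft.py
@@ -5,6 +5,7 @@ import tomb
 from modules.module import Module
 from runcmd import runProcess
 import pytsk3
+import datetime
 
 
 def getInstance():
@@ -46,5 +47,5 @@ class MFTModule(Module):
 os.mkdir(path)
 logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
 for vol in self.vars['ntfsvol'].value:
-self.dumpMFT("/dev/" + vol,path + vol + ".bin")
+self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin")
 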
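--- a/modules/winreg.py
+++ b/modules/winreg.py
@@ -6,6 +6,7 @@ import winver
 from modules.module import Module
 from mount import mount,umount
 from runcmd import runProcess
+import datetime
 
 
 def getInstance():
@@ -64,7 +65,7 @@ class RegistryModule(Module):
 #Vista+
 files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]
 
-runProcess(["tar","-czvf",path + "winreg_" + vol + ".tar.gz"] + files)
+runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files)
 try:
 umount(mntid)
 except: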
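--- /dev/null
+++ b/types.py
@@ -0,0 +1,7 @@
+typeDefinitions = {
+ "mft": 0x00,
+ "winreg": 0x01,
+ "evt": 0x02,
+ "edb": 0x03,
+ "info": 0x04
+}
\ No newline at end of file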
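Review bot: A top-level module named `types.py` shadows the standard library's `types` module whenever the project directory precedes the stdlib on `sys.path` (the usual case when `digger.py` is run from this directory), so the `import types` added in digger.py resolves to this file and any stdlib or third-party code that imports `types` afterwards may fail on missing names such as `types.FunctionType`; renaming it (for example `artifacttypes.py`) avoids the collision. The mapping also has no documentation, and `typeDefinitions` is not referenced anywhere in the visible hunks; a one-line comment such as `# Numeric artifact type codes, keyed by module name (mft, winreg, evt, edb, info)` would state its purpose until a consumer lands.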