Commit 923b56eee33380a00e64150aabe93f49d7b62f0e
1 parent
dd26853c
Implemented manifest creation
Showing
9 changed files
with
36 additions
and
13 deletions
.idea/gravedigger.iml
| @@ -2,7 +2,7 @@ | @@ -2,7 +2,7 @@ | ||
| 2 | <module type="PYTHON_MODULE" version="4"> | 2 | <module type="PYTHON_MODULE" version="4"> |
| 3 | <component name="NewModuleRootManager"> | 3 | <component name="NewModuleRootManager"> |
| 4 | <content url="file://$MODULE_DIR$" /> | 4 | <content url="file://$MODULE_DIR$" /> |
| 5 | - <orderEntry type="inheritedJdk" /> | 5 | + <orderEntry type="jdk" jdkName="Python 3.5.2+ (/usr/bin/python3.5)" jdkType="Python SDK" /> |
| 6 | <orderEntry type="sourceFolder" forTests="false" /> | 6 | <orderEntry type="sourceFolder" forTests="false" /> |
| 7 | </component> | 7 | </component> |
| 8 | <component name="TestRunnerService"> | 8 | <component name="TestRunnerService"> |
.idea/misc.xml
| @@ -10,5 +10,5 @@ | @@ -10,5 +10,5 @@ | ||
| 10 | <ConfirmationsSetting value="0" id="Add" /> | 10 | <ConfirmationsSetting value="0" id="Add" /> |
| 11 | <ConfirmationsSetting value="0" id="Remove" /> | 11 | <ConfirmationsSetting value="0" id="Remove" /> |
| 12 | </component> | 12 | </component> |
| 13 | - <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.2 (/usr/bin/python3.4)" project-jdk-type="Python SDK" /> | 13 | + <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.5.2+ (/usr/bin/python3.5)" project-jdk-type="Python SDK" /> |
| 14 | </project> | 14 | </project> |
| 15 | \ No newline at end of file | 15 | \ No newline at end of file |
digger.py
| @@ -18,6 +18,8 @@ import logger | @@ -18,6 +18,8 @@ import logger | ||
| 18 | from consolelogger import ConsoleLogger | 18 | from consolelogger import ConsoleLogger |
| 19 | from filelogger import FileLogger | 19 | from filelogger import FileLogger |
| 20 | from hashlib import sha256 | 20 | from hashlib import sha256 |
| 21 | +import types | ||
| 22 | +import xml.etree.ElementTree | ||
| 21 | 23 | ||
| 22 | def getModules(): | 24 | def getModules(): |
| 23 | choiceList = [] | 25 | choiceList = [] |
| @@ -54,7 +56,12 @@ def sha256sum(file): | @@ -54,7 +56,12 @@ def sha256sum(file): | ||
| 54 | 56 | ||
| 55 | def bagAndTag(): | 57 | def bagAndTag(): |
| 56 | tombPath = tomb.getPath() | 58 | tombPath = tomb.getPath() |
| 57 | - hashes = open(tombPath + "hashes.txt",'a+') | 59 | + if os.path.isfile(tombPath + "MANIFEST.XML"): |
| 60 | + tree = xml.etree.ElementTree.parse("MANIFEST.XML") | ||
| 61 | + root = tree.getroot() | ||
| 62 | + else: | ||
| 63 | + root = xml.etree.ElementTree.Element("Manifest") | ||
| 64 | + tree = xml.etree.ElementTree.ElementTree(root) | ||
| 58 | 65 | ||
| 59 | boneList = [] | 66 | boneList = [] |
| 60 | 67 | ||
| @@ -62,17 +69,22 @@ def bagAndTag(): | @@ -62,17 +69,22 @@ def bagAndTag(): | ||
| 62 | for dir in dirnames: | 69 | for dir in dirnames: |
| 63 | for subroot, subdirnames, subfilenames in os.walk(tombPath + dir): | 70 | for subroot, subdirnames, subfilenames in os.walk(tombPath + dir): |
| 64 | for filename in subfilenames: | 71 | for filename in subfilenames: |
| 65 | - boneList.append(subroot + "/" + filename) | 72 | + boneList.append({"path" : subroot + "/" + filename, "type": dir}) |
| 66 | 73 | ||
| 67 | d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10) | 74 | d.gauge_start(title="Hashing all collected artifacts...",width=60,height=10) |
| 68 | boneCount = 0 | 75 | boneCount = 0 |
| 76 | + evidenceList = root.find("EvidenceList") | ||
| 69 | for bone in boneList: | 77 | for bone in boneList: |
| 78 | + if evidenceList.find("./Evidence[@path='" + bone + "']") != None: | ||
| 79 | + continue | ||
| 80 | + hash = sha256sum(bone) | ||
| 81 | + date = os.path.getmtime(bone["path"]) | ||
| 82 | + evidenceList.insert(len(evidenceList),xml.etree.ElementTree.Element("Evidence", hash=hash,path=bone["path"],type=bone["type"],date=date)) | ||
| 70 | d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True) | 83 | d.gauge_update(text=bone,percent=int(boneCount*100/len(boneList)),update_text=True) |
| 71 | - hashes.write(sha256sum(bone) + " " + bone + "\n") | ||
| 72 | boneCount += 1 | 84 | boneCount += 1 |
| 73 | d.gauge_update(text="Complete!",percent=100,update_text=True) | 85 | d.gauge_update(text="Complete!",percent=100,update_text=True) |
| 74 | time.sleep(1) | 86 | time.sleep(1) |
| 75 | - hashes.close() | 87 | + tree.write(tombPath + "MANIFEST.XML") |
| 76 | 88 | ||
| 77 | def finish(allSuccessful): | 89 | def finish(allSuccessful): |
| 78 | bagAndTag() | 90 | bagAndTag() |
modules/edb.py
| @@ -6,7 +6,7 @@ import winver | @@ -6,7 +6,7 @@ import winver | ||
| 6 | from modules.module import Module | 6 | from modules.module import Module |
| 7 | from mount import mount,umount | 7 | from mount import mount,umount |
| 8 | from runcmd import runProcess | 8 | from runcmd import runProcess |
| 9 | - | 9 | +import datetime |
| 10 | 10 | ||
| 11 | def getInstance(): | 11 | def getInstance(): |
| 12 | return RegistryModule() | 12 | return RegistryModule() |
| @@ -43,7 +43,7 @@ class RegistryModule(Module): | @@ -43,7 +43,7 @@ class RegistryModule(Module): | ||
| 43 | else: | 43 | else: |
| 44 | files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"] | 44 | files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"] |
| 45 | 45 | ||
| 46 | - runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files) | 46 | + runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files) |
| 47 | try: | 47 | try: |
| 48 | umount(mntid) | 48 | umount(mntid) |
| 49 | except: | 49 | except: |
modules/evt.py
| @@ -6,6 +6,7 @@ import winver | @@ -6,6 +6,7 @@ import winver | ||
| 6 | from modules.module import Module | 6 | from modules.module import Module |
| 7 | from mount import mount,umount | 7 | from mount import mount,umount |
| 8 | from runcmd import runProcess | 8 | from runcmd import runProcess |
| 9 | +import datetime | ||
| 9 | 10 | ||
| 10 | 11 | ||
| 11 | def getInstance(): | 12 | def getInstance(): |
| @@ -46,7 +47,7 @@ class RegistryModule(Module): | @@ -46,7 +47,7 @@ class RegistryModule(Module): | ||
| 46 | else: | 47 | else: |
| 47 | files += [windir + "/System32/winevt/Logs" ] | 48 | files += [windir + "/System32/winevt/Logs" ] |
| 48 | 49 | ||
| 49 | - runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files) | 50 | + runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(datetime.datetime.now()) + ".tar.gz"] + files) |
| 50 | try: | 51 | try: |
| 51 | umount(mntid) | 52 | umount(mntid) |
| 52 | except: | 53 | except: |
modules/info.py
| @@ -3,6 +3,7 @@ import os | @@ -3,6 +3,7 @@ import os | ||
| 3 | import tomb | 3 | import tomb |
| 4 | from modules.module import Module | 4 | from modules.module import Module |
| 5 | from runcmd import runProcess | 5 | from runcmd import runProcess |
| 6 | +import datetime | ||
| 6 | 7 | ||
| 7 | 8 | ||
| 8 | def getInstance(): | 9 | def getInstance(): |
| @@ -21,11 +22,11 @@ class INFOModule(Module): | @@ -21,11 +22,11 @@ class INFOModule(Module): | ||
| 21 | if(not os.path.exists(path)): | 22 | if(not os.path.exists(path)): |
| 22 | os.mkdir(path) | 23 | os.mkdir(path) |
| 23 | output,code = runProcess("lshw") | 24 | output,code = runProcess("lshw") |
| 24 | - lshw = open(path + "lshw.txt", 'wb') | 25 | + lshw = open(path + "lshw_" + str(datetime.datetime.now()) + ".txt", 'wb') |
| 25 | lshw.write(output) | 26 | lshw.write(output) |
| 26 | lshw.close() | 27 | lshw.close() |
| 27 | 28 | ||
| 28 | output,code = runProcess("dmidecode") | 29 | output,code = runProcess("dmidecode") |
| 29 | - lshw = open(path + "dmidecode.txt", 'wb') | 30 | + lshw = open(path + "dmidecode_" + str(datetime.datetime.now()) + ".txt" 'wb') |
| 30 | lshw.write(output) | 31 | lshw.write(output) |
| 31 | lshw.close() | 32 | lshw.close() |
| 32 | \ No newline at end of file | 33 | \ No newline at end of file |
modules/mft.py
| @@ -5,6 +5,7 @@ import tomb | @@ -5,6 +5,7 @@ import tomb | ||
| 5 | from modules.module import Module | 5 | from modules.module import Module |
| 6 | from runcmd import runProcess | 6 | from runcmd import runProcess |
| 7 | import pytsk3 | 7 | import pytsk3 |
| 8 | +import datetime | ||
| 8 | 9 | ||
| 9 | 10 | ||
| 10 | def getInstance(): | 11 | def getInstance(): |
| @@ -46,5 +47,5 @@ class MFTModule(Module): | @@ -46,5 +47,5 @@ class MFTModule(Module): | ||
| 46 | os.mkdir(path) | 47 | os.mkdir(path) |
| 47 | logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO) | 48 | logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO) |
| 48 | for vol in self.vars['ntfsvol'].value: | 49 | for vol in self.vars['ntfsvol'].value: |
| 49 | - self.dumpMFT("/dev/" + vol,path + vol + ".bin") | 50 | + self.dumpMFT("/dev/" + vol,path + vol + "_" + str(datetime.datetime.now()) + ".bin") |
| 50 | 51 |
modules/winreg.py
| @@ -6,6 +6,7 @@ import winver | @@ -6,6 +6,7 @@ import winver | ||
| 6 | from modules.module import Module | 6 | from modules.module import Module |
| 7 | from mount import mount,umount | 7 | from mount import mount,umount |
| 8 | from runcmd import runProcess | 8 | from runcmd import runProcess |
| 9 | +import datetime | ||
| 9 | 10 | ||
| 10 | 11 | ||
| 11 | def getInstance(): | 12 | def getInstance(): |
| @@ -64,7 +65,7 @@ class RegistryModule(Module): | @@ -64,7 +65,7 @@ class RegistryModule(Module): | ||
| 64 | #Vista+ | 65 | #Vista+ |
| 65 | files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"] | 66 | files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"] |
| 66 | 67 | ||
| 67 | - runProcess(["tar","-czvf",path + "winreg_" + vol + ".tar.gz"] + files) | 68 | + runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(datetime.datetime.now()) + ".tar.gz"] + files) |
| 68 | try: | 69 | try: |
| 69 | umount(mntid) | 70 | umount(mntid) |
| 70 | except: | 71 | except: |