From ad274817badab9e188a239cd6936895ca7f9d8ed Mon Sep 17 00:00:00 2001
From: Imanol-Mikel Barba Sabariego
Date: Thu, 27 Oct 2016 15:20:37 +0200
Subject: [PATCH] Implemented edb module. Improved continue dialog on module var fail. Small fixes
---
 digger.py | 64 +++++++++++++++++++++++++++++++++++++++++-----------------------
 logger/filelogger.py | 2 +-
 modules/edb.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 modules/evt.py | 2 +-
 vars/ntfsvol.py | 5 +++--
 vars/winvol.py | 6 +++---
 6 files changed, 99 insertions(+), 30 deletions(-)
 create mode 100644 modules/edb.py
diff --git a/digger.py b/digger.py
index 1f65f0d..e8f7e98 100644
--- a/digger.py
+++ b/digger.py
@@ -60,11 +60,16 @@ def showFinishDialog(allSuccessful):
 elif tag == "Reboot":
 sp.call("reboot", shell=True)
+ logger.msgLog("Finished excavation of tomb: " + tomb.getPath(),"digger",logger.TYPE_INFO)
 exit(0)
 def showContinueDialog(d,msg):
- ans = d.yesno(msg + "\n\nDo you want to continue execution without the module?")
- return ans == d.OK
+ code, tag = d.menu(msg + "\n\nDo you want to retry module configuration or continue execution without the module?",
+ choices=[("retry", "Retry configuration"),
+ ("continue", "Continue without module")])
+ if code != d.OK:
+ return "abort"
+ return tag
 if __name__ == "__main__":
 locale.setlocale(locale.LC_ALL, '')
@@ -77,6 +82,7 @@ if __name__ == "__main__":
 tomb._MACHINE_NAME= value
 logger.logSystems.append(ConsoleLogger())
 logger.logSystems.append(FileLogger(tomb.getPath() + "log.txt"))
+ logger.msgLog("Beginning excavation of tomb: " + tomb.getPath(),"digger",logger.TYPE_INFO)
 d.set_background_title("Gravedigger - " + value)
 code, tags = d.checklist("Select modules to execute",
 choices=moduleList + [("all","Execute all modules",False)],
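Review bot: showContinueDialog now returns one of three magic strings ("retry", "continue", or "abort" when the menu is cancelled or ESC'd) but carries no docstring, and the caller added in this commit branches on the exact strings, so a typo on either side silently lands in the retry path. Add `"""Offer retry/continue after a module failed to configure; returns "retry", "continue", or "abort" (Cancel/ESC)."""` under the def. Defining the two choice tags as module-level constants that the caller also uses would keep the strings in one place.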
@@ -84,27 +90,41 @@ if __name__ == "__main__":
 if code == d.OK:
 runlist = []
 if "all" in tags:
+ logger.msgLog("Selected modules: " + repr(moduleList), "digger", logger.TYPE_INFO)
 for module in moduleList:
- try:
- mod = prepareModule(module[0])
- runlist.append(mod)
- except Exception as e:
- msg = "Exception raised while preparing module \"" + module[0] + "\": " + str(e)
- logger.msgLog(msg, module[0], logger.TYPE_ERROR)
- #logger.msgLog(traceback.format_exc(), module[0], logger.TYPE_ERROR)
- if(not showContinueDialog(d,msg)):
- showFinishDialog(False)
+ while True:
+ try:
+ mod = prepareModule(module[0])
+ runlist.append(mod)
+ break
+ except Exception as e:
+ msg = "Exception raised while preparing module \"" + module[0] + "\": " + str(e)
+ logger.msgLog(msg, module[0], logger.TYPE_ERROR)
+ #logger.msgLog(traceback.format_exc(), module[0], logger.TYPE_ERROR)
+ ans = showContinueDialog(d,msg)
+ if ans == "abort":
+ showFinishDialog(False)
+ elif ans == "continue":
+ logger.msgLog("Skipping module " + module, "digger", logger.TYPE_INFO)
+ break
 else:
+ logger.msgLog("Selected modules: " + repr(tags), "digger", logger.TYPE_INFO)
 for tag in tags:
- try:
- mod = prepareModule(tag)
- runlist.append(mod)
- except Exception as e:
- msg = "Exception raised while preparing module \"" + tag + "\": " + str(e)
- logger.msgLog(msg,tag,logger.TYPE_ERROR)
- #logger.msgLog(traceback.format_exc(), tag logger.TYPE_ERROR)
- if(not showContinueDialog(d,msg)):
- showFinishDialog(False)
+ while True:
+ try:
+ mod = prepareModule(tag)
+ runlist.append(mod)
+ break
+ except Exception as e:
+ msg = "Exception raised while preparing module \"" + tag + "\": " + str(e)
+ logger.msgLog(msg,tag,logger.TYPE_ERROR)
+ #logger.msgLog(traceback.format_exc(), tag logger.TYPE_ERROR)
+ ans = showContinueDialog(d, msg)
+ if ans == "abort":
+ showFinishDialog(False)
+ elif ans == "continue":
+ logger.msgLog("Skipping module " + tag, "digger", logger.TYPE_INFO)
+ break
 sp.call('clear', shell=True)
 for 
module in runlist:
@@ -116,6 +136,4 @@ if __name__ == "__main__":
 #logger.msgLog(traceback.format_exc(), module.name, logger.TYPE_ERROR)
- showFinishDialog(True)
-
-
+ showFinishDialog(True)
\ No newline at end of file
diff --git a/logger/filelogger.py b/logger/filelogger.py
index ac10dfb..1900af7 100644
--- a/logger/filelogger.py
+++ b/logger/filelogger.py
@@ -5,7 +5,7 @@ class FileLogger(LogSystem):
 def __init__(self,filename):
 self.file = filename
- f = open(filename,"w+")
+ f = open(filename,"a+")
 f.close()
 def writeLog(self,message,module,type = None):
diff --git a/modules/edb.py b/modules/edb.py
new file mode 100644
index 0000000..b3de6b8
--- /dev/null
+++ b/modules/edb.py
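Review bot: In the "all" branch, `logger.msgLog("Skipping module " + module, "digger", logger.TYPE_INFO)` concatenates a str with `module`, which is a (tag, description, flag) tuple from moduleList (the same loop calls `prepareModule(module[0])`), so choosing "Continue without module" raises TypeError instead of skipping; it should be `"Skipping module " + module[0]`, as the tags branch already does with `tag`. The two while-loops are otherwise line-for-line identical; iterating `names = [m[0] for m in moduleList] if "all" in tags else tags` once would remove the duplicated block and this kind of drift. Note that the retry loop only leaves on "abort" because showFinishDialog ends in exit(0) (earlier hunk); if that function ever returns, the loop spins. The enclosing `if __name__ == "__main__":` block starts and ends outside this hunk.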
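Review bot: Opening the log only to close it again reads oddly now that the mode is "a+"; `with open(filename, "a"): pass` (or `Path(filename).touch()`) states the intent and cannot leak the handle. Because the file now accumulates across runs instead of being truncated, each writeLog entry should carry a timestamp so runs can be told apart; writeLog's body lies outside the hunk, so I cannot tell whether it already does. The file is also created with the process umask; if log.txt is meant to stay alongside the acquired evidence, consider creating it with an explicit restrictive mode.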
@@ -0,0 +1,50 @@
+import os
+
+import logger
+import tomb
+import winver
+from modules.module import Module
+from mount import mount,umount
+from runcmd import runProcess
+
+
+def getInstance():
+ return RegistryModule()
+
+class RegistryModule(Module):
+
+ def __init__(self):
+ self.name = "edb"
+ self.description = "Extracts Windows EDB file"
+ self.requiredVars = ["winvol"]
+ self.vars = {}
+
+ def run(self):
+ path = tomb.getPath() + self.name + "/"
+ if(not os.path.exists(path)):
+ os.mkdir(path)
+ logger.msgLog("Extracting Windows EDB from volumes: " + repr(self.vars['winvol'].value), "edb", logger.TYPE_INFO)
+ for vol in self.vars['winvol'].value:
+ mntpoint = "/mnt/"
+ try:
+ mntid = mount("/dev/" + vol)
+ except:
+ raise
+ mntpoint += mntid
+ files = []
+ if winver.getWindowsDirectory(mntpoint) == None:
+ raise Exception("No Windows installation present")
+ version = winver.getWindowsVersion(mntpoint)
+
+ if version < winver._WIN_XP:
+ raise Exception("No Windows Search EDB file in versions prior to Windows 2000")
+ elif version < winver._WIN_VISTA:
+ files += [mntpoint + "/Documents and Settings/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
+ else:
+ files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
+
+ runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+ try:
+ umount(mntid)
+ except:
+ raise
diff --git a/modules/evt.py b/modules/evt.py
index 809b71e..807d088 100644
--- a/modules/evt.py
+++ b/modules/evt.py
@@ -23,7 +23,7 @@ class RegistryModule(Module):
 path = tomb.getPath() + self.name + "/"
 if(not os.path.exists(path)):
 os.mkdir(path)
- logger.msgLog("Extracting Windows Event Logs from volumes: " + repr(self.vars['winvol'].value), "winreg", logger.TYPE_INFO)
+ logger.msgLog("Extracting Windows Event Logs from volumes: " + repr(self.vars['winvol'].value), "evt", logger.TYPE_INFO)
 for vol in self.vars['winvol'].value:
 mntpoint = "/mnt/"
 try: 
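Review bot: In run(), every error raised between mount() and umount() — "No Windows installation present", the pre-XP version check, or a failing tar — leaves the evidence volume mounted under /mnt/<mntid>, because umount(mntid) is only reached on the success path; the per-volume work needs a try/finally. The archive is written as `path + "evt_" + vol + ".tar.gz"` (carried over from evt.py) and should use this module's name, and the message "prior to Windows 2000" disagrees with the `version < winver._WIN_XP` test, so one of them is wrong. The class is still named RegistryModule (evt.py's hunk header shows the same name, so this may be the project's habit, but a distinct name per module avoids confusion), and the `try: ... except: raise` wrappers around mount and umount add nothing. The two Windows.edb paths assume an English, non-relocated install and tar's exit status is discarded; I also cannot tell from here whether mount() mounts read-only, which a forensic extractor should.
```python
        # … unchanged: output directory creation and log line …
        for vol in self.vars['winvol'].value:
            mntid = mount("/dev/" + vol)
            mntpoint = "/mnt/" + mntid
            try:
                if winver.getWindowsDirectory(mntpoint) == None:
                    raise Exception("No Windows installation present")
                version = winver.getWindowsVersion(mntpoint)
                if version < winver._WIN_XP:
                    raise Exception("No Windows Search EDB file in versions prior to Windows XP")
                elif version < winver._WIN_VISTA:
                    files = [mntpoint + "/Documents and Settings/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
                else:
                    files = [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
                runProcess(["tar", "-czvf", path + self.name + "_" + vol + ".tar.gz"] + files)
            finally:
                # release the evidence volume on every path, not only on success
                umount(mntid)
```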
diff --git a/vars/ntfsvol.py b/vars/ntfsvol.py
index 306e84f..aa3fca8 100644
--- a/vars/ntfsvol.py
+++ b/vars/ntfsvol.py
@@ -1,5 +1,5 @@
 from dialog import Dialog
-
+import logger
 from runcmd import runProcess
 from vars.modulevar import Modulevar
@@ -21,7 +21,7 @@ class NTFSVol(Modulevar):
 volumes = []
 for res in resultlst:
 output,code = runProcess(["ntfslabel","/dev/" + res])
- volumes.append((res,output.decode("utf-8")))
+ volumes.append((res,output.decode("utf-8").rstrip()))
 return volumes
 def query(self):
@@ -30,6 +30,7 @@ class NTFSVol(Modulevar):
 volumes = self.getNTFSVolumes()
 if(len(volumes) == 0):
 raise Exception("[" + self.name + "] No NTFS Volumes found")
+ logger.msgLog("Detected NTFS volumes in " + repr(volumes), "ntfsvol", logger.TYPE_INFO)
 volumeList = []
 for vol in volumes:
 volumeList.append((vol[0],vol[1], False))
diff --git a/vars/winvol.py b/vars/winvol.py
index fae170d..3a85a95 100644
--- a/vars/winvol.py
+++ b/vars/winvol.py
@@ -24,7 +24,7 @@ class WinVol(Modulevar):
 volumes = []
 for res in resultlst:
 output,code = runProcess(["ntfslabel","/dev/" + res])
- volumes.append((res,output.decode("utf-8")))
+ volumes.append((res,output.decode("utf-8").rstrip()))
 return volumes
 def getFATVolumes(self):
@@ -33,7 +33,7 @@ class WinVol(Modulevar):
 volumes = []
 for res in resultlst:
 output,code = runProcess(["dosfslabel","/dev/" + res])
- volumes.append((res,output.decode("utf-8")))
+ volumes.append((res,output.decode("utf-8").rstrip()))
 return volumes
 def getWindowsVolumes(self): 
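Review bot: `output.decode("utf-8").rstrip()` can still raise UnicodeDecodeError, since ntfslabel prints the label in the locale encoding and NTFS labels are arbitrary UTF-16 from an untrusted disk; one odd label then aborts the whole volume query. Use `output.decode("utf-8", errors="replace").rstrip()`. `code` is unpacked but never checked, so a failing ntfslabel yields an empty or error-text label instead of being skipped or reported; the enclosing method begins outside this hunk.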
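Review bot: The same decode hardening applies to both label helpers here: `output.decode("utf-8", errors="replace").rstrip()` for the ntfslabel line in this hunk and the dosfslabel line in the next one, because a non-UTF-8 label from an untrusted volume currently raises UnicodeDecodeError out of getWindowsVolumes. In both helpers `code` is ignored, so a tool failure silently produces a bogus label; skip or log the volume when `code != 0`. Both methods begin outside their hunks.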
@@ -52,9 +52,9 @@ class WinVol(Modulevar):
 d = Dialog(dialog="dialog", autowidgetsize=True)
 d.set_background_title("[" + self.parentModule + "] Setting variable: winvol")
 volumes = self.getWindowsVolumes()
- logger.msgLog("Detected Windows volumes in " + repr(volumes),"winvol",logger.TYPE_INFO)
 if(len(volumes) == 0):
 raise Exception("[" + self.name + "] No Windows Volumes found")
+ logger.msgLog("Detected Windows volumes in " + repr(volumes), "winvol", logger.TYPE_INFO)
 volumeList = []
 for vol in volumes:
 volumeList.append((vol[0],vol[1], False))
-- 
libgit2 0.22.2