Implemented edb module. Improved continue dialog on module var fail. Small fixes

Imanol-Mikel Barba Sabariego
1 parent cf2de849
Showing 6 changed files with 99 additions and 30 deletions
digger.py
logger/filelogger.py
modules/edb.py
modules/evt.py
vars/ntfsvol.py
vars/winvol.py
@@ -60,11 +60,16 @@ def showFinishDialog(allSuccessful):
         elif tag == "Reboot":
             sp.call("reboot", shell=True)
+    logger.msgLog("Finished excavation of tomb: " + tomb.getPath(),"digger",logger.TYPE_INFO)
     exit(0)
 def showContinueDialog(d,msg):
-    ans = d.yesno(msg + "\n\nDo you want to continue execution without the module?")
-    return ans == d.OK
+    code, tag = d.menu(msg + "\n\nDo you want to retry module configuration or continue execution without the module?",
+                       choices=[("retry", "Retry configuration"),
+                                ("continue", "Continue without module")])
+    if code != d.OK:
+        return "abort"
+    return tag
 if __name__ == "__main__":
     locale.setlocale(locale.LC_ALL, '')
@@ -77,6 +82,7 @@ if __name__ == &quot;__main__&quot;:
         tomb._MACHINE_NAME= value
         logger.logSystems.append(ConsoleLogger())
         logger.logSystems.append(FileLogger(tomb.getPath() + "log.txt"))
+        logger.msgLog("Beginning excavation of tomb: " + tomb.getPath(),"digger",logger.TYPE_INFO)
         d.set_background_title("Gravedigger - " + value)
         code, tags = d.checklist("Select modules to execute",
                              choices=moduleList + [("all","Execute all modules",False)],
@@ -84,27 +90,41 @@ if __name__ == &quot;__main__&quot;:
         if code == d.OK:
             runlist = []
             if "all" in tags:
+                logger.msgLog("Selected modules: " + repr(moduleList), "digger", logger.TYPE_INFO)
                 for module in moduleList:
-                    try:
-                        mod = prepareModule(module[0])
-                        runlist.append(mod)
-                    except Exception as e:
-                        msg = "Exception raised while preparing module \"" + module[0] + "\": " + str(e)
-                        logger.msgLog(msg, module[0], logger.TYPE_ERROR)
-                        #logger.msgLog(traceback.format_exc(), module[0],  logger.TYPE_ERROR)
-                        if(not showContinueDialog(d,msg)):
-                            showFinishDialog(False)
+                    while True:
+                        try:
+                            mod = prepareModule(module[0])
+                            runlist.append(mod)
+                            break
+                        except Exception as e:
+                            msg = "Exception raised while preparing module \"" + module[0] + "\": " + str(e)
+                            logger.msgLog(msg, module[0], logger.TYPE_ERROR)
+                            #logger.msgLog(traceback.format_exc(), module[0],  logger.TYPE_ERROR)
+                            ans = showContinueDialog(d,msg)
+                            if ans == "abort":
+                                showFinishDialog(False)
+                            elif ans == "continue":
+                                logger.msgLog("Skipping module " + module, "digger", logger.TYPE_INFO)
+                                break
             else:
+                logger.msgLog("Selected modules: " + repr(tags), "digger", logger.TYPE_INFO)
                 for tag in tags:
-                    try:
-                        mod = prepareModule(tag)
-                        runlist.append(mod)
-                    except Exception as e:
-                        msg = "Exception raised while preparing module \"" + tag + "\": " + str(e)
-                        logger.msgLog(msg,tag,logger.TYPE_ERROR)
-                        #logger.msgLog(traceback.format_exc(), tag logger.TYPE_ERROR)
-                        if(not showContinueDialog(d,msg)):
-                            showFinishDialog(False)
+                    while True:
+                        try:
+                            mod = prepareModule(tag)
+                            runlist.append(mod)
+                            break
+                        except Exception as e:
+                            msg = "Exception raised while preparing module \"" + tag + "\": " + str(e)
+                            logger.msgLog(msg,tag,logger.TYPE_ERROR)
+                            #logger.msgLog(traceback.format_exc(), tag logger.TYPE_ERROR)
+                            ans = showContinueDialog(d, msg)
+                            if ans == "abort":
+                                showFinishDialog(False)
+                            elif ans == "continue":
+                                logger.msgLog("Skipping module " + tag, "digger", logger.TYPE_INFO)
+                                break
             sp.call('clear', shell=True)
             for module in runlist:
@@ -116,6 +136,4 @@ if __name__ == &quot;__main__&quot;:
                     #logger.msgLog(traceback.format_exc(), module.name, logger.TYPE_ERROR)
-            showFinishDialog(True)
-
-
+            showFinishDialog(True)
 \ No newline at end of file
@@ -5,7 +5,7 @@ class FileLogger(LogSystem):
     def __init__(self,filename):
         self.file = filename
-        f = open(filename,"w+")
+        f = open(filename,"a+")
         f.close()
     def writeLog(self,message,module,type = None):
+import os
+
+import logger
+import tomb
+import winver
+from modules.module import Module
+from mount import mount,umount
+from runcmd import runProcess
+
+
+def getInstance():
+    return RegistryModule()
+
+class RegistryModule(Module):
+
+    def __init__(self):
+        self.name = "edb"
+        self.description = "Extracts Windows EDB file"
+        self.requiredVars = ["winvol"]
+        self.vars = {}
+
+    def run(self):
+        path = tomb.getPath() + self.name + "/"
+        if(not os.path.exists(path)):
+            os.mkdir(path)
+        logger.msgLog("Extracting Windows EDB from volumes: " + repr(self.vars['winvol'].value), "edb", logger.TYPE_INFO)
+        for vol in self.vars['winvol'].value:
+            mntpoint = "/mnt/"
+            try:
+                mntid = mount("/dev/" + vol)
+            except:
+                raise
+            mntpoint += mntid
+            files = []
+            if winver.getWindowsDirectory(mntpoint) == None:
+                raise Exception("No Windows installation present")
+            version = winver.getWindowsVersion(mntpoint)
+
+            if version < winver._WIN_XP:
+                raise Exception("No Windows Search EDB file in versions prior to Windows 2000")
+            elif version < winver._WIN_VISTA:
+                files += [mntpoint + "/Documents and Settings/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
+            else:
+                files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
+
+            runProcess(["tar","-czvf",path + "evt_" + vol + ".tar.gz"] + files)
+            try:
+                umount(mntid)
+            except:
+                raise
@@ -23,7 +23,7 @@ class RegistryModule(Module):
         path = tomb.getPath() + self.name + "/"
         if(not os.path.exists(path)):
             os.mkdir(path)
-        logger.msgLog("Extracting Windows Event Logs from volumes: " + repr(self.vars['winvol'].value), "winreg", logger.TYPE_INFO)
+        logger.msgLog("Extracting Windows Event Logs from volumes: " + repr(self.vars['winvol'].value), "evt", logger.TYPE_INFO)
         for vol in self.vars['winvol'].value:
             mntpoint = "/mnt/"
             try:
 from dialog import Dialog
-
+import logger
 from runcmd import runProcess
 from vars.modulevar import Modulevar
@@ -21,7 +21,7 @@ class NTFSVol(Modulevar):
         volumes = []
         for res in resultlst:
             output,code = runProcess(["ntfslabel","/dev/" + res])
-            volumes.append((res,output.decode("utf-8")))
+            volumes.append((res,output.decode("utf-8").rstrip()))
         return volumes
     def query(self):
@@ -30,6 +30,7 @@ class NTFSVol(Modulevar):
         volumes = self.getNTFSVolumes()
         if(len(volumes) == 0):
             raise Exception("[" + self.name + "] No NTFS Volumes found")
+        logger.msgLog("Detected NTFS volumes in " + repr(volumes), "ntfsvol", logger.TYPE_INFO)
         volumeList = []
         for vol in volumes:
             volumeList.append((vol[0],vol[1], False))
@@ -24,7 +24,7 @@ class WinVol(Modulevar):
         volumes = []
         for res in resultlst:
             output,code = runProcess(["ntfslabel","/dev/" + res])
-            volumes.append((res,output.decode("utf-8")))
+            volumes.append((res,output.decode("utf-8").rstrip()))
         return volumes
     def getFATVolumes(self):
@@ -33,7 +33,7 @@ class WinVol(Modulevar):
         volumes = []
         for res in resultlst:
             output,code = runProcess(["dosfslabel","/dev/" + res])
-            volumes.append((res,output.decode("utf-8")))
+            volumes.append((res,output.decode("utf-8").rstrip()))
         return volumes
     def getWindowsVolumes(self):
@@ -52,9 +52,9 @@ class WinVol(Modulevar):
         d = Dialog(dialog="dialog", autowidgetsize=True)
         d.set_background_title("[" + self.parentModule + "] Setting variable: winvol")
         volumes = self.getWindowsVolumes()
-        logger.msgLog("Detected Windows volumes in " + repr(volumes),"winvol",logger.TYPE_INFO)
         if(len(volumes) == 0):
             raise Exception("[" + self.name + "] No Windows Volumes found")
+        logger.msgLog("Detected Windows volumes in " + repr(volumes), "winvol", logger.TYPE_INFO)
         volumeList = []
         for vol in volumes:
             volumeList.append((vol[0],vol[1], False))