Commit dcc62414073c77b75d05fb804876323afb55f4c0

Authored by Imanol-Mikel Barba Sabariego
1 parent ab37d6aa

Removed dependencies for sleuthkit and pev

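--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ REQUIRED PACKAGES
 
 * python3
 * python3-dialog
-* sleuthkit
-* pev
+* pytsk3
+* python-pefile
 * ntfs-3g
 * lshw
\ No newline at end of file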
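--- a/modules/mft.py
+++ b/modules/mft.py
@@ -4,6 +4,7 @@ import logger
 import tomb
 from modules.module import Module
 from runcmd import runProcess
+import pytsk3
 
 
 def getInstance():
@@ -17,14 +18,33 @@ class MFTModule(Module):
 self.requiredVars = ["ntfsvol"]
 self.vars = {}
 
+def dumpMFT(self,ntfsvol,file):
+img = pytsk3.Img_Info(url=ntfsvol)
+fs = pytsk3.FS_Info(img)
+file_entry = fs.open_meta(inode=0)
+offset = 0
+size = file_entry.info.meta.size
+BUFF_SIZE = 1024*1024
+mft = open(file,'wb')
+
+while offset < size:
+available_to_read = min(BUFF_SIZE, size - offset)
+data = file_entry.read_random(offset, available_to_read)
+if not data:
+break
+
+offset += len(data)
+mft.write(data)
+
+mft.close()
+img.close()
+
+
 def execute(self):
 path = tomb.getPath() + self.name + "/"
 if(not os.path.exists(path)):
 os.mkdir(path)
 logger.msgLog("Extracting MFT from volumes: " + repr(self.vars['ntfsvol'].value), "mft", logger.TYPE_INFO)
 for vol in self.vars['ntfsvol'].value:
-result,code = runProcess(["icat","/dev/" + vol,"0"])
-mftbin = open(path + vol + ".bin",'wb')
-mftbin.write(result)
-mftbin.close()
+self.dumpMFT("/dev/" + vol,path + vol + ".bin")
 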
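--- a/winver.py
+++ b/winver.py
@@ -1,6 +1,7 @@
 import os
 from runcmd import runProcess
 import re
+import pefile
 
 _WIN_9x = 0
 _WIN_ME = 1
@@ -22,26 +23,32 @@ _WIN_10 = 10
 
 def getWindowsVersion(path):
 if(os.path.isfile(getWindowsDirectory(path) + "/System32/ntdll.dll")):
-output,code = runProcess(["pev","-p",getWindowsDirectory(path) + "/System32/ntdll.dll"])
-version = output.decode("utf-8")
-if re.match("(3|4)\.",version) != None:
-return _WIN_NT
-elif re.match("5\.0",version) != None:
-return _WIN_2k
-elif re.match("5\.1", version) != None:
-return _WIN_XP
-elif re.match("5\.2", version) != None:
-return _WIN_2k3
-elif re.match("6\.0", version) != None:
-return _WIN_VISTA
-elif re.match("6\.1", version) != None:
-return _WIN_7
-elif re.match("6\.2", version) != None:
-return _WIN_8
-elif re.match("6\.3", version) != None:
-return _WIN_81
-elif re.match("10\.", version) != None:
-return _WIN_10
+version = ""
+pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll")
+for entry in pe.FileInfo:
+if hasattr(entry, 'StringTable'):
+for st in entry.StringTable:
+for k, v in st.entries.items():
+if k == "ProductVersion":
+version = v
+if re.match("(3|4)\.",version) != None:
+return _WIN_NT
+elif re.match("5\.0", version) != None:
+return _WIN_2k
+elif re.match("5\.1", version) != None:
+return _WIN_XP
+elif re.match("5\.2", version) != None:
+return _WIN_2k3
+elif re.match("6\.0", version) != None:
+return _WIN_VISTA
+elif re.match("6\.1", version) != None:
+return _WIN_7
+elif re.match("6\.2", version) != None:
+return _WIN_8
+elif re.match("6\.3", version) != None:
+return _WIN_81
+elif re.match("10\.", version) != None:
+return _WIN_10
 else:
 if(os.path.isfile(getWindowsDirectory(path) + "/CLASSES.DAT")):
 return _WIN_ME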
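Review bot: `pefile.PE(...)` on new line 27 raises `pefile.PEFormatError` on a corrupt or deliberately malformed ntdll.dll, and `pe.FileInfo` is absent when the file carries no version resource, so either condition now aborts getWindowsVersion with an uncaught exception instead of falling through to a no-match result the way the pev-based code did. Depending on the pefile release, `st.entries` keys and values are bytes rather than str; in that case `k == "ProductVersion"` never matches and, if it did, `re.match("5\.0", version)` on a bytes value raises TypeError, so this is worth confirming against the pinned version and normalising. The PE object is also never closed, and the re-added `"(3|4)\."`-style patterns are non-raw strings whose `\.` escape is deprecated; `r"..."` avoids the warning. The function continues past the end of the hunk.
```python
version = ""
try:
    pe = pefile.PE(getWindowsDirectory(path) + "/System32/ntdll.dll")
except pefile.PEFormatError:
    # an unparseable ntdll.dll on the examined volume must not abort the run
    return None
try:
    # FileInfo is missing when the image carries no version resource
    for entry in getattr(pe, 'FileInfo', []):
        if hasattr(entry, 'StringTable'):
            for st in entry.StringTable:
                for k, v in st.entries.items():
                    # keys/values may be bytes depending on the pefile release -- confirm for the pinned version
                    if isinstance(k, bytes):
                        k = k.decode("utf-8", "replace")
                    if k == "ProductVersion":
                        version = v.decode("utf-8", "replace") if isinstance(v, bytes) else v
finally:
    pe.close()
# ... unchanged: re.match chain mapping version to the _WIN_* constants ...
```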