Add support for yaml file with regex search

ValekoZ · Apr 14, 2023 · f9a5f9b · f9a5f9b
1 parent b665abc
commit f9a5f9b
Show file tree

Hide file tree

Showing 14 changed files with 68 additions and 18 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,7 +1,7 @@
 [tool]
 [tool.poetry]
 name = "theforensicator"
-version = "0.1.1"
+version = "0.1.2"
 homepage = "https://github.com/ValekoZ/theforensicator"
 description = "School project for forensic investigations."
 authors = [

diff --git a/theforensicator/artefacts/browser.yaml b/theforensicator/artefacts/browser.yaml
diff --git a/theforensicator/artefacts/browser_chrome.yaml b/theforensicator/artefacts/browser_chrome.yaml
@@ -0,0 +1,4 @@
+dirname: BROWSER/CHROME
+files:
+- C:\\Users\\.+\\AppData\\Local\\Google\\Chrome\\User Data\\.*\\Bookmarks*
+- C:\\Users\\.+\\AppData\\Local\\Google\\Chrome\\User Data\\.*\\(Bookmarks|Cookies|Current Session|Current Tabs|DownloadMetadata|Extension Cookies|Favicons|History|Last Session|Last Tabs|Login Data|Media History|Network Action Predictor|Network Persistent State|Preferences|QuotaManager|Reporting and NEL|Shortcuts|Top Sites|Trust Tokens|Visited Links|Web Data)*
diff --git a/theforensicator/artefacts/browser_edge.yaml b/theforensicator/artefacts/browser_edge.yaml
@@ -0,0 +1,3 @@
+dirname: BROWSER/EDGE
+files:
+- C:\\Users\\.+\\AppData\\Local\\Packages\\Microsoft\.MicrosoftEdge_8wekyb3d8bbwe\\.+
diff --git a/theforensicator/artefacts/browser_firefox.yaml b/theforensicator/artefacts/browser_firefox.yaml
@@ -0,0 +1,8 @@
+dirname: BROWSER/FIREFOX
+files:
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\addons\.sqlite*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\weave\\bookmarks\.sqlite*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\(cookies|firefox_cookies|downloads|favicons|formhistory|permissions|places|protections|search|signons|webappstore|storage-sync)\.sqlite*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\(extensions|logins)\.json*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\key*.+\.db
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\prefs\.js$
diff --git a/theforensicator/artefacts/browser_ie.yaml b/theforensicator/artefacts/browser_ie.yaml
@@ -0,0 +1,8 @@
+dirname: BROWSER/IE
+files:
+- C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\index\.dat$
+- C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+\\index\.dat$
+- C:\\Documents and Settings\\.+\\Cookies\\index\.dat$
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\History\\.+
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\Cookies\\.+
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\IEDownloadHistory\\.+
diff --git a/theforensicator/artefacts/events_logs.yaml b/theforensicator/artefacts/events_logs.yaml
@@ -0,0 +1,5 @@
+dirname: EVENTS
+files:
+- C:\\Windows\\System32\\config\\.+\.evt$
+- C:\\Windows\\System32\\winevt\\Logs\\.+\.evtx$
+- C:\\Windows.old\\System32\\winevt\\Logs\\.+\.evtx$
diff --git a/theforensicator/artefacts/prefetch.yaml b/theforensicator/artefacts/prefetch.yaml
@@ -0,0 +1,4 @@
+dirname: PREFETCH
+files:
+- C:\\Windows\\Prefetch\\.+\.pf$
+- C:\\Windows.old\\Prefetch\\.+\.pf$
diff --git a/theforensicator/artefacts/registry.yaml b/theforensicator/artefacts/registry.yaml
diff --git a/theforensicator/artefacts/registry_system.yaml b/theforensicator/artefacts/registry_system.yaml
@@ -0,0 +1,9 @@
+dirname: REGISTRY_SYSTEM
+files:
+- C:\\Windows\\System32\\config\\SAM*
+- C:\\Windows\\System32\\config\\SYSTEM*
+- C:\\Windows\\System32\\config\\SOFTWARE*
+- C:\\Windows\\System32\\config\\SECURITY*
+- C:\\Windows\\System32\\config\\DEFAULT*
+- C:\\Windows\\System32\\config\\systemprofile\\NTUSER\.DAT*
+- C:\\Windows\\ServiceProfiles\\LocalService\\NTUSER\.DAT*
diff --git a/theforensicator/artefacts/registry_user.yaml b/theforensicator/artefacts/registry_user.yaml
@@ -0,0 +1,4 @@
+dirname: REGISTRY_USER
+files:
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\UsrClass\.dat*
+- C:\\Users\\.+\\NTUSER.DAT*
diff --git a/theforensicator/cli.py b/theforensicator/cli.py
@@ -51,7 +51,8 @@ def cmd(ewf_file: str, dump_dir: str = None, resolve_mft_file: str = None, dmp_f
                     if not exists(out_dir):
                         Path(out_dir).mkdir(parents=True, exist_ok=True)
 
-                    ewf.dump_file(data["files"], normpath(f"{dump_dir}/{data['dirname']}"))
+                    ewf.dump_file(data["files"], normpath(out_dir))
+                    _artefact.close()
 
 def main():
     fire.Fire(cmd)

diff --git a/theforensicator/fs/gpt.py b/theforensicator/fs/gpt.py
@@ -116,4 +116,6 @@ def _print_gpt_info(self):
                 PARTITION_TYPE_GUID[partition["partition_type_guid"]],
                 partition["first_lba"],
                 (partition["last_lba"] - partition["first_lba"] + 1)
-            ))
+            ))
+
+        print("=" * 89)
diff --git a/theforensicator/fs/ntfs.py b/theforensicator/fs/ntfs.py
@@ -2,6 +2,7 @@
 
 import datetime
 import json
+import re
 from struct import unpack, unpack_from
 from os.path import normpath, isfile
 from os import unlink
@@ -130,14 +131,16 @@ def __init__(self, ewf_image: "theforensicator.app.EWFImage", partition) -> None
             * self.ntfs_header["sectors_per_cluster"]
         )
 
+        print("[+] NTFS partition at sector %#x" % (self._start))
+
         if self.verbose:
-            self._pretty_print()
+            pass
+            #self._pretty_print()
 
         self.mft = {}
 
     def _pretty_print(self):
         """Prints additionnal informations about the partition"""
-        print("[+] NTFS partition at sector %#x" % (self._start))
 
         for header_name in self.ntfs_header.keys():
             if type(self.ntfs_header[header_name]) is bytes or str:
@@ -435,13 +438,19 @@ def _dump_data(self, lcn_dict: dict) -> bytes:
 
         buf = b""
 
+        if lcn_dict["size"] == 0 and len(raw_data) == 0:
+            return b""
+
+        if type(raw_data) is str:
+            return bytes.fromhex(raw_data)
+
         for lcn in raw_data:
             for idx in range(lcn["lcn_length"]):
                 buf += self._read_cluster(lcn["lcn_offset"] + idx)
 
         return buf[: lcn_dict["init_size"]]
 
-    def write_to_file(self, dump_dir: str, filename: str, data: bytes):
+    def write_to_file(self, dump_dir, filename: str, data: bytes):
         if dump_dir and type(dump_dir) is str:
             out_filename = normpath(dump_dir + "/dump_" + filename.replace('\\', '_').replace(':', ''))
         else:
@@ -462,7 +471,11 @@ def dump_file(self, filenames: list, dump_dir: str) -> bytes:
         Returns:
             The file content
         """
+
+        files_list_match = '(?:%s)' % '|'.join(filenames)
+
         for key in self.resolved_mft:
+
             obj_type = self.resolved_mft[key]["type"]
 
             if obj_type not in ["FILE", "ORPHAN_FILE"]:
@@ -471,16 +484,14 @@ def dump_file(self, filenames: list, dump_dir: str) -> bytes:
             info = self.resolved_mft[key]["info"]
 
             for file in info:
-                if file["file_name"] in filenames:
+                if re.match(files_list_match, file["file_name"], flags=re.IGNORECASE):
                     data = self.resolved_mft[key]["data"]
-                    print(file["file_name"], data)
                     if data:
                         self.write_to_file(
                             dump_dir,
                             file["file_name"],
                             self._dump_data(data)
                         )
-                    print("yoyo")
 
     def _analyze_registry(self):
         print("[?] Analyzing registries")