From f9a5f9bafa3942ff07fe20a89032b66f9257fabf Mon Sep 17 00:00:00 2001
From: Expressitoo
Date: Fri, 14 Apr 2023 22:23:27 +0200
Subject: [PATCH] Add support for yaml file with regex search
---
 pyproject.toml | 2 +-
 theforensicator/artefacts/browser.yaml | 0
 theforensicator/artefacts/browser_chrome.yaml | 4 ++++
 theforensicator/artefacts/browser_edge.yaml | 3 +++
 .../artefacts/browser_firefox.yaml | 8 +++++++
 theforensicator/artefacts/browser_ie.yaml | 8 +++++++
 theforensicator/artefacts/events_logs.yaml | 5 ++++
 theforensicator/artefacts/prefetch.yaml | 4 ++++
 theforensicator/artefacts/registry.yaml | 9 --------
 .../artefacts/registry_system.yaml | 9 ++++++++
 theforensicator/artefacts/registry_user.yaml | 4 ++++
 theforensicator/cli.py | 3 ++-
 theforensicator/fs/gpt.py | 4 +++-
 theforensicator/fs/ntfs.py | 23 ++++++++++++++-----
 14 files changed, 68 insertions(+), 18 deletions(-)
 delete mode 100644 theforensicator/artefacts/browser.yaml
 create mode 100644 theforensicator/artefacts/browser_chrome.yaml
 create mode 100644 theforensicator/artefacts/browser_edge.yaml
 create mode 100644 theforensicator/artefacts/browser_firefox.yaml
 create mode 100644 theforensicator/artefacts/browser_ie.yaml
 create mode 100644 theforensicator/artefacts/events_logs.yaml
 create mode 100644 theforensicator/artefacts/prefetch.yaml
 delete mode 100644 theforensicator/artefacts/registry.yaml
 create mode 100644 theforensicator/artefacts/registry_system.yaml
 create mode 100644 theforensicator/artefacts/registry_user.yaml
diff --git a/pyproject.toml b/pyproject.toml
index 0866ea7..fbe555d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,7 +1,7 @@
 [tool]
 [tool.poetry]
 name = "theforensicator"
-version = "0.1.1"
+version = "0.1.2"
 homepage = "https://github.com/ValekoZ/theforensicator"
 description = "School project for forensic investigations."
 authors = [
diff --git a/theforensicator/artefacts/browser.yaml b/theforensicator/artefacts/browser.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/theforensicator/artefacts/browser_chrome.yaml b/theforensicator/artefacts/browser_chrome.yaml
new file mode 100644
index 0000000..11e2682
--- /dev/null
+++ b/theforensicator/artefacts/browser_chrome.yaml
@@ -0,0 +1,4 @@
+dirname: BROWSER/CHROME
+files:
+- C:\\Users\\.+\\AppData\\Local\\Google\\Chrome\\User Data\\.*\\Bookmarks*
+- C:\\Users\\.+\\AppData\\Local\\Google\\Chrome\\User Data\\.*\\(Bookmarks|Cookies|Current Session|Current Tabs|DownloadMetadata|Extension Cookies|Favicons|History|Last Session|Last Tabs|Login Data|Media History|Network Action Predictor|Network Persistent State|Preferences|QuotaManager|Reporting and NEL|Shortcuts|Top Sites|Trust Tokens|Visited Links|Web Data)*
diff --git a/theforensicator/artefacts/browser_edge.yaml b/theforensicator/artefacts/browser_edge.yaml
new file mode 100644
index 0000000..baea078
--- /dev/null
+++ b/theforensicator/artefacts/browser_edge.yaml
@@ -0,0 +1,3 @@
+dirname: BROWSER/EDGE
+files:
+- C:\\Users\\.+\\AppData\\Local\\Packages\\Microsoft\.MicrosoftEdge_8wekyb3d8bbwe\\.+
\ No newline at end of file
diff --git a/theforensicator/artefacts/browser_firefox.yaml b/theforensicator/artefacts/browser_firefox.yaml
new file mode 100644
index 0000000..e8edfd3
--- /dev/null
+++ b/theforensicator/artefacts/browser_firefox.yaml
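Review bot: The trailing `*` in `Bookmarks*` on the first Chrome pattern is a regex quantifier on the preceding character, not a glob, so with the start-anchored `re.match` used by `dump_file` the entry accepts any path beginning with `…\Bookmark`, and the `)*` on the second pattern makes the whole alternation optional so that it matches any file at all under `User Data\…\`. The same glob-as-regex shape recurs in browser_firefox.yaml (`\.sqlite*`, `\.json*`, `key*.+\.db`), registry_system.yaml (`SAM*`, `SYSTEM*`, …) and registry_user.yaml (`UsrClass\.dat*`, `NTUSER.DAT*`, where the unescaped `.` also matches any character, as does the one in `Windows.old` in events_logs.yaml and prefetch.yaml). If the intent is "the file plus its .LOG/.bak siblings", `Bookmarks(\..*)?$` or at least `Bookmarks.*$` states that explicitly, and the same rewrite applies to the other entries. A one-line header in each YAML, `# entries are Python regexes matched case-insensitively against the full NTFS path; re.match anchors the start only, so end with $ where needed`, would keep future additions consistent.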
@@ -0,0 +1,8 @@
+dirname: BROWSER/FIREFOX
+files:
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\addons\.sqlite*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\weave\\bookmarks\.sqlite*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\(cookies|firefox_cookies|downloads|favicons|formhistory|permissions|places|protections|search|signons|webappstore|storage-sync)\.sqlite*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\(extensions|logins)\.json*
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\key*.+\.db
+- C:\\Users\\.+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.+\\prefs\.js$
\ No newline at end of file
diff --git a/theforensicator/artefacts/browser_ie.yaml b/theforensicator/artefacts/browser_ie.yaml
new file mode 100644
index 0000000..2fa7faf
--- /dev/null
+++ b/theforensicator/artefacts/browser_ie.yaml
@@ -0,0 +1,8 @@
+dirname: BROWSER/IE
+files:
+- C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\index\.dat$
+- C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+\\index\.dat$
+- C:\\Documents and Settings\\.+\\Cookies\\index\.dat$
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\History\\.+
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\Cookies\\.+
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\IEDownloadHistory\\.+
\ No newline at end of file
diff --git a/theforensicator/artefacts/events_logs.yaml b/theforensicator/artefacts/events_logs.yaml
new file mode 100644
index 0000000..5344d42
--- /dev/null
+++ b/theforensicator/artefacts/events_logs.yaml
@@ -0,0 +1,5 @@
+dirname: EVENTS
+files:
+- C:\\Windows\\System32\\config\\.+\.evt$
+- C:\\Windows\\System32\\winevt\\Logs\\.+\.evtx$
+- C:\\Windows.old\\System32\\winevt\\Logs\\.+\.evtx$
\ No newline at end of file
diff --git a/theforensicator/artefacts/prefetch.yaml b/theforensicator/artefacts/prefetch.yaml
new file mode 100644
index 0000000..ad8cf2a
--- /dev/null
+++ b/theforensicator/artefacts/prefetch.yaml
@@ -0,0 +1,4 @@
+dirname: PREFETCH
+files:
+- C:\\Windows\\Prefetch\\.+\.pf$
+- C:\\Windows.old\\Prefetch\\.+\.pf$
\ No newline at end of file
diff --git a/theforensicator/artefacts/registry.yaml b/theforensicator/artefacts/registry.yaml
deleted file mode 100644
index f24fc65..0000000
--- a/theforensicator/artefacts/registry.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-dirname: REGISTRY
-files:
-- C:\Windows\System32\config\SYSTEM
-- C:\Windows\System32\config\SYSTEM.LOG
-- C:\Windows\System32\config\SAM
-- C:\Windows\System32\config\SAM.LOG
-- C:\Windows\System32\config\SOFTWARE
-- C:\Windows\System32\config\SOFTWARE.LOG
-- C:\Windows\System32\config\systemprofile\NTUSER.DAT
\ No newline at end of file
diff --git a/theforensicator/artefacts/registry_system.yaml b/theforensicator/artefacts/registry_system.yaml
new file mode 100644
index 0000000..fb0aa64
--- /dev/null
+++ b/theforensicator/artefacts/registry_system.yaml
@@ -0,0 +1,9 @@
+dirname: REGISTRY_SYSTEM
+files:
+- C:\\Windows\\System32\\config\\SAM*
+- C:\\Windows\\System32\\config\\SYSTEM*
+- C:\\Windows\\System32\\config\\SOFTWARE*
+- C:\\Windows\\System32\\config\\SECURITY*
+- C:\\Windows\\System32\\config\\DEFAULT*
+- C:\\Windows\\System32\\config\\systemprofile\\NTUSER\.DAT*
+- C:\\Windows\\ServiceProfiles\\LocalService\\NTUSER\.DAT*
\ No newline at end of file
diff --git a/theforensicator/artefacts/registry_user.yaml b/theforensicator/artefacts/registry_user.yaml
new file mode 100644
index 0000000..81a37ff
--- /dev/null
+++ b/theforensicator/artefacts/registry_user.yaml
@@ -0,0 +1,4 @@
+dirname: REGISTRY_USER
+files:
+- C:\\Users\\.+\\AppData\\Local\\Microsoft\\Windows\\UsrClass\.dat*
+- C:\\Users\\.+\\NTUSER.DAT*
\ No newline at end of file
diff --git a/theforensicator/cli.py b/theforensicator/cli.py
index c1f2c92..730ef2c 100644
--- a/theforensicator/cli.py
+++ b/theforensicator/cli.py
@@ -51,7 +51,8 @@ def cmd(ewf_file: str, dump_dir: str = None, resolve_mft_file: str = None, dmp_f
 if not exists(out_dir): Path(out_dir).mkdir(parents=True, exist_ok=True)
- ewf.dump_file(data["files"], normpath(f"{dump_dir}/{data['dirname']}"))
+ ewf.dump_file(data["files"], normpath(out_dir))
+ _artefact.close()
 def main(): fire.Fire(cmd)
diff --git a/theforensicator/fs/gpt.py b/theforensicator/fs/gpt.py
index c48139d..ecc2676 100644
--- a/theforensicator/fs/gpt.py
+++ b/theforensicator/fs/gpt.py
@@ -116,4 +116,6 @@ def _print_gpt_info(self):
 PARTITION_TYPE_GUID[partition["partition_type_guid"]], partition["first_lba"], (partition["last_lba"] - partition["first_lba"] + 1)
- ))
\ No newline at end of file
+ ))
+
+ print("=" * 89)
\ No newline at end of file
diff --git a/theforensicator/fs/ntfs.py b/theforensicator/fs/ntfs.py
index dc66f9d..034f616 100644
--- a/theforensicator/fs/ntfs.py
+++ b/theforensicator/fs/ntfs.py
@@ -2,6 +2,7 @@ import datetime import json
+import re
 from struct import unpack, unpack_from
 from os.path import normpath, isfile
 from os import unlink
@@ -130,14 +131,16 @@ def __init__(self, ewf_image: "theforensicator.app.EWFImage", partition) -> None
 * self.ntfs_header["sectors_per_cluster"] )
+ print("[+] NTFS partition at sector %#x" % (self._start))
+
 if self.verbose:
- self._pretty_print()
+ pass
+ #self._pretty_print()
 self.mft = {}
 def _pretty_print(self):
 """Prints additionnal informations about the partition"""
- print("[+] NTFS partition at sector %#x" % (self._start))
 for header_name in self.ntfs_header.keys(): if type(self.ntfs_header[header_name]) is bytes or str:
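Review bot: `_artefact.close()` is only reached when `ewf.dump_file(...)` returns normally, so an exception during the dump leaves the YAML handle open; `_artefact` is opened outside this hunk and `cmd` begins before it. Wrapping the open in `with open(...) as _artefact:` (or a `try`/`finally`) closes it on every path, and if the handle is only needed to load `data`, closing it right after the load and before the dump is the smaller change. Either way the manual `close()` placed after the dump is the fragile variant.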
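Review bot: In `__init__` the verbose branch is now `if self.verbose: pass` followed by the commented-out `#self._pretty_print()`, which leaves dead code in place of the feature instead of removing or fixing it. Either keep the call, `if self.verbose: self._pretty_print()`, now that the banner print has been lifted out of `_pretty_print` into the constructor, or drop the branch and the comment entirely. If `_pretty_print` is disabled because it misbehaves, a `# TODO: re-enable _pretty_print once <reason> is fixed` naming the reason is clearer than a bare `pass`. `__init__` starts before this hunk.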
@@ -435,13 +438,19 @@ def _dump_data(self, lcn_dict: dict) -> bytes:
 buf = b""
+ if lcn_dict["size"] == 0 and len(raw_data) == 0:
+ return b""
+
+ if type(raw_data) is str:
+ return bytes.fromhex(raw_data)
+
 for lcn in raw_data:
 for idx in range(lcn["lcn_length"]): buf += self._read_cluster(lcn["lcn_offset"] + idx)
 return buf[: lcn_dict["init_size"]]
- def write_to_file(self, dump_dir: str, filename: str, data: bytes):
+ def write_to_file(self, dump_dir, filename: str, data: bytes):
 if dump_dir and type(dump_dir) is str: out_filename = normpath(dump_dir + "/dump_" + filename.replace('\\', '_').replace(':', ''))
 else:
@@ -462,7 +471,11 @@ def dump_file(self, filenames: list, dump_dir: str) -> bytes: Returns: The file content """
+
+ files_list_match = '(?:%s)' % '|'.join(filenames)
+
 for key in self.resolved_mft:
+
 obj_type = self.resolved_mft[key]["type"]
 if obj_type not in ["FILE", "ORPHAN_FILE"]:
@@ -471,16 +484,14 @@ def dump_file(self, filenames: list, dump_dir: str) -> bytes:
 info = self.resolved_mft[key]["info"]
 for file in info:
- if file["file_name"] in filenames:
+ if re.match(files_list_match, file["file_name"], flags=re.IGNORECASE):
 data = self.resolved_mft[key]["data"]
- print(file["file_name"], data)
 if data:
 self.write_to_file(
 dump_dir, file["file_name"], self._dump_data(data)
 )
- print("yoyo")
 def _analyze_registry(self):
 print("[?] Analyzing registries")
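Review bot: `if type(raw_data) is str:` in `_dump_data`, like the retained `type(dump_dir) is str` in `write_to_file`, should be `isinstance(raw_data, str)` / `isinstance(dump_dir, str)`, the idiomatic form that also accepts subclasses. The new resident path returns `bytes.fromhex(raw_data)` without the `[: lcn_dict["init_size"]]` truncation the cluster path applies, and `bytes.fromhex` raises `ValueError` on anything that is not hex, which nothing here catches; if the omission is deliberate a comment such as `# resident data arrives hex-encoded from the resolved MFT; no init_size slice needed` would record that. Dropping the `str` annotation on `dump_dir` while the body still branches on its type is inconsistent — `dump_dir: str | None` would document the accepted values. `out_filename` is built from a name read out of the image and only `\` and `:` are neutralised, so a `/` in the name (which NTFS forbids but a crafted MFT can still contain) survives as a path separator into `normpath`; checking that the normalised result still lies under `dump_dir` is a cheap guard, and the body of `write_to_file` continues past the hunk.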
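Review bot: `files_list_match` is built as a plain string in the second hunk and then passed to `re.match(...)` inside the per-file loop of the third hunk, so the alternation is re-resolved on every file name; compile it once, `files_list_match = re.compile('(?:%s)' % '|'.join(filenames), re.IGNORECASE)`, and use `files_list_match.match(file["file_name"])` in the loop. An empty `filenames` list yields the pattern `(?:)`, which matches every name and would dump the whole filesystem, so an early `if not filenames: return` is worth adding, and a malformed YAML entry then raises `re.error` at the compile site rather than mid-loop. `re.match` anchors only the start, so any YAML entry without a trailing `$` matches on prefix; that is fine if intended, but the `dump_file` docstring should say so, and its `Returns: The file content` no longer matches the visible body, which writes files and returns nothing as far as these hunks show.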