From 1a0631ac08baf31be77e121d661a91cbc7800d40 Mon Sep 17 00:00:00 2001 From: JVictorRS <2150695@my.ipleiria.pt> Date: Tue, 19 Jun 2018 20:51:49 +0100 Subject: [PATCH] added different aritfact for differen types of logs --- findLogFilesGUI.py | 139 +++++++++++++++++++++++++++------------------ 1 file changed, 84 insertions(+), 55 deletions(-) diff --git a/findLogFilesGUI.py b/findLogFilesGUI.py index c0bbbf4..72e279d 100644 --- a/findLogFilesGUI.py +++ b/findLogFilesGUI.py @@ -155,7 +155,16 @@ def get_ip_type(self, ip): return "Link-local" if ip_addr.is_reserved(): return "Reserved" - return "Public" + return "Public" + + def create_artifact(self, logDesc, art_name, art_desc, skCase): + try: + self.log(Level.INFO, logDesc) + return skCase.addBlackboardArtifactType( + art_name, art_desc) + except: + self.log(Level.INFO, "Artifacts creation error, type ==> " + art_desc) + return skCase.getArtifactType(art_name) # Where any setup and configuration is done def startUp(self, context): @@ -167,31 +176,20 @@ def startUp(self, context): skCase = Case.getCurrentCase().getSleuthkitCase() # Create new artifact types - try: - self.log(Level.INFO, "Create new Artifact Log File") - self.art_log_file = skCase.addBlackboardArtifactType( - "TSK_LFA_LOG_FILES", "Log files") - except: - self.log(Level.INFO, "Artifacts creation error, Log file ==> ") - self.art_log_file = skCase.getArtifactType("TSK_LFA_LOG_FILES") - - try: - self.log(Level.INFO, "Create new Artifact Reported Program") - self.art_reported_program = skCase.addBlackboardArtifactType( - "TSK_LFA_REPORTED_PROGRAMS", "Reported programs") - except: - self.log(Level.INFO, "Artifacts creation error, Reported program ==> ") - self.art_reported_program = skCase.getArtifactType( - "TSK_LFA_REPORTED_PROGRAMS") - - try: - self.log(Level.INFO, "Create new Artifact Logged IP") - self.art_logged_ip = skCase.addBlackboardArtifactType( - "TSK_LFA_LOG_FILE_IP", "Logged IP addresses") - except: - self.log(Level.INFO, "Artifacts creation error, Log file IP ==> ") - self.art_logged_ip = skCase.getArtifactType("TSK_LFA_LOG_FILE_IP") - + self.art_log_file = self.create_artifact( + "Create new Artifact Log File", "TSK_LFA_LOG_FILES", "Ad hoc log files", skCase) + self.art_reported_program = self.create_artifact( + "Create new Artifact Reported Programs", "TSK_LFA_REPORTED_PROGRAMS", "Reported programs", skCase) + self.art_logged_ip = self.create_artifact( + "Create new Artifact Logged IP", "TSK_LFA_LOG_FILE_IP", "Logged IP addresses", skCase) + self.art_etl_file = self.create_artifact( + "Create new Artifact ETL File", "TSK_LFA_ETL_FILES", "Event Trace Log files", skCase) + self.art_dmp_file = self.create_artifact( + "Create new Artifact Dmp File", "TSK_LFA_DMP_FILES", "Dmp files", skCase) + self.art_evt_file = self.create_artifact( + "Create new Artifact EVT File", "TSK_LFA_EVT_FILES", "EVT/EVTX files", skCase) + self.art_wer_file = self.create_artifact( + "Create new Artifact WER File", "TSK_LFA_WER_FILES", "WER files", skCase) # Create the attribute type Log size, if it already exists, catch error # Log size shows the size of the file in bytes @@ -343,18 +341,28 @@ def process(self, file): # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() - + file_name = file.getName().lower() # Is file of certain extension AND its checkbox is checked? - if ((file.getName().lower().endswith(".etl") and self.local_settings.getCheckETL()) or - ((file.getName().lower().endswith(".wer")) and self.local_settings.getCheckWER()) or - (file.getName().lower().endswith(".dmp") and self.local_settings.getCheckDmp()) or - (file.getName().lower().endswith(".evtx") and self.local_settings.getCheckEVTx()) or - (file.getName().lower().endswith(".log") and self.local_settings.getCheckLog())): + if ((file_name.endswith(".etl") and self.local_settings.getCheckETL()) or + ((file_name.endswith(".wer")) and self.local_settings.getCheckWER()) or + (file_name.endswith(".dmp") and self.local_settings.getCheckDmp()) or + (file_name.endswith(".evtx") and self.local_settings.getCheckEVTx()) or + (file_name.endswith(".log") and self.local_settings.getCheckLog())): - # Get all artifacts of TSK_LFA_LOG_FILE + # Get all file artifacts skCase = Case.getCurrentCase().getSleuthkitCase() - artifact_list = skCase.getBlackboardArtifacts( - self.art_log_file.getTypeID()) + #get one list at a time and append them + werList = skCase.getBlackboardArtifacts(self.art_wer_file.getTypeID()) if skCase.getBlackboardArtifacts(self.art_wer_file.getTypeID()) is not None else [] + dmpList = skCase.getBlackboardArtifacts(self.art_dmp_file.getTypeID()) if skCase.getBlackboardArtifacts(self.art_dmp_file.getTypeID()) is not None else [] + evtList = skCase.getBlackboardArtifacts(self.art_evt_file.getTypeID()) if skCase.getBlackboardArtifacts(self.art_evt_file.getTypeID()) is not None else [] + logList = skCase.getBlackboardArtifacts(self.art_log_file.getTypeID()) if skCase.getBlackboardArtifacts(self.art_log_file.getTypeID()) is not None else [] + etlList = skCase.getBlackboardArtifacts(self.art_etl_file.getTypeID()) if skCase.getBlackboardArtifacts(self.art_etl_file.getTypeID()) is not None else [] + werList.extend(dmpList) + werList.extend(evtList) + werList.extend(logList) + werList.extend(etlList) + artifact_list = werList + file_path = file.getDataSource().getName() + file.getParentPath() + file.getName() for artifact in artifact_list: # Check if file is already an artifact @@ -364,20 +372,32 @@ def process(self, file): return IngestModule.ProcessResult.OK self.filesFound += 1 - - ######################################################################### - # _ _ _ __ _ # - # | | /\ | | (_) / _| | | # - # | | ___ __ _ / \ _ __ | |_ _ | |_ __ _ ___ | |_ # - # | | / _ \ / _` | / /\ \ | '__|| __|| || _|/ _` | / __|| __| # - # | |____| (_) || (_| | / ____ \ | | | |_ | || | | (_| || (__ | |_ # - # |______|\___/ \__, | /_/ \_\|_| \__||_||_| \__,_| \___| \__| # - # __/ | # - # |___/ # - ######################################################################### + + ######################################################## + # _ _ __ _ _ _ # + # | | | / _(_) | | | # + # __ _| | | | |_ _| | ___ | |_ _ _ _ __ ___ ___ # + # / _` | | | | _| | |/ _ \ | __| | | | '_ \ / _ \/ __|# + #| (_| | | | | | | | | __/ | |_| |_| | |_) | __/\__ \# + # \__,_|_|_| |_| |_|_|\___| \__|\__, | .__/ \___||___/# + # __/ | | # + # |___/|_| # + # ###################################################### + + # workaround to sort in which artifact to be insterted + if(file_name.endswith(".wer")): + generic_art = self.art_wer_file + elif(file_name.endswith(".log")): + generic_art = self.art_log_file + elif(file_name.endswith(".dmp")): + generic_art = self.art_dmp_file + elif(file_name.endswith(".etl")): + generic_art = self.art_etl_file + elif(file_name.endswith(".evtx")): + generic_art = self.art_evt_file # Make an artifact - art = file.newArtifact(self.art_log_file.getTypeID()) + art = file.newArtifact(generic_art.getTypeID()) # Register log file size art.addAttribute(BlackboardAttribute( @@ -410,7 +430,7 @@ def process(self, file): # Fire an event to notify the UI and others that there is a new log artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, - self.art_log_file, None)) + generic_art, None)) ##################################################################################################### # _____ _ _ __ _ # @@ -423,7 +443,7 @@ def process(self, file): # |___/ # ##################################################################################################### - if file.getName().lower().endswith(".wer"): + if file_name.endswith(".wer"): # Save the file locally in the temp folder and use file id as name to reduce collisions self.temp_wer_path = os.path.join( self.temp_dir + WER_FOLDER_PATH, str(file.getId())) @@ -514,7 +534,7 @@ def process(self, file): # |___/ # ################################################# - if file.getName().lower().endswith(".log"): + if file_name.endswith(".log"): # Save the file locally in the temp folder and use file id as name to reduce collisions self.temp_log_path = os.path.join( self.temp_dir + LOG_FOLDER_PATH, str(file.getId())) @@ -542,21 +562,26 @@ def process(self, file): for (ip, counter) in log_info.iteritems(): # Create artifact ip_art = file.newArtifact(self.art_logged_ip.getTypeID()) - self.log(Level.INFO, "Created new artifact of type art_logged_ip for file of id " + str(file.getId())) + self.log( + Level.INFO, "Created new artifact of type art_logged_ip for file of id " + str(file.getId())) # Add IP type ip_type = self.get_ip_type(ip) - ip_art.addAttribute(BlackboardAttribute(self.att_ip_type, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, ip_type)) + ip_art.addAttribute(BlackboardAttribute( + self.att_ip_type, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, ip_type)) # Add IP version ip_version = "IPv" + str(netaddr.IPAddress(ip).version) - ip_art.addAttribute(BlackboardAttribute(self.att_ip_version, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, ip_version)) + ip_art.addAttribute(BlackboardAttribute( + self.att_ip_version, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, ip_version)) # Add IP to artifact - ip_art.addAttribute(BlackboardAttribute(self.att_ip_address, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, str(ip))) + ip_art.addAttribute(BlackboardAttribute( + self.att_ip_address, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, str(ip))) # Add counter to artifact - ip_art.addAttribute(BlackboardAttribute(self.att_ip_counter, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, str(counter))) + ip_art.addAttribute(BlackboardAttribute( + self.att_ip_counter, LogForensicsForAutopsyFileIngestModuleWithUIFactory.moduleName, str(counter))) # Add file path to artifact ip_art.addAttribute(BlackboardAttribute( @@ -591,6 +616,8 @@ def shutDown(self): # Stores the settings that can be changed for each ingest job # All fields in here must be serializable. It will be written to disk. + + class LogForensicsForAutopsyFileIngestModuleWithUISettings(IngestModuleIngestJobSettings): serialVersionUID = 1L @@ -631,6 +658,8 @@ def setCheckEVTx(self, checkEVTx): self.checkEVTx = checkEVTx # UI that is shown to user for each ingest job so they can configure the job. + + class LogForensicsForAutopsyFileIngestModuleWithUISettingsPanel(IngestModuleIngestJobSettingsPanel): # Note, we can't use a self.settings instance variable. # Rather, self.local_settings is used.