mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 07:56:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Greg DiCristofaro 2021-04-20 21:45:26 -04:00
parent 9d30b40846
commit 6b86cb53b1
1 changed files with 32 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
test/script/tskdbdiff.py
View File

@ -169,12 +169,29 @@ class TskDbDiff(object):
# create file path for gold files inside output folder. In case of diff, both gold and current run files # create file path for gold files inside output folder. In case of diff, both gold and current run files
# are available in the report output folder. Prefix Gold- is added to the filename. # are available in the report output folder. Prefix Gold- is added to the filename.
gold_file_in_output_dir = output_file[:output_file.rfind("/")] + "/Gold-" + output_file[output_file.rfind("/")+1:] gold_file_in_output_dir = os.path.join(os.path.dirname(output_file), "Gold-" + os.path.basename(output_file))
shutil.copy(gold_file, gold_file_in_output_dir) shutil.copy(gold_file, gold_file_in_output_dir)
return False return False
@staticmethod
def _get_associated_artifact_type(cur, artifact_id, isMultiUser):
if isMultiUser:
cur.execute(
"SELECT tsk_files.parent_path, blackboard_artifact_types.display_name FROM blackboard_artifact_types INNER JOIN blackboard_artifacts ON blackboard_artifact_types.artifact_type_id = blackboard_artifacts.artifact_type_id INNER JOIN tsk_files ON tsk_files.obj_id = blackboard_artifacts.obj_id WHERE artifact_id=%s",
[artifact_id])
else:
cur.execute(
"SELECT tsk_files.parent_path, blackboard_artifact_types.display_name FROM blackboard_artifact_types INNER JOIN blackboard_artifacts ON blackboard_artifact_types.artifact_type_id = blackboard_artifacts.artifact_type_id INNER JOIN tsk_files ON tsk_files.obj_id = blackboard_artifacts.obj_id WHERE artifact_id=?",
[artifact_id])
info = cur.fetchone()
return "File path: " + info[0] + " Artifact Type: " + info[1]
@staticmethod
def _dump_output_db_bb(db_file, bb_dump_file, isMultiUser, pgSettings, id_obj_path_table): def _dump_output_db_bb(db_file, bb_dump_file, isMultiUser, pgSettings, id_obj_path_table):
"""Dumps sorted text results to the given output location. """Dumps sorted text results to the given output location.
@ -270,7 +287,7 @@ class TskDbDiff(object):
elif attr["value_type"] == 5: elif attr["value_type"] == 5:
attr_value_as_string = str(attr["value_int64"]) attr_value_as_string = str(attr["value_int64"])
if attr["display_name"] == "Associated Artifact": if attr["display_name"] == "Associated Artifact":
attr_value_as_string = getAssociatedArtifactType(attribute_cursor, attr_value_as_string, isMultiUser) attr_value_as_string = TskDbDiff._get_associated_artifact_type(attribute_cursor, attr_value_as_string, isMultiUser)
patrn = re.compile("[\n\0\a\b\r\f]") patrn = re.compile("[\n\0\a\b\r\f]")
attr_value_as_string = re.sub(patrn, ' ', attr_value_as_string) attr_value_as_string = re.sub(patrn, ' ', attr_value_as_string)
if attr["source"] == "Keyword Search" and attr["display_name"] == "Keyword Preview": if attr["source"] == "Keyword Search" and attr["display_name"] == "Keyword Preview":
@ -310,7 +327,7 @@ class TskDbDiff(object):
srtcmdlst = ["sort", unsorted_dump, "-o", bb_dump_file] srtcmdlst = ["sort", unsorted_dump, "-o", bb_dump_file]
subprocess.call(srtcmdlst) subprocess.call(srtcmdlst)
@staticmethod
def _dump_output_db_nonbb(db_file, dump_file, isMultiUser, pgSettings): def _dump_output_db_nonbb(db_file, dump_file, isMultiUser, pgSettings):
"""Dumps a database to a text file. """Dumps a database to a text file.
@ -321,7 +338,7 @@ class TskDbDiff(object):
dump_file: a pathto_File, the location to dump the non-blackboard database items dump_file: a pathto_File, the location to dump the non-blackboard database items
""" """
conn, output_file = db_connect(db_file, isMultiUser, pgSettings) conn, backup_db_file = db_connect(db_file, isMultiUser, pgSettings)
guid_utils = TskGuidUtils.create(conn) guid_utils = TskGuidUtils.create(conn)
if isMultiUser: if isMultiUser:
@ -331,14 +348,15 @@ class TskDbDiff(object):
table_cols = get_sqlite_table_columns(conn) table_cols = get_sqlite_table_columns(conn)
schema = get_sqlite_schema(conn) schema = get_sqlite_schema(conn)
output_file.write(schema + "\n") with codecs.open(dump_file, "wb", "utf_8") as output_file:
for table, cols in sorted(table_cols.items(), key=lambda pr: pr[0]): output_file.write(schema + "\n")
normalizer = TABLE_NORMALIZATIONS[table] if table in TABLE_NORMALIZATIONS else None for table, cols in sorted(table_cols.items(), key=lambda pr: pr[0]):
write_normalized(guid_utils, output_file, conn, table, cols, normalizer) normalizer = TABLE_NORMALIZATIONS[table] if table in TABLE_NORMALIZATIONS else None
write_normalized(guid_utils, output_file, conn, table, cols, normalizer)
# Now sort the file # Now sort the file
# srtcmdlst = ["sort", dump_file, "-o", dump_file] srtcmdlst = ["sort", dump_file, "-o", dump_file]
# subprocess.call(srtcmdlst) subprocess.call(srtcmdlst)
conn.close() conn.close()
# cleanup the backup # cleanup the backup
@ -346,6 +364,10 @@ class TskDbDiff(object):
# os.remove(backup_db_file) # os.remove(backup_db_file)
return guid_utils.obj_id_guids return guid_utils.obj_id_guids
@staticmethod
def _get_tmp_file(base, ext):
time = datetime.datetime.now().time().strftime("%H%M%f")
return os.path.join(os.environ['TMP'], base + time + ext)
class TskDbDiffException(Exception): class TskDbDiffException(Exception):