스미싱 의심문자 간단탐지 오톱씨 플러그인
import inspect
import os

import jarray

from java.io import File
from java.lang import Class
from java.lang import System
from java.sql import DriverManager, SQLException
from java.util.logging import Level

from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.datamodel import ContentUtils
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestServices
from org.sleuthkit.autopsy.ingest import ModuleDataEvent
from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException
from org.sleuthkit.datamodel import AbstractFile
from org.sleuthkit.datamodel import BlackboardArtifact
from org.sleuthkit.datamodel import BlackboardAttribute
from org.sleuthkit.datamodel import ReadContentInputStream
from org.sleuthkit.datamodel import SleuthkitCase
class SmishingIngestModuleFactory(IngestModuleFactoryAdapter):
    """Factory through which Autopsy discovers and instantiates the smishing module.

    Autopsy queries the factory for display metadata and, because
    isDataSourceIngestModuleFactory() answers True, asks it for a fresh
    SmishingIngestModule for each data source it ingests.
    """

    # Also read by SmishingIngestModule: it names the logger and is the
    # "source" recorded on every artifact attribute and ingest message.
    moduleName = "Smishing suspicious sms tracker"

    def getModuleDisplayName(self):
        """Name shown in Autopsy's ingest module list."""
        return SmishingIngestModuleFactory.moduleName

    def getModuleDescription(self):
        """Short description shown next to the module name."""
        return "Smishing suspicious detection"

    def getModuleVersionNumber(self):
        """Version string reported to Autopsy."""
        return "1.0"

    def isDataSourceIngestModuleFactory(self):
        """Tell Autopsy this factory builds data-source-level ingest modules."""
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        """Build a new module instance; ingestOptions is unused (the module has no settings)."""
        return SmishingIngestModule()
# Data source-level ingest module: Autopsy creates one instance per data source.
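class SmishingIngestModule(DataSourceIngestModule):
    """Flag SMS messages that carry a URL as possible smishing.

    For every ``mmssms.db`` found in the data source the module copies the
    database into the case temp directory, reads ``date``, ``address`` and
    ``body`` from its ``sms`` table and posts a TSK_MESSAGE artifact for each
    row whose body contains a URL scheme marker. The database comes from the
    evidence image and is untrusted; the SQL issued against it is a fixed
    string, so nothing read from the image ever becomes part of a query.
    """

    _logger = Logger.getLogger(SmishingIngestModuleFactory.moduleName)

    # Substrings that mark a body as suspicious. Compared case-insensitively
    # so "HTTP://" and "Https://" are caught as well as the lowercase forms.
    URL_MARKERS = ("http://", "https://")

    def log(self, level, msg):
        """Log ``msg`` at ``level``, tagged with this class and the calling method's name."""
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self):
        # Filled in by startUp(); process() reads it to honour job cancellation.
        self.context = None

    def startUp(self, context):
        """Keep the ingest job context so process() can check for cancellation."""
        self.context = context

    @staticmethod
    def _looks_suspicious(body):
        """Return True when ``body`` contains one of URL_MARKERS.

        ``body`` may be None: the column is nullable and JDBC getString()
        returns null for it, which would raise TypeError on a bare ``in``.
        """
        if not body:
            return False
        lowered = body.lower()
        return any(marker in lowered for marker in SmishingIngestModule.URL_MARKERS)

    def process(self, dataSource, progressBar):
        """Scan every mmssms.db in ``dataSource`` and post artifacts for suspicious SMS.

        A database that cannot be opened or queried is logged and skipped;
        the remaining files are still processed (the original returned early
        and silently dropped them). Returns IngestModule.ProcessResult.OK.
        """
        progressBar.switchToIndeterminate()
        case = Case.getCurrentCase()
        fileManager = case.getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "mmssms.db")
        progressBar.switchToDeterminate(len(files))

        fileCount = 0
        for dbFile in files:
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK
            self.log(Level.INFO, "Processing file: " + dbFile.getName())
            fileCount += 1
            self._processDatabase(case, dbFile)
            progressBar.progress(fileCount)

        # Summary for the ingest inbox, attributed to this module rather than
        # the sample module this code was derived from.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                              SmishingIngestModuleFactory.moduleName,
                                              "Found %d files" % fileCount)
        IngestServices.getInstance().postMessage(message)
        return IngestModule.ProcessResult.OK

    def _processDatabase(self, case, dbFile):
        """Copy one mmssms.db to the temp dir, scan it, and always clean up.

        Only the main database file is copied out of the image. If a
        ``mmssms.db-wal`` / ``mmssms.db-journal`` sidecar also exists, rows
        still sitting in it are not visible to this scan — TODO confirm
        whether the target images carry WAL files and copy them alongside.
        Returns the number of artifacts created (0 on any failure).
        """
        lclDbPath = os.path.join(case.getTempDirectory(), str(dbFile.getId()) + ".db")
        dbConn = None
        stmt = None
        try:
            ContentUtils.writeToFile(dbFile, File(lclDbPath))
            try:
                Class.forName("org.sqlite.JDBC").newInstance()
                dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
            except SQLException as e:
                self.log(Level.INFO, "Could not open database file (not SQLite) " + dbFile.getName() + " (" + e.getMessage() + ")")
                return 0
            try:
                stmt = dbConn.createStatement()
                # Fixed query: no evidence-derived text is interpolated into SQL.
                resultSet = stmt.executeQuery("SELECT date, address, body FROM sms")
            except SQLException as e:
                self.log(Level.INFO, "Error querying database for sms table (" + e.getMessage() + ")")
                return 0
            return self._postArtifacts(dbFile, resultSet)
        finally:
            # Release the JDBC handles and the temp copy even when scanning
            # raised midway; the original leaked all three on any exception.
            if stmt is not None:
                stmt.close()
            if dbConn is not None:
                dbConn.close()
            if os.path.exists(lclDbPath):
                os.remove(lclDbPath)

    def _postArtifacts(self, dbFile, resultSet):
        """Walk ``resultSet`` and create one TSK_MESSAGE artifact per suspicious row.

        Rows whose columns cannot be read are logged and skipped instead of
        being evaluated with stale values from the previous row. Fires a
        single ModuleDataEvent after the loop if anything was created.
        """
        moduleName = SmishingIngestModuleFactory.moduleName
        found = 0
        while resultSet.next():
            try:
                date = resultSet.getString("date")
                address = resultSet.getString("address")
                body = resultSet.getString("body")
            except SQLException as e:
                self.log(Level.INFO, "Error getting values from sms table (" + e.getMessage() + ")")
                continue
            if not self._looks_suspicious(body):
                continue
            art = dbFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE)
            # ``date`` is stored as-is under TSK_MSG_ID, as the original did,
            # so anything keyed on that attribute keeps working. Its format is
            # whatever the sms table holds (presumably an epoch value — verify
            # before converting it to TSK_DATETIME). Nullable columns are
            # coerced to "" so the attribute constructor never sees null.
            art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MSG_ID.getTypeID(),
                                                 moduleName, date or ""))
            art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(),
                                                 moduleName, address or ""))
            art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(),
                                                 moduleName, body))
            found += 1

        if found:
            IngestServices.getInstance().fireModuleDataEvent(
                ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE, None))
        return found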