Teaser demo module for DFF based on articles http://www.digital-forensic.org/en/blog/2013/dff-extract-needle-haystack-part-1-graphical-way/ and http://www.digital-forensic.org/en/blog/2013/dff-and-python-scripting/
from dff.api.types.libtypes import Parameter, Argument, typeId, Variant, VMap, VList | |
from dff.api.module.module import Module | |
from dff.api.module.script import Script | |
from dff.api.events.libevents import EventHandler | |
from dff.api.filters.libfilters import Filter | |
from dff.api.vfs.libvfs import ABSOLUTE_ATTR_NAME | |
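class DemoExport(Script, EventHandler):
    """Filter a VFS subtree and export chosen attributes of every match as CSV.

    Arguments read from ``args`` in :meth:`start`:
        outfile:    path of the CSV file to create (overwritten if it exists)
        root_node:  node from which the filter walk starts
        query:      optional DFF filter expression; defaults to matching every name
        attributes: list of attribute names, one CSV column each

    Column layout: path, filename, filesize, mime, then one column per
    requested attribute, in the order they were given.
    """

    # Characters that force a CSV field to be enclosed in double quotes.
    _QUOTE_TRIGGERS = (',', '"', '\n', '\r')

    def __init__(self):
        Script.__init__(self, "demoexport")
        EventHandler.__init__(self)
        self.__filter = Filter("demo exporter")
        # Subscribe to the filter's events; they are received in Event() below.
        self.connection(self.__filter)

    def start(self, args):
        """Run the filter from ``root_node`` and write one CSV row per match.

        Raises:
            IOError: if ``outfile`` cannot be opened for writing.
        """
        outfile = args["outfile"].value()
        # "query" is optional.  ``in`` replaces the Python 2 only has_key();
        # NOTE(review): assumes the argument map proxy supports ``in`` like
        # has_key() did — confirm against the DFF VMap binding.
        if "query" in args:
            query = args["query"].value()
        else:
            query = 'name matches /.*/'
        root_node = args["root_node"].value()
        attributes = [attribute.toString() for attribute in args["attributes"].value()]

        self.__filter.compile(query)
        self.__filter.process(root_node)
        nodes = self.__filter.matchedNodes()

        fixed_columns = ["path", "filename", "filesize", "mime"]
        # ``with`` guarantees the file is closed even if a node lookup raises
        # half-way through the export.
        with open(outfile, 'w') as ofile:
            ofile.write(self.__csvLine(fixed_columns + attributes))
            for node in nodes:
                row = [str(node.path()),
                       str(node.name()),
                       str(node.size()),
                       self.__mimeType(node)]
                row.extend(self.__attributeValue(node, name) for name in attributes)
                ofile.write(self.__csvLine(row))

    def Event(self, ev):
        """Filter events are ignored; matches are collected via matchedNodes()."""
        pass

    def __mimeType(self, node):
        """Return the value of the ``mime`` column for ``node``.

        The listing this was rebuilt from stops mid-row before the mime
        lookup, so the column is currently written empty.
        TODO(review): fill it from the DFF node's data-type lookup once the
        installed API is confirmed.
        """
        return ""

    def __attributeValue(self, node, name):
        """Return the requested attribute of ``node`` as one CSV cell.

        The lookup uses ABSOLUTE_ATTR_NAME because the predefined names
        (e.g. "ntfs.$FILE_NAME.Creation time") are full dotted paths.  When
        several values match they are joined with " | "; a node without the
        attribute yields an empty cell.
        NOTE(review): assumes attributesByName() returns a list of Variants
        exposing toString() — confirm against the DFF Node API.
        """
        values = node.attributesByName(name, ABSOLUTE_ATTR_NAME)
        return " | ".join(value.toString() for value in values)

    def __csvLine(self, fields):
        """Join already-stringified ``fields`` into one CSV record with a newline."""
        return ",".join(self.__sanitizeField(field) for field in fields) + "\n"

    def __sanitizeField(self, field):
        """Escape one CSV field the RFC 4180 way.

        Embedded double quotes are doubled, and the field is enclosed in
        quotes when it contains a comma, a quote or a line break.  (Quoting
        only on commas, as before, left fields containing doubled quotes or
        newlines malformed.)

        Cell contents come straight from the evidence (file names, paths,
        attribute values) and are not neutralised against spreadsheet
        formula interpretation; import the CSV as text rather than opening
        it directly in a spreadsheet application.
        """
        needs_quotes = any(ch in field for ch in self._QUOTE_TRIGGERS)
        field = field.replace('"', '""')
        if needs_quotes:
            field = '"' + field + '"'
        return field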
class demo_export(Module):
    """Module descriptor that registers the DemoExport script with DFF.

    Declares four arguments: the CSV output path, the node the filter walk
    starts from, an optional filter query, and the list of attributes to
    extract (pre-filled with the NTFS $FILE_NAME timestamps).
    """

    def __init__(self):
        Module.__init__(self, "demo_export", DemoExport)
        single_string = Argument.Single | typeId.String
        argument_specs = [
            {"name": "outfile",
             "description": "name of the CSV file to create",
             "input": Argument.Required | single_string},
            {"name": "root_node",
             "description": "Root node from where to start filtering and extraction",
             "input": Argument.Required | Argument.Single | typeId.Node},
            {"name": "query",
             "description": "Query used to search files",
             "input": Argument.Optional | single_string,
             "parameters": {"type": Parameter.Editable,
                            "predefined": ["'name matches /.*/'"]}},
            {"name": "attributes",
             "description": "Attributes to extract",
             "input": Argument.Required | Argument.List | typeId.String,
             "parameters": {"type": Parameter.Editable,
                            "predefined": ["ntfs.$FILE_NAME.Creation time",
                                           "ntfs.$FILE_NAME.File accessed time",
                                           "ntfs.$FILE_NAME.File altered time",
                                           "ntfs.$FILE_NAME.MFT altered time"]}},
        ]
        # Registration order is preserved: it is the order shown to the user.
        for spec in argument_specs:
            self.conf.addArgument(spec)
        self.tags = "Demo"
        self.icon = ":extract.png"