registry decoder 1.2

504ensicsLabs · Feb 2, 2012 · cafd8d5 · cafd8d5
1 parent 0550ebf
commit cafd8d5
Show file tree

Hide file tree

Showing 13 changed files with 233 additions and 38 deletions.
diff --git a/GUI/filetab.py b/GUI/filetab.py
@@ -266,7 +266,7 @@ def place_last_written(self, node):
         path = self.tapi.full_path_node_to_root(node)
 
         lastwrite = node.timestamps[self.fileid]
-        lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S UTC')
+        lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S')
 
         self.filetab.currentPath.clear()
         self.filetab.currentPath.insert(path + " -- " + lastwrite)

diff --git a/GUI/generate_forms.py b/GUI/generate_forms.py
@@ -113,6 +113,7 @@ def search_plugin_export_form(self, ref_obj, fileid, tab_name, label_text, resul
         # register signals
         if is_diff:
             ref_obj.gui.connect(createReportPushButton, SIGNAL("clicked()"), ref_obj.gcommon.createDiffReport)
+            new_tab.diff_tab = 1
         else:
             ref_obj.gui.connect(createReportPushButton, SIGNAL("clicked()"), ref_obj.createReportClicked)  
 

diff --git a/GUI/guicommon.py b/GUI/guicommon.py
@@ -85,18 +85,25 @@ def __cmp__(self, other):
     def __hash__(self):
         return hash(str(self.results))
 # get the users date in the form of mm/dd/yyyy
-def parse_date(self, dateStr):
+def parse_date(self, dateStr, datetype):
 
-    ents = [int(x) for x in dateStr.split("/")]
+    e = [x for x in dateStr.split("/")]
 
-    if len(ents) != 3:
-        self.gui.msgBox("Invalid start date given.")
-        ret = []
+    if len(e) != 3:
+        self.gui.msgBox("Invalid %s date given." % datetype)
+        ret = None
     else:
-        # v1 way -- didn't make sense since last write time in browse were different format
-        #(month, day, year) = ents
-        (year, month, day) = ents
-        ret = QDate(year, month, day)
+
+        try:
+            ents = [int(x) for x in e]
+        except:
+            self.gui.msgBox("Invalid %s date given." % datetype)
+            ret = None
+        else:
+            # v1 way -- didn't make sense since last write time in browse were different format
+            #(month, day, year) = ents
+            (year, month, day) = ents
+            ret = QDate(year, month, day)
 
     return ret
 
@@ -107,16 +114,16 @@ def filter_results(self, results, fileid, startStr, endStr):
     ret = []
 
     if startStr:
-        start = parse_date(self, startStr)
-        if not start:
-            return []
+        start = parse_date(self, startStr, "start")
+        if start == None:
+            return None
     else:
         start = ""
 
     if endStr:
-        end = parse_date(self, endStr)
-        if not end:
-            return []
+        end = parse_date(self, endStr, "end")
+        if end == None:
+            return None
     else:
         end = ""
 

diff --git a/GUI/pathtab.py b/GUI/pathtab.py
@@ -147,7 +147,7 @@ def get_report_vals(self, results, fileid):
             r = results[row]
 
             lastwrite = r.node.timestamps[fileid]
-            lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S UTC')
+            lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S')
 
             # add the path and its last write time
             ret.append([self.tapi.full_path_node_to_root(r.node), lastwrite])

diff --git a/GUI/reportfuncs.py b/GUI/reportfuncs.py
@@ -120,7 +120,16 @@ def exportAll(self):
         if len(extabs) == 0: 
             self.gui.msgBox("Export All clicked when no tabs were active")
             return
+
+        # don't export diff tabs
+        remove = []
+        for tab in extabs:
+            if hasattr(tab, "diff_tab"):
+                remove.append(tab)
 
+        for t in remove:
+            del extabs[t]
+
         report     = self.get_plugin_export_format(currentTab.cbox)
 
         i = 0

diff --git a/GUI/searchtab.py b/GUI/searchtab.py
@@ -109,8 +109,24 @@ def get_search_params(self):
 
         startDate    = self.gui.searchStartDateLineEdit.text()
         endDate      = self.gui.searchEndDateLlineEdit.text()
-
-        return search_params(searchterms, searchfile, partialsearch, searchKeys, searchNames, searchData, startDate, endDate) 
+
+        if startDate != "":
+            s = self.gcommon.parse_date(self, startDate, "start")
+        else:
+            s = 1
+
+        if endDate != "":
+           e = self.gcommon.parse_date(self, endDate, "end")
+        else:
+           e = 1
+
+        # input error
+        if s == None or e == None:
+            ret = None
+        else:
+            ret = search_params(searchterms, searchfile, partialsearch, searchKeys, searchNames, searchData, startDate, endDate) 
+
+        return ret
 
     # get results for the given search term(s) and fileid
     def do_get_search_results(self, sp, fileid):
@@ -262,7 +278,7 @@ def viewTree(self):
 
         sp = self.get_search_params()
 
-        if not sp:
+        if not sp or sp == None:
             return
 
         perform_diff = self.gui.performSearchDiffCheckBox.isChecked()
@@ -334,7 +350,7 @@ def get_report_vals(self, results, fileid):
             r = results[row]
 
             lastwrite = r.node.timestamps[fileid]
-            lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S UTC')
+            lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S')
 
             vals  = [lastwrite, r.node.fullpath, r.name, r.data]
 

diff --git a/GUI/timelinetab.py b/GUI/timelinetab.py
@@ -73,9 +73,25 @@ def get_timeline_params(self):
 
         startDate    = self.gui.timelineStartDateLineEdit.text()
         endDate      = self.gui.timelineEndDateLlineEdit_2.text()
-
-        return timeline_params(fd, outputfile, startDate, endDate)
-
+
+        if startDate != "":
+            s = self.gcommon.parse_date(self, startDate, "start")
+        else:
+            s = 1
+
+        if endDate != "":
+           e = self.gcommon.parse_date(self, endDate, "end")
+        else:
+           e = 1
+
+        # input error
+        if s == None or e == None:
+            ret = None
+        else:
+            ret = timeline_params(fd, outputfile, startDate, endDate)
+
+        return ret
+
     def run_timeline(self, fileid, sp):
 
         filepath = self.gcommon.get_file_info(self.info_hash, fileid)[0]
@@ -106,18 +122,24 @@ def run_timeline(self, fileid, sp):
                 if len(res) == 1:
 
                     path      = self.tapi.full_path_node_to_root(node)
+
                     lastwrite = node.timestamps[fileid] 
-                    #lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S UTC')
-
-                    # taken from regtime.pl
-                    sp.fd.write("0|%s:%s|0|0|0|0|0|0|%d|0|0\n" % (filepath, path, lastwrite))
+
+                    if self.gui.excelRadioButton.isChecked():
+                        lastwrite = datetime.datetime.fromtimestamp(lastwrite).strftime('%Y/%m/%d %H:%M:%S')
+                        sp.fd.write("%s\t%s\t%s\n" % (filepath, path, lastwrite))
+
+                    else:
+                        # these three lines will write out autopsy format, regtime.pl
+                        filepath = filepath.replace("|", ",")
+                        sp.fd.write("0|%s:%s|0|0|0|0|0|0|%d|0|0\n" % (filepath, path, lastwrite))
 
     # called when 'timeline' is clicked
     def viewTree(self):
 
         sp = self.get_timeline_params()
 
-        if not sp:
+        if not sp or sp == None:
             return
 
         self.gcommon.run_cb_on_tree(self, self.run_timeline, sp, "timelineTreeWidget")  

diff --git a/GUI/uifiles/registrydecoder.ui b/GUI/uifiles/registrydecoder.ui
@@ -1339,13 +1339,34 @@
                 <item row="3" column="2">
                  <widget class="QLineEdit" name="timelineEndDateLlineEdit_2"/>
                 </item>
-                <item row="4" column="1">
+                <item row="5" column="1">
                  <widget class="QPushButton" name="timelinePushButton">
                   <property name="text">
                    <string>Timeline</string>
                   </property>
                  </widget>
                 </item>
+                <item row="4" column="1">
+                 <widget class="QRadioButton" name="excelRadioButton">
+                  <property name="text">
+                   <string>Excel</string>
+                  </property>
+                 </widget>
+                </item>
+                <item row="4" column="2">
+                 <widget class="QRadioButton" name="mactimeRadioButton">
+                  <property name="text">
+                   <string>mactime</string>
+                  </property>
+                 </widget>
+                </item>
+                <item row="4" column="0">
+                 <widget class="QLabel" name="label_26">
+                  <property name="text">
+                   <string>Timeline Format</string>
+                  </property>
+                 </widget>
+                </item>
                </layout>
               </item>
               <item row="2" column="1">

diff --git a/GUI/uifiles/registrydecoder_ui.py b/GUI/uifiles/registrydecoder_ui.py
@@ -2,7 +2,7 @@
 
 # Form implementation generated from reading ui file 'GUI/uifiles/registrydecoder.ui'
 #
-# Created: Thu Oct 27 12:47:23 2011
+# Created: Thu Feb  2 01:19:53 2012
 #      by: PyQt4 UI code generator 4.7.2
 #
 # WARNING! All changes made in this file will be lost!
@@ -527,7 +527,16 @@ def setupUi(self, registrydecoder):
         self.gridLayout_26.addWidget(self.timelineEndDateLlineEdit_2, 3, 2, 1, 1)
         self.timelinePushButton = QtGui.QPushButton(self.timelineTab)
         self.timelinePushButton.setObjectName("timelinePushButton")
-        self.gridLayout_26.addWidget(self.timelinePushButton, 4, 1, 1, 1)
+        self.gridLayout_26.addWidget(self.timelinePushButton, 5, 1, 1, 1)
+        self.excelRadioButton = QtGui.QRadioButton(self.timelineTab)
+        self.excelRadioButton.setObjectName("excelRadioButton")
+        self.gridLayout_26.addWidget(self.excelRadioButton, 4, 1, 1, 1)
+        self.mactimeRadioButton = QtGui.QRadioButton(self.timelineTab)
+        self.mactimeRadioButton.setObjectName("mactimeRadioButton")
+        self.gridLayout_26.addWidget(self.mactimeRadioButton, 4, 2, 1, 1)
+        self.label_26 = QtGui.QLabel(self.timelineTab)
+        self.label_26.setObjectName("label_26")
+        self.gridLayout_26.addWidget(self.label_26, 4, 0, 1, 1)
         self.gridLayout_27.addLayout(self.gridLayout_26, 1, 1, 1, 1)
         spacerItem34 = QtGui.QSpacerItem(498, 20, QtGui.QSizePolicy.Expanding, QtGui.QSizePolicy.Minimum)
         self.gridLayout_27.addItem(spacerItem34, 2, 1, 1, 1)
@@ -666,6 +675,9 @@ def retranslateUi(self, registrydecoder):
         self.label_24.setText(QtGui.QApplication.translate("registrydecoder", "End Date", None, QtGui.QApplication.UnicodeUTF8))
         self.label_23.setText(QtGui.QApplication.translate("registrydecoder", "Filter (yyyy/mm/dd)", None, QtGui.QApplication.UnicodeUTF8))
         self.timelinePushButton.setText(QtGui.QApplication.translate("registrydecoder", "Timeline", None, QtGui.QApplication.UnicodeUTF8))
+        self.excelRadioButton.setText(QtGui.QApplication.translate("registrydecoder", "Excel", None, QtGui.QApplication.UnicodeUTF8))
+        self.mactimeRadioButton.setText(QtGui.QApplication.translate("registrydecoder", "mactime", None, QtGui.QApplication.UnicodeUTF8))
+        self.label_26.setText(QtGui.QApplication.translate("registrydecoder", "Timeline Format", None, QtGui.QApplication.UnicodeUTF8))
         self.analysisTabWidget.setTabText(self.analysisTabWidget.indexOf(self.timelineTab), QtGui.QApplication.translate("registrydecoder", "Timeline", None, QtGui.QApplication.UnicodeUTF8))
         self.toolBar_1.setWindowTitle(QtGui.QApplication.translate("registrydecoder", "File", None, QtGui.QApplication.UnicodeUTF8))
         self.toolBar_2.setWindowTitle(QtGui.QApplication.translate("registrydecoder", "toolBar_2", None, QtGui.QApplication.UnicodeUTF8))

diff --git a/guimain.py b/guimain.py
@@ -480,7 +480,7 @@ def handleAnalysisTabClose(self, index):
             remove = 1
 
         # bulk export tabs
-        elif hasattr(closed_tab, "is_bulk"):
+        elif hasattr(closed_tab, "is_bulk") or hasattr(closed_tab, "diff_tab"):
             remove = 1
 
         if remove == 1: 

diff --git a/reporting/report_formats/commasep.py b/reporting/report_formats/commasep.py
@@ -0,0 +1,108 @@
+#
+# Registry Decoder
+# Copyright (c) 2011 Digital Forensics Solutions, LLC
+#
+# Contact email:  registrydecoder@digitalforensicssolutions.com
+#
+# Authors:
+# Andrew Case       - andrew@digitalforensicssolutions.com
+# Lodovico Marziale - vico@digitalforensicssolutions.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details. 
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
+#
+# creates HTML formatted output
+
+import codecs
+
+def get_instance():
+
+    return csvReport()
+
+class csvReport:
+
+    def __init__(self):
+        self.name       = "CSV"
+        self.extension  = "csv"
+        self.fileoutput = 1
+
+    def set_file(self, filename):
+
+        self.fd = codecs.open(filename, "a+", encoding="UTF-8")
+
+    def set_table_size(self, rowmax, colmax):
+        pass
+
+    def start_output(self):
+        pass
+
+    def start_table(self):
+        pass
+
+    def start_column(self):
+        pass
+
+    def end_column(self):
+        pass
+
+    def write_number_column(self):
+        pass
+
+    def write_table_headers(self, header_list):
+        pass
+
+    def write_data_list(self, data_list, print_row, bold=-1):
+
+        row = 1
+
+        # don't write out case info & headers
+        if print_row == 0:
+            return
+
+        for outer_list in data_list:
+
+            if print_row:
+                self.fd.write("%d," % row)
+
+            vidx = 0
+
+            # actual report items
+            for val in outer_list:
+
+                if not val or val == "":
+                    val = ""
+
+                val = val.replace(",", "<COMMA>")
+
+                self.fd.write("%s," % val)
+
+                vidx = vidx + 1
+
+            self.fd.write("\n")        
+
+            row = row + 1                
+
+    def end_table(self):
+        pass
+
+    def end_output(self):
+        pass
+
+    def close_report(self):
+        self.fd.close()
+
+
+
+
+