Worked on script to check artifact definitions (#8)

ForensicArtifacts · Mar 12, 2022 · 5f29245 · 5f29245
1 parent 0418143
commit 5f29245
Show file tree

Hide file tree

Showing 14 changed files with 228 additions and 102 deletions.
diff --git a/.github/workflows/test_docker.yml b/.github/workflows/test_docker.yml
@@ -17,7 +17,7 @@ jobs:
     - name: Install dependencies
       run: |
         dnf copr -y enable @gift/dev
-        dnf install -y @development-tools python3 python3-devel libbde-python3 libcreg-python3 libevt-python3 libevtx-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwevt-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-cffi python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-idna python3-pytsk3 python3-pyxattr python3-pyyaml python3-setuptools
+        dnf install -y @development-tools python3 python3-devel libbde-python3 libcreg-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-artifacts python3-cffi python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-idna python3-pytsk3 python3-pyxattr python3-pyyaml python3-setuptools
     - name: Run tests
       env:
         LANG: C.utf8
@@ -57,7 +57,7 @@ jobs:
       run: |
         add-apt-repository -y ppa:gift/dev
         apt-get update -q
-        apt-get install -y build-essential python3 python3-dev libbde-python3 libcreg-python3 libevt-python3 libevtx-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwevt-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-cffi-backend python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-distutils python3-dtfabric python3-idna python3-pytsk3 python3-pyxattr python3-setuptools python3-yaml
+        apt-get install -y build-essential python3 python3-dev libbde-python3 libcreg-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-artifacts python3-cffi-backend python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-distutils python3-dtfabric python3-idna python3-pytsk3 python3-pyxattr python3-setuptools python3-yaml
     - name: Run tests
       env:
         LANG: en_US.UTF-8

diff --git a/.github/workflows/test_docs.yml b/.github/workflows/test_docs.yml
@@ -35,7 +35,7 @@ jobs:
         add-apt-repository -y ppa:deadsnakes/ppa
         add-apt-repository -y ppa:gift/dev
         apt-get update -q
-        apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcreg-python3 libevt-python3 libevtx-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwevt-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-cffi-backend python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-distutils python3-dtfabric python3-idna python3-pip python3-pytsk3 python3-pyxattr python3-setuptools python3-yaml
+        apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcreg-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-artifacts python3-cffi-backend python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-distutils python3-dtfabric python3-idna python3-pip python3-pytsk3 python3-pyxattr python3-setuptools python3-yaml
     - name: Install tox
       run: |
         python3 -m pip install tox

diff --git a/.github/workflows/test_tox.yml b/.github/workflows/test_tox.yml
@@ -24,7 +24,7 @@ jobs:
         - python-version: '3.10'
           toxenv: 'py310'
         - python-version: '3.8'
-          toxenv: 'pylint'
+          toxenv: 'lint'
     container:
       image: ubuntu:20.04
     steps:
@@ -45,7 +45,7 @@ jobs:
         add-apt-repository -y ppa:deadsnakes/ppa
         add-apt-repository -y ppa:gift/dev
         apt-get update -q
-        apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcreg-python3 libevt-python3 libevtx-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwevt-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-cffi-backend python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-distutils python3-dtfabric python3-idna python3-pip python3-pytsk3 python3-pyxattr python3-setuptools python3-yaml
+        apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcreg-python3 libewf-python3 libexe-python3 libfsapfs-python3 libfsext-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 libwrc-python3 python3-artifacts python3-cffi-backend python3-cryptography python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-distutils python3-dtfabric python3-idna python3-pip python3-pytsk3 python3-pyxattr python3-setuptools python3-yaml
     - name: Install tox
       run: |
         python3 -m pip install tox

diff --git a/.pylintrc b/.pylintrc
@@ -7,7 +7,7 @@
 # A comma-separated list of package or module names from where C extensions may
 # be loaded. Extensions are loading into the active Python interpreter and may
 # run arbitrary code.
-extension-pkg-allow-list=pybde,pycreg,pyevt,pyevtx,pyewf,pyexe,pyfsapfs,pyfsext,pyfshfs,pyfsntfs,pyfsxfs,pyfvde,pyfwnt,pyluksde,pymodi,pyqcow,pyregf,pysigscan,pysmdev,pysmraw,pytsk3,pyvhdi,pyvmdk,pyvsgpt,pyvshadow,pyvslvm,pywrc,xattr
+extension-pkg-allow-list=pybde,pycreg,pyewf,pyexe,pyfsapfs,pyfsext,pyfshfs,pyfsntfs,pyfsxfs,pyfvde,pyfwnt,pyluksde,pymodi,pyphdi,pyqcow,pyregf,pysigscan,pysmdev,pysmraw,pytsk3,pyvhdi,pyvmdk,pyvsgpt,pyvshadow,pyvslvm,pywrc,xattr
 
 # A comma-separated list of package or module names from where C extensions may
 # be loaded. Extensions are loading into the active Python interpreter and may

diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -0,0 +1,8 @@
+extends: default
+
+rules:
+  line-length: disable
+  indentation:
+    spaces: consistent
+    indent-sequences: false
+    check-multi-line-strings: true
diff --git a/artifactsrc/formats.yaml b/artifactsrc/formats.yaml
@@ -1,9 +1,18 @@
-# Known data formats.
+# dtFabric format specification.
 #
 # The check_artifacts.py scrips uses the format definitions below to detect
 # known data formats. To add a new format define format definition and in its
 # "layout" attribute map to corresponding header or footer structure definition.
-#
+---
+name: binary_plist
+type: format
+description: Binary property list fomat
+attributes:
+  byte_order: little-endian
+layout:
+- data_type: binary_plist_file_header
+  offset: 0
+---
 name: esedb
 type: format
 description: Extensible Storage Engine (ESE) Database File (EDB) format
@@ -74,6 +83,13 @@ attributes:
   size: 1
   units: bytes
 ---
+name: char
+type: integer
+attributes:
+  format: signed
+  size: 1
+  units: bytes
+---
 name: uint16
 type: integer
 attributes:
@@ -132,6 +148,21 @@ members:
 - name: milliseconds
   data_type: uint16
 ---
+name: binary_plist_file_header
+type: structure
+description: Binary property list file header
+members:
+- name: signature
+  type: stream
+  element_data_type: byte
+  elements_data_size: 6
+  value: "bplist"
+- name: format_version
+  type: string
+  encoding: ascii
+  element_data_type: char
+  elements_data_size: 2
+---
 name: esedb_file_header
 type: structure
 description: Extensible Storage Engine (ESE) Database File (EDB) file header

diff --git a/artifactsrc/volume_scanner.py b/artifactsrc/volume_scanner.py
@@ -45,6 +45,34 @@ class ArtifactDefinitionsVolumeScanner(dfvfs_volume_scanner.VolumeScanner):
   # at run-time.
   _DEFINITION_FILES_PATH = os.path.dirname(__file__)
 
+  _SYSTEM_DIRECTORY_FIND_SPECS = [
+      dfvfs_file_system_searcher.FindSpec(
+          case_sensitive=False, location='/sbin',
+          location_separator='/'),
+      dfvfs_file_system_searcher.FindSpec(
+          case_sensitive=False, location='/System/Library',
+          location_separator='/'),
+      dfvfs_file_system_searcher.FindSpec(
+          case_sensitive=False, location='\\Windows\\System32',
+          location_separator='\\'),
+      dfvfs_file_system_searcher.FindSpec(
+          case_sensitive=False, location='\\WINNT\\System32',
+          location_separator='\\'),
+      dfvfs_file_system_searcher.FindSpec(
+          case_sensitive=False, location='\\WINNT35\\System32',
+          location_separator='\\'),
+      dfvfs_file_system_searcher.FindSpec(
+          case_sensitive=False, location='\\WTSRV\\System32',
+          location_separator='\\')]
+
+  # We need to check for both forward and backward slashes since the path
+  # specification will be dfVFS back-end dependent.
+  _WINDOWS_SYSTEM_DIRECTORIES = set([
+      '/windows/system32', '\\windows\\system32',
+      '/winnt/system32', '\\winnt\\system32',
+      '/winnt35/system32', '\\winnt35\\system32',
+      '/wtsrv/system32', '\\wtsrv\\system32'])
+
   _WINDOWS_DIRECTORIES = frozenset([
       'C:\\Windows',
       'C:\\WINNT',
@@ -53,6 +81,7 @@ class ArtifactDefinitionsVolumeScanner(dfvfs_volume_scanner.VolumeScanner):
   ])
 
   _FORMAT_VERSION_STRING = {
+      'bplist': 'bplist 0x{format_version:s}',
       'esedb': 'esedb 0x{format_version:x}',
       'evt': 'evt {major_format_version:d}.{minor_format_version:d}',
       'evtx': 'evtx {major_format_version:d}.{minor_format_version:d}',
@@ -347,40 +376,58 @@ def ScanForOperatingSystemVolumes(self, source_path, options=None):
       else:
         mount_point = path_spec.parent
 
-      path_resolver = dfvfs_windows_path_resolver.WindowsPathResolver(
+      file_system_searcher = dfvfs_file_system_searcher.FileSystemSearcher(
           file_system, mount_point)
 
-      windows_directory = None
-      for windows_path in self._WINDOWS_DIRECTORIES:
-        windows_path_spec = path_resolver.ResolvePath(windows_path)
-        if windows_path_spec is not None:
-          windows_directory = windows_path
-          break
+      system_directories = []
+      for system_directory_path_spec in file_system_searcher.Find(
+          find_specs=self._SYSTEM_DIRECTORY_FIND_SPECS):
+        relative_path = file_system_searcher.GetRelativePath(
+            system_directory_path_spec)
+        if relative_path:
+          system_directories.append(relative_path.lower())
 
-      if windows_directory:
-        path_resolver.SetEnvironmentVariable('SystemRoot', windows_directory)
-        path_resolver.SetEnvironmentVariable('WinDir', windows_directory)
+      if system_directories:
+        self._file_system_searcher = file_system_searcher
+        self._file_system = file_system
+        self._mount_point = mount_point
 
-        registry_file_reader = (
-            windows_registry.StorageMediaImageWindowsRegistryFileReader(
-                file_system, path_resolver))
-        winregistry = dfwinreg_registry.WinRegistry(
-            registry_file_reader=registry_file_reader)
+      if self._WINDOWS_SYSTEM_DIRECTORIES.intersection(set(system_directories)):
+        path_resolver = dfvfs_windows_path_resolver.WindowsPathResolver(
+            file_system, mount_point)
 
-        collector = environment_variables.WindowsEnvironmentVariablesCollector()
+        # TODO: determine Windows directory based on system directories.
+        windows_directory = None
+        for windows_path in self._WINDOWS_DIRECTORIES:
+          windows_path_spec = path_resolver.ResolvePath(windows_path)
+          if windows_path_spec is not None:
+            windows_directory = windows_path
+            break
 
-        self._environment_variables = list(collector.Collect(winregistry))
-        self._file_system = file_system
-        self._mount_point = mount_point
-        self._path_resolver = path_resolver
-        self._windows_directory = windows_directory
-        self._windows_registry = winregistry
+        if windows_directory:
+          path_resolver.SetEnvironmentVariable('SystemRoot', windows_directory)
+          path_resolver.SetEnvironmentVariable('WinDir', windows_directory)
+
+          registry_file_reader = (
+              windows_registry.StorageMediaImageWindowsRegistryFileReader(
+                  file_system, path_resolver))
+          winregistry = dfwinreg_registry.WinRegistry(
+              registry_file_reader=registry_file_reader)
+
+          collector = (
+              environment_variables.WindowsEnvironmentVariablesCollector())
+
+          self._environment_variables = list(collector.Collect(winregistry))
+          self._path_resolver = path_resolver
+          self._windows_directory = windows_directory
+          self._windows_registry = winregistry
+
+      if system_directories:
+        # TODO: on Mac OS prevent detecting the Recovery volume.
+        break
 
     self._filter_generator = (
         artifact_filters.ArtifactDefinitionFiltersGenerator(
             self._artifacts_registry, self._environment_variables, []))
 
-    self._file_system_searcher = dfvfs_file_system_searcher.FileSystemSearcher(
-        self._file_system, self._mount_point)
-
     return True
diff --git a/config/appveyor/install.ps1 b/config/appveyor/install.ps1
@@ -1,6 +1,6 @@
 # Script to set up tests on AppVeyor Windows.
 
-$Dependencies = "PyYAML cffi cryptography dfdatetime dfimagetools dfvfs dfwinreg dtfabric idna libbde libcreg libevt libevtx libewf libexe libfsapfs libfsext libfshfs libfsntfs libfsxfs libfvde libfwevt libfwnt libluksde libmodi libqcow libregf libsigscan libsmdev libsmraw libvhdi libvmdk libvsgpt libvshadow libvslvm libwrc pytsk3 xattr"
+$Dependencies = "PyYAML artifacts cffi cryptography dfdatetime dfimagetools dfvfs dfwinreg dtfabric idna libbde libcreg libewf libexe libfsapfs libfsext libfshfs libfsntfs libfsxfs libfvde libfwnt libluksde libmodi libphdi libqcow libregf libsigscan libsmdev libsmraw libvhdi libvmdk libvsgpt libvshadow libvslvm libwrc pytsk3 xattr"
 $Dependencies = ${Dependencies} -split " "
 
 $Output = Invoke-Expression -Command "git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools 2>&1"

diff --git a/data/checks.yaml b/data/checks.yaml
@@ -1,4 +1,41 @@
 # Artifact checks.
+---
+name: MacOSBluetoothPlistFile
+formats: ['binary_plist']
+---
+name: MacOSDockPlistFile
+formats: ['binary_plist']
+---
+name: MacOSGlobalPreferencesPlistFile
+formats: ['binary_plist']
+---
+name: MacOSKeyboardLayoutPlistFile
+formats: ['binary_plist']
+---
+name: MacOSLaunchAgentsPlistFiles
+formats: ['binary_plist']
+---
+name: MacOSLaunchDaemonsPlistFiles
+formats: ['binary_plist']
+---
+name: MacOSLoginWindowPlistFile
+formats: ['binary_plist']
+---
+name: MacOSSystemConfigurationPreferencesPlistFile
+formats: ['binary_plist']
+---
+name: MacOSSystemPreferencesPlistFiles
+formats: ['binary_plist']
+---
+name: MacOSSystemVersionPlistFile
+formats: ['binary_plist']
+---
+name: MacOSTimeMachinePlistFile
+formats: ['binary_plist']
+---
+name: MacOSUserPasswordHashesPlistFiles
+formats: ['binary_plist']
+---
 name: WindowsAMCacheHveFile
 document: windows/AMCache.md
 formats: ['regf']