#Volatility Script
#By sk3tchymoos3
#Much thanks to Tom Goldsmith, Dani F., and a Canadian guy for the guidance!
import os
import sys
import argparse
import hashlib
import time
import subprocess
import csv
import sqlite3
import basicParse
import investigationParse
import timelineParse
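#<--- Declare variables here --->
# Default location of vol.py used when -v/--volatility is not given. The
# hard-coded value is a machine-specific (REMnux svn checkout) path; the
# VOLATILITY_PATH environment variable can override it without editing the
# file. The -v/--volatility argument takes precedence over both.
volatilityPath = os.environ.get("VOLATILITY_PATH", "/home/remnux/svn/trunk/vol.py")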
# <--- BEGIN FUNCTIONS --->
def md5sum(filename):
    """Return the hex MD5 digest of the file at *filename*, read in 8 KiB chunks.

    The digest is used by this script only as a stable key for the per-dump
    database name. MD5 is not collision resistant, so it must not be treated
    as an integrity proof for the dump itself; record SHA-256 separately for
    evidential purposes.
    """
    digest = hashlib.md5()
    chunk_size = 128 * digest.block_size
    with open(filename, 'rb') as handle:
        chunk = handle.read(chunk_size)
        while chunk:
            digest.update(chunk)
            chunk = handle.read(chunk_size)
    return digest.hexdigest()
#<--- END FUNCTIONS --->
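# Tried last when neither --volatility nor the module default points at vol.py.
FALLBACK_VOLATILITY_PATH = "/usr/local/bin/vol.py"

# SQL used to mark an optional stage as done, keyed by stage name so that no
# caller-supplied text is ever formatted into a statement.
_MARK_STAGE_DONE = {
    "investigation": "update info set investigation=1 where basic=1",
    "timeline": "update info set timeline=1 where basic=1",
}


def _say(message):
    """Write one line to stdout (avoids the Python 2-only print statement)."""
    sys.stdout.write(message + "\n")
    sys.stdout.flush()


def _die(message, status=1):
    """Write *message* to stderr and exit with a non-zero status.

    The original exited with status 0 on every error, so a wrapper could not
    tell a failed run from a successful one.
    """
    sys.stderr.write(message + "\n")
    sys.exit(status)


def _build_parser():
    """Return the argparse parser for the command line."""
    parser = argparse.ArgumentParser(description='Grabs information from a memory dump')
    parser.add_argument('-d', '--directory', metavar="PATH", required=True,
                        help='Directory to save the output of the commands to.')
    parser.add_argument('-f', '--filename', required=True,
                        help='The memory dump you wish to analyse.')
    parser.add_argument('-p', '--profile', required=True,
                        help='The profile of the memory dump being analysed')
    # The old help text claimed a /usr/bin default that the code never used.
    parser.add_argument('-v', '--volatility',
                        help='The full path to vol.py. If omitted or missing, the built-in '
                             'default and then %s are tried.' % FALLBACK_VOLATILITY_PATH)
    parser.add_argument('-i', '--investigation', action="store_true",
                        help='Enable investigation of dumped items with yara and clamav')
    parser.add_argument('-t', '--timeline', action="store_true",
                        help="Attempt to pull timeline artefacts")
    return parser


def _resolve_volatility(requested):
    """Return the first existing vol.py among *requested*, the module default and the fallback.

    Exits with status 1 when none exists, so a bad path fails here instead of
    when the first volatility command is spawned by a stage module. Previously
    the module default was used without any check whenever -v was omitted.
    """
    candidates = [requested] if requested else []
    candidates += [volatilityPath, FALLBACK_VOLATILITY_PATH]
    for candidate in candidates:
        if os.path.isfile(candidate):
            return candidate
        _say("vol.py does not exist at %s, trying next location." % candidate)
    _die("vol.py does not exist at any known location, check path.")


def _stage_runner(stage):
    """Return the callable that runs *stage* ('investigation' or 'timeline')."""
    if stage == "investigation":
        return investigationParse.investigationCommands
    if stage == "timeline":
        return timelineParse.timelineCommands
    raise ValueError("unknown stage %r" % (stage,))


def _run_stage(conn, stage, run_args):
    """Mark *stage* as done in the info table, commit, then run it.

    The flag is committed *before* the stage runs, as in the original script,
    so the stage module (which receives the database path and may open its own
    connection) never contends with an open write transaction here. The
    consequence is that a stage that crashes part-way stays marked as done;
    delete the database or clear the flag to re-run it.
    """
    _say("Updating info table for %s..." % stage)
    conn.execute(_MARK_STAGE_DONE[stage])
    conn.commit()
    _stage_runner(stage)(*run_args)


def _resume(conn, args, db_path, run_args):
    """Handle a dump whose database already exists: run only the stages not yet done.

    Reads the single info row with explicitly named columns (rather than
    relying on SELECT * ordering) and refuses to proceed when a requested
    stage is already recorded as done. An empty info table used to raise a
    NameError from the never-assigned toggle variables.
    """
    row = conn.execute(
        "select investigation, timeline, profile, basic from info").fetchone()
    if row is None:
        _die("Database %s exists but its info table is empty; remove it to start over." % db_path)
    investigation_done, timeline_done, stored_profile, basic_done = row

    if basic_done != 1:
        # NOTE(review): the original printed "We already did the basics piece..."
        # in this branch, which contradicts basic != 1 (the listing's lost
        # indentation makes the intended nesting ambiguous); treat it as a
        # database whose basic stage never completed.
        _die("Database %s has no completed basic run; remove it to start over." % db_path)

    if stored_profile is not None and str(stored_profile) != args.profile:
        # The database is keyed by the dump hash only, so a different profile
        # would silently mix results from two profiles into the same tables.
        _say("[!] Warning: database was created with profile %s, but %s was given."
             % (stored_profile, args.profile))

    wanted = (("investigation", args.investigation, investigation_done),
              ("timeline", args.timeline, timeline_done))
    already_done = [name for name, asked, done in wanted if asked and done == 1]
    if already_done:
        # Both stages are checked up front so nothing runs before bailing out
        # (the original ran investigation and only then rejected -t).
        _die("We already did the %s piece for this... please change your parameters"
             % " and ".join(already_done))

    to_run = [name for name, asked, done in wanted if asked and done != 1]
    if not to_run:
        _say("We already did the basics piece...")
        return
    for stage in to_run:
        _run_stage(conn, stage, run_args)


def _start_fresh(conn, args, db_path, run_args):
    """Create the info table for a new dump, run the basic stage, then any requested stage."""
    _say("Database does not exist, creating!")
    conn.execute('create table info (investigation integer, timeline integer, profile text, basic integer)')
    # Parameterised: the profile is command-line input and was previously
    # %-formatted straight into the SQL text.
    conn.execute('insert into info (investigation, timeline, profile, basic) values (0, 0, ?, 1)',
                 (args.profile,))
    conn.commit()
    _say("Database created in location: " + db_path + ". Moving on....")
    basicParse.basicCommands(*run_args)
    for stage, asked in (("investigation", args.investigation), ("timeline", args.timeline)):
        if asked:
            _run_stage(conn, stage, run_args)


def main():
    """Validate the command line, locate vol.py, then run the requested stages.

    The SQLite database in the output directory is named after the MD5 of the
    dump and records which stages have run, so re-running on the same dump
    performs only the stages that were not done before.
    """
    args = _build_parser().parse_args()
    _say("Start time : %s" % (time.localtime(),))

    vol_path = _resolve_volatility(args.volatility)

    filename = args.filename
    if not os.path.isfile(filename):
        _die("File does not exist... try again!")

    output = os.path.abspath(args.directory)
    if not os.path.isdir(output):
        # NOTE(review): created with the process umask. Dumped files and plugin
        # output from a memory image can contain credentials and keys; a
        # restrictive umask (or mode 0o700 here) is worth considering.
        os.makedirs(output)

    _say("File to be analysed:  %s" % filename)
    _say("[+] Saving to:  %s" % output)

    # MD5 is only a stable key for the per-dump database, not an integrity
    # proof; if the dump is evidence, record a SHA-256 of it separately.
    dump_md5 = md5sum(filename)
    _say("MD5 of the memory dump is " + dump_md5 + ". Checking to see if it already exists...")
    db_path = os.path.join(output, dump_md5)
    run_args = (output, vol_path, filename, args.profile, db_path)

    resuming = os.path.isfile(db_path)
    # One connection for the whole run, always closed. The original closed the
    # cursor/connection after the investigation update and then used it again
    # for the timeline update, so -i and -t together raised ProgrammingError.
    conn = sqlite3.connect(db_path)
    try:
        if resuming:
            _resume(conn, args, db_path, run_args)
        else:
            _start_fresh(conn, args, db_path, run_args)
    finally:
        conn.close()

    _say("Done!")
    _say("End Time : %s" % (time.localtime(),))


if __name__ == "__main__":
    main()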