last linux commit before bug grep

GUI/createcase.py

@@ -373,7 +373,10 @@ def startProcessingButtonClicked(self):
         # an invalid file was given for processing
         except RegAcquireError, e:
             self.handle_parse_error(e)
-
+
+        except RegBadEvidenceError, e:
+            self.handle_parse_error(e)      
+
         # everything added, lets do some forensics!
         else:
             # delete all our scratch files / databases
@@ -384,7 +387,6 @@ def handle_parse_error(self, e):
         print "error: %s" % str(e)
         traceback.print_exc(file=sys.stdout)
 
-
         self.caseInformationButtonClicked(1)
         self.gui.stackedWidget.setCurrentIndex(common.ADD_EVIDENCE)    
 

GUI/guicommon.py

@@ -390,7 +390,7 @@ def get_reg_fileids(self, treename):
 
     return ret
 
-def get_path_popup(self, userpath):
+def get_tree_node(self, userpath=""):
 
     ret = None
 
@@ -411,17 +411,14 @@ def get_path_popup(self, userpath):
         if path[-1] == "\\":
             path = path[:-1]
 
-        ret = unicode(self.tapi.get_path(path))
+        fullpath = unicode(self.tapi.get_path(path))
+
+        ret = get_path_node(self, fullpath)
 
     return ret
 
-def get_tree_node(self, userpath=""):
+def get_path_node(self, path):
 
-    path = get_path_popup(self, userpath)
-
-    if not path:
-        return None
-
     nodes = self.tapi.root_path_node(path)     
 
     if nodes:
@@ -667,7 +664,7 @@ def on_action_fileview(self):
                 bad = 1
                 break
 
-        if not bad:
+        if not bad and index:
             tree.setCurrentIndex(index)
         else:
             self.ref_obj.gui.msgBox("The given path could not be found in the tree.")    

GUI/searchtab.py

@@ -312,12 +312,6 @@ def get_current_row_node(self):
 
         return node
 
-    def get_tree_node(self):
-
-        node  = self.get_current_row_node()
-
-        return node
-
     # gets all the search hits into a list of searchmatch objects
     def get_search_hits(self, searchterm, partialsearch, searchKeys, searchNames, searchData):
 

acquirefiles/acquire_files.py

@@ -169,7 +169,8 @@ def open_hive(self, fs, directory, fname, raiseex=1):
                 f = fs.open(path=fpath)
             except:
                 if raiseex:
-                    raise RDError("BUG: could not find a valid name for %s" % fpath)
+                    print "BUG: could not find a valid name for %s" % fpath
+                    #raise RDError("BUG: could not find a valid name for %s" % fpath)
 
                 f = None
 
@@ -339,7 +340,7 @@ def parse_system_restore(self, fs, directory, group_id):
             if fname.startswith("RP"):
 
                 # only process still allocated restore points
-                if subdir.info.meta and subdir.info.meta.flags == 1: 
+                if subdir.info.meta and (int(subdir.info.meta.flags) & 1) == 1: 
                     subdir = fs.open_dir(inode=subdir.info.meta.addr)
 
                     for f in subdir:
@@ -350,7 +351,14 @@ def parse_system_restore(self, fs, directory, group_id):
 
                             # grab the registry files
                             self.parse_rp_folder(fs, f, fname, group_id)
+                else:
+                    if not subdir.info.meta:
+                        flags = -42
+                    else:
+                        flags = subdir.info.meta.flags
 
+                    print "skipping dir %s | %d" % (fname, flags)
+
 
     def handle_sys_restore(self, fs):
 
@@ -417,7 +425,14 @@ def is_e01file(self, filepath):
 
         return  re.search('^(.E\d{1,})$', ext)
 
-    def get_e01names(self, filepath):
+    def is_splitfile(self, filepath):
+
+        base, ext = os.path.splitext(filepath)
+
+        return  re.search('^(.\d{1,})$', ext)
+
+
+    def get_names(self, filepath, func):
 
         dirname = os.path.dirname(filepath)
 
@@ -428,11 +443,10 @@ def get_e01names(self, filepath):
 
             for filename in filenames:
 
-                if self.is_e01file(filename):
+                if func(filename):
 
                     files.append(os.path.join(dirname, filename))
 
-
         # so ugly that this is done in-place
         files.sort()
 
@@ -444,19 +458,20 @@ def get_img_info(self, filepath):
         if self.is_e01file(filepath):
 
             # we need to grab all the files of type this
-            files = self.get_e01names(filepath)
+            files = self.get_names(filepath, self.is_e01file)
 
-            try:
-                img = EWFImgInfo(*files)
-            except Exception, e:
-                # TODO
-                print "BUG: Unable to open EWF file: %s | %s" % (filepath, str(e))
+            img = EWFImgInfo(*files)
 
-            print "e01 image -> %s" % filepath
+        # split
+        elif self.is_splitfile(filepath):
+
+            files = self.get_names(filepath, self.is_splitfile)
+
+            img = SplitImage(*files)
 
+        # regular dd/raw
         else:
             img = pytsk3.Img_Info(filepath)
-            print "normal dd -> %s" % filepath
 
         return img
 
@@ -470,7 +485,6 @@ def get_offsets(self, img):
             # volume info (partitions) 
             volinfo = pytsk3.Volume_Info(img)
         except Exception, e:
-            print "cant open as volume: %s" % str(e)
             return [(0, 0)]
 
         block_size = volinfo.info.block_size

errorclasses.py

@@ -62,6 +62,14 @@ def __init__(self, value):
     def __str__(self):
         return self.value
 
+class RegBadEvidenceError(Exception):
+
+    def __init__(self, value):
+        self.value = value
+
+    def __str__(self):
+        return self.value
+
 
 
 

initial_processing/acquire_files.py

@@ -137,6 +137,16 @@ def determine_type_sig(self, evidence_file):
 
         return ret                
 
+    def continuebox(self, evidence_file, gui_ref):
+
+        cont = gui_ref.gui.yesNoDialog("Unable to process %s" % evidence_file, "Would you like to skip this file?") 
+
+        if cont:
+            return -1
+        else:
+            gui_ref.gui.msgBox("Unable to process evidence file %s. Exiting." % evidence_file)
+            raise RegAcquireError(evidence_file)
+
     # this gathers the evidence from input files for second stange processing
     def acquire_from_file(self, evidence_file, gui_ref):
 
@@ -146,15 +156,9 @@ def acquire_from_file(self, evidence_file, gui_ref):
             evidence_type = self.determine_type_sig(evidence_file)
 
         if evidence_type[0] == UNKNOWN:
-
-            cont = gui_ref.gui.yesNoDialog("Unable to process %s" % evidence_file, "Would you like to skip this file?") 
-
-            if cont:
-                evidence_type = -1  
-            else:
-                gui_ref.gui.msgBox("Unable to process evidence file %s. Exiting." % evidence_file)
-                raise RegAcquireError(evidence_file)
-
+
+            evidence_type = self.continuebox(evidence_file, gui_ref)
+
         elif evidence_type[0] == DD:
             # pytsk3
             ac = aqfile.acquire_files(gui_ref.directory, gui_ref)
@@ -167,7 +171,11 @@ def acquire_from_file(self, evidence_file, gui_ref):
                 acq_current = gui_ref.gui.acquire_current
                 acq_backup  = gui_ref.gui.acquire_backups
 
-            ac.acquire_files(evidence_file, acq_current, acq_backup)
+            # this hits on a broken filesystem
+            try:
+                ac.acquire_files(evidence_file, acq_current, acq_backup)
+            except:
+                evidence_type = self.continuebox(evidence_file, gui_ref)                    
 
         elif evidence_type[0] == SINGLEFILE:
             self.add_single_file(evidence_file, evidence_type[1], gui_ref)            

initial_processing/evidence_database.py

@@ -125,7 +125,8 @@ def fill_db_info(self, hive_name, fullpath, hashit=1):
             evidence_type = self.guess_type(hive_name)
 
         if not evidence_type and hive_name:
-            raise MsgBoxError("Couldnt find type for %s -> %s" % (hive_name, fullpath))
+            print "Couldnt find type for %s -> %s" % (hive_name, fullpath)
+            #raise MsgBoxError("Couldnt find type for %s -> %s" % (hive_name, fullpath))
 
         return (md5, mtime, evidence_type)
 

opencase.py

@@ -22,7 +22,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 #
-import sys, os, struct, cPickle, sqlite3
+import sys, os, struct, cPickle, sqlite3, getopt
 
 from datastructures.tree.paralleltree import *
 
@@ -139,27 +139,41 @@ def opencaseobj(self):
         self.case_directory = self.directory
 
 
+
+def usage():
+
+    print "python openmain.py <case directory> <plugin name> <file id> <extra plugin directory (optional)>"
+    print "See the instructions file for complete description"
+    sys.exit(1)
+
 def main():
 
-    case_dir = sys.argv[1]
 
-    o = opencase(case_dir)
-
-    o.current_fileid = int(sys.argv[3])
+    try:
+        case_dir    = sys.argv[1]
+        plugin_name = sys.argv[2]
+        fileid      = int(sys.argv[3])
+    except:
+        usage()
 
-    root = o.tree.rootnode(o.current_fileid)
+    try:
+        extra = sys.argv[4]
+        extra = extra.split(";") 
+    except:
+        extra = []
+
+    # open the case and get the tree
+    o = opencase(case_dir)
+    o.current_fileid = fileid
 
     tm = tmmod.TemplateManager()
-    tm.load_templates(o)
+    tm.load_templates(o, extra)
 
     templates = tm.get_loaded_templates()
 
-    plugin_name = sys.argv[2]
-
     ran = 0
 
     for t in templates:
-        #print t.name
         if t.pluginname == plugin_name:
             t.run_me()
             ran = 1

start_processing.py

@@ -35,6 +35,8 @@
 from datastructures.tree.paralleltree import *
 from datastructures.strings.stringtable import *
 from guicontroller import *
+from errorclasses import *
+
 import common, opencase
 
 # whether to profile the run through command line
@@ -187,7 +189,7 @@ def perform_processing(self, gui_ref):
 
             # user chose not to skip file, need to force re-adding of evidence
             elif etype == -2:
-                return False                
+                raise RegBadEvidenceError(evidence_file)
 
             else:
                 etype = etype[0]
@@ -198,11 +200,10 @@ def perform_processing(self, gui_ref):
         # remove files that could not be processed
         gui_ref.evidence_list = [item for idx,item in enumerate(gui_ref.evidence_list) if idx not in skip_indexes]
 
-
         # check if any valid files were added
         if len(gui_ref.evidence_list) == 0:
             gui_ref.gui.msgBox("No valid files were added as evidence. Cannot Proceed.")
-            return False
+            raise RegBadEvidenceError("No valid files")
 
         # write out evidence information to evidence_database.db
         self.evidence_db.write_evidence_database(gui_ref, ehash, case_obj)