Merge pull request #132 from steffenfritz/110-change-report-on-existe…

…nce-of-xattrs 110 change report on existence of xattrs
steffenfritz · Jan 4, 2025 · 36179b7 · 36179b7
2 parents 39d2c98 + f1bb154
commit 36179b7
Show file tree

Hide file tree

Showing 20 changed files with 1,345 additions and 25 deletions.
diff --git a/cmd/admftrove/Makefile b/cmd/admftrove/Makefile
@@ -1,7 +1,7 @@
 ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 
 BINARY=admftrove
-VERSION=1.0.0-BETA-1
+VERSION=1.0.0-BETA-4
 BUILD=`git rev-parse --short HEAD`
 PLATFORMS=darwin linux windows
 ARCHITECTURES=amd64

diff --git a/cmd/admftrove/main.go b/cmd/admftrove/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"log/slog"
 	"os"
 	"time"
@@ -10,7 +11,7 @@ import (
 )
 
 // Version holds the version of FileTrove and is set by the build system
-var Version string = "v1.0.0-DEV-16"
+var Version string = "v1.0.0-RANDOM"
 
 // Build is not used anymore since DEV-11
 // Build holds the sha1 fingerprint of the build and is set by the build system
@@ -26,9 +27,14 @@ func main() {
 	createNSRL := flag.String("creatensrl", "", "Create or update a BoltDB file from a text file. A source file MUST be provided.")
 	nsrlversion := flag.String("nsrlversion", "", "NSRL version flag. This string will be used for ftrove's session information.")
 	updateDB := flag.String("updatedb", "", "Update a filetrove sqlite database to the next version. Expects the directory of the database file.")
+	version := flag.Bool("version", false, "Show version")
 
 	flag.Parse()
 
+	if *version {
+		fmt.Println("admftrove supports FileTrove version: " + Version)
+	}
+
 	if len(*createNSRL) != 0 {
 		err := ft.CreateNSRLBoltDB(*createNSRL, *nsrlversion, "nsrl.db")
 		if err != nil {
@@ -300,5 +306,59 @@ func main() {
 
 		}
 
+		// Update version 1.0.0-BETA-3 --> 1.0.0-BETA-4
+		if instversion == "1.0.0-BETA-3" {
+			_, err = ftdb.Exec("UPDATE filetrove SET version = '1.0.0-BETA-4' where version = '1.0.0-BETA-3'")
+			if err != nil {
+				logger.Error("Could not update database", slog.String("error", err.Error()))
+				return
+			}
+			_, err = ftdb.Exec("CREATE TABLE xattr(xattruuid TEXT, sessionuuid TEXT, fileuuid TEXT, xattrname TEXT,xattrvalue TEXT)")
+			if err != nil {
+				logger.Error("Could not update database", slog.String("error", err.Error()))
+				return
+			}
+
+			_, err = ftdb.Exec("CREATE TABLE ntfsads(ntfsadsuuid TEXT, sessionuuid TEXT, fileuuid TEXT, adsname TEXT, adsvalue TEXT)")
+			if err != nil {
+				logger.Error("Could not update database", slog.String("error", err.Error()))
+				return
+			}
+
+			_, err = ftdb.Exec("CREATE TABLE sessionsmd_beta4(uuid TEXT, starttime TEXT, endtime TEXT, project TEXT, archivistname TEXT, mountpoint TEXT, pathseparator TEXT, exifflag TEXT, dublincoreflag TEXT, yaraflag TEXT, yarasource TEXT, xattrflag TEXT, ntfsadsflag TEXT, filetroveversion TEXT, filetrovedbversion TEXT, nsrlversion TEXT, siegfriedversion TEXT, goversion TEXT)")
+			if err != nil {
+				logger.Error("Could not create new session table", slog.String("error", err.Error()))
+				return
+			}
+
+			_, err = ftdb.Exec("INSERT INTO sessionsmd_beta4 (uuid, starttime, endtime, project, archivistname, mountpoint, pathseparator, exifflag, dublincoreflag, yaraflag, yarasource, filetroveversion, filetrovedbversion, nsrlversion, siegfriedversion, goversion) SELECT uuid, starttime, endtime, project, archivistname, mountpoint, pathseparator, exifflag, dublincoreflag, yaraflag, yarasource, filetroveversion, filetrovedbversion, nsrlversion, siegfriedversion, goversion  from sessionsmd")
+			if err != nil {
+				logger.Error("Could not copy old sessions table to transition table", slog.String("error", err.Error()))
+				return
+			}
+
+			_, err = ftdb.Exec("ALTER TABLE sessionsmd RENAME TO sessionsmd_beta3")
+			if err != nil {
+				logger.Error("Could not rename old sessions table", slog.String("error", err.Error()))
+				return
+			}
+
+			_, err = ftdb.Exec("ALTER TABLE sessionsmd_beta4 RENAME TO sessionsmd")
+			if err != nil {
+				logger.Error("Could not rename new sessions table", slog.String("error", err.Error()))
+				return
+			}
+
+			updatetime := time.Now().Format(time.RFC3339)
+			_, err = ftdb.Exec("UPDATE filetrove SET lastupdate = ?", updatetime)
+			if err != nil {
+				logger.Error("Could not update last update time.", slog.String("error", err.Error()))
+				return
+			}
+			logger.Info("FileTrove database updated to version 1.0.0-BETA-4.")
+			return
+
+		}
+
 	}
 }
diff --git a/cmd/ftrove/Taskfile.yml b/cmd/ftrove/Taskfile.yml
@@ -1,6 +1,6 @@
 version: '3'
 env:
-  VERSION: 1.0.0-BETA-3
+  VERSION: 1.0.0-BETA-4
   CGO_ENABLED: "1"
 
 tasks:

diff --git a/cmd/ftrove/main.go b/cmd/ftrove/main.go
@@ -59,6 +59,7 @@ func main() {
 	// updateFT := flag.BoolP("update-all", "u", false, "Update FileTrove, siegfried and NSRL.")
 	printversion := flag.BoolP("version", "v", false, "Show version and build.")
 	verbose := flag.BoolP("verbose", "V", false, "Print messages also to the terminal (stdout).")
+	xattrcheck := flag.BoolP("xattr", "x", false, "Read extended attributes (xattr) from files if available")
 
 	flag.Parse()
 
@@ -113,6 +114,9 @@ func main() {
 		sessionmd.Yaraflag = "True"
 		sessionmd.Yarasource = *grepYARA
 	}
+	if *xattrcheck {
+		sessionmd.XattrFlag = "True"
+	}
 
 	// Print banner or version on startup
 	ft.PrintBanner()
@@ -247,6 +251,10 @@ func main() {
 		dcFlagSet := sessionValues[8]
 		// DOC: Value 9 MUST be the flag result of YARA. We translate for clarity.
 		yaraFlagSet := sessionValues[9]
+		// DOC: Value 11 MUST be the flag result of XATTR.
+		xattrFlagSet := sessionValues[11]
+		// DOC: Value 12 MUST be the flag result of NTFS ADS.
+		// ntfsadsFlagSet := sessionValues[12]
 
 		err = ft.ExportSessionFilesTSV(*exportSessionToTSV)
 		if err != nil {
@@ -282,7 +290,14 @@ func main() {
 				logger.Error("Error while exporting YARA identified files from session to TSV file.", slog.String("error", err.Error()))
 				os.Exit(1)
 			}
+		}
 
+		if xattrFlagSet == "True" {
+			err = ft.ExportXATTRTSV(*exportSessionToTSV)
+			if err != nil {
+				logger.Error("Error while exporting extended attributes from session to TSV file.", slog.String("error", err.Error()))
+				os.Exit(1)
+			}
 		}
 
 		logger.Info("Export successful.")
@@ -368,6 +383,7 @@ func main() {
 		nsrlcount = ri.NSRLFiles
 
 		// ToDo: Get Yara information for resuming sessions
+		// ToDo: Read all flags from session table and overwrite flags
 	}
 
 	// Prepare statement to add file scan results to database
@@ -442,6 +458,12 @@ func main() {
 		}
 	}
 
+	// Prepare Xattr insert statement, used later
+	prepXattrInsert, err := ft.PrepInsertXattr(ftdb)
+	if err != nil {
+		logger.Error("Could not prepare an insert statement for XATTR.", slog.String("error", err.Error()))
+	}
+
 	// Inspect every file in filelist
 	// Set up the progress bar
 	bar := progressbar.Default(int64(len(filelist)))
@@ -595,6 +617,25 @@ func main() {
 
 		}
 
+		// Check for XATTR
+		if *xattrcheck {
+			filexattrmap, err := ft.GetXattr(file)
+			if err != nil {
+				logger.Warn("Could not read Extended Attributes (xattr)", slog.String("warn", err.Error()))
+			}
+
+			for k, v := range filexattrmap {
+				xattruuid, err := ft.CreateUUID()
+				if err != nil {
+					logger.Warn("Could not create UUID for Extended Attributes", slog.String("error", err.Error()))
+				}
+				_, err = prepXattrInsert.Exec(xattruuid, sessionmd.UUID, fileuuid, k, v)
+				if err != nil {
+					logger.Error("Could not add Extended Attributes to database", slog.String("error", err.Error()))
+				}
+			}
+		}
+
 		filecount += 1
 		bar.Add(1)
 	}

diff --git a/database_schema.dbml b/database_schema.dbml
@@ -42,7 +42,8 @@ TABLE dublincore{
   coverage TEXT
 }
 
-TABLE files {fileuuid TEXT
+TABLE files {
+  fileuuid TEXT
   sessionuuid TEXT
   filename TEXT
   filepath TEXT
@@ -101,10 +102,30 @@ TABLE yara{
   rulename TEXT
 }
 
+TABLE xattr{
+  xattruuid TEXT
+  sessionuuid TEXT
+  fileuuid TEXT
+  xattrname TEXT
+  xattrvalue TEXT
+}
+
+TABLE ntfsads{
+  ntfsadsuuid TEXT
+  sessionuuid TEXT
+  fileuuid TEXT
+  adsname TEXT
+  adsvalue TEXT
+}
+
 Ref: files.sessionuuid > sessionsmd.uuid
 Ref: exif.sessionuuid > sessionsmd.uuid
 Ref: exif.fileuuid > files.fileuuid
 Ref: directories.sessionuuid > sessionsmd.uuid
 Ref: dublincore.sessionuuid > sessionsmd.uuid
 Ref: yara.sessionuuid > sessionsmd.uuid
 Ref: yara.fileuuid > files.fileuuid
+Ref: xattr.sessionuuid > sessionsmd.uuid
+Ref: xattr.fileuuid > files.fileuuid
+Ref: ntfsads.sessionuuid > sessionsmd.uuid
+Ref: ntfsads.fileuuid > files.fileuuid