1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
/*
** The Sleuth Kit
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
** Copyright (c) 2010-2019 Brian Carrier. All Rights reserved
**
** This software is distributed under the Common Public License 1.0
**
*/
/**
* \file LogicalImagerConfiguration.h
* Contains the class definitions for the Logicial Imager Rule Configuration.
*/
#include <fstream>
#include <iostream>
#include <iterator>
#include <map>
#include <sstream>
#include <locale>
#include <iomanip>
#include <exception>
#include "LogicalImagerConfiguration.h"
#include "LogicalImagerRuleSet.h"
#include "Version.h"
/**
* Implement the logical imager configuration.
*
*/
LogicalImagerConfiguration::~LogicalImagerConfiguration() {
for (std::vector<LogicalImagerRuleSet *>::const_iterator iter = m_ruleSets.begin(); iter != m_ruleSets.end(); ++iter) {
delete *iter;
}
}
/*
* Construct the LogicalImagerRuleSet based on a configuration filename
* The configuration file is in JSON format.
* It has the following key and values.
* "finalize_image_writer" is optional. Default is false. If true, it will finalize the image writer by writing the
* remaing sectors to the sparse_image.vhd file.
* "rule-sets" is required. It is a list of rule-set.
* A rule set is has a "set-name" (required) and a list of "rules"
* A rule is has the following key/value pairs:
"name" - name of the rule (required)
"description" - rule description (required)
"shouldSave" is optional. Default is true. If true, any matched files will be save to the sparse_image.vhd.
"shouldAlert" is optional. Default is false. If true, an alert record will be send to the console and the alert file.
An example:
{
"finalize-image-writer": false,
"rule-sets": [
{
"set-name": "rule-set-full-paths",
"rules": [
{
"name": "rule-1",
"description": "a full path rule",
"shouldSave": true,
"shouldAlert": true,
"full-paths": [
"Documents and Settings/All Users/Documents/My Pictures/Sample Pictures/Sunset.jpg",
"Documents and Settings/All Users/Documents/My Pictures/Sample Pictures/WINTER.JPG",
"/Documents and Settings/All Users/Documents/My Pictures/Sample Pictures/Blue hills.jpg"
]
}
]
},
{
"set-name": "rule-set-full-paths-2",
"rules": [
{
"name": "rule-2",
"description": "a full path rule 2",
"shouldSave": true,
"shouldAlert": true,
"full-paths": [
"Documents and Settings/All Users/Documents/My Pictures/Sample Pictures/Sunset.jpg",
"/AUTOEXEC.BAT"
]
}
]
},
{
"set-name": "rule-set-1",
"rules": [
{
"name": "example-rule-1",
"description": "find file with extension png",
"shouldSave": true,
"shouldAlert": true,
"extensions": [
"png",
"gif"
],
"folder-names": [
"Google"
]
},
{
"name": "example-rule-2",
"description": "Find all 'readme.txt' and 'autoexec.bat' files",
"shouldSave": true,
"shouldAlert": true,
"file-names": [
"readme.txt",
"autoexec.bat"
]
},
{
"name": "example-rule-3",
"description": "find files newer than 2012-03-22",
"shouldSave": false,
"shouldAlert": true,
"date-range": {
"min": "2012-03-22"
}
},
{
"name": "example-rule-4",
"shouldAlert": false,
"shouldSave": true,
"description": "find files newer than 30 days",
"date-range": {
"min-days": 30
}
},
{
"name": "example-rule-5",
"description": "find all png files under the user folder",
"shouldSave": true,
"shouldAlert": true,
"extensions": [
"png"
],
"folder-names": [
"[USER_FOLDER]/My Documents/Downloads"
]
}
]
},
{
"set-name": "rule-set-3",
"rules": [
{
"name": "rule-1",
"description": "find file with extension jpg",
"shouldSave": true,
"shouldAlert": true,
"extensions": [
"jpg"
],
"folder-names": [
"My Pictures"
]
}
]
},
{
"set-name": "encryption-rule",
"rules": [
{
"name": "encryption-rule",
"description": "find encryption programs",
"shouldSave": true,
"shouldAlert": true,
"file-names": [
"truecrypt.exe"
]
}
]
}
]
}
* @param configFilename Configuration filename of the rule set
* @param callbackFunc A callback function when a file matches.
* @throws std::logic_error if there is any error
*/
LogicalImagerConfiguration::LogicalImagerConfiguration(const std::string &configFilename, LogicalImagerRuleSet::matchCallback callbackFunc) :
m_callbackFunc(callbackFunc)
{
std::ifstream file(configFilename);
if (!file) {
throw std::logic_error("ERROR: failed to open configuration file " + configFilename);
}
std::stringstream buffer;
buffer << file.rdbuf();
file.close();
std::string str = buffer.str();
nlohmann::json configJson;
try {
configJson = nlohmann::json::parse(str);
}
catch (std::exception &e) {
throw std::logic_error("ERROR: parsing configuration file " + configFilename + "\n" + e.what());
}
bool hasError = false;
std::string errorStr;
const std::string newline("\n");
for (auto it = configJson.begin(); it != configJson.end(); it++) {
if (it.key() == "rule-sets") {
for (auto ruleSetIter = it.value().begin(); ruleSetIter != it.value().end(); ++ruleSetIter) {
nlohmann::json ruleSetValue = ruleSetIter.value();
std::vector<std::pair<const MatchedRuleInfo *, std::vector<LogicalImagerRuleBase *>>> rules;
LogicalImagerRuleSet *ruleSet = new LogicalImagerRuleSet();
ruleSet->constructRuleSet(ruleSetValue, rules);
m_ruleSets.push_back(ruleSet);
}
}
else if (it.key() == "create-VHD") {
it.value().get_to(m_createVHD);
}
else if (it.key() == "finalize-image-writer") {
it.value().get_to(m_finalizeImageWriter);
}
else if (it.key() == "prompt-before-exit") {
it.value().get_to(m_promptBeforeExit);
}
else if (it.key() == "version") {
it.value().get_to(m_version);
}
}
if (hasError) {
throw std::logic_error("ERROR: parsing configuration file " + configFilename + newline + errorStr);
}
// check version
Version currentVersion(m_currentVersion);
Version version(m_version);
if (!(version == currentVersion || version < currentVersion)) {
throw std::logic_error("ERROR: unsupported configuration version " + m_version
+ ". Supported version is "
+ m_currentVersion + " or less.");
}
}
/**
* Given a file and its path, match it using the logical imager rule set.
* All rules in a single set must matched (ANDed)
* May extract and/or alert depending on the rule setting.
*
* @param fs_file TSK_FS_FILE containing the filename
* @param path parent path to fs_file
* @returns TSK_RETVAL_ENUM TSK_OK if match has no errors.
*/
TSK_RETVAL_ENUM LogicalImagerConfiguration::matches(TSK_FS_FILE *fs_file, const char *path) const {
for (std::vector<LogicalImagerRuleSet *>::const_iterator iter = m_ruleSets.begin(); iter != m_ruleSets.end(); ++iter) {
(void)(*iter)->matches(fs_file, path, m_callbackFunc);
}
return TSK_OK;
}
/**
* Return a list of full-paths rule sets in the Logical Imager Configuration
* @returns each element in the list consists of a MatchedRuleInfo and a list of full-paths.
*/
const std::vector<std::pair<const MatchedRuleInfo *, std::list<std::string>>> LogicalImagerConfiguration::getFullFilePaths() const
{
std::vector<std::pair<const MatchedRuleInfo *, std::list<std::string>>> vector;
for (std::vector<LogicalImagerRuleSet *>::const_iterator iter = m_ruleSets.begin(); iter != m_ruleSets.end(); ++iter) {
vector.push_back((*iter)->getFullFilePaths());
}
return vector;
}
|
