'''
Script Name: pa_sqlite.py
Version: 1
Revised Date: 10/30/2015
Python Version: 2
Description: A Cellebrite Physical Analyzer plugin to enumerate file systems looking for sqlite dbs.
Copyright: 2015 Mike Felch <mike@linux.edu>
URL: http://www.forensicpy.com/
--
- ChangeLog -
v1 - [10-30-2015]: Wrote original code
'''
import datetime
import glob
import hashlib
import math
import os
from collections import Counter

from physical import *
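def entropy(data):
    """Return the Shannon entropy of *data* in bits per symbol (0.0 .. 8.0).

    Args:
        data: the byte string to measure (Python 2 ``str`` or Python 3
            ``bytes``); a text ``str`` is measured per character.

    Returns:
        A float.  Empty input yields ``0.0``.  Values close to 8 mean the
        content is uniformly distributed, i.e. most likely encrypted or
        compressed rather than a plain SQLite file -- which is why the
        value is logged next to every carved database.
    """
    if not data:
        return 0.0
    total = float(len(data))
    # Single pass over the data via Counter instead of 256 count() scans.
    # This also works on Python 3 bytes, where the old
    # data.count(chr(x)) raised TypeError (bytes needs a bytes needle).
    return sum(
        -(n / total) * math.log(n / total, 2)
        for n in Counter(data).values()
    )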
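# Where carved databases and the TSV log are written.  Must be writable by the
# Physical Analyzer process; it is created below if it does not exist.
local_dir = 'c:\\dbs\\'

# Extensions treated as "a SQLite database", matched case-insensitively on the
# node's absolute path.  Extend the tuple (e.g. '.sqlite', '.sqlitedb') to
# widen the sweep; matching is by name only, the content is never sniffed.
DB_SUFFIXES = ('.db',)

# Columns of databases.log, in the order existing consumers expect.  Every row
# written below emits exactly one value per column (the old code skipped
# Status, so MD5 and the timestamps landed one column to the left).
LOG_COLUMNS = ('FileSystem', 'Path', 'File', 'Size', 'Entropy', 'Status',
               'MD5', 'Created', 'Modified', 'Accessed')


def _safe_name(name):
    """Reduce an image-supplied filename to one safe path component.

    Node names come from the evidence image and are untrusted: a name
    containing '..\\' or '/' would otherwise let open() write outside
    local_dir.  Both separator styles are stripped (the plugin runs on
    Windows, the image is usually POSIX) and anything outside
    [A-Za-z0-9._-] becomes '_'.  Empty or dot-only results get a
    placeholder so the output path is never a directory.
    """
    leaf = name.replace('\\', '/').rsplit('/', 1)[-1]
    leaf = ''.join(c if c.isalnum() or c in '._-' else '_' for c in leaf)
    if leaf in ('', '.', '..'):
        leaf = 'unnamed'
    return leaf


def _timestamp(value):
    """Render a PA TimeStamp as text; '' when the node carries none."""
    return str(value) if isinstance(value, TimeStamp) else ''


def _field(text):
    """Flatten one text value so it cannot break the tab-separated layout.

    Paths and names from the image may contain tabs or line breaks, which
    would inject extra columns or rows into the log.
    """
    for bad in ('\t', '\r', '\n'):
        text = text.replace(bad, ' ')
    return text


if not os.path.isdir(local_dir):
    os.makedirs(local_dir)

# 'with' so the log is closed (and flushed) even if a node read raises.
# The old name 'file' also shadowed the Python 2 builtin.
with open(local_dir + 'databases.log', 'w') as log:
    log.write('\t'.join(LOG_COLUMNS) + '\n')
    for fs in ds.FileSystems:
        for node in fs.GetAllNodes():
            if not node.AbsolutePath.lower().endswith(DB_SUFFIXES):
                continue
            # Read the node exactly once through node.Data (the accessor the
            # dump already used); the old code read it a second time through
            # f.read() for the hash.  Zero-length nodes are not read at all.
            db_data = node.Data.read() if node.Size > 0 else b''
            # MD5 here is a content fingerprint for naming/dedup, not a
            # tamper-evident integrity hash; log a SHA-256 too if the output
            # has to stand up as evidence.
            md5hash = hashlib.md5(db_data).hexdigest()
            # Prefix with the content hash: many apps ship files of the same
            # name (several 'cache.db', for instance) and writing to a bare
            # node.Name silently overwrote earlier extractions.
            out_path = local_dir + md5hash + '_' + _safe_name(node.Name)
            # Binary mode: text mode on Windows rewrites '\n' as '\r\n' and
            # corrupts the database.
            with open(out_path, 'wb') as db_file:
                db_file.write(db_data)
            row = (
                _field(fs.Name),
                _field(node.AbsolutePath),
                _field(node.Name),
                str(node.Size),
                str(entropy(db_data)),
                '',  # Status: nothing computes it; kept so columns line up
                md5hash,
                _timestamp(node.CreationTime),
                _timestamp(node.ModifyTime),
                _timestamp(node.AccessTime),
            )
            log.write('\t'.join(row) + '\n')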