
📄 sorter.base

📁 linux下开发的针对所有磁盘的数据恢复的源码
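#
# The Sleuth Kit
#
# Brian Carrier [carrier <at> sleuthkit [dot] org]
# Copyright (c) 2003-2008 Brian Carrier.  All rights reserved
#
# TASK
# Copyright (c) 2002-2003 Brian Carrier, @stake Inc.  All rights reserved
#
# This software is distributed under the Common Public License 1.0

use strict;
use integer;

# NOTE(review): $DATA_DIR, $BIN_DIR and $VER are used below but are not
# declared in the visible part of this file; presumably they are supplied
# ahead of this text (e.g. by a build step) - confirm.
my $SHARE_DIR = "$DATA_DIR/tsk3/sorter/";

# Sleuth Kit tools, addressed by full path under $BIN_DIR.
my $SK_FLS     = "${BIN_DIR}/fls";
my $SK_ICAT    = "${BIN_DIR}/icat";
my $SK_HFIND   = "${BIN_DIR}/hfind";
my $SK_FSSTAT  = "${BIN_DIR}/fsstat";
my $SK_IMGSTAT = "${BIN_DIR}/img_stat";

# Host utilities; filled in by find_file(), find_md5() and find_sha1().
my $SK_FILE = "";
my $SK_MD5  = "";
my $SK_SHA1 = "";

my $MIS_NAME        = "mismatch";
my $UNK_NAME        = "unknown";
my $ALERT_NAME      = "alert";
my $EXCLUDE_NAME    = "exclude";
my $EXCLUDEMIS_NAME = "mismatch_exclude";
my $IGNORE_NAME     = "ignore";

# Formats for regular expressions
my $REG_DAY   = '\d\d\d\d\-\d\d\-\d\d';
my $REG_TIME  = '\d\d:\d\d:\d\d';
my $REG_ZONE2 = '\([\w\+\- ]*\)';
my $REG_DATE  = "$REG_DAY" . '\s+' . "$REG_TIME" . '\s+' . "$REG_ZONE2";

my $SUMMARY_NAME = "sorter.sum";

# CONSTANTS
my $DEL_ALLOC = 0;    # Allocated File
my $DEL_DEL   = 1;    # Deleted File

# Text / HTML CONSTANTS (the -h option below switches these to HTML markup)
my $NL  = "\n";
my $TAB = '  ';
my $EXT = '.txt';
my $BUL = "- ";

my $IMG_PAGE = 100;

# Globals
my $alloc_cnt   = 0;    # Number of allocated files processed
my $dirskip_cnt = 0;    # Files skipped because dir or null size
my $ignore_cnt  = 0;    # Files skipped bc in ignore category
my $alert_cnt   = 0;    # number of files flagged by hash
my $excl_cnt    = 0;    # number of files skipped bc known good
my $mis_cnt     = 0;    # number of mismatch files
my $exclmis_cnt = 0;    # known good file with extension mismatch
my $img_cnt     = 0;    # number of images

# Print the command-line synopsis to STDOUT and terminate with status 1.
# Never returns.
sub usage {
    print <<EOF;
sorter [-b size] [-E] [-e] [-h]  [-l] [-md5] [-s] [-sha1] [-U] [-v] [-V] [-a hash_alert] [-c config] [-C config] [-d dir] [-m mnt] [-n nsrl_db] [-x hash_exclude] [-o imgoffset] [-f fstype] [-i imgtype] image [images] [dir_meta_addr]
	-b size: Minimum size.  Ignore files smaller than 'size'
	-E: Perform category indexing only (no extension checks - was '-i')
	-e: Perform extension checks only (no category index files)
	-h: HTML Format
	-l: List index to STDOUT (no files are ever written)
	-md5: Print the MD5 value with the index output
	-s: Save files to category directories
	-sha1: Print the SHA-1 value with the index output
	-U: Ignore the unknown category - only save catgories in config files
	-v: verbose debugging output
	-V: print version information
	-a hash_alert: hash database of hashes to alert on
	-c config: specify a config file to use (in addition to default files)
	   NOTE: This config file has priority over default files
	-C config: specify the ONLY config file to use
	-d dir: Save category index files in the specified directory
	-f fstype: file system type (Sleuth Kit types) of image
	-i imgtype: Format of image file
	-o imgoffset: Offset of file system in image (in sectors)
	-m mnt: The mounting point of the image
	-n nsrl_db: The NIST NSRL database file (NSRLFile.txt) (hashes to ignore)
	-x hash_exclude: hash database of hashes to ignore
	dir_meta_addr: Address of directory to start analyzing from
	image: image to analyze
EOF
    exit(1);
}

# Print the Sleuth Kit version line to STDOUT.
sub version {
    print "The Sleuth Kit ver $VER\n";
}

# Directories searched for the host utilities.  Only this fixed list of
# absolute paths is consulted; $PATH plays no part in the lookup, so the
# tool that gets picked does not depend on the caller's environment.
my @s_dirs = (
    "/usr/local/bin/", "/usr/local/sbin/",
    "/usr/bin/",       "/usr/sbin/",
    "/bin/",           "/sbin/"
);

# Return the full path of the first executable found for any of @names, or
# "" when none exists.  Names are tried in the order given, and each name is
# looked up in every directory of @s_dirs before the next name is tried.
sub _locate_tool {
    my (@names) = @_;

    foreach my $name (@names) {
        foreach my $d (@s_dirs) {
            return "${d}${name}" if (-x "${d}${name}");
        }
    }
    return "";
}

# Set $SK_FILE to the host's 'file' utility; print a message and exit(1)
# when it cannot be found.
sub find_file {
    $SK_FILE = _locate_tool("file");
    return if ($SK_FILE ne "");

    print "File tool not found\n";
    exit(1);
}

# Set $SK_MD5 to 'md5' or, failing that, 'md5sum'; print a message and
# exit(1) when neither is found.
sub find_md5 {
    $SK_MD5 = _locate_tool("md5", "md5sum");
    return if ($SK_MD5 ne "");

    print "md5 or md5sum tool not found\n";
    exit(1);
}

# Set $SK_SHA1 to 'sha1' or, failing that, 'sha1sum'; print a message and
# exit(1) when neither is found.
sub find_sha1 {
    $SK_SHA1 = _locate_tool("sha1", "sha1sum");
    return if ($SK_SHA1 ne "");

    print "sha1 or sha1sum tool not found\n";
    exit(1);
}

# Globals
my %file_to_cat;
my @cat_order;
my %file_to_ext = (NOT_USED => [","]);
my @ext_order;
my %cat_handle;
my %output_used;

# Argument variables
my $HTML        = 0;
my $LIST        = 0;
my $SAVE        = 0;
my $VERBOSE     = 0;
my $DO_MD5      = 0;
my $DO_SHA1     = 0;
my $ALL_CONFIGS = 1;
my $DO_INDEX    = 1;    # create index files by category
my $DO_UNKNOWN  = 1;    # Process the files that are unknown
my $DO_EXT      = 1;    # Do extension mismatch analysis
my $MIN_SIZE    = 0;

my $CONFIG     = "";
my $DIR        = "";
my $FSTYPE     = "";
my $IMGTYPE    = "";
my $IMGOFF     = 0;
my $NSRL       = "";
my $PLATFORM   = "";
my $ALERT_DB   = "";
my $EXCLUDE_DB = "";

my $img_shrt;
my $TEMP_FILE;
my $img_str = "";
my $MNT     = "";

# Drop the option currently at the front of @ARGV and return the value that
# follows it.  When nothing follows, print $missing_msg and show the usage
# text (which exits).
sub _next_arg_or_usage {
    my ($missing_msg) = @_;

    shift(@ARGV);
    unless (defined $ARGV[0]) {
        print "$missing_msg\n";
        usage();
    }
    return $ARGV[0];
}

# Accept only a plain token (letters, digits, '_' and '-') for the -f and -i
# values.  Those values are stored already glued to their option flag as a
# single string; NOTE(review): presumably that string is placed on a tool
# command line further down the file (not visible here), so whitespace and
# shell metacharacters are refused at the point of entry, in the same way
# the -o offset is checked.
sub _check_type_token {
    my ($value, $invalid_msg) = @_;

    unless ($value =~ /\A[\w\-]+\z/) {
        print "$invalid_msg\n";
        usage();
    }
    return;
}

usage() if (scalar @ARGV == 0);

# Read the arguments.  Parsing stops at the first argument that does not
# start with '-'; what is left in @ARGV is examined after the loop.
while (($_ = $ARGV[0]) =~ /^-(.)(.*)/) {

    # Alert hash database
    if (/^-a$/) {
        $ALERT_DB = _next_arg_or_usage("-a requires hash database argument");
        unless (-e "$ALERT_DB") {
            print "Alert hash database $ALERT_DB does not exist\n";
            usage();
        }
        $DO_MD5 = 1;
    }

    # @@@ This is currently not used
    # NOTE(review): unlike -o, the size is not checked to be numeric.
    elsif (/^-b$/) {
        $MIN_SIZE = _next_arg_or_usage("-b requires a size");
    }

    # config file to use in addition to other config files
    elsif (/^-c$/) {
        if ($ALL_CONFIGS == 0) {
            print "-c cannot be used with -C\n";
            exit(1);
        }
        $CONFIG = _next_arg_or_usage("-c requires config file argument");
        unless (-e "$CONFIG") {
            print "Config file $CONFIG does not exist\n";
            usage();
        }
    }

    # Exclusive config file to use
    elsif (/^-C$/) {
        if ($CONFIG ne "") {
            print "-C cannot be used with -c\n";
            exit(1);
        }
        $CONFIG = _next_arg_or_usage("-C requires config file argument");
        unless (-e "$CONFIG") {
            print "Config file $CONFIG does not exist\n";
            usage();
        }
        $ALL_CONFIGS = 0;
    }

    # output directory for category files
    elsif (/^-d$/) {
        $DIR = _next_arg_or_usage("-d requires directory name");
        unless (-d "$DIR") {
            print "Directory $DIR does not exist\n";
            usage();
        }
    }

    # Extension mismatch only
    elsif (/^-e$/) {
        $DO_INDEX = 0;
    }

    # Category types only
    elsif (/^-E$/) {
        $DO_EXT = 0;
    }

    # file system type
    elsif (/^-f$/) {
        my $fstype = _next_arg_or_usage("-f requires file system type");
        _check_type_token($fstype, "Invalid file system type");
        $FSTYPE = "-f " . $fstype;
    }

    # HTML
    elsif (/^-h$/) {
        $HTML = 1;
        $NL   = "<BR>\n";
        $TAB  = "&nbsp;&nbsp;";
        $EXT  = ".html";
        $BUL  = "  <LI>";
    }

    # Image type
    elsif (/^-i$/) {
        my $imgtype = _next_arg_or_usage("-i requires image type");
        _check_type_token($imgtype, "Invalid image type");
        $IMGTYPE = "-i " . $imgtype;
    }

    # List the data instead of saving to files
    elsif (/^-l$/) {
        $LIST = 1;
    }

    # Mounting point of the image; stored with a trailing '/'
    elsif (/^-m$/) {
        $MNT = _next_arg_or_usage("-m requires a mounting point");
        $MNT .= "/" unless ($MNT =~ /\/$/);
    }

    # MD5 hashes
    elsif (/^-md5$/) {
        $DO_MD5 = 1;
    }

    # NIST NSRL hash database for excluding files
    elsif (/^-n$/) {
        $NSRL = _next_arg_or_usage("-n requires file name");
        unless (-e "$NSRL") {
            print "NSRL Database file missing ($NSRL)\n";
            usage();
        }
        $DO_MD5 = 1;
    }

    # Offset of the file system in the image, in sectors.  \A...\z is used
    # so that a value ending in a newline is not accepted as all-digits.
    elsif (/^-o$/) {
        $IMGOFF = _next_arg_or_usage("-o requires offset value");
        unless ($IMGOFF =~ /\A\d+\z/) {
            print "Invalid sector offset\n";
            usage();
        }
    }

    # Do SHA
    elsif (/^-sha1$/) {
        $DO_SHA1 = 1;
    }

    # Save the files in category directories
    elsif (/^-s$/) {
        $SAVE = 1;
    }

    elsif (/^-U$/) {
        $DO_UNKNOWN = 0;
    }

    # Version
    elsif (/^-V$/) {
        version();
        exit(0);
    }

    # Verbose
    elsif (/^-v$/) {
        $VERBOSE = 1;
    }

    # Exclude hash database
    elsif (/^-x$/) {
        $EXCLUDE_DB = _next_arg_or_usage("-x requires hash database argument");
        unless (-e "$EXCLUDE_DB") {
            print "Exclude hash database $EXCLUDE_DB does not exist\n";
            usage();
        }
        $DO_MD5 = 1;
    }

    else {
        print "Unknown option: $_\n";
        usage();
    }

    shift(@ARGV);
}

if (scalar @ARGV == 0) {
    print "Missing image argument\n";
    usage();
}

# Find local copies of std execs
find_file();

if ($DO_MD5 == 1) {
    find_md5();
}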
