From 56f61c694e305abc0b1aa37b772be3109faf9c32 Mon Sep 17 00:00:00 2001 
From: digitalsleuth Date: Mon, 18 Nov 2024 04:22:32 +0000 Subject: [PATCH 1/2] Update python3 states, add mac_apt, move old python scripts --- .ci/dev-state.sh | 2 +- sift/files/java-idx-parser/idx_parser.py | 338 ++++++++++++++++ sift/files/jobparser/jobparser.py | 387 +++++++++++++++++++ sift/files/pdf-tools/make-pdf-helloworld.py | 68 ++-- sift/files/sorter/windows.sort.bak | 278 ------------- sift/include-server.sls | 4 +- sift/packages/ewf-tools.sls | 2 + sift/packages/init.sls | 68 ++-- sift/packages/libbz2-dev.sls | 2 + sift/packages/libgtk-3-dev.sls | 2 + sift/packages/mtd-utils.sls | 2 + sift/packages/python3-magic.sls | 2 + sift/packages/python3-wxgtk4.sls | 2 + sift/packages/sleuthkit.sls | 12 +- sift/packages/squashfs-tools.sls | 2 + sift/packages/zlib1g-dev.sls | 2 + sift/{scripts => python3-packages}/4n6.sls | 73 +++- sift/python3-packages/analyzemft.sls | 27 +- sift/python3-packages/argparse.sls | 9 - sift/python3-packages/bitstring.sls | 9 - sift/python3-packages/capstone.sls | 10 - sift/python3-packages/colorama.sls | 9 - sift/python3-packages/defang.sls | 28 +- sift/python3-packages/geoip2.sls | 9 - sift/python3-packages/ijson.sls | 9 - sift/python3-packages/imagemounter.sls | 60 ++- sift/python3-packages/indxparse.sls | 47 ++- sift/python3-packages/init.sls | 60 ++- sift/python3-packages/ioc-writer.sls | 34 ++ sift/python3-packages/ioc_writer.sls | 13 - sift/python3-packages/java-idx-parser.sls | 44 +++ sift/python3-packages/job-parser.sls | 42 ++ sift/python3-packages/keyrings-alt.sls | 9 - sift/python3-packages/lxml.sls | 13 - sift/python3-packages/mac-apt.sls | 78 ++++ sift/python3-packages/machinae.sls | 40 +- sift/python3-packages/packerid.sls | 48 +++ sift/python3-packages/page-brute.sls | 39 ++ sift/python3-packages/pdf-tools.sls | 31 ++ sift/python3-packages/pe-carver.sls | 25 +- sift/python3-packages/pe-scanner.sls | 27 +- sift/python3-packages/pefile.sls | 10 - sift/python3-packages/pillow.sls | 9 - sift/python3-packages/pip.sls | 2 +- 
sift/python3-packages/pyhindsight.sls | 83 ++-- sift/python3-packages/python-dateutil.sls | 9 - sift/python3-packages/python-evtx.sls | 44 ++- sift/python3-packages/python-magic.sls | 9 - sift/python3-packages/python-registry.sls | 9 - sift/python3-packages/s2sphere.sls | 10 - sift/python3-packages/setuptools-rust.sls | 9 - sift/python3-packages/six.sls | 10 - sift/python3-packages/sqlite-carver.sls | 29 ++ sift/python3-packages/stix-validator.sls | 32 +- sift/python3-packages/stix.sls | 11 - sift/python3-packages/usbdeviceforensics.sls | 30 +- sift/python3-packages/usnparser.sls | 26 +- sift/python3-packages/virustotal-api.sls | 9 - sift/python3-packages/volatility3.sls | 33 ++ sift/python3-packages/windowsprefetch.sls | 25 +- sift/python3-packages/yara-python.sls | 9 - sift/scripts/cyberchef.sls | 4 +- sift/scripts/init.sls | 6 - sift/scripts/packerid.sls | 30 -- sift/scripts/page-brute.sls | 6 - sift/scripts/sift.sls | 2 +- 66 files changed, 1674 insertions(+), 748 deletions(-) create mode 100644 sift/files/java-idx-parser/idx_parser.py create mode 100644 sift/files/jobparser/jobparser.py delete mode 100644 sift/files/sorter/windows.sort.bak create mode 100644 sift/packages/ewf-tools.sls create mode 100644 sift/packages/libbz2-dev.sls create mode 100644 sift/packages/libgtk-3-dev.sls create mode 100644 sift/packages/mtd-utils.sls create mode 100644 sift/packages/python3-magic.sls create mode 100644 sift/packages/python3-wxgtk4.sls create mode 100644 sift/packages/squashfs-tools.sls create mode 100644 sift/packages/zlib1g-dev.sls rename sift/{scripts => python3-packages}/4n6.sls (54%) delete mode 100644 sift/python3-packages/argparse.sls delete mode 100644 sift/python3-packages/bitstring.sls delete mode 100644 sift/python3-packages/capstone.sls delete mode 100644 sift/python3-packages/colorama.sls delete mode 100644 sift/python3-packages/geoip2.sls delete mode 100644 sift/python3-packages/ijson.sls create mode 100644 sift/python3-packages/ioc-writer.sls delete 
mode 100644 sift/python3-packages/ioc_writer.sls
 create mode 100644 sift/python3-packages/java-idx-parser.sls
 create mode 100644 sift/python3-packages/job-parser.sls
 delete mode 100644 sift/python3-packages/keyrings-alt.sls
 delete mode 100644 sift/python3-packages/lxml.sls
 create mode 100644 sift/python3-packages/mac-apt.sls
 create mode 100644 sift/python3-packages/packerid.sls
 create mode 100644 sift/python3-packages/page-brute.sls
 create mode 100644 sift/python3-packages/pdf-tools.sls
 delete mode 100644 sift/python3-packages/pefile.sls
 delete mode 100644 sift/python3-packages/pillow.sls
 delete mode 100644 sift/python3-packages/python-dateutil.sls
 delete mode 100644 sift/python3-packages/python-magic.sls
 delete mode 100644 sift/python3-packages/python-registry.sls
 delete mode 100644 sift/python3-packages/s2sphere.sls
 delete mode 100644 sift/python3-packages/setuptools-rust.sls
 delete mode 100644 sift/python3-packages/six.sls
 create mode 100644 sift/python3-packages/sqlite-carver.sls
 delete mode 100644 sift/python3-packages/stix.sls
 delete mode 100644 sift/python3-packages/virustotal-api.sls
 create mode 100644 sift/python3-packages/volatility3.sls
 delete mode 100644 sift/python3-packages/yara-python.sls
 delete mode 100644 sift/scripts/packerid.sls
 delete mode 100644 sift/scripts/page-brute.sls
diff --git a/.ci/dev-state.sh b/.ci/dev-state.sh
index d23c451..a439f3b 100755
--- a/.ci/dev-state.sh
+++ b/.ci/dev-state.sh
@@ -6,5 +6,5 @@
 DISTRO=${DISTRO:="focal"}
 SALT=${SALT:="3005"}
 STATE=$1
-docker run -it --rm --name="sift-state-${STATE}" -p 8080:80 -v `pwd`/sift:/srv/salt/sift --cap-add SYS_ADMIN ghcr.io/teamdfir/sift-saltstack-tester:${SALT}-${DISTRO} \
+docker run -it --rm --name="sift-state-${STATE}" -p 8080:80 -v `pwd`/sift:/srv/salt/sift --cap-add SYS_ADMIN ghcr.io/teamdfir/sift-saltstack-tester:${DISTRO}-${SALT} \
 /bin/bash
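Review bot: The rewritten `docker run` line still passes the bind-mount source as an unquoted backtick expansion, so a checkout path containing whitespace splits the `-v` argument into several words; `-v "$(pwd)/sift:/srv/salt/sift"` is the portable form. The tester image is also referenced only by a mutable tag (`${DISTRO}-${SALT}`) while the container is started with `--cap-add SYS_ADMIN`, so the privileged run is not reproducible; pinning the image by digest, or at least noting in a comment that the tag is expected to move, would make that explicit. Whether the swapped tag order matches what the registry actually publishes cannot be checked from this page.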
diff --git a/sift/files/java-idx-parser/idx_parser.py b/sift/files/java-idx-parser/idx_parser.py new file mode 100644 index 0000000..b566d23 --- /dev/null +++ b/sift/files/java-idx-parser/idx_parser.py 
@@ -0,0 +1,338 @@ +#! /usr/bin/env python3 +# Java Cache IDX parser +# Version 1.0 - 12 Jan 13: @bbaskin +# Version 1.1 - 22 Jan 13: +# Now supports all IDX file versions +# Version 1.2 - 29 Jan 13: +# Now supports parsing more section 1 data and section 3 manifest +# Version 1.3 - 8 Feb 13: +# Rewrote section 2 parsing. Removed all interpretive code (parse and print) +# Rewrote into subs, added very basic Java Serialization parsing +# Added CSV output to display all values. If you want fields, too, search +# this file for 'CSVEDIT' and follow instructions +# Version 1.4 - 17 Jul 13: +# Fixed a few bugs from Section 1, now displays Section 1 data. +# This is mostly useless, as it is also contained in Section 2, but is used +# to validate data shown in cases of tampering. +# Version 1.5 - 2 Dec 13: +# Fix data structure for 6.02 samples, removed 'hack' and handled it properly +# General cleanup to better Python standards +# Put in error handling for truncated data, based on a sample data submitted +# by Kristinn Gudjonsson + +# * Parsing based off source: http://jdk-source-code.googlecode.com/svn/trunk/jdk6u21_src/deploy/src/common/share/classes/com/sun/deploy/cache/CacheEntry.java +# * Some updates based off research by Mark Woan (@woanwave) - https://github.com/woanware/javaidx/tree/master/Documents +# * Thanks to Corey Harrell for providing a version 6.03 file for testing and for initial inspiration: +# http://journeyintoir.blogspot.com/2011/02/almost-cooked-up-some-java.html + +# Views cached Java download history files +# Typically located in %AppData%\LocalLow\Sun\Java\Deployment\Cache +# These files hold critical details for malware infections, especially Java related ones, e.g. BlackHole. 
+ +""" +Output example: +E:\Development\Java_IDX_Parser>idx_parser.py Samples\malware\1c20de82-1678cc50.idx +Java IDX Parser -- version 1.5 -- by @bbaskin + +IDX file: Samples\malware\1c20de82-1678cc50.idx (IDX File Version 6.05) + +[*] Section 1 (Metadata) found: +Content length: 7162 +Last modified date: Thu, 26 Jul 2001 05:00:00 GMT (epoch: 996123600) +Section 2 length: 365 +Section 3 length: 167 +Section 4 length: 15 + +[*] Section 2 (Download History) found: +URL: http://803c146.gssewsf.su:82/forum/dare.php?hsh=5&key=b30a14e1c59215d593d3f03bd1ab +IP: 30.7.219.70 +: HTTP/1.1 200 OK +content-length: 7162 +last-modified: Mon, 26 Jul 2001 05:00:00 GMT +content-type: application/x-java-archive +date: Sun, 13 Jan 2013 16:22:01 GMT +server: nginx/1.0.15 +deploy-request-content-type: application/x-java-archive + +[*] Section 3 (Jar Manifest) found: +Manifest-Version: 1.0 +Ant-Version: Apache Ant 1.8.3 +X-COMMENT: Main-Class will be added automatically by build +Class-Path: +Created-By: 1.7.0_07-b11 (Oracle Corporation) + +[*] Section 4 (Code Signer) found: +[*] Found: Data block. Length: 4 +Data: Hex: 00000000 +[*] Found: Data block. Length: 3 +Data: 0 Hex: 300d0a +""" + +import os +import struct +import sys +import time +import zlib + +__VERSION__ = '1.5' +__CSV__ = False + + +def sec2_parse(): + """Parse Section Two from 6.03 and greater files. + + Section two contains all download history data + """ + csv_body = '' + data.seek(128) + if data.tell() >= filesize: + print('[!] Error! Truncated file. 
Section 2 is missing.') + return + + len_URL = struct.unpack('>l', data.read(4))[0] + data_URL = data.read(len_URL) + + len_IP = struct.unpack('>l', data.read(4))[0] + data_IP = data.read(len_IP) + sec2_fields = struct.unpack('>l', data.read(4))[0] + + print('\n[*] Section 2 (Download History) found:') + print('URL: %s' % (data_URL)) + print('IP: %s' % (data_IP)) + if __CSV__: + csv_body = fname + ',' + data_URL + ',' + data_IP + for i in range(0, sec2_fields): + len_field = struct.unpack('>h', data.read(2))[0] + field = data.read(len_field) + len_value = struct.unpack('>h', data.read(2))[0] + value = data.read(len_value) + print('%s: %s' % (field, value)) + if __CSV__: + #CSVEDIT: If you want both Field and Value in CSV output, uncomment + #next line and comment line after. + #csv_body += ',' + field + ',' + value + csv_body += ',' + value + if __CSV__: + global csvfile + csvfile = fname + '.csv' + open(csvfile, 'w').write(csv_body) + + +def sec2_parse_602(): + """Parse Section Two from 6.02 files. + + Section two contains all download history data. However, this version + does not store IP addresses. + """ + data.seek(32) + if data.tell() >= filesize: + print('Truncated file') + len_URL = struct.unpack('b', data.read(1))[0] + data_URL = data.read(len_URL) + namespace_len = struct.unpack('>h', data.read(2))[0] + namespace = data.read(namespace_len) + sec2_fields = struct.unpack('>l', data.read(4))[0] + + print('\n[*] Section 2 (Download History) found:') + print('URL: %s' % (data_URL)) + if __CSV__: + csv_body = fname + ',' + data_URL + + for i in range(0, sec2_fields): + len_field = struct.unpack('>h', data.read(2))[0] + field = data.read(len_field) + len_value = struct.unpack('>h', data.read(2))[0] + value = data.read(len_value) + print('%s: %s' % (field, value)) + if __CSV__: + #CSVEDIT: If you want both Field and Value in CSV output, uncomment + #next line and comment line after. 
+ #csv_body += ',' + field + ',' + value + csv_body += ',' + value + + if __CSV__: + global csvfile + csvfile = fname + '.csv' + open(csvfile, 'w').write(csv_body) + + # See if section 3 exists + if data.tell()+3 < filesize: + sec3_magic, sec3_ver = struct.unpack('>HH', data.read(4)) + print('\n[*] Section 3 (Additional Data) found:') + if sec3_magic == 0xACED: + print('[*] Serialized data found of type:') + sec3_type = struct.unpack('b', data.read(1))[0] + if sec3_type == 0x77: #Data block + print('Data Block') + throwaway = data.read(1) + block_len = struct.unpack('>l', data.read(4))[0] + block_raw = data.read(block_len) + if block_raw[0:3] == '\x1F\x8B\x08': # Valid GZIP header + print('[*] Compressed data found') + sec3_unc = zlib.decompress(block_raw, 15+32) # Trick to force bitwindow size + print(sec3_unc) + else: + print('Unknown serialization opcode found') + return + + +def sec3_parse(): + """Parse Section three of the file. + + Section three contains a copy of the JAR manifest data. + """ + data.seek (128+sec2_len) + sec3_data = data.read(sec3_len) + + if sec3_data[0:3] == '\x1F\x8B\x08': # Valid GZIP header + sec3_unc = zlib.decompress(sec3_data, 15+32) # Trick to force bitwindow size + print(sec3_unc.strip()) + + +def sec4_parse(): + """Parse Section four of the file. + + Section four contains Code Signer details + Written from docs at: + http://docs.oracle.com/javase/6/docs/platform/serialization/spec/protocol.html + """ + unknowns = 0 + data.seek (128 + sec2_len + sec3_len) + sec4_magic, sec4_ver = struct.unpack('>HH', data.read(4)) + if sec4_magic == 0xACED: # Magic number for Java serialized data, version always appears to be 5 + while not data.tell() == filesize: # If current offset isn't at end of file yet + if unknowns > 5: + print('Too many unrecognized bytes. Exiting.') + return + sec4_type = struct.unpack('B', data.read(1))[0] + if sec4_type == 0x77: #Data block ... 
+ #This _should_ parse for 0x78 (ENDDATABLOCK) but Oracle didn't follow their own specs for IDX files. + print('[*] Found: Data block. ') + block_len = struct.unpack('b', data.read(1))[0] + block_raw = data.read(block_len) + if block_raw[0:3] == '\x1F\x8B\x08': # Valid GZIP header + sec4_unc = zlib.decompress(block_raw, 15+32) # Trick to force bitwindow size + print(sec4_unc.encode('hex')) + else: + print('Length: %-2d\nData: %-10s\tHex: %s' % (block_len, block_raw.strip(), block_raw.encode('hex'))) + elif sec4_type == 0x73: #Object + print('[*] Found: Object\n->') + continue + elif sec4_type == 0x72: #Class Description + print('[*] Found: Class Description:') + block_len = struct.unpack('>h', data.read(2))[0] + block_raw = data.read(block_len) + print(block_raw) + else: + print('Unknown serialization opcode found: 0x%X' % sec4_type) + unknowns += 1 + return + + +if __name__ == '__main__': + """Main process function. + + Display help, handle command line arguments, read initial header to determine + which functions to call. 
+ """ + print('Java IDX Parser -- version %s -- by @bbaskin\n' % __VERSION__) + try: + if sys.argv[1] in ['-c', '-C']: + __CSV__ = True + fname = sys.argv[2] + else: + fname = sys.argv[1] + except: + print('Usage: idx_parser.py ') + print('\nTo generate a CSV output file:') + print(' : idx_parser.py -c ') + sys.exit() + try: + data = open(fname, 'rb') + except: + print('File not found: %s' % fname) + sys.exit() + + filesize = os.path.getsize(fname) + + busy_byte = data.read(1) + complete_byte = data.read(1) + cache_ver = struct.unpack('>i', data.read(4))[0] + + if cache_ver not in (602, 603, 604, 605, 606): + print('Invalid IDX header found') + print('Found: 0x%s' % cache_ver) + sys.exit() + print('IDX file: %s (IDX File Version %d.%02d)' % (fname, cache_ver / 100, cache_ver - 600)) + + # Different IDX cache versions have data in different offsets + if cache_ver in [602, 603, 604, 605]: + if cache_ver in [602, 603, 604]: + data.seek(8) + elif cache_ver == 605: + data.seek(6) + is_shortcut_img = data.read(1) + content_len = struct.unpack('>l', data.read(4))[0] + last_modified_date = struct.unpack('>q', data.read(8))[0]/1000 + expiration_date = struct.unpack('>q', data.read(8))[0]/1000 + validation_date = struct.unpack('>q', data.read(8))[0]/1000 + + print('\n[*] Section 1 (Metadata) found:') + print('Content length: %d' % content_len) + print('Last modified date: %s (epoch: %d)' % (time.strftime('%a, %d %b %Y %X GMT', time.gmtime(last_modified_date)), last_modified_date)) + if expiration_date: + print('Expiration date: %s (epoch: %d)' % (time.strftime('%a, %d %b %Y %X GMT', time.gmtime(expiration_date)), expiration_date)) + if validation_date: + print('Validation date: %s (epoch: %d)' % (time.strftime('%a, %d %b %Y %X GMT', time.gmtime(validation_date)), validation_date)) + + if cache_ver == 602: + sec2_len = 1 + sec3_len = 0 + sec4_len = 0 + sec5_len = 0 + elif cache_ver in [603, 604, 605]: + known_to_be_signed = data.read(1) + sec2_len = struct.unpack('>i', 
data.read(4))[0] + sec3_len = struct.unpack('>i', data.read(4))[0] + sec4_len = struct.unpack('>i', data.read(4))[0] + sec5_len = struct.unpack('>i', data.read(4))[0] + + blacklist_timestamp = struct.unpack('>q', data.read(8))[0]/1000 + cert_expiration_date = struct.unpack('>q', data.read(8))[0]/1000 + class_verification_status = data.read(1) + reduced_manifest_length = struct.unpack('>l', data.read(4))[0] + + print('Section 2 length: %d' % sec2_len) + if sec3_len: + print('Section 3 length: %d' % sec3_len) + if sec4_len: + print('Section 4 length: %d' % sec4_len) + if sec5_len: + print('Section 4 length: %d' % sec5_len) + if expiration_date: + print('Blacklist Expiration date: %s (epoch: %d)' % (time.strftime('%a, %d %b %Y %X GMT', time.gmtime(blacklist_timestamp)), blacklist_timestamp)) + if cert_expiration_date: + print('Certificate Expiration date: %s (epoch: %d)' % (time.strftime('%a, %d %b %Y %X GMT', time.gmtime(cert_expiration_date)), cert_expiration_date)) + else: + print('Current file version, %d, is not supported at this time.' % cache_ver) + sys.exit() + + if sec2_len: + if cache_ver == 602: + sec2_parse_602() + else: + sec2_parse() + + if sec3_len: + print('\n[*] Section 3 (Jar Manifest) found:') + sec3_parse() + + if sec4_len: + print('\n[*] Section 4 (Code Signer) found:') + sec4_parse() + + if sec5_len: + print('\n[*] Section 5 found (offset 0x%X, length %d bytes)' % (128 + sec2_len + sec3_len + sec4_len, sec5_len)) + + if __CSV__: + print('\n\n[*] CSV file written to %s' % csvfile) diff --git a/sift/files/jobparser/jobparser.py b/sift/files/jobparser/jobparser.py new file mode 100644 index 0000000..4473d5b --- /dev/null +++ b/sift/files/jobparser/jobparser.py 
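Review bot: The file is added with a `python3` shebang but its body is Python 2: the GZIP-header tests in `sec2_parse_602`, `sec3_parse` and `sec4_parse`, such as `block_raw[0:3] == '\x1F\x8B\x08'`, compare `bytes` from a binary `read()` against a `str`, which is always False on Python 3, so compressed manifests are silently never decompressed, and `sec4_parse` then calls `.encode('hex')` on `bytes`, which fails. `sec2_parse` likewise builds `csv_body = fname + ',' + data_URL + ',' + data_IP` from `str` and `bytes`, raising TypeError as soon as `-c` is used; the literals should become `b'\x1F\x8B\x08'`, the hex dumps `block_raw.hex()`, and the URL/IP fields decoded (e.g. `data_URL.decode('utf-8', 'replace')`) before printing or joining. Because the input is an untrusted cache artifact, the `zlib.decompress(block_raw, 15+32)` calls also have no output bound; `zlib.decompressobj(15+32).decompress(block_raw, max_length=<cap>)` with a modest cap keeps a crafted entry from exhausting memory. In the `__main__` block the section-5 length is printed under the label `'Section 4 length'`, and the blacklist date is gated on `expiration_date` rather than `blacklist_timestamp`, so it can be skipped or printed when the wrong value is zero.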
@@ -0,0 +1,387 @@ +#!/usr/bin/env python3 +import sys +import os +import getopt +import struct + +""" +Author: Gleeda + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version +2 of the License, or (at your option) any later version. + +jobparser.py + Parses job files created from `at` commands + + -f + -d +""" + + +# http://msdn.microsoft.com/en-us/library/2d1fbbab-fe6c-4ae5-bdf5-41dc526b2439%28v=prot.13%29#id11 +products = { + 0x400: "Windows NT 4.0", + 0x500: "Windows 2000", + 0x501: "Windows XP", + 0x600: "Windows Vista", + 0x601: "Windows 7", + 0x602: "Windows 8", + 0x603: "Windows 8.1", + 0xA00: "Windows 10", +} + +# http://winforensicaanalysis.googlecode.com/files/jobparse.pl +task_status = { + 0x41300: "Task is ready to run", + 0x41301: "Task is running", + 0x41302: "Task is disabled", + 0x41303: "Task has not run", + 0x41304: "No more scheduled runs", + 0x41305: "Properties not set", + 0x41306: "Last run terminated by user", + 0x41307: "No triggers/triggers disabled", + 0x41308: "Triggers do not have set run times", +} + +weekdays = { + 0x0: "Sunday", + 0x1: "Monday", + 0x2: "Tuesday", + 0x3: "Wednesday", + 0x4: "Thursday", + 0x5: "Friday", + 0x6: "Saturday", +} + +months = { + 0x1: "Jan", + 0x2: "Feb", + 0x3: "Mar", + 0x4: "Apr", + 0x5: "May", + 0x6: "Jun", + 0x7: "Jul", + 0x8: "Aug", + 0x9: "Sep", + 0xA: "Oct", + 0xB: "Nov", + 0xC: "Dec", +} + +# http://msdn.microsoft.com/en-us/library/cc248283%28v=prot.10%29 +flags = { + 0x1: "TASK_APPLICATION_NAME", + 0x200000: "TASK_FLAG_RUN_ONLY_IF_LOGGED_ON", + 0x100000: "TASK_FLAG_SYSTEM_REQUIRED", + 0x80000: "TASK_FLAG_RESTART_ON_IDLE_RESUME", + 0x40000: "TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET", + 0x20000: "TASK_FLAG_HIDDEN", + 0x10000: "TASK_FLAG_RUN_ONLY_IF_DOCKED", + 0x80000000: "TASK_FLAG_KILL_IF_GOING_ON_BATTERIES", + 0x40000000: "TASK_FLAG_DONT_START_IF_ON_BATTERIES", + 
0x20000000: "TASK_FLAG_KILL_ON_IDLE_END", + 0x10000000: "TASK_FLAG_START_ONLY_IF_IDLE", + 0x4000000: "TASK_FLAG_DISABLED", + 0x2000000: "TASK_FLAG_DELETE_WHEN_DONE", + 0x1000000: "TASK_FLAG_INTERACTIVE", +} + +# http://msdn.microsoft.com/en-us/library/cc248286%28v=prot.10%29.aspx +priorities = { + 0x20000000: "NORMAL_PRIORITY_CLASS", + 0x40000000: "IDLE_PRIORITY_CLASS", + 0x80000000: "HIGH_PRIORITY_CLASS", + 0x100000: "REALTIME_PRIORITY_CLASS", +} + + +class JobDate: + def __init__(self, data, scheduled=False): + # scheduled is the time the job was scheduled to run + self.scheduled = scheduled + self.Year = struct.unpack("H", data[8:10])[0] + self.UUID4 = struct.unpack(">H", data[10:12])[0] + self.UUID5 = struct.unpack(">H", data[12:14])[0] + self.UUID6 = struct.unpack(">H", data[14:16])[0] + + def __repr__(self): + return ( + "{" + + "{0:08X}-{1:04X}-{2:04X}-{3:04X}-{4:02X}{5:02X}{6:02X}".format( + self.UUID0, + self.UUID1, + self.UUID2, + self.UUID3, + self.UUID4, + self.UUID5, + self.UUID6, + ) + + "}" + ) + + +# http://msdn.microsoft.com/en-us/library/cc248285%28PROT.10%29.aspx +class Job: + def __init__(self, data): + """ + Fixed length section + http://msdn.microsoft.com/en-us/library/cc248286%28v=prot.13%29.aspx + """ + self.ProductInfo = struct.unpack("I", data[32:36])[0] + self.MaxRunTime = struct.unpack("I", data[48:52])[0] + self.RunDate = JobDate(data[52:68]) + """ + Variable length section + http://msdn.microsoft.com/en-us/library/cc248287%28v=prot.10%29.aspx + """ + self.RunningInstanceCount = struct.unpack(" 0: + self.Name = data[72 : self.cursor].replace("\x00", "") + self.ParameterSize = struct.unpack(" 0: + self.Parameter = data[ + self.cursor : self.cursor + self.ParameterSize * 2 + ].replace("\x00", "") + self.cursor += self.ParameterSize * 2 + self.WorkingDirectorySize = struct.unpack( + " 0: + self.WorkingDirectory = data[ + self.cursor : self.cursor + (self.WorkingDirectorySize * 2) + ].replace("\x00", "") + self.cursor += 
self.WorkingDirectorySize * 2 + self.UserSize = struct.unpack(" 0: + self.User = data[self.cursor : self.cursor + self.UserSize * 2].replace( + "\x00", "" + ) + self.cursor += self.UserSize * 2 + self.CommentSize = struct.unpack(" 0: + self.Comment = data[ + self.cursor : self.cursor + self.CommentSize * 2 + ].replace("\x00", "") + self.cursor += self.CommentSize * 2 + # this is probably User Data + Reserved Data: + self.UserData = data[self.cursor : self.cursor + 18] + self.cursor += 18 + # This isn't really documented, but this is the time the job was scheduled to run: + self.ScheduledDate = JobDate( + data[self.cursor : self.cursor + 20], scheduled=True + ) + + def _get_job_info(self): + lines = [] + lines.append( + "Product Info: {0}".format( + products.get(self.ProductInfo, "Unknown Version") + ) + ) + lines.append("File Version: {0}".format(self.FileVersion)) + lines.append("UUID: {0}".format(self.UUID)) + priority = "" + for p in priorities: + if self.Priority & p == p: + priority += priorities[p] + ", " + if priority != "": + lines.append("Priorities: {0}".format(priority.rstrip(", "))) + hours, ms = divmod(self.MaxRunTime, 3600000) + minutes, ms = divmod(ms, 60000) + seconds = ms / 1000 + lines.append( + "Maximum Run Time: {0:02}:{1:02}:{2:02}.{3} (HH:MM:SS.MS)".format( + hours, minutes, seconds, ms + ) + ) + lines.append("Exit Code: {0}".format(self.ExitCode)) + lines.append( + "Status: {0}".format(task_status.get(self.Status, "Unknown Status")) + ) + theflags = "" + for flag in flags: + if self.Flags & flag == flag: + theflags += flags[flag] + ", " + lines.append("Flags: {0}".format(theflags.rstrip(", "))) + lines.append("Date Run: {0}".format(self.RunDate)) + lines.append("Running Instances: {0}".format(self.RunningInstanceCount)) + lines.append("Application: {0}".format(self.Name)) + if self.Parameter != "": + lines.append("Parameters: {0}".format(self.Parameter)) + lines.append("Working Directory: {0}".format(self.WorkingDirectory)) + 
lines.append("User: {0}".format(self.User)) + lines.append("Comment: {0}".format(self.Comment)) + lines.append("Scheduled Date: {0}".format(self.ScheduledDate)) + return lines + + def __repr__(self): + lines = "" + lines += "Product Info: {0}\n".format(products.get(self.ProductInfo, "None")) + lines += "File Version: {0}\n".format(self.FileVersion) + lines += "UUID: {0}\n".format(self.UUID) + priority = "" + for p in priorities: + if self.Priority & p == p: + priority += priorities[p] + ", " + if priority != "": + lines += "Priorities: {0}\n".format(priority.rstrip(", ")) + hours, ms = divmod(self.MaxRunTime, 3600000) + minutes, ms = divmod(ms, 60000) + seconds = ms / 1000 + lines += "Maximum Run Time: {0:02}:{1:02}:{2:02}.{3} (HH:MM:SS.MS)\n".format( + hours, minutes, seconds, ms + ) + lines += "Exit Code: {0}\n".format(self.ExitCode) + lines += "Status: {0}\n".format(task_status.get(self.Status, "Unknown Status")) + theflags = "" + for flag in flags: + if self.Flags & flag == flag: + theflags += flags[flag] + ", " + lines += "Flags: {0}\n".format(theflags.rstrip(", ")) + lines += "Date Run: {0}\n".format(self.RunDate) + lines += "Running Instances: {0}\n".format(self.RunningInstanceCount) + lines += "Application: {0}\n".format(self.Name) + if self.Parameter != "": + lines += "Parameters: {0}\n".format(self.Parameter) + lines += "Working Directory: {0}\n".format(self.WorkingDirectory) + lines += "User: {0}\n".format(self.User) + lines += "Comment: {0}\n".format(self.Comment) + lines += "Scheduled Date: {0}\n".format(self.ScheduledDate) + return lines + + +def usage(): + print("jobparser.py:\n") + print(" -f ") + print(" -d ") + + +def main(): + file = None + dir = None + try: + opts, args = getopt.getopt(sys.argv[1:], "hf:d:", ["help", "file=", "dir="]) + except getopt.GetoptError as err: + print(str(err)) + sys.exit(2) + for o, a in opts: + if o in ("-h", "--help"): + usage() + sys.exit(2) + elif o in ("-f", "--file"): + if os.path.isfile(a): + file = open(a, 
"rb") + else: + print(a + " is not a file") + usage() + return + elif o in ("-d", "--dir"): + dir = a + else: + assert False, "unhandled option\n\n" + sys.exit(2) + + if file == None and dir == None: + usage() + return + + if dir != None and os.path.isdir(dir): + for fname in os.listdir(dir): + if fname.endswith(".job") and os.path.isfile(os.path.join(dir, fname)): + file = open(os.path.join(dir, fname), "rb") + try: + job = Job(file.read(0x2000)) + print("*" * 72) + print("File: " + os.path.join(dir, fname)) + print(job) + print("*" * 72) + except: + print("Unable to process file: " + os.path.join(dir, fname)) + + file = None + + # I'm not sure what's the largest a job file can be, but I'm setting a limit + # just to avoid accidental imports of large files + elif file != None: + data = file.read(0x2000) + job = Job(data) + print(job) + + +if __name__ == "__main__": + main() diff --git a/sift/files/pdf-tools/make-pdf-helloworld.py b/sift/files/pdf-tools/make-pdf-helloworld.py index 0a1cf11..65a7fcd 100644 --- a/sift/files/pdf-tools/make-pdf-helloworld.py +++ b/sift/files/pdf-tools/make-pdf-helloworld.py 
@@ -1,34 +1,34 @@ -#!/usr/bin/env python3 -#20080518 -#20080519 - -import mPDF -import time -import zlib -import sys - -if len(sys.argv) != 2: - print("Usage: make-pdf-helloworld pdf-file") - print(" ") - print(" Source code put in the public domain by Didier Stevens, no Copyright") - print(" Use at your own risk") - print(" https://DidierStevens.com") - -else: - pdffile = sys.argv[1] - - oPDF = mPDF.cPDF(pdffile) - - oPDF.header() - - oPDF.template1() - - #oPDF.stream(5, 0, "BT /F1 24 Tf 100 700 Td (Hello World) Tj ET") - oPDF.stream(5, 0, """BT /F1 12 Tf 100 700 Td 15 TL -(Hello World) Tj -(Second Line) ' -(Third Line) ' -ET -100 712 100 -100 re S""") - - oPDF.xrefAndTrailer("1 0 R") +#!/usr/bin/env python3 +#20080518 +#20080519 + +import mPDF +import time +import zlib +import sys + +if len(sys.argv) != 2: + print("Usage: make-pdf-helloworld pdf-file") + print(" ") + print(" Source code put in the public domain by Didier Stevens, no Copyright") + print(" Use at your own risk") + print(" https://DidierStevens.com") + +else: + pdffile = sys.argv[1] + + oPDF = mPDF.cPDF(pdffile) + + oPDF.header() + + oPDF.template1() + + #oPDF.stream(5, 0, "BT /F1 24 Tf 100 700 Td (Hello World) Tj ET") + oPDF.stream(5, 0, """BT /F1 12 Tf 100 700 Td 15 TL +(Hello World) Tj +(Second Line) ' +(Third Line) ' +ET +100 712 100 -100 re S""") + + oPDF.xrefAndTrailer("1 0 R") diff --git a/sift/files/sorter/windows.sort.bak b/sift/files/sorter/windows.sort.bak deleted file mode 100644 index 1897bf6..0000000 --- a/sift/files/sorter/windows.sort.bak +++ /dev/null 
@@ -1,278 +0,0 @@ -# -# config file for Sleuth Kit sorter -# -# Windows Platform -# -# To make custom modifications, you can also use a file named -# windows.lcl.sort - -########################################################################## -# Multimedia -########################################################################## -# Audio -category audio Playlist -# Audio -category audio Winamp -ext avs Winamp plug in -category audio WAVE audio -ext wav WAVE audio -category audio Microsoft ASF -ext wmv Microsoft ASF -ext wma Microsoft ASF -category audio MPEG ADTS -ext WAV MPEG ADTS, layer I, v1 -ext wav MPEG ADTS, layer I, v1 -category audio AVI -ext avi AVI -category audio Playlist -ext wpl Windows Media Player Playlist -category midi MIDI -ext mid,rmi MIDI -category MP3 MP3 -ext mp3 MP3 -category SQLite SQLite -# Images -category JPEG JPEG image -ext jpg,jpeg,jpe JPEG image -category GIF GIF image -ext gif GIF image -category TIF TIFF image -ext tif TIFF image -category PNG PNG image -ext png PNG image -category BMP PC bitmap -ext bmp PC bitmap -category Fonts font -ext ttf true type font -# Video -category video RealMedia -ext rm RealMedia -category video Macromedia Flash data -ext swf Macromedia Flash data -category ICM Microsoft ICM Color Profile -ext icm Microsoft ICM Color Profile -########################################################################## -# archive & compression -########################################################################## -category ZIP Zip -ext zip,jar Zip archive data -ext wmz Zip archive data -category TAR tar -ext tar tar archive -category MSCab Cabinet -ext cab Microsoft Cabinet File -category archive archive -category database DB -ext db Berkeley DB -########################################################################## -# compression -########################################################################## -category compress compress -ext gz,tgz gzip compressed data -ext Z compress'd data 
-########################################################################## -# Executables -########################################################################## -category exec MS\-DOS executable -ext exe,dll,com MS\-DOS executable -ext ocx,sys,tlb MS\-DOS executable -ext drv,cpl,scr MS\-DOS executable -ext ax MS\-DOS executable -ext 386,acm,flt MS\-DOS executable -ext fon,lrc,vxd MS\-DOS executable -ext x32 MS\-DOS executable -category exec executable MS\-DOS -ext exe MZ executable MS\-DOS -ext com MZ executable MS\-DOS -category exec PE executable MS Windows -ext exe,dll,com PE executable MS Windows -ext ocx,sys,acm PE executable MS Windows -ext tlb,drv,scr PE executable MS Windows -ext cpl,ax,vdx PE executable MS Windows -ext fon,rll,tsp PE executable MS Windows -category exec NE executable MS Windows -ext exe,dll,com NE executable MS Windows -ext ocx,sys,acm NE executable MS Windows -ext tlb,drv,scr NE executable MS Windows -ext cpl,ax,vxd NE executable MS Windows -ext fon,tsp NE executable MS Windows -category exec relocatable -ext dll relocatable -category exec batch file -ext bat batch file -ext bat ASCII text -ext bat ASCII English text -ext nt DOS batch file -ext cmd DOS batch file -# source code -category exec MSVC program database -ext pdb MSVC program database -category exec \sscript -########################################################################## -# Java -category exec class data -ext class Java class data -########################################################################## -category exec object -ext o object -category exec python compiled -category lnk MS Windows shortcut -ext lnk shortcut -#########################################################################y -# Images -category icon icon resource -ext ico ms\-windows icon resource -category cursor cursor -ext cur ms\-cursor -ext ani animated cursor -########################################################################## -category MSmbox Outlook binary email folder -ext 
pst Outlook binary email folder -category MSdocs Microsoft Office Document -ext doc,dot,docx Microsoft Office Document -ext msc,pcb Microsoft Office Document -ext ppt,pot,pptx Microsoft Office Document -ext xls,xlsx Microsoft Office Document -ext msi Microsoft Office Document -category MSdocs Microsoft Word Document -ext doc Microsoft Word Document -category MSdocs conversion doc -ext wpc conversion doc -category MSdocs conversion doc -category MSdocs Microsoft Excel Worksheet -ext xls,xlt,xlsx Microsoft Excel Worksheet -ext cvs Microsoft Excel Worksheet -# MS Access DB -category MSdb Microsoft Access Database -ext mdb Microsoft Access Database -category PNF PNF -ext pnf PNF -ext PNF PNF -ext pnf PNF Windows -category documents Rich Text Format -ext rtf Rich Text Format -category documents document -ext ps,eps PostScript document -category InternetExplorer Internet Explorer cache file -ext dat Internet Explorer cache file -# Corel & Word Perfect -category Coreldocs Corel\/WP -ext wpg,wpd,shw Corel\/WP -# Lotus -category Lotus Lotus 1\-2\-3 -ext wb2 Lotus 1\-2\-3 -ext wk4 Lotus 1\-2\-3 -# Adobe -category AdobePDF PDF document -ext pdf PDF document -######################################################################### -#Unicode -######################################################################### -category unicode UniCode -ext mof MOF,MLF UniCode File -ext mfl MOF,MLF UniCode File -########################################################################## -# HTML -########################################################################## -category html HTML document text -ext hhk HTML document text -ext htm,hta HTML document text -ext html,css HTML document text -########################################################################## -# Text -########################################################################## -category text ASCII(.*?)text -ext txt ASCII(.*?)text -ext log ASCII(.*?)text -ext h ASCII(.*?)text -ext sh,csh ASCII(.*?)text -ext conf 
ASCII(.*?)text -ext inc ASCII(.*?)text -ext wpl ASCII(.*?)text -ext xdr ASCII(.*?)text -ext js ASCII(.*?)text -ext sam ASCII(.*?)text -ext scf ASCII(.*?)text -ext scp ASCII(.*?)text -ext gpd ASCII(.*?)text -ext dun ASCII(.*?)text -ext isp ASCII(.*?)text -ext XML ASCII(.*?)text -ext DTD ASCII(.*?)text -ext reg ASCII(.*?)text -ext asp ASCII(.*?)text -ext vbs ASCII(.*?)text -ext xdr ASCII(.*?)text -ext xsl ASCII(.*?)text -ext c,cpp,h,js ASCII(.*?)text -ext mof ASCII(.*?)text -ext sql ASCII(.*?)text -ext htt ASCII(.*?)text -ext hxx ASCII(.*?)text -ext cpx ASCII(.*?)text -ext obe ASCII(.*?)text -ext ini,inf ASCII(.*?)text -ext srg,dep ASCII(.*?)text -ext htm ASCII(.*?)text -ext htm,css ASCII(.*?)text -ext css ASCII(.*?)text -category text character data -ext txt character data -category text ISO\-8859(.*?)text -ext txt ISO\-8859(.*?)text -ext ini ISO\-8859(.*?)text -ext inf ISO\-8859(.*?)text -category text exported SGML document text -ext htm exported SGML document text -category text \ssource -########################################################################## -# INF -########################################################################## -category inf Lisp -ext inf Lisp/Scheme program text -########################################################################## -# XML -########################################################################## -category XML XML -ext xml XML Template -ext xml XML Mapping -ext xml XML Document -ext xdr XML document text -ext xsl XML document text -ext msc XML document text -ext manifest XML document text -ext dtd XML document text -ext Policy XML document text -########################################################################## -# Other -########################################################################## -# Disk -category disk boot sector -category disk filesystem data -# Crypto -category crypto PGP -ext asc PGP armored -# Postscript Printer Description -category system PPD file -ext ppd PPD file -# 'file' 
reports 'data' for all unknown binary files -# do not bother with extensions with this -category data ^data$ -# category ignore raw G3 data, byte\-padded -########################################################################## -# System -category helpfiles Help Data -ext hlp Windows Help Data -ext chm Windows Help File -category helpfiles MS Windows 3.x help file -ext hlp MS Windows 3.x help file -category registry Registry file -ext dat Registry file -category lnk MS\-Windows shortcut -ext lnk MS\-Windows shortcut -category browser Internet shortcut -ext url Internet shortcut -category system hyperterm -ext ht hyperterm -category MOF Little-endian UTF-16 Unicode C++ program text -ext mof Little-endian UTF-16 Unicode C++ program text diff --git a/sift/include-server.sls b/sift/include-server.sls index adc224a..f23144c 100644 --- a/sift/include-server.sls +++ b/sift/include-server.sls @@ -1,7 +1,7 @@ include: - sift.repos - - sift.packages - sift.python3-packages + - sift.packages - sift.perl-packages - sift.scripts @@ -10,7 +10,7 @@ sift-server-include: - name: sift-server-include - require: - sls: sift.repos - - sls: sift.packages - sls: sift.python3-packages + - sls: sift.packages - sls: sift.perl-packages - sls: sift.scripts diff --git a/sift/packages/ewf-tools.sls b/sift/packages/ewf-tools.sls new file mode 100644 index 0000000..72c00d3 --- /dev/null +++ b/sift/packages/ewf-tools.sls @@ -0,0 +1,2 @@ +ewf-tools: + pkg.installed diff --git a/sift/packages/init.sls b/sift/packages/init.sls index f72df38..e757726 100644 --- a/sift/packages/init.sls +++ b/sift/packages/init.sls @@ -1,13 +1,13 @@ include: - sift.packages.dbus-x11 - sift.packages.aeskeyfind - - sift.packages.afflib-tools +# - sift.packages.afflib-tools - sift.packages.aircrack-ng - sift.packages.apache2 - sift.packages.arp-scan - sift.packages.autopsy - sift.packages.aws-cli - - sift.packages.avfs +# - sift.packages.avfs - sift.packages.bless - sift.packages.blt - sift.packages.build-essential 
@@ -24,7 +24,7 @@ include: - sift.packages.dc3dd - sift.packages.dcfldd - sift.packages.default-jre - - sift.packages.disktype +# - sift.packages.disktype - sift.packages.dislocker - sift.packages.docker - sift.packages.driftnet @@ -69,7 +69,7 @@ include: - sift.packages.libafflib - sift.packages.libbcprov-java - sift.packages.libbde - - sift.packages.libbde-tools +# - sift.packages.libbde-tools - sift.packages.libcommons-lang3-java - sift.packages.libdatetime-perl - sift.packages.libesedb @@ -78,10 +78,10 @@ include: - sift.packages.libevt-tools - sift.packages.libevtx - sift.packages.libevtx-tools - - sift.packages.libewf - - sift.packages.libewf-dev +# - sift.packages.libewf +# - sift.packages.libewf-dev - sift.packages.libewf-python3 - - sift.packages.libewf-tools +# - sift.packages.libewf-tools - sift.packages.libext2fs2 - sift.packages.libffi-dev - sift.packages.libfsapfs-tools @@ -107,7 +107,7 @@ include: - sift.packages.libvshadow - sift.packages.libvshadow-dev - sift.packages.libvshadow-python3 - - sift.packages.libvshadow-tools +# - sift.packages.libvshadow-tools - sift.packages.libxml2-dev - sift.packages.libxslt-dev - sift.packages.magnus @@ -121,7 +121,7 @@ include: - sift.packages.nfdump - sift.packages.ngrep - sift.packages.nikto - - sift.packages.ntfs-3g +# - sift.packages.ntfs-3g - sift.packages.okular - sift.packages.onboard - sift.packages.open-iscsi @@ -146,10 +146,10 @@ include: - sift.packages.python3-dev - sift.packages.python3-dfvfs - sift.packages.python3-fuse - - sift.packages.python3-pefile +# - sift.packages.python3-pefile - sift.packages.python3-pip - sift.packages.python3-pypff - - sift.packages.python3-pytsk3 +# - sift.packages.python3-pytsk3 - sift.packages.python3-pyqt5 - sift.packages.python3-redis - sift.packages.python3-tk 
@@ -158,7 +158,7 @@ include: - sift.packages.python3-yara - sift.packages.pst-utils - sift.packages.qemu - - sift.packages.qemu-utils +# - sift.packages.qemu-utils - sift.packages.radare2 - sift.packages.rar - sift.packages.rsakeyfind @@ -167,7 +167,7 @@ include: - sift.packages.samdump2 - sift.packages.scalpel - sift.packages.silversearcher-ag - - sift.packages.sleuthkit +# - sift.packages.sleuthkit - sift.packages.socat - sift.packages.ssdeep - sift.packages.ssldump @@ -182,7 +182,7 @@ include: - sift.packages.tcptrace - sift.packages.tcptrack - sift.packages.tcpxtract - - sift.packages.testdisk +# - sift.packages.testdisk - sift.packages.tofrodos - sift.packages.transmission - sift.packages.unrar @@ -191,13 +191,13 @@ include: - sift.packages.vbindiff - sift.packages.vim - sift.packages.virtuoso-minimal - - sift.packages.vmfs-tools +# - sift.packages.vmfs-tools - sift.packages.winbind - sift.packages.wine - sift.packages.wireshark - sift.packages.xdot - - sift.packages.xfsprogs - - sift.packages.xmount +# - sift.packages.xfsprogs +# - sift.packages.xmount - sift.packages.zenity - sift.packages.python3-debian @@ -207,13 +207,13 @@ sift-packages: - require: - sls: sift.packages.dbus-x11 - sls: sift.packages.aeskeyfind - - sls: sift.packages.afflib-tools +# - sls: sift.packages.afflib-tools - sls: sift.packages.aircrack-ng - sls: sift.packages.apache2 - sls: sift.packages.arp-scan - sls: sift.packages.autopsy - sls: sift.packages.aws-cli - - sls: sift.packages.avfs +# - sls: sift.packages.avfs - sls: sift.packages.bless - sls: sift.packages.blt - sls: sift.packages.build-essential @@ -230,7 +230,7 @@ sift-packages: - sls: sift.packages.dc3dd - sls: sift.packages.dcfldd - sls: sift.packages.default-jre - - sls: sift.packages.disktype +# - sls: sift.packages.disktype - sls: sift.packages.dislocker - sls: sift.packages.docker - sls: sift.packages.driftnet 
@@ -275,7 +275,7 @@ sift-packages: - sls: sift.packages.libafflib - sls: sift.packages.libbcprov-java - sls: sift.packages.libbde - - sls: sift.packages.libbde-tools +# - sls: sift.packages.libbde-tools - sls: sift.packages.libcommons-lang3-java - sls: sift.packages.libdatetime-perl - sls: sift.packages.libesedb @@ -284,10 +284,10 @@ sift-packages: - sls: sift.packages.libevt-tools - sls: sift.packages.libevtx - sls: sift.packages.libevtx-tools - - sls: sift.packages.libewf - - sls: sift.packages.libewf-dev +# - sls: sift.packages.libewf +# - sls: sift.packages.libewf-dev - sls: sift.packages.libewf-python3 - - sls: sift.packages.libewf-tools +# - sls: sift.packages.libewf-tools - sls: sift.packages.libext2fs2 - sls: sift.packages.libffi-dev - sls: sift.packages.libfsapfs-tools @@ -313,7 +313,7 @@ sift-packages: - sls: sift.packages.libvshadow - sls: sift.packages.libvshadow-dev - sls: sift.packages.libvshadow-python3 - - sls: sift.packages.libvshadow-tools +# - sls: sift.packages.libvshadow-tools - sls: sift.packages.libxml2-dev - sls: sift.packages.libxslt-dev - sls: sift.packages.magnus @@ -327,7 +327,7 @@ sift-packages: - sls: sift.packages.nfdump - sls: sift.packages.ngrep - sls: sift.packages.nikto - - sls: sift.packages.ntfs-3g +# - sls: sift.packages.ntfs-3g - sls: sift.packages.okular - sls: sift.packages.onboard - sls: sift.packages.open-iscsi @@ -352,10 +352,10 @@ sift-packages: - sls: sift.packages.python3-dev - sls: sift.packages.python3-dfvfs - sls: sift.packages.python3-fuse - - sls: sift.packages.python3-pefile +# - sls: sift.packages.python3-pefile - sls: sift.packages.python3-pip - sls: sift.packages.python3-pypff - - sls: sift.packages.python3-pytsk3 +# - sls: sift.packages.python3-pytsk3 - sls: sift.packages.python3-pyqt5 - sls: sift.packages.python3-redis - sls: sift.packages.python3-tk 
@@ -364,7 +364,7 @@ sift-packages: - sls: sift.packages.python3-yara - sls: sift.packages.pst-utils - sls: sift.packages.qemu - - sls: sift.packages.qemu-utils +# - sls: sift.packages.qemu-utils - sls: sift.packages.radare2 - sls: sift.packages.rar - sls: sift.packages.rsakeyfind @@ -373,7 +373,7 @@ sift-packages: - sls: sift.packages.samdump2 - sls: sift.packages.scalpel - sls: sift.packages.silversearcher-ag - - sls: sift.packages.sleuthkit +# - sls: sift.packages.sleuthkit - sls: sift.packages.socat - sls: sift.packages.ssdeep - sls: sift.packages.ssldump @@ -388,7 +388,7 @@ sift-packages: - sls: sift.packages.tcptrace - sls: sift.packages.tcptrack - sls: sift.packages.tcpxtract - - sls: sift.packages.testdisk +# - sls: sift.packages.testdisk - sls: sift.packages.tofrodos - sls: sift.packages.transmission - sls: sift.packages.unity-control-center @@ -397,12 +397,12 @@ sift-packages: - sls: sift.packages.vbindiff - sls: sift.packages.vim - sls: sift.packages.virtuoso-minimal - - sls: sift.packages.vmfs-tools +# - sls: sift.packages.vmfs-tools - sls: sift.packages.winbind - sls: sift.packages.wine - sls: sift.packages.wireshark - sls: sift.packages.xdot - - sls: sift.packages.xfsprogs - - sls: sift.packages.xmount +# - sls: sift.packages.xfsprogs +# - sls: sift.packages.xmount - sls: sift.packages.zenity - sls: sift.packages.python3-debian diff --git a/sift/packages/libbz2-dev.sls b/sift/packages/libbz2-dev.sls new file mode 100644 index 0000000..d33d282 --- /dev/null +++ b/sift/packages/libbz2-dev.sls @@ -0,0 +1,2 @@ +libbz2-dev: + pkg.installed diff --git a/sift/packages/libgtk-3-dev.sls b/sift/packages/libgtk-3-dev.sls new file mode 100644 index 0000000..247d0a2 --- /dev/null +++ b/sift/packages/libgtk-3-dev.sls @@ -0,0 +1,2 @@ +libgtk-3-dev: + pkg.installed diff --git a/sift/packages/mtd-utils.sls b/sift/packages/mtd-utils.sls new file mode 100644 index 0000000..45f4996 --- /dev/null +++ b/sift/packages/mtd-utils.sls @@ -0,0 +1,2 @@ +mtd-utils: + pkg.installed 
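Review bot: Commenting `sift.packages.sleuthkit` out of both the `include:` list (the `@@ -167,7` hunk) and the `sift-packages` `require:` list (the `@@ -373,7` hunk above) means `sift.packages` no longer applies sleuthkit at all, even though sleuthkit.sls is kept and edited in this same patch; unless another state still includes it, the package silently drops out of the build. The same question applies to the other `#`-prefixed entries (afflib-tools, avfs, disktype, libbde-tools, libvshadow-tools, ntfs-3g, xfsprogs, xmount, qemu-utils, testdisk, vmfs-tools): several of them are still included from imagemounter.sls, so they keep being installed only through that path, while the rest are gone. If these are meant to be removed, deleting the lines is clearer than leaving two parallel lists of commented entries; if they are temporarily disabled, one comment at the top of the list saying why, e.g. `# disabled pending <reason>; the imagemounter state still pulls the ones it needs`, saves the next reader the search.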
diff --git a/sift/packages/python3-magic.sls b/sift/packages/python3-magic.sls
new file mode 100644
index 0000000..9b13493
--- /dev/null
+++ b/sift/packages/python3-magic.sls
@@ -0,0 +1,2 @@
+python3-magic:
+ pkg.installed
diff --git a/sift/packages/python3-wxgtk4.sls b/sift/packages/python3-wxgtk4.sls
new file mode 100644
index 0000000..85e4322
--- /dev/null
+++ b/sift/packages/python3-wxgtk4.sls
@@ -0,0 +1,2 @@
+python3-wxgtk4.0:
+ pkg.installed
diff --git a/sift/packages/sleuthkit.sls b/sift/packages/sleuthkit.sls
index 07d07f1..045c28a 100644
--- a/sift/packages/sleuthkit.sls
+++ b/sift/packages/sleuthkit.sls
@@ -1,10 +1,10 @@
-include:
- - sift.repos.gift
- - sift.repos.sift
+#include:
+# - sift.repos.gift
+# - sift.repos.sift
 sift-package-sleuthkit:
 pkg.latest:
 - name: sleuthkit
- - require:
- - sls: sift.repos.sift
- - sls: sift.repos.gift
+# - require:
+# - sls: sift.repos.sift
+# - sls: sift.repos.gift
diff --git a/sift/packages/squashfs-tools.sls b/sift/packages/squashfs-tools.sls
new file mode 100644
index 0000000..2fd59d3
--- /dev/null
+++ b/sift/packages/squashfs-tools.sls
@@ -0,0 +1,2 @@
+squashfs-tools:
+ pkg.installed
diff --git a/sift/packages/zlib1g-dev.sls b/sift/packages/zlib1g-dev.sls
new file mode 100644
index 0000000..d5c9b85
--- /dev/null
+++ b/sift/packages/zlib1g-dev.sls
@@ -0,0 +1,2 @@
+zlib1g-dev:
+ pkg.installed
diff --git a/sift/scripts/4n6.sls b/sift/python3-packages/4n6.sls
similarity index 54%
rename from sift/scripts/4n6.sls
rename to sift/python3-packages/4n6.sls
index 35e6bb8..056f2f0 100644
--- a/sift/scripts/4n6.sls
+++ b/sift/python3-packages/4n6.sls
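Review bot: With the `require:` on `sift.repos.sift`/`sift.repos.gift` commented out, `pkg.latest` for sleuthkit no longer has any ordering relationship to the repo states; unless the top-level ordering already guarantees `sift.repos` runs first, a fresh host may resolve `sleuthkit` from the stock distro repository on the first run and then have `pkg.latest` switch it to the repo build on a later one. That may be the intent (use the distro package), but the file does not say so, and keeping the old block as `#` lines leaves both readings open. If the distro package is intended, delete the commented block and add a one-line reason such as `# sleuthkit: installed from the distribution repository, the GIFT/SIFT repo build is no longer required`; if the repo build is still wanted, the include and require should come back.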
@@ -1,6 +1,6 @@
 {% set files = [('Android', ['fbmsg-extractor.py','imgcache-parse-mod.py','imgcache-parse.py','print_apk_perms.py','wwf-chat-parser.py']),
 ('Ford', ['sync3-unisearch.py','sync3-unisearch2kml.py']),
- ('Google_Takeout_Records', ['gRecordsActivity_json_date.py']),
+ ('Google_Takeout_Records', ['gRecordsActivity_ijson_date.py']),
 ('Samsung_Gallery3d_2022', ['java-hashcode.py','samsung_gallery3d_filesysmon_parser_v11.py','samsung_gallery3d_log_parser_v10.py','samsung_gallery3d_log_parser_v11.py','samsung_gallery3d_trash_parser_v10.py']),
 ('WindowsPhone8', ['WP8_AppPerms.py','wp8-1-callhistory.py','wp8-1-contacts.py','wp8-1-mms-filesort.py','wp8-1-mms.py','wp8-1-sms.py','wp8-callhistory.py','wp8-contacts.py','wp8-fb-msg.py','wp8-sha256-pin-finder.py','wp8-sms.py']),
 ('iOS', ['ios14_maps_history.py','vmail-db-2-html.pl']),
@@ -8,15 +8,9 @@
 ('utilities', ['chunkymonkey.py','dextract.def','dextract.py','google-ei-time.py','msoffice-pic-extractor.py','parse_garmin56LM.py','plist2db.py','s2-cellid2latlong.py','s2-latlong2cellid.py','sqlite-base64-decode.py','sqlite-blob-dumper.py','sqlite-parser.pl','squirrelgripper-README.txt','squirrelgripper.pl','timediff32.pl']) ] %}
-{% set noshebang = ['sqlite-base64-decode.py','sqlite-blob-dumper.py','wp8-sha256-pin-finder.py'] %}
-{% set fixshebangpy2 = ['fbmsg-extractor.py','imgcache-parse-mod.py','imgcache-parse.py','print_apk_perms.py','wwf-chat-parser.py','WP8_AppPerms.py','wp8-1-callhistory.py','wp8-1-contacts.py','wp8-1-mms-filesort.py','wp8-1-mms.py','wp8-1-sms.py','wp8-callhistory.py','wp8-contacts.py','wp8-fb-msg.py','wp8-sms.py','chunkymonkey.py','dextract.py','google-ei-time.py','msoffice-pic-extractor.py','s2-cellid2latlong.py','s2-latlong2cellid.py'] %}
-{% set fixshebangpy3 = ['sync3-unisearch.py','sync3-unisearch2kml.py','gLocationHistoryActivity.py','gRecordsActivity_ijson_date.py','java-hashcode.py','samsung_gallery3d_filesysmon_parser_v11.py','samsung_gallery3d_log_parser_v10.py','samsung_gallery3d_log_parser_v11.py','samsung_gallery3d_trash_parser_v10.py'] %}
-
 include:
- - sift.python3-packages.ijson
- - sift.python3-packages.s2sphere
+ - sift.packages.python3-virtualenv
 - sift.packages.git
- - sift.packages.python3
 - sift.perl-packages.exiftool
 - sift.perl-packages.cgi
 - sift.perl-packages.xpath
@@ -25,7 +19,20 @@ include:
 - sift.perl-packages.dbi
 - sift.perl-packages.datecalc
-sift-scripts-4n6-git:
+sift-python3-package-4n6-scripts-venv:
+ virtualenv.managed:
+ - name: /opt/4n6-scripts
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - ijson
+ - s2sphere
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-4n6-scripts-git:
 git.latest:
 - name: https://github.com/digitalsleuth/4n6-scripts.git
 - target: /usr/local/src/4n6-scripts
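Review bot: `ijson` and `s2sphere` in the new `pip_pkgs` list are unpinned and the `pip>=`/`setuptools>=`/`wheel>=` entries are only lower bounds, so the venv gets whatever PyPI serves on the day the state runs; two builds of the image are not reproducible, and a yanked, broken or hijacked upstream release arrives on the next highstate with no change in this repository. The same pattern appears in analyzemft.sls, defang.sls and imagemounter.sls further down (`pip.installed` with `upgrade: True` and an unpinned `name:`, plus their own `pip_pkgs` lists), whereas indxparse.sls pins `@{{ commit }}` for its git source and is the better model. Pinning exact versions here (`- ijson==<version>`, `- s2sphere==<version>`) and bumping them deliberately, or pointing `requirements:` at a requirements file carrying `--hash=` entries, keeps the install deterministic and reviewable.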
@@ -35,18 +42,56 @@ sift-scripts-4n6-git:
 - force_reset: True
 - require:
 - sls: sift.packages.git
- - sls: sift.packages.python3
 {% for folder, file_list in files %}
-{% for file in file_list %}
-sift-scripts-4n6-{{ file }}:
+{% for file in file_list %}
+{% if file.split('.')[1] == "py" %}
+
+sift-python3-package-4n6-scripts-copy-{{ file }}:
+ file.copy:
+ - name: /opt/4n6-scripts/bin/{{ file }}
+ - source: /usr/local/src/4n6-scripts/{{ folder }}/{{ file }}
+ - force: True
+ - mode: 755
+ - require:
+ - git: sift-python3-package-4n6-scripts-git
+
+sift-python3-package-4n6-scripts-shebang-{{ file }}:
+ file.replace:
+ - name: /opt/4n6-scripts/bin/{{ file }}
+ - pattern: '#! /usr/bin/env python3'
+ - repl: '#!/opt/4n6-scripts/bin/python3'
+ - count: 1
+ - require:
+ - file: sift-python3-package-4n6-scripts-copy-{{ file }}
+
+sift-python3-package-4n6-scripts-symlink-{{ file }}:
+ file.symlink:
+ - name: /usr/local/bin/{{ file }}
+ - target: /opt/4n6-scripts/bin/{{ file }}
+ - makedirs: False
+ - require:
+ - file: sift-python3-package-4n6-scripts-shebang-{{ file }}
+
+sift-python3-package-4n6-scripts-remove-{{ file }}-bak:
+ file.absent:
+ - name: /opt/4n6-scripts/bin/{{ file }}.bak
+ - require:
+ - file: sift-python3-package-4n6-scripts-symlink-{{ file }}
+
+{% else %}
+
+sift-python3-package-4n6-scripts-copy-{{ file }}:
 file.copy:
 - name: /usr/local/bin/{{ file }}
 - source: /usr/local/src/4n6-scripts/{{ folder }}/{{ file }}
 - force: True
 - mode: 755
- - watch:
- - git: sift-scripts-4n6-git
+ - require:
+ - git: sift-python3-package-4n6-scripts-git
+
+{% endif %}
 {% endfor %}
 {% endfor %}
+
diff --git a/sift/python3-packages/analyzemft.sls b/sift/python3-packages/analyzemft.sls
index 0395982..b76d02e 100644
--- a/sift/python3-packages/analyzemft.sls
+++ b/sift/python3-packages/analyzemft.sls
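Review bot: The shebang rewrite only matches the literal `'#! /usr/bin/env python3'` (with the space), so any copied script whose first line is `#!/usr/bin/env python3`, a python2 shebang, or no shebang at all — exactly the cases the removed `noshebang` and `fixshebangpy2` lists were tracking on the old side — keeps pointing at the system interpreter, and the `/usr/local/bin` symlink then runs it outside `/opt/4n6-scripts`, where `ijson` and `s2sphere` are not installed. A first-line regex plus prepend covers all three cases, and disabling the backup removes the need for the separate `remove-{{ file }}-bak` state: `- pattern: '^#!.*python.*$'`, `- prepend_if_not_found: True`, `- backup: False`. Separately, `{% if file.split('.')[1] == "py" %}` misclassifies any name with a second dot or none at all; `{% if file.endswith('.py') %}` is the robust form.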
@@ -1,10 +1,29 @@
 include:
- - sift.python3-packages.core
+ - sift.packages.python3-virtualenv
-analyzemft:
+sift-python3-package-analyzemft-virtualenv:
+ virtualenv.managed:
+ - name: /opt/analyzemft
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-analyzemft:
 pip.installed:
 - name: analyzeMFT
- - bin_env: /usr/bin/python3
+ - bin_env: /opt/analyzemft/bin/python3
 - upgrade: True
 - require:
- - sls: sift.python3-packages.core
+ - virtualenv: sift-python3-package-analyzemft-virtualenv
+
+sift-python3-package-analyzemft-symlink:
+ file.symlink:
+ - name: /usr/local/bin/analyzemft
+ - target: /opt/analyzemft/bin/analyzemft
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-analyzemft
diff --git a/sift/python3-packages/argparse.sls b/sift/python3-packages/argparse.sls
deleted file mode 100644
index 1921d08..0000000
--- a/sift/python3-packages/argparse.sls
+++ /dev/null
@@ -1,9 +0,0 @@
-include:
- - sift.python3-packages.core
-
-sift-python3-packages-argparse:
- pip.installed:
- - name: argparse
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/bitstring.sls b/sift/python3-packages/bitstring.sls
deleted file mode 100644
index 7d5ca3b..0000000
--- a/sift/python3-packages/bitstring.sls
+++ /dev/null
@@ -1,9 +0,0 @@
-include:
- - sift.python3-packages.core
-
-sift-python3-packages-bitstring:
- pip.installed:
- - name: bitstring
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/capstone.sls b/sift/python3-packages/capstone.sls
deleted file mode 100644
index f5eda6e..0000000
--- a/sift/python3-packages/capstone.sls
+++ /dev/null
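Review bot: `file.symlink` creates `/usr/local/bin/analyzemft` without checking that `/opt/analyzemft/bin/analyzemft` exists, so if the console script that the `analyzeMFT` distribution installs into the venv's `bin/` is spelled differently (the upstream project capitalises the name, and I cannot verify the entry-point name from here), the state reports success and leaves a dangling link that only fails when someone runs the tool. A `file.exists` state on the target path, listed as a `require:` of the symlink state, turns that into a visible highstate failure. The same applies to the `defang`, `imount` and the nine indxparse symlinks added later in this patch.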
@@ -1,10 +0,0 @@
-include:
- - sift.python3-packages.core
-
-sift-python3-package-capstone:
- pip.installed:
- - name: capstone
- - bin_env: /usr/bin/python3
- - upgrade: True
- - require:
- - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/colorama.sls b/sift/python3-packages/colorama.sls
deleted file mode 100644
index 2b985b2..0000000
--- a/sift/python3-packages/colorama.sls
+++ /dev/null
@@ -1,9 +0,0 @@
-include:
- - sift.python3-packages.core
-
-sift-python3-packages-colorama:
- pip.installed:
- - name: colorama
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/defang.sls b/sift/python3-packages/defang.sls
index 74e31cb..6cd8838 100644
--- a/sift/python3-packages/defang.sls
+++ b/sift/python3-packages/defang.sls
@@ -1,11 +1,31 @@
 # WEBSITE: https://github.com/HurricaneLabs/machinae
 # LICENSE: MIT
 include:
- - sift.python3-packages.core
+ - sift.packages.python3-virtualenv
-sift-python3-packages-defang:
+sift-python3-package-defang-venv:
+ virtualenv.managed:
+ - name: /opt/defang
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-defang:
 pip.installed:
 - name: defang
- - bin_env: /usr/bin/python3
+ - bin_env: /opt/defang/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-defang-venv
+
+sift-python3-package-defang-symlink:
+ file.symlink:
+ - name: /usr/local/bin/defang
+ - target: /opt/defang/bin/defang
+ - makedirs: False
 - require:
- - sls: sift.python3-packages.core
+ - pip: sift-python3-package-defang
diff --git a/sift/python3-packages/geoip2.sls b/sift/python3-packages/geoip2.sls
deleted file mode 100644
index 0d4224a..0000000
--- a/sift/python3-packages/geoip2.sls
+++ /dev/null
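Review bot: The header comment kept as context at the top of the defang hunk still reads `# WEBSITE: https://github.com/HurricaneLabs/machinae`, which is the machinae project's page rather than defang's; since this hunk rewrites the rest of the file, it is the moment to correct it to the defang repository, e.g. `# WEBSITE: https://github.com/HurricaneLabs/defang`. A reader checking the licence or provenance of what `/usr/local/bin/defang` runs would otherwise be sent to the wrong project.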
@@ -1,9 +0,0 @@
-include:
- - sift.python3-packages.core
-
-sift-python3-packages-geoip2:
- pip.installed:
- - name: geoip2
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/ijson.sls b/sift/python3-packages/ijson.sls
deleted file mode 100644
index 7558c4e..0000000
--- a/sift/python3-packages/ijson.sls
+++ /dev/null
@@ -1,9 +0,0 @@
-include:
- - sift.python3-packages.core
-
-sift-python3-packages-ijson:
- pip.installed:
- - name: ijson
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/imagemounter.sls b/sift/python3-packages/imagemounter.sls
index 478aab0..4822ac3 100644
--- a/sift/python3-packages/imagemounter.sls
+++ b/sift/python3-packages/imagemounter.sls
@@ -1,13 +1,13 @@
 include:
- - sift.python3-packages.core
- - sift.python3-packages.python-magic
+ - sift.packages.python3-virtualenv
 - sift.packages.afflib-tools
 - sift.packages.avfs
 - sift.packages.disktype
 - sift.packages.libbde-tools
- - sift.packages.libewf
- - sift.packages.libewf-dev
- - sift.packages.libewf-tools
+# - sift.packages.libewf
+# - sift.packages.libewf-dev
+# - sift.packages.libewf-tools
+ - sift.packages.ewf-tools
 - sift.packages.libvshadow-tools
 - sift.packages.ntfs-3g
 - sift.packages.python3-pytsk3
@@ -18,21 +18,33 @@ include:
 - sift.packages.xfsprogs
 - sift.packages.xmount
 - sift.packages.libguestfs-tools
+ - sift.packages.mtd-utils
+ - sift.packages.squashfs-tools
+ - sift.packages.git
+ - sift.packages.build-essential
+ - sift.packages.python3-dev
-sift-python3-packages-imagemounter:
- pip.installed:
- - name: imagemounter
- - bin_env: /usr/bin/python3
+sift-python3-package-imagemounter-venv:
+ virtualenv.managed:
+ - name: /opt/imagemounter
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - python-magic
+ - pytsk3
 - require:
- - sls: sift.python3-packages.core
- - sls: sift.python3-packages.python-magic
+ - sls: sift.packages.python3-virtualenv
+ - sls: sift.packages.build-essential
 - sls: sift.packages.afflib-tools
 - sls: sift.packages.avfs
 - sls: sift.packages.disktype
 - sls: sift.packages.libbde-tools
- - sls: sift.packages.libewf
- - sls: sift.packages.libewf-dev
- - sls: sift.packages.libewf-tools
+# - sls: sift.packages.libewf
+# - sls: sift.packages.libewf-dev
+# - sls: sift.packages.libewf-tools
+ - sls: sift.packages.ewf-tools
 - sls: sift.packages.libvshadow-tools
 - sls: sift.packages.ntfs-3g
 - sls: sift.packages.python3-pytsk3
@@ -43,3 +55,23 @@ sift-python3-packages-imagemounter:
 - sls: sift.packages.xfsprogs
 - sls: sift.packages.xmount
 - sls: sift.packages.libguestfs-tools
+ - sls: sift.packages.mtd-utils
+ - sls: sift.packages.squashfs-tools
+ - sls: sift.packages.git
+ - sls: sift.packages.python3-dev
+
+sift-python3-package-imagemounter:
+ pip.installed:
+ - name: git+https://github.com/ralphje/imagemounter.git
+ - bin_env: /opt/imagemounter/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-imagemounter-venv
+
+sift-python3-package-imagemounter-symlink:
+ file.symlink:
+ - name: /usr/local/bin/imount
+ - target: /opt/imagemounter/bin/imount
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-imagemounter
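Review bot: `name: git+https://github.com/ralphje/imagemounter.git` with `upgrade: True` installs whatever the default branch's HEAD is when the state runs, so every highstate can pull different code and an upstream breaking or malicious commit lands automatically; indxparse.sls in this same patch pins its git source with `@{{ commit }}`, and `git+https://github.com/ralphje/imagemounter.git@<commit-sha>` would match it here. Separately, the venv is created without `system_site_packages`, so the `pytsk3` wheel under `pip_pkgs` is what imagemounter actually imports and the retained `sift.packages.python3-pytsk3` include/require appears to provide only an unused apt copy; keeping one of the two would make the dependency story clearer (the apt one still matters if a tool outside the venv needs it, which I cannot tell from here).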
diff --git a/sift/python3-packages/indxparse.sls b/sift/python3-packages/indxparse.sls
index 0a26978..e0982ef 100644
--- a/sift/python3-packages/indxparse.sls
+++ b/sift/python3-packages/indxparse.sls
@@ -1,16 +1,51 @@
-{%- set user = salt['pillar.get']('sift_user', 'sansforensics') -%}
 {%- set commit = "038e8ec836cf23600124db74b40757b7184c08c5" -%}
+{% set files = ['INDXParse.py','MFTINDX.py','MFTView.py','SDS_get_index.py','extract_mft_record_slack.py','fuse-mft.py','get_file_info.py','list_mft.py','tree_mft.py'] %}
 include:
+ - sift.packages.python3-virtualenv
 - sift.packages.git
- - sift.packages.python3-pip
 - sift.packages.python3-dev
+ - sift.packages.libgtk-3-dev
+ - sift.packages.pkg-config
+ - sift.packages.build-essential
+ - sift.packages.libfuse-dev
+ - sift.packages.python3-wxgtk4
-sift-python-packages-indxparse:
+sift-python3-package-indxparse-venv:
+ virtualenv.managed:
+ - name: /opt/indxparse
+ - venv_bin: /usr/bin/virtualenv
+ - system_site_packages: True
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - fuse-python
+ - importlib_metadata>=8.0.0
+ - require:
+ - sls: sift.packages.python3-virtualenv
+ - sls: sift.packages.python3-dev
+ - sls: sift.packages.libgtk-3-dev
+ - sls: sift.packages.pkg-config
+ - sls: sift.packages.build-essential
+ - sls: sift.packages.libfuse-dev
+ - sls: sift.packages.python3-wxgtk4
+
+sift-python3-package-indxparse:
 pip.installed:
 - name: git+https://github.com/williballenthin/INDXParse.git@{{ commit }}
- - bin_env: /usr/bin/python3
+ - bin_env: /opt/indxparse/bin/python3
+ - upgrade: True
 - require:
+ - virtualenv: sift-python3-package-indxparse-venv
 - sls: sift.packages.git
- - sls: sift.packages.python3-pip
- - sls: sift.packages.python3-dev
+
+{% for file in files %}
+sift-python3-package-indxparse-symlink-{{ file }}:
+ file.symlink:
+ - name: /usr/local/bin/{{ file }}
+ - target: /opt/indxparse/bin/{{ file }}
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-indxparse
+{% endfor %}
diff --git a/sift/python3-packages/init.sls b/sift/python3-packages/init.sls
index fde068c..1785d96 100644
--- a/sift/python3-packages/init.sls
+++ b/sift/python3-packages/init.sls
@@ -1,66 +1,54 @@ include: - - sift.python3-packages.pip - sift.python3-packages.python3-keyring - sift.python3-packages.analyzemft - - sift.python3-packages.argparse - - sift.python3-packages.bitstring - - sift.python3-packages.colorama - - sift.python3-packages.geoip2 - - sift.python3-packages.ioc_writer + - sift.python3-packages.defang + - sift.python3-packages.ioc-writer - sift.python3-packages.imagemounter - - sift.python3-packages.keyrings-alt - - sift.python3-packages.lxml - sift.python3-packages.machinae - - sift.python3-packages.pefile - - sift.python3-packages.pillow + - sift.python3-packages.packerid - sift.python3-packages.pyhindsight - - sift.python3-packages.python-dateutil - sift.python3-packages.python-evtx - - sift.python3-packages.python-magic - - sift.python3-packages.python-registry - - sift.python3-packages.setuptools-rust - - sift.python3-packages.six - sift.python3-packages.stix-validator - - sift.python3-packages.stix - - sift.python3-packages.virustotal-api - - sift.python3-packages.yara-python - sift.python3-packages.indxparse - sift.python3-packages.pe-carver + - sift.python3-packages.pe-scanner + - sift.python3-packages.page-brute + - sift.python3-packages.sqlite-carver - sift.python3-packages.usbdeviceforensics - sift.python3-packages.usnparser - sift.python3-packages.windowsprefetch + - sift.python3-packages.4n6 + - sift.python3-packages.pdf-tools + - sift.python3-packages.volatility3 + - sift.python3-packages.mac-apt + - sift.python3-packages.java-idx-parser + - sift.python3-packages.job-parser sift-python3-packages: test.nop: - name: sift-python3-packages - require: - - sls: sift.python3-packages.pip - sls: sift.python3-packages.python3-keyring - sls: sift.python3-packages.analyzemft - - sls: sift.python3-packages.argparse - - sls: sift.python3-packages.bitstring - - sls: sift.python3-packages.colorama - - sls: sift.python3-packages.geoip2 - - sls: sift.python3-packages.ioc_writer + - sls: sift.python3-packages.defang + - sls: 
sift.python3-packages.ioc-writer - sls: sift.python3-packages.imagemounter - - sls: sift.python3-packages.keyrings-alt - - sls: sift.python3-packages.lxml - sls: sift.python3-packages.machinae - - sls: sift.python3-packages.pefile - - sls: sift.python3-packages.pillow + - sls: sift.python3-packages.packerid - sls: sift.python3-packages.pyhindsight - - sls: sift.python3-packages.python-dateutil - sls: sift.python3-packages.python-evtx - - sls: sift.python3-packages.python-magic - - sls: sift.python3-packages.python-registry - - sls: sift.python3-packages.setuptools-rust - - sls: sift.python3-packages.six - sls: sift.python3-packages.stix-validator - - sls: sift.python3-packages.stix - - sls: sift.python3-packages.virustotal-api - - sls: sift.python3-packages.yara-python - sls: sift.python3-packages.indxparse - sls: sift.python3-packages.pe-carver + - sls: sift.python3-packages.pe-scanner + - sls: sift.python3-packages.page-brute + - sls: sift.python3-packages.sqlite-carver - sls: sift.python3-packages.usbdeviceforensics - sls: sift.python3-packages.usnparser - sls: sift.python3-packages.windowsprefetch + - sls: sift.python3-packages.4n6 + - sls: sift.python3-packages.pdf-tools + - sls: sift.python3-packages.volatility3 + - sls: sift.python3-packages.mac-apt + - sls: sift.python3-packages.java-idx-parser + - sls: sift.python3-packages.job-parser
diff --git a/sift/python3-packages/ioc-writer.sls b/sift/python3-packages/ioc-writer.sls
new file mode 100644
index 0000000..15b2d8e
--- /dev/null
+++ b/sift/python3-packages/ioc-writer.sls
@@ -0,0 +1,34 @@ +include: + - sift.packages.python3-virtualenv + - sift.packages.libxml2-dev + - sift.packages.libxslt-dev + +sift-python3-package-ioc-writer-venv: + virtualenv.managed: + - name: /opt/ioc_writer + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - lxml + - require: + - sls: sift.packages.python3-virtualenv + - sls: sift.packages.libxml2-dev + - sls: sift.packages.libxslt-dev + +sift-python3-package-ioc-writer: + pip.installed: + - name: ioc_writer + - bin_env: /opt/ioc_writer/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-ioc-writer-venv + +sift-python3-package-ioc-writer-symlink: + file.symlink: + - name: /usr/local/bin/ioc_writer + - target: /opt/ioc_writer/bin/ioc_writer + - makedirs: False + - require: + - pip: sift-python3-package-ioc-writer
diff --git a/sift/python3-packages/ioc_writer.sls b/sift/python3-packages/ioc_writer.sls
deleted file mode 100644
index 0c27174..0000000
--- a/sift/python3-packages/ioc_writer.sls
+++ /dev/null
@@ -1,13 +0,0 @@ -include: - - sift.python3-packages.core - - sift.python3-packages.lxml - - sift.python3-packages.yara-python - -sift-python3-packages-ioc-writer: - pip.installed: - - name: ioc_writer - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core - - sls: sift.python3-packages.lxml - - sls: sift.python3-packages.yara-python
diff --git a/sift/python3-packages/java-idx-parser.sls b/sift/python3-packages/java-idx-parser.sls
new file mode 100644
index 0000000..ebc24ee
--- /dev/null
+++ b/sift/python3-packages/java-idx-parser.sls
@@ -0,0 +1,44 @@ +# source=https://github.com/Rurik/Java_IDX_Parser +# license=apache2.0 +# license_source=https://github.com/Rurik/Java_IDX_Parser#copyright-and-license +# notes=Modified for python3, file stored locally at github.com/teamdfir/sift-saltstack + +include: + - sift.packages.python3-virtualenv + +sift-python3-package-java-idx-parser-venv: + virtualenv.managed: + - name: /opt/java-idx-parser + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-java-idx-parser-copy: + file.managed: + - name: /opt/java-idx-parser/bin/idx_parser.py + - source: salt://sift/files/java-idx-parser/idx_parser.py + - replace: True + - mode: 755 + - require: + - virtualenv: sift-python3-package-java-idx-parser-venv + +sift-python3-package-java-idx-parser-shebang: + file.replace: + - name: /opt/java-idx-parser/bin/idx_parser.py + - pattern: '#! /usr/bin/env python3' + - repl: '#! /opt/java-idx-parser/bin/python3' + - count: 1 + - watch: + - file: sift-python3-package-java-idx-parser-copy + +sift-python3-package-java-idx-parser-symlink: + file.symlink: + - name: /usr/local/bin/idx_parser.py + - target: /opt/java-idx-parser/bin/idx_parser.py + - makedirs: False + - require: + - file: sift-python3-package-java-idx-parser-shebang
diff --git a/sift/python3-packages/job-parser.sls b/sift/python3-packages/job-parser.sls
new file mode 100644
index 0000000..f91b682
--- /dev/null
+++ b/sift/python3-packages/job-parser.sls
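Review bot: `sift-python3-package-java-idx-parser-shebang` silently does nothing when the first line of the copied `idx_parser.py` is not byte-for-byte `#! /usr/bin/env python3` (note the space after `#!`), and the symlink state still links the file into /usr/local/bin, so the tool would then run under whichever `python3` is on PATH instead of the venv interpreter. Whether the shipped file matches this pattern is not visible here; adding `- prepend_if_not_found: True` to the `file.replace` (the removed pyhindsight state later in this patch used it) makes the state converge either way. The same pattern recurs in the job-parser, packerid and page-brute hunks, and it matters most for packerid, whose `pefile` and `capstone` exist only inside that venv.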
@@ -0,0 +1,42 @@ +# source=https://github.com/gleeda/misc-scripts +# license=gplv2 + +include: + - sift.packages.python3-virtualenv + +sift-python3-package-job-parser-venv: + virtualenv.managed: + - name: /opt/job-parser + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-job-parser-copy: + file.managed: + - name: /opt/job-parser/bin/jobparser.py + - source: salt://sift/files/jobparser/jobparser.py + - replace: True + - mode: 755 + - require: + - virtualenv: sift-python3-package-job-parser-venv + +sift-python3-package-job-parser-shebang: + file.replace: + - name: /opt/job-parser/bin/jobparser.py + - pattern: '#!/usr/bin/env python3' + - repl: '#!/opt/job-parser/bin/python3' + - count: 1 + - watch: + - file: sift-python3-package-job-parser-copy + +sift-python3-package-job-parser-symlink: + file.symlink: + - name: /usr/local/bin/jobparser.py + - target: /opt/job-parser/bin/jobparser.py + - makedirs: False + - require: + - file: sift-python3-package-job-parser-shebang
diff --git a/sift/python3-packages/keyrings-alt.sls b/sift/python3-packages/keyrings-alt.sls
deleted file mode 100644
index 6f96b9b..0000000
--- a/sift/python3-packages/keyrings-alt.sls
+++ /dev/null
@@ -1,9 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-keyrings-alt: - pip.installed: - - name: keyrings.alt - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/lxml.sls b/sift/python3-packages/lxml.sls
deleted file mode 100644
index af9c360..0000000
--- a/sift/python3-packages/lxml.sls
+++ /dev/null
@@ -1,13 +0,0 @@ -include: - - sift.python3-packages.core - - sift.packages.libxml2-dev - - sift.packages.libxslt-dev - -sift-python3-packages-lxml: - pip.installed: - - name: lxml - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core - - sls: sift.packages.libxml2-dev - - sls: sift.packages.libxslt-dev
diff --git a/sift/python3-packages/mac-apt.sls b/sift/python3-packages/mac-apt.sls
new file mode 100644
index 0000000..acaf8a9
--- /dev/null
+++ b/sift/python3-packages/mac-apt.sls
@@ -0,0 +1,78 @@ +{% set files = ['mac_apt.py','mac_apt_artifact_only.py','mac_apt_mounted_sys_data.py','ios_apt.py','extract_apfs_fs.py'] %} + +include: + - sift.packages.python3-virtualenv + - sift.packages.python3-dev + - sift.packages.libbz2-dev + - sift.packages.zlib1g-dev + - sift.packages.git + +sift-python3-package-mac-apt-venv: + virtualenv.managed: + - name: /opt/mac-apt + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - pybindgen==0.21.0 + - require: + - sls: sift.packages.python3-virtualenv + - sls: sift.packages.python3-dev + - sls: sift.packages.libbz2-dev + - sls: sift.packages.zlib1g-dev + +sift-python3-package-mac-apt-git: + git.latest: + - name: https://github.com/ydkhatri/mac_apt.git + - target: /opt/mac-apt/bin/mac_apt_git/ + - user: root + - rev: master + - force_clone: True + - force_reset: True + - require: + - sls: sift.packages.git + - virtualenv: sift-python3-package-mac-apt-venv + +sift-python3-package-mac-apt-requirements: + pip.installed: + - bin_env: /opt/mac-apt/bin/python3 + - requirements: /opt/mac-apt/bin/mac_apt_git/requirements.txt + - upgrade: False + - cwd: /opt/mac-apt/bin/mac_apt_git/ + - require: + - git: sift-python3-package-mac-apt-git + +{% for file in files %} + +sift-python3-package-mac-apt-chmod-{{ file }}: + file.managed: + - name: /opt/mac-apt/bin/mac_apt_git/{{ file }} + - mode: 755 + - require: + - pip: sift-python3-package-mac-apt-requirements + +sift-python3-package-mac-apt-prepend-{{ file }}: + file.prepend: + - name: /opt/mac-apt/bin/mac_apt_git/{{ file }} + - text: '#!/opt/mac-apt/bin/python3' + - watch: + - file: sift-python3-package-mac-apt-chmod-{{ file }} + +sift-python3-package-mac-apt-fix-crlf-{{ file }}: + file.replace: + - name: /opt/mac-apt/bin/mac_apt_git/{{ file }} + - pattern: '\r' + - repl: '' + - require: + - file: sift-python3-package-mac-apt-prepend-{{ file }} + +sift-python3-package-mac-apt-symlink-{{ file }}: + file.symlink: + - name: 
/usr/local/bin/{{ file }} + - target: /opt/mac-apt/bin/mac_apt_git/{{ file }} + - makedirs: False + - require: + - file: sift-python3-package-mac-apt-fix-crlf-{{ file }} + +{% endfor %}
diff --git a/sift/python3-packages/machinae.sls b/sift/python3-packages/machinae.sls
index 8a43b89..d1c5dcc 100644
--- a/sift/python3-packages/machinae.sls
+++ b/sift/python3-packages/machinae.sls
@@ -1,13 +1,41 @@ # WEBSITE: https://github.com/HurricaneLabs/machinae # LICENSE: MIT + include: - - sift.python3-packages.core - - sift.python3-packages.defang + - sift.packages.python3-virtualenv + +sift-python3-package-machinae-venv: + virtualenv.managed: + - name: /opt/machinae + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - defang + - require: + - sls: sift.packages.python3-virtualenv -sift-python3-packages-machinae: +sift-python3-package-machinae: pip.installed: - name: machinae - - bin_env: /usr/bin/python3 + - bin_env: /opt/machinae/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-machinae-venv + +sift-python3-package-machinae-symlink: + file.symlink: + - name: /usr/local/bin/machinae + - target: /opt/machinae/bin/machinae + - makedirs: False + - require: + - pip: sift-python3-package-machinae + +sift-python3-package-machine-config: + file.managed: + - name: /etc/machinae.yml + - source: https://raw.githubusercontent.com/HurricaneLabs/machinae/refs/heads/master/machinae.yml + - skip_verify: True - require: - - sls: sift.python3-packages.core - - sls: sift.python3-packages.defang + - file: sift-python3-package-machinae-symlink
diff --git a/sift/python3-packages/packerid.sls b/sift/python3-packages/packerid.sls
new file mode 100644
index 0000000..47923eb
--- /dev/null
+++ b/sift/python3-packages/packerid.sls
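Review bot: `sift-python3-package-mac-apt-git` checks out `rev: master` with `force_reset: True`, and `sift-python3-package-mac-apt-requirements` then pip-installs that checkout's `requirements.txt`, so every apply pulls whatever the upstream branch holds at that moment, as root, with no pin or hash to review or roll back to; the packerid hunk in this same commit shows the repo's pinned alternative. Pinning `- rev:` to a tag or commit id (`- rev: <pinned mac_apt commit — placeholder>`) makes the install reproducible and bounds what an upstream change can place under /usr/local/bin. Separately, `sift-python3-package-mac-apt-chmod-{{ file }}` is a `file.managed` with only `- mode: 755`; if a script in `files` is ever renamed upstream, I believe that state creates an empty file rather than failing, after which the prepend and symlink states publish an empty 755 script, so `- create: False` there would turn a silent breakage into a visible state failure.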
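Review bot: `sift-python3-package-machine-config` writes `/etc/machinae.yml` from a `refs/heads/master` URL with `- skip_verify: True`, so a runtime config consumed by machinae is fetched over the network on every apply with no integrity check and no fixed revision, and the state id also misspells the package name. The packerid hunk in this commit shows the repo's convention for remote files: pin a commit and verify a hash, i.e. `- source: https://raw.githubusercontent.com/HurricaneLabs/machinae/<commit — placeholder>/machinae.yml` with `- source_hash: sha256=<hash — placeholder>` and no `skip_verify`. Requiring the symlink state rather than the `pip` state is harmless but reads oddly, since the config does not depend on the link.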
@@ -0,0 +1,48 @@ +# source=https://github.com/sooshie/packerid +# license=Unknown + +{% set commit = "bc54e6d5204ebe83db8d87125d677035d9f456a7" -%} +{% set hash = "sha256=417830ccbf357e8e2b7d9cf47ee4a63a481151fc8cdf03c40b5538aecf96d15d" -%} + +include: + - sift.packages.python3-virtualenv + +sift-python3-package-packerid-venv: + virtualenv.managed: + - name: /opt/packerid + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - pefile + - capstone + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-packerid: + file.managed: + - name: /opt/packerid/bin/packerid.py + - source: https://raw.githubusercontent.com/sooshie/packerid/{{ commit }}/packerid.py + - source_hash: {{ hash }} + - mode: 755 + - require: + - virtualenv: sift-python3-package-packerid-venv + +sift-python3-package-packerid-shebang: + file.replace: + - name: /opt/packerid/bin/packerid.py + - pattern: '#!/usr/local/bin/python' + - repl: '#!/opt/packerid/bin/python3' + - count: 1 + - watch: + - file: sift-python3-package-packerid + +sift-python3-package-packerid-symlink: + file.symlink: + - name: /usr/local/bin/packerid.py + - target: /opt/packerid/bin/packerid.py + - makedirs: False + - require: + - file: sift-python3-package-packerid +
diff --git a/sift/python3-packages/page-brute.sls b/sift/python3-packages/page-brute.sls
new file mode 100644
index 0000000..69dd32d
--- /dev/null
+++ b/sift/python3-packages/page-brute.sls
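Review bot: `sift-python3-package-packerid-symlink` requires `file: sift-python3-package-packerid` (the download) rather than `sift-python3-package-packerid-shebang`, so unlike the java-idx-parser and job-parser states in this patch nothing orders the public /usr/local/bin link after the shebang rewrite; since that rewrite is what points the script at the venv holding `pefile` and `capstone`, the require should read `- file: sift-python3-package-packerid-shebang`. The pinned commit plus `source_hash` on the download is the pattern the other remote-fetch states in this commit should follow.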
@@ -0,0 +1,39 @@ +include: + - sift.packages.python3-virtualenv + +sift-python3-package-page-brute-venv: + virtualenv.managed: + - name: /opt/page-brute + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - yara-python + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-page-brute: + file.recurse: + - name: /opt/page-brute/bin/ + - source: salt://sift/files/page-brute + - file_mode: 755 + - require: + - virtualenv: sift-python3-package-page-brute-venv + +sift-python3-package-page-brute-shebang: + file.replace: + - name: /opt/page-brute/bin/page_brute-BETA.py + - pattern: '#!/usr/bin/env python3' + - repl: '#!/opt/page-brute/bin/python3' + - count: 1 + - require: + - file: sift-python3-package-page-brute + +sift-python3-package-page-brute-symlink: + file.symlink: + - name: /usr/local/bin/page_brute-BETA.py + - target: /opt/page-brute/bin/page_brute-BETA.py + - makedirs: False + - require: + - file: sift-python3-package-page-brute-shebang
diff --git a/sift/python3-packages/pdf-tools.sls b/sift/python3-packages/pdf-tools.sls
new file mode 100644
index 0000000..39a6a45
--- /dev/null
+++ b/sift/python3-packages/pdf-tools.sls
@@ -0,0 +1,31 @@ +{% set files = ['make-pdf-embedded.py','make-pdf-helloworld.py','make-pdf-javascript.py','mPDF.py','pdfid.py','pdf-parser.py','pdftool.py','plugin_embeddedfile.py','plugin_nameobfuscation.py','plugin_triage.py'] %} + +include: + - sift.packages.python3-virtualenv + +sift-python3-package-pdf-tools-venv: + virtualenv.managed: + - name: /opt/pdf-tools + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-pdf-tools: + file.recurse: + - name: /opt/pdf-tools/bin/ + - source: salt://sift/files/pdf-tools + - file_mode: 755 + +{% for file in files %} +sift-python3-package-pdf-tools-symlink-{{ file }}: + file.symlink: + - name: /usr/local/bin/{{ file }} + - target: /opt/pdf-tools/bin/{{ file }} + - makedirs: False + - require: + - file: sift-python3-package-pdf-tools +{% endfor %}
diff --git a/sift/python3-packages/pe-carver.sls b/sift/python3-packages/pe-carver.sls
index 6a31c16..50aa07c 100644
--- a/sift/python3-packages/pe-carver.sls
+++ b/sift/python3-packages/pe-carver.sls
@@ -2,12 +2,31 @@ # license=apache2.0 include: - - sift.python3-packages.core + - sift.packages.python3-virtualenv + +sift-python3-package-pe-carver-venv: + virtualenv.managed: + - name: /opt/pe-carver + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv sift-python3-package-pe-carver: pip.installed: - name: pe-carver - - bin_env: /usr/bin/python3 + - bin_env: /opt/pe-carver/bin/python3 - upgrade: True - require: - - sls: sift.python3-packages.core + - virtualenv: sift-python3-package-pe-carver-venv + +sift-python3-package-pe-carver-symlink: + file.symlink: + - name: /usr/local/bin/pe-carver + - target: /opt/pe-carver/bin/pe-carver + - makedirs: False + - require: + - pip: sift-python3-package-pe-carver
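Review bot: `sift-python3-package-pdf-tools` (the `file.recurse` into `/opt/pdf-tools/bin/`) carries no `require` on `sift-python3-package-pdf-tools-venv`, unlike the otherwise identical page-brute hunk, so Salt may populate `/opt/pdf-tools/bin/` before `virtualenv.managed` has created the venv at `/opt/pdf-tools`, and I would not rely on virtualenv tolerating a pre-existing `bin/` there. Add `- require:` / `- virtualenv: sift-python3-package-pdf-tools-venv` to the recurse state. Note also that none of the copied scripts get their shebang rewritten to `/opt/pdf-tools/bin/python3`, so the venv is created but not used by them; harmless while it holds only pip, setuptools and wheel, but worth a comment if that is intended.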
diff --git a/sift/python3-packages/pe-scanner.sls b/sift/python3-packages/pe-scanner.sls
index 23cd138..de8c83a 100644
--- a/sift/python3-packages/pe-scanner.sls
+++ b/sift/python3-packages/pe-scanner.sls
@@ -2,14 +2,35 @@ # license=gplv3.0 include: - - sift.python3-packages.core + - sift.packages.python3-virtualenv - sift.packages.git + - sift.packages.python3-magic + +sift-python3-package-pe-scanner-venv: + virtualenv.managed: + - name: /opt/pe-scanner + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv sift-python3-package-pe-scanner: pip.installed: - name: git+https://github.com/digitalsleuth/pe-scanner.git - - bin_env: /usr/bin/python3 + - bin_env: /opt/pe-scanner/bin/python3 - upgrade: True - require: - - sls: sift.python3-packages.core + - virtualenv: sift-python3-package-pe-scanner-venv - sls: sift.packages.git + - sls: sift.packages.python3-magic + +sift-python3-package-pe-scanner-symlink: + file.symlink: + - name: /usr/local/bin/pe-scanner + - target: /opt/pe-scanner/bin/pe-scanner + - makedirs: False + - require: + - pip: sift-python3-package-pe-scanner
diff --git a/sift/python3-packages/pefile.sls b/sift/python3-packages/pefile.sls
deleted file mode 100644
index ef69bdb..0000000
--- a/sift/python3-packages/pefile.sls
+++ /dev/null
@@ -1,10 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-pefile: - pip.installed: - - name: pefile - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core -
diff --git a/sift/python3-packages/pillow.sls b/sift/python3-packages/pillow.sls
deleted file mode 100644
index 6bc3c3e..0000000
--- a/sift/python3-packages/pillow.sls
+++ /dev/null
@@ -1,9 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-pillow: - pip.installed: - - name: pillow - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core
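Review bot: `sift-python3-package-pe-scanner` installs `git+https://github.com/digitalsleuth/pe-scanner.git` with `- upgrade: True` and no `@<ref>` on the URL, so each apply re-resolves the repository's default branch head and installs it as root into a venv whose console script is linked into /usr/local/bin, leaving no pinned revision to review or roll back to. The indxparse hunk in this same patch shows the convention (`{%- set commit = "…" -%}` and `@{{ commit }}` appended to the URL). The same applies to the usbdeviceforensics, usnparser and python-evtx hunks and to the `git+https://github.com/cclgroupltd/ccl_chromium_reader.git` entry in pyhindsight's `pip_pkgs`.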
diff --git a/sift/python3-packages/pip.sls b/sift/python3-packages/pip.sls
index 845b4d6..f893359 100644
--- a/sift/python3-packages/pip.sls
+++ b/sift/python3-packages/pip.sls
@@ -5,7 +5,7 @@ sift-python3-packages-pip: cmd.run: - names: - /usr/bin/python3 -m pip install --upgrade pip - - /usr/bin/python3 -m pip install setuptools==70.0.0 + - /usr/bin/python3 -m pip install --upgrade setuptools - /usr/bin/python3 -m pip install --upgrade wheel - require: - sls: sift.packages.python3-pip
diff --git a/sift/python3-packages/pyhindsight.sls b/sift/python3-packages/pyhindsight.sls
index 9aab70f..77bc351 100644
--- a/sift/python3-packages/pyhindsight.sls
+++ b/sift/python3-packages/pyhindsight.sls
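Review bot: swapping `setuptools==70.0.0` for `--upgrade setuptools` drops the only version floor this state had, and it targets the system interpreter at `/usr/bin/python3`, where a pip upgrade replaces the distro-managed copy; keeping the floor the new venvs use, `- /usr/bin/python3 -m pip install --upgrade 'setuptools>=70.0.0'`, preserves the intent of the old pin without freezing the version. Since the python3-packages/init.sls hunk earlier in this patch removes `sift.python3-packages.pip` from its include and require lists, also check that this state is still reached from another sls; if not, the edit is dead. The enclosing `cmd.run` state begins outside the hunk.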
@@ -1,55 +1,52 @@ +{% if grains['oscodename'] != 'focal' %} + +{% set files = ['hindsight.py','hindsight_gui.py'] %} include: - - sift.python3-packages.core - - sift.python3-packages.setuptools-rust - - sift.python3-packages.keyrings-alt - -sift-python3-packages-pyhindsight: + - sift.packages.python3-virtualenv + +sift-python3-package-pyhindsight-venv: + virtualenv.managed: + - name: /opt/pyhindsight + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - setuptools_rust + - keyrings.alt + - git+https://github.com/cclgroupltd/ccl_chromium_reader.git + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-pyhindsight: pip.installed: - name: pyhindsight - - bin_env: /usr/bin/python3 + - bin_env: /opt/pyhindsight/bin/python3 + - upgrade: True - require: - - sls: sift.python3-packages.core - - sls: sift.python3-packages.setuptools-rust - - sls: sift.python3-packages.keyrings-alt - -sift-python3-packages-pyhindsight-encoding: - file.replace: - - name: /usr/local/bin/hindsight.py - - pattern: '\r' - - repl: '' + - virtualenv: sift-python3-package-pyhindsight-venv + +{% for file in files %} +sift-python3-package-pyhindsight-symlink-{{ file }}: + file.symlink: + - name: /usr/local/bin/{{ file }} + - target: /opt/pyhindsight/bin/{{ file }} + - makedirs: False - require: - - pip: sift-python3-packages-pyhindsight + - pip: sift-python3-package-pyhindsight -sift-python3-packages-pyhindsight-chmod: +sift-python3-package-pyhindsight-chmod-{{ file }}: file.managed: - - name: /usr/local/bin/hindsight.py + - name: /opt/pyhindsight/bin/{{ file }} - mode: 755 - - watch: - - file: sift-python3-packages-pyhindsight-encoding - -sift-python3-packages-pyhindsight-gui-encoding: - file.replace: - - name: /usr/local/bin/hindsight_gui.py - - pattern: '\r' - - repl: '' - require: - - pip: sift-python3-packages-pyhindsight - -sift-python3-packages-pyhindsight-gui-prepend: - file.replace: - - name: 
/usr/local/bin/hindsight_gui.py - - pattern: '#!/usr/bin/env python3' - - repl: '#!/usr/bin/env python3' - - prepend_if_not_found: True - - count: 1 - - require: - - pip: sift-python3-packages-pyhindsight + - file: sift-python3-package-pyhindsight-symlink-{{ file }} -sift-python3-packages-pyhindsight-gui-chmod: - file.managed: - - name: /usr/local/bin/hindsight_gui.py - - mode: 755 - - watch: - - file: sift-python3-packages-pyhindsight-gui-prepend +{% endfor %} + +{% else %} +pyhindsight requirements no longer support Python 3.8 - not installing: + test.nop +{% endif %}
diff --git a/sift/python3-packages/python-dateutil.sls b/sift/python3-packages/python-dateutil.sls
deleted file mode 100644
index 33f989a..0000000
--- a/sift/python3-packages/python-dateutil.sls
+++ /dev/null
@@ -1,9 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-python-dateutil: - pip.installed: - - name: python-dateutil - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/python-evtx.sls b/sift/python3-packages/python-evtx.sls
index 23a8c23..39f4eac 100644
--- a/sift/python3-packages/python-evtx.sls
+++ b/sift/python3-packages/python-evtx.sls
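Review bot: the rewrite drops the two `file.replace` states that stripped `\r` from `hindsight.py` and `hindsight_gui.py` without replacing them; if the scripts pip places in `/opt/pyhindsight/bin/` still carry CRLF line endings (presumably the reason those states existed), the shebang will likely fail with a bad-interpreter error when run through the new /usr/local/bin symlinks. Either confirm the current release ships LF-only scripts or keep a `file.replace` with `- pattern: '\r'` / `- repl: ''` per file inside the loop, as the mac-apt hunk in this same patch does. The `{% else %}` branch uses a full sentence as the state id, which works for `test.nop` but reads oddly; a short id with the message in `- name:` would be clearer. The hunk starts before this line.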
@@ -6,14 +6,48 @@ # License: Apache License 2.0 (https://github.com/williballenthin/python-evtx/blob/master/LICENSE.TXT) # Notes: evtx_dates.py, evtx_dump.py, evtx_dump_chunk_slack.py, evtx_dump_json.py, evtx_info.py +{% set files = ['evtx_dump.py','evtx_dump_chunk_slack.py','evtx_dump_json.py','evtx_eid_record_numbers.py','evtx_extract_record.py','evtx_filter_records.py','evtx_info.py','evtx_record_structure.py','evtx_structure.py','evtx_templates.py'] %} + include: - - sift.python3-packages.core + - sift.packages.python3-virtualenv - sift.packages.git -sift-python3-packages-python-evtx: +sift-python3-package-python-evtx-venv: + virtualenv.managed: + - name: /opt/python-evtx + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - xmltodict + - lxml + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-python-evtx: pip.installed: - name: git+https://github.com/williballenthin/python-evtx.git - - bin_env: /usr/bin/python3 + - bin_env: /opt/python-evtx/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-python-evtx-venv + +sift-python3-package-python-evtx-import-fix: + file.replace: + - name: /opt/python-evtx/bin/evtx_eid_record_numbers.py + - pattern: 'from filter_records' + - repl: 'from evtx_filter_records' + - count: 1 + - require: + - pip: sift-python3-package-python-evtx + +{% for file in files %} +sift-python3-package-python-evtx-symlink-{{ file }}: + file.symlink: + - name: /usr/local/bin/{{ file }} + - target: /opt/python-evtx/bin/{{ file }} + - makedirs: False - require: - - sls: sift.python3-packages.core - - sls: sift.packages.git + - pip: sift-python3-package-python-evtx +{% endfor %}
diff --git a/sift/python3-packages/python-magic.sls b/sift/python3-packages/python-magic.sls
deleted file mode 100644
index f83ab01..0000000
--- a/sift/python3-packages/python-magic.sls
+++ /dev/null
@@ -1,9 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-python-magic: - pip.installed: - - name: python-magic - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/python-registry.sls b/sift/python3-packages/python-registry.sls
deleted file mode 100644
index 5024633..0000000
--- a/sift/python3-packages/python-registry.sls
+++ /dev/null
@@ -1,9 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-python-registry: - pip.installed: - - name: python-registry - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/s2sphere.sls b/sift/python3-packages/s2sphere.sls
deleted file mode 100644
index 5c9831a..0000000
--- a/sift/python3-packages/s2sphere.sls
+++ /dev/null
@@ -1,10 +0,0 @@ -include: - - sift.packages.python3-pip - -sift-python-packages-s2sphere: - pip.installed: - - name: s2sphere - - bin_env: /usr/bin/python3 - - upgrade: True - - require: - - sls: sift.packages.python3-pip
diff --git a/sift/python3-packages/setuptools-rust.sls b/sift/python3-packages/setuptools-rust.sls
deleted file mode 100644
index 97b31ab..0000000
--- a/sift/python3-packages/setuptools-rust.sls
+++ /dev/null
@@ -1,9 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-setuptools-rust: - pip.installed: - - name: setuptools_rust - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/six.sls b/sift/python3-packages/six.sls
deleted file mode 100644
index 45fdb73..0000000
--- a/sift/python3-packages/six.sls
+++ /dev/null
@@ -1,10 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-six: - pip.installed: - - name: six - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core -
diff --git a/sift/python3-packages/sqlite-carver.sls b/sift/python3-packages/sqlite-carver.sls
new file mode 100644
index 0000000..7d293eb
--- /dev/null
+++ b/sift/python3-packages/sqlite-carver.sls
@@ -0,0 +1,29 @@ +include: + - sift.packages.python3-virtualenv + +sift-python3-package-sqlite-carver-venv: + virtualenv.managed: + - name: /opt/sqlite-carver + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-sqlite-carver: + pip.installed: + - name: sqlite-carver + - bin_env: /opt/sqlite-carver/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-sqlite-carver-venv + +sift-python3-package-sqlite-carver-symlink: + file.symlink: + - name: /usr/local/bin/sqlite-carver + - target: /opt/sqlite-carver/bin/sqlite-carver + - makedirs: False + - require: + - pip: sift-python3-package-sqlite-carver
diff --git a/sift/python3-packages/stix-validator.sls b/sift/python3-packages/stix-validator.sls
index f840a90..bf1978d 100644
--- a/sift/python3-packages/stix-validator.sls
+++ b/sift/python3-packages/stix-validator.sls
@@ -1,11 +1,31 @@ include: - - sift.python3-packages.core - - sift.python3-packages.stix + - sift.packages.python3-virtualenv -sift-python3-packages-stix-validator: +sift-python3-package-stix-validator-venv: + virtualenv.managed: + - name: /opt/stix-validator + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - lxml + - stix + - require: + - sls: sift.packages.python3-virtualenv + +sift-python3-package-stix-validator: pip.installed: - name: stix-validator - - bin_env: /usr/bin/python3 + - bin_env: /opt/stix-validator/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-stix-validator-venv + +sift-python3-package-stix-validator-symlink: + file.symlink: + - name: /usr/local/bin/stix-validator + - target: /opt/stix-validator/bin/stix-validator + - makedirs: False - require: - - sls: sift.python3-packages.core - - sls: sift.python3-packages.stix + - pip: sift-python3-package-stix-validator
diff --git a/sift/python3-packages/stix.sls b/sift/python3-packages/stix.sls
deleted file mode 100644
index eb94e49..0000000
--- a/sift/python3-packages/stix.sls
+++ /dev/null
@@ -1,11 +0,0 @@ -include: - - sift.python3-packages.core - - sift.python3-packages.lxml - -sift-python3-packages-stix: - pip.installed: - - name: stix - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core - - sls: sift.python3-packages.lxml
diff --git a/sift/python3-packages/usbdeviceforensics.sls b/sift/python3-packages/usbdeviceforensics.sls
index 68c62bf..976191c 100644
--- a/sift/python3-packages/usbdeviceforensics.sls
+++ b/sift/python3-packages/usbdeviceforensics.sls
@@ -2,14 +2,38 @@ # license=unknown include: - - sift.python3-packages.core + - sift.packages.python3-virtualenv - sift.packages.git + - sift.packages.python3-dev + +sift-python3-package-usbdeviceforensics-venv: + virtualenv.managed: + - name: /opt/usbdeviceforensics + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - python-registry + - enum34 + - require: + - sls: sift.packages.python3-virtualenv sift-python3-package-usbdeviceforensics: pip.installed: - name: git+https://github.com/digitalsleuth/usbdeviceforensics.git - - bin_env: /usr/bin/python3 + - bin_env: /opt/usbdeviceforensics/bin/python3 + - upgrade: True - require: - - sls: sift.python3-packages.core + - virtualenv: sift-python3-package-usbdeviceforensics-venv - sls: sift.packages.git + - sls: sift.packages.python3-dev + +sift-python3-package-usbdeviceforensics-symlink: + file.symlink: + - name: /usr/local/bin/usbdeviceforensics + - target: /opt/usbdeviceforensics/bin/usbdeviceforensics + - makedirs: False + - require: + - pip: sift-python3-package-usbdeviceforensics
diff --git a/sift/python3-packages/usnparser.sls b/sift/python3-packages/usnparser.sls
index 80d04c7..42343bf 100644
--- a/sift/python3-packages/usnparser.sls
+++ b/sift/python3-packages/usnparser.sls
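Review bot: `enum34` in the venv's `pip_pkgs` is the backport of the stdlib `enum` module for Python older than 3.4; on the Python 3 interpreter this venv runs, it installs a top-level `enum` package that shadows the standard library's and lacks later additions such as `IntFlag`, a well-known cause of import failures in unrelated modules within the same environment. If usbdeviceforensics declares it unconditionally, the fix belongs in that project's metadata as an environment marker (`enum34; python_version < "3.4"`); otherwise drop the line from `pip_pkgs`. The `python-registry` entry is fine but, like the package install below it, carries no version pin.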
@@ -1,9 +1,29 @@ include: - - sift.python3-packages.core + - sift.packages.python3-virtualenv + +sift-python3-package-usnparser-venv: + virtualenv.managed: + - name: /opt/usnparser + - venv_bin: /usr/bin/virtualenv + - pip_pkgs: + - pip>=24.1.3 + - setuptools>=70.0.0 + - wheel>=0.38.4 + - require: + - sls: sift.packages.python3-virtualenv sift-python3-package-usnparser: pip.installed: - name: git+https://github.com/digitalsleuth/USN-Journal-Parser.git - - bin_env: /usr/bin/python3 + - bin_env: /opt/usnparser/bin/python3 + - upgrade: True + - require: + - virtualenv: sift-python3-package-usnparser-venv + +sift-python3-package-usnparser-symlink: + file.symlink: + - name: /usr/local/bin/usnparser + - target: /opt/usnparser/bin/usn.py + - makedirs: False - require: - - sls: sift.python3-packages.core + - pip: sift-python3-package-usnparser
diff --git a/sift/python3-packages/virustotal-api.sls b/sift/python3-packages/virustotal-api.sls
deleted file mode 100644
index 952eeef..0000000
--- a/sift/python3-packages/virustotal-api.sls
+++ /dev/null
@@ -1,9 +0,0 @@ -include: - - sift.python3-packages.core - -sift-python3-packages-virustotal-api: - pip.installed: - - name: virustotal-api - - bin_env: /usr/bin/python3 - - require: - - sls: sift.python3-packages.core
diff --git a/sift/python3-packages/volatility3.sls b/sift/python3-packages/volatility3.sls
new file mode 100644
index 0000000..c165cd3
--- /dev/null
+++ b/sift/python3-packages/volatility3.sls
@@ -0,0 +1,33 @@
+{% set files = ['vol','volshell'] %}
+
+include:
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-volatility3-venv:
+ virtualenv.managed:
+ - name: /opt/volatility3
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
+
+sift-python3-package-volatility3:
+ pip.installed:
+ - name: volatility3
+ - bin_env: /opt/volatility3/bin/python3
+ - upgrade: True
+ - require:
+ - virtualenv: sift-python3-package-volatility3-venv
+
+{% for file in files %}
+sift-python3-package-volatility3-symlink-{{ file }}:
+ file.symlink:
+ - name: /usr/local/bin/{{ file }}
+ - target: /opt/volatility3/bin/{{ file }}
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-volatility3
+{% endfor %}
diff --git a/sift/python3-packages/windowsprefetch.sls b/sift/python3-packages/windowsprefetch.sls
index 32266f0..c7f6d49 100644
--- a/sift/python3-packages/windowsprefetch.sls
+++ b/sift/python3-packages/windowsprefetch.sls
@@ -1,10 +1,29 @@
 include:
- - sift.python3-packages.core
+ - sift.packages.python3-virtualenv
+
+sift-python3-package-windowsprefetch-venv:
+ virtualenv.managed:
+ - name: /opt/windowsprefetch
+ - venv_bin: /usr/bin/virtualenv
+ - pip_pkgs:
+ - pip>=24.1.3
+ - setuptools>=70.0.0
+ - wheel>=0.38.4
+ - require:
+ - sls: sift.packages.python3-virtualenv
 sift-python3-package-windowsprefetch:
 pip.installed:
 - name: windowsprefetch
- - bin_env: /usr/bin/python3
+ - bin_env: /opt/windowsprefetch/bin/python3
 - upgrade: True
 - require:
- - sls: sift.python3-packages.core
+ - virtualenv: sift-python3-package-windowsprefetch-venv
+
+sift-python3-package-windowsprefetch-symlink:
+ file.symlink:
+ - name: /usr/local/bin/prefetch.py
+ - target: /opt/windowsprefetch/bin/prefetch.py
+ - makedirs: False
+ - require:
+ - pip: sift-python3-package-windowsprefetch
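Review bot: `- name: volatility3` in the new volatility3 state is unpinned and paired with `- upgrade: True`, so every highstate run silently moves the venv to whatever the latest PyPI release is; on a forensics workstation, where the tool version bears on plugin and symbol-table compatibility and on reproducing earlier results, that upgrade should be a deliberate step, and the windowsprefetch hunk that follows has the same combination (there `- upgrade: True` is pre-existing context). Either pin the release, `- name: volatility3==<VERSION>` (placeholder for the version you validated), or drop `- upgrade: True` and bump explicitly when you mean to. Minor: `- makedirs: False` inside the symlink loop is the default for `file.symlink` and can be omitted.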
diff --git a/sift/python3-packages/yara-python.sls b/sift/python3-packages/yara-python.sls
deleted file mode 100644
index 9e6affb..0000000
--- a/sift/python3-packages/yara-python.sls
+++ /dev/null
@@ -1,9 +0,0 @@
-include:
- - sift.python3-packages.core
-
-sift-python3-packages-yara-python:
- pip.installed:
- - name: yara-python
- - bin_env: /usr/bin/python3
- - require:
- - sls: sift.python3-packages.core
diff --git a/sift/scripts/cyberchef.sls b/sift/scripts/cyberchef.sls
index a170fad..764c14a 100644
--- a/sift/scripts/cyberchef.sls
+++ b/sift/scripts/cyberchef.sls
@@ -2,8 +2,8 @@
 # license=apache2
 # license_source=https://github.com/gchq/CyberChef/blob/master/LICENSE
-{% set version = "9.55.0" -%}
-{% set hash = "DA55ADC790D011F6BF3740E7E704D340351F7E1C8EBD8E7D9DD24AA46562307C" -%}
+{% set version = "10.19.4" -%}
+{% set hash = "3788b29ffb54f5784968fcf998286f0f75670be8a92e40eb683743ebaab97510" -%}
 include:
 - sift.packages.apache2
diff --git a/sift/scripts/init.sls b/sift/scripts/init.sls
index a92f4fb..7b27820 100644
--- a/sift/scripts/init.sls
+++ b/sift/scripts/init.sls
@@ -1,13 +1,10 @@
 include:
- - sift.scripts.4n6
 - sift.scripts.afterglow
 - sift.scripts.cyberchef
 - sift.scripts.densityscout
 - sift.scripts.dumbpig
 - sift.scripts.dump-mft-entry
 - sift.scripts.keydet-tools
- - sift.scripts.packerid
- - sift.scripts.page-brute
 - sift.scripts.pdf-tools
 - sift.scripts.regripper
 - sift.scripts.screen-scale
@@ -19,15 +16,12 @@ sift-scripts:
 test.nop:
 - name: sift-scripts
 - require:
- - sls: sift.scripts.4n6
 - sls: sift.scripts.afterglow
 - sls: sift.scripts.cyberchef
 - sls: sift.scripts.densityscout
 - sls: sift.scripts.dumbpig
 - sls: sift.scripts.dump-mft-entry
 - sls: sift.scripts.keydet-tools
- - sls: sift.scripts.packerid
- - sls: sift.scripts.page-brute
 - sls: sift.scripts.pdf-tools
 - sls: sift.scripts.regripper
 - sls: sift.scripts.screen-scale
diff --git a/sift/scripts/packerid.sls b/sift/scripts/packerid.sls
deleted file mode 100644
index 776be67..0000000
--- a/sift/scripts/packerid.sls
+++ /dev/null
@@ -1,30 +0,0 @@
-# source=https://github.com/sooshie/packerid
-# license=Unknown
-
-{% set commit = "7b2ee6ef57db903bf356fd342c8ca998abdb68cd" -%}
-{% set hash = "sha256=be589d4cbe70ecdc3424a6da48d8fc24630d51a6ebf92e5328b36e39423eb038" -%}
-
-include:
- - sift.python3-packages.core
- - sift.python3-packages.pefile
- - sift.python3-packages.capstone
-
-sift-scripts-packerid:
- file.managed:
- - name: /usr/local/bin/packerid.py
- - source: https://raw.githubusercontent.com/sooshie/packerid/{{ commit }}/packerid.py
- - source_hash: {{ hash }}
- - mode: 755
- - require:
- - sls: sift.python3-packages.core
- - sls: sift.python3-packages.pefile
- - sls: sift.python3-packages.capstone
-
-sift-scripts-packerid-shebang:
- file.replace:
- - name: /usr/local/bin/packerid.py
- - pattern: '#!/usr/local/bin/python'
- - repl: '#!/usr/bin/env python3'
- - count: 1
- - watch:
- - file: sift-scripts-packerid
diff --git a/sift/scripts/page-brute.sls b/sift/scripts/page-brute.sls
deleted file mode 100644
index 0f12ccb..0000000
--- a/sift/scripts/page-brute.sls
+++ /dev/null
@@ -1,6 +0,0 @@
-sift-scripts-page-brute:
- file.recurse:
- - name: /usr/local/bin
- - source: salt://sift/files/page-brute
- - file_mode: 755
- - include_pat: '*.py'
diff --git a/sift/scripts/sift.sls b/sift/scripts/sift.sls
index f43b4a6..7a44f7b 100644
--- a/sift/scripts/sift.sls
+++ b/sift/scripts/sift.sls
@@ -4,7 +4,7 @@ scripts-sift-resources-{{ folder }}:
 - name: /usr/share/sift/{{ folder }}
 - user: root
 - group: root
- - makedirs: true
+ - makedirs: True
 - require_in:
 - file: sift-resources
 {% endfor -%}
From 35169c0b12e1568332b6af625060a8cf1087192e Mon Sep 17 00:00:00 2001
From: digitalsleuth
Date: Mon, 18 Nov 2024 04:32:24 +0000
Subject: [PATCH 2/2] Restore sleuthkit package to normal
---
 sift/packages/sleuthkit.sls | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/sift/packages/sleuthkit.sls b/sift/packages/sleuthkit.sls
index 045c28a..07d07f1 100644
--- a/sift/packages/sleuthkit.sls
+++ b/sift/packages/sleuthkit.sls
@@ -1,10 +1,10 @@
-#include:
-# - sift.repos.gift
-# - sift.repos.sift
+include:
+ - sift.repos.gift
+ - sift.repos.sift
 sift-package-sleuthkit:
 pkg.latest:
 - name: sleuthkit
-# - require:
-# - sls: sift.repos.sift
-# - sls: sift.repos.gift
+ - require:
+ - sls: sift.repos.sift
+ - sls: sift.repos.gift