diff --git a/trunk/autogen.sh b/trunk/autogen.sh
index f2d8888..509ce66 100755
--- a/trunk/autogen.sh
+++ b/trunk/autogen.sh
@@ -1,328 +1,328 @@ #!/bin/bash # ----------------------------------------------------------------------------- # Default command line options. # ----------------------------------------------------------------------------- DEFOPT_CREATE_PACKAGE=0 DEFOPT_JOBS=1 DEFOPT_ONLY_BOOTSTRAP=0 DEFOPT_PLATFORM="linux" DEFOPT_STATIC_HIVEX=0 DEFOPT_LINUX_QMAKE=`which qmake` DEFOPT_WIN32_COMPILER_SUFFIX="i686-w64-mingw32" DEFOPT_WIN32_QMAKE="/opt/qt-4.8.4-mingw/bin/qmake" #DEFOPT_WIN32_DLL_PATH="/usr/i686-w64-mingw32/bin" DEFOPT_WIN32_QTDLL_PATH="/opt/qt-4.8.4-mingw/bin" # ----------------------------------------------------------------------------- # ------------------ DO NOT CHANGE ANYTHING BELOW THIS LINE ------------------- # ----------------------------------------------------------------------------- WIN32_DLLS="libgcc_s_sjlj-1.dll libstdc++-6.dll libiconv-2.dll" WIN32_QTDLLS="QtCore4.dll QtGui4.dll QtScript4.dll QtWebKit4.dll QtNetwork4.dll QtWebKit4.dll" # Try to make somehow sure we are running in bash and not some other shell if [ -z "$BASH_VERSION" ]; then echo "ERROR: This script must be run in a bash shell! Try using \"bash $0\"" exit 1 fi # ----------------------------------------------------------------------------- # Function declarations # ----------------------------------------------------------------------------- # Print usage and exit PrintUsage() { echo echo "Usage:" echo " $0 [options]" echo echo "Options:" echo " --create-package[=0..1] (Def.: $DEFOPT_CREATE_PACKAGE) : Package fred after building (Only supported on Debian/Ubuntu and Win32)." echo " --help: Print this help message." echo " --jobs= (Def.: $DEFOPT_JOBS) : Specify how many make jobs should be run simultaneously." echo " --linux-qmake= (Def.: $DEFOPT_LINUX_QMAKE) : Specify the linux qmake binary to use." echo " --only-bootstrap[=0..1] (Def.: $DEFOPT_ONLY_BOOTSTRAP) : Only bootstrap, but do not compile fred." 
echo " --platform= (Def.: $DEFOPT_PLATFORM) : Specify the platform fred should be build for. Available platforms are 'linux' and 'win32'." echo " --static-hivex[=0..1] (Def.: $DEFOPT_STATIC_HIVEX): Build and link in-tree hivex statically." echo " --win32-compiler-suffix= (Def.: $DEFOPT_WIN32_COMPILER_SUFFIX) : Specify the win32 crosscompiler suffix to use." # echo " --win32-dll-path= (Def.: $DEFOPT_WIN32_DLL_PATH) : Specify path to mingw dll's" echo " --win32-qmake= (Def.: $DEFOPT_WIN32_QMAKE) : Specify the win32 qmake binary to use." echo " --win32-qtdll-path= (Def.: $DEFOPT_WIN32_QTDLL_PATH) : Specify path to Qt dll's" echo exit 1 } # Extract argument value get_arg_val() { local TMP=`echo "$1" | cut -d= -f2` if [ "$1" = "$TMP" ]; then # No arg specified for option, assume 1 echo 1 else if [[ -z "$TMP" || $(echo -n "$TMP" | sed 's/[0-9]//g' | wc -c) -ne 0 ]]; then echo "ERROR: Non-integer arg for option '$1' specified!" 1>&2 exit 1 fi echo $TMP fi } # ----------------------------------------------------------------------------- # Parse command line args # ----------------------------------------------------------------------------- # Load defaults OPT_CREATE_PACKAGE=$DEFOPT_CREATE_PACKAGE OPT_JOBS=$DEFOPT_JOBS OPT_ONLY_BOOTSTRAP=$DEFOPT_ONLY_BOOTSTRAP OPT_PLATFORM="$DEFOPT_PLATFORM" OPT_STATIC_HIVEX=$DEFOPT_STATIC_HIVEX OPT_LINUX_QMAKE="$DEFOPT_LINUX_QMAKE" OPT_WIN32_COMPILER_SUFFIX="$DEFOPT_WIN32_COMPILER_SUFFIX" OPT_WIN32_QMAKE="$DEFOPT_WIN32_QMAKE" #OPT_WIN32_DLL_PATH="$DEFOPT_WIN32_DLL_PATH" OPT_WIN32_QTDLL_PATH="$DEFOPT_WIN32_QTDLL_PATH" # Parse specified options shopt extglob &>/dev/null EXTGLOB=$? shopt -s extglob &>/dev/null while :; do case "$1" in --create-package?(=[01])) OPT_CREATE_PACKAGE=$(get_arg_val "$1") || PrintUsage shift ;; --help) PrintUsage ;; --jobs=*) OPT_JOBS=$(get_arg_val "$1") || PrintUsage shift ;; --linux-qmake=*) TMP=`echo "$1" | cut -d= -f2` if [[ -z "$TMP" || "$1" = "$TMP" ]]; then echo "ERROR: No option arg for '$1' specified!" 
PrintUsage fi if [ ! -x "$TMP" ]; then echo "ERROR: The specified linux qmake binary '$TMP' does not exist or is not executable!" exit 1 fi OPT_LINUX_QMAKE="$TMP" shift ;; --only-bootstrap?(=[01])) OPT_ONLY_BOOTSTRAP=$(get_arg_val "$1") || PrintUsage shift ;; --platform=*) TMP=`echo "$1" | cut -d= -f2` if [[ -z "$TMP" || "$1" = "$TMP" ]]; then echo "ERROR: No option arg for '$1' specified!" PrintUsage fi TMP=`echo "$TMP" | tr "[A-Z]" "[a-z]"` if [[ "$TMP" != "linux" && "$TMP" != "win32" ]]; then echo "ERROR: Unsupported platform '$TMP' specified!" PrintUsage fi OPT_PLATFORM="$TMP" shift ;; --static-hivex?(=[01])) OPT_STATIC_HIVEX=$(get_arg_val "$1") || PrintUsage shift ;; --win32-compiler-suffix=*) TMP=`echo "$1" | cut -d= -f2` if [[ -z "$TMP" || "$1" = "$TMP" ]]; then echo "ERROR: No option arg for '$1' specified!" PrintUsage fi if [[ ! -x "$(which \"${TMP}-gcc\")" || ! -x "$(which \"${TMP}-g++\")" ]]; then echo "ERROR: Couldn't find '${TMP}-gcc' or '${TMP}-g++'!" echo "ERROR: The specified win32 compiler suffix does not seem to be correct!" exit 1 fi OPT_WIN32_COMPILER_SUFFIX="$TMP" shift ;; --win32-qmake=*) TMP=`echo "$1" | cut -d= -f2` if [[ -z "$TMP" || "$1" = "$TMP" ]]; then echo "ERROR: No option arg for '$1' specified!" PrintUsage fi if [ ! -x "$TMP" ]; then echo "ERROR: The specified win32 qmake binary '$TMP' does not exist or is not executable!" exit 1 fi OPT_WIN32_QMAKE="$TMP" shift ;; --win32-qtdll-path=*) TMP=`echo "$1" | cut -d= -f2` if [[ -z "$TMP" || "$1" = "$TMP" ]]; then echo "ERROR: No option arg for '$1' specified!" PrintUsage fi if [ ! -d "$TMP" ]; then echo "ERROR: The specified Qt dll path '$TMP' does not exist or is not a directory!" exit 1 fi OPT_WIN32_QTDLL_PATH="$TMP" shift ;; --*) echo "ERROR: Unknown option / Wrong option arg '$1' specified!" 
1>&2 PrintUsage ;; *) break ;; esac done if [ $EXTGLOB -ne 0 ]; then shopt -u extglob &>/dev/null fi # ----------------------------------------------------------------------------- # Check command line args # ----------------------------------------------------------------------------- if [ "$OPT_PLATFORM" = "linux" ]; then if [ ! -x "$OPT_LINUX_QMAKE" ]; then echo "ERROR: Couldn't find qmake! Consider specifying it with --linux-qmake." exit 1 fi fi if [ "$OPT_PLATFORM" = "win32" ]; then if [ ! -x "$OPT_WIN32_QMAKE" ]; then echo "ERROR: Couldn't find qmake! Consider specifying it with --win32-qmake." exit 1 fi fi # ----------------------------------------------------------------------------- # Build # ----------------------------------------------------------------------------- # Get script directory and cd to it SCRIPT_DIR=`dirname "$0"` ( cd "$SCRIPT_DIR" # When requested to build static, init, bootstrap, configure and make hivex if [ $OPT_STATIC_HIVEX -eq 1 ]; then echo "-----------------------------------------------------------------------------" echo "Bootstrapping fred" echo "-----------------------------------------------------------------------------" ( cd .. git submodule init git submodule update ) echo "-----------------------------------------------------------------------------" echo "Bootstrapping hivex" echo "-----------------------------------------------------------------------------" ( cd hivex if [ "$OPT_PLATFORM" = "linux" ]; then ./autogen.sh --disable-ocaml --disable-perl --disable-python --disable-ruby --disable-shared || exit 1 fi if [ "$OPT_PLATFORM" = "win32" ]; then ./autogen.sh --host=$OPT_WIN32_COMPILER_SUFFIX --disable-ocaml --disable-perl --disable-python --disable-ruby --disable-shared || exit 1 fi ) [ $? 
-ne 0 ] && exit 1 echo "-----------------------------------------------------------------------------" echo "Building hivex" echo "-----------------------------------------------------------------------------" ( cd hivex make clean &>/dev/null make -j$OPT_JOBS || exit 1 ) [ $? -ne 0 ] && [ "$OPT_PLATFORM" != "win32" ] && exit 1 fi # Exit if we had only to bootstrap [ $OPT_ONLY_BOOTSTRAP -eq 1 ] && exit 0 # Building is done while packaging on Linux if [[ ! ( "$OPT_PLATFORM" = "linux" && $OPT_CREATE_PACKAGE -eq 1 ) ]]; then echo "-----------------------------------------------------------------------------" echo "Building fred" echo "-----------------------------------------------------------------------------" make distclean &>/dev/null if [ "$OPT_PLATFORM" = "linux" ]; then if [ $OPT_STATIC_HIVEX -eq 0 ]; then - $OPT_LINUX_QMAKE || exit 1 + $OPT_LINUX_QMAKE -qt=qt4 || exit 1 else - $OPT_LINUX_QMAKE HIVEX_STATIC=1 || exit 1 + $OPT_LINUX_QMAKE -qt=qt4 HIVEX_STATIC=1 || exit 1 fi make clean &>/dev/null make -j$OPT_JOBS release || exit 1 fi if [ "$OPT_PLATFORM" = "win32" ]; then if [ $OPT_STATIC_HIVEX -eq 0 ]; then $OPT_WIN32_QMAKE || exit 1 else $OPT_WIN32_QMAKE HIVEX_STATIC=1 || exit 1 fi make clean &>/dev/null make -j$OPT_JOBS release || exit 1 fi fi # Exit if we don't need to package fred [ $OPT_CREATE_PACKAGE -eq 0 ] && exit 0 echo "-----------------------------------------------------------------------------" echo "Packaging fred" echo "-----------------------------------------------------------------------------" if [ "$OPT_PLATFORM" = "linux" ]; then if [ ! -x "$(which dpkg-buildpackage)" ]; then echo "ERROR: Couldn't find dpkg-buildpackage!" 
exit 1 fi dpkg-buildpackage -rfakeroot -b || exit 1 fi if [ "$OPT_PLATFORM" = "win32" ]; then # Delete old package directory if it exists and (re)create it rm -rf fred-win32 &>/dev/null mkdir fred-win32 # Copy fred.exe cp -v release/fred.exe fred-win32/ # Find and copy mingw dll's for F in $WIN32_DLLS; do find /usr -name "$F" -path "*/$OPT_WIN32_COMPILER_SUFFIX/*" -exec cp -v "{}" fred-win32/ \; || exit 1 done # Copy Qt dll's for F in $WIN32_QTDLLS; do cp -v "$OPT_WIN32_QTDLL_PATH/$F" fred-win32/ || exit 1 done # Copy report templates cp -rv report_templates fred-win32/ || exit 1 fi ) if [ $? -eq 0 ]; then echo "-----------------------------------------------------------------------------" echo "All done." echo "-----------------------------------------------------------------------------" else echo "-----------------------------------------------------------------------------" echo "An error occured while building! See output above for details." echo "-----------------------------------------------------------------------------" fi
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
index 3c13418..9e42186 100644
--- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
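Review bot: The `-qt=qt4` added to both linux qmake calls is an option of the qtchooser wrapper, not of qmake itself, so a binary handed in through `--linux-qmake=` that points directly at a Qt 4 qmake will reject the argument and the build stops at `|| exit 1` even though the user supplied a working qmake (the win32 branch, which always uses an explicit `$OPT_WIN32_QMAKE`, is left unchanged and shows the asymmetry). The same selection can be expressed in a form a non-wrapper qmake simply ignores, and the expansion quoted while at it: `QT_SELECT=qt4 "$OPT_LINUX_QMAKE" || exit 1` and `QT_SELECT=qt4 "$OPT_LINUX_QMAKE" HIVEX_STATIC=1 || exit 1`. Whichever form is kept, a comment above the call should record the intent, e.g. `# Pin the build to Qt 4 when qmake is the qtchooser wrapper; a directly specified Qt 4 qmake needs no selection`, since nothing in the usage text for `--linux-qmake=` tells the user the binary must understand qtchooser arguments.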
@@ -1,190 +1,199 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "USB storage devices", report_author : "Gillen Daniel, Voncken Guy", report_desc : "Dump USB storage devices", fred_api : 2, hive : "SYSTEM" }; return info; } var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12"; var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;"; function IsValid(val) { return (typeof val!=='undefined'); } function PrintTableHeaderCell(str) { println(" ",str,""); } function PrintTableDataCell(alignment,str) { var style=cell_style+" text-align:"+alignment+";"; println(" ",str,""); } function PrintTableDataRowSpanCell(alignment,rows,str) { var style=cell_style+" text-align: "+alignment+";"; println(" ",str,""); } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function GetKeyVal(path, key) { var val=GetRegistryKeyValue(path, key); return (IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""; } function fred_report_html() { // TODO: There is more here. // Check http://www.forensicswiki.org/wiki/USB_History_Viewing var val; println("

USB storage devices

"); // Preload MountedDevices to possibly identify mount points of USB storage // devices var mnt_keys=GetRegistryKeys("\\MountedDevices"); var mnt_values=new Array(); if(IsValid(mnt_keys)) { for(var i=0;i"); println(" "); // Are USB storage devices enabled? // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5 // Is this true for WinXP etc.. ??? var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start"); if(IsValid(val)) { val=RegistryKeyValueToString(val.value,val.type); val=parseInt(String(val).substr(2,8),10); switch(val) { case 3: println(" "); break; case 4: println(" "); break; default: println(" "); } } else { println(" "); } println("
Storage driver enabled:Yes
Storage driver enabled:No
Storage driver enabled:Unknown
Storage driver enabled:Unknown
"); println("

"); println("

"); var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR"); if(IsValid(storage_roots)) { println(" "); println(" "); PrintTableHeaderCell("Vendor Name"); PrintTableHeaderCell("Unique ID"); PrintTableHeaderCell("Class"); PrintTableHeaderCell("Friendly name"); PrintTableHeaderCell("Mount point(s)"); PrintTableHeaderCell("Parent ID"); PrintTableHeaderCell("Device description"); + PrintTableHeaderCell("First connection1"); + PrintTableHeaderCell("Last connection1"); println(" "); for(var i=0;i1) { println(" "); PrintTableDataRowSpanCell("left",mount_points,storage_roots[i]); PrintTableDataRowSpanCell("left",mount_points,device_id); PrintTableDataRowSpanCell("left",mount_points,device_class); PrintTableDataRowSpanCell("left",mount_points,device_friendly_name); PrintTableDataCell("left",device_mount_points[0]); PrintTableDataRowSpanCell("left",mount_points,device_parent_id); PrintTableDataRowSpanCell("left",mount_points,device_desc); + PrintTableDataRowSpanCell("left",mount_points,device_first_connection); + PrintTableDataRowSpanCell("left",mount_points,device_last_connection); println(" "); for(var iii=1;iii"); PrintTableDataCell("left",device_mount_points[iii]); println(" "); } } else { println(" "); PrintTableDataCell("left",storage_roots[i]); PrintTableDataCell("left",device_id); PrintTableDataCell("left",device_class); PrintTableDataCell("left",device_friendly_name); if(mount_points!=0) { PrintTableDataCell("left",device_mount_points[0]); } else { PrintTableDataCell("left","n/a"); } PrintTableDataCell("left",device_parent_id); PrintTableDataCell("left",device_desc); + PrintTableDataCell("left",device_first_connection); + PrintTableDataCell("left",device_last_connection); println(" "); } } } println("
"); + println("     1 Might be incorrect"); println("
"); } else { println(" This registry hive does not contain a list of attached USB storage devices!"); } println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } }
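Review bot: The new data cells print `device_first_connection` and `device_last_connection`, but the lines that assign them are not readable in this hunk as rendered, so it is unclear whether they come from `GetKeyVal` (which yields `""` for a missing value) or raw from `GetRegistryKeyValue`; in the latter case a hive that lacks the timestamp values would print the literal text `undefined` in the table, unlike every other column. The footnote `1 Might be incorrect` gives the examiner nothing to weigh: the comment at the assignment and the footnote should state what the two timestamps are derived from (a stored registry value versus a key's last-write time) and that the artefact is not present on every Windows version, because a first/last connection time quoted in a report is exactly the kind of value that gets challenged. A more useful footnote wording is `1 Derived from [artefact]; may not reflect the actual connection time`, with the artefact filled in from the assignment code.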