2021-07-16 06:05:01 +00:00
|
|
|
# Mobile Verification Toolkit (MVT)
|
2021-08-01 19:11:08 +00:00
|
|
|
# Copyright (c) 2021 The MVT Project Authors.
|
|
|
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
|
|
|
# https://license.mvt.re/1.1/
|
2021-07-16 06:05:01 +00:00
|
|
|
|
|
|
|
|
import datetime
|
2021-07-30 09:40:09 +00:00
|
|
|
import os
|
2021-07-16 06:05:01 +00:00
|
|
|
|
|
|
|
|
from mvt.common.utils import convert_timestamp_to_iso
|
|
|
|
|
|
2021-08-15 11:14:18 +00:00
|
|
|
from ..base import IOSExtraction
|
2021-07-16 06:05:01 +00:00
|
|
|
|
2021-07-30 09:40:09 +00:00
|
|
|
|
2021-07-16 06:05:01 +00:00
|
|
|
class Filesystem(IOSExtraction):
|
|
|
|
|
"""This module extracts creation and modification date of files from a
|
2021-09-10 13:18:13 +00:00
|
|
|
full file-system dump.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
"""
|
2021-07-16 06:05:01 +00:00
|
|
|
|
|
|
|
|
def __init__(self, file_path=None, base_folder=None, output_folder=None,
|
|
|
|
|
fast_mode=False, log=None, results=[]):
|
|
|
|
|
super().__init__(file_path=file_path, base_folder=base_folder,
|
|
|
|
|
output_folder=output_folder, fast_mode=fast_mode,
|
|
|
|
|
log=log, results=results)
|
|
|
|
|
|
|
|
|
|
def serialize(self, record):
|
|
|
|
|
return {
|
|
|
|
|
"timestamp": record["modified"],
|
|
|
|
|
"module": self.__class__.__name__,
|
2021-10-15 12:58:50 +00:00
|
|
|
"event": "entry_modified",
|
|
|
|
|
"data": record["path"],
|
2021-07-16 06:05:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
def check_indicators(self):
|
|
|
|
|
if not self.indicators:
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
for result in self.results:
|
2021-10-15 12:58:50 +00:00
|
|
|
if self.indicators.check_file(result["path"]):
|
|
|
|
|
self.log.warning("Found a known malicious file at path: %s", result["path"])
|
2021-07-16 06:05:01 +00:00
|
|
|
self.detected.append(result)
|
|
|
|
|
|
2021-10-15 12:58:50 +00:00
|
|
|
# If we are instructed to run fast, we skip this.
|
|
|
|
|
if self.fast_mode:
|
|
|
|
|
self.log.info("Flag --fast was enabled: skipping extended search for suspicious files/processes")
|
|
|
|
|
else:
|
|
|
|
|
for ioc in self.indicators.ioc_processes:
|
|
|
|
|
parts = result["path"].split("/")
|
|
|
|
|
if ioc in parts:
|
|
|
|
|
self.log.warning("Found a known malicious file/process at path: %s", result["path"])
|
|
|
|
|
self.detected.append(result)
|
|
|
|
|
|
2021-07-16 06:05:01 +00:00
|
|
|
def run(self):
|
|
|
|
|
for root, dirs, files in os.walk(self.base_folder):
|
2021-10-15 12:58:50 +00:00
|
|
|
for dir_name in dirs:
|
|
|
|
|
try:
|
|
|
|
|
dir_path = os.path.join(root, dir_name)
|
|
|
|
|
result = {
|
|
|
|
|
"path": os.path.relpath(dir_path, self.base_folder),
|
|
|
|
|
"modified": convert_timestamp_to_iso(datetime.datetime.utcfromtimestamp(os.stat(dir_path).st_mtime)),
|
|
|
|
|
}
|
2021-11-19 14:27:51 +00:00
|
|
|
except Exception:
|
2021-10-15 12:58:50 +00:00
|
|
|
continue
|
|
|
|
|
else:
|
|
|
|
|
self.results.append(result)
|
|
|
|
|
|
2021-07-16 06:05:01 +00:00
|
|
|
for file_name in files:
|
|
|
|
|
try:
|
|
|
|
|
file_path = os.path.join(root, file_name)
|
|
|
|
|
result = {
|
2021-10-15 12:58:50 +00:00
|
|
|
"path": os.path.relpath(file_path, self.base_folder),
|
2021-07-16 06:05:01 +00:00
|
|
|
"modified": convert_timestamp_to_iso(datetime.datetime.utcfromtimestamp(os.stat(file_path).st_mtime)),
|
|
|
|
|
}
|
2021-11-19 14:27:51 +00:00
|
|
|
except Exception:
|
2021-07-16 06:05:01 +00:00
|
|
|
continue
|
|
|
|
|
else:
|
|
|
|
|
self.results.append(result)
|
