
Parsing Log Records

Posted by Paul Bobby on August 30, 2010

Although I like to use Log Records (they can contain more data than a bookmark), creating reports from them is problematic. I have a Yahoo Chat log parser that creates Log Records from chat logs, but of course producing a report was an issue. The following code snippet illustrates a simple loop through the Log Record structure based on selecting a parent bookmark.

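       // Walk every bookmark in the case and emit one CSV row per Log Record
       // found under each selected "Log Record" bookmark.
       //
       // `c` (the CaseClass), `CLog` (the LogClass logger) and `local` (the
       // report file being written) are defined by the enclosing script; this
       // snippet shows only the traversal.
       forall (BookmarkClass b in c.BookmarkRoot()) {
         if (b.IsSelected()) {
           if (b.BookmarkType() == "Log Record") {
             // NOTE(review): the parentheses appear to be what gives `recs` an
             // object for GetDataRoot() to fill rather than a null reference —
             // confirm against the EnScript language reference.
             LogRecordClass recs();
             if (b.GetDataRoot(recs)) {
               forall (LogRecordClass rec in recs) {
                 // Build the row once so the console and the report always agree.
                 // NOTE(review): Name() and Comment() come straight from the
                 // evidence (here, chat logs) and are written unquoted. A comma,
                 // quote or newline in either field breaks the CSV row, and a
                 // value beginning with '=', '+', '-' or '@' may be interpreted
                 // as a formula when the report is opened in a spreadsheet.
                 // Quote/escape the fields before relying on the report.
                 String line = rec.Name() + "," + rec.Created().GetString() + "," + rec.Comment();
                 CLog.Debug(line);
                 local.WriteLine(line);
               }
             }
           }
         }
       }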

The key is the line “b.GetDataRoot(recs)” which returns TRUE if the bookmark is of type LogRecordClass. Once in the forall loop, you can do whatever you want with the Log Record data.

What is strange is that ‘recs’ is not initialized, and yet when it is used in the GetDataRoot() method, it has a value and can be iterated against. There’s probably an OOP reason for this, but bally if I know.



GUI Template

Posted by Paul Bobby on August 16, 2010

I’ve been using a standard template of mine for some time now when writing Enscripts. But I’ve started digging into the GUI dialogs available through Encase, and so here is an updated template that incorporates GUI elements.

The problem I had was with multi-tab GUIs and having elements enabled or disabled based on a choice. Geoff Black to the rescue, and thankfully he provided an enscript version of his Timeline Analysis enscript – he uses a concept of a MasterDialog class that simply passes the MainClass back and forth – all values are visible to my code because they are global. Works great.

Here’s the code:

 

   1: include "GSI_LogLib"

   2:  

   3: class MainClass;

   4:  

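   // First tab of the master dialog: the script's options. `m` is the shared
   // MainClass; each checkbox is bound directly to a field on it, so the values
   // are visible to the rest of the script without copying them back.
   class OptionsDialogClass: DialogClass {
     MainClass         m;
     StaticTextClass   Description;
     CheckBoxClass     _Check1, _Check2;

     // `m = main` is listed first so the reference is already set when the
     // checkbox initializers read m.Check1 / m.Check2, whatever order EnScript
     // evaluates the initializer list in.
     OptionsDialogClass(DialogClass parent, MainClass main):
       DialogClass(parent, "Options"),
       m = main,
       Description(this, "GUI Template: Purpose of this script", START, START, 0, 0, 0),
       _Check1(this, "Checkbox 1", SAME, NEXT, DEFAULT, DEFAULT, 0, m.Check1),
       _Check2(this, "Checkbox 2", SAME, NEXT, DEFAULT, DEFAULT, 0, m.Check2)
     {
     }

     // Checkbox 2 is only meaningful when checkbox 1 is ticked.
     // NOTE(review): nothing in this class calls CheckControls() before the
     // dialog is shown, so _Check2 keeps its default enabled state until
     // _Check1 is first toggled — confirm whether DialogClass invokes it.
     virtual void CheckControls() {
       _Check2.Enable(_Check1.GetValue());
     }

     // Re-evaluate the dependent control whenever checkbox 1 changes. The
     // enable/disable rule lives in CheckControls() only, so the two cannot drift.
     virtual void ChildEvent(const WindowClass::EventClass &event) {
       DialogClass::ChildEvent(event);
       if (_Check1.Matches(event)) {
         CheckControls();
       }
     }
   }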

  31:  

  // Second tab of the master dialog: static help text inside a group box.
  class HelpDialogClass : DialogClass {
    GroupBoxClass    helpGroup;
    StaticTextClass  helpGroupText;

    HelpDialogClass(DialogClass parent):
      DialogClass(parent, "Help"),
      helpGroup(this, "Help", START, START, DEFAULT, DEFAULT, 0),
      // One option per paragraph; the last line tells readers where to send feedback.
      helpGroupText(this,
        "This is the help text\n\n"
        + "Option 1:         Explanation\n\n"
        + "Option 2:         Explanation\n\n"
        + "Please submit comments via my blog at secureartisan.wordpress.com\n",
        NEXT, SAME, DEFAULT, DEFAULT, 0)
    {
    }
  }

  47:  

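  // Top-level dialog holding the two child dialogs (presented as tabs, per the
  // post). The MainClass reference is threaded through to the tab that needs it.
  // Thank you Geoff Black for this idea (see his Timeline Analysis enscript).
  class MasterDialogClass : DialogClass {
    MainClass            mstrM;
    OptionsDialogClass   First;
    HelpDialogClass      Second;

    // `mstrM = mstrMain` is listed first so `First` receives a live reference
    // whatever order EnScript evaluates the initializer list in.
    MasterDialogClass(MainClass mstrMain) :
      DialogClass(null, "GUI Template"),
      mstrM = mstrMain,
      First(this, mstrM),
      Second(this)
    {
    }
  }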

  61:  

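  class MainClass {
    LogClass  CLog;

    // Case specific global variables. The options dialog binds its checkboxes
    // to these fields, so the dialog writes straight into them.
    bool      Check1, Check2;

    MainClass():
      Check1 = false,
      Check2 = false
    {
    }

    // Script entry point: validates the case, shows the dialog, then runs the
    // (currently empty) work section between the start and stop timestamps.
    void Main(CaseClass c) {
      // Script startup
      SystemClass::ClearConsole(1);
      CLog = new LogClass("Template", LogClass::DEBUG, Console);
      // The explicit returns do not rely on LogClass::Fatal() (from GSI_LogLib)
      // aborting the script; if it only logs, falling through would dereference
      // a null case on the next check.
      if (!c) {
        CLog.Fatal("You must have an open case");
        return;
      }
      if (!c.EntryRoot().FirstChild()) {
        CLog.Fatal("Please add some evidence to your case");
        return;
      }

      MasterDialogClass md(this);
      if (md.Execute() == SystemClass::OK) {
        DateClass now;
        now.Now();
        uint start = now.GetUnix();   // whole-second resolution
        CLog.Info("Script Started");
        // End startup

        // TODO: script body goes here; Check1 / Check2 hold the dialog choices.

        // Script shutdown
        now.Now();
        CLog.Info("Script Completed in " + (now.GetUnix() - start) + " seconds");
      }
    }
  }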
