<?
/*
PTK - DFLabs
Copyright (C) 2008 - DFLabs srl - All rights reserved
hide@address.com
*/
// Every handler below assumes a valid session and the sanitize() helper.
include 'check_session.php';
include 'sanitize.php';
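/**
 * Returns filesystem information for an image (FSSTAT / MMLS).
 *
 * First tries `fsstat -t` on the whole image. When that prints nothing, the
 * image is treated as partitioned: `mmls -b` is parsed and `fsstat -t -o` is
 * run per partition, and the result is a JavaScript array literal of
 * (start sector, description, filesystem type) triples ending in 'ARRAYEND'.
 *
 * @param string $path Image path; sanitized with PARANOID before use.
 * @return string fsstat output, the JS array literal, or an error message.
 */
function get_image_filesystem($path){
    $path = sanitize($path,PARANOID);
    include("../config/conf.php");
    $path_arg = escapeshellarg($path);
    $result = (string) shell_exec("$fsstat_bin -t $path_arg");
    if ($result !== '') {
        return $result;
    }
    $lines = explode("\n", (string) shell_exec("$mmls_bin -b $path_arg"));
    // One mmls row per partition: group 2 is the start sector, group 7 the description.
    $mmls_row = "/^(\d+:\s+[\d:]+\s+)(\d+)(\s+)(\d+)(\s+\d+\s+)(\s+)(\S+)(\s+)(\S.*)$/";
    $arr = "var arr = new Array(";
    foreach ($lines as $line) {
        if (!preg_match($mmls_row, $line, $out)) {
            continue;
        }
        $fs_type = (string) shell_exec("$fsstat_bin -t -o " . escapeshellarg($out[2]) . " $path_arg");
        if ($fs_type === '') {
            continue;
        }
        $fs_type = preg_replace("/\n/", "", $fs_type);
        // The values end up inside single-quoted JS string literals: escape quotes and
        // backslashes so text taken from the image cannot break out of the literal.
        $arr .= "'" . addcslashes($out[2], "\\'") . "','" . addcslashes($out[7], "\\'") . "','" . addcslashes($fs_type, "\\'") . "',";
    }
    $arr .= "'ARRAYEND');";
    if ($lines[0] == '') {
        return 'Cannot determine file system type';
    }
    return $arr;
}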
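/**
 * Returns the raw partition layout of an image (MMLS), formatted for HTML.
 *
 * @param string $path Image path; sanitized with PARANOID before use.
 * @return string mmls output, HTML-escaped, newlines replaced by <br>.
 */
function get_raw_image_details($path){
    $path = sanitize($path,PARANOID);
    include("../config/conf.php");
    $result = (string) shell_exec("$mmls_bin -b " . escapeshellarg($path));
    // The caller injects this into the page as HTML, so neutralise markup first.
    return preg_replace("/\n/", "<br>", htmlspecialchars($result));
}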
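/**
 * Returns filesystem details of an image or partition (FSSTAT), formatted for HTML.
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for fsstat's -o option; 'null' or '0' means none.
 * @return string fsstat output, HTML-escaped, newlines replaced by <br>.
 */
function get_image_details($path, $offset){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    include("../config/conf.php");
    // 'null' / '0' mean "no partition offset"; anything else becomes a quoted -o argument.
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $result = (string) shell_exec("$fsstat_bin $offset_arg " . escapeshellarg($path));
    // Rendered as HTML by the caller: escape tool output before inserting line breaks.
    return preg_replace("/\n/", "<br>", htmlspecialchars($result));
}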
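/**
 * Returns the directory entries of an inode (FLS, directories only).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  Directory inode; 'null' or '' means the root.
 * @return string fls output, HTML-escaped.
 */
function get_folder_browsing($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    // An absent inode is passed as nothing at all, not as an empty argument.
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$fls_bin -m / -D $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return htmlspecialchars($result);
}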
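/**
 * Checks whether a directory inode contains subdirectories (FLS -D).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  Directory inode; 'null' or '' means the root.
 * @return int 1 when fls printed anything, otherwise 0.
 */
function check_subfolders($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$fls_bin -m / -D $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return ($result !== '') ? 1 : 0;
}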
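/**
 * Returns the content of a directory inode (FLS, long listing).
 *
 * @param string     $path    Image path; sanitized with PARANOID.
 * @param string|int $offset  Value for -o; 'null' or '0' means none.
 * @param string     $inode   Directory inode; 'null' or '' means the root.
 * @param string     $tz      Time zone for -z; restricted to [A-Za-z0-9/_+|-].
 * @param string     $listall Extra fls option placed before -l (presumably a flag); '' for none.
 * @return string fls output, HTML-escaped.
 */
function get_folder_content($path, $offset, $inode,$tz,$listall){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    $tz = preg_replace("/[^a-zA-Z0-9\/\_\-\+\|]/", "", $tz);
    $listall = sanitize($listall,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    // The character filter above still lets '|' through, so the zone must be quoted
    // before it reaches the shell.
    $tz_arg = escapeshellarg($tz);
    $listall = (string) $listall;
    $listall_arg = ($listall === '') ? '' : escapeshellarg($listall);
    $result = (string) shell_exec("$fls_bin $listall_arg -l -z $tz_arg -F $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return htmlspecialchars($result);
}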
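/**
 * Returns the recursive file listing below a directory inode (FLS -r).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  Directory inode; 'null' or '' means the root.
 * @return string fls output, HTML-escaped.
 */
function get_folder_recursive_content($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$fls_bin -F -r -m / $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return htmlspecialchars($result);
}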
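/**
 * Formats a unix timestamp as "Y-m-d H:i:s" via the system `date` binary.
 *
 * @param string|int $timestamp Seconds since the epoch; sanitized with PARANOID.
 * @return string `date` output (includes its trailing newline).
 */
function reverse_unix_timestamp($timestamp){
    $timestamp = sanitize($timestamp,PARANOID);
    include("../config/conf.php");
    // "@<seconds>" is date's epoch syntax; quote it as a single argument.
    $when = escapeshellarg('@' . $timestamp);
    return (string) shell_exec("$date_bin -d $when +\"%Y-%m-%d %H:%M:%S\"");
}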
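/**
 * Returns the type of a file (ICAT piped into file(1)).
 *
 * Side effect: sets $_SESSION['is_graphic'] = 1 when the result looks like
 * image data, so the viewer can switch to the graphic renderer.
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @return string Output of `file -zb -`.
 */
function get_file_type($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg | $file_bin -zb -");
    if (preg_match("/(image data)|(PC bitmap data)/", $result)) {
        $_SESSION['is_graphic'] = 1;
    }
    return $result;
}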
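/**
 * Returns a file's content as escaped text (ICAT).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @return string icat output, HTML-escaped.
 */
function get_file_content_ascii($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return htmlspecialchars($result);
}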
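/**
 * Returns raw block content as escaped text (DCAT).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  Block address handed to dcat; 'null' or '' passes nothing.
 * @return string dcat output, HTML-escaped.
 */
function get_live_file_content_ascii($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$dcat_bin $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return htmlspecialchars($result);
}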
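/**
 * Returns a file's content as a hex dump (ICAT piped into hexdump -C).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @return string hexdump output, HTML-escaped.
 */
function get_file_content_hex($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg | $hexdump_bin -C");
    return htmlspecialchars($result);
}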
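/**
 * Returns raw block content as a hex dump (DCAT -h).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  Block address handed to dcat; 'null' or '' passes nothing.
 * @return string dcat output, HTML-escaped.
 */
function get_live_file_content_hex($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$dcat_bin -h $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return htmlspecialchars($result);
}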
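/**
 * Returns the printable strings of a file (ICAT piped into srch_strings -a).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @return string srch_strings output, HTML-escaped.
 */
function get_file_content_asciistrings($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg | $srch_strings_bin -a");
    return htmlspecialchars($result);
}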
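/**
 * Returns the printable strings of raw block content (DCAT piped into srch_strings -a).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  Block address handed to dcat; 'null' or '' passes nothing.
 * @return string srch_strings output, HTML-escaped.
 */
function get_live_file_content_asciistrings($path, $offset, $inode){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $result = (string) shell_exec("$dcat_bin $offset_arg " . escapeshellarg($path) . " $inode_arg | $srch_strings_bin -a");
    return htmlspecialchars($result);
}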
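/**
 * Returns the content of a graphic file as a hex string (ICAT).
 *
 * The image path is taken from $_SESSION['image_path']. The file data is read
 * straight from icat's stdout; the original wrote it to $INSTALLDIR/temp/<name>
 * and read it back, which needed the now-removed ereg_replace() and left a
 * shared temp file behind on any failure. $name is kept for interface
 * compatibility only.
 *
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @param string     $name   Unused (formerly the temp file name).
 * @return string bin2hex() of the file content ('' when icat printed nothing).
 */
function get_file_content_image($offset, $inode, $name){
    $name = sanitize($name,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $path = sanitize($_SESSION['image_path'],PARANOID);
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    // shell_exec() returns the bytes verbatim, so no intermediate file is needed.
    $data = (string) shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return bin2hex($data);
}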
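/**
 * Returns the content of a bookmarked graphic file as a hex string (ICAT).
 *
 * Same as get_file_content_image() but with an explicit image path. The data
 * is captured from icat's stdout instead of going through a temp file, which
 * removes the ereg_replace() calls (gone since PHP 7) and the shared temp
 * path. $name is kept for interface compatibility only.
 *
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @param string     $name   Unused (formerly the temp file name).
 * @param string     $path   Image path; sanitized with PARANOID.
 * @return string bin2hex() of the file content ('' when icat printed nothing).
 */
function get_file_content_image_bookmark($offset, $inode, $name, $path){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $data = (string) shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg");
    return bin2hex($data);
}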
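/**
 * Exports a file from the image into $INSTALLDIR/temp/<name> (ICAT) and logs it.
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @param string     $name   Target file name; reduced to its basename so it
 *                           cannot leave the temp directory.
 * @return void
 */
function export_file($path, $offset, $inode, $name){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    $name = sanitize($name,PARANOID);
    include("loggerClass.php");
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $target = escapeshellarg("$INSTALLDIR/temp/" . basename($name));
    new Log($_SESSION['ip'], $_SESSION['user'], "File $name of image $path exported");
    shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg > $target");
}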
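/**
 * Returns the sector size reported by `dcat -s` for an image or partition.
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @return string|null The "Size of Addressable Unit" figure, or null when dcat
 *                     did not report one (callers divide by it: check for null).
 */
function get_sector_size($path,$offset){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    include ("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $result = (string) shell_exec("$dcat_bin -s $offset_arg " . escapeshellarg($path));
    if (preg_match("/(\d+): Size of Addressable Unit/", $result, $m)) {
        return $m[1];
    }
    return null;
}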
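/**
 * Returns the istat details of the file owning a sector (IFIND + ISTAT).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string|int $sector Sector number looked up with `ifind -d`; quoted for the shell.
 * @return string istat output with newlines as <br>, or "File not allocated".
 */
function get_sector_info($path,$offset,$sector){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    include ("../config/conf.php");
    $path_arg = escapeshellarg($path);
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    // $sector arrives unsanitized: quoting is what keeps it a single argument.
    $inode = (string) shell_exec("$ifind_bin -d " . escapeshellarg((string) $sector) . " $offset_arg $path_arg");
    $inode = preg_replace("/\n/", "", $inode);
    $inode = sanitize($inode,PARANOID);
    if ($inode != "Inode not found") {
        $result = (string) shell_exec("$istat_bin $offset_arg $path_arg " . escapeshellarg($inode));
        return preg_replace("/\n/", "<br>", $result);
    }
    return "File not allocated";
}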
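/**
 * Keyword search over unallocated space (DLS + SRCH_STRINGS + GREP), resolved
 * to sectors and owning files (IFIND + ISTAT).
 *
 * Each hit is an array with keys 0 sector, 1 offset within the sector, 2 file
 * name (or "inode/meta: N" / "Not allocated"), 3 inode, 4 partition offset
 * ('null' when searching the whole image), 5 true when istat reports the inode
 * as not allocated, 6 partition id. Without a partition offset the result is
 * keyed by grep line number (sparse); with offsets it is a dense list.
 *
 * @param string $path        Image path; sanitized with PARANOID.
 * @param string $offset      '|'-separated partition offsets; '', '0' or 'null' for the whole image.
 * @param string $string      Search term; literal unless $regexp == 'true' (extended regex).
 * @param string $regexp      'true' for grep -E, anything else for a literal search.
 * @param string $case_s      'false' makes the search case-insensitive.
 * @param string $src_unicode 'true' also searches UTF-16LE strings (literal mode only).
 * @param string $src_ascii   'true' searches ASCII strings (literal mode only).
 * @param string $part_id     '|'-separated partition ids, parallel to $offset.
 * @return array Hits as described above; empty when the sector size is unknown.
 */
function get_live_search($path, $offset, $string,$regexp,$case_s,$src_unicode,$src_ascii,$part_id){
    $path = sanitize($path,PARANOID);
    $case_s = sanitize($case_s,PARANOID);
    $src_unicode = sanitize($src_unicode,PARANOID);
    $src_ascii = sanitize($src_ascii,PARANOID);
    $offset = preg_replace("/[^0-9\|]/", "", $offset);
    $part_id = preg_replace("/[^0-9\|]/", "", $part_id);
    include("../config/conf.php");
    $output = array();
    $grep_case = ($case_s == 'false') ? '-i' : '';
    $string = stripslashes($string);
    if ($regexp == 'false') {
        // Literal search: neutralise grep's basic-regex metacharacters, then quote for
        // the shell. The old hand-rolled "\'" escaping did not survive single quotes.
        $pattern = str_replace(
            array('.', '[', '^', '$', '*'),
            array('\\.', '\\[', '\\^', '\\$', '\\*'),
            $string);
        $grep_cmd = "$grep_bin $grep_case " . escapeshellarg($pattern);
    } else {
        // Second stripslashes() kept from the original to leave regex input unchanged.
        $grep_cmd = "$grep_bin -E " . escapeshellarg(stripslashes($string));
    }
    $hit_line = "/^(\d+)\s*(.+)/";
    if ($offset == 'null' || $offset == '' || $offset == '0') {
        $sector_size = get_sector_size($path,$offset);
        if ((int) $sector_size <= 0) {
            return $output;   // unknown sector size: nothing to divide by
        }
        $raw = _live_search_run($path, '', $grep_cmd, $regexp, $src_ascii, $src_unicode);
        foreach (preg_split("/\n/", $raw) as $j => $line) {
            if (preg_match($hit_line, preg_replace("/^\s*/", "", $line), $out)) {
                $row = _live_search_describe_hit($path, '', $out[1], $sector_size);
                $row[4] = 'null';
                $row[6] = $part_id;
                $output[$j] = $row;   // keyed by grep line number, as before
            }
        }
    } else {
        $offsets = explode("|", $offset);
        $part_ids = explode("|", $part_id);
        $n = 0;
        foreach ($offsets as $i => $o) {
            if ($o == '') {
                continue;
            }
            $sector_size = get_sector_size($path, $o);
            if ((int) $sector_size <= 0) {
                continue;
            }
            $o_arg = '-o ' . escapeshellarg($o);
            $raw = _live_search_run($path, $o_arg, $grep_cmd, $regexp, $src_ascii, $src_unicode);
            foreach (preg_split("/\n/", $raw) as $line) {
                if (preg_match($hit_line, preg_replace("/^\s*/", "", $line), $out)) {
                    // Key 4 goes first to keep the original per-row key order.
                    $row = array(4 => $o) + _live_search_describe_hit($path, $o_arg, $out[1], $sector_size);
                    $row[6] = isset($part_ids[$i]) ? $part_ids[$i] : null;
                    $output[$n++] = $row;
                }
            }
        }
    }
    return $output;
}
/**
 * Runs dls | srch_strings | grep for one image/partition and returns grep's output.
 *
 * @param string $path        Sanitized image path.
 * @param string $o_arg       '-o <offset>' already quoted, or '' for the whole image.
 * @param string $grep_cmd    Fully quoted grep command (binary, flags, pattern).
 * @param string $regexp      'false' for literal mode (ASCII and/or UTF-16LE), else regex mode.
 * @param string $src_ascii   'true' to search ASCII strings (literal mode).
 * @param string $src_unicode 'true' to search UTF-16LE strings (literal mode).
 * @return string Concatenated grep output.
 */
function _live_search_run($path, $o_arg, $grep_cmd, $regexp, $src_ascii, $src_unicode){
    include("../config/conf.php");
    $path_arg = escapeshellarg($path);
    if ($regexp != 'false') {
        // Regex mode only looks at ASCII strings, as the original did.
        return (string) shell_exec("$dls_bin -e $o_arg $path_arg | $srch_strings_bin -a -t d | $grep_cmd");
    }
    $hits = '';
    if ($src_ascii == 'true') {
        $hits .= (string) shell_exec("$dls_bin -e $o_arg $path_arg | $srch_strings_bin -a -t d | $grep_cmd");
    }
    if ($src_unicode == 'true') {
        $hits .= (string) shell_exec("$dls_bin -e $o_arg $path_arg | $srch_strings_bin -a -t d -e l | $grep_cmd");
    }
    return $hits;
}
/**
 * Resolves one hit (decimal byte offset printed by srch_strings -t d) to a row
 * with keys 0 sector, 1 in-sector offset, 2 file name, 3 inode, 5 not-allocated flag.
 *
 * @param string     $path        Sanitized image path.
 * @param string     $o_arg       '-o <offset>' already quoted, or ''.
 * @param string     $byte_offset Byte offset of the hit.
 * @param string|int $sector_size Sector size (> 0).
 * @return array
 */
function _live_search_describe_hit($path, $o_arg, $byte_offset, $sector_size){
    include("../config/conf.php");
    $path_arg = escapeshellarg($path);
    $row = array();
    $row[0] = floor($byte_offset / $sector_size);
    $row[1] = $byte_offset % $sector_size;
    $inode = preg_replace("/\n/", "", (string) shell_exec("$ifind_bin -d " . escapeshellarg((string) $row[0]) . " $o_arg $path_arg"));
    if ($inode != "Inode not found") {
        // ifind output is tool-controlled but comes from the image: quote it anyway.
        $inode_arg = ($inode === '') ? '' : escapeshellarg($inode);
        $filename = (string) shell_exec("$istat_bin $o_arg $path_arg $inode_arg | $grep_bin -m 1 \"Name:\"");
        $not_allocated = (string) shell_exec("$istat_bin $o_arg $path_arg $inode_arg | $grep_bin -m 1 \"Not Allocated\"");
        // Drop the "Name: " prefix of the istat line.
        $filename = substr(preg_replace("/\n/", "", $filename), 6);
        $not_allocated = preg_replace("/\n/", "", $not_allocated);
        if ($filename == '') {
            $row[2] = "inode/meta: $inode";
            $row[3] = '';
            $row[5] = false;
        } else {
            $row[2] = strtolower($filename);
            $row[3] = $inode;
            $row[5] = ($not_allocated == 'Not Allocated');
        }
    } else {
        $row[2] = 'Not allocated';
        $row[3] = '';
        $row[5] = false;
    }
    return $row;
}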
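/**
 * Returns the unallocated block list of an image or partition (DLS -el).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $range  Block range passed to dls after the image; '' for none.
 * @return string Raw dls output (null from shell_exec is returned as '').
 */
function get_allocation_list($path, $offset, $range){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $range = sanitize($range,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $range = (string) $range;
    $range_arg = ($range === '') ? '' : escapeshellarg($range);
    return (string) shell_exec("$dls_bin -el $offset_arg " . escapeshellarg($path) . " $range_arg");
}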
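/**
 * Returns sector content as escaped text (DCAT -a).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null'/'0' for none, 'raw' selects `-f raw`.
 * @param string|int $sector First sector to dump.
 * @param string|int $total  Number of sectors (the original mistakenly sanitized $sector here).
 * @return string dcat output, HTML-escaped.
 */
function get_sector_content_ascii($path, $offset, $sector, $total){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $sector = sanitize($sector,PARANOID);
    $total = sanitize($total,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    if ($offset == 'null' || $offset == '0') {
        $offset_arg = '';
    } elseif ($offset == 'raw') {
        $offset_arg = "-f raw";
    } else {
        $offset_arg = '-o ' . escapeshellarg($offset);
    }
    $sector = (string) $sector;
    $sector_arg = ($sector === '') ? '' : escapeshellarg($sector);
    $total = (string) $total;
    $total_arg = ($total === '') ? '' : escapeshellarg($total);
    $result = (string) shell_exec("$dcat_bin -a $offset_arg " . escapeshellarg($path) . " $sector_arg $total_arg");
    return htmlspecialchars($result);
}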
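/**
 * Returns sector content as a hex dump (DCAT -h).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null'/'0' for none, 'raw' selects `-f raw`.
 * @param string|int $sector First sector to dump.
 * @param string|int $total  Number of sectors.
 * @return string dcat output, HTML-escaped.
 */
function get_sector_content_hex($path, $offset, $sector, $total){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $sector = sanitize($sector,PARANOID);
    $total = sanitize($total,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    if ($offset == 'null' || $offset == '0') {
        $offset_arg = '';
    } elseif ($offset == 'raw') {
        $offset_arg = "-f raw";
    } else {
        $offset_arg = '-o ' . escapeshellarg($offset);
    }
    $sector = (string) $sector;
    $sector_arg = ($sector === '') ? '' : escapeshellarg($sector);
    $total = (string) $total;
    $total_arg = ($total === '') ? '' : escapeshellarg($total);
    $result = (string) shell_exec("$dcat_bin -h $offset_arg " . escapeshellarg($path) . " $sector_arg $total_arg");
    return htmlspecialchars($result);
}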
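/**
 * Returns the printable strings of sector content (DCAT piped into srch_strings -a).
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null'/'0' for none, 'raw' selects `-f raw`.
 * @param string|int $sector First sector to dump.
 * @param string|int $total  Number of sectors.
 * @return string srch_strings output, HTML-escaped.
 */
function get_sector_content_asciistrings($path, $offset, $sector, $total){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $sector = sanitize($sector,PARANOID);
    $total = sanitize($total,PARANOID);
    include("../config/conf.php");
    $offset = (string) $offset;
    if ($offset == 'null' || $offset == '0') {
        $offset_arg = '';
    } elseif ($offset == 'raw') {
        $offset_arg = "-f raw";
    } else {
        $offset_arg = '-o ' . escapeshellarg($offset);
    }
    $sector = (string) $sector;
    $sector_arg = ($sector === '') ? '' : escapeshellarg($sector);
    $total = (string) $total;
    $total_arg = ($total === '') ? '' : escapeshellarg($total);
    $result = (string) shell_exec("$dcat_bin $offset_arg " . escapeshellarg($path) . " $sector_arg $total_arg | $srch_strings_bin -a");
    return htmlspecialchars($result);
}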
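/**
 * Exports a sector range into $INSTALLDIR/temp/<name> (DCAT) and logs it.
 *
 * @param string     $path   Image path; sanitized with PARANOID.
 * @param string|int $offset Value for -o; 'null'/'0' for none, 'raw' selects `-f raw`.
 * @param string|int $sector First sector; sanitized with INT.
 * @param string|int $total  Number of sectors.
 * @param string     $name   Target file name; reduced to its basename so it
 *                           cannot leave the temp directory.
 * @return void
 */
function export_sector($path, $offset, $sector, $total, $name){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $sector = sanitize($sector,INT);
    $total = sanitize($total,PARANOID);
    $name = sanitize($name,PARANOID);
    include ("loggerClass.php");
    include("../config/conf.php");
    $offset = (string) $offset;
    if ($offset == 'null' || $offset == '0') {
        $offset_arg = '';
    } elseif ($offset == 'raw') {
        $offset_arg = "-f raw";
    } else {
        $offset_arg = '-o ' . escapeshellarg($offset);
    }
    $sector = (string) $sector;
    $sector_arg = ($sector === '') ? '' : escapeshellarg($sector);
    $total = (string) $total;
    $total_arg = ($total === '') ? '' : escapeshellarg($total);
    $target = escapeshellarg("$INSTALLDIR/temp/" . basename($name));
    new Log($_SESSION['ip'], $_SESSION['user'], "Sector $name of image $path exported");
    shell_exec("$dcat_bin $offset_arg " . escapeshellarg($path) . " $sector_arg $total_arg > $target");
}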
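/**
 * Identifies a RAM dump with Volatility's `ident` command.
 *
 * Side effects: stores the reported "VM Type" in $_SESSION['ram_type'] and the
 * "DTB" in $_SESSION['ram_offset'] for later get_ram_analysis() calls.
 *
 * @param string $path Dump path; sanitized with PARANOID.
 * @return string Volatility output, HTML-escaped, newlines replaced by <br>.
 */
function get_ram_info($path){
    $path = sanitize($path,PARANOID);
    include("../config/conf.php");
    $result = (string) shell_exec("python $INSTALLDIR/Volatility-1.3_Beta/volatility ident -f " . escapeshellarg($path));
    if (preg_match("/(VM\sType:\s)(\S+)\n/", $result, $out)) {
        $_SESSION['ram_type'] = $out[2];
    }
    if (preg_match("/(DTB:\s)(\S+)\n/", $result, $out)) {
        $_SESSION['ram_offset'] = $out[2];
    }
    // Rendered as HTML by the caller, so escape before inserting line breaks.
    return preg_replace("/\n/", "<br>", htmlspecialchars($result));
}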
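/**
 * Runs a Volatility command against a RAM dump.
 *
 * Uses $_SESSION['ram_offset'] (-b) and $_SESSION['ram_type'] (-t) recorded by
 * get_ram_info() for every command except `ident`. Every user-supplied value is
 * passed as a single quoted argument, including $command itself.
 *
 * @param string $path    Dump path; sanitized with PARANOID.
 * @param string $command Volatility command name.
 * @param string $start   -s value for the *scan commands; '' for none.
 * @param string $end     -e value for the *scan commands; '' for none.
 * @param string $slow    Non-empty enables -l for the *scan commands.
 * @param string $format  For vadwalk: 'table' (-l), 'tree' (-e) or 'DOT' (-d).
 * @param string $offset  -o value for vadinfo/vaddump/vadwalk; '' for none.
 * @param string $file    -s value for the strings command.
 * @return string Volatility output, newlines replaced by <br>, or a no-output message.
 */
function get_ram_analysis($path, $command, $start, $end, $slow, $format, $offset, $file){
    $path = sanitize($path,PARANOID);
    $command = sanitize($command,PARANOID);
    $start = sanitize($start,PARANOID);
    $end = sanitize($end,PARANOID);
    $slow = sanitize($slow,PARANOID);
    $format = sanitize($format,PARANOID);
    $offset = sanitize($offset,PARANOID);
    $file = sanitize($file,PARANOID);
    include("../config/conf.php");
    $volatility = "python $INSTALLDIR/Volatility-1.3_Beta/volatility";
    $path_arg = escapeshellarg($path);
    $cmd_arg = escapeshellarg($command);
    $session_args = '-b ' . escapeshellarg((string) $_SESSION['ram_offset']) . ' -t ' . escapeshellarg((string) $_SESSION['ram_type']);
    $offset_arg = ($offset != '') ? '-o ' . escapeshellarg($offset) : '';
    if ($command == 'ident') {
        $result = (string) shell_exec("$volatility ident -f $path_arg");
    } elseif ($command == 'connscan' || $command == 'psscan' || $command == 'sockscan' || $command == 'thrdscan') {
        $start_arg = ($start != '') ? '-s ' . escapeshellarg($start) : '';
        $end_arg = ($end != '') ? '-e ' . escapeshellarg($end) : '';
        $slow_arg = ($slow != '') ? '-l' : '';
        $result = (string) shell_exec("$volatility $cmd_arg -f $path_arg $session_args $start_arg $end_arg $slow_arg");
    } elseif ($command == 'vadinfo' || $command == 'vaddump') {
        $result = (string) shell_exec("$volatility $cmd_arg -f $path_arg $session_args $offset_arg");
    } elseif ($command == 'vadwalk') {
        $format_flags = array('table' => '-l', 'tree' => '-e', 'DOT' => '-d');
        // Unknown formats were passed through verbatim before; now they are at least quoted.
        $format_arg = isset($format_flags[$format]) ? $format_flags[$format] : (($format != '') ? escapeshellarg($format) : '');
        $result = (string) shell_exec("$volatility $cmd_arg -f $path_arg $session_args $format_arg $offset_arg");
    } elseif ($command == 'strings') {
        $result = (string) shell_exec("$volatility $cmd_arg -f $path_arg $session_args -s " . escapeshellarg($file));
    } else {
        $result = (string) shell_exec("$volatility $cmd_arg -f $path_arg $session_args");
    }
    $result = preg_replace("/\n/", "<br>", $result);
    if ($result == '') {
        $result = 'No output for this command';
    }
    return $result;
}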
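/**
 * Keyword search on a RAM dump (SRCH_STRINGS -t x | GREP).
 *
 * @param string $path    Dump path; sanitized with PARANOID.
 * @param string $string  Search term; sanitized with PARANOID and quoted for the shell.
 * @param string $regexp  'true' for grep -E, anything else for a literal search.
 * @param string $ascii   'true' searches ASCII strings.
 * @param string $unicode 'true' searches UTF-16LE strings.
 * @return string Matching lines, HTML-escaped with <br> line breaks, or a no-output message.
 */
function ram_live_search($path, $string, $regexp, $ascii, $unicode){
    $path = sanitize($path,PARANOID);
    $string = sanitize($string,PARANOID);
    $ascii = sanitize($ascii,PARANOID);
    $unicode = sanitize($unicode,PARANOID);
    include("../config/conf.php");
    $path_arg = escapeshellarg($path);
    $grep_cmd = "$grep_bin " . (($regexp == 'true') ? '-E ' : '') . escapeshellarg($string);
    // Start from '' so a unicode-only search does not append to an undefined variable.
    $result = '';
    if ($ascii == 'true') {
        $result .= (string) shell_exec("$srch_strings_bin -a -t x $path_arg | $grep_cmd");
    }
    if ($unicode == 'true') {
        $result .= (string) shell_exec("$srch_strings_bin -e l -a -t x $path_arg | $grep_cmd");
    }
    $result = preg_replace("/\n/", "<br>", htmlspecialchars($result));
    if ($result == '') {
        $result = 'No output for this command';
    }
    return $result;
}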
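/**
 * Launches timeline indexing (FLS + MACTIME piped into scripts/indx_timeline) and logs it.
 *
 * @param string $path    Image path; sanitized with PARANOID.
 * @param string $offset  '|'-separated partition offsets, or 'null' for the whole image.
 * @param string $part_id '|'-separated partition ids, parallel to $offset.
 * @param string $tz      '|'-separated time zones, parallel to $offset.
 * @return string|null "Y-m-d H:i:s" built from a 14-digit stamp in the script
 *                     output of the last partition processed, or null if none.
 */
function indx_timeline($path, $offset, $part_id, $tz){
    $path = sanitize($path,PARANOID);
    $offset = preg_replace("/[^a-z0-9\|]/", "", $offset);
    $part_id = preg_replace("/[^0-9\|]/", "", $part_id);
    $tz = preg_replace("/[^a-zA-Z0-9\/\_\-\+\|]/", "", $tz);
    include("loggerClass.php");
    include("../config/conf.php");
    include("../config/config.inc.php");
    $path_arg = escapeshellarg($path);
    // DB credentials go to the script on its command line: quote all of them (the
    // original single-quoted only the password, which breaks on an embedded quote).
    $db_args = escapeshellarg($db_host) . ' ' . escapeshellarg($db_name) . ' ' . escapeshellarg($db_user) . ' ' . escapeshellarg($db_password);
    $result = '';
    if ($offset == 'null') {
        $tz_arg = escapeshellarg($tz);
        $result = (string) shell_exec("$fls_bin -z $tz_arg -m / -r $path_arg | $mactime_bin -b - -y -m -z $tz_arg | $INSTALLDIR/scripts/indx_timeline " . escapeshellarg($part_id) . " $db_args");
    } else {
        $offsets = explode("|", $offset);
        $part_ids = explode("|", $part_id);
        $zones = explode("|", $tz);
        foreach ($offsets as $i => $o) {
            if ($o == '') {
                continue;
            }
            $tz_arg = escapeshellarg(isset($zones[$i]) ? $zones[$i] : '');
            $pid_arg = escapeshellarg(isset($part_ids[$i]) ? $part_ids[$i] : '');
            // Only the last partition's output is kept, as in the original loop.
            $result = (string) shell_exec("$fls_bin -z $tz_arg -m / -r -o " . escapeshellarg($o) . " $path_arg | $mactime_bin -b - -y -m -z $tz_arg | $INSTALLDIR/scripts/indx_timeline $pid_arg $db_args");
        }
    }
    $date = null;
    if (preg_match("/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})/", $result, $o)) {
        $date = $o[1]."-".$o[2]."-".$o[3]." ".$o[4].":".$o[5].":".$o[6];
    }
    new Log($_SESSION['ip'], $_SESSION['user'], "Timeline indexing launched on image $path");
    return $date;
}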
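/**
 * Launches file type indexing (FLS piped into scripts/indx_filetype) and logs it.
 *
 * @param string $path    Image path; sanitized with PARANOID.
 * @param string $offset  '|'-separated partition offsets, or 'null' for the whole image.
 * @param string $part_id '|'-separated partition ids, parallel to $offset.
 * @return string|null "Y-m-d H:i:s" built from a 14-digit stamp in the script
 *                     output of the last partition processed, or null if none.
 */
function indx_filetype($path, $offset, $part_id){
    $path = sanitize($path,PARANOID);
    $offset = preg_replace("/[^a-z0-9\|]/", "", $offset);
    $part_id = preg_replace("/[^0-9\|]/", "", $part_id);
    include("loggerClass.php");
    include("../config/conf.php");
    include("../config/config.inc.php");
    $path_arg = escapeshellarg($path);
    $db_args = escapeshellarg($db_host) . ' ' . escapeshellarg($db_name) . ' ' . escapeshellarg($db_user) . ' ' . escapeshellarg($db_password);
    $result = '';
    if ($offset == 'null') {
        $result = (string) shell_exec("$fls_bin -m / -r $path_arg | $INSTALLDIR/scripts/indx_filetype 0 $path_arg " . escapeshellarg($part_id) . " $db_args");
    } else {
        $offsets = explode("|", $offset);
        $part_ids = explode("|", $part_id);
        foreach ($offsets as $i => $o) {
            if ($o == '') {
                continue;
            }
            $o_arg = escapeshellarg($o);
            $pid_arg = escapeshellarg(isset($part_ids[$i]) ? $part_ids[$i] : '');
            // Only the last partition's output is kept, as in the original loop.
            $result = (string) shell_exec("$fls_bin -m / -r -o $o_arg $path_arg | $INSTALLDIR/scripts/indx_filetype $o_arg $path_arg $pid_arg $db_args");
        }
    }
    $date = null;
    if (preg_match("/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})/", $result, $o)) {
        $date = $o[1]."-".$o[2]."-".$o[3]." ".$o[4].":".$o[5].":".$o[6];
    }
    new Log($_SESSION['ip'], $_SESSION['user'], "File type indexing launched on image $path");
    return $date;
}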
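/**
 * Launches MD5 / SHA1 / keyword indexing (FLS piped into scripts/ptk_script) and logs it.
 *
 * @param string $path    Image path; sanitized with PARANOID, trailing whitespace removed.
 * @param string $offset  '|'-separated partition offsets, or 'null' for the whole image.
 * @param string $part_id '|'-separated partition ids, parallel to $offset.
 * @param string $options Option word handed to ptk_script; sanitized with PARANOID.
 * @return string|null "Y-m-d H:i:s" built from a 14-digit stamp in the script
 *                     output of the last partition processed, or null if none.
 */
function indx_multi($path, $offset, $part_id, $options){
    $path = sanitize($path,PARANOID);
    $offset = preg_replace("/[^a-z0-9\|]/", "", $offset);
    $part_id = preg_replace("/[^0-9\|]/", "", $part_id);
    $options = sanitize($options,PARANOID);
    include("loggerClass.php");
    include("../config/conf.php");
    include("../config/config.inc.php");
    $path = preg_replace("/\s+$/", "", $path);
    $path_arg = escapeshellarg($path);
    $options_arg = escapeshellarg($options);
    $db_args = escapeshellarg($db_host) . ' ' . escapeshellarg($db_name) . ' ' . escapeshellarg($db_user) . ' ' . escapeshellarg($db_password);
    $result = '';
    if ($offset == 'null') {
        $result = (string) shell_exec("$fls_bin -m / -r $path_arg | ../scripts/ptk_script 0 $path_arg " . escapeshellarg($part_id) . " $options_arg $db_args");
    } else {
        $offsets = explode("|", $offset);
        $part_ids = explode("|", $part_id);
        foreach ($offsets as $i => $o) {
            if ($o == '') {
                continue;
            }
            $o_arg = escapeshellarg($o);
            $pid_arg = escapeshellarg(isset($part_ids[$i]) ? $part_ids[$i] : '');
            // Only the last partition's output is kept, as in the original loop.
            $result = (string) shell_exec("$fls_bin -m / -r -o $o_arg $path_arg | ../scripts/ptk_script $o_arg $path_arg $pid_arg $options_arg $db_args");
        }
    }
    $date = null;
    if (preg_match("/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})/", $result, $o)) {
        $date = $o[1]."-".$o[2]."-".$o[3]." ".$o[4].":".$o[5].":".$o[6];
    }
    new Log($_SESSION['ip'], $_SESSION['user'], "Multiple indexing launched on image $path");
    return $date;
}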
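/**
 * Extracts a graphic file for a report into $INSTALLDIR/temp (ICAT) and returns its path.
 *
 * The temp file name is sha1($name . $inode), so user input never forms the path.
 *
 * @param string|int $offset Value for -o; 'null' or '0' means none.
 * @param string     $inode  File inode; 'null' or '' passes nothing.
 * @param string     $name   File name, used only to derive the temp name.
 * @param string     $path   Image path; sanitized with PARANOID.
 * @return string Path of the extracted file.
 */
function get_file_content_image_report($offset, $inode, $name, $path){
    $path = sanitize($path,PARANOID);
    $offset = sanitize($offset,INT);
    $inode = sanitize($inode,PARANOID);
    $name = sanitize($name,PARANOID);
    $name = sha1($name.$inode);
    include("../config/conf.php");
    $offset = (string) $offset;
    $offset_arg = ($offset == 'null' || $offset == '0') ? '' : '-o ' . escapeshellarg($offset);
    $inode = (string) $inode;
    $inode_arg = ($inode === 'null' || $inode === '') ? '' : escapeshellarg($inode);
    $target = "$INSTALLDIR/temp/$name";
    shell_exec("$icat_bin -r $offset_arg " . escapeshellarg($path) . " $inode_arg > " . escapeshellarg($target));
    return $target;
}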
?>