How to use the pyhindsight.utils.friendly_date function in pyhindsight

To help you get started, we’ve selected a few pyhindsight examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github obsidianforensics / hindsight / pyhindsight / analysis.py View on Github external
w.write(row_number, 18, item.server_name, gray_value_format)  # Server name
                    w.write(row_number, 19, item.location, gray_value_format)  # Cached data location // data_2 [1542523]
                    w.write(row_number, 20, item.http_headers_str, gray_value_format)  # Cached data location // data_2 [1542523]

                elif item.row_type.startswith("local storage"):
                    w.write_string(row_number, 0, item.row_type, gray_type_format)  # record_type
                    w.write(row_number, 1, friendly_date(item.timestamp), gray_date_format)  # date
                    w.write_string(row_number, 2, item.url, gray_url_format)  # URL
                    w.write_string(row_number, 3, item.name, gray_field_format)  # cookie name
                    w.write_string(row_number, 4, item.value, gray_value_format)  # cookie value
                    w.write(row_number, 5, item.interpretation, gray_value_format)  # cookie interpretation
                    w.write(row_number, 6, item.profile, gray_value_format)  # Profile

                elif item.row_type.startswith("login"):
                    w.write_string(row_number, 0, item.row_type, red_type_format)  # record_type
                    w.write(row_number, 1, friendly_date(item.timestamp), red_date_format)  # date
                    w.write_string(row_number, 2, item.url, red_url_format)  # URL
                    w.write_string(row_number, 3, item.name, red_field_format)  # form field name
                    w.write_string(row_number, 4, item.value, red_value_format)  # username or pw value
                    w.write(row_number, 6, item.profile, red_value_format)  # Profile

                elif item.row_type.startswith("preference"):
                    w.write_string(row_number, 0, item.row_type, blue_type_format)  # record_type
                    w.write(row_number, 1, friendly_date(item.timestamp), blue_date_format)  # date
                    w.write_string(row_number, 2, item.url, blue_url_format)  # URL
                    w.write_string(row_number, 3, item.name, blue_field_format)  # form field name
                    w.write_string(row_number, 4, item.value, blue_value_format)  # username or pw value
                    w.write(row_number, 5, item.interpretation, blue_value_format)  # interpretation
                    w.write(row_number, 6, item.profile, blue_value_format)  # Profile

            except Exception, e:
                log.error("Failed to write row to XLSX: {}".format(e))
github obsidianforensics / hindsight / pyhindsight / plugins / google_analytics.py View on Github external
if item.name == u'__utmc':
                m = re.search(utmc_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | [Google Analytics Cookie]'.format(m.group(1))
                    parsedItems += 1
            if item.name == u'__utmv':
                m = re.search(utmv_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | Custom Values: {} | [Google Analytics Cookie]' \
                                          .format(m.group(1), urllib.unquote_plus(m.group(2)))
                    parsedItems += 1
            if item.name == u'__utmz':
                m = re.search(utmz_re, item.value)
                if m:
                    derived = u'Domain Hash: {} | Last Visit: {} | Sessions: {} | Sources: {} | ' \
                              .format(m.group(1), friendly_date(m.group(2)), m.group(3), m.group(4))
                    parsedItems += 1
                    p = re.search(utmz_parameters_re, item.value)

                    parameters = {}
                    raw_parameters = p.group(5)[3:]  # Strip off first 'utm' so later splitting will work
                    # print(raw_parameters)

                    #Parse out cookie fields
                    for pair in raw_parameters.split(u'|utm'):               # Split the cookie on the '|' delimiter
                        # print pair
                        rp = re.search(utmz_extract_parameters_re, pair)    # Split each parameter on the first '='
                        try:
                            parameters[rp.group(1)] = rp.group(2)           # Put the parameter name and value in hash
                        except AttributeError:
                            pass
                    if u'cmd' in parameters:
github obsidianforensics / hindsight / pyhindsight / plugins / google_analytics.py View on Github external
# TODO: consider adding in extra rows for each timestamp in cookie?
                m = re.search(utma_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | Unique Visitor ID: {} | First Visit: {} | ' \
                                          u'Previous Visit: {} | Last Visit: {} | Number of Sessions: {} | ' \
                                          u'[Google Analytics Cookie]'\
                        .format(m.group(1), m.group(2), friendly_date(m.group(3)),
                                friendly_date(m.group(4)), friendly_date(m.group(5)),
                                m.group(6))
                    parsedItems += 1
            if item.name == u'__utmb':
                m = re.search(utmb_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | Pages Viewed: {} | Last Visit: {} | ' \
                                          u'[Google Analytics Cookie]' \
                                          .format(m.group(1), m.group(2), friendly_date(m.group(3)))
                    parsedItems += 1
            if item.name == u'__utmc':
                m = re.search(utmc_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | [Google Analytics Cookie]'.format(m.group(1))
                    parsedItems += 1
            if item.name == u'__utmv':
                m = re.search(utmv_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | Custom Values: {} | [Google Analytics Cookie]' \
                                          .format(m.group(1), urllib.unquote_plus(m.group(2)))
                    parsedItems += 1
            if item.name == u'__utmz':
                m = re.search(utmz_re, item.value)
                if m:
                    derived = u'Domain Hash: {} | Last Visit: {} | Sessions: {} | Sources: {} | ' \
github obsidianforensics / hindsight / pyhindsight / plugins / generic_timestamps.py View on Github external
import re
    if analysis_session is None:
        return

    timestamp_re = re.compile(r'^(1(\d{9}|\d{12}|\d{16}))$')
    ls_timestamp_re = re.compile(r'timestamp.*?(\d{10,17})')
    global parsedItems
    parsedItems = 0

    for item in analysis_session.parsed_artifacts:
        if item.row_type.startswith(artifactTypes):
            if item.interpretation is None:
                m = re.search(timestamp_re, item.value)
                ls_m = re.search(ls_timestamp_re, item.value)
                if m:
                    item.interpretation = friendly_date(int(m.group(0))) + u' [potential timestamp]'
                    parsedItems += 1
                elif ls_m:
                    item.interpretation = friendly_date(int(ls_m.group(1))) + u' [potential timestamp]'
                    parsedItems += 1

    # Description of what the plugin did
    return u"{} timestamps parsed".format(parsedItems)
github obsidianforensics / hindsight / pyhindsight / analysis.py View on Github external
c.execute("INSERT INTO timeline (type, timestamp, title, value, interpretation, profile) "
                              "VALUES (?, ?, ?, ?, ?, ?)",
                              (item.row_type, friendly_date(item.timestamp), item.name, item.value, item.interpretation, item.profile))

                elif item.row_type.startswith("download"):
                    c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile, "
                              "interrupt_reason, danger_type, opened, etag, last_modified) "
                              "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
                              (item.row_type, friendly_date(item.timestamp), item.url, item.status_friendly, item.value,
                               item.interpretation, item.profile, item.interrupt_reason_friendly, item.danger_type_friendly,
                               item.opened, item.etag, item.last_modified))

                elif item.row_type.startswith("bookmark folder"):
                    c.execute("INSERT INTO timeline (type, timestamp, title, value, interpretation, profile) "
                              "VALUES (?, ?, ?, ?, ?, ?)",
                              (item.row_type, friendly_date(item.timestamp), item.name, item.value,
                               item.interpretation, item.profile))

                elif item.row_type.startswith("bookmark"):
                    c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile) "
                              "VALUES (?, ?, ?, ?, ?, ?, ?)",
                              (item.row_type, friendly_date(item.timestamp), item.url, item.name, item.value,
                               item.interpretation, item.profile))

                elif item.row_type.startswith("cookie"):
                    c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile) "
                              "VALUES (?, ?, ?, ?, ?, ?, ?)",
                              (item.row_type, friendly_date(item.timestamp), item.url, item.name, item.value,
                               item.interpretation, item.profile))

                elif item.row_type.startswith("local storage"):
                    c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile) "
github obsidianforensics / hindsight / pyhindsight / plugins / google_analytics.py View on Github external
ga_re = re.compile(r'GA1\.\d+\.(\d+)\.(\d{10})$')

    global parsedItems
    parsedItems = 0

    for item in analysis_session.parsed_artifacts:
        if item.row_type.startswith(artifactTypes):
            if item.name == u'__utma':
                # TODO: consider adding in extra rows for each timestamp in cookie?
                m = re.search(utma_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | Unique Visitor ID: {} | First Visit: {} | ' \
                                          u'Previous Visit: {} | Last Visit: {} | Number of Sessions: {} | ' \
                                          u'[Google Analytics Cookie]'\
                        .format(m.group(1), m.group(2), friendly_date(m.group(3)),
                                friendly_date(m.group(4)), friendly_date(m.group(5)),
                                m.group(6))
                    parsedItems += 1
            if item.name == u'__utmb':
                m = re.search(utmb_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | Pages Viewed: {} | Last Visit: {} | ' \
                                          u'[Google Analytics Cookie]' \
                                          .format(m.group(1), m.group(2), friendly_date(m.group(3)))
                    parsedItems += 1
            if item.name == u'__utmc':
                m = re.search(utmc_re, item.value)
                if m:
                    item.interpretation = u'Domain Hash: {} | [Google Analytics Cookie]'.format(m.group(1))
                    parsedItems += 1
            if item.name == u'__utmv':
                m = re.search(utmv_re, item.value)
github obsidianforensics / hindsight / pyhindsight / plugins / quantcast_cookies.py View on Github external
def plugin(analysis_session=None):
    from pyhindsight.utils import friendly_date
    import re
    if analysis_session is None:
        return

    timestamp_re = re.compile(r'^(P0)-(\d+)-(\d{10,13})$')
    global parsedItems
    parsedItems = 0

    for item in analysis_session.parsed_artifacts:
        if item.row_type in artifactTypes:
            if item.name == u'__qca':
                m = re.search(timestamp_re, item.value)
                if m:
                    item.interpretation = friendly_date(int(m.group(3))) \
                                          + u' [Quantcast Cookie Timestamp]'
                    parsedItems += 1

    # Description of what the plugin did
    return u"{} cookies parsed".format(parsedItems)