Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
w.write(row_number, 18, item.server_name, gray_value_format) # Server name
w.write(row_number, 19, item.location, gray_value_format) # Cached data location // data_2 [1542523]
w.write(row_number, 20, item.http_headers_str, gray_value_format) # Cached data location // data_2 [1542523]
elif item.row_type.startswith("local storage"):
w.write_string(row_number, 0, item.row_type, gray_type_format) # record_type
w.write(row_number, 1, friendly_date(item.timestamp), gray_date_format) # date
w.write_string(row_number, 2, item.url, gray_url_format) # URL
w.write_string(row_number, 3, item.name, gray_field_format) # cookie name
w.write_string(row_number, 4, item.value, gray_value_format) # cookie value
w.write(row_number, 5, item.interpretation, gray_value_format) # cookie interpretation
w.write(row_number, 6, item.profile, gray_value_format) # Profile
elif item.row_type.startswith("login"):
w.write_string(row_number, 0, item.row_type, red_type_format) # record_type
w.write(row_number, 1, friendly_date(item.timestamp), red_date_format) # date
w.write_string(row_number, 2, item.url, red_url_format) # URL
w.write_string(row_number, 3, item.name, red_field_format) # form field name
w.write_string(row_number, 4, item.value, red_value_format) # username or pw value
w.write(row_number, 6, item.profile, red_value_format) # Profile
elif item.row_type.startswith("preference"):
w.write_string(row_number, 0, item.row_type, blue_type_format) # record_type
w.write(row_number, 1, friendly_date(item.timestamp), blue_date_format) # date
w.write_string(row_number, 2, item.url, blue_url_format) # URL
w.write_string(row_number, 3, item.name, blue_field_format) # form field name
w.write_string(row_number, 4, item.value, blue_value_format) # username or pw value
w.write(row_number, 5, item.interpretation, blue_value_format) # interpretation
w.write(row_number, 6, item.profile, blue_value_format) # Profile
except Exception, e:
log.error("Failed to write row to XLSX: {}".format(e))
if item.name == u'__utmc':
m = re.search(utmc_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | [Google Analytics Cookie]'.format(m.group(1))
parsedItems += 1
if item.name == u'__utmv':
m = re.search(utmv_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | Custom Values: {} | [Google Analytics Cookie]' \
.format(m.group(1), urllib.unquote_plus(m.group(2)))
parsedItems += 1
if item.name == u'__utmz':
m = re.search(utmz_re, item.value)
if m:
derived = u'Domain Hash: {} | Last Visit: {} | Sessions: {} | Sources: {} | ' \
.format(m.group(1), friendly_date(m.group(2)), m.group(3), m.group(4))
parsedItems += 1
p = re.search(utmz_parameters_re, item.value)
parameters = {}
raw_parameters = p.group(5)[3:] # Strip off first 'utm' so later splitting will work
# print(raw_parameters)
#Parse out cookie fields
for pair in raw_parameters.split(u'|utm'): # Split the cookie on the '|' delimiter
# print pair
rp = re.search(utmz_extract_parameters_re, pair) # Split each parameter on the first '='
try:
parameters[rp.group(1)] = rp.group(2) # Put the parameter name and value in hash
except AttributeError:
pass
if u'cmd' in parameters:
# TODO: consider adding in extra rows for each timestamp in cookie?
m = re.search(utma_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | Unique Visitor ID: {} | First Visit: {} | ' \
u'Previous Visit: {} | Last Visit: {} | Number of Sessions: {} | ' \
u'[Google Analytics Cookie]'\
.format(m.group(1), m.group(2), friendly_date(m.group(3)),
friendly_date(m.group(4)), friendly_date(m.group(5)),
m.group(6))
parsedItems += 1
if item.name == u'__utmb':
m = re.search(utmb_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | Pages Viewed: {} | Last Visit: {} | ' \
u'[Google Analytics Cookie]' \
.format(m.group(1), m.group(2), friendly_date(m.group(3)))
parsedItems += 1
if item.name == u'__utmc':
m = re.search(utmc_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | [Google Analytics Cookie]'.format(m.group(1))
parsedItems += 1
if item.name == u'__utmv':
m = re.search(utmv_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | Custom Values: {} | [Google Analytics Cookie]' \
.format(m.group(1), urllib.unquote_plus(m.group(2)))
parsedItems += 1
if item.name == u'__utmz':
m = re.search(utmz_re, item.value)
if m:
derived = u'Domain Hash: {} | Last Visit: {} | Sessions: {} | Sources: {} | ' \
import re
if analysis_session is None:
return
timestamp_re = re.compile(r'^(1(\d{9}|\d{12}|\d{16}))$')
ls_timestamp_re = re.compile(r'timestamp.*?(\d{10,17})')
global parsedItems
parsedItems = 0
for item in analysis_session.parsed_artifacts:
if item.row_type.startswith(artifactTypes):
if item.interpretation is None:
m = re.search(timestamp_re, item.value)
ls_m = re.search(ls_timestamp_re, item.value)
if m:
item.interpretation = friendly_date(int(m.group(0))) + u' [potential timestamp]'
parsedItems += 1
elif ls_m:
item.interpretation = friendly_date(int(ls_m.group(1))) + u' [potential timestamp]'
parsedItems += 1
# Description of what the plugin did
return u"{} timestamps parsed".format(parsedItems)
c.execute("INSERT INTO timeline (type, timestamp, title, value, interpretation, profile) "
"VALUES (?, ?, ?, ?, ?, ?)",
(item.row_type, friendly_date(item.timestamp), item.name, item.value, item.interpretation, item.profile))
elif item.row_type.startswith("download"):
c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile, "
"interrupt_reason, danger_type, opened, etag, last_modified) "
"VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
(item.row_type, friendly_date(item.timestamp), item.url, item.status_friendly, item.value,
item.interpretation, item.profile, item.interrupt_reason_friendly, item.danger_type_friendly,
item.opened, item.etag, item.last_modified))
elif item.row_type.startswith("bookmark folder"):
c.execute("INSERT INTO timeline (type, timestamp, title, value, interpretation, profile) "
"VALUES (?, ?, ?, ?, ?, ?)",
(item.row_type, friendly_date(item.timestamp), item.name, item.value,
item.interpretation, item.profile))
elif item.row_type.startswith("bookmark"):
c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile) "
"VALUES (?, ?, ?, ?, ?, ?, ?)",
(item.row_type, friendly_date(item.timestamp), item.url, item.name, item.value,
item.interpretation, item.profile))
elif item.row_type.startswith("cookie"):
c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile) "
"VALUES (?, ?, ?, ?, ?, ?, ?)",
(item.row_type, friendly_date(item.timestamp), item.url, item.name, item.value,
item.interpretation, item.profile))
elif item.row_type.startswith("local storage"):
c.execute("INSERT INTO timeline (type, timestamp, url, title, value, interpretation, profile) "
ga_re = re.compile(r'GA1\.\d+\.(\d+)\.(\d{10})$')
global parsedItems
parsedItems = 0
for item in analysis_session.parsed_artifacts:
if item.row_type.startswith(artifactTypes):
if item.name == u'__utma':
# TODO: consider adding in extra rows for each timestamp in cookie?
m = re.search(utma_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | Unique Visitor ID: {} | First Visit: {} | ' \
u'Previous Visit: {} | Last Visit: {} | Number of Sessions: {} | ' \
u'[Google Analytics Cookie]'\
.format(m.group(1), m.group(2), friendly_date(m.group(3)),
friendly_date(m.group(4)), friendly_date(m.group(5)),
m.group(6))
parsedItems += 1
if item.name == u'__utmb':
m = re.search(utmb_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | Pages Viewed: {} | Last Visit: {} | ' \
u'[Google Analytics Cookie]' \
.format(m.group(1), m.group(2), friendly_date(m.group(3)))
parsedItems += 1
if item.name == u'__utmc':
m = re.search(utmc_re, item.value)
if m:
item.interpretation = u'Domain Hash: {} | [Google Analytics Cookie]'.format(m.group(1))
parsedItems += 1
if item.name == u'__utmv':
m = re.search(utmv_re, item.value)
def plugin(analysis_session=None):
from pyhindsight.utils import friendly_date
import re
if analysis_session is None:
return
timestamp_re = re.compile(r'^(P0)-(\d+)-(\d{10,13})$')
global parsedItems
parsedItems = 0
for item in analysis_session.parsed_artifacts:
if item.row_type in artifactTypes:
if item.name == u'__qca':
m = re.search(timestamp_re, item.value)
if m:
item.interpretation = friendly_date(int(m.group(3))) \
+ u' [Quantcast Cookie Timestamp]'
parsedItems += 1
# Description of what the plugin did
return u"{} cookies parsed".format(parsedItems)