How to use the turbinia.evidence module in turbinia

To help you get started, we’ve selected a few turbinia examples, based on popular ways it is used in public projects.


github google / turbinia / tests / evidence.py View on Github external
def testEvidenceSerializationNoTypeAttribute(self):
    """Check that evidence_decode rejects a dict that carries no type attribute.

    The decoder is expected to raise TurbiniaException for such input rather
    than return normally.
    """
    # Arbitrary mapping with no type information in it.
    untyped_payload = {1: 2, 3: 4}
    with self.assertRaises(TurbiniaException):
        evidence.evidence_decode(untyped_payload)
github google / turbinia / turbinia / turbiniactl.py View on Github external
name=args.name, source_path=source_path, source=args.source)
  elif args.command == 'compressedirectory':
    archive.ValidateTarFile(args.source_path)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.CompressedDirectory(
        name=args.name, source_path=source_path, source=args.source)
  elif args.command == 'googleclouddisk':
    args.name = args.name if args.name else args.disk_name
    evidence_ = evidence.GoogleCloudDisk(
        name=args.name, disk_name=args.disk_name, project=args.project,
        mount_partition=args.mount_partition, zone=args.zone,
        source=args.source)
  elif args.command == 'googleclouddiskembedded':
    args.name = args.name if args.name else args.disk_name
    parent_evidence_ = evidence.GoogleCloudDisk(
        name=args.name, disk_name=args.disk_name, project=args.project,
        mount_partition=args.mount_partition, zone=args.zone,
        source=args.source)
    evidence_ = evidence.GoogleCloudDiskRawEmbedded(
        name=args.name, disk_name=args.disk_name, project=args.project,
        mount_partition=args.mount_partition, zone=args.zone,
        embedded_path=args.embedded_path,
        embedded_partition=args.embedded_mount_partition)
    evidence_.parent_evidence = parent_evidence_
  elif args.command == 'hindsight':
    if args.format not in ['xlsx', 'sqlite', 'jsonl']:
      log.error('Invalid output format.')
      sys.exit(1)
    if args.browser_type not in ['Chrome', 'Brave']:
      log.error('Browser type not supported.')
      sys.exit(1)
github google / turbinia / turbinia / turbiniactl.py View on Github external
if args.project and args.project != config.TURBINIA_PROJECT:
      new_disk = libcloudforensics.create_disk_copy(
          args.project, config.TURBINIA_PROJECT, None, config.TURBINIA_ZONE,
          args.disk_name)
      args.disk_name = new_disk.name
      if args.copy_only:
        log.info('--copy_only specified, so not processing with Turbinia')
        sys.exit(0)

  # Start Evidence configuration
  evidence_ = None
  if args.command == 'rawdisk':
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.RawDisk(
        name=args.name, source_path=source_path,
        mount_partition=args.mount_partition, source=args.source)
  elif args.command == 'apfs':
    if not args.password and not args.recovery_key:
      log.error('Neither recovery key nor password is specified.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.APFSEncryptedDisk(
        name=args.name, source_path=source_path, recovery_key=args.recovery_key,
        password=args.password, source=args.source)
  elif args.command == 'bitlocker':
    if not args.password and not args.recovery_key:
      log.error('Neither recovery key nor password is specified.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
github google / turbinia / turbinia / turbiniactl.py View on Github external
evidence_ = evidence.GoogleCloudDiskRawEmbedded(
        name=args.name, disk_name=args.disk_name, project=args.project,
        mount_partition=args.mount_partition, zone=args.zone,
        embedded_path=args.embedded_path,
        embedded_partition=args.embedded_mount_partition)
    evidence_.parent_evidence = parent_evidence_
  elif args.command == 'hindsight':
    if args.format not in ['xlsx', 'sqlite', 'jsonl']:
      log.error('Invalid output format.')
      sys.exit(1)
    if args.browser_type not in ['Chrome', 'Brave']:
      log.error('Browser type not supported.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.ChromiumProfile(
        name=args.name, source_path=source_path, output_format=args.format,
        browser_type=args.browser_type)
  elif args.command == 'rawmemory':
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.RawMemory(
        name=args.name, source_path=source_path, profile=args.profile,
        module_list=args.module_list)
  elif args.command == 'psqworker':
    # Set up root logger level which is normally set by the psqworker command
    # which we are bypassing.
    logger.setup()
    worker = TurbiniaPsqWorker(
        jobs_blacklist=args.jobs_blacklist, jobs_whitelist=args.jobs_whitelist)
    worker.start()
  elif args.command == 'celeryworker':
github google / turbinia / turbinia / turbiniactl.py View on Github external
# Start Evidence configuration
  # Build the Evidence object for the requested subcommand. evidence_ remains
  # None when args.command matches none of the branches visible in this chain.
  evidence_ = None
  if args.command == 'rawdisk':
    # Fall back to the source path as the evidence name when none was given.
    args.name = args.name if args.name else args.source_path
    # abspath() only normalises against the current working directory; it does
    # not resolve symlinks or check that the path exists.
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.RawDisk(
        name=args.name, source_path=source_path,
        mount_partition=args.mount_partition, source=args.source)
  elif args.command == 'apfs':
    # At least one unlock credential is required. The check is on truthiness,
    # so an empty string counts as missing. Exits with status 1 otherwise.
    if not args.password and not args.recovery_key:
      log.error('Neither recovery key nor password is specified.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    # NOTE(review): password and recovery_key are read from the parsed
    # arguments and handed to the APFSEncryptedDisk constructor. If they arrive
    # as command-line flags they are exposed to process listings and shell
    # history, and how the evidence object is later serialised or logged is not
    # visible here -- confirm both.
    evidence_ = evidence.APFSEncryptedDisk(
        name=args.name, source_path=source_path, recovery_key=args.recovery_key,
        password=args.password, source=args.source)
  elif args.command == 'bitlocker':
    # Same credential requirement as the apfs branch: a password or a recovery
    # key must be present, otherwise log the error and exit with status 1.
    if not args.password and not args.recovery_key:
      log.error('Neither recovery key nor password is specified.')
      sys.exit(1)
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    # NOTE(review): the credential-exposure caveat from the apfs branch applies
    # to the BitLocker password and recovery key as well -- confirm.
    evidence_ = evidence.BitlockerDisk(
        name=args.name, source_path=source_path, recovery_key=args.recovery_key,
        password=args.password, source=args.source)
  elif args.command == 'directory':
    # Directory evidence is built from name, absolute path and source only; no
    # partition or credential arguments are passed.
    args.name = args.name if args.name else args.source_path
    source_path = os.path.abspath(args.source_path)
    evidence_ = evidence.Directory(
        name=args.name, source_path=source_path, source=args.source)
github google / turbinia / turbinia / task_manager.py View on Github external
"""Generates the Tasks to finalize the given request ID.

    Args:
      job (TurbiniaJob): The last Job that was run for this request.
    """
    request_id = job.request_id
    final_job = jobs_manager.JobsManager.GetJobInstance('FinalizeRequestJob')
    final_job.request_id = request_id
    final_job.evidence.config = job.evidence.config
    log.debug(
        'Request {0:s} done, but not finalized, creating FinalizeRequestJob '
        '{1:s}'.format(request_id, final_job.id))

    # Finalize tasks use EvidenceCollection with all evidence created by the
    # request or job.
    final_evidence = evidence.EvidenceCollection()
    final_evidence.request_id = request_id
    self.running_jobs.append(final_job)

    # Gather evidence created by every Job in the request.
    for running_job in self.running_jobs:
      if running_job.request_id == request_id:
        final_evidence.collection.extend(running_job.evidence.collection)

    for finalize_task in final_job.create_tasks([final_evidence]):
      self.add_task(finalize_task, final_job, final_evidence)