crowdstrike / automactc
AutoMacTC: Automated Mac Forensic Triage Collector
License: Other
automactc : ERROR mod_chrome_v102 failed: ['Traceback (most recent call last):\n File "../automactc.py", line 351, in modExec\n import_module(modImport)\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/__init__.py", line 37, in import_module\n __import__(name)\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 298, in <module>\n module(chrome_location)\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 282, in module\n pull_visit_history(history_db, user, profile, urls_output, urls_headers)\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 114, in pull_visit_history\n u_cnames = get_column_headers(history_db, 'urls')\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 53, in get_column_headers\n col_headers = sqlite3.connect(db).cursor().execute('SELECT * from {0}'.format(column))\nOperationalError: no such table: urls\n']
Hello,
We are attempting to use automactc through crowdstrike remotely and it works really well.
However, we are running into a problem when automactc attempts to parse the Chrome databases while the user has Chrome open.
For the currently logged-in user we run into the following errors:
functions[78819] - DEBUG - error accessing database /Users/currentlyloggeduser/Library/Application Support/Google/Chrome/Default/History: database is locked
chrome[78819] - DEBUG - Visit History required table 'visits' not found
functions[78819] - DEBUG - error accessing database /Users/currentlyloggeduser/Library/Application Support/Google/Chrome/Default/History: database is locked
chrome[78819] - DEBUG - Download History required table 'downloads' not found.
I assume it is because it is attempting to access those files directly for parsing. Would copying the history file temporarily, parsing the copied file and removing it afterwards fix that issue, or is there another way?
Thanks,
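The approach asked about above (snapshot the locked database, parse the copy, discard it) is workable, and it also gives a natural place to check for the tables a parser needs before querying them, which is what the `no such table` / `required table not found` errors come down to. The following is an added example, not automactc's own code, written for Python 3 rather than the 2.7 the project ran on at the time. The `build_sample_history` schema is a constructed stand-in with only the columns the query touches, not Chrome's full History schema, and `demo` simulates a running browser by taking an exclusive SQLite lock in-process.

```python
import datetime
import os
import shutil
import sqlite3
import tempfile

# Files SQLite may keep beside a database; a consistent snapshot must carry them along.
SIDECAR_SUFFIXES = ("-journal", "-wal", "-shm")

# Tables the visit-history query below needs. Missing tables are reported, not raised.
VISIT_TABLES = ("urls", "visits")


def snapshot_database(db_path, dest_dir):
    """Copy a SQLite database plus any sidecar files into dest_dir; return the copy's path.

    shutil.copy2 uses ordinary read() calls, which SQLite's advisory file locks do not
    block, so the copy succeeds while the browser still holds its lock on the original.
    """
    dest = os.path.join(dest_dir, os.path.basename(db_path))
    shutil.copy2(db_path, dest)
    for suffix in SIDECAR_SUFFIXES:
        if os.path.exists(db_path + suffix):
            shutil.copy2(db_path + suffix, dest + suffix)
    return dest


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {name for (name,) in rows}


def webkit_to_iso(value):
    """Chrome stores visit_time as microseconds since 1601-01-01 UTC (WebKit epoch)."""
    return (datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=value)).isoformat()


def read_visit_history(db_path):
    """Parse visit history from a temporary snapshot; return (rows, missing_tables)."""
    with tempfile.TemporaryDirectory() as tmp:          # the copy is deleted on exit
        copy_path = snapshot_database(db_path, tmp)
        # Open the copy read-write on purpose: it is disposable, and a normal open lets
        # SQLite roll back a hot journal or apply WAL frames left behind by the live browser.
        conn = sqlite3.connect(copy_path)
        try:
            missing = [t for t in VISIT_TABLES if t not in table_names(conn)]
            if missing:
                return [], missing
            rows = conn.execute(
                "SELECT urls.url, urls.title, visits.visit_time "
                "FROM visits JOIN urls ON visits.url = urls.id "
                "ORDER BY visits.visit_time"
            ).fetchall()
            return [(url, title, webkit_to_iso(ts)) for url, title, ts in rows], []
        finally:
            conn.close()


def build_sample_history(path, with_visits=True):
    """Constructed stand-in for a Chrome History file (minimal columns, not Chrome's schema)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://example.com/", "Example Domain"),
        (2, "https://example.org/login", "Przykładowa strona"),
    ])
    if with_visits:
        conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER)")
        conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
            (1, 1, 13264000000000000), (2, 2, 13264000060000000), (3, 1, 13264000120000000),
        ])
    conn.commit()
    conn.close()


def demo():
    """Hold an exclusive lock like a running browser, then compare direct vs snapshot access."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "History")
        build_sample_history(live)
        holder = sqlite3.connect(live)
        holder.execute("BEGIN EXCLUSIVE")              # blocks every other reader
        direct = sqlite3.connect(live, timeout=0)      # no busy wait: fail immediately
        try:
            direct.execute("SELECT count(*) FROM urls").fetchone()
            direct_error = None
        except sqlite3.OperationalError as exc:
            direct_error = str(exc)                    # "database is locked"
        finally:
            direct.close()
        rows, missing = read_visit_history(live)       # succeeds despite the lock
        holder.rollback()
        holder.close()

        broken = os.path.join(tmp, "History-no-visits")
        build_sample_history(broken, with_visits=False)
        _, missing_broken = read_visit_history(broken)
        return direct_error, rows, missing, missing_broken


if __name__ == "__main__":
    print(demo())
```

On a real endpoint the snapshot should be taken with the same care as any other evidence copy: record the hash of the original file alongside the parsed output, and copy the `-wal` file when present, since recently visited URLs may exist only there until Chrome checkpoints.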
I don't believe all of the modules actually require root (sudo), yet the script will exit immediately if not executed as root.
foo, bar, etc. modules will be skipped when executed as a non-root user.

macOS High Sierra migrated Login Items (some of which are exposed in the Users & Groups preferences UI) to a new location/format as described in the Objective-See blog:
2018-07-23 https://objective-see.org/blog/blog_0x31.html
automactc supports the older file (com.apple.loginitems.plist), but not this new jazz.
The location of this data is ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.
The file is still a binary plist, although it has also undergone a change in that data is stored in Apple's "Bookmark" format. It seems that bookmark.py may implement a parser for this. Alternatively, this project also implements a parser for the file.
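Until a full Bookmark-format parser is wired in, a triage module can still surface what the file registers: load the binary plist with `plistlib`, find the data blobs that carry the bookmark magic, and pull printable strings (paths, bundle identifiers) out of them. The block below is an added example, not automactc's code. The only thing it relies on about the format is that bookmark data begins with the ASCII magic `book` (alias records with `alis`); the sample plist in `build_sample_btm` is constructed, its key names are invented, and the blob interior after the magic is filler rather than Apple's real layout.

```python
import plistlib
import re

# Bookmark data starts with the magic "book"; classic alias records start with "alis".
BOOKMARK_MAGICS = (b"book", b"alis")

# Runs of four or more printable ASCII bytes, the same heuristic the `strings` tool uses.
_PRINTABLE_RUN = re.compile(rb"[ -~]{4,}")


def iter_data_blobs(node, key_path="$"):
    """Yield (key_path, blob) for every bytes value in a decoded plist, depth first."""
    if isinstance(node, (bytes, bytearray)):
        yield key_path, bytes(node)
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_data_blobs(value, "%s.%s" % (key_path, key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_data_blobs(value, "%s[%d]" % (key_path, index))


def triage_bookmark_blobs(raw_plist):
    """Locate bookmark-format blobs in a binary plist and extract printable strings from them.

    Returns one dict per blob: where it sits in the plist, its magic, its length and the
    ASCII strings inside it. Blobs with any other prefix (icons, hashes) are ignored.
    """
    plist = plistlib.loads(raw_plist)
    findings = []
    for key_path, blob in iter_data_blobs(plist):
        if blob[:4] not in BOOKMARK_MAGICS:
            continue
        strings = [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]
        findings.append({
            "key_path": key_path,
            "magic": blob[:4].decode("ascii"),
            "size": len(blob),
            "strings": strings,
        })
    return findings


def build_sample_btm():
    """Constructed stand-in for backgrounditems.btm.

    Only the 4-byte magic is real; the key names and everything after the magic are
    filler chosen to look like a registered login item, not Apple's actual layout.
    """
    fake_bookmark = (
        b"book" + b"\x00\x00\x00\x00" + b"mark" + b"\x00" * 8
        + b"Applications\x00Evil Helper.app\x00Contents\x00MacOS\x00evilhelper\x00"
        + b"com.example.evilhelper\x00"
    )
    plist = {
        "items": [
            {"name": "Evil Helper", "bookmark": fake_bookmark},
            {"name": "icon-only", "icon": b"\x89PNG\r\n\x1a\n"},   # not bookmark data
        ],
    }
    return plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for finding in triage_bookmark_blobs(build_sample_btm()):
        print(finding["key_path"], finding["magic"], finding["size"], finding["strings"])
```

The string heuristic is deliberately crude: it will also pick up the magics themselves and any printable filler, so treat the output as a pointer to where the real parser needs to look, not as a parsed record.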
automactc : ERROR mod_firefox_v102 failed: ['Traceback (most recent call last):\n File "automactc.py", line 351, in modExec\n import_module(modImport)\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/__init__.py", line 37, in import_module\n __import__(name)\n File "/Users/PATH_TO/automactc/modules/mod_firefox_v102.py", line 241, in <module>\n module(firefox_location)\n File "/Users/PATH_TO/automactc/modules/mod_firefox_v102.py", line 215, in module\n get_firefox_version(c)\n File "/Users/PATH_TO/automactc/modules/mod_firefox_v102.py", line 56, in get_firefox_version\n ver = config.get('Compatibility','lastversion')\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 607, in get\n raise NoSectionError(section)\nNoSectionError: No section: 'Compatibility'\n']
nitpick:
If this is meant to be deployed to remote endpoints, it would be nice to have 0 external dependencies, or at least a list of possible dependencies outside of the base Python 2.7 libs.
Noticed a couple of errors:
automactc : ERROR mod_syslog_v100 failed: ['Traceback (most recent call last):\n File "automactc.py", line 299, in modExec\n import_module(modImport)\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/__init__.py", line 37, in import_module\n __import__(name)\n File "/Users/user/automactc/modules/mod_syslog_v100.py", line 119, in <module>\n module()\n File "/Users/user/automactc/modules/mod_syslog_v100.py", line 112, in module\n syslog_parse(c_syslog, go_syslog, headers, output)\n File "/Users/user/automactc/modules/mod_syslog_v100.py", line 86, in syslog_parse\n record['timestamp'] = str(m.group('month') + " " + m.group('day') + " " + m.group('time'))\nAttributeError: 'NoneType' object has no attribute 'group'\n']
safari : ERROR Module fatal error: necessary table doesn't exist in database.
Sorry, but what does the following message mean? Thanks!
/Users/user/.ssh/authorized_keys is not a public key file.
Hi,
I encountered some issues with automactc when dealing with Unicode data in browser history. For instance, in the runtime logs:
2021-05-00T00:00:00+0000 - browser_safari_history[46558] - DEBUG - Could not write line [SKIPPED] | ['Traceback (most recent call last):\n File "automactc.py", line 300, in write_entry\n writer.writerow(data)\nUnicodeEncodeError: \'ascii\' codec can\'t encode character u\'\\u0142\' in position 2: ordinal not in range(128)\n']
The problem seems to happen with browser_safari_history, browser_chrome_downloads and browser_chrome_history when there is a Unicode character in a page title or in a filename. I am not familiar with the automactc code base, but if plugins can return data with Unicode characters in it, it makes sense that the CSV writer would fail here. There is an attempt to fix that at L293 to L299 that was commented out.
Is there a guide that outlines making contributions to automactc? I'd be happy to open a pull request, but I did not see anything to onboard new contributors.
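The failure above is the classic Python 2 `csv` problem: the writer encodes with the default ASCII codec, so the first title containing a character such as `ł` (U+0142) raises and the record is logged as skipped. The added example below, not automactc's code, reproduces the failure for a given encoding and shows the behaviour a forensic writer should have instead: encode as UTF-8 (which represents anything the browser stored), and if a narrower encoding is ever forced, escape the offending characters and count them rather than dropping the row. It runs on Python 3; the sample rows are constructed.

```python
import csv
import io

HEADERS = ("visit_time", "url", "title")

# Constructed rows shaped like browser-history output; two titles carry characters
# outside ASCII (ł, ż, ó, ć), as a Polish-language page title or download name would.
SAMPLE_ROWS = [
    ("2021-05-01 10:00:00", "https://example.org/", "Przykład"),
    ("2021-05-01 10:05:00", "https://example.org/pobierz", "plik_żółć.pdf"),
    ("2021-05-01 10:06:00", "https://example.com/", "Plain ASCII title"),
]


def csv_line(row):
    """Render one row exactly as csv.writer would (quoting rules, CRLF terminator)."""
    line = io.StringIO(newline="")
    csv.writer(line).writerow(row)
    return line.getvalue()


def probe_strict(rows, encoding):
    """Return the message a strict writer raises for this encoding, or None if all rows fit."""
    try:
        for row in (HEADERS, *rows):
            csv_line(row).encode(encoding)
    except UnicodeEncodeError as exc:
        return str(exc)
    return None


def write_history_csv(rows, encoding="utf-8"):
    """Serialise rows and return (csv_bytes, degraded_row_count).

    Every row is written. With UTF-8 nothing is degraded; if a caller insists on a
    narrower encoding, rows it cannot represent are written with backslash escapes
    and counted, instead of being skipped silently and leaving a hole in the timeline.
    """
    out = bytearray()
    degraded = 0
    for row in (HEADERS, *rows):
        text = csv_line(row)
        try:
            out += text.encode(encoding)
        except UnicodeEncodeError:
            out += text.encode(encoding, "backslashreplace")
            degraded += 1
    return bytes(out), degraded


if __name__ == "__main__":
    print(probe_strict(SAMPLE_ROWS, "ascii"))
    data, degraded = write_history_csv(SAMPLE_ROWS)
    print(degraded, data.decode("utf-8"))
```

Writing the output file with `open(path, "w", encoding="utf-8", newline="")` gives the same result in a real module; the point of the byte-level version is that it makes the degraded-row count visible so it can be logged next to the output.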