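##
## The Sleuth Kit
##
## Brian Carrier [carrier <at> sleuthkit [dot] org]
## Copyright (c) 2003-2008 Brian Carrier.  All rights reserved
##
## TASK
## Copyright (c) 2002-2003 Brian Carrier, @stake Inc.  All rights reserved
##
## This software is distributed under the Common Public License 1.0
##

use strict;
use integer;    # every arithmetic operator in this script works on integers

# NOTE(review): $DATA_DIR, $BIN_DIR and $VER are not declared anywhere in
# this file.  Presumably the build step that turns sorter.base into the
# installed 'sorter' script prepends them -- confirm against the Makefile
# before trying to run this file on its own.  There is also no
# 'use warnings'; enabling it would need the rest of the file checked for
# uninitialized-value noise first.

# Paths of the Sleuth Kit tools this script drives, and of the external
# hashing / file-typing tools (filled in by find_file / find_md5 / find_sha1).
my $SHARE_DIR  = "$DATA_DIR/tsk3/sorter/";
my $SK_FLS     = "${BIN_DIR}/fls";
my $SK_ICAT    = "${BIN_DIR}/icat";
my $SK_HFIND   = "${BIN_DIR}/hfind";
my $SK_FSSTAT  = "${BIN_DIR}/fsstat";
my $SK_IMGSTAT = "${BIN_DIR}/img_stat";
my $SK_FILE    = "";
my $SK_MD5     = "";
my $SK_SHA1    = "";

# Names of the built-in output categories.
my $MIS_NAME        = "mismatch";
my $UNK_NAME        = "unknown";
my $ALERT_NAME      = "alert";
my $EXCLUDE_NAME    = "exclude";
my $EXCLUDEMIS_NAME = "mismatch_exclude";
my $IGNORE_NAME     = "ignore";

# Formats for regular expressions (date/time stamps as printed by the tools).
my $REG_DAY   = '\d\d\d\d\-\d\d\-\d\d';
my $REG_TIME  = '\d\d:\d\d:\d\d';
my $REG_ZONE2 = '\([\w\+\- ]*\)';
my $REG_DATE  = "$REG_DAY" . '\s+' . "$REG_TIME" . '\s+' . "$REG_ZONE2";

my $SUMMARY_NAME = "sorter.sum";

# CONSTANTS
my $DEL_ALLOC = 0;    # Allocated File
my $DEL_DEL   = 1;    # Deleted File

# Text / HTML CONSTANTS -- the '-h' option swaps these for HTML equivalents.
my $NL  = "\n";
my $TAB = ' ';
my $EXT = '.txt';
my $BUL = "- ";

my $IMG_PAGE = 100;

# Globals -- running counters reported in the summary.
my $alloc_cnt   = 0;    # Number of allocated files processed
my $dirskip_cnt = 0;    # Files skipped because dir or null size
my $ignore_cnt  = 0;    # Files skipped bc in ignore category
my $alert_cnt   = 0;    # number of files flagged by hash
my $excl_cnt    = 0;    # number of files skipped bc known good
my $mis_cnt     = 0;    # number of mismatch files
my $exclmis_cnt = 0;    # known good file with extension mismatch
my $img_cnt     = 0;    # number of images

# Print the command-line synopsis and exit with status 1.  Never returns.
sub usage {
    print <<EOF;
sorter [-b size] [-E] [-e] [-h] [-l] [-md5] [-s] [-sha1] [-U] [-v] [-V] [-a hash_alert] [-c config] [-C config] [-d dir] [-m mnt] [-n nsrl_db] [-x hash_exclude] [-o imgoffset] [-f fstype] [-i imgtype] image [images] [dir_meta_addr]
    -b size: Minimum size.  Ignore files smaller than 'size'
    -E: Perform category indexing only (no extension checks - was '-i')
    -e: Perform extension checks only (no category index files)
    -h: HTML Format
    -l: List index to STDOUT (no files are ever written)
    -md5: Print the MD5 value with the index output
    -s: Save files to category directories
    -sha1: Print the SHA-1 value with the index output
    -U: Ignore the unknown category - only save catgories in config files
    -v: verbose debugging output
    -V: print version information
    -a hash_alert: hash database of hashes to alert on
    -c config: specify a config file to use (in addition to default files)
        NOTE: This config file has priority over default files
    -C config: specify the ONLY config file to use
    -d dir: Save category index files in the specified directory
    -f fstype: file system type (Sleuth Kit types) of image
    -i imgtype: Format of image file
    -o imgoffset: Offset of file system in image (in sectors)
    -m mnt: The mounting point of the image
    -n nsrl_db: The NIST NSRL database file (NSRLFile.txt) (hashes to ignore)
    -x hash_exclude: hash database of hashes to ignore
    dir_meta_addr: Address of directory to start analyzing from
    image: image to analyze
EOF
    exit(1);
}

# Print the Sleuth Kit version string ($VER is supplied outside this file).
sub version {
    print "The Sleuth Kit ver $VER\n";
}

# Directories searched, in this order, for the external helper tools.
my @s_dirs = (
    "/usr/local/bin/", "/usr/local/sbin/",
    "/usr/bin/",       "/usr/sbin/",
    "/bin/",           "/sbin/"
);

# Return the full path of the first executable found when each candidate
# name is tried against every directory in @s_dirs (all directories for the
# first name before moving on to the next name), or "" when none exists.
sub _find_tool {
    my (@names) = @_;
    for my $name (@names) {
        for my $d (@s_dirs) {
            my $path = "${d}$name";
            return $path if -x $path;
        }
    }
    return "";
}

# Locate the 'file' tool into $SK_FILE; exits with status 1 if it is missing.
sub find_file {
    $SK_FILE = _find_tool("file");
    return if $SK_FILE ne "";
    print "File tool not found\n";
    exit(1);
}

# Locate 'md5' (preferred) or 'md5sum' into $SK_MD5; exits if neither exists.
sub find_md5 {
    $SK_MD5 = _find_tool("md5", "md5sum");
    return if $SK_MD5 ne "";
    print "md5 or md5sum tool not found\n";
    exit(1);
}

# Locate 'sha1' (preferred) or 'sha1sum' into $SK_SHA1; exits if neither exists.
sub find_sha1 {
    $SK_SHA1 = _find_tool("sha1", "sha1sum");
    return if $SK_SHA1 ne "";
    print "sha1 or sha1sum tool not found\n";
    exit(1);
}

# Globals -- category / extension tables loaded from the config files.
my %file_to_cat;
my @cat_order;
my %file_to_ext = (NOT_USED => [","]);
my @ext_order;
my %cat_handle;
my %output_used;

# Argument variables
my $HTML        = 0;
my $LIST        = 0;
my $SAVE        = 0;
my $VERBOSE     = 0;
my $DO_MD5      = 0;
my $DO_SHA1     = 0;
my $ALL_CONFIGS = 1;
my $DO_INDEX    = 1;    # create index files by category
my $DO_UNKNOWN  = 1;    # Process the files that are unknown
my $DO_EXT      = 1;    # Do extension mismatch analysis
my $MIN_SIZE    = 0;
my $CONFIG      = "";
my $DIR         = "";
my $FSTYPE      = "";
my $IMGTYPE     = "";
my $IMGOFF      = 0;
my $NSRL        = "";
my $PLATFORM    = "";
my $ALERT_DB    = "";
my $EXCLUDE_DB  = "";
my $img_shrt;
my $TEMP_FILE;
my $img_str = "";
my $MNT     = "";

# Drop the current option from @ARGV and return the value that follows it.
# When no value is present, print $missing_msg and exit through usage().
sub _option_value {
    my ($missing_msg) = @_;
    shift(@ARGV);
    if (!defined $ARGV[0]) {
        print $missing_msg;
        usage();
    }
    return $ARGV[0];
}

# Values that are assembled here as command-line fragments ("-f ...",
# "-i ...") for the Sleuth Kit tools are limited to the characters TSK type
# names use, so a shell metacharacter passed on our own command line cannot
# ride along into those invocations.  NOTE(review): the invocation sites are
# outside this part of the file -- confirm how they build the command before
# relaxing this.
my $TYPE_NAME_RE = qr/\A[\w\-]+\z/;

usage() if (scalar @ARGV == 0);

# Read the arguments.  The @ARGV guard stops the loop cleanly once the
# options are exhausted instead of matching against an undefined value.
while (@ARGV and (my $opt = $ARGV[0]) =~ /^-./) {

    # Alert hash database
    if ($opt eq '-a') {
        $ALERT_DB = _option_value("-a requires hash database argument\n");
        unless (-e "$ALERT_DB") {
            print "Alert hash database $ALERT_DB does not exist\n";
            usage();
        }
        $DO_MD5 = 1;
    }

    # XXX: $MIN_SIZE is currently not used
    elsif ($opt eq '-b') {
        $MIN_SIZE = _option_value("-b requires a size\n");
        unless ($MIN_SIZE =~ /\A\d+\z/) {
            print "Invalid minimum size\n";
            usage();
        }
    }

    # config file to use in addition to other config files
    elsif ($opt eq '-c') {
        if ($ALL_CONFIGS == 0) {
            print "-c cannot be used with -C\n";
            exit(1);
        }
        $CONFIG = _option_value("-c requires config file argument\n");
        unless (-e "$CONFIG") {
            print "Config file $CONFIG does not exist\n";
            usage();
        }
    }

    # Exclusive config file to use
    elsif ($opt eq '-C') {
        if ($CONFIG ne "") {
            print "-C cannot be used with -c\n";
            exit(1);
        }
        $CONFIG = _option_value("-C requires config file argument\n");
        unless (-e "$CONFIG") {
            print "Config file $CONFIG does not exist\n";
            usage();
        }
        $ALL_CONFIGS = 0;
    }

    # output directory for category files
    elsif ($opt eq '-d') {
        $DIR = _option_value("-d requires directory name\n");
        unless (-d "$DIR") {
            print "Directory $DIR does not exist\n";
            usage();
        }
    }

    # Extension mismatch only
    elsif ($opt eq '-e') {
        $DO_INDEX = 0;
    }

    # Category types only
    elsif ($opt eq '-E') {
        $DO_EXT = 0;
    }

    # file system type
    elsif ($opt eq '-f') {
        my $fstype = _option_value("-f requires file system type\n");
        unless ($fstype =~ $TYPE_NAME_RE) {
            print "Invalid file system type\n";
            usage();
        }
        $FSTYPE = "-f " . $fstype;
    }

    # HTML
    elsif ($opt eq '-h') {
        $HTML = 1;
        $NL   = "<BR>\n";
        $TAB  = " ";
        $EXT  = ".html";
        $BUL  = " <LI>";
    }

    # Image type
    elsif ($opt eq '-i') {
        my $imgtype = _option_value("-i requires image type\n");
        unless ($imgtype =~ $TYPE_NAME_RE) {
            print "Invalid image type\n";
            usage();
        }
        $IMGTYPE = "-i " . $imgtype;
    }

    # List the data instead of saving to files
    elsif ($opt eq '-l') {
        $LIST = 1;
    }

    # Mounting point, always stored with a trailing slash
    elsif ($opt eq '-m') {
        $MNT = _option_value("-m requires a mounting point\n");
        $MNT .= "/" unless ($MNT =~ m{/$});
    }

    # MD5 hashes
    elsif ($opt eq '-md5') {
        $DO_MD5 = 1;
    }

    # NIST NSRL hash database for excluding files
    elsif ($opt eq '-n') {
        $NSRL = _option_value("-n requires file name\n");
        unless (-e "$NSRL") {
            print "NSRL Database file missing ($NSRL)\n";
            usage();
        }
        $DO_MD5 = 1;
    }

    # Sector offset of the file system inside the image
    elsif ($opt eq '-o') {
        $IMGOFF = _option_value("-o requires offset value\n");
        unless ($IMGOFF =~ /^\d+$/) {
            print "Invalid sector offset\n";
            usage();
        }
    }

    # Do SHA
    elsif ($opt eq '-sha1') {
        $DO_SHA1 = 1;
    }

    # Save the files in category directories
    elsif ($opt eq '-s') {
        $SAVE = 1;
    }

    elsif ($opt eq '-U') {
        $DO_UNKNOWN = 0;
    }

    # Version
    elsif ($opt eq '-V') {
        version();
        exit(0);
    }

    # Verbose
    elsif ($opt eq '-v') {
        $VERBOSE = 1;
    }

    # Exclude hash database
    elsif ($opt eq '-x') {
        $EXCLUDE_DB = _option_value("-x requires hash database argument\n");
        unless (-e "$EXCLUDE_DB") {
            print "Exclude hash database $EXCLUDE_DB does not exist\n";
            usage();
        }
        $DO_MD5 = 1;
    }

    else {
        print "Unknown option: $opt\n";
        usage();
    }

    shift(@ARGV);
}

if (scalar @ARGV == 0) {
    print "Missing image argument\n";
    usage();
}

# Find local copies of std execs
find_file();
if ($DO_MD5 == 1) {
    find_md5();
}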