diff --git a/.github/ISSUE_TEMPLATE/bug-fix.md b/.github/ISSUE_TEMPLATE/bug-fix.md new file mode 100644 index 0000000..71955ba --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug-fix.md @@ -0,0 +1,19 @@ +--- +name: Bug fix +about: Contribute a bug fix! +title: '' +labels: bug-fix +assignees: '' + +--- + +### Identify the Bug +* Link to the issue describing the bug that you're fixing +* If there is not yet an issue for your bug, please open a new issue and then link to that issue in your pull request + +### Describe the Change(s) +A clear and concise description of what changes you are making and how they resolve the bug. + +### Release Notes +Describe your changes in a single line that explains this improvement in +terms that an end-user can understand. This text will be used in the release notes. diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..6262cef --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,32 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: bug +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Desktop (please complete the following information):** + - OS: [e.g. macOS] + - Browser [e.g. chrome, safari] + - Version [e.g. 10.15.5] + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/documentation-change.md b/.github/ISSUE_TEMPLATE/documentation-change.md new file mode 100644 index 0000000..e1e5f51 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/documentation-change.md 
@@ -0,0 +1,15 @@ +--- +name: Documentation change +about: Contributing Documentation +title: '' +labels: documentation +assignees: '' + +--- + +### Describe the Change(s) +A clear and concise description of what the change is. + +### Release Notes +Describe your changes in a single line that explains this improvement in +terms that an end-user can understand. This text will be used in the release notes. diff --git a/.github/ISSUE_TEMPLATE/feature-change.md b/.github/ISSUE_TEMPLATE/feature-change.md new file mode 100644 index 0000000..0317a35 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature-change.md @@ -0,0 +1,21 @@ +--- +name: Feature change +about: Add, change, or remove a feature! +title: '' +labels: enhancement +assignees: '' + +--- + +### Describe the Change +A clear and concise description of what the change is and why it is needed. + +### Possible Drawbacks +What are the possible side-effects or negative impacts of the code change on the end-user? + +### Verification Process +How did you verify that your change has the desired effects? + +### Release Notes +Describe your changes in a single line that explains this improvement in +terms that an end-user can understand. This text will be used in the release notes. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..8bf9ec3 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,143 @@ +# Contributing to Orion + +🙏:tada: Thank you for being interested in contributing! :tada:🙏 + +Orion is an open source project and contributions from the community will always be considered! There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests or writing code which can be incorporated into the framework! + +## Table Of Contents + +* [Code of Conduct](#code-of-conduct) +* [Before Getting Started](#before-getting-started) +* [Why Should I Contribute?](#why-should-i-contribute) +* [How Can I Contribute?](#how-can-i-contribute) +* [Where do I Start?](#where-do-i-start) +* [Styleguides](#styleguides) + +## Code of Conduct +This project and everyone participating in it is governed by the [Code of Conduct](https://github.com/anthonybm/Orion/blob/master/CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. + +## Before Getting Started +Orion is an artifact triage tool framework that facilitates independent modules to run and collect whatever forensic artifact is specified. Orion allows contributers to add functionality to parse and triage unimplemented forensic artifacts in the form of "modules", which essentially are packages in Go that contain the required constructs and supplementary functionality to parse the artifacts. + +This ease of adding functionality in the form of a single file and few lines of change was inspired by other existing open source tools already written in Python. The benefit of Orion over others is that it compiles down to a single binary that utilizes a config file, rather than requiring various source and third-party code to be copied when you want to utilize the tool. + +### Conventions +* Preferred editor is [Visual Studio Code](https://code.visualstudio.com/) +* Orion follows the [Gitflow Workflow methodology](https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow). 
Check it out :smile: +* Apply [build constraints](https://golang.org/cmd/go/#hdr-Build_constraints) where required + +## Why Should I Contribute? +* You think this project is awesome but could be something more! +* You want to help the DFIR community! +* You think something is being done wrong! + +## How Can I Contribute? +* Report bugs +* Suggest Features +* Create or update documentation +* Create or update a module + +## Where do I Start? +The following sections describe how you actually go about contributing :) +### Pre-requisites + +* [Go version 1.14](https://golang.org/dl/) installed and configured +* C compiler for cgo modules [such as this for Windows](https://jmeubank.github.io/tdm-gcc/download/) +* Access to macOS system for writing Mac modules or building Mac binary +* Access to Windows system for writing Windows modules or building Windows binary +* Have a feature in mind either from the existing issues list or something entirely new! Make sure you know what the artifact(s) is used for, where it is located on the filesystem, and document anything else as you see fit. It will be helpful to look at the feature change template to see what information is suggested to have. +* **All of your suggested changes should go into a specific `feature branch`, which should be based off of the `develop` branch** + +1) Fork the Orion repository. Follow the [GitHub Help instructions](https://help.github.com/articles/fork-a-repo/) on how to fork a repo if you're not sure how. 
+2) Clone it to your local machine and navigate to the directory where you've cloned the source code +3) Make sure you sync and [fetch all remote branches](https://www.atlassian.com/git/tutorials/syncing/git-fetch) (or just the `develop` branch) +3) You should create a feature branch based off of the `develop` branch following the name convention of `feature_windows_modulenamehere` (where you replace windows with the operating system you are writing for and replace modulenamehere with a unique module name). +4) See one of the sections below for specific contribution instructions + +### Writing a new module +see example code :wink: +#### What do I need to touch? +To add a new module to Orion, you will need to touch/create code in the following places: +* the os specific folder (i.e. `windows/` or `mac/` ) +* the `util/` folder if you are adding a general purpose utility (i.e. a Chrome timestamp converter function, common structure traversal function) +#### How do I go about this? +0) Prior to writing code, determine where on the filesystem the artifact resides, how it is manually parsed, and what the artifact is used for +1) Follow the gitflow methodology [here](https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow) to create an appropriate Feature Branch following name convention of 'feature/**operating_system**/**feature_name**' +2) Under the appropriate OS source folder (i.e. `windows/` or `mac/` ), create a package for the module and in that package create a file for the module code following the convention of "modulename.go" +3) You are required to have a "ModuleNameModule" struct type that implements a Start() function +``` +// +build darwin + +package macsample +// ... omitted supporting code +type MacSampleModule struct { +} + +func (m MacSampleModule) Start(inst instance.Instance) error { + err := m.osVersion(inst) + if err != nil { + zap.L().Error("Error running MacSampleModule: " + err.Error()) + } + return err +} +// ... 
omitted supporting code +``` +4) You are required to add the "ModuleNameModule" struct to the type registry in `engine/module_*.go` +``` +func init() { + registerType((*macsample.MacSampleModule)(nil)) + // ... +} +``` +5) You are required to add the module struct name to the config file if you want it to execute when you run Orion +``` +modules = [ # Comment out what you do not need + "MacSampleModule", + // ... omitted other module lines +] +``` +6) Convention suggests that your module produce output! +Your module's output will be written to a file `orionRuntime + "_" + module + "." + outputtype`. +``` +// This line should be at the start of your module's entry function (in this example, the func (m MacSampleModule) osVersion(inst instance.Instance)) +dw, err := datawriter.NewOrionWriter(moduleName, inst.GetOrionRuntime(), inst.GetOrionOutputFormat(), inst.GetOrionOutputFilepath()) +... omitted module functionality +// Write to output :) (error checks omitted for brevity) +err = mw.WriteHeader(header) +err = mw.WriteAll(values) +err = mw.Close() +``` + +7) See the SampleModule for other conventions + +## Styleguides +### Git Commit Messages + +* Use the present tense ("Add feature" not "Added feature") +* Use the imperative mood ("Move cursor to..." 
not "Moves cursor to...") +* Limit the first line to 72 characters or less +* Reference issues and pull requests liberally +* When only changing documentation, include `[ci skip]` in the commit description +* Consider starting the commit message with an applicable emoji: + * :art: `:art:` when improving the format/structure of the code + * :cake: `:cake:` when edit templates or/and css styles + * :rocket: `:rocket:` when improving performance + * :memo: `:memo:` when writing docs + * :bug: `:bug:` when fixing a bug + * :fire: `:fire:` when removing code or files + * :green_heart: `:green_heart:` when fixing the CI build + * :white_check_mark: `:white_check_mark:` when adding tests + * :lock: `:lock:` when dealing with security + * :arrow_up: `:arrow_up:` when upgrading dependencies + * :arrow_down: `:arrow_down:` when downgrading dependencies + * :dolphin: `:dolphin:` when add new migrations + * :shirt: `:shirt:` when removing linter warnings + * :watermelon: `:watermelon:` when you add or edit translations. + * :gem: `:gem:` when you creating new release + * :bookmark: `:bookmark:` when creating new tag + * :ambulance: `:ambulance:` when you adding critical hotfix + +### Branches +* Latest Release - master +* Upcoming Release - bug fixes and documentation -> release/ +* Feature - branches from develop -> feature/_ diff --git a/README.md b/README.md index c8bc1b7..e9ebb59 100644 --- a/README.md +++ b/README.md 
@@ -1,34 +1,105 @@ # Orion - a framework for triage of relevant incident response and forensics artifacts from various operating systems + an open-source framework for triage collection of relevant incident response and forensics artifacts from various operating systems -[![Latest version](https://img.shields.io/badge/version-v0.2.0-blue)](https://github.com/tonythetiger06/goMass/releases/tag/v0.2.0-alpha) -[![status](https://img.shields.io/badge/status-alpha-red)] -[MIT](https://choosealicense.com/licenses/mit/) +[![MIT](https://img.shields.io/badge/license-MIT-blue)](https://choosealicense.com/licenses/mit/) +[![Latest version](https://img.shields.io/badge/version-v0.2.0-blue)](https://github.com/anthonybm/goMass/releases/tag/v0.2.0-alpha) +![status](https://img.shields.io/badge/status-alpha-red) + +## Purpose +Orion is an artifact triage tool framework that facilitates independent modules to run and collect whatever forensic artifact is specified. Orion allows contributers to add functionality to parse and triage unimplemented forensic artifacts in the form of "modules", which essentially are packages in Go that contain the required constructs and supplementary functionality to parse the artifacts. + +This ease of adding functionality in the form of a single file and few lines of change was inspired by other existing open source tools already written in Python. The benefit of Orion over others is that it compiles down to a single binary that utilizes a config file, rather than requiring various source and third-party code to be copied when you want to utilize the tool. ### Usage -This is an alpha - work in progress! Please read all documentation and review before running on your own system. Of note: +This is an alpha - work in progress! 
Its at a stage now where I am ready to show others the work done and possible - **all existing modules are runnable, they will produce output :smile: Please read all documentation and review before running on your own system.** Of note: +- At the moment you will have to build executables on your own system, they will be included in future releases + - Take consideration that you may have to set the execution permissions of the binary on some systems - The configs/ folder contains a mac and windows config sample, all present keys are required - The modules listed in each are what exist at this time, comments will denote WIP/experimental work +- At this time, output format is restricted to CSV for modules and JSON for logging + +``` +usage: Orion [-h|--help] [--list] [-l|--log-level (none|info|debug|error)] + -m|--mode (mac|windows) [-M|--no-multithread] [-f|--output-format + (csv|json|sqlite|xlsx)] [-o|--output-dir ""] -c|--config + "" [-T|--testing-mode] [-F|--forensic] [-t|--target + ""] -### Testing usage example -./Orion -m mac -f csv -o output -c configs/mac.toml -l debug -T + Orion framework for triage of relevant incident response and + forensics artifacts from various operating systems -### Actual usage +Arguments: + + -h --help Print help information + --list List available modules. + -l --log-level Set the logging level, or set it to none.. Default: + info + -m --mode Set the mode for Orion, used for config parsing and + module selection. + -M --no-multithread If flag is enabled, multithreading is disabled.. + Default: false + -f --output-format Set the output format file type.. Default: csv + -o --output-dir Set the output directory for files generated by Orion.. + Default: Output/ + -c --config Set the config path + -T --testing-mode Enable testing mode for development purposes only.. + Default: false + -F --forensic Enable Forensic mode - safer artifact parsing where + applicable and can treat target path as Mounted + Volume/Mounted Evidence. 
Default: false + -t --target Specify the root target path to reference artifacts + from - i.e. /pathToPlist.plist. Default: / +``` +> **Note:** Interrupting with SIGINT ```ctrl + c``` once will signal Orion to try to package modules before aborting +#### Testing usage example + ./Orion -m mac -f csv -o output -c configs/mac.toml -l debug -T + Will run modules specified in the TOML config on macOS in testing mode with debug level output + +#### Actual usage sudo ./Orion -m mac -f csv -o output -c path_to/mac.toml -l info +### Building +#### Pre-requisites +* [Go version 1.14](https://golang.org/dl/) installed and configured +* C compiler for cgo modules [such as this for Windows](https://jmeubank.github.io/tdm-gcc/download/) +* Access to macOS for building Mac binary +* Access to Windows for building Windows binary + +1) Fork the Orion repository. Follow the [GitHub Help instructions](https://help.github.com/articles/fork-a-repo/) on how to fork a repo. +2) Clone it to your local machine and navigate to the directory where you've cloned the source code +4) ```go build``` will generate an Orion binary which you can use along with a valid config file + Orion currently has functionality to - - Create and integrate modules for MacOS (many written) and Windows (one example file system walk written) + - Create and integrate modules for macOS (many written) and Windows (one example file system walk written) - Log errors, debug, warning, and input statements - Output logs in JSON format - Output for modules in CSV format - Tested on OSX 10.15.5 and Windows 10 + +## But how does it work? +Glad you asked :wink: +* The Orion binary requires a few command line arguments to determine how it will run, such as use of a specifically configured [TOML](https://github.com/toml-lang/toml) config file that lists modules to run and configurations for specifc modules. +``` +... +modules = [ + "MacSampleModule", + ... +] +... +# other module specific parameters +... 
+``` +* Orion reads the command line arguments and specific config file to determine what to run. Modules must be registered in the typeRegistry (ex. `registerType((*macsample.MacSampleModule)(nil))`) in order to run +* Orion will execute each module found as its own [goroutine](https://tour.golang.org/concurrency/1) by calling its `Start()` function (within Start, you specify the module structure) +* Each module should write output to a file with a name constructed by `orionRuntime + "_" + module + "." + outputtype` +* If a non-fatal module error occurs along the way, Orion will log it ## Roadmap - Testing :) - Ensure documentation is sufficient - Graceful exit on SIGINT - - More modules for MacOS - - Sign for MacOS? + - More modules for macOS + - Sign for macOS? - More modules for Windows - Support Linux module writing - Support no-logging mode 
@@ -37,19 +108,19 @@ Orion currently has functionality to - Support for uploading module output ## Contributing -Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. - -Please make sure to create/update tests as appropriate. +Thank you for being interested in contributing to Orion! -## Module Development -### tl;dr; see example code -- Prior to writing code, determine where on the filesystem the artifact resides, how it is manually parsed, and what the artifact is used for -- Follow the gitflow methodology [here](https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow) to create an appropriate Feature Branch following name convention of 'feature/**operating_system**/**feature_name**' -- Under the appropriate OS source folder, create a package for the module and in that package create a file for the module code following the convention of "modulename.go" -- You are required to have a "ModuleNameModule" struct type that implements a Start() function -- You are required to add the "ModuleNameModule" struct to the type registry in module.go -- You are required to add the module struct name to the config file -- Follow the SampleModule for conventions +Please see [CONTRIBUTING.md](https://github.com/anthonybm/Orion/blob/master/CONTRIBUTING.md) for all of the details. ## License -This project is licensed under the terms of the MIT license. See LICENSE for details. \ No newline at end of file +This project is licensed under the terms of the MIT license. See [LICENSE](https://github.com/anthonybm/Orion/blob/master/LICENSE) for details. + +## Code of Conduct +This project adheres to the [Contributor Covenant code of conduct](https://github.com/anthonybm/Orion/blob/master/CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. + +See licenses/ for credits to other projects I referenced and took inspiration from :smile: + +## Why Orion? 
+"represented by the figure of a hunter with belt and sword" +* We're threat hunters :wink: +* The framework and modules are the tools and sword to go hunting :smile: diff --git a/configs/mac.toml b/configs/mac.toml index 013b49c..23143e8 100644 --- a/configs/mac.toml +++ b/configs/mac.toml @@ -37,12 +37,12 @@ modules = [ # Comment out what you do not need # ============================= -# Modules TODO -# From automactc -# "MacCoreAnalyticsModule" - 8 -# "MacQuicklookModule" - 6 -# "MacSafariModule" - 4 -# From mac_apt +# Modules TODO these are suggested ideas for future modules based on existing tools +# From automactc by CrowdStrike +# "MacCoreAnalyticsModule" +# "MacQuicklookModule" +# "MacSafariModule" +# From mac_apt by ydkhatri # "MacAppListModule" /Users/*/Library/Application Support/com.apple.spotlight/appList.dat # "MacAppleRemoteManagementModule" /private/var/db/RemoteManagement/caches/... 1) UserAcct.tmp 2) AppUsage.plist 3) AppUsage.tmp # "MacBluetoothModule" /Library/Preferences/com.apple.Bluetooth.plist @@ -67,9 +67,9 @@ modules = [ # Comment out what you do not need # Dirlist Configuration DirlistRootWalkDir = "/" -DirlistExcludedDirs = ["/System/Volumes/Data/Users/amartinez/Box", "/Users/amartinez/Box", ".fseventsd",".DocumentRevisions-V100",".Spotlight-V100"] +DirlistExcludedDirs = [".fseventsd",".DocumentRevisions-V100",".Spotlight-V100"] # Recommend adding cloud storage paths here for exclusion DirlistExcludedExts = [".app", ".framework",".lproj",".plugin",".kext",".osax",".bundle",".driver",".wdgt"] DirlistHashSizeLimitBytes = 10485760 # ~10.486 MB - 10,485,760 B -- ~10x faster than if you hash every file DirlistDoHashMD5 = true DirlistDoHashSHA256 = true -DirlistVerbose = false \ No newline at end of file +DirlistVerbose = false diff --git a/configs/windows.toml b/configs/windows.toml index 4535d45..50f04dc 100644 --- a/configs/windows.toml +++ b/configs/windows.toml 
@@ -1,9 +1,10 @@ # Common usage: # ./Orion -m windows -f csv -o output -c configs/windows.toml -l debug -T -forensicMode = false +forensicMode = false # does nothing unless you use it in the module ;) -modules = ["WindowsDirlistModule"] +# Specify modules to run (comma separated) +modules = ["WindowsDirlistModule"] # WIP/example # ============================= # ============================= @@ -15,4 +16,4 @@ DirlistExcludedExts = [".app", ".framework",".lproj",".plugin",".kext",".osax"," DirlistHashSizeLimitBytes = 15000 # 10485760 # ~10.486 MB - 10,485,760 B -- ~10x faster than if you hash every file DirlistDoHashMD5 = true DirlistDoHashSHA256 = true -DirlistVerbose = false \ No newline at end of file +DirlistVerbose = false diff --git a/engine/module_darwin.go b/engine/module_darwin.go index b7e020a..8d72d2b 100644 --- a/engine/module_darwin.go +++ b/engine/module_darwin.go 
@@ -14,31 +14,31 @@ import ( "sync" "time" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/mac/modules/macapplesystemlog" - "github.com/tonythetiger06/Orion/mac/modules/macauditlog" - "github.com/tonythetiger06/Orion/mac/modules/macautoruns" - "github.com/tonythetiger06/Orion/mac/modules/macbash" - "github.com/tonythetiger06/Orion/mac/modules/macchrome" - "github.com/tonythetiger06/Orion/mac/modules/maccookies" - "github.com/tonythetiger06/Orion/mac/modules/macdirlist" - "github.com/tonythetiger06/Orion/mac/modules/maceventtaps" - "github.com/tonythetiger06/Orion/mac/modules/macfirefox" - "github.com/tonythetiger06/Orion/mac/modules/macinstallhistory" - "github.com/tonythetiger06/Orion/mac/modules/maclivelsof" - "github.com/tonythetiger06/Orion/mac/modules/maclivenetstat" - "github.com/tonythetiger06/Orion/mac/modules/maclivepslist" - "github.com/tonythetiger06/Orion/mac/modules/macmru" - "github.com/tonythetiger06/Orion/mac/modules/macnetconfig" - "github.com/tonythetiger06/Orion/mac/modules/macquarantines" - "github.com/tonythetiger06/Orion/mac/modules/macsample" - "github.com/tonythetiger06/Orion/mac/modules/macspotlight" - "github.com/tonythetiger06/Orion/mac/modules/macssh" - "github.com/tonythetiger06/Orion/mac/modules/macsysteminfo" - "github.com/tonythetiger06/Orion/mac/modules/macsystemlog" - "github.com/tonythetiger06/Orion/mac/modules/macterminalstate" - "github.com/tonythetiger06/Orion/mac/modules/macusers" - "github.com/tonythetiger06/Orion/mac/modules/macutmpx" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/mac/modules/macapplesystemlog" + "github.com/anthonybm/Orion/mac/modules/macauditlog" + "github.com/anthonybm/Orion/mac/modules/macautoruns" + "github.com/anthonybm/Orion/mac/modules/macbash" + "github.com/anthonybm/Orion/mac/modules/macchrome" + "github.com/anthonybm/Orion/mac/modules/maccookies" + "github.com/anthonybm/Orion/mac/modules/macdirlist" + 
"github.com/anthonybm/Orion/mac/modules/maceventtaps" + "github.com/anthonybm/Orion/mac/modules/macfirefox" + "github.com/anthonybm/Orion/mac/modules/macinstallhistory" + "github.com/anthonybm/Orion/mac/modules/maclivelsof" + "github.com/anthonybm/Orion/mac/modules/maclivenetstat" + "github.com/anthonybm/Orion/mac/modules/maclivepslist" + "github.com/anthonybm/Orion/mac/modules/macmru" + "github.com/anthonybm/Orion/mac/modules/macnetconfig" + "github.com/anthonybm/Orion/mac/modules/macquarantines" + "github.com/anthonybm/Orion/mac/modules/macsample" + "github.com/anthonybm/Orion/mac/modules/macspotlight" + "github.com/anthonybm/Orion/mac/modules/macssh" + "github.com/anthonybm/Orion/mac/modules/macsysteminfo" + "github.com/anthonybm/Orion/mac/modules/macsystemlog" + "github.com/anthonybm/Orion/mac/modules/macterminalstate" + "github.com/anthonybm/Orion/mac/modules/macusers" + "github.com/anthonybm/Orion/mac/modules/macutmpx" "go.uber.org/zap" ) diff --git a/engine/module_windows.go b/engine/module_windows.go index f33553e..017ce50 100644 --- a/engine/module_windows.go +++ b/engine/module_windows.go @@ -13,8 +13,8 @@ import ( "sync" "time" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/windows/modules/windowsdirlist" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/windows/modules/windowsdirlist" "go.uber.org/zap" ) diff --git a/go.mod b/go.mod index 5fe9967..fe8fce8 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/tonythetiger06/Orion +module github.com/anthonybm/Orion go 1.14 diff --git a/instance/instance.go b/instance/instance.go index 90339c7..9006a18 100644 --- a/instance/instance.go +++ b/instance/instance.go @@ -4,8 +4,8 @@ import ( "errors" "os" - "github.com/tonythetiger06/Orion/configs" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/configs" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" ) 
diff --git a/licenses/atom-atom-LICENSE b/licenses/atom-atom-LICENSE new file mode 100644 index 0000000..eba851a --- /dev/null +++ b/licenses/atom-atom-LICENSE @@ -0,0 +1,7 @@ +Copyright (c) 2011-2020 GitHub Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/mac/modules/macapplesystemlog/asl.go b/mac/modules/macapplesystemlog/asl.go index 80da5ed..35bf723 100644 --- a/mac/modules/macapplesystemlog/asl.go +++ b/mac/modules/macapplesystemlog/asl.go @@ -12,8 +12,8 @@ import ( "strconv" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" "go.uber.org/zap" ) 
@@ -99,10 +99,6 @@ func (m MacAppleSystemLogModule) asl(inst instance.Instance) error { } func (m MacAppleSystemLogModule) parseAslFile(fp string) ([][]string, error) { - // fnull, err := os.OpenFile(os.DevNull, os.O_WRONLY, 0755) - // if err != nil { - // return [][]string{}, err - // } aslCmd := exec.Command("syslog", "-f", fp, "-T", "utc.3") aslOut, outerr := aslCmd.StdoutPipe() aslErr, errerr := aslCmd.StderrPipe() @@ -138,13 +134,11 @@ func (m MacAppleSystemLogModule) parseAslFile(fp string) ([][]string, error) { return [][]string{}, errors.New(fmt.Sprintf("could not parse '%s'. Invalid Data Store error reported - file may be corrupted.", fp)) } - // logdata := strings.Split(aslOutString, '\n') cont, err := m.openAslFileFromSyslog(aslOutString) if err != nil { return [][]string{}, err } var entries [][]string - // text := string(cont) count := 0 for i, item := range cont { diff --git a/mac/modules/macauditlog/auditlog.go b/mac/modules/macauditlog/auditlog.go index 64deb8f..b463edd 100644 --- a/mac/modules/macauditlog/auditlog.go +++ b/mac/modules/macauditlog/auditlog.go @@ -10,10 +10,10 @@ import ( "strconv" "strings" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "github.com/beevik/etree" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" "go.uber.org/zap" ) diff --git a/mac/modules/macautoruns/autoruns.go b/mac/modules/macautoruns/autoruns.go index 6e0fe65..72e8df7 100644 --- a/mac/modules/macautoruns/autoruns.go +++ b/mac/modules/macautoruns/autoruns.go 
@@ -13,10 +13,10 @@ import ( "os" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) @@ -257,7 +257,6 @@ func (m MacAutorunsModule) kernelExtentions(inst instance.Instance) ([][]string, // Parse plist/bplist data, err := machelpers.DecodePlist(path, inst.GetTargetPath()) if err != nil { - // return [][]string{}, errors.New("failed to decode '" + path + "': " + err.Error()) zap.L().Error("could not parse plist '"+path+"': "+err.Error(), zap.String("module", moduleName)) continue } @@ -320,7 +319,6 @@ func (m MacAutorunsModule) launchAgentsDaemons(inst instance.Instance) ([][]stri // Parse plist/bplist data, err := machelpers.DecodePlist(path, inst.GetTargetPath()) if err != nil { - // return [][]string{}, errors.New("failed to decode '" + path + "': " + err.Error()) zap.L().Error("could not parse plist '"+path+"': "+err.Error(), zap.String("module", moduleName)) continue } @@ -336,7 +334,6 @@ func (m MacAutorunsModule) launchAgentsDaemons(inst instance.Instance) ([][]stri if val, ok := item["ProgramArguments"].([]interface{}); ok { if len(val) > 1 { valmap["program_arguments"] = fmt.Sprint(val[1:]) - // fmt.Println(val[1:]) } } @@ -382,7 +379,6 @@ func (m MacAutorunsModule) loginItems(inst instance.Instance) ([][]string, error // Parse plist/bplist data, err := machelpers.DecodePlist(path, inst.GetTargetPath()) if err != nil { - // return [][]string{}, errors.New("failed to decode '" + path + "': " + err.Error()) zap.L().Error("could not parse plist '"+path+"': "+err.Error(), zap.String("module", moduleName)) continue } diff --git a/mac/modules/macbash/bash.go b/mac/modules/macbash/bash.go index e0bfd2a..1d11f5f 100644 
--- a/mac/modules/macbash/bash.go +++ b/mac/modules/macbash/bash.go @@ -8,10 +8,10 @@ import ( "strconv" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) @@ -80,7 +80,6 @@ func (m MacBashModule) bash(inst instance.Instance) error { for _, fp := range files { user := util.GetUsernameFromPath(fp) userlist = append(userlist, user) - // zap.L().Debug("Parsing bash and other history for "+user, zap.String("module", moduleName)) // parse files fileMetadata, err := machelpers.FileMetadata(fp, moduleName) @@ -98,17 +97,6 @@ func (m MacBashModule) bash(inst instance.Instance) error { for scanner.Scan() { line := scanner.Text() - // header := []string{ - // "mtime", - // "atime", - // "ctime", - // "btime", - // "src_file", - // "user", - // "item_index", - // "cmd", - // } - entry := []string{ fileMetadata["mtime"], fileMetadata["atime"], diff --git a/mac/modules/macchrome/chrome.go b/mac/modules/macchrome/chrome.go index aa9a4bb..c0a2909 100644 --- a/mac/modules/macchrome/chrome.go +++ b/mac/modules/macchrome/chrome.go @@ -10,9 +10,9 @@ import ( "strings" "time" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" ) diff --git a/mac/modules/maccookies/cookies.go b/mac/modules/maccookies/cookies.go index 2b945f1..09f20d5 100644 --- a/mac/modules/maccookies/cookies.go +++ b/mac/modules/maccookies/cookies.go 
@@ -6,9 +6,9 @@ import ( "path/filepath" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" ) diff --git a/mac/modules/macdirlist/dirlist.go b/mac/modules/macdirlist/dirlist.go index a64e457..1a5877f 100644 --- a/mac/modules/macdirlist/dirlist.go +++ b/mac/modules/macdirlist/dirlist.go @@ -12,11 +12,11 @@ import ( "strings" "time" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "github.com/karrick/godirwalk" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/maceventtaps/eventtaps.go b/mac/modules/maceventtaps/eventtaps.go index 1fe87ed..2671133 100644 --- a/mac/modules/maceventtaps/eventtaps.go +++ b/mac/modules/maceventtaps/eventtaps.go @@ -12,9 +12,9 @@ import ( "time" "unsafe" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" ) diff --git a/mac/modules/macfirefox/firefox.go b/mac/modules/macfirefox/firefox.go index ace0af3..df41029 100644 --- a/mac/modules/macfirefox/firefox.go +++ b/mac/modules/macfirefox/firefox.go @@ -11,9 +11,9 @@ import ( "strings" "time" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" ) 
diff --git a/mac/modules/macinstallhistory/installhistory.go b/mac/modules/macinstallhistory/installhistory.go index 0fde2e8..5b2b999 100644 --- a/mac/modules/macinstallhistory/installhistory.go +++ b/mac/modules/macinstallhistory/installhistory.go @@ -6,9 +6,9 @@ import ( "fmt" "time" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/maclivelsof/lsof.go b/mac/modules/maclivelsof/lsof.go index 20d769a..63f27ba 100644 --- a/mac/modules/maclivelsof/lsof.go +++ b/mac/modules/maclivelsof/lsof.go @@ -9,8 +9,8 @@ import ( "os/exec" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" "go.uber.org/zap" ) diff --git a/mac/modules/maclivenetstat/netstat.go b/mac/modules/maclivenetstat/netstat.go index edb8c2d..972db6f 100644 --- a/mac/modules/maclivenetstat/netstat.go +++ b/mac/modules/maclivenetstat/netstat.go @@ -10,8 +10,8 @@ import ( "regexp" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" "go.uber.org/zap" ) diff --git a/mac/modules/maclivepslist/pslist.go b/mac/modules/maclivepslist/pslist.go index 474ccca..daf8e1c 100644 --- a/mac/modules/maclivepslist/pslist.go +++ b/mac/modules/maclivepslist/pslist.go @@ -10,8 +10,8 @@ import ( "regexp" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" "go.uber.org/zap" ) diff --git a/mac/modules/macmru/mru.go b/mac/modules/macmru/mru.go index 63bdb47..27fa04d 100644 
--- a/mac/modules/macmru/mru.go +++ b/mac/modules/macmru/mru.go @@ -14,10 +14,10 @@ import ( "strings" "unsafe" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/macnetconfig/netconfig.go b/mac/modules/macnetconfig/netconfig.go index 850f418..fee9ec7 100644 --- a/mac/modules/macnetconfig/netconfig.go +++ b/mac/modules/macnetconfig/netconfig.go @@ -8,10 +8,10 @@ import ( "strconv" "time" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/macquarantines/quarantines.go b/mac/modules/macquarantines/quarantines.go index 4dca790..f5c3b42 100644 --- a/mac/modules/macquarantines/quarantines.go +++ b/mac/modules/macquarantines/quarantines.go @@ -7,9 +7,9 @@ import ( "os" "strconv" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" "howett.net/plist" ) diff --git a/mac/modules/macsample/sample.go b/mac/modules/macsample/sample.go index 9da7c0a..9391c74 100644 --- a/mac/modules/macsample/sample.go +++ b/mac/modules/macsample/sample.go 
@@ -6,8 +6,8 @@ import ( "os" "path/filepath" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" "go.uber.org/zap" "howett.net/plist" diff --git a/mac/modules/macspotlight/spotlight_shortcuts.go b/mac/modules/macspotlight/spotlight_shortcuts.go index 0ad29a8..26e42ad 100644 --- a/mac/modules/macspotlight/spotlight_shortcuts.go +++ b/mac/modules/macspotlight/spotlight_shortcuts.go @@ -6,10 +6,10 @@ import ( "errors" "fmt" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/macssh/ssh.go b/mac/modules/macssh/ssh.go index 15b3ee5..5ff07d1 100644 --- a/mac/modules/macssh/ssh.go +++ b/mac/modules/macssh/ssh.go @@ -10,9 +10,9 @@ import ( "strconv" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" ) diff --git a/mac/modules/macsysteminfo/systeminfo.go b/mac/modules/macsysteminfo/systeminfo.go index 7c0e5a3..1091eaa 100644 --- a/mac/modules/macsysteminfo/systeminfo.go +++ b/mac/modules/macsysteminfo/systeminfo.go 
@@ -5,10 +5,10 @@ package macsysteminfo import ( "errors" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/macsystemlog/syslog.go b/mac/modules/macsystemlog/syslog.go index a3e7af7..d229056 100644 --- a/mac/modules/macsystemlog/syslog.go +++ b/mac/modules/macsystemlog/syslog.go @@ -12,8 +12,8 @@ import ( "strconv" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" "go.uber.org/zap" ) @@ -103,18 +103,6 @@ func (m MacSystemLogModule) systemLog(inst instance.Instance) error { func (m MacSystemLogModule) parseSystemLogFile(fp string) ([][]string, error) { var entries [][]string - // scanner, err := m.openSystemLogFile(fp) - // if err != nil { - // return [][]string{}, err - // } - - // for scanner.Scan() { - // item := scanner.Text() - // zap.L().Debug("parsed item from "+fp, zap.String("module", moduleName), zap.String("contents", item)) - // entries = append(entries, m.parseSystemLogEntry(item, fp)) - // } - - // cont, err := ioutil.ReadFile(fp) cont, err := m.openSystemLogFileIntoMemory(fp) if err != nil { return [][]string{}, err diff --git a/mac/modules/macterminalstate/terminalstate.go b/mac/modules/macterminalstate/terminalstate.go index 367fb2e..c956438 100644 --- a/mac/modules/macterminalstate/terminalstate.go +++ b/mac/modules/macterminalstate/terminalstate.go 
@@ -15,10 +15,10 @@ import ( "strconv" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/macusers/users.go b/mac/modules/macusers/users.go index 0302719..cedae8e 100644 --- a/mac/modules/macusers/users.go +++ b/mac/modules/macusers/users.go @@ -10,10 +10,10 @@ import ( "reflect" "strings" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/machelpers" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/machelpers" "go.uber.org/zap" ) diff --git a/mac/modules/macutmpx/utmpx.go b/mac/modules/macutmpx/utmpx.go index 5a1ac0b..f97ac08 100644 --- a/mac/modules/macutmpx/utmpx.go +++ b/mac/modules/macutmpx/utmpx.go @@ -13,9 +13,9 @@ import ( "strings" "time" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" "go.uber.org/zap" ) diff --git a/main.go b/main.go index ecb66e3..7af0752 100644 --- a/main.go +++ b/main.go @@ -9,8 +9,8 @@ import ( "strings" "time" - "github.com/tonythetiger06/Orion/engine" - "github.com/tonythetiger06/Orion/instance" + "github.com/anthonybm/Orion/engine" + "github.com/anthonybm/Orion/instance" "go.uber.org/zap" "github.com/akamensky/argparse" diff --git a/windows/modules/windowsdirlist/dirlist.go b/windows/modules/windowsdirlist/dirlist.go index 67ff10d..a804234 100644 
--- a/windows/modules/windowsdirlist/dirlist.go +++ b/windows/modules/windowsdirlist/dirlist.go @@ -13,11 +13,11 @@ import ( "syscall" "time" + "github.com/anthonybm/Orion/datawriter" + "github.com/anthonybm/Orion/instance" + "github.com/anthonybm/Orion/util" + "github.com/anthonybm/Orion/util/windowshelpers" "github.com/karrick/godirwalk" - "github.com/tonythetiger06/Orion/datawriter" - "github.com/tonythetiger06/Orion/instance" - "github.com/tonythetiger06/Orion/util" - "github.com/tonythetiger06/Orion/util/windowshelpers" "go.uber.org/zap" )
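Review bot: the import-path rename from `github.com/tonythetiger06/Orion/...` to `github.com/anthonybm/Orion/...` (every import hunk from auditlog.go through main.go and windows/modules/windowsdirlist/dirlist.go) only compiles against the local tree if the `module` directive in go.mod is changed in the same commit, and go.mod is not in the visible diff. If go.mod still declares the old path, `go build` treats the new import path as an external module and tries to fetch it from the module proxy instead of building the packages in this repository, so the build either fails or links code from the remote checkout rather than the working tree. Please add the go.mod (and go.sum) change to this PR and run `go build ./... && go vet ./...` before merging. The reordering that places the `anthonybm` imports ahead of `github.com/beevik/etree` and `github.com/karrick/godirwalk` is correct for gofmt's sorted import groups.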
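Review bot: in the asl.go `parseAslFile` hunk (`@@ -99,10 +99,6 @@`), `aslCmd := exec.Command("syslog", "-f", fp, "-T", "utc.3")` resolves `syslog` through the collector's PATH. For a forensic collector that runs on a host under investigation, pin the helper to its absolute path (`/usr/bin/syslog` on macOS) so the parser invoked is the system binary regardless of the environment the collector inherited; passing `fp` as a discrete argument rather than through a shell is already correct and should stay that way. Dropping the commented-out `fnull` block is fine since `aslCmd.StdoutPipe()` and `aslCmd.StderrPipe()` replace it.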
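Review bot: in the asl.go hunk at `@@ -138,13 +134,11 @@`, the surviving line `return [][]string{}, errors.New(fmt.Sprintf("could not parse '%s'. Invalid Data Store error reported - file may be corrupted.", fp))` should be `fmt.Errorf("could not parse '%s'. Invalid Data Store error reported - file may be corrupted.", fp)`; `errors.New(fmt.Sprintf(...))` is flagged by staticcheck and is the only place in this hunk still using that pattern. Removing the stale `// logdata := strings.Split(aslOutString, '\n')` and `// text := string(cont)` comments is a good cleanup since `cont` is now produced by `m.openAslFileFromSyslog(aslOutString)`.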
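Review bot: in the syslog.go `parseSystemLogFile` hunk (`@@ -103,18 +103,6 @@`), deleting the commented-out `scanner.Scan()` loop leaves `cont, err := m.openSystemLogFileIntoMemory(fp)` as the only code path, which reads the whole log file before any entry is parsed. `system.log` and its rotated copies can be large on a long-running host, so the collector's peak memory now scales with the largest file it opens. If whole-file reading is required, add a comment above the call saying why; otherwise a streaming reader like the removed `openSystemLogFile` variant is the safer default for a collector that may run on memory-constrained targets.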
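Review bot: in the autoruns.go `launchAgentsDaemons` hunk at `@@ -336,7 +334,6 @@`, the code around the removed `// fmt.Println(val[1:])` still drops `val[0]` and records nothing when `ProgramArguments` has a single element: `if len(val) > 1 { valmap["program_arguments"] = fmt.Sprint(val[1:]) }`. launchd allows a plist to omit `Program` and use the first element of `ProgramArguments` as the executable, so for such items the executable path is lost from the output unless it is captured elsewhere in the entry. Please confirm `val[0]` is recorded from another key, or store the full array (with `len(val) > 0`) so an autorun with a one-element `ProgramArguments` still shows what it launches.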
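Review bot: in the bash.go hunk at `@@ -98,17 +97,6 @@`, the commented-out `header` slice (`"mtime"`, `"atime"`, `"ctime"`, `"btime"`, `"src_file"`, `"user"`, `"item_index"`, `"cmd"`) was the only inline record of the column order that `entry := []string{ fileMetadata["mtime"], fileMetadata["atime"], ...` must follow. With it removed, add a one-line comment above `entry` naming the column order, or point to where the real header slice is defined, so future edits to either side keep the written rows and the header aligned.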