package main
import (
"fmt"
"os"
"runtime"
"sort"
"strconv"
"strings"
"time"
"github.com/anthonybm/Orion/engine"
"github.com/anthonybm/Orion/instance"
"go.uber.org/zap"
"github.com/akamensky/argparse"
)
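// Process exit statuses. Every failure path previously fell off the end of
// main, so argument errors, a failed instance setup and module execution
// errors all exited with status 0 and were invisible to calling scripts.
const (
	exitOK      = 0
	exitFailure = 1
	exitUsage   = 2
)

// main is the Orion CLI entry point. The real work lives in run so that
// deferred cleanup (flushing the logger) executes before os.Exit is called.
func main() {
	os.Exit(run(os.Args))
}

// run parses the command line, builds the Orion instance, enforces the
// privilege requirement and executes the configured modules.
//
// args is the full argument vector (args[0] is the program name, as
// argparse expects). The return value is the process exit status: exitUsage
// for unparsable arguments, exitFailure for any other error, exitOK otherwise.
func run(args []string) int {
	var (
		// Identifier for this invocation; colons are stripped from the RFC3339
		// timestamp so the value is usable in file names on every OS.
		orionRuntime = "Orion_" + strings.ReplaceAll(time.Now().UTC().Format(time.RFC3339), ":", "_")
		orionVersion = "0.2.0-alpha"
	)

	// Argument parsing
	parser := argparse.NewParser("Orion", "Orion framework for triage of relevant incident response and forensics artifacts from various operating systems")
	listmodules := parser.Flag("", "list", &argparse.Options{
		Required: false,
		Help:     "List available modules.",
	})
	loglevel := parser.Selector("l" /*short arg name*/, "log-level" /*long arg name*/, []string{"none", "info", "debug", "error"}, &argparse.Options{
		Required: false,
		Help:     "Set the logging level, or set it to none.",
		Default:  "info",
	})
	mode := parser.Selector("m", "mode", []string{"mac", "windows"}, &argparse.Options{
		Required: true,
		Help:     "Set the mode for Orion, used for config parsing and module selection.",
	})
	noMultithreading := parser.Flag("M", "no-multithread", &argparse.Options{
		Required: false,
		Default:  false,
		Help:     "If flag is enabled, multithreading is disabled.",
	})
	outputformat := parser.Selector("f", "output-format", []string{"csv", "json", "sqlite", "xlsx"}, &argparse.Options{
		Required: false,
		Default:  "csv",
		Help:     "Set the output format file type.",
	})
	// NOTE(review): the default is relative to the current working directory.
	// Because Orion normally runs as root/admin, callers should prefer an
	// absolute path so output is not written wherever the tool happened to be
	// launched from.
	outputPath := parser.String("o", "output-dir", &argparse.Options{
		Required: false,
		Default:  "Output/",
		Help:     "Set the output directory for files generated by Orion.",
	})
	configpath := parser.String("c", "config", &argparse.Options{
		Required: true,
		Help:     "Set the config path",
	})
	// -T disables the privilege check below; it is a development aid, not a
	// supported way to run a triage.
	testingMode := parser.Flag("T", "testing-mode", &argparse.Options{
		Required: false,
		Default:  false,
		Help:     "Enable testing mode for development purposes only.",
	})
	forensicMode := parser.Flag("F", "forensic", &argparse.Options{
		Required: false,
		Default:  false,
		Help:     "Enable Forensic mode - safer artifact parsing where applicable and can treat target path as Mounted Volume/Mounted Evidence",
	})
	targetPath := parser.String("t", "target", &argparse.Options{
		Required: false,
		Default:  "/",
		Help:     "Specify the root target path to reference artifacts from - i.e. <target>/pathToPlist.plist",
	})

	// Return immediately if failed to parse args
	if err := parser.Parse(args); err != nil {
		fmt.Fprintf(os.Stderr, "[Main] Failed to parse command line arguments: %s\n", err)
		fmt.Print(parser.Usage(err))
		return exitUsage
	}

	// Instantiate new Orion instance and handle any errors.
	// This runs before the privilege check so that --list works for an
	// unprivileged user; anything NewInstance does on disk (config parsing,
	// logger setup, possibly creating the output directory — confirm in
	// package instance) therefore happens regardless of that check.
	inst, err := instance.NewInstance(*targetPath, *outputformat, *outputPath, orionRuntime, *loglevel, *configpath, *mode, *noMultithreading, *forensicMode)
	if err != nil {
		fmt.Fprintf(os.Stderr, "[Main] Failed to instantiate Orion instance: %s\n", err)
		return exitFailure
	}

	// Flush buffered log output on every exit path below. zap.L() is the
	// global logger, presumably configured by NewInstance from loglevel
	// (confirm in package instance). Sync is known to fail harmlessly when
	// the sink is a terminal, so its error is deliberately ignored.
	defer func() { _ = zap.L().Sync() }()

	// Handle flags that return immediately
	if *listmodules {
		// Grab string list of modules to execute from config, throw error if field does not exist
		modulesToExecute, err := inst.GetOrionModules()
		if err != nil {
			fmt.Fprintf(os.Stderr, "[Main] Failed to grab Orion modules from config file: %s\n", err)
			return exitFailure
		}
		if len(modulesToExecute) == 0 {
			fmt.Fprintln(os.Stderr, "[Main] No Orion modules were grabbed from config file")
			return exitFailure
		}
		sort.Strings(modulesToExecute)
		fmt.Fprintf(os.Stdout, "[Main] Running the following modules: \n")
		for _, moduleName := range modulesToExecute {
			fmt.Fprintf(os.Stdout, "\t%s\n", moduleName)
		}
		return exitOK
	}

	// Check that Orion was run with root/admin permissions. The original check
	// compared os.Geteuid() with 0, which always fails on Windows (Geteuid
	// returns -1 there), so windows-mode runs could only proceed with -T.
	if *testingMode {
		zap.L().Warn(strings.ToUpper("Bypassing Root/Admin requirement via Testing Mode Flag"))
	} else if !isPrivileged() {
		fmt.Fprintln(os.Stderr, "[Main] Root/Admin required, please run Orion with Root/Admin privileges")
		return exitFailure
	}

	// Check if Orion was run in forensic mode
	if inst.ForensicMode() {
		zap.L().Info("Running Orion in Forensic mode targeting '" + inst.GetTargetPath() + "'")
	}

	// [BEGIN] Final debug statements before execution
	zap.L().Debug("Orion Version: " + orionVersion)
	zap.L().Debug("GOMAXPROCS: " + strconv.Itoa(runtime.GOMAXPROCS(0)))
	zap.L().Debug("Target Path: " + inst.GetTargetPath())
	if *testingMode { // print some testing information
		fmt.Fprint(os.Stdout, "Multithreading enabled is:", !*noMultithreading, "\n")
		// Grab string list of modules to execute from config, throw error if field does not exist
		modulesToExecute, err := inst.GetOrionModules()
		if err != nil {
			fmt.Fprintf(os.Stderr, "Failed to grab Orion modules from config file: %s\n", err)
			return exitFailure
		}
		if len(modulesToExecute) == 0 {
			fmt.Fprintln(os.Stderr, "No Orion modules were grabbed from config file")
			return exitFailure
		}
		fmt.Fprintf(os.Stdout, "Running the following '"+inst.GetOrionMode()+"' modules: \n")
		prefix := modePrefix(inst.GetOrionMode())
		for _, moduleName := range modulesToExecute {
			// Print the module name with its mode prefix stripped. The
			// original indexed Split(...)[1] unconditionally and panicked on
			// any module name that did not contain the prefix.
			display := moduleName
			if parts := strings.Split(moduleName, prefix); len(parts) > 1 {
				display = parts[1]
			}
			fmt.Fprintf(os.Stdout, "\t%s\n", display)
		}
	}
	zap.L().Info("Finished Orion setup. Beginning main execution")
	// [END] Final debug statements before execution

	// Execute modules
	if err := engine.Execute(inst); err != nil {
		zap.L().Error(err.Error())
		return exitFailure
	}
	return exitOK
}

// isPrivileged reports whether the process has the elevated rights Orion
// needs to read system artifacts. On Unix-like systems that means an
// effective uid of 0. os.Geteuid always returns -1 on Windows, so there the
// check falls back to a heuristic: only an elevated process can open the
// first physical disk for reading. The heuristic can report false on unusual
// hosts (no PHYSICALDRIVE0, restrictive policies); -T still bypasses it.
func isPrivileged() bool {
	if runtime.GOOS != "windows" {
		return os.Geteuid() == 0
	}
	f, err := os.Open(`\\.\PHYSICALDRIVE0`)
	if err != nil {
		return false
	}
	f.Close()
	return true
}

// modePrefix returns mode lower-cased with its first byte upper-cased, which
// is the prefix module names carry ("mac" -> "Mac", "windows" -> "Windows").
// For the single-word ASCII modes accepted by the -m selector this matches
// the (deprecated) strings.Title call it replaces.
func modePrefix(mode string) string {
	m := strings.ToLower(mode)
	if m == "" {
		return m
	}
	return strings.ToUpper(m[:1]) + m[1:]
}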