  1. #!/bin/sh -
  2. #===============================================================================
  3. # vim: softtabstop=4 shiftwidth=4 expandtab fenc=utf-8 spell spelllang=en cc=81
  4. #===============================================================================
  5.  
  6.  
  7. #--- FUNCTION ----------------------------------------------------------------
  8. # NAME: __function_defined
  9. # DESCRIPTION: Checks if a function is defined within this script's scope
  10. # PARAMETERS: function name
  11. # RETURNS: 0 or 1 as in defined or not defined
  12. #-------------------------------------------------------------------------------
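__function_defined() {
    FUNC_NAME=$1
    # command -v reports builtins and executables on PATH as well as shell
    # functions, so "found" means "callable from this script", not strictly
    # "defined as a function". The name is quoted so a value containing
    # spaces or glob characters is looked up literally.
    if command -v "$FUNC_NAME" > /dev/null 2>&1; then
        echoinfo "Found function $FUNC_NAME"
        return 0
    fi

    echodebug "$FUNC_NAME not found...."
    return 1
}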
  23.  
  24. #--- FUNCTION ----------------------------------------------------------------
  25. # NAME: __strip_duplicates
  26. # DESCRIPTION: Strip duplicate strings
  27. #-------------------------------------------------------------------------------
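__strip_duplicates() {
    # Emit each argument, split on whitespace, one item per line, keeping
    # only the first occurrence of each item. printf is used instead of
    # "echo $@" so an argument such as "-n" is not swallowed as an echo
    # option and an argument such as "*.txt" is not expanded by the shell.
    printf '%s\n' "$@" | tr -s '[:space:]' '\n' | awk '!x[$0]++'
}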
  31.  
  32. #--- FUNCTION ----------------------------------------------------------------
  33. # NAME: echoerror
  34. # DESCRIPTION: Echo errors to stderr.
  35. #-------------------------------------------------------------------------------
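echoerror() {
    # All arguments are joined into one line and passed through %s, so a
    # '%' or backslash in the message is printed literally instead of being
    # interpreted as a printf directive. Output goes to stderr.
    printf "${RC} * ERROR${EC}: %s\n" "$*" 1>&2
}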
  39.  
  40. #--- FUNCTION ----------------------------------------------------------------
  41. # NAME: echoinfo
  42. # DESCRIPTION: Echo information to stdout.
  43. #-------------------------------------------------------------------------------
echoinfo() {
    # printf reuses the format for every remaining argument, so each
    # argument becomes its own INFO line on stdout.
    _fmt="${GC} * INFO${EC}: %s\n"
    printf "$_fmt" "$@"
}
  47.  
  48. #--- FUNCTION ----------------------------------------------------------------
  49. # NAME: echowarn
  50. # DESCRIPTION: Echo warning information to stdout.
  51. #-------------------------------------------------------------------------------
echowarn() {
    # printf reuses the format for every remaining argument, so each
    # argument becomes its own WARN line on stdout.
    _fmt="${YC} * WARN${EC}: %s\n"
    printf "$_fmt" "$@"
}
  55.  
  56. #--- FUNCTION ----------------------------------------------------------------
  57. # NAME: echodebug
  58. # DESCRIPTION: Echo debug information to stdout.
  59. #-------------------------------------------------------------------------------
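echodebug() {
    # Print only when debug output has been switched on by the caller.
    # Both variables are read with defaults (disabled) so that an unset
    # pair yields silence rather than a "[: -eq: unary operator expected"
    # error on every call.
    if [ "${_ECHO_DEBUG:-0}" -eq "${BS_TRUE:-1}" ]; then
        printf "${BC} * DEBUG${EC}: %s\n" "$@"
    fi
}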
  65.  
  66. #---  FUNCTION  ----------------------------------------------------------------
  67. #          NAME:  __apt_get_install_noinput
  68. #   DESCRIPTION:  (DRY) apt-get install with noinput options
  69. #-------------------------------------------------------------------------------
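__apt_get_install_noinput() {
    # One argument per package. "$@" keeps them as separate words; the
    # exit status of apt-get is returned unchanged.
    apt-get install -y -o DPkg::Options::=--force-confold "$@"
}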
  73.  
  74. #---  FUNCTION  ----------------------------------------------------------------
  75. #          NAME:  __apt_get_upgrade_noinput
  76. #   DESCRIPTION:  (DRY) apt-get upgrade with noinput options
  77. #-------------------------------------------------------------------------------
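__apt_get_upgrade_noinput() {
    # Any extra arguments are passed through as separate words; the exit
    # status of apt-get is returned unchanged.
    apt-get upgrade -y -o DPkg::Options::=--force-confold "$@"
}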
  81.  
  82. #---  FUNCTION  ----------------------------------------------------------------
  83. #          NAME:  __pip_install_noinput
  84. #   DESCRIPTION:  (DRY)
  85. #-------------------------------------------------------------------------------
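__pip_install_noinput() {
    # One argument per package. Packages are fetched unpinned with
    # --upgrade, so each run may pull a newer release; pin versions (and
    # ideally hashes) if reproducible installs are required.
    pip install --upgrade "$@"
}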
  89.  
  90.  
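#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  __enable_universe_repository
#   DESCRIPTION:  Add the Ubuntu "universe" component unless a sources entry
#                 already references it. Returns 0 on success, 1 otherwise.
#-------------------------------------------------------------------------------
__enable_universe_repository() {
    # Already enabled if any non-commented sources line mentions "universe".
    if grep -R universe /etc/apt/sources.list /etc/apt/sources.list.d/ | grep -qv '#'; then
        return 0
    fi

    echodebug "Enabling the universe repository"

    # Fall back to the release detected at the top of the script (VER) when
    # the DISTRO_* variables were not set by the caller.
    _major=${DISTRO_MAJOR_VERSION:-${VER%%.*}}
    _minor=${DISTRO_MINOR_VERSION:-${VER#*.}}
    _codename=$(lsb_release -sc)

    # Ubuntu versions higher than 12.04 do not live in the old repositories.
    # Each branch returns on its own so that only one entry is added.
    if [ "$_major" -gt 12 ] || { [ "$_major" -eq 12 ] && [ "$_minor" -gt 4 ]; }; then
        add-apt-repository -y "deb http://archive.ubuntu.com/ubuntu $_codename universe" || return 1
        return 0
    fi

    # Below Ubuntu 11.10, the -y flag to add-apt-repository is not supported
    if [ "$_major" -lt 11 ] || { [ "$_major" -eq 11 ] && [ "$_minor" -lt 10 ]; }; then
        add-apt-repository "deb http://old-releases.ubuntu.com/ubuntu $_codename universe" || return 1
        return 0
    fi

    add-apt-repository -y "deb http://old-releases.ubuntu.com/ubuntu $_codename universe" || return 1

    return 0
}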
  111.  
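#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  __check_unparsed_options
#   DESCRIPTION:  Exit with usage if $1 still contains something that looks
#                 like a command-line option (options must precede arguments).
#-------------------------------------------------------------------------------
__check_unparsed_options() {
    shellopts="$1"
    # grep alternative for SunOS
    if [ -f /usr/xpg4/bin/grep ]; then
        grep='/usr/xpg4/bin/grep'
    else
        grep='grep'
    fi
    # printf rather than echo: an argument such as "-n" would otherwise be
    # consumed as an echo option and slip past the check below.
    unparsed_options=$( printf '%s\n' "$shellopts" | ${grep} -E '(^|[[:space:]])[-]+[[:alnum:]]' )
    if [ "x$unparsed_options" != "x" ]; then
        usage
        echo
        echoerror "options are only allowed before install arguments"
        echo
        exit 1
    fi
}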
  129.  
configure_cpan() {
    # Feed cpan its answers on stdin so no interactive prompt blocks the
    # bootstrap: the first line presumably confirms initial setup, then the
    # prerequisites policy is set to "follow" and the config committed.
    printf '%s\n' 'y' 'o conf prerequisites_policy follow' 'o conf commit' | cpan > /dev/null
}
  133.  
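#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  usage
#   DESCRIPTION:  Print the option summary. It does not exit, so the caller
#                 chooses the status (-h exits 0, option errors exit 1).
#-------------------------------------------------------------------------------
usage() {
    cat <<EOF
Usage: ${0##*/} [-h] [-v] [-c] [-s] [-i] [-y] [dev|stable]

  -h  show this help and exit
  -v  print the script version and exit
  -c  configure only: no package installation and no skin
  -s  apply the SIFT skin to the desktop (requires -y)
  -i  install packages (the default)
  -y  answer yes to all prompts

The install type defaults to "stable".
EOF
}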
  138.  
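#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  install_ubuntu_deps
#   DESCRIPTION:  Refresh apt, enable universe and the ppa:sift/<type> PPA,
#                 then upgrade. $1 is the install type (dev|stable).
#                 Returns 0 on success, 1 on the first failing step.
#-------------------------------------------------------------------------------
install_ubuntu_deps() {
    apt-get update || return 1

    __apt_get_install_noinput python-software-properties || return 1

    __enable_universe_repository || return 1

    # Only the first argument names the PPA; it is quoted so the exact
    # install type is used.
    add-apt-repository -y "ppa:sift/$1" || return 1

    apt-get update || return 1

    __apt_get_upgrade_noinput || return 1

    return 0
}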
  154.  
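#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  install_ubuntu
#   DESCRIPTION:  Install the SIFT package set via apt. $1 is the install type
#                 (dev|stable); the two branches are placeholders that
#                 currently leave the list unchanged. Returns 0 or 1.
#-------------------------------------------------------------------------------
install_ubuntu() {
    packages="sift sift-scripts 4n6time-static aeskeyfind afflib-tools afterglow aircrack-ng arp-scan autopsy binplist bitpim bitpim-lib bless blt build-essential bulk-extractor cabextract clamav cryptsetup dc3dd dconf-tools dff dumbpig e2fslibs-dev ent epic5 etherape exif extundelete f-spot fdupes flare flasm flex foremost fuse-utils g++ gcc gdb ghex gthumb hal hal-info hexedit honeyd htop hydra hydra-gtk ipython kdiff3 kpartx libafflib0 libafflib-dev libbde libbde-tools libesedb libesedb-tools libevt libevt-tools libevtx libevtx-tools libewf libewf-dev libewf-python libewf-tools libfuse-dev libfvde libfvde-tools liblightgrep libmsiecf libnet1 libolecf libparse-win32registry-perl libregf libregf-dev libregf-python libregf-tools libssl-dev libtext-csv-perl libvshadow libvshadow-dev libvshadow-python libvshadow-tools libxml2-dev maltegoce md5deep myunity nbd-client netcat netpbm nfdump ngrep ntopng okular openjdk-6-jdk p7zip-full phonon pv pyew python python-dev python-pip python-analyzemft python-flowgrep python-nids python-ntdsxtract python-pefile python-plaso python-qt4 python-tk pytsk3 rsakeyfind safecopy sleuthkit ssdeep ssldump stunnel4 tcl tcpflow tcpstat tcptrace tofrodos torsocks transmission unrar upx-ucl vbindiff virtuoso-minimal winbind wine wireshark xmount zenity regripper jd-gui cmospwd ophcrack ophcrack-cli bkhive samdump2 cryptcat outguess bcrypt ccrypt readpst ettercap-graphical driftnet tcpreplay tcpxtract tcptrack p0f netwox lft netsed socat knocker nikto nbtscan radare-gtk python-yara gzrt testdisk scalpel qemu qemu-utils gddrescue dcfldd vmfs-tools guymager mantaray python-fuse samba open-iscsi curl git system-config-samba libpff libpff-dev libpff-tools libpff-python xfsprogs gawk fuse-exfat exfat-utils"

    # Compare the first argument only; "$@" inside [ ] breaks as soon as
    # more than one argument is passed.
    if [ "$1" = "dev" ]; then
        packages="$packages"
    elif [ "$1" = "stable" ]; then
        packages="$packages"
    fi

    # Unquoted on purpose: the list is a space-separated string that must
    # split into one argument per package.
    __apt_get_install_noinput $packages || return 1

    return 0
}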
  168.  
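#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  install_pip_packages
#   DESCRIPTION:  Install the pip package set. $1 is the install type
#                 (dev|stable); the two branches are placeholders that
#                 currently leave the list unchanged. Returns 0 or 1.
#-------------------------------------------------------------------------------
install_pip_packages() {
    pip_packages="rekall docopt python-evtx python-registry"

    # Compare the first argument only; "$@" inside [ ] breaks as soon as
    # more than one argument is passed.
    if [ "$1" = "dev" ]; then
        pip_packages="$pip_packages"
    elif [ "$1" = "stable" ]; then
        pip_packages="$pip_packages"
    fi

    # Unquoted on purpose: the list is a space-separated string that must
    # split into one argument per package.
    __pip_install_noinput $pip_packages || return 1

    return 0
}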
  182.  
install_perl_modules() {
    # Required by macl.pl script. Only stdout is discarded, so cpan
    # errors on stderr stay visible; the exit status is perl's.
    perl -MCPAN -e 'install Net::Wigle' > /dev/null
}
  187.  
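#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  __ensure_symlink
#   DESCRIPTION:  Create symlink $2 -> $1 unless something already exists
#                 at $2. -e is false for a dangling link, hence the extra -L.
#-------------------------------------------------------------------------------
__ensure_symlink() {
    if [ ! -e "$2" ] && [ ! -L "$2" ]; then
        ln -s "$1" "$2"
    fi
}

#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  configure_ubuntu
#   DESCRIPTION:  Create the /cases directory, the /mnt mount points and the
#                 convenience symlinks in /usr/bin. Requires SUDO_USER.
#-------------------------------------------------------------------------------
configure_ubuntu() {
    # /cases is owned by the invoking user, group-writable and setgid.
    # ${SUDO_USER:?} aborts instead of running chown with an empty owner.
    if [ ! -d /cases ]; then
        mkdir -p /cases
        chown "${SUDO_USER:?SUDO_USER must be set}:${SUDO_USER}" /cases
        chmod 775 /cases
        chmod g+s /cases
    fi

    # mkdir -p succeeds silently for existing directories, so no guards.
    for _dir in usb vss shadow windows_mount e01 aff ewf bde iscsi; do
        mkdir -p "/mnt/$_dir"
    done

    _num=1
    while [ "$_num" -le 5 ]; do
        mkdir -p "/mnt/windows_mount$_num" "/mnt/ewf$_num"
        _num=$((_num + 1))
    done

    _num=1
    while [ "$_num" -le 30 ]; do
        mkdir -p "/mnt/shadow/vss$_num" "/mnt/shadow_mount/vss$_num"
        _num=$((_num + 1))
    done

    # Each link is skipped when a file or link already occupies the name, so
    # a pre-existing regular file does not make ln fail.
    __ensure_symlink /usr/bin/vol /usr/bin/vol.py
    __ensure_symlink /usr/bin/log2timeline_legacy /usr/bin/log2timeline
    __ensure_symlink /usr/bin/gedit /usr/bin/kedit
    __ensure_symlink /usr/bin/ewfmount /usr/bin/mount_ewf.py
}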
  236.  
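#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  __append_line_once
#   DESCRIPTION:  Append line $2 to file $3 unless a case-insensitive grep
#                 for pattern $1 already matches in it.
#-------------------------------------------------------------------------------
__append_line_once() {
    if ! grep -i "$1" "$3" > /dev/null 2>&1; then
        printf '%s\n' "$2" >> "$3"
    fi
}

#---  FUNCTION  ----------------------------------------------------------------
#          NAME:  configure_ubuntu_skin
#   DESCRIPTION:  Apply the SIFT desktop look, install sift-files, set up
#                 samba, the hostname and shell aliases. Requires SUDO_USER
#                 and runs as root. Best effort: individual steps may fail
#                 without aborting the function.
#-------------------------------------------------------------------------------
configure_ubuntu_skin() {
    _user=${SUDO_USER:?SUDO_USER must be set}
    _home="/home/$_user"
    _desktop="$_home/Desktop"
    _autostart="$_home/.config/autostart"

    if [ ! -d "$_autostart" ]; then
        sudo -u "$_user" mkdir -p "$_autostart"
    fi

    sudo -u "$_user" gsettings set org.gnome.desktop.background picture-uri file:///usr/share/sift/images/forensics_blue.jpg
    sudo -u "$_user" dconf write /desktop/unity/launcher/favorites "['nautilus.desktop', 'gnome-terminal.desktop', 'firefox.desktop', 'gnome-screenshot.desktop', 'gcalctool.desktop', 'bless.desktop', 'dff.desktop', 'autopsy.desktop', 'wireshark.desktop']"

    if [ ! -L "$_desktop/cases" ]; then
        sudo -u "$_user" ln -s /cases "$_desktop/cases"
    fi

    if [ ! -L "$_desktop/mount_points" ]; then
        sudo -u "$_user" ln -s /mnt "$_desktop/mount_points"
    fi

    # Clean up broken symlinks
    find -L "$_desktop" -type l -delete

    for _file in /usr/share/sift/resources/*.pdf; do
        # An unmatched glob leaves the literal pattern; skip it.
        [ -e "$_file" ] || continue
        _base=${_file##*/}
        if [ ! -L "$_desktop/$_base" ]; then
            sudo -u "$_user" ln -s "$_file" "$_desktop/$_base"
        fi
    done

    # Copy the autostart entry only when the target file is not there yet
    # (checking the directory itself for -L was never true, so the copy
    # ran on every invocation).
    if [ ! -e "$_autostart/gnome-terminal.desktop" ]; then
        sudo -u "$_user" cp /usr/share/sift/other/gnome-terminal.desktop "$_autostart"
    fi

    # Keep the stock greeter logo before replacing it. The script already
    # runs as root, so no sudo is needed for these copies.
    if [ ! -e /usr/share/unity-greeter/logo.png.ubuntu ]; then
        cp /usr/share/unity-greeter/logo.png /usr/share/unity-greeter/logo.png.ubuntu
        cp /usr/share/sift/images/login_logo.png /usr/share/unity-greeter/logo.png
    fi

    gsettings set com.canonical.unity-greeter background file:///usr/share/sift/images/forensics_blue.jpg

    # Checkout code from sift-files and put these files into place.
    # The clone goes into a fresh mktemp directory rather than a fixed,
    # predictable /tmp path, and install.sh is run in a subshell only when
    # the clone and the cd succeeded -- otherwise "bash install.sh" would
    # execute in whatever the current directory happens to be.
    _clone_dir=$(mktemp -d) || return 1
    if git clone https://github.com/sans-dfir/sift-files "$_clone_dir/sift-files"; then
        ( cd "$_clone_dir/sift-files" && bash install.sh )
    else
        echoerror "Unable to clone sift-files; skin files were not installed"
    fi
    rm -r -f "$_clone_dir"

    # Make sure we replace the SIFT_USER template with our actual
    # user so there is write permissions to samba.
    sed -i "s/SIFT_USER/$_user/g" /etc/samba/smb.conf

    # Restart samba services
    service smbd restart
    service nmbd restart

    # Disable services
    update-rc.d tor disable

    # Make sure to remove all ^M from regripper plugins
    # Not sure why they are there in the first place ...
    dos2unix -ascii /usr/share/regripper/*

    # The old name is used as a sed pattern, so a name containing regex
    # metacharacters would match more than intended.
    _old_hostname=$(hostname)
    sed -i "s/$_old_hostname/siftworkstation/g" /etc/hosts
    echo "siftworkstation" > /etc/hostname
    hostname siftworkstation

    # NOTE(review): $HOME is root's or the sudo caller's depending on sudo's
    # env handling -- confirm which one these entries are meant for.
    __append_line_once "set -o noclobber" "set -o noclobber" "$HOME/.bashrc"
    __append_line_once "alias mountwin" "alias mountwin='mount -o ro,loop,show_sys_files,streams_interface=windows'" "$HOME/.bash_aliases"

    # For SIFT VM, root is used frequently, set the alias there too.
    __append_line_once "alias mountwin" "alias mountwin='mount -o ro,loop,show_sys_files,streams_interface=windows'" /root/.bash_aliases
}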
  319.  
  320.  
complete_message() {
    # Final banner on stdout; the quoted delimiter keeps the text literal.
    cat <<'EOF'

Installation Complete!

The documentation included with the SIFT package is for the 2.14 version
it is included as a reference, but please realize there may be things that
do not apply

New documentation is in the works.

http://sift.readthedocs.org

EOF
}
  334.  
complete_message_skin() {
    # Reminder printed after the skin step renamed the host.
    cat <<'EOF'
The hostname was changed, you should relogin or reboot for it to take full effect.

sudo reboot

EOF
}
  341.  
  342. CONFIGURE_ONLY=0
  343. SKIN=0
  344. INSTALL=1
  345. YESTOALL=0
  346.  
  347. OS=$(lsb_release -si)
  348. ARCH=$(uname -m | sed 's/x86_//;s/i[3-6]86/32/')
  349. VER=$(lsb_release -sr)
  350.  
  351.  
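# Pre-flight checks. Every expansion is quoted so an empty value (e.g. when
# lsb_release is missing) fails the check instead of raising a
# "[: unary operator expected" error that lets the script carry on.
if [ "$OS" != "Ubuntu" ]; then
    echo "SIFT is only installable on Ubuntu operating systems at this time."
    exit 1
fi

if [ "$ARCH" != "64" ]; then
    echo "SIFT is only installable on a 64 bit architecture at this time."
    exit 2
fi

if [ "$VER" != "12.04" ]; then
    echo "SIFT is only installable on Ubuntu 12.04 at this time."
    exit 3
fi

# Check the uid rather than the account name reported by whoami.
if [ "$(id -u)" -ne 0 ]; then
    echo "SIFT Bootstrap must be run as root!"
    exit 3
fi

if [ -z "$SUDO_USER" ]; then
    echo "The SUDO_USER variable doesn't seem to be set"
    exit 4
fi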
  376.  
  377.  
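# Option parsing. Each flag sets one of the switches initialised above;
# -h and -v print and leave immediately.
while getopts ":hvcsiy" opt
do
case "${opt}" in
    h ) usage; exit 0 ;;
    # __ScriptVersion is not assigned in this file; print "unknown" then.
    v ) echo "$0 -- Version ${__ScriptVersion:-unknown}"; exit 0 ;;
    s ) SKIN=1 ;;
    i ) INSTALL=1 ;;
    c ) CONFIGURE_ONLY=1; INSTALL=0; SKIN=0 ;;
    y ) YESTOALL=1 ;;
    \?) echo
        echoerror "Option does not exist: $OPTARG"
        usage
        exit 1
        ;;
esac
done

shift $((OPTIND - 1))

# The first non-option argument is the install type; default to "stable".
if [ "$#" -eq 0 ]; then
    ITYPE="stable"
else
    __check_unparsed_options "$*"
    ITYPE=$1
    shift
fi

# Check installation type. An exact match is required; a substring match
# would also accept values such as "devel".
case "$ITYPE" in
    dev|stable) ;;
    *)
        echoerror "Installation type \"$ITYPE\" is not known..."
        exit 1
        ;;
esac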
  410.  
  411.  
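echo "Welcome to the SIFT Bootstrap"
echo "This script will now proceed to configure your system."

if [ "$YESTOALL" -eq 1 ]; then
    echo "You supplied the -y option, this script will not exit for any reason"
fi

if [ "$SKIN" -eq 1 ] && [ "$YESTOALL" -eq 0 ]; then
    echo
    echo "You have chosen to apply the SIFT skin to your ubuntu system."
    echo
    echo "You did not choose to say YES to all, so we are going to exit."
    echo
    echo "Your current user is: $SUDO_USER"
    echo
    echo "Re-run this command with the -y option"
    echo
    exit 10
fi

# The install steps signal failure with a non-zero return; stop at the
# first one rather than configuring a half-installed system.
if [ "$INSTALL" -eq 1 ] && [ "$CONFIGURE_ONLY" -eq 0 ]; then
    install_ubuntu_deps "$ITYPE" || { echoerror "Installing dependencies failed"; exit 5; }
    install_ubuntu "$ITYPE" || { echoerror "Installing SIFT packages failed"; exit 6; }
    install_pip_packages "$ITYPE" || { echoerror "Installing pip packages failed"; exit 7; }
    configure_cpan
    install_perl_modules
fi

configure_ubuntu

if [ "$SKIN" -eq 1 ]; then
    configure_ubuntu_skin
fi

complete_message

if [ "$SKIN" -eq 1 ]; then
    complete_message_skin
fi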