public ActionResult Invoke(FileExtractionViewModel viewModel)
{
if (ModelState.IsValid)
{
try
{
string protocol = "\"http://";
if (Request.IsSecureConnection)
{
protocol = "\"https://";
}
string url = protocol + Request.Headers["Host"] + "/forensics/file-extraction/receiver\"";
PSRemoting ps = new PSRemoting(viewModel.ComputerName, config.FALCON_FORENSICS_USERNAME, config.FALCON_FORENSICS_PASSWORD, config.FALCON_FORENSICS_DOMAIN);
FileExtraction extraction = new FileExtraction(ps);
Dictionary <string, string> mapper = new Dictionary <string, string>();
mapper.Add("{{FilePath}}", "\"" + viewModel.FilePath + "\"");
mapper.Add("{{URL}}", url);
var model = GetFileMetadata(mapper, extraction);
this.UploadFile(mapper, extraction);
ViewBag.FileName = viewModel.FilePath.Split('\\').Last();
return(PartialView("~/Areas/Forensics/Views/FileExtraction/_DownloadLink.cshtml", model));
}
catch (Exception e)
{
ModelState.AddModelError(String.Empty, e.Message);
}
}
List <string> errors = ModelState.Where(x => x.Value.Errors.Count > 0).SelectMany(x => x.Value.Errors).Select(x => x.ErrorMessage).ToList();
return(PartialView("_ValidationError", errors));
}
public ActionResult InvokeFromDetection(string computerName, string filePath)
{
try
{
string protocol = "\"http://";
if (Request.IsSecureConnection)
{
protocol = "\"https://";
}
string url = protocol + Request.Headers["Host"] + "/forensics/file-extraction/receiver\"";
PSRemoting ps = new PSRemoting(computerName, config.FALCON_FORENSICS_USERNAME, config.FALCON_FORENSICS_PASSWORD, config.FALCON_FORENSICS_DOMAIN);
FileExtraction extraction = new FileExtraction(ps);
////When submitted from a detection edit view, you need to convert the full device path to the appropriate drive letter first
string command = System.IO.File.ReadAllText(Server.MapPath("~/App_Data/Scripts/Get-DevicePath.ps1"));
Dictionary <string, string> map = extraction.GetDevicePaths(command);
string driveLetter = map[string.Join("\\", filePath.Split('\\').Take(3).ToArray())];
string path = driveLetter + "\\" + string.Join("\\", filePath.Split('\\').Skip(3).ToArray());
Dictionary <string, string> mapper = new Dictionary <string, string>();
mapper.Add("{{FilePath}}", "\"" + path + "\"");
mapper.Add("{{URL}}", url);
this.UploadFile(mapper, extraction);
return(new EmptyResult());
}
catch (Exception e)
{
ModelState.AddModelError(String.Empty, e.Message);
List <string> errors = ModelState.Where(x => x.Value.Errors.Count > 0).SelectMany(x => x.Value.Errors).Select(x => x.ErrorMessage).ToList();
return(PartialView("_ValidationError", errors));
}
}
private FileMetadata GetFileMetadata(Dictionary <string, string> mapping, FileExtraction extraction)
{
string command = System.IO.File.ReadAllText(Server.MapPath("~/App_Data/Scripts/Get-FileAttributes.ps1"));
command = PSRemoting.CommandMapping(command, mapping);
return(extraction.GetFileMetadata(command));
}
private void UploadFile(Dictionary <string, string> mapping, FileExtraction extraction)
{
string command = System.IO.File.ReadAllText(Server.MapPath("~/App_Data/Scripts/Get-RemoteFile.ps1"));
command = PSRemoting.CommandMapping(command, mapping);
extraction.UploadFile(command);
}
public ActionResult InvokeFromBrowser(string computerName, string filePath)
{
try
{
string protocol = "\"http://";
if (Request.IsSecureConnection)
{
protocol = "\"https://";
}
string url = protocol + Request.Headers["Host"] + "/forensics/file-extraction/receiver\"";
PSRemoting ps = new PSRemoting(computerName, config.FALCON_FORENSICS_USERNAME, config.FALCON_FORENSICS_PASSWORD, config.FALCON_FORENSICS_DOMAIN);
FileExtraction extraction = new FileExtraction(ps);
Dictionary <string, string> mapper = new Dictionary <string, string>();
mapper.Add("{{FilePath}}", "\"" + filePath + "\"");
mapper.Add("{{URL}}", url);
this.UploadFile(mapper, extraction);
return(new EmptyResult());
}
catch (Exception e)
{
ModelState.AddModelError(String.Empty, e.Message);
List <string> errors = ModelState.Where(x => x.Value.Errors.Count > 0).SelectMany(x => x.Value.Errors).Select(x => x.ErrorMessage).ToList();
return(PartialView("_ValidationError", errors));
}
}
private void WriteToFileCsv(StreamWriter writer)
{
if (this is FileNode file)
{
var info = file.FileInformation;
if (info.region)
{
for (int i = 0; i < 14; i++)
{
info = new FileInformation(file.ArcPath, i);
writer.WriteLine($"{FileExtraction.GetRegionalPath(FullPath)},{info.ArcOffset},{info.CompressedSize:X},{info.DecompressedSize:X}");
}
}
else
{
writer.WriteLine($"{FullPath},{info.ArcOffset},{info.CompressedSize:X},{info.DecompressedSize:X}");
}
}
if (GetType() == typeof(FolderNode))
{
foreach (var s in SubNodes)
{
s.WriteToFileCsv(writer);
}
}
}
private void ExtractFileInformation()
{
int index = 1;
foreach (var file in toExtract)
{
string path = file.FullPath.Replace(":", "");
Directory.CreateDirectory(Path.GetDirectoryName(path) + "\\");
bool regional = MainForm.ArcFile.IsRegional(file.ArcPath);
if (regional && MainForm.SelectedRegion == 14)
{
FileExtraction.ExtractAllRegions(path, file.ArcPath, DecompressFiles, UseOffsetName);
}
else
{
if (regional)
{
path = path.Replace(Path.GetExtension(path), FileExtraction.RegionTags[MainForm.SelectedRegion] + Path.GetExtension(path));
}
FileExtraction.SaveFile(path, file.ArcPath, MainForm.SelectedRegion, DecompressFiles, UseOffsetName);
}
UpdateProgress(GetPercentage(index, toExtract.Length), path);
index++;
}
UpdateProgress(100, "Done");
// Make sure the completion message stays on screen long enough to be read.
Thread.Sleep(500);
UpdateProgress(101, "Done");
}
