Merge branch 'master' into master

2025-04-21 07:16:17 -04:00 · 2024-02-04 00:45:33 +00:00 · 2024-02-04 00:45:33 +00:00 · c3b89efd9a
commit c3b89efd9a
parent ac18b74e66 0f3cd72dd3
23 changed files with 264 additions and 68 deletions
--- a/src/core/operations/CTPH.mjs
+++ b/src/core/operations/CTPH.mjs
@ -21,7 +21,7 @@ class CTPH extends Operation {
        this.name = "CTPH";
        this.module = "Crypto";
        this.description = "Context Triggered Piecewise Hashing, also called Fuzzy Hashing, can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.<br><br>CTPH was originally based on the work of Dr. Andrew Tridgell and a spam email detector called SpamSum. This method was adapted by Jesse Kornblum and published at the DFRWS conference in 2006 in a paper 'Identifying Almost Identical Files Using Context Triggered Piecewise Hashing'.";
-        this.infoURL = "https://forensicswiki.xyz/wiki/index.php?title=Context_Triggered_Piecewise_Hashing";
+        this.infoURL = "https://forensics.wiki/context_triggered_piecewise_hashing/";
        this.inputType = "string";
        this.outputType = "string";
        this.args = [];
--- a/src/core/operations/CompareCTPHHashes.mjs
+++ b/src/core/operations/CompareCTPHHashes.mjs
@ -24,7 +24,7 @@ class CompareCTPHHashes extends Operation {
        this.name = "Compare CTPH hashes";
        this.module = "Crypto";
        this.description = "Compares two Context Triggered Piecewise Hashing (CTPH) fuzzy hashes to determine the similarity between them on a scale of 0 to 100.";
-        this.infoURL = "https://forensicswiki.xyz/wiki/index.php?title=Context_Triggered_Piecewise_Hashing";
+        this.infoURL = "https://forensics.wiki/context_triggered_piecewise_hashing/";
        this.inputType = "string";
        this.outputType = "Number";
        this.args = [
--- a/src/core/operations/CompareSSDEEPHashes.mjs
+++ b/src/core/operations/CompareSSDEEPHashes.mjs
@ -24,7 +24,7 @@ class CompareSSDEEPHashes extends Operation {
        this.name = "Compare SSDEEP hashes";
        this.module = "Crypto";
        this.description = "Compares two SSDEEP fuzzy hashes to determine the similarity between them on a scale of 0 to 100.";
-        this.infoURL = "https://forensicswiki.xyz/wiki/index.php?title=Ssdeep";
+        this.infoURL = "https://forensics.wiki/ssdeep/";
        this.inputType = "string";
        this.outputType = "Number";
        this.args = [
--- a/src/core/operations/ExtractFiles.mjs
+++ b/src/core/operations/ExtractFiles.mjs
@ -39,7 +39,7 @@ class ExtractFiles extends Operation {
                ${supportedExts.join("</li><li>")}
                </li>
            </ul>Minimum File Size can be used to prune small false positives.`;
-        this.infoURL = "https://forensicswiki.xyz/wiki/index.php?title=File_Carving";
+        this.infoURL = "https://forensics.wiki/file_carving";
        this.inputType = "ArrayBuffer";
        this.outputType = "List<File>";
        this.presentType = "html";
--- a/src/core/operations/ExtractIPAddresses.mjs
+++ b/src/core/operations/ExtractIPAddresses.mjs
@ -66,7 +66,7 @@ class ExtractIPAddresses extends Operation {
    run(input, args) {
        const [includeIpv4, includeIpv6, removeLocal, displayTotal, sort, unique] = args,
            ipv4 = "(?:(?:\\d|[01]?\\d\\d|2[0-4]\\d|25[0-5])\\.){3}(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d|\\d)(?:\\/\\d{1,2})?",
-            ipv6 = "((?=.*::)(?!.*::.+::)(::)?([\\dA-F]{1,4}:(:|\\b)|){5}|([\\dA-F]{1,4}:){6})((([\\dA-F]{1,4}((?!\\3)::|:\\b|(?![\\dA-F])))|(?!\\2\\3)){2}|(((2[0-4]|1\\d|[1-9])?\\d|25[0-5])\\.?\\b){4})";
+            ipv6 = "((?=.*::)(?!.*::.+::)(::)?([\\dA-F]{1,4}:(:|\\b)|){5}|([\\dA-F]{1,4}:){6})(([\\dA-F]{1,4}((?!\\3)::|:\\b|(?![\\dA-F])))|(?!\\2\\3)){2}";
        let ips  = "";

        if (includeIpv4 && includeIpv6) {
--- a/src/core/operations/LZNT1Decompress.mjs
+++ b/src/core/operations/LZNT1Decompress.mjs
@ -0,0 +1,41 @@
+/**
+ * @author 0xThiebaut [thiebaut.dev]
+ * @copyright Crown Copyright 2023
+ * @license Apache-2.0
+ */
+
+import Operation from "../Operation.mjs";
+import {decompress} from "../lib/LZNT1.mjs";
+
+/**
+ * LZNT1 Decompress operation
+ */
+class LZNT1Decompress extends Operation {
+
+    /**
+     * LZNT1 Decompress constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "LZNT1 Decompress";
+        this.module = "Compression";
+        this.description = "Decompresses data using the LZNT1 algorithm.<br><br>Similar to the Windows API <code>RtlDecompressBuffer</code>.";
+        this.infoURL = "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xca/5655f4a3-6ba4-489b-959f-e1f407c52f15";
+        this.inputType = "byteArray";
+        this.outputType = "byteArray";
+        this.args = [];
+    }
+
+    /**
+     * @param {byteArray} input
+     * @param {Object[]} args
+     * @returns {byteArray}
+     */
+    run(input, args) {
+        return decompress(input);
+    }
+
+}
+
+export default LZNT1Decompress;
--- a/src/core/operations/ParseASN1HexString.mjs
+++ b/src/core/operations/ParseASN1HexString.mjs
@ -20,7 +20,7 @@ class ParseASN1HexString extends Operation {

        this.name = "Parse ASN.1 hex string";
        this.module = "PublicKey";
-        this.description = "Abstract Syntax Notation One (ASN.1) is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking.<br><br>This operation parses arbitrary ASN.1 data and presents the resulting tree.";
+        this.description = "Abstract Syntax Notation One (ASN.1) is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking.<br><br>This operation parses arbitrary ASN.1 data (encoded as an hex string: use the 'To Hex' operation if necessary) and presents the resulting tree.";
        this.infoURL = "https://wikipedia.org/wiki/Abstract_Syntax_Notation_One";
        this.inputType = "string";
        this.outputType = "string";
--- a/src/core/operations/RegularExpression.mjs
+++ b/src/core/operations/RegularExpression.mjs
@ -83,6 +83,10 @@ class RegularExpression extends Operation {
                        name: "Strings",
                        value: "[A-Za-z\\d/\\-:.,_$%\\x27\"()<>= !\\[\\]{}@]{4,}"
                    },
+                    {
+                        name: "UUID (any version)",
+                        value: "[0-9a-fA-F]{8}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{12}"
+                    },
                ],
                "target": 1
            },
--- a/src/core/operations/SSDEEP.mjs
+++ b/src/core/operations/SSDEEP.mjs
@ -21,7 +21,7 @@ class SSDEEP extends Operation {
        this.name = "SSDEEP";
        this.module = "Crypto";
        this.description = "SSDEEP is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.<br><br>SSDEEP hashes are now widely used for simple identification purposes (e.g. the 'Basic Properties' section in VirusTotal). Although 'better' fuzzy hashes are available, SSDEEP is still one of the primary choices because of its speed and being a de facto standard.<br><br>This operation is fundamentally the same as the CTPH operation, however their outputs differ in format.";
-        this.infoURL = "https://forensicswiki.xyz/wiki/index.php?title=Ssdeep";
+        this.infoURL = "https://forensics.wiki/ssdeep";
        this.inputType = "string";
        this.outputType = "string";
        this.args = [];