Skip to main content

Library to simplify process of gathering identifiable attributes about files

Project description

atklite

atklite is a library intended to help easily determine identifiable attributes about files under investigation. With a simple usage syntax, the following information can be determined by calling applications:

  • MD5 hash

  • SHA-1 hash

  • SHA-256 hash

  • CRC32 checksum

  • File size

  • File type (from magic bytes)

  • Fuzzy hash (CTPH) via ssdeep

atklite is primarily intended for use in analyzing malware samples but may be useful for anyone looking for a simple API for analyzing files.

Additionally, atklite can be used as a binary storage system, utilizing a standard filesystem to store the files in a sharded manner using the first n bytes of the hash that a user chooses to use (md5, sha1, sha256 or sha512).

Setup

Requirements

  • Python (tested with Python 2.7)

  • python-magic. On most systems this requires the libmagic library to be installed.

  • Python ssdeep wrapper, one of either:

Installing Prerequisites

Installing the prerequisites on an ubuntu system is fairly easy.

First we must install the prerequisites for python-ssdeep:

$ apt-get install cython ssdeep python-dev

Installation

Installation with pip is simple:

$ pip install atklite

If installing from source, unpack the distribution tarball and then install as follows:

$ python setup.py build
$ python setup.py install

Configuration and use

Usage:

From the cli using atk-info:
jpleger@jupiter:~$ atk-info ~/glyphicons-halflings-white.png
[-] Using binary store at: /home/jpleger/binary_store
-- glyphicons-halflings-white.png ----------------------------------------------
  Analyze time: Mon Jul 29 18:23:10 2013
  File name:    glyphicons-halflings-white.png
  File size:    8777
  File type:    PNG image data, 469 x 159, 8-bit colormap, non-interlaced
  CRC-32:       43808ba4
  MD5 hash:     9bbc6e9602998a385c2ea13df56470fd
  SHA1 hash:    a25c4705320fd63c33790e666872910e702b9bf6
  SHA256 hash:  f0e0d95a9c8abcdfabf46348e2d4285829bb0491f5f6af0e05af52bffb6324c4
  Fuzzy hash:   192:41MFu/STZChMGLw/LtI30ukSCeQm9F+xZdqdfQpTTTIyQY7thi7uWB:iMdZ/GLILBmWEiTTTIyQY5hi71
  Stored File:  /home/jpleger/binary_store/9/b/b/9bbc6e9602998a385c2ea13df56470fd
jpleger@jupiter:~$

From the python interpreter:
>>> import atklite
>>> file_analysis = atklite.FileAnalysis(filename='9ba57b128089f0a5a07b262511307f9c.exe')
>>> print file_analysis.dump()
sha1: 63738713f1e22425e06dd1f20e5cd22c630fd7d3
analyzetime: Sat Mar  2 00:57:50 2013
ftype: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
crc32: 9083b5e6
ttime: 1362211070.21
sha256: 04a191e1d7526025ee911f8a55d5c329af456cbd48d507dc2040b4ead1e4a525
ssdeep: 1536:o+I6XtaJU0ikjlcCGXM6ds6GGA2P+ly+Hmuh81HSR:o+fXtBYcCiX1xP0Hmk8s
md5: 9ba57b128089f0a5a07b262511307f9c
size: 77824

>>> analysis = file_analysis.return_analysis()
>>> analysis['analyzetime']
'Sat Mar  2 00:57:50 2013'
>>> print analysis['md5']
9ba57b128089f0a5a07b262511307f9c
>>> print analysis['sha1']
63738713f1e22425e06dd1f20e5cd22c630fd7d3
>>> print analysis['sha256']
04a191e1d7526025ee911f8a55d5c329af456cbd48d507dc2040b4ead1e4a525
>>> print analysis['size']
77824
>>> print analysis['crc32']
9083b5e6
>>> print analysis['ftype']
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
>>> print analysis['ssdeep']
1536:o+I6XtaJU0ikjlcCGXM6ds6GGA2P+ly+Hmuh81HSR:o+fXtBYcCiX1xP0Hmk8s

To Do

Nice to Have

  • Storing the reports with the files

  • Tagging within the saved reports

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

atklite-1.0-release.tar.gz (11.0 kB view details)

Uploaded Source

File details

Details for the file atklite-1.0-release.tar.gz.

File metadata

File hashes

Hashes for atklite-1.0-release.tar.gz
Algorithm Hash digest
SHA256 3c34c739dd5052ed7c229c2adc0c60fd7c0ad651934280412fc0a110bf6698ff
MD5 d8639a4b59f11703f7883886c7e73892
BLAKE2b-256 ace7b2c7e99640f821e0fe336a4b80d91c2dfb7f23bc61be5344f8617a902277

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page