def _Parse(self):
"""Extracts attributes and extents from the volume."""
tsk_vs_part = self._file_entry.GetTSKVsPart()
tsk_addr = getattr(tsk_vs_part, 'addr', None)
if tsk_addr is not None:
address = volume_system.VolumeAttribute('address', tsk_addr)
self._AddAttribute(address)
tsk_desc = getattr(tsk_vs_part, 'desc', None)
if tsk_desc is not None:
# pytsk3 returns an UTF-8 encoded byte string.
try:
tsk_desc = tsk_desc.decode('utf8')
self._AddAttribute(volume_system.VolumeAttribute(
'description', tsk_desc))
except UnicodeError:
pass
start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part)
number_of_sectors = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs_part)
volume_extent = volume_system.VolumeExtent(
start_sector * self._bytes_per_sector,
number_of_sectors * self._bytes_per_sector)
self._extents.append(volume_extent)
def _Parse(self):
"""Extracts sections and volumes from the volume system."""
root_file_entry = self._file_system.GetRootFileEntry()
tsk_volume = self._file_system.GetTSKVolume()
self.bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(
tsk_volume)
for sub_file_entry in root_file_entry.sub_file_entries:
tsk_vs_part = sub_file_entry.GetTSKVsPart()
start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part)
number_of_sectors = tsk_partition.TSKVsPartGetNumberOfSectors(
tsk_vs_part)
if start_sector is None or number_of_sectors is None:
continue
if tsk_partition.TSKVsPartIsAllocated(tsk_vs_part):
volume = TSKVolume(sub_file_entry, self.bytes_per_sector)
self._AddVolume(volume)
volume_extent = volume_system.VolumeExtent(
start_sector * self.bytes_per_sector,
number_of_sectors * self.bytes_per_sector)
self._sections.append(volume_extent)
def _Open(self, path_spec=None, mode='rb'):
"""Opens the file-like object defined by path specification.
Args:
path_spec: optional path specification (instance of path.PathSpec).
The default is None.
mode: optional file access mode. The default is 'rb' read-only binary.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file-like object could not be opened.
PathSpecError: if the path specification is incorrect.
ValueError: if the path specification is invalid.
"""
if not path_spec:
raise ValueError(u'Missing path specfication.')
if not path_spec.HasParent():
raise errors.PathSpecError(
u'Unsupported path specification without parent.')
self._file_system = resolver.Resolver.OpenFileSystem(
path_spec, resolver_context=self._resolver_context)
tsk_volume = self._file_system.GetTSKVolume()
tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec(tsk_volume, path_spec)
if tsk_vs is None:
raise errors.PathSpecError(
u'Unable to retrieve TSK volume system part from path '
u'specification.')
range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs)
range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs)
if range_offset is None or range_size is None:
raise errors.PathSpecError(
u'Unable to retrieve TSK volume system part data range from path '
u'specification.')
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)
range_offset *= bytes_per_sector
range_size *= bytes_per_sector
self.SetRange(range_offset, range_size)
self._file_object = resolver.Resolver.OpenFileObject(
path_spec.parent, resolver_context=self._resolver_context)
self._file_object_set_in_init = True
# pylint: disable=protected-access
super(TSKPartitionFile, self)._Open(path_spec=path_spec, mode=mode)
def _ScanDisk(self, scan_context, scan_node, disk_info):
"""Scan Disk internal
Args:
scan_context (SourceScannerContext): the source scanner context.
scan_node (SourceScanNode): the scan node.
"""
if not scan_node:
return
if scan_node.path_spec.IsVolumeSystem(
) and not scan_node.path_spec.IsVolumeSystemRoot():
file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec)
if scan_node.type_indicator == definitions.TYPE_INDICATOR_TSK_PARTITION:
tsk_volumes = file_system.GetTSKVolume()
vol_part, _ = tsk_partition.GetTSKVsPartByPathSpec(
tsk_volumes, scan_node.path_spec)
if tsk_partition.TSKVsPartIsAllocated(vol_part):
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(
vol_part)
length = tsk_partition.TSKVsPartGetNumberOfSectors(
vol_part)
start_sector = tsk_partition.TSKVsPartGetStartSector(
vol_part)
vol_name = getattr(scan_node.path_spec, 'location',
None)[1:]
#vol_name = self.prefix + str(scan_node.path_spec.part_index)
base_path_spec = scan_node.path_spec
disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \
"length" : length * bytes_per_sector, "bytes_per_sector" : bytes_per_sector, "start_sector" : start_sector, \
"vol_name" : vol_name, "identifier" : None})
elif scan_node.type_indicator == definitions.TYPE_INDICATOR_VSHADOW:
vss_volumes = file_system.GetVShadowVolume()
store_index = vshadow.VShadowPathSpecGetStoreIndex(
scan_node.path_spec)
vss_part = list(vss_volumes.stores)[store_index]
length = vss_part.volume_size
identifier = getattr(vss_part, 'identifier', None)
vol_name = getattr(scan_node.path_spec, 'location', None)[1:]
base_path_spec = scan_node.path_spec
disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \
"length" : length, "bytes_per_sector" : None, "start_sector" : None, "vol_name" : vol_name, \
"identifier" : identifier})
for sub_scan_node in scan_node.sub_nodes:
self._ScanDisk(scan_context, sub_scan_node, disk_info)
def _EntriesGenerator(self):
"""Retrieves directory entries.
Since a directory can contain a vast number of entries using
a generator is more memory efficient.
Yields:
A path specification (instance of path.TSKPartitionPathSpec).
"""
# Only the virtual root file has directory entries.
part_index = getattr(self.path_spec, u'part_index', None)
start_offset = getattr(self.path_spec, u'start_offset', None)
if part_index is not None or start_offset is not None:
return
location = getattr(self.path_spec, u'location', None)
if location is None or location != self._file_system.LOCATION_ROOT:
return
tsk_volume = self._file_system.GetTSKVolume()
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)
part_index = 0
partition_index = 0
# pytsk3 does not handle the Volume_Info iterator correctly therefore
# the explicit list is needed to prevent the iterator terminating too
# soon or looping forever.
for tsk_vs_part in list(tsk_volume):
kwargs = {}
if tsk_partition.TSKVsPartIsAllocated(tsk_vs_part):
partition_index += 1
kwargs[u'location'] = u'/p{0:d}'.format(partition_index)
kwargs[u'part_index'] = part_index
part_index += 1
start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part)
if start_sector is not None:
kwargs[u'start_offset'] = start_sector * bytes_per_sector
kwargs[u'parent'] = self.path_spec.parent
yield tsk_partition_path_spec.TSKPartitionPathSpec(**kwargs)
def _Open(self, mode='rb'):
"""Opens the file-like object defined by path specification.
Args:
mode (Optional[str]): file access mode.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file-like object could not be opened.
OSError: if the file-like object could not be opened.
PathSpecError: if the path specification is incorrect.
"""
if not self._path_spec.HasParent():
raise errors.PathSpecError(
'Unsupported path specification without parent.')
self._file_system = resolver.Resolver.OpenFileSystem(
self._path_spec, resolver_context=self._resolver_context)
tsk_volume = self._file_system.GetTSKVolume()
tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec(
tsk_volume, self._path_spec)
if tsk_vs is None:
raise errors.PathSpecError(
'Unable to retrieve TSK volume system part from path '
'specification.')
range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs)
range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs)
if range_offset is None or range_size is None:
raise errors.PathSpecError(
'Unable to retrieve TSK volume system part data range from path '
'specification.')
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)
range_offset *= bytes_per_sector
range_size *= bytes_per_sector
self._SetRange(range_offset, range_size)
self._file_object = resolver.Resolver.OpenFileObject(
self._path_spec.parent, resolver_context=self._resolver_context)
def _Parse(self):
"""Extracts attributes and extents from the volume."""
tsk_vs_part = self._file_entry.GetTSKVsPart()
tsk_addr = getattr(tsk_vs_part, u'addr', None)
if tsk_addr is not None:
self._AddAttribute(
volume_system.VolumeAttribute(u'address', tsk_addr))
tsk_desc = getattr(tsk_vs_part, u'desc', None)
if tsk_desc is not None:
self._AddAttribute(
volume_system.VolumeAttribute(u'description', tsk_desc))
start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part)
number_of_sectors = tsk_partition.TSKVsPartGetNumberOfSectors(
tsk_vs_part)
self._extents.append(
volume_system.VolumeExtent(
start_sector * self._bytes_per_sector,
number_of_sectors * self._bytes_per_sector))
def InsertImageInformation(self):
if not self._source_path_specs:
logger.error('source is empty')
return
disk_info = []
for path_spec in self._source_path_specs:
filesystem_type = None
if not path_spec.parent:
return False
if path_spec.parent.IsVolumeSystem():
if path_spec.IsFileSystem():
fs = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
fs_info = fs.GetFsInfo()
filesystem_type = getattr(fs_info.info, 'ftype', None)
path_spec = path_spec.parent
file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION:
tsk_volumes = file_system.GetTSKVolume()
vol_part, _ = dfvfs_partition.GetTSKVsPartByPathSpec(
tsk_volumes, path_spec)
if dfvfs_partition.TSKVsPartIsAllocated(vol_part):
bytes_per_sector = dfvfs_partition.TSKVolumeGetBytesPerSector(
vol_part)
length = dfvfs_partition.TSKVsPartGetNumberOfSectors(
vol_part)
start_sector = dfvfs_partition.TSKVsPartGetStartSector(
vol_part)
par_label = getattr(vol_part, 'desc', None)
try:
temp = par_label.decode('ascii')
par_label = temp
except UnicodeDecodeError:
par_label = par_label.decode('utf-8')
volume_name = getattr(path_spec, 'location', None)[1:]
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": length * bytes_per_sector,
"bytes_per_sector": bytes_per_sector,
"start_sector": start_sector,
"vol_name": volume_name,
"identifier": None,
"par_label": par_label,
"filesystem": filesystem_type
})
elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK:
#elif path_spec.IsFileSystem():
file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
fs_info = file_system.GetFsInfo()
block_size = getattr(fs_info.info, 'block_size', 0)
block_count = getattr(fs_info.info, 'block_count', 0)
filesystem = getattr(fs_info.info, 'ftype', None)
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": block_count * block_size,
"bytes_per_sector": block_size,
"start_sector": 0,
"vol_name": 'p1',
"identifier": None,
"par_label": None,
"filesystem": filesystem
})
elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_VSHADOW:
vss_volumes = file_system.GetVShadowVolume()
store_index = dfvfs_vshadow.VShadowPathSpecGetStoreIndex(
path_spec)
vss_part = list(vss_volumes.stores)[store_index]
length = vss_part.volume_size
identifier = getattr(vss_part, 'identifier', None)
volume_name = getattr(path_spec, 'location', None)[1:]
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": length,
"bytes_per_sector": None,
"start_sector": None,
"vol_name": volume_name,
"identifier": identifier,
"par_label": None,
"filesystem": None
})
self._InsertDiskInfo(disk_info)
