def testIsVirtual(self): """Test the IsVirtual functions.""" test_location = ( '\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}' ) path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_entry=38, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertFalse(file_entry.IsVirtual()) path_spec = ntfs_path_spec.NTFSPathSpec( location='\\System Volume Information', mft_entry=36, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertFalse(file_entry.IsVirtual()) path_spec = ntfs_path_spec.NTFSPathSpec(location='\\', parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertFalse(file_entry.IsVirtual())
def testGetFileEntryByPathSpec(self): """Tests the GetFileEntryByPathSpec function.""" file_system = ntfs_file_system.NTFSFileSystem(self._resolver_context) self.assertIsNotNone(file_system) file_system.Open(self._ntfs_path_spec) path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) # There is no way to determine the file_entry.name without a location string # in the path_spec or retrieving the file_entry from its parent. path_spec = ntfs_path_spec.NTFSPathSpec(location='\\password.txt', mft_entry=41, parent=self._qcow_path_spec) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.name, 'password.txt') path_spec = ntfs_path_spec.NTFSPathSpec(location='\\bogus.txt', mft_entry=19, parent=self._qcow_path_spec) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNone(file_entry) file_system.Close()
def testGetDataStream(self): """Tests the GetDataStream function.""" test_location = ( '\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}' ) path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_entry=38, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) data_stream_name = '' data_stream = file_entry.GetDataStream(data_stream_name) self.assertIsNotNone(data_stream) self.assertEqual(data_stream.name, data_stream_name) data_stream = file_entry.GetDataStream('bogus') self.assertIsNone(data_stream) test_location = '\\$Extend\\$RmMetadata\\$Repair' path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_entry=28, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) data_stream_name = '$Config' data_stream = file_entry.GetDataStream(data_stream_name) self.assertIsNotNone(data_stream) self.assertEqual(data_stream.name, data_stream_name)
def testComparable(self): """Tests the path specification comparable property.""" path_spec = ntfs_path_spec.NTFSPathSpec(location=u'\\test', parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join( [u'type: TEST', u'type: NTFS, location: \\test', u'']) self.assertEqual(path_spec.comparable, expected_comparable) path_spec = ntfs_path_spec.NTFSPathSpec(data_stream=u'test', location=u'\\test', parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join([ u'type: TEST', u'type: NTFS, data stream: test, location: \\test', u'' ]) self.assertEqual(path_spec.comparable, expected_comparable) path_spec = ntfs_path_spec.NTFSPathSpec(mft_entry=1, parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join( [u'type: TEST', u'type: NTFS, MFT entry: 1', u'']) self.assertEqual(path_spec.comparable, expected_comparable) path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=3, mft_entry=1, parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join([ u'type: TEST', u'type: NTFS, MFT attribute: 3, MFT entry: 1', u'' ]) self.assertEqual(path_spec.comparable, expected_comparable) path_spec = ntfs_path_spec.NTFSPathSpec(location=u'\\test', mft_entry=1, parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join([ u'type: TEST', u'type: NTFS, location: \\test, MFT entry: 1', u'' ]) self.assertEqual(path_spec.comparable, expected_comparable)
def testIsFunctions(self): """Test the Is? functions.""" test_location = ( u'\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}' ) path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_entry=38, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertFalse(file_entry.IsRoot()) self.assertFalse(file_entry.IsVirtual()) self.assertTrue(file_entry.IsAllocated()) self.assertFalse(file_entry.IsDevice()) self.assertFalse(file_entry.IsDirectory()) self.assertTrue(file_entry.IsFile()) self.assertFalse(file_entry.IsLink()) self.assertFalse(file_entry.IsPipe()) self.assertFalse(file_entry.IsSocket()) path_spec = ntfs_path_spec.NTFSPathSpec( location=u'\\System Volume Information', mft_entry=36, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertFalse(file_entry.IsRoot()) self.assertFalse(file_entry.IsVirtual()) self.assertTrue(file_entry.IsAllocated()) self.assertFalse(file_entry.IsDevice()) self.assertTrue(file_entry.IsDirectory()) self.assertFalse(file_entry.IsFile()) self.assertFalse(file_entry.IsLink()) self.assertFalse(file_entry.IsPipe()) self.assertFalse(file_entry.IsSocket()) path_spec = ntfs_path_spec.NTFSPathSpec(location=u'\\', parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertTrue(file_entry.IsRoot()) self.assertFalse(file_entry.IsVirtual()) self.assertTrue(file_entry.IsAllocated()) self.assertFalse(file_entry.IsDevice()) self.assertTrue(file_entry.IsDirectory()) self.assertFalse(file_entry.IsFile()) self.assertFalse(file_entry.IsLink()) self.assertFalse(file_entry.IsPipe()) self.assertFalse(file_entry.IsSocket())
def testDataStream(self): """Tests the data streams properties.""" test_location = ( '\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}' ) path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_entry=38, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.number_of_data_streams, 1) data_stream_names = [] for data_stream in file_entry.data_streams: data_stream_names.append(data_stream.name) self.assertEqual(data_stream_names, ['']) path_spec = ntfs_path_spec.NTFSPathSpec( location='\\System Volume Information', mft_entry=36, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.number_of_data_streams, 0) data_stream_names = [] for data_stream in file_entry.data_streams: data_stream_names.append(data_stream.name) self.assertEqual(data_stream_names, []) test_location = '\\$Extend\\$RmMetadata\\$Repair' path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_entry=28, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.number_of_data_streams, 2) data_stream_names = [] for data_stream in file_entry.data_streams: data_stream_names.append(data_stream.name) self.assertEqual(sorted(data_stream_names), sorted(['', '$Config']))
def testReadADS(self): """Test the read functionality on an alternate data stream (ADS).""" path_spec = ntfs_path_spec.NTFSPathSpec(data_stream='$SDS', location='\\$Secure', mft_attribute=2, mft_entry=9, parent=self._qcow_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context) file_object.open(path_spec=path_spec) expected_buffer = ( b'H\n\x80\xb9\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00') read_buffer = file_object.read(size=16) self.assertEqual(read_buffer, expected_buffer) file_object.seek(0x00040000, os.SEEK_SET) read_buffer = file_object.read(size=16) self.assertEqual(read_buffer, expected_buffer) file_object.seek(0x000401a0, os.SEEK_SET) expected_buffer = ( b'\xc3\xb4\xb1\x34\x03\x01\x00\x00\xa0\x01\x00\x00\x00\x00\x00\x00' ) read_buffer = file_object.read(size=16) self.assertEqual(read_buffer, expected_buffer)
def GetLinkedFileEntry(self): """Retrieves the linked file entry, e.g. for a symbolic link. Returns: NTFSFileEntry: linked file entry or None. """ link = self._GetLink() if not link: return # TODO: is there a way to determine the MFT entry here? link_mft_entry = None parent_path_spec = getattr(self.path_spec, u'parent', None) path_spec = ntfs_path_spec.NTFSPathSpec(location=link, parent=parent_path_spec) if (link == self._file_system.LOCATION_ROOT or link_mft_entry == self._file_system.MFT_ENTRY_ROOT_DIRECTORY): is_root = True else: is_root = False return NTFSFileEntry(self._resolver_context, self._file_system, path_spec, is_root=is_root)
def testOpenCloseLocation(self): """Test the open and close functionality using a location.""" path_spec = ntfs_path_spec.NTFSPathSpec(location='\\passwords.txt', parent=self._os_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context) self._TestOpenCloseLocation(path_spec, file_object)
def testGetStat(self): """Tests the GetStat function.""" test_location = ( '\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}' ) path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_entry=38, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) stat_object = file_entry.GetStat() self.assertIsNotNone(stat_object) self.assertEqual(stat_object.fs_type, 'NTFS') self.assertEqual(stat_object.type, stat_object.TYPE_FILE) self.assertEqual(stat_object.size, 65536) self.assertEqual(stat_object.atime, 1386052509) self.assertEqual(stat_object.atime_nano, 5023783) self.assertEqual(stat_object.ctime, 1386052509) self.assertEqual(stat_object.ctime_nano, 5179783) self.assertEqual(stat_object.crtime, 1386052509) self.assertEqual(stat_object.crtime_nano, 5023783) self.assertEqual(stat_object.mtime, 1386052509) self.assertEqual(stat_object.mtime_nano, 5179783)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._resolver_context = context.Context() test_file = self._GetTestFilePath(['vsstest.qcow2']) path_spec = os_path_spec.OSPathSpec(location=test_file) self._qcow_path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) self._ntfs_path_spec = ntfs_path_spec.NTFSPathSpec( location='\\', parent=self._qcow_path_spec)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._resolver_context = context.Context() test_file = os.path.join(u'test_data', u'vsstest.qcow2') path_spec = os_path_spec.OSPathSpec(location=test_file) self._qcow_path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) self._ntfs_path_spec = ntfs_path_spec.NTFSPathSpec( location=u'\\', parent=self._qcow_path_spec)
def testFileEntryExistsByPathSpec(self): """Test the file entry exists by path specification functionality.""" file_system = ntfs_file_system.NTFSFileSystem(self._resolver_context) self.assertIsNotNone(file_system) file_system.Open(self._ntfs_path_spec) path_spec = ntfs_path_spec.NTFSPathSpec( location=u'\\password.txt', mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) self.assertTrue(file_system.FileEntryExistsByPathSpec(path_spec)) path_spec = ntfs_path_spec.NTFSPathSpec( location=u'\\bogus.txt', mft_entry=19, parent=self._qcow_path_spec) self.assertFalse(file_system.FileEntryExistsByPathSpec(path_spec)) file_system.Close()
def testGetFileEntryByPathSpec(self): """Tests the GetFileEntryByPathSpec function.""" path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry)
def testModificationTime(self): """Test the modification_time property.""" path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertIsNotNone(file_entry.modification_time)
def testOpenCloseMFTEntry(self): """Test the open and close functionality using a MFT entry.""" path_spec = ntfs_path_spec.NTFSPathSpec( mft_attribute=1, mft_entry=self._MFT_ENTRY_PASSWORDS_TXT, parent=self._os_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context, path_spec) self._TestOpenCloseMFTEntry(file_object)
def testSeek(self): """Test the seek functionality.""" path_spec = ntfs_path_spec.NTFSPathSpec( location='\\a_directory\\another_file', mft_attribute=2, mft_entry=self._MFT_ENTRY_ANOTHER_FILE, parent=self._os_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context, path_spec) self._TestSeek(file_object)
def GetRootFileEntry(self): """Retrieves the root file entry. Returns: NTFSFileEntry: file entry. """ path_spec = ntfs_path_spec.NTFSPathSpec( location=self.LOCATION_ROOT, mft_entry=self.MFT_ENTRY_ROOT_DIRECTORY, parent=self._path_spec.parent) return self.GetFileEntryByPathSpec(path_spec)
def testReadADS(self): """Test the read functionality on an alternate data stream (ADS).""" path_spec = ntfs_path_spec.NTFSPathSpec(data_stream='$SDS', location='\\$Secure', mft_attribute=2, mft_entry=9, parent=self._os_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context, path_spec) self._TestReadADS(file_object)
def testRead(self): """Test the read functionality.""" path_spec = ntfs_path_spec.NTFSPathSpec( location='\\passwords.txt', mft_attribute=2, mft_entry=self._MFT_ENTRY_PASSWORDS_TXT, parent=self._os_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context, path_spec) self._TestRead(file_object)
def testIsDefault(self): """Test the IsDefault function.""" path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) data_streams = list(file_entry.data_streams) self.assertNotEqual(len(data_streams), 0) self.assertTrue(data_streams[0].IsDefault())
def GetParentFileEntry(self): """Retrieves the parent file entry. Returns: NTFSFileEntry: parent file entry or None. Raises: BackEndError: if the pyfsntfs file entry is missing. """ fsntfs_file_entry = self.GetNTFSFileEntry() if not fsntfs_file_entry: raise errors.BackEndError(u'Missing pyfsntfs file entry.') location = getattr(self.path_spec, u'location', None) if location is not None: parent_location = self._file_system.DirnamePath(location) if parent_location == u'': parent_location = self._file_system.PATH_SEPARATOR parent_file_reference = None mft_attribute = getattr(self.path_spec, u'mft_attribute', None) if mft_attribute is not None: parent_file_reference = ( fsntfs_file_entry.get_parent_file_reference_by_attribute_index( mft_attribute)) else: parent_file_reference = fsntfs_file_entry.get_parent_file_reference( ) if parent_file_reference is None: return parent_mft_entry = (parent_file_reference & _FILE_REFERENCE_MFT_ENTRY_BITMASK) parent_path_spec = getattr(self.path_spec, u'parent', None) # TODO: determine and pass the mft_attribute of the parent # for a faster resolve of the file entry. path_spec = ntfs_path_spec.NTFSPathSpec(location=parent_location, mft_entry=parent_mft_entry, parent=parent_path_spec) # TODO: handle parent correctly use attribute index? if (parent_location == self._file_system.LOCATION_ROOT or parent_mft_entry == self._file_system.MFT_ENTRY_ROOT_DIRECTORY): is_root = True else: is_root = False return NTFSFileEntry(self._resolver_context, self._file_system, path_spec, is_root=is_root)
def testName(self): """Test the name property.""" path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) data_streams = list(file_entry.data_streams) self.assertNotEqual(len(data_streams), 0) self.assertEqual(data_streams[0].name, '')
def testOpenCloseMFTEntry(self): """Test the open and close functionality using a MFT entry.""" path_spec = ntfs_path_spec.NTFSPathSpec( mft_attribute=1, mft_entry=self._MFT_ENTRY_PASSWORDS_TXT, parent=self._qcow_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context) file_object.open(path_spec=path_spec) self.assertEqual(file_object.get_size(), 116) file_object.close()
def testAttributeType(self): """Test the attribute_type property.""" path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) fsntfs_attribute = file_entry._fsntfs_file_entry.get_attribute(0) ntfs_attribute = ntfs_file_entry.NTFSAttribute(fsntfs_attribute) self.assertEqual(ntfs_attribute.attribute_type, 0x00000010)
def testInitialize(self): """Tests the path specification initialization.""" path_spec = ntfs_path_spec.NTFSPathSpec(location=u'\\test', parent=self._path_spec) self.assertIsNotNone(path_spec) path_spec = ntfs_path_spec.NTFSPathSpec(data_stream=u'test', location=u'\\test', parent=self._path_spec) self.assertIsNotNone(path_spec) path_spec = ntfs_path_spec.NTFSPathSpec(mft_entry=1, parent=self._path_spec) self.assertIsNotNone(path_spec) path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=3, mft_entry=1, parent=self._path_spec) self.assertIsNotNone(path_spec) path_spec = ntfs_path_spec.NTFSPathSpec(location=u'\\test', mft_entry=1, parent=self._path_spec) self.assertIsNotNone(path_spec) with self.assertRaises(ValueError): _ = ntfs_path_spec.NTFSPathSpec(location=u'\\test', parent=None) with self.assertRaises(ValueError): _ = ntfs_path_spec.NTFSPathSpec(location=None, parent=self._path_spec) with self.assertRaises(ValueError): _ = ntfs_path_spec.NTFSPathSpec(mft_entry=None, parent=self._path_spec) with self.assertRaises(ValueError): _ = ntfs_path_spec.NTFSPathSpec(location=u'\\test', parent=self._path_spec, bogus=u'BOGUS')
def testIntialize(self): """Tests the __init__ function.""" path_spec = ntfs_path_spec.NTFSPathSpec(mft_attribute=1, mft_entry=41, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) fsntfs_attribute = file_entry._fsntfs_file_entry.get_attribute(0) ntfs_attribute = ntfs_file_entry.NTFSAttribute(fsntfs_attribute) self.assertIsNotNone(ntfs_attribute) with self.assertRaises(errors.BackEndError): ntfs_file_entry.NTFSAttribute(None)
def testOpenCloseLocation(self): """Test the open and close functionality using a location.""" path_spec = ntfs_path_spec.NTFSPathSpec(location='\\passwords.txt', parent=self._os_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context, path_spec) self._TestOpenCloseLocation(file_object) # Try open with a path specification that has no parent. path_spec.parent = None file_object = ntfs_file_io.NTFSFile(self._resolver_context, path_spec) with self.assertRaises(errors.PathSpecError): self._TestOpenCloseLocation(file_object)
def testOpenCloseLocation(self): """Test the open and close functionality using a location.""" path_spec = ntfs_path_spec.NTFSPathSpec(location='\\password.txt', parent=self._qcow_path_spec) file_object = ntfs_file_io.NTFSFile(self._resolver_context) file_object.open(path_spec=path_spec) self.assertEqual(file_object.get_size(), 116) file_object.close() # Try open with a path specification that has no parent. path_spec.parent = None with self.assertRaises(errors.PathSpecError): self._TestOpenCloseLocation(path_spec)
def testGetParentFileEntry(self): """Tests the GetParentFileEntry function.""" test_location = ( '\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}' ) path_spec = ntfs_path_spec.NTFSPathSpec(location=test_location, mft_attribute=2, mft_entry=38, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) parent_file_entry = file_entry.GetParentFileEntry() self.assertIsNotNone(parent_file_entry) self.assertEqual(parent_file_entry.name, 'System Volume Information')