def read_disk(options):
# Setup our log files
dcap_filename = options.dcap_file
# read from the cap file in real time
reader = CaptureReader(options.dcap_file)
# Tailing or terminating?
reader_iter = reader
if options.tail_enable:
reader_iter = reader.tail()
# Loop over all of the dcap contents
for (timestamp, data) in reader_iter:
print timestamp
if options.sensor_type == G.MACHINE_TYPES.PHYSICAL:
sata_frame = SATAFrame(data)
print sata_frame
else:
disk_sensor_pkt = [DiskSensorPacket(data)]
print disk_sensor_pkt
def read_disk(options):
# Setup our log files
dcap_filename = options.dcap_file
# read from the cap file in real time
reader = CaptureReader(options.dcap_file)
# Tailing or terminating?
reader_iter = reader
if options.tail_enable:
reader_iter = reader.tail()
# Loop over all of the dcap contents
for (timestamp, data) in reader_iter:
print timestamp
if options.sensor_type == G.MACHINE_TYPES.PHYSICAL:
sata_frame = SATAFrame(data)
print sata_frame
else:
disk_sensor_pkt = [DiskSensorPacket(data)]
print disk_sensor_pkt
def run(self):
"""
This function will read a raw disk capture and use a scanned disk
image to reconstruct the recorded SATA traffic and output the
semantic output.
"""
# copy our disk image to a temporary working image
self.working_disk_img = os.path.join(self.output_dir, "disk.img.tmp")
print "* Creating temporary working image from disk scan. (%s)"%self.working_disk_img
# Delete, copy, chmod new file
try:
os.unlink(self.working_disk_img)
except:
pass
cmd = "cp --sparse=always %s %s" % (self.disk_img, self.working_disk_img)
subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read()
os.chmod(self.working_disk_img, 0755)
# Set up our semantic bridge
print "* Parsing disk image %s into our semantic engine... (This may take a while)" % self.working_disk_img
semantic_engine = SemanticEngineDisk(self.working_disk_img)
# Start processing our dcap
print "* Processing dcap file %s..." % self.dcap_filename
# SATA Interpreter
sata = SATAInterpreter()
"""
@TODO Extract sector size from PyTSK
"""
sata_reconstructor = SATAReconstructor(sector_size=G.SENSOR_DISK.DEFAULT_SECTOR_SIZE)
# read from the cap file in real time
reader = CaptureReader(self.dcap_filename)
# Tailing or terminating?
reader_iter = reader
if self.tail_enable:
reader_iter = reader.tail()
# Loop over all of the dcap contents
for (timestamp, data) in reader_iter:
if self.sensor_type == G.MACHINE_TYPES.PHYSICAL:
(header, data) = sata.extract_sata_data(data)
# deal with SATA NCQ reordering
disk_sensor_pkts = sata_reconstructor.process_packet(PhysicalPacket(header, data))
else:
disk_sensor_pkts = [DiskSensorPacket(data)]
# Process all of our disk packets
if disk_sensor_pkts:
for dsp in disk_sensor_pkts:
# Skip empty packets
if not dsp:
continue
try:
fs_operations = semantic_engine.get_access(dsp.sector,
dsp.num_sectors,
dsp.disk_operation,
dsp.data)
self.log_output(timestamp, fs_operations)
except:
logging.exception("Encountered error while trying to bridge semantic gap for this disk access.")
