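def mmls_popup(query, result):
    """Locate a DOS partition table in the image and hand it to Sleuthkit.

    The image is walked 512 bytes at a time.  Each block is quoted-printable
    encoded with its ``=`` characters stripped, so the 0x55 0xAA signature
    bytes come out as the text ``UAA``; a block ending in ``0UAA`` is taken as
    a candidate table (the leading ``0`` means the byte before 0x55 must
    encode to something ending in ``0``, e.g. a 0x00 byte, which becomes
    ``00``).  Every candidate offset is passed to ``sk.mmls``; the first one
    Sleuthkit accepts ends the search.  When the end of the image is reached
    without an accepted table, a "No Partitions found" heading and the
    Sleuthkit error are written to ``result``.

    Fix: the original set ``done`` at end-of-image but kept reading empty
    blocks forever (an image without a recognisable table hung the popup);
    the scan now breaks out so the final attempt can report failure.

    NOTE(review): quoted-printable inserts soft line breaks every 76
    columns; after ``=`` is stripped a ``\\n`` can land inside the signature
    text and make a real table miss.  Comparing ``block[510:512]`` against
    ``b'\\x55\\xaa'`` directly would be more robust; left as-is to preserve
    behaviour.

    Uses ``self`` (provides ``create``), ``sk``, ``re`` and ``binascii`` from
    the enclosing scope.  ``parts`` is assigned but not consumed in this
    fragment.  The ``print`` and the ``TESTFUNC`` prefix look like debugging
    leftovers and are kept so output is unchanged.

    Args:
        query: mapping describing the case/IO source.  NOTE(review):
            ``offset`` is used as a bare name, not a string key -- confirm it
            is bound in the enclosing scope, otherwise the entry is never
            removed and the NameError is silently swallowed.
        result: UI result object; ``decoration``, ``heading`` and ``text``
            are used.
    """
    result.decoration = "naked"
    my_offset = 0
    last_offset = 0
    done = False

    # Best effort: drop any caller-supplied offset so the IO source we
    # create starts at the beginning of the image.  Narrowed from a bare
    # except so KeyboardInterrupt/SystemExit still propagate.
    try:
        del query[offset]
    except Exception:
        pass

    io = self.create(None, query.get('case'), query)

    # Outer loop: retry from last_offset whenever Sleuthkit rejects a
    # candidate.  Inner loop: scan block by block for the signature.
    while True:
        io.seek(last_offset)
        while True:
            my_offset = io.tell()  # candidate table offset if this block matches
            block = io.partial_read(512)
            last_offset = io.tell()  # resume point if this candidate fails
            # bytes literals are plain str on Python 2 (identical behaviour)
            # and keep the regex usable against b2a_qp's bytes on Python 3.
            foobarbaz = re.sub(b'=', b'', binascii.b2a_qp(block))
            if len(foobarbaz) == 0:
                # End of image: stop scanning so the attempt below can
                # report failure instead of re-reading EOF forever.
                done = True
                break
            if re.search(b'0UAA$', foobarbaz) is not None:
                break
        io.seek(0)
        try:
            print("trying" + str(my_offset))
            parts = sk.mmls(io, my_offset)
        except IOError as e:
            if done:
                result.heading("No Partitions found")
                result.text("TESTFUNC %d Sleuthkit returned: %s" % (my_offset, e))
                return
        else:
            break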
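def mmls_popup(query, result):
    """Open the case's IO source and ask Sleuthkit for its partition table.

    Sets ``result.decoration`` to ``"naked"``, strips the ``offset`` entry
    from ``query``, creates the IO source via ``self.create`` and calls
    ``sk.mmls`` on it.  If Sleuthkit raises ``IOError`` a "No Partitions
    found" heading plus the error text are written to ``result`` and the
    function returns.  ``parts`` is assigned but not consumed in this
    fragment.

    Uses ``self`` (provides ``create``) and ``sk`` from the enclosing scope.

    Args:
        query: mapping describing the case/IO source; ``query.get('case')``
            is read.  NOTE(review): ``offset`` is a bare name, not a string
            key -- confirm it is bound in the enclosing scope, otherwise the
            entry is never removed and the NameError is silently swallowed.
        result: UI result object; ``decoration``, ``heading`` and ``text``
            are used.
    """
    result.decoration = "naked"

    # Best effort: drop any caller-supplied offset before creating the IO
    # source.  Narrowed from a bare except so KeyboardInterrupt/SystemExit
    # still propagate.
    try:
        del query[offset]
    except Exception:
        pass

    io = self.create(None, query.get('case'), query)
    try:
        parts = sk.mmls(io)
    except IOError as e:
        result.heading("No Partitions found")
        result.text("Sleuthkit returned: %s" % e)
        return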
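def mmls_popup(query, result):
    """Build a Sleuthkit mmls object for the case's IO source.

    Marks ``result`` as ``"naked"``, removes the ``offset`` entry from
    ``query`` (best effort), creates the IO source with ``self.create`` and
    calls ``sk.mmls`` on it.  An ``IOError`` from Sleuthkit is reported on
    ``result`` ("No Partitions found" heading plus the error) and ends the
    function.  ``parts`` is not consumed in this fragment.

    ``self`` (provides ``create``) and ``sk`` come from the enclosing scope.

    Args:
        query: mapping describing the case/IO source.  NOTE(review):
            ``offset`` is referenced as a bare name rather than a string
            key -- verify it is defined by the enclosing scope; if not, the
            NameError is swallowed and nothing is removed.
        result: UI result object (``decoration``, ``heading``, ``text``).
    """
    result.decoration = "naked"

    # Narrowed from a bare except: still best effort, but no longer traps
    # KeyboardInterrupt/SystemExit.
    try:
        del query[offset]
    except Exception:
        pass

    io = self.create(None, query.get('case'), query)
    try:
        parts = sk.mmls(io)
    except IOError as err:
        result.heading("No Partitions found")
        result.text("Sleuthkit returned: %s" % err)
        return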
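def mmls_popup(query, result):
    """Search the image for a DOS partition table Sleuthkit will accept.

    Candidates are found by ``_find_dos_table_candidate`` (512-byte blocks
    whose quoted-printable form ends in ``0UAA``, i.e. the 0x55 0xAA
    signature preceded by a byte that encodes to something ending in ``0``).
    Each candidate offset is tried with ``sk.mmls``; the first success ends
    the search.  If the end of the image is reached and Sleuthkit still
    raises ``IOError``, a "No Partitions found" heading and the error are
    written to ``result``.

    Fix: the original flagged end-of-image but never left the scan loop,
    so an image with no recognisable table looped forever on empty reads.

    Uses ``self`` (provides ``create``), ``sk``, ``re`` and ``binascii`` from
    the enclosing scope.  ``parts`` is assigned but not consumed in this
    fragment; the ``print`` and ``TESTFUNC`` prefix look like debugging
    leftovers and are kept so output is unchanged.

    Args:
        query: mapping describing the case/IO source.  NOTE(review):
            ``offset`` is a bare name, not a string key -- confirm it is
            bound in the enclosing scope.
        result: UI result object; ``decoration``, ``heading`` and ``text``
            are used.
    """
    result.decoration = "naked"
    last_offset = 0

    # Best effort removal of a caller-supplied offset; narrowed from a
    # bare except so KeyboardInterrupt/SystemExit still propagate.
    try:
        del query[offset]
    except Exception:
        pass

    io = self.create(None, query.get('case'), query)

    # Retry from last_offset whenever Sleuthkit rejects a candidate.
    while True:
        my_offset, last_offset, done = _find_dos_table_candidate(io, last_offset)
        io.seek(0)
        try:
            print("trying" + str(my_offset))
            parts = sk.mmls(io, my_offset)
        except IOError as e:
            if done:
                result.heading("No Partitions found")
                result.text("TESTFUNC %d Sleuthkit returned: %s" % (my_offset, e))
                return
        else:
            break


def _find_dos_table_candidate(io, start):
    """Scan forward from ``start`` for a block carrying the DOS signature.

    Returns ``(candidate, resume, at_end)``: ``candidate`` is the offset of
    the matching block (or of the empty read at end of image), ``resume`` is
    where a later search should continue, and ``at_end`` is True when the
    image was exhausted without a match.

    NOTE(review): quoted-printable soft line breaks every 76 columns leave a
    ``\\n`` behind once ``=`` is stripped and can split the signature text,
    so a real table may be missed; comparing ``block[510:512]`` against
    ``b'\\x55\\xaa'`` would be more robust.  Kept to preserve behaviour.
    """
    io.seek(start)
    while True:
        candidate = io.tell()
        block = io.partial_read(512)
        resume = io.tell()
        if not block:
            return candidate, resume, True
        # bytes literals are plain str on Python 2 (identical behaviour) and
        # keep the regex usable against b2a_qp's bytes on Python 3.
        encoded = re.sub(b'=', b'', binascii.b2a_qp(block))
        if re.search(b'0UAA$', encoded) is not None:
            return candidate, resume, False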
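def scan(self, fd, scanners, type, mime, cookie, scores=None, **args):
    """Split an x86 boot-sector image into per-partition maps and scan each.

    Does nothing unless ``type`` contains ``'x86 boot sector'``.  Partitions
    come from ``sk.mmls(fd)`` as entries whose elements 0, 1 and 2 are used
    as start sector, length in sectors and description.  For each entry an
    AFF4 cache map named ``"<fd.urn.parser.query>/<description> @
    0x<start>"`` is created over ``[start * SECTOR_SIZE, +length *
    SECTOR_SIZE)`` of ``fd.urn``; if Sleuthkit can open the map as a
    filesystem a ``Filesystem`` magic hint is stored; finally the map's inode
    is queued with ``Scanner.scan_inode_distributed``.

    Args:
        fd: image file object; ``fd.case`` and ``fd.urn`` are used.
        scanners: forwarded to ``Scanner.scan_inode_distributed``.
        type: magic description string (shadows the builtin; kept for
            interface compatibility).
        mime: unused here.
        cookie: forwarded to ``Scanner.scan_inode_distributed``.
        scores, **args: unused, kept for interface compatibility.

    Returns:
        None.  An ``IOError`` from ``sk.mmls`` is printed and ends the scan.
    """
    if 'x86 boot sector' not in type:
        return

    try:
        parts = sk.mmls(fd)
    except IOError as e:
        print(e)
        return

    for part in parts:
        ## The description is whatever Sleuthkit derived from the on-disk
        ## table.  NOTE(review): for table formats that carry free-text
        ## labels this is image-controlled data flowing straight into the
        ## map name -- consider sanitising before using it as a URN segment.
        name = "%s @ 0x%X" % (part[2], part[0])

        ## Map the partition's byte range.  NOTE(review): nothing here
        ## checks that start+length lies within the image; a corrupt table
        ## can overstate it, so write_from is presumably expected to cope.
        part_map = CacheManager.AFF4_MANAGER.create_cache_map(
            fd.case, "%s/%s" % (fd.urn.parser.query, name))
        part_map.write_from(fd.urn, SECTOR_SIZE * part[0], SECTOR_SIZE * part[1])
        part_map.close()

        ## Best-effort filesystem hint: failure to open the partition as a
        ## filesystem, or to store the hint, is ignored.  Narrowed from a
        ## bare except so KeyboardInterrupt/SystemExit still propagate.
        ## NOTE(review): new_fd is never closed -- confirm whether the DBFS
        ## file object needs it.
        fsfd = FileSystem.DBFS(fd.case)
        new_fd = fsfd.open(inode_id=part_map.inode_id)
        try:
            fs = sk.skfs(new_fd)
            fs.close()
            Magic.set_magic(fd.case, inode_id=part_map.inode_id,
                            mime="application/filesystem", magic="Filesystem")
        except Exception:
            pass

        Scanner.scan_inode_distributed(fd.case, part_map.inode_id, scanners, cookie)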
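def scan(self, fd, scanners, type, mime, cookie, scores=None, **args):
    """Map every partition of an x86 boot-sector image and scan each one.

    Only acts when ``type`` contains ``'x86 boot sector'``.  Partition
    entries come from ``sk.mmls(fd)``; each is turned into an AFF4 cache map
    by ``_map_partition``, given a best-effort filesystem hint by
    ``_hint_filesystem``, and queued for distributed scanning.

    Args:
        fd: image file object; ``fd.case`` and ``fd.urn`` are used.
        scanners: forwarded to ``Scanner.scan_inode_distributed``.
        type: magic description string (parameter name shadows the builtin;
            kept for interface compatibility).
        mime: unused here.
        cookie: forwarded to ``Scanner.scan_inode_distributed``.
        scores, **args: unused, kept for interface compatibility.

    Returns:
        None.  An ``IOError`` from ``sk.mmls`` is printed and ends the scan.
    """
    if 'x86 boot sector' in type:
        try:
            parts = sk.mmls(fd)
        except IOError as e:
            print(e)
            return
        for part in parts:
            inode_id = _map_partition(fd, part)
            _hint_filesystem(fd.case, inode_id)
            ## Now we recursively scan each object
            Scanner.scan_inode_distributed(fd.case, inode_id, scanners, cookie)


def _map_partition(fd, part):
    """Create and fill the AFF4 cache map for one mmls entry; return its inode id.

    ``part[0]``, ``part[1]`` and ``part[2]`` are used as start sector, length
    in sectors and description.  The map is named
    ``"<fd.urn.parser.query>/<description> @ 0x<start>"`` and covers
    ``[start * SECTOR_SIZE, +length * SECTOR_SIZE)`` of ``fd.urn``.

    NOTE(review): the description is whatever Sleuthkit derived from the
    on-disk table; for formats with free-text labels that is image-controlled
    data used directly as a URN segment -- consider sanitising it.  Nothing
    checks that the byte range lies inside the image either; write_from is
    presumably expected to cope with an overstated length.
    """
    start, length, description = part[0], part[1], part[2]
    name = "%s @ 0x%X" % (description, start)
    part_map = CacheManager.AFF4_MANAGER.create_cache_map(
        fd.case, "%s/%s" % (fd.urn.parser.query, name))
    part_map.write_from(fd.urn, SECTOR_SIZE * start, SECTOR_SIZE * length)
    part_map.close()
    return part_map.inode_id


def _hint_filesystem(case, inode_id):
    """Store a ``Filesystem`` magic hint if Sleuthkit can open the map.

    Any failure -- opening the inode as a filesystem or recording the hint --
    is ignored, as in the original.  Narrowed from a bare except so
    KeyboardInterrupt/SystemExit still propagate.  NOTE(review): the DBFS
    file object is never closed; confirm whether that matters.
    """
    fsfd = FileSystem.DBFS(case)
    new_fd = fsfd.open(inode_id=inode_id)
    try:
        fs = sk.skfs(new_fd)
        fs.close()
        Magic.set_magic(case, inode_id=inode_id,
                        mime="application/filesystem", magic="Filesystem")
    except Exception:
        pass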