def GetFileEntryByPathSpec(self, path_spec):
"""Retrieves a file entry for a path specification.
Args:
path_spec (PathSpec): path specification.
Returns:
VShadowFileEntry: file entry or None if not available.
"""
store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec)
# The virtual root file has not corresponding store index but
# should have a location.
if store_index is None:
location = getattr(path_spec, 'location', None)
if location is None or location != self.LOCATION_ROOT:
return
return vshadow_file_entry.VShadowFileEntry(self._resolver_context,
self,
path_spec,
is_root=True,
is_virtual=True)
if store_index < 0 or store_index >= self._vshadow_volume.number_of_stores:
return
return vshadow_file_entry.VShadowFileEntry(self._resolver_context,
self, path_spec)
def _Open(self, path_spec=None, mode='rb'):
"""Opens the file-like object defined by path specification.
Args:
path_spec: optional path specification (instance of path.PathSpec).
The default is None.
mode: optional file access mode. The default is 'rb' read-only binary.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file-like object could not be opened.
PathSpecError: if the path specification is incorrect.
ValueError: if the path specification is invalid.
"""
if not path_spec:
raise ValueError(u'Missing path specfication.')
store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec)
if store_index is None:
raise errors.PathSpecError(
u'Unable to retrieve store index from path specification.')
self._file_system = resolver.Resolver.OpenFileSystem(
path_spec, resolver_context=self._resolver_context)
vshadow_volume = self._file_system.GetVShadowVolume()
if (store_index < 0 or store_index >= vshadow_volume.number_of_stores):
raise errors.PathSpecError(
(u'Unable to retrieve VSS store: {0:d} from path '
u'specification.').format(store_index))
self._vshadow_store = vshadow_volume.get_store(store_index)
def _Open(self, mode='rb'):
"""Opens the file-like object defined by path specification.
Args:
mode (Optional[str]): file access mode.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file-like object could not be opened.
OSError: if the file-like object could not be opened.
PathSpecError: if the path specification is incorrect.
"""
store_index = vshadow.VShadowPathSpecGetStoreIndex(self._path_spec)
if store_index is None:
raise errors.PathSpecError(
'Unable to retrieve store index from path specification.')
self._file_system = resolver.Resolver.OpenFileSystem(
self._path_spec, resolver_context=self._resolver_context)
vshadow_volume = self._file_system.GetVShadowVolume()
if (store_index < 0 or store_index >= vshadow_volume.number_of_stores):
raise errors.PathSpecError(
('Unable to retrieve VSS store: {0:d} from path '
'specification.').format(store_index))
vshadow_store = vshadow_volume.get_store(store_index)
if not vshadow_store.has_in_volume_data():
raise IOError(
('Unable to open VSS store: {0:d} without in-volume stored '
'data.').format(store_index))
self._vshadow_store = vshadow_store
def GetVShadowStore(self):
"""Retrieves the VSS store object (instance of pyvshadow.store)."""
store_index = vshadow.VShadowPathSpecGetStoreIndex(self.path_spec)
if store_index is None:
return
vshadow_volume = self._file_system.GetVShadowVolume()
return vshadow_volume.get_store(store_index)
def GetParentFileEntry(self):
"""Retrieves the parent file entry.
Returns:
FileEntry: parent file entry or None if not available.
"""
store_index = vshadow.VShadowPathSpecGetStoreIndex(self.path_spec)
if store_index is None:
return None
return self._file_system.GetRootFileEntry()
def GetParentFileEntry(self):
"""Retrieves the parent file entry.
Returns:
The parent file entry (instance of FileEntry) or None.
"""
store_index = vshadow.VShadowPathSpecGetStoreIndex(self.path_spec)
if store_index is None:
return
return self._file_system.GetRootFileEntry()
def GetVShadowStoreByPathSpec(self, path_spec):
"""Retrieves a VSS store for a path specification.
Args:
path_spec (PathSpec): path specification.
Returns:
pyvshadow.store: a VSS store or None if not available.
"""
store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec)
if store_index is not None:
return self._vshadow_volume.get_store(store_index)
def _ScanDisk(self, scan_context, scan_node, disk_info):
"""Scan Disk internal
Args:
scan_context (SourceScannerContext): the source scanner context.
scan_node (SourceScanNode): the scan node.
"""
if not scan_node:
return
if scan_node.path_spec.IsVolumeSystem(
) and not scan_node.path_spec.IsVolumeSystemRoot():
file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec)
if scan_node.type_indicator == definitions.TYPE_INDICATOR_TSK_PARTITION:
tsk_volumes = file_system.GetTSKVolume()
vol_part, _ = tsk_partition.GetTSKVsPartByPathSpec(
tsk_volumes, scan_node.path_spec)
if tsk_partition.TSKVsPartIsAllocated(vol_part):
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(
vol_part)
length = tsk_partition.TSKVsPartGetNumberOfSectors(
vol_part)
start_sector = tsk_partition.TSKVsPartGetStartSector(
vol_part)
vol_name = getattr(scan_node.path_spec, 'location',
None)[1:]
#vol_name = self.prefix + str(scan_node.path_spec.part_index)
base_path_spec = scan_node.path_spec
disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \
"length" : length * bytes_per_sector, "bytes_per_sector" : bytes_per_sector, "start_sector" : start_sector, \
"vol_name" : vol_name, "identifier" : None})
elif scan_node.type_indicator == definitions.TYPE_INDICATOR_VSHADOW:
vss_volumes = file_system.GetVShadowVolume()
store_index = vshadow.VShadowPathSpecGetStoreIndex(
scan_node.path_spec)
vss_part = list(vss_volumes.stores)[store_index]
length = vss_part.volume_size
identifier = getattr(vss_part, 'identifier', None)
vol_name = getattr(scan_node.path_spec, 'location', None)[1:]
base_path_spec = scan_node.path_spec
disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \
"length" : length, "bytes_per_sector" : None, "start_sector" : None, "vol_name" : vol_name, \
"identifier" : identifier})
for sub_scan_node in scan_node.sub_nodes:
self._ScanDisk(scan_context, sub_scan_node, disk_info)
def FileEntryExistsByPathSpec(self, path_spec):
"""Determines if a file entry for a path specification exists.
Args:
path_spec (PathSpec): path specification.
Returns:
bool: True if the file entry exists.
"""
store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec)
# The virtual root file has no corresponding store index but
# should have a location.
if store_index is None:
location = getattr(path_spec, 'location', None)
return location is not None and location == self.LOCATION_ROOT
return 0 <= store_index < self._vshadow_volume.number_of_stores
def InsertImageInformation(self):
if not self._source_path_specs:
logger.error('source is empty')
return
disk_info = []
for path_spec in self._source_path_specs:
filesystem_type = None
if not path_spec.parent:
return False
if path_spec.parent.IsVolumeSystem():
if path_spec.IsFileSystem():
fs = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
fs_info = fs.GetFsInfo()
filesystem_type = getattr(fs_info.info, 'ftype', None)
path_spec = path_spec.parent
file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION:
tsk_volumes = file_system.GetTSKVolume()
vol_part, _ = dfvfs_partition.GetTSKVsPartByPathSpec(
tsk_volumes, path_spec)
if dfvfs_partition.TSKVsPartIsAllocated(vol_part):
bytes_per_sector = dfvfs_partition.TSKVolumeGetBytesPerSector(
vol_part)
length = dfvfs_partition.TSKVsPartGetNumberOfSectors(
vol_part)
start_sector = dfvfs_partition.TSKVsPartGetStartSector(
vol_part)
par_label = getattr(vol_part, 'desc', None)
try:
temp = par_label.decode('ascii')
par_label = temp
except UnicodeDecodeError:
par_label = par_label.decode('utf-8')
volume_name = getattr(path_spec, 'location', None)[1:]
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": length * bytes_per_sector,
"bytes_per_sector": bytes_per_sector,
"start_sector": start_sector,
"vol_name": volume_name,
"identifier": None,
"par_label": par_label,
"filesystem": filesystem_type
})
elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK:
#elif path_spec.IsFileSystem():
file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
fs_info = file_system.GetFsInfo()
block_size = getattr(fs_info.info, 'block_size', 0)
block_count = getattr(fs_info.info, 'block_count', 0)
filesystem = getattr(fs_info.info, 'ftype', None)
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": block_count * block_size,
"bytes_per_sector": block_size,
"start_sector": 0,
"vol_name": 'p1',
"identifier": None,
"par_label": None,
"filesystem": filesystem
})
elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_VSHADOW:
vss_volumes = file_system.GetVShadowVolume()
store_index = dfvfs_vshadow.VShadowPathSpecGetStoreIndex(
path_spec)
vss_part = list(vss_volumes.stores)[store_index]
length = vss_part.volume_size
identifier = getattr(vss_part, 'identifier', None)
volume_name = getattr(path_spec, 'location', None)[1:]
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": length,
"bytes_per_sector": None,
"start_sector": None,
"vol_name": volume_name,
"identifier": identifier,
"par_label": None,
"filesystem": None
})
self._InsertDiskInfo(disk_info)
