def main(): parser = OptionParser(usage="emf_decrypter.py disk_image.bin") parser.add_option("-w", "--nowrite", dest="write", action="store_false", default=True, help="disable modifications of input file, for testing") (options, args) = parser.parse_args() if len(args) < 1: parser.print_help() return device_infos = None if len(args) >= 2: device_infos = plistlib.readPlist(args[1]) p = FileBlockDevice(args[0], 0, options.write) v = EMFVolume(p, device_infos) if not v.keybag.unlocked: print "Keybag locked, protected files won't be decrypted, continue anyway ?" if raw_input() == "n": return if options.write: print "WARNING ! This tool will modify the hfs image and possibly wreck it if something goes wrong !" print "Make sure to backup the image before proceeding" print "You can use the --nowrite option to do a dry run instead" else: print "Test mode : the input file will not be modified" print "Press a key to continue or CTRL-C to abort" raw_input() v.decryptAllFiles()
def getPartitionVolume(self, partNum, key=None): bdev = self.getPartitionBlockDevice(partNum, key) if partNum == 0: return HFSVolume(bdev) elif partNum == 1: self.device_infos["dataVolumeOffset"] = self.getPartitionTable()[partNum].first_lba return EMFVolume(bdev, self.device_infos)
def main(): parser = OptionParser(usage="emf_decrypter.py disk_image.bin") parser.add_option("-w", "--nowrite", dest="write", action="store_false", default=True, help="disable modifications of input file, for testing") (options, args) = parser.parse_args() if len(args) < 1: parser.print_help() return v = EMFVolume(args[0], write=options.write) if options.write: print "WARNING ! This tool will modify the hfs image and possibly wreck it if something goes wrong !" print "Make sure to backup the image before proceeding" print "You can use the --nowrite option to do a dry run instead" else: print "Test mode : the input file will not be modified" print "Press a key to continue or CTRL-C to abort" raw_input() v.decryptAllFiles()
def main(): parser = OptionParser(usage="emf_decrypter.py disk_image.bin") parser.add_option("-w", "--nowrite", dest="write", action="store_false", default=True, help="disable modifications of input file, for testing") (options, args) = parser.parse_args() if len(args) < 1: parser.print_help() return v = EMFVolume(args[0], write=options.write) ''' if options.write: print "WARNING ! This tool will modify the hfs image and possibly wreck it if something goes wrong !" print "Make sure to backup the image before proceeding" print "You can use the --nowrite option to do a dry run instead" else: print "Test mode : the input file will not be modified" print "Press a key to continue or CTRL-C to abort" raw_input() ''' v.decryptAllFiles()
#!/usr/bin/python import os import sys from hfs.emf import EMFVolume from hfs.journal import do_emf_carving from util.bdev import FileBlockDevice if __name__ == "__main__": if len(sys.argv) < 2: print "Usage: emf_undelete.py disk_image.bin" sys.exit(0) filename = sys.argv[1] volume = EMFVolume(FileBlockDevice(filename), None) dirname = os.path.dirname(filename) if dirname == "": dirname = "." outdir = dirname + "/" + volume.volumeID().encode("hex") + "_" + os.path.basename(filename) carveokdir = outdir + "/undelete/" carvenokdir = outdir + "/junk/" try: os.makedirs(carveokdir) os.makedirs(carvenokdir) except: pass do_emf_carving(volume, carveokdir, carvenokdir)
import os import sys from hfs.emf import EMFVolume from hfs.journal import do_emf_carving from util.bdev import FileBlockDevice if __name__ == "__main__": if len(sys.argv) < 2: print "Usage: emf_undelete.py disk_image.bin" sys.exit(0) filename = sys.argv[1] volume = EMFVolume(FileBlockDevice(filename), None) dirname = os.path.dirname(filename) if dirname == "": dirname = "." outdir = dirname + "/" + volume.volumeID().encode( "hex") + "_" + os.path.basename(filename) carveokdir = outdir + "/undelete/" carvenokdir = outdir + "/junk/" try: os.makedirs(carveokdir) os.makedirs(carvenokdir) except: pass do_emf_carving(volume, carveokdir, carvenokdir)
import os import sys from hfs.emf import EMFVolume from hfs.journal import do_emf_carving if __name__ == "__main__": if len(sys.argv) < 2: print "Usage: emf_undelete.py disk_image.bin" sys.exit(0) filename = sys.argv[1] volume = EMFVolume(filename) dirname = os.path.dirname(filename) if dirname == "": dirname = "." outdir = dirname + "/" + volume.volumeID().encode("hex") + "_" + os.path.basename(filename) carveokdir = outdir + "/undelete/" carvenokdir = outdir + "/junk/" try: os.makedirs(carveokdir) os.makedirs(carvenokdir) except: pass do_emf_carving(volume, carveokdir, carvenokdir)