Ejemplo n.º 1
0
    def test03MultipleSources(self):
        """ Test that multiple images can be loaded on the same VFS """
        pyflagsh.shell_execv(command="execute",
                             argv=["Load Data.Load IO Data Source",'case=%s' % self.test_case,
                                   "iosource=second_image",
                                   "subsys=EWF",
                                   "filename=ntfs_image.e01" ,
                                   ])
        pyflagsh.shell_execv(command="execute",
                             argv=["Load Data.Load Filesystem image",'case=%s' % self.test_case,
                                   "iosource=second_image",
                                   "fstype=Sleuthkit",
                                   "mount_point=/ntfsimage/"])

        ## Try to read a file from the first source:
        fsfd = DBFS(self.test_case)
        fd = fsfd.open("/stdimage/dscf1081.jpg")
        m = hashlib.md5()
        m.update(fd.read())
        self.assertEqual(m.hexdigest(),'11bec410aebe0c22c14f3eaaae306f46')

        ## Try to read a file from the second source:
        fd = fsfd.open("/ntfsimage/Books/80day11.txt")
        m = hashlib.md5()
        m.update(fd.read())
        self.assertEqual(m.hexdigest(),'f5b394b5d0ca8c9ce206353e71d1d1f2')
Ejemplo n.º 2
0
    def test03MultipleSources(self):
        """ Test that multiple images can be loaded on the same VFS """
        pyflagsh.shell_execv(
            command="execute",
            argv=[
                "Load Data.Load IO Data Source",
                "case=%s" % self.test_case,
                "iosource=second_image",
                "subsys=EWF",
                "filename=ntfs_image.e01",
            ],
        )
        pyflagsh.shell_execv(
            command="execute",
            argv=[
                "Load Data.Load Filesystem image",
                "case=%s" % self.test_case,
                "iosource=second_image",
                "fstype=Sleuthkit",
                "mount_point=/ntfsimage/",
            ],
        )

        ## Try to read a file from the first source:
        fsfd = DBFS(self.test_case)
        fd = fsfd.open("/stdimage/dscf1081.jpg")
        m = hashlib.md5()
        m.update(fd.read())
        self.assertEqual(m.hexdigest(), "11bec410aebe0c22c14f3eaaae306f46")

        ## Try to read a file from the second source:
        fd = fsfd.open("/ntfsimage/Books/80day11.txt")
        m = hashlib.md5()
        m.update(fd.read())
        self.assertEqual(m.hexdigest(), "f5b394b5d0ca8c9ce206353e71d1d1f2")
Ejemplo n.º 3
0
    def test01RunScanners(self):
        """ Running Logical Index Scanner """
        ## Make sure the word secret is in there.
        pdbh = DB.DBO()
        pdbh.execute("select * from dictionary where word='secret' limit 1")
        row = pdbh.fetch()
        if not row:
            pdbh.insert('dictionary', **{'word':'secret', 'class':'English', 'type':'word'})
        
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'IndexScan'])

        dbh = DB.DBO(self.test_case)
        dbh2 = DB.DBO(self.test_case)
        fsfd = DBFS(self.test_case)
        dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB,config.FLAGDB))
        count = 0
        for row in dbh:
            count += 1
            path, inode, inode_id = fsfd.lookup(inode_id = row['inode_id'])
            fd = fsfd.open(inode=inode)
            fd.overread = True
            fd.slack = True
            fd.seek(row['offset'])
            data = fd.read(row['length'])
            print "Looking for %s: Found in %s at offset %s length %s %r" % (
                row['word'], inode, row['offset'], row['length'],data)
            self.assertEqual(data.lower(), row['word'].lower())

        ## Did we find all the secrets?
        self.assertEqual(count,2)
Ejemplo n.º 4
0
    def run(self,case, inode, scanners, *args):
        factories = Scanner.get_factories(case, scanners.split(","))

        if factories:
            ddfs = DBFS(case)
            fd = ddfs.open(inode = inode)
            Scanner.scanfile(ddfs, fd, factories)
            fd.close()
Ejemplo n.º 5
0
class SKFSTests2(tests.FDTest):
    """ Test Sleuthkit file like object for compressed files """
    test_case = "PyFlagNTFSTestCase"
    test_file = "/Books/80day11.txt"

    def setUp(self):
        self.fs = DBFS(self.test_case)
        self.fd = self.fs.open(self.test_file)
Ejemplo n.º 6
0
def get_evidence_tz_name(case, fd):
    """ return the name of the timezone for the given piece of evidence """
    try:
        tz = fd.gettz()
        return tz
    except AttributeError:
        pass

    ## fd is not an a File descendant, it could be a cached file
    ddfs = DBFS(case)
    fd2 = ddfs.open(inode = basename(fd.name))
    return fd2.gettz()
Ejemplo n.º 7
0
class FDTest(unittest.TestCase):
    ## These must be overridden with a file which is at least 100
    ## bytes long
    test_case = ""
    test_inode = ""

    def setUp(self):
        self.fs = DBFS(self.test_case)
        self.fd = self.fs.open(inode=self.test_inode)

    def test01HaveValidSize(self):
        """ Test for valid size """
        self.assert_(self.fd, "No fd found")
        size = self.fd.size
        ## Go to the end:
        self.fd.seek(0, 2)
        self.assert_(size != 0, "Size is zero")
        self.assertEqual(self.fd.tell(), size,
                         "Seek to end of file does not agree with size")

    def test02ReadingTests(self):
        """ Test reading ranges """
        ## Note we assume the file is at least 100 bytes long...
        self.fd.seek(0)
        data = self.fd.read(100)
        self.assertEqual(
            len(data), 100,
            "Data length read does not agree with read - or file too short?")
        self.assertEqual(self.fd.tell(), 100, "Seek after read does not agree")

        ## Check seeking and reading:
        self.fd.seek(50, 0)
        self.assertEqual(self.fd.tell(), 50)
        self.assertEqual(data[50:], self.fd.read(50),
                         "Seek and read does not agree")

    def test03SeekingTests(self):
        """ Test seeking """
        self.fd.seek(50)
        self.assertEqual(self.fd.tell(), 50,
                         "Absolute Seek does not agree with tell")

        ## Relative seeking:
        self.fd.seek(50, 1)
        self.assertEqual(self.fd.tell(), 100, "Relative seek does not agree")

        ## Seeking before the start of file should raise
        self.assertRaises(IOError, lambda: self.fd.seek(-5000, 1))

        ## Check that a read at the end returns zero:
        self.fd.seek(0, 2)
        self.assertEqual(self.fd.read(), '', "Read data past end of file")
Ejemplo n.º 8
0
class FDTest(unittest.TestCase):
    ## These must be overridden with a file which is at least 100
    ## bytes long
    test_case = ""
    test_inode = ""
    
    def setUp(self):
        self.fs = DBFS(self.test_case)
        self.fd = self.fs.open(inode=self.test_inode)

    def test01HaveValidSize(self):
        """ Test for valid size """
        self.assert_(self.fd,"No fd found")
        size=self.fd.size
        ## Go to the end:
        self.fd.seek(0,2)
        self.assert_(size != 0, "Size is zero")
        self.assertEqual(self.fd.tell(),size,"Seek to end of file does not agree with size")

    def test02ReadingTests(self):
        """ Test reading ranges """
        ## Note we assume the file is at least 100 bytes long...
        self.fd.seek(0)
        data = self.fd.read(100)
        self.assertEqual(len(data),100, "Data length read does not agree with read - or file too short?")
        self.assertEqual(self.fd.tell(),100, "Seek after read does not agree")

        ## Check seeking and reading:
        self.fd.seek(50,0)
        self.assertEqual(self.fd.tell(), 50)
        self.assertEqual(data[50:], self.fd.read(50), "Seek and read does not agree")

    def test03SeekingTests(self):
        """ Test seeking """
        self.fd.seek(50)
        self.assertEqual(self.fd.tell(),50,"Absolute Seek does not agree with tell")

        ## Relative seeking:
        self.fd.seek(50,1)
        self.assertEqual(self.fd.tell(),100,"Relative seek does not agree")

        ## Seeking before the start of file should raise
        self.assertRaises(IOError, lambda : self.fd.seek(-5000,1))
        
        ## Check that a read at the end returns zero:
        self.fd.seek(0,2)
        self.assertEqual(self.fd.read(),'', "Read data past end of file")
Ejemplo n.º 9
0
class NTFSTests(unittest.TestCase):
    """ Sleuthkit NTFS Support """
    order = 1
    test_case = "PyFlagNTFSTestCase"
    def test01LoadNTFSFileSystem(self):
        """ Test Loading of NTFS Filesystem """
        pyflagsh.shell_execv(command="execute",
                             argv=["Case Management.Remove case",'remove_case=%s' % self.test_case])

        pyflagsh.shell_execv(command="execute",
                             argv=["Case Management.Create new case",'create_case=%s' % self.test_case])

        pyflagsh.shell_execv(command="execute",
                             argv=["Load Data.Load IO Data Source",'case=%s' % self.test_case,
                                   "iosource=test",
                                   "subsys=EWF",
                                   "filename=ntfs_image.e01",
                                   ])
        pyflagsh.shell_execv(command="execute",
                             argv=["Load Data.Load Filesystem image",'case=%s' % self.test_case,
                                   "iosource=test",
                                   "fstype=Sleuthkit",
                                   "mount_point=/"])
        
        dbh = DB.DBO(self.test_case)
        dbh.execute("select count(*) as count from inode")
        row = dbh.fetch()
        self.assertEqual(row['count'],140)
        dbh.execute("select count(*) as count from file")
        row = dbh.fetch()
        self.assertEqual(row['count'],153)

    def test02ReadNTFSFile(self):
        """ Test reading a regular NTFS file """
        self.fsfd = DBFS(self.test_case)
        ## This file is Images/250px-Holmes_by_Paget.jpg
        fd = self.fsfd.open(inode='Itest|K33-128-4')
        data = fd.read()
        m = hashlib.md5()
        m.update(data)
        self.assertEqual(m.hexdigest(),'f9c4ea83dfcdcf5eb441e130359f4a0d')
        
    def test03ReadNTFSCompressed(self):
        """ Test reading a compressed NTFS file """
        self.fsfd = DBFS(self.test_case)
        fd = self.fsfd.open("/Books/80day11.txt")
        m = hashlib.md5()
        m.update(fd.read())
        self.assertEqual(m.hexdigest(),'f5b394b5d0ca8c9ce206353e71d1d1f2')

    def test04LocatingNTFS_ADS(self):
        """ Test for finding ADS files """
        ## Do type scanning:
        env = pyflagsh.environment(case=self.test_case)
        pyflagsh.shell_execv(env=env, command="scan",
                             argv=["*",'TypeScan'])

        dbh = DB.DBO(self.test_case)
        dbh.execute('select type.type from type,inode where type.inode_id=inode.inode_id and type like "%executable%" and inode.inode like "%33-128-7%"')
        row = dbh.fetch()

        self.assert_(row, "Executable within ADS was not found???")