def test03MultipleSources(self):
""" Test that multiple images can be loaded on the same VFS """
pyflagsh.shell_execv(command="execute",
argv=["Load Data.Load IO Data Source",'case=%s' % self.test_case,
"iosource=second_image",
"subsys=EWF",
"filename=ntfs_image.e01" ,
])
pyflagsh.shell_execv(command="execute",
argv=["Load Data.Load Filesystem image",'case=%s' % self.test_case,
"iosource=second_image",
"fstype=Sleuthkit",
"mount_point=/ntfsimage/"])
## Try to read a file from the first source:
fsfd = DBFS(self.test_case)
fd = fsfd.open("/stdimage/dscf1081.jpg")
m = hashlib.md5()
m.update(fd.read())
self.assertEqual(m.hexdigest(),'11bec410aebe0c22c14f3eaaae306f46')
## Try to read a file from the second source:
fd = fsfd.open("/ntfsimage/Books/80day11.txt")
m = hashlib.md5()
m.update(fd.read())
self.assertEqual(m.hexdigest(),'f5b394b5d0ca8c9ce206353e71d1d1f2')
def test03MultipleSources(self):
""" Test that multiple images can be loaded on the same VFS """
pyflagsh.shell_execv(
command="execute",
argv=[
"Load Data.Load IO Data Source",
"case=%s" % self.test_case,
"iosource=second_image",
"subsys=EWF",
"filename=ntfs_image.e01",
],
)
pyflagsh.shell_execv(
command="execute",
argv=[
"Load Data.Load Filesystem image",
"case=%s" % self.test_case,
"iosource=second_image",
"fstype=Sleuthkit",
"mount_point=/ntfsimage/",
],
)
## Try to read a file from the first source:
fsfd = DBFS(self.test_case)
fd = fsfd.open("/stdimage/dscf1081.jpg")
m = hashlib.md5()
m.update(fd.read())
self.assertEqual(m.hexdigest(), "11bec410aebe0c22c14f3eaaae306f46")
## Try to read a file from the second source:
fd = fsfd.open("/ntfsimage/Books/80day11.txt")
m = hashlib.md5()
m.update(fd.read())
self.assertEqual(m.hexdigest(), "f5b394b5d0ca8c9ce206353e71d1d1f2")
def test01RunScanners(self):
""" Running Logical Index Scanner """
## Make sure the word secret is in there.
pdbh = DB.DBO()
pdbh.execute("select * from dictionary where word='secret' limit 1")
row = pdbh.fetch()
if not row:
pdbh.insert('dictionary', **{'word':'secret', 'class':'English', 'type':'word'})
env = pyflagsh.environment(case=self.test_case)
pyflagsh.shell_execv(env=env, command="scan",
argv=["*",'IndexScan'])
dbh = DB.DBO(self.test_case)
dbh2 = DB.DBO(self.test_case)
fsfd = DBFS(self.test_case)
dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB,config.FLAGDB))
count = 0
for row in dbh:
count += 1
path, inode, inode_id = fsfd.lookup(inode_id = row['inode_id'])
fd = fsfd.open(inode=inode)
fd.overread = True
fd.slack = True
fd.seek(row['offset'])
data = fd.read(row['length'])
print "Looking for %s: Found in %s at offset %s length %s %r" % (
row['word'], inode, row['offset'], row['length'],data)
self.assertEqual(data.lower(), row['word'].lower())
## Did we find all the secrets?
self.assertEqual(count,2)
def run(self,case, inode, scanners, *args):
factories = Scanner.get_factories(case, scanners.split(","))
if factories:
ddfs = DBFS(case)
fd = ddfs.open(inode = inode)
Scanner.scanfile(ddfs, fd, factories)
fd.close()
class SKFSTests2(tests.FDTest):
""" Test Sleuthkit file like object for compressed files """
test_case = "PyFlagNTFSTestCase"
test_file = "/Books/80day11.txt"
def setUp(self):
self.fs = DBFS(self.test_case)
self.fd = self.fs.open(self.test_file)
def get_evidence_tz_name(case, fd):
""" return the name of the timezone for the given piece of evidence """
try:
tz = fd.gettz()
return tz
except AttributeError:
pass
## fd is not an a File descendant, it could be a cached file
ddfs = DBFS(case)
fd2 = ddfs.open(inode = basename(fd.name))
return fd2.gettz()
class FDTest(unittest.TestCase):
## These must be overridden with a file which is at least 100
## bytes long
test_case = ""
test_inode = ""
def setUp(self):
self.fs = DBFS(self.test_case)
self.fd = self.fs.open(inode=self.test_inode)
def test01HaveValidSize(self):
""" Test for valid size """
self.assert_(self.fd, "No fd found")
size = self.fd.size
## Go to the end:
self.fd.seek(0, 2)
self.assert_(size != 0, "Size is zero")
self.assertEqual(self.fd.tell(), size,
"Seek to end of file does not agree with size")
def test02ReadingTests(self):
""" Test reading ranges """
## Note we assume the file is at least 100 bytes long...
self.fd.seek(0)
data = self.fd.read(100)
self.assertEqual(
len(data), 100,
"Data length read does not agree with read - or file too short?")
self.assertEqual(self.fd.tell(), 100, "Seek after read does not agree")
## Check seeking and reading:
self.fd.seek(50, 0)
self.assertEqual(self.fd.tell(), 50)
self.assertEqual(data[50:], self.fd.read(50),
"Seek and read does not agree")
def test03SeekingTests(self):
""" Test seeking """
self.fd.seek(50)
self.assertEqual(self.fd.tell(), 50,
"Absolute Seek does not agree with tell")
## Relative seeking:
self.fd.seek(50, 1)
self.assertEqual(self.fd.tell(), 100, "Relative seek does not agree")
## Seeking before the start of file should raise
self.assertRaises(IOError, lambda: self.fd.seek(-5000, 1))
## Check that a read at the end returns zero:
self.fd.seek(0, 2)
self.assertEqual(self.fd.read(), '', "Read data past end of file")
class FDTest(unittest.TestCase):
## These must be overridden with a file which is at least 100
## bytes long
test_case = ""
test_inode = ""
def setUp(self):
self.fs = DBFS(self.test_case)
self.fd = self.fs.open(inode=self.test_inode)
def test01HaveValidSize(self):
""" Test for valid size """
self.assert_(self.fd,"No fd found")
size=self.fd.size
## Go to the end:
self.fd.seek(0,2)
self.assert_(size != 0, "Size is zero")
self.assertEqual(self.fd.tell(),size,"Seek to end of file does not agree with size")
def test02ReadingTests(self):
""" Test reading ranges """
## Note we assume the file is at least 100 bytes long...
self.fd.seek(0)
data = self.fd.read(100)
self.assertEqual(len(data),100, "Data length read does not agree with read - or file too short?")
self.assertEqual(self.fd.tell(),100, "Seek after read does not agree")
## Check seeking and reading:
self.fd.seek(50,0)
self.assertEqual(self.fd.tell(), 50)
self.assertEqual(data[50:], self.fd.read(50), "Seek and read does not agree")
def test03SeekingTests(self):
""" Test seeking """
self.fd.seek(50)
self.assertEqual(self.fd.tell(),50,"Absolute Seek does not agree with tell")
## Relative seeking:
self.fd.seek(50,1)
self.assertEqual(self.fd.tell(),100,"Relative seek does not agree")
## Seeking before the start of file should raise
self.assertRaises(IOError, lambda : self.fd.seek(-5000,1))
## Check that a read at the end returns zero:
self.fd.seek(0,2)
self.assertEqual(self.fd.read(),'', "Read data past end of file")
class NTFSTests(unittest.TestCase):
""" Sleuthkit NTFS Support """
order = 1
test_case = "PyFlagNTFSTestCase"
def test01LoadNTFSFileSystem(self):
""" Test Loading of NTFS Filesystem """
pyflagsh.shell_execv(command="execute",
argv=["Case Management.Remove case",'remove_case=%s' % self.test_case])
pyflagsh.shell_execv(command="execute",
argv=["Case Management.Create new case",'create_case=%s' % self.test_case])
pyflagsh.shell_execv(command="execute",
argv=["Load Data.Load IO Data Source",'case=%s' % self.test_case,
"iosource=test",
"subsys=EWF",
"filename=ntfs_image.e01",
])
pyflagsh.shell_execv(command="execute",
argv=["Load Data.Load Filesystem image",'case=%s' % self.test_case,
"iosource=test",
"fstype=Sleuthkit",
"mount_point=/"])
dbh = DB.DBO(self.test_case)
dbh.execute("select count(*) as count from inode")
row = dbh.fetch()
self.assertEqual(row['count'],140)
dbh.execute("select count(*) as count from file")
row = dbh.fetch()
self.assertEqual(row['count'],153)
def test02ReadNTFSFile(self):
""" Test reading a regular NTFS file """
self.fsfd = DBFS(self.test_case)
## This file is Images/250px-Holmes_by_Paget.jpg
fd = self.fsfd.open(inode='Itest|K33-128-4')
data = fd.read()
m = hashlib.md5()
m.update(data)
self.assertEqual(m.hexdigest(),'f9c4ea83dfcdcf5eb441e130359f4a0d')
def test03ReadNTFSCompressed(self):
""" Test reading a compressed NTFS file """
self.fsfd = DBFS(self.test_case)
fd = self.fsfd.open("/Books/80day11.txt")
m = hashlib.md5()
m.update(fd.read())
self.assertEqual(m.hexdigest(),'f5b394b5d0ca8c9ce206353e71d1d1f2')
def test04LocatingNTFS_ADS(self):
""" Test for finding ADS files """
## Do type scanning:
env = pyflagsh.environment(case=self.test_case)
pyflagsh.shell_execv(env=env, command="scan",
argv=["*",'TypeScan'])
dbh = DB.DBO(self.test_case)
dbh.execute('select type.type from type,inode where type.inode_id=inode.inode_id and type like "%executable%" and inode.inode like "%33-128-7%"')
row = dbh.fetch()
self.assert_(row, "Executable within ADS was not found???")
