def identifyURN(urn, resolver=None):
if resolver == None:
if data_store.HAS_HDT:
resolver = data_store.HDTAssistedDataStore(lexicon.standard)
else:
resolver = data_store.MemoryDataStore(lexicon.standard)
with resolver as resolver:
with zip.ZipFile.NewZipFile(resolver, Version(0,1,"pyaff4"), urn) as zip_file:
if len(list(zip_file.members.keys())) == 0:
# it's a new zipfile
raise IOError("Not an AFF4 Volume")
try:
with zip_file.OpenZipSegment("version.txt") as version_segment:
# AFF4 Std v1.0 introduced the version file
versionTxt = version_segment.ReadAll()
#resolver.Close(version)
version = parseProperties(versionTxt.decode("utf-8"))
version = Version.create(version)
if version.is11():
return (version, lexicon.standard11)
else:
return (version, lexicon.standard)
except:
if str(resolver.aff4NS) == lexicon.AFF4_NAMESPACE:
# Rekall defined the new AFF4 namespace post the Wirespeed paper
return (Version(1,0,"pyaff4"), lexicon.scudette)
else:
# Wirespeed (Evimetry) 1.x and Evimetry 2.x stayed with the original namespace
return (Version(0,1,"pyaff4"), lexicon.legacy)
def openURNtoContainer(urn, mode=None):
if data_store.HAS_HDT:
resolver = data_store.HDTAssistedDataStore(lexicon.standard)
else:
resolver = data_store.MemoryDataStore(lexicon.standard)
(version, lex) = Container.identifyURN(urn, resolver=resolver)
resolver.lexicon = lex
if mode != None and mode == "+":
resolver.Set(lexicon.transient_graph, urn, lexicon.AFF4_STREAM_WRITE_MODE,
rdfvalue.XSDString("random"))
with zip.ZipFile.NewZipFile(resolver, version, urn) as zip_file:
with resolver.AFF4FactoryOpen(zip_file.backing_store_urn) as backing_store:
volumeURN = zip_file.urn
if lex == lexicon.standard or lex == lexicon.standard11:
images = list(resolver.QueryPredicateObject(volumeURN, lexicon.AFF4_TYPE, lex.Image))
if len(images) > 0:
imageURN = images[0]
datastreams = list(resolver.QuerySubjectPredicate(volumeURN, imageURN, lex.dataStream))
if len(datastreams) > 0:
# it is a disk image or a memory image
for stream in datastreams:
if lex.map in resolver.QuerySubjectPredicate(volumeURN, stream, lexicon.AFF4_TYPE):
dataStream = resolver.AFF4FactoryOpen(stream)
image = aff4.Image(resolver, urn=imageURN)
dataStream.parent = image
return PhysicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex, image, dataStream)
else:
# it is a logical image
if version.is11():
# AFF4 logical images are defined at version 1.1
if mode != None and mode == "+":
return WritableHashBasedImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
else:
return LogicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
else:
# scudette's winpmem pre-std implementation is at 1.0
lex = lexicon.pmemlogical
return PreStdLogicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
else:
# no images
encryptedStreams = list(resolver.QueryPredicateObject(volumeURN, lexicon.AFF4_TYPE, lexicon.standard11.EncryptedStream))
if len(encryptedStreams) == 1:
encryptedBlockStreamARN = encryptedStreams[0]
return EncryptedImageContainer(backing_store, zip_file, version, volumeURN, resolver, lexicon.standard11, encryptedBlockStreamARN, mode)
else:
return LogicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex)
elif lex == lexicon.scudette:
m = next(resolver.QueryPredicateObject(volumeURN, lexicon.AFF4_TYPE, lex.map))
cat = next(resolver.QuerySubjectPredicate(volumeURN, m, lex.category))
if cat == lex.memoryPhysical:
dataStream = resolver.AFF4FactoryOpen(m)
image = aff4.Image(resolver, urn=m)
dataStream.parent = image
legacyYamlInfoURI = dataStream.urn.Append("information.yaml")
try:
with resolver.AFF4FactoryOpen(legacyYamlInfoURI) as fd:
txt = fd.read(10000000)
dt = yaml.safe_load(txt)
CR3 = dt["Registers"]["CR3"]
resolver.Add(dataStream.parent.urn, lexicon.standard.memoryPageTableEntryOffset, rdfvalue.XSDInteger(CR3))
kaslr_slide = dt["kaslr_slide"]
resolver.Add(dataStream.parent.urn, lexicon.standard.OSXKALSRSlide, rdfvalue.XSDInteger(kaslr_slide))
except:
pass
return PhysicalImageContainer(backing_store, zip_file, version, volumeURN, resolver, lex, image, dataStream)