def EnumerateFilesystemsFromClient(args): """List all local filesystems mounted on this system.""" del args # Unused. for fs_struct in client_utils_osx.GetFileSystems(): yield rdf_client_fs.Filesystem( device=fs_struct.f_mntfromname, mount_point=fs_struct.f_mntonname, type=fs_struct.f_fstypename) drive_re = re.compile("r?disk[0-9].*") for drive in os.listdir("/dev"): if not drive_re.match(drive): continue path = os.path.join("/dev", drive) try: img_inf = pytsk3.Img_Info(path) # This is a volume or a partition - we send back a TSK device. yield rdf_client_fs.Filesystem(device=path) vol_inf = pytsk3.Volume_Info(img_inf) for volume in vol_inf: if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC: offset = volume.start * vol_inf.info.block_size yield rdf_client_fs.Filesystem( device="{path}:{offset}".format(path=path, offset=offset), type="partition") except (IOError, RuntimeError): continue
def __init__(self, url): # parse out the different volumes self.url = url self.img = pytsk3.Img_Info(url=self.url) self.VOL_INFO = pytsk3.Volume_Info(self.img) self.vol_to_se = {} self.VOLUMES = [] self.VOLUME_BOUNDARIES = [] # print out some info about the disk image logger.debug("--- Volume info ---") logger.debug("Current: %d" % self.VOL_INFO.current) logger.debug("VS Type: %d" % self.VOL_INFO.info.vstype) logger.debug("Offset: %d" % self.VOL_INFO.info.offset) logger.debug("Block Size: %d" % self.VOL_INFO.info.block_size) logger.debug("Endian: %d" % self.VOL_INFO.info.endian) logger.debug("Partition List: %s" % self.VOL_INFO.info.part_list) logger.debug("Parition Count: %d" % self.VOL_INFO.info.part_count) logger.debug("--- Volume info ---") # Add each volume for vol in self.VOL_INFO: #print part.addr, part.desc, part.start, part.len self.add_volume(vol)
def exportHIVE(vol): if os.path.isdir('./export') == False: os.mkdir('./export') img = pytsk3.Img_Info('\\\\.\\' + vol) fs_info = pytsk3.FS_Info(img) userprofile = os.path.expandvars("%userprofile%") ntuser_ = cvtPath(userprofile + "\\NTUSER.DAT") usrclass_ = cvtPath(userprofile + "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat") exportList = [] exportList.append(ntuser_) exportList.append(usrclass_) for p in exportList: f = fs_info.open(p) name = f.info.name.name.decode('utf-8') offset = 0 if f.info.meta == None: continue size = f.info.meta.size BUFF_SIZE = 1024 * 1024 data = open('./export/' + name, 'wb') while offset < size: av_to_read = min(BUFF_SIZE, size - offset) d = f.read_random(offset, av_to_read) if not d: break data.write(d) offset += len(d) print "\nExport Completed\n"
def main(image, img_type, offset): try: print("[+] Opening {}".format(image)) if img_type == "ewf": print("jammer") else: img_info = pytsk3.Img_Info(image) # Get Filesystem Handle try: fs = pytsk3.FS_Info(img_info, offset) except IOError: _, e, _ = sys.exc_info() print("[-] Unable to open FS:\n {}".format(e)) exit() root_dir = fs.open_dir(path="/") table = [["Name", "Type", "Size", "Create Date", "Modify Date"]] for f in root_dir: name = f.info.name.name if f.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR: f_type = "DIR" else: f_type = "FILE" size = f.info.meta.size create = f.info.meta.crtime modify = f.info.meta.mtime table.append([name, f_type, size, create, modify]) print(tabulate(table, headers="firstrow")) except IOError: print("No such file1")
def iterate_image(self, image, img_type, output, part_type): volume = None print("[+] Opening {}".format(image)) if img_type == "ewf": try: #image = image.split('/') #image = image[len(image) - 1] image = image.replace('/', '\\') print(image) filenames = pyewf.glob(image) except IOError: _, e, _ = sys.exc_info() print("[-] Invalid EWF format:\n {}".format(e)) sys.exit(2) ewf_handle = pyewf.handle() ewf_handle.open(filenames) print(filenames) # Open PYTSK3 handle on EWF Image img_info = EWFImgInfo(ewf_handle) else: img_info = pytsk3.Img_Info(image) print(img_info) try: if part_type is not None: attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type) volume = pytsk3.Volume_Info(img_info, attr_id) print(volume) else: volume = pytsk3.Volume_Info(img_info) print(volume) except IOError: _, e, _ = sys.exc_info() print("[-] Unable to read partition table:\n {}".format(e)) image_stored_list.open_fs(self, volume, img_info, output)
def main(): #TODO move image loading to a method or util class imagefile = './forensic_image/AssignmentImage.dmg' imagehandle = pytsk3.Img_Info(imagefile) partitionTable = pytsk3.Volume_Info(imagehandle) print_partition_table(partitionTable) filesystemObject = pytsk3.FS_Info(imagehandle, offset=512) #print dir(filesystemObject) walk_file_system(filesystemObject) print 'The lenght of the dictionary is %d' % len(hashMap) rev_multidict = {} for key, value in hashMap.items(): rev_multidict.setdefault(value, set()).add(key) for v in [ values for key, values in rev_multidict.items() if len(values) > 1 ]: print list(v) print '========' fileobject = filesystemObject.open_dir("/") for a_file in fileobject: if a_file.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR: print ''
def __init__(self, file, hash_val): self.__file = file self.img = pytsk3.Img_Info(self.__file) self.__partition_list = list() self.__vol = pytsk3.Volume_Info(self.img) self.__hash_val = [hash_val] self.__cal_hash()
def initialise_block_db(image_path, image_hash, case): """Creates a new image database. Args: image_path: Path to image file image_hash: MD5 of the image case: Case ID Returns: Boolean value to indicate whether the image has already been processed """ img = pytsk3.Img_Info(image_path) block_db = PostgresqlDataStore(autocommit=True) image_exists = check_tracking_database(block_db, image_path, image_hash, case) if not image_exists: db_name = ''.join(('fs', image_hash)) block_db.execute('CREATE DATABASE {0:s}'.format(db_name)) block_db.switch_database(db_name=db_name) populate_block_db(img, block_db, batch_size=1500) return image_exists
def main(image, img_type, hashes, part_type=None, pbar_total=0): hash_list, hash_type = read_hashes(hashes) volume = None print("[+] Opening {}".format(image)) if img_type == "ewf": try: filenames = pyewf.glob(image) except IOError: _, e, _ = sys.exc_info() print("[-] Invalid EWF format:\n {}".format(e)) sys.exit(2) ewf_handle = pyewf.handle() ewf_handle.open(filenames) # Open PYTSK3 handle on EWF Image img_info = EWFImgInfo(ewf_handle) else: img_info = pytsk3.Img_Info(image) try: if part_type is not None: attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type) volume = pytsk3.Volume_Info(img_info, attr_id) else: volume = pytsk3.Volume_Info(img_info) except IOError: _, e, _ = sys.exc_info() print("[-] Unable to read partition table:\n {}".format(e)) open_fs(volume, img_info, hash_list, hash_type, pbar_total)
def Main(): args_parser = argparse.ArgumentParser(description=("Lists a file system in a storage media image or device.")) args_parser.add_argument("images", nargs="+", metavar="IMAGE", action="store", type=str, default=None, help=("Storage media images or devices.")) options = args_parser.parse_args() img = pytsk3.Img_Info(options.images) ## Step 2: Open the filesystem fs = pytsk3.FS_Info(img) ## Step 3: Open the file using the inode f = fs.open_meta(inode = 0) ## Step 4: Read all the data and print to stdout offset = 0 size = f.info.meta.size file_name= "$MFT" output_path="./" file_2 = open(output_path + file_name,"w") while offset < size: available_to_read = min(BUFF_SIZE, size - offset) data = f.read_random(offset, available_to_read,1) if not data: break offset += len(data) file_2.write(data) file_2.close()
def open_vol(self): sys.stderr.write("[+] Opening {}\n".format(self.evidence)) # Handle EWF/Raw Images if self.image_type == "ewf": try: filenames = pyewf.glob(self.evidence) except IOError: _, e, _ = sys.exc_info() sys.stderr.write("[-] Invalid EWF format:\n {}\n".format(e)) raise IOError ewf_handle = pyewf.handle() ewf_handle.open(filenames) # Open PYTSK3 handle on EWF Image self.image_handle = EWFImgInfo(ewf_handle) else: self.image_handle = pytsk3.Img_Info(self.evidence) # Open volume from image try: self.vol = pytsk3.Volume_Info(self.image_handle) except IOError: _, e, _ = sys.exc_info() sys.stderr.write("[-] Unable to read partition table. Possible logical image:\n {}\n".format(e))
def main(image, img_type, offset): print("[+] Opening {}".format(image)) if img_type == "ewf": try: filenames = pyewf.glob(image) except IOError: _, e, _ = sys.exc_info() print("[-] Invalid EWF format:\n {}".format(e)) sys.exit(2) ewf_handle = pyewf.handle() ewf_handle.open(filenames) # Open PYTSK3 handle on EWF Image img_info = EWFImgInfo(ewf_handle) else: img_info = pytsk3.Img_Info(image) # Get Filesystem Handle try: fs = pytsk3.FS_Info(img_info, offset) except IOError: _, e, _ = sys.exc_info() print("[-] Unable to open FS:\n {}".format(e)) exit() root_dir = fs.open_dir(path="/") table = [["Name", "Type", "Size", "Create Date", "Modify Date"]] for f in root_dir: name = f.info.name.name if f.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR: f_type = "DIR" else: f_type = "FILE" size = f.info.meta.size create = f.info.meta.crtime modify = f.info.meta.mtime table.append([name, f_type, size, create, modify]) print(tabulate(table, headers="firstrow"))
def extract_a_file(self, img_path, name, inode): ## Now open and read the file specified ## Step 1: get an IMG_INFO object (url can be any URL that AFF4 can handle) img = pytsk3.Img_Info(img_path) ## Step 2: Open the filesystem fs = pytsk3.FS_Info(img, offset=self._offset) ## Step 3: Open the file using the inode f = fs.open_meta(inode=inode) ## Step 4: Read all the data and print to stdout offset = 0 size = f.info.meta.size if type(name) is None: file_name = str(inode) else: file_name = name entry_info = [] #print(file_name) for i in f: if (i.info.type == pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA): #print(i.info.name) #print(i.info.size) if i.info.name is None: entry_info.append([file_name, i.info.size]) for entry in entry_info: file_2 = open(self._output_path + entry[0], "wb") while offset < entry[1]: available_to_read = min(BUFF_SIZE, entry[1] - offset) data = f.read_random(offset, available_to_read, 1) if not data: break offset += len(data) file_2.write(data) file_2.close()
def main(): args = parser.parse_args() image = args.image partition_starts = [] # Check if the user provided image format is ewf. If so, use the libewf developer's provided class to extend # the capabilities of pytsk3 to include the ewf format. If the image format is not ewf then pytsk3 can handle the image natively. try: if args.format == "ewf": files = pyewf.glob(args.image) ewf_handle = pyewf.handle() ewf_handle.open(files) image_handle = ewf_Img_Info(ewf_handle) else: image_handle = pytsk3.Img_Info(url=image) # Once a handle to the image has been established print all of the detected partitions to the user and allow them to pick the partition of # interest to be scanned. print "Which partition should be scanned?" volume = pytsk3.Volume_Info(image_handle) for partition in volume: print partition.addr, partition.desc, "%s(%s)" % ( partition.start, partition.start * 512), partition.len partition_starts.append(int(partition.start)) except IOError, error: print error
def GetVolumes(self, phyDrive="\\\\.\\PhysicalDrive0"): list_fs_info = [] # contain the file system object block_size = 512 # by default block size is 512 try: img = pytsk3.Img_Info(phyDrive) # open the physical drive volume = pytsk3.Volume_Info(img) # get volume information except OSError as e: if "file not found" in str(e): raise Exception("PHYSICAL_DRIVE_NOT_FOUND") else: raise Exception(str(e)) # for each volume in the drive, check if it is NTFS and open object to handle it for part in volume: try: self.logging( "INFO", "Check partition: desc{0:s}, offset{1:d}, size:{2:d}". format(part.desc.decode('utf-8'), part.start, part.len)) fs_info = pytsk3.FS_Info(img, offset=part.start * block_size) # check if file system is NTFS if fs_info.info.ftype in [ pytsk3.TSK_FS_TYPE_NTFS, pytsk3.TSK_FS_TYPE_NTFS_DETECT ]: list_fs_info.append(fs_info) except Exception as e: pass return list_fs_info
def __init__(self, volume): try: self.volume='\\\\.\\'+str(volume) self.img=pytsk3.Img_Info(self.volume) self.fs=pytsk3.FS_Info(self.img) except: return "none"
def Run(self, unused_args): """List all local filesystems mounted on this system.""" for fs_struct in client_utils_osx.GetFileSystems(): self.SendReply( rdf_client.Filesystem(device=fs_struct.f_mntfromname, mount_point=fs_struct.f_mntonname, type=fs_struct.f_fstypename)) drive_re = re.compile("r?disk[0-9].*") for drive in os.listdir("/dev"): if not drive_re.match(drive): continue path = os.path.join("/dev", drive) try: img_inf = pytsk3.Img_Info(path) # This is a volume or a partition - we send back a TSK device. self.SendReply(rdf_client.Filesystem(device=path)) vol_inf = pytsk3.Volume_Info(img_inf) for volume in vol_inf: if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC: offset = volume.start * vol_inf.info.block_size self.SendReply( rdf_client.Filesystem(device=path + ":" + str(offset), type="partition")) except (IOError, RuntimeError): continue
def image_read(image, img_type, part_type): print("[+] Opening {}".format(image)) if img_type == "ewf": try: filenames = pyewf.glob(image) except IOError: _, e, _ = sys.exc_info() print("[-] Invalid EWF format:\n {}".format(e)) sys.exit(2) ewf_handle = pyewf.handle() ewf_handle.open(filenames) e01_metadata(ewf_handle) # Open PYTSK3 handle on EWF Image img_info = EWFImgInfo(ewf_handle) else: img_info = pytsk3.Img_Info(image) try: if part_type is not None: attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type) volume = pytsk3.Volume_Info(img_info, attr_id) else: volume = pytsk3.Volume_Info(img_info) except IOError: _, e, _ = sys.exc_info() print("[-] Unable to read partition table:\n {}".format(e)) sys.exit(3) part_metadata(volume)
def get_tsk_inodes(volume, root): try: # open the extX file system (e.g. /dev/sda1) img = pytsk3.Img_Info(volume) # FS_Info used as a handle for more detailed file system analysis. Check if file system of volume is of extX try: fs = pytsk3.FS_Info(img) except OSError as e: print(e) sys.exit( "Error: file system of " + volume + " is not supported by hidden-inode-detector.py. Only ext2/ext3/ext4 file systems are supported." ) # goes to tsk_walk_path(). root is / # first time scan to collect inodes in same (root) dir my_inodes, my_inodes_dir = tsk_walk_path(fs=fs, inode=root) except (OSError) as e: print(e) sys.exit("Error: " + volume + " is not a valid mount point") # This part tries to go through each dir found the first tsk_walk_path scan, and so on. seen = my_inodes_dir.copy() active = my_inodes_dir.copy() while active: next_active = set() for current_inode_dir in active: test = tsk_walk_path(fs=fs, inode=current_inode_dir) for result in test[1]: if result not in seen: seen.add(result) next_active.add(result) active = next_active return my_inodes
def main(imgs): global FLIST fout = open("report.csv",'w') fout.write("File Name,MD5 Sum,Meta Data,...,Exif Data,...\n") rec = create_dir("./recovered/") (con, cur) = open_db() for i in imgs: if os.path.exists(i): print "Processing file - %s" % i print "MD5 sum - %s" % hashlib.md5(open(i,'rb').read()).hexdigest() img = pytsk3.Img_Info(i) fs = pytsk3.FS_Info(img) fs_walk('/', fs) for (fname, md5, meta) in FLIST: # Write file information out to report.csv fout.write(fname+","+md5+","+meta+'\n') # Enter file informatino into DB cur.execute('''INSERT INTO recovered VALUES (NULL, ?, ?, ?)''', (unicode(fname, errors='replace'), md5, meta)) con.commit() FLIST = [] # Clear the global files listing. else: print "Unable to find %s" % i print "###################################################################" print "Completed processing images. Recovered files saved in ./recovered/" print "\tReport written out to report.csv and recovered.db" print "###################################################################" con.close() fout.close()
def __init__(self, url): # parse out the different volumes logger.info("Initializing Semantic Engine") self.url = url self.img = pytsk3.Img_Info(url=self.url) self.VOL_INFO = pytsk3.Volume_Info(self.img) self.vol_to_se = {} self.VOLUMES = [] self.VOLUME_BOUNDARIES = [] # print out some info about the disk image ''' print("--- Volume info ---") print("Current: %d" % self.VOL_INFO.current) print("VS Type: %d" % self.VOL_INFO.info.vstype) print("Offset: %d" % self.VOL_INFO.info.offset) print("Block Size: %d" % self.VOL_INFO.info.block_size) print("Endian: %d" % self.VOL_INFO.info.endian) print("Partition List: %s" % self.VOL_INFO.info.part_list) print("Parition Count: %d" % self.VOL_INFO.info.part_count) print("--- Volume info ---") ''' # Add each volume for vol in self.VOL_INFO: self.add_volume(vol)
def justCopy(srcPath, dstPath): try: driveLetter = srcPath.split("\\")[0] imagefile, offset = GetPhysicalDisk(driveLetter) imagehandle = pytsk3.Img_Info(imagefile) drive = pytsk3.FS_Info(imagehandle, offset=int(offset)) parsedname = os.path.abspath(srcPath).replace(driveLetter, "").replace("\\", "/") fileobject = drive.open(parsedname) OutFileName = fileobject.info.name.name if not os.path.exists(dstPath): os.makedirs(dstPath) FinalFilePath = os.path.join(dstPath, OutFileName) OutFile = open(FinalFilePath, 'wb') if fileobject.info.meta.size > 0: logging.info("[+] Copying the file \"{}\" ".format(srcPath)) filedata = fileobject.read_random(0, fileobject.info.meta.size) OutFile.write(filedata) OutFile.close() logging.info( "[+] Successfully copied the file '{}' !".format(srcPath)) else: filedata = b"" logging.warning( "[!] Unable to copy the file \"{}\" . The file is Not Found / Empty!" .format(srcPath)) except Exception as e: logging.error("[!] Unable to copy the file \"{}\" .".format(srcPath)) logging.error("[X] Exception : ", exc_info=True)
def _find_volumes(self, volume_system, vstype='detect'): """Finds all volumes based on the pytsk3 library.""" try: # noinspection PyUnresolvedReferences import pytsk3 except ImportError: logger.error("pytsk3 not installed, could not detect volumes") raise ModuleNotFoundError("pytsk3") baseimage = None try: # ewf raw image is now available on base mountpoint # either as ewf1 file or as .dd file raw_path = volume_system.parent.get_raw_path() # noinspection PyBroadException try: baseimage = pytsk3.Img_Info(raw_path) except Exception: logger.error( "Failed retrieving image info (possible empty image).", exc_info=True) return [] try: volumes = pytsk3.Volume_Info( baseimage, getattr(pytsk3, 'TSK_VS_TYPE_' + vstype.upper()), volume_system.parent.offset // volume_system.disk.block_size) volume_system.volume_source = 'multi' return volumes except Exception as e: # some bug in sleuthkit makes detection sometimes difficult, so we hack around it: if "(GPT or DOS at 0)" in str(e) and vstype != 'gpt': volume_system.vstype = 'gpt' # noinspection PyBroadException try: logger.warning( "Error in retrieving volume info: TSK couldn't decide between GPT and DOS, " "choosing GPT for you. Use --vstype=dos to force DOS.", exc_info=True) volumes = pytsk3.Volume_Info( baseimage, getattr(pytsk3, 'TSK_VS_TYPE_GPT')) volume_system.volume_source = 'multi' return volumes except Exception as e: logger.exception( "Failed retrieving image info (possible empty image)." ) raise SubsystemError(e) else: logger.exception( "Failed retrieving image info (possible empty image).") raise SubsystemError(e) finally: if baseimage: baseimage.close() del baseimage
def main(image, img_type, offset, hashListFile, evidence_Dir, part_Type, pbar_total=0): matched_Hash_Files = {} hash_List, type_of_Hash = get_Hash_Type(hashListFile) volume = None print("[+] Opening {}".format(image)) if img_type == "ewf": try: filenames = pyewf.glob(image) except IOError: _, e, _ = sys.exc_info() print("[-] Invalid EWF format:\n {}".format(e)) sys.exit(2) ewf_handle = pyewf.handle() ewf_handle.open(filenames) # Open PYTSK3 handle on EWF Image img_info = EWFImgInfo(ewf_handle) else: img_info = pytsk3.Img_Info(image) # The above code is taken from the "Combining pyewf with pytsk3" section of # the python development page for pyewf try: if part_Type is not None: attr_ID = getattr(pytsk3, "TSK_VS_TYPE_" + part_Type) volume = pytsk3.Volume_Info(img_info, attr_ID) else: volume = pytsk3.Volume_Info(img_info) except IOError: _, e, _ = sys.exc_info() print("[-] Unable to read partition table:\n {}".format(e)) exit() finished_fileDict = open_FS(volume, img_info, hash_List, type_of_Hash, matched_Hash_Files, evidence_Dir, pbar_total) for hash_Value in hash_List: if hash_Value in finished_fileDict: print("value for %r in finished_fileDict: %r" % (hash_Value, finished_fileDict[hash_Value])) else: continue finished_evidenceDict = os_Hash_Check(evidence_Dir, hash_List, type_of_Hash) for hash_Value in hash_List: if hash_Value in finished_fileDict: print("value for %r in finished_evidenceDict: %r" % (hash_Value, finished_evidenceDict[hash_Value])) else: continue
def main(imgpath): img = pytsk3.Img_Info(imgpath) vol = pytsk3.Volume_Info(img) bs = vol.info.block_size for part in vol: try: mount(imgpath, part, bs) except Exception as e: print(e)
def main(imgs): for i in imgs: if os.path.exists(i): img = pytsk3.Img_Info(i) fs = pytsk3.FS_Info(img) fs_walk("/", fs) else: print "Unable to find %s" % i
def extractFile(imageFile,filenames): # vhdi_file = pyvhdi.file() # vhdi_file.open(imageFile) # img_info = vhdi_Img_Info(vhdi_file) # partitionTable = pytsk3.Volume_Info(img_info) if "vhd" in imageFile: vhdi_file = pyvhdi.file() vhdi_file.open(imageFile) img_info = vhdi_Img_Info(vhdi_file) partitionTable = pytsk3.Volume_Info(img_info) else: img_info = pytsk3.Img_Info(imageFile) partitionTable = pytsk3.Volume_Info(img_info) for partition in partitionTable: print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len # try: if 'NTFS' in partition.desc: filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512)) print "File System Type Dectected ",filesystemObject.info.ftype directoryObject = filesystemObject.open_dir(path=dirPath) print "Directory:",dirPath elif 'FAT32' in partition.desc: # Use DFIR tutorial example to deal with other partitions later on. filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512)) print "File System Type Dectected ",filesystemObject.info.ftype directoryObject = filesystemObject.open_dir(path=dirPath) print "Directory:",dirPath outputPath = 'Evidence_Package' for filename in filenames: if not os.path.exists(outputPath): os.makedirs(outputPath) if not os.path.isdir(str(filename)): try: # ex_path = ('%s/%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/') # ex_path = outputPath + os.sep + os.path.basename(str(filename)) ex_path = ('%s\%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/') extractFile = open(ex_path,'w') fileobject = filesystemObject.open(str(filename)) filedata = fileobject.read_random(0,fileobject.info.meta.size) extractFile.write(filedata) extractFile.close except IOError: print('cannot open', str(filename))
def parse_logical(options): tsk_img = pytsk3.Img_Info( options.source ) processor = VolumeProcessor( tsk_img, description=options.source, temp_location=options.temp_dir, output_template=options.output_template, dump_db=options.dump_db ) processor.process()
def get_partitions(self): partitions = [] with open(self.file_path) as imageFile: image_handle = pytsk3.Img_Info(imageFile.name) partition_table = pytsk3.Volume_Info(image_handle) for partition in partition_table: #print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len partitions.add(Partition(partition.addr, partition.desc, partition.start, partition.len))
def SelectImage(img_type, files): if img_type == "raw": if len(files) == 1: # For a single file this is faster. return pytsk3.Img_Info(files[0]) else: return SplitImage(*files) elif img_type == "ewf": # Instantiate our special image object return EWFImgInfo(*files)