def _attributes(self):
attr = VMap()
attr.thisown = False
nstart = Variant(self.startOff)
nstart.thisown = False
attr["start offset"] = nstart
return attr
def _attributes(self):
attr = VMap()
attr.thisown = False
for i in xrange(0, 2):
vmap = VMap()
vmap.thisown = False
name = ["segment 0 (norfs)", "segment 1 (nandfs)"]
vstart = Variant(self.boot.segment[i].start)
vstart.thisown = False
vmap["start offset"] = vstart
vend = Variant(self.boot.segment[i].end)
vend.thisown = False
vmap["end offset"] = vend
vsize = Variant(self.boot.segment[i].size)
vsize.thisown = False
vmap["size"] = vsize
verasesize = Variant(self.boot.segment[i].erasesize)
verasesize.thisown = False
vmap["erse block size"] = verasesize
vblocksize = Variant(self.boot.segment[i].blocksize)
vblocksize.thisown = False
vmap["block size"] = vblocksize
v = Variant(vmap)
v.thisown = False
attr[name[i]] = v
return attr
def _attributes(self):
vt = vtime(long(self.timestamp/1e6), TIME_UNIX)
vt.thisown = False
v_vt = Variant(vt)
#v_profile_dir = Variant(self.profile_dir())
v_data = Variant(self.data)
v_data1 = Variant(self.data1)
v_data2 = Variant(self.data2)
v_data3 = Variant(self.data3)
v_data4 = Variant(self.data4)
v_vt.thisown = False
#v_profile_dir.thisown = False
v_data.thisown = False
v_data1.thisown = False
v_data2.thisown = False
v_data3.thisown = False
v_data4.thisown = False
attr = VMap()
attr.thisown = False
#attr["profile directory"] = v_profile_dir
if (self.browser == 'firefox'):
if(self.extract == 'history'):
attr['accessed'] = v_vt
attr['visit count'] = v_data
attr['typed'] = v_data1
return attr
elif(self.extract == 'cookies'):
attr['name'] = v_data2
attr['cookie'] = v_data3
attr['accessed'] = v_vt
return attr
elif(self.extract == 'downloads'):
attr['url'] = v_data2
attr['location'] = v_data3
#attr['start'] = v_data2
attr['finished'] = v_vt
return attr
elif(self.extract == 'signons'):
attr['username'] = v_data2
attr['password'] = v_data3
return attr
elif(self.extract == 'formhistory'):
attr['input'] = v_data2
attr['times used'] = v_data3
attr['last used'] = v_vt
return attr
def getKeyAttributes(self, attr):
vmap = VMap()
vmap.thisown = False
try:
self.hive.seek(self.keyoffset)
keybuff = self.hive.read(0x50)
except vfsError, e:
print "Base block read Magic ERROR"
def attributes(self, node):
m = VMap()
hashes = self.calculatedHash[long(node.this)]
for h in hashes.iterkeys():
v = Variant(hashes[str(h)])
v.thisown = False
m[str(h)] = v
m.thisown = False
return m
def _attributes(self):
vt = vtime(long(self.timestamp / 1e6), TIME_UNIX)
vt.thisown = False
v_vt = Variant(vt)
#v_profile_dir = Variant(self.profile_dir())
v_data = Variant(self.data)
v_data1 = Variant(self.data1)
v_data2 = Variant(self.data2)
v_data3 = Variant(self.data3)
v_data4 = Variant(self.data4)
v_vt.thisown = False
#v_profile_dir.thisown = False
v_data.thisown = False
v_data1.thisown = False
v_data2.thisown = False
v_data3.thisown = False
v_data4.thisown = False
attr = VMap()
attr.thisown = False
#attr["profile directory"] = v_profile_dir
if (self.browser == 'firefox'):
if (self.extract == 'history'):
attr['accessed'] = v_vt
attr['visit count'] = v_data
attr['typed'] = v_data1
return attr
elif (self.extract == 'cookies'):
attr['name'] = v_data2
attr['cookie'] = v_data3
attr['accessed'] = v_vt
return attr
elif (self.extract == 'downloads'):
attr['url'] = v_data2
attr['location'] = v_data3
#attr['start'] = v_data2
attr['finished'] = v_vt
return attr
elif (self.extract == 'signons'):
attr['username'] = v_data2
attr['password'] = v_data3
return attr
elif (self.extract == 'formhistory'):
attr['input'] = v_data2
attr['times used'] = v_data3
attr['last used'] = v_vt
return attr
def _attributes(self):
attr = VMap()
attr.thisown = False
self.getKeyAttributes(attr)
self.getValuesAttributes(attr)
vt = Variant(self.createdTime())
vt.thisown = False
attr['created'] = vt
return attr
def _attributes(self):
attr = VMap()
attr.thisown = False
ps = Variant(self.pageSize)
ps.thisown = False
attr["page size"] = ps
sps = Variant(self.spareSize)
sps.thisown = False
attr["spare size"] = sps
return attr
def _attributes(self):
attr = VMap()
attr.thisown = False
fatstart = Variant(self.partTable.start)
fatstart.thisown = False
attr["partition start"] = fatstart
blocksize = Variant(self.partTable.blocksize)
blocksize.thisown = False
attr["blocksize"] = blocksize
size = Variant(self.partTable.size)
size.thisown = False
attr["size in block"] = size
return attr
def attributes(self, node): #metaexif.status(decoding exif')
attr = VMap()
attr.thisown = False
file = node.open()
tags = EXIF.process_file(file)
if len(tags) == 0:
v = Variant("no exif")
v.thisown = 0
attr["info"] = v
return attr
else:
sortedTags = {}
for tag in tags.keys():
if tag not in ('JPEGThumbnail', 'TIFFThumbnail', 'Filename', 'EXIF MakerNote'):
spaceidx = tag.find(" ")
ifd = tag[:spaceidx].strip()
if ifd == "Image":
ifd = "IFD 0 (Image)"
if ifd == "Thumbnail":
ifd = "IFD 1 (Thumbnail)"
key = tag[spaceidx:].strip()
val = None
if tags[tag].tag in dateTimeTags:
# Try converting from usual string format to vtime, or to string
# if it fails.
try:
vt = time.strptime(str(tags[tag]), '%Y:%m:%d %H:%M:%S')
val = vtime(vt.tm_year, vt.tm_mon, vt.tm_mday, vt.tm_hour, vt.tm_min, vt.tm_sec, 0)
val.thisown = False
except ValueError:
pass
if not val:
try:
val = str(tags[tag])
except:
val = "cannot be decoded"
if ifd not in sortedTags.keys():
sortedTags[ifd] = []
sortedTags[ifd].append((key, val))
for ifd in sortedTags.keys():
m = VMap()
m.thisown = 0
for res in sortedTags[ifd]:
v = Variant(res[1])
v.thisown = False
m[res[0]] = v
vv = Variant(m)
vv.thisown = False
attr[ifd] = vv
return attr
def _attributes(self):
i = 1
attr = VMap()
attr.thisown = False
vlist = VList()
vlist.thisown = False
for f in self.files:
node = f.value()
cattr = Variant(node.absolute())
cattr.thisown = False
vlist.append(cattr)
vvlist = Variant(vlist)
vvlist.thisown = False
attr["concatanated files (ordered)"] = vvlist
return attr
def _attributes(self):
attr = VMap()
attr.thisown = False
vmap = VMap()
vmap.thisown = False
for t in self.tables.map:
v = Variant(hex(self.tables.map[t].write))
v.thisown = False
vmap[hex(t)] = v
m = Variant(vmap)
m.thisown = False
attr["tables"] = m
al = Variant(self.aalloc)
al.thisown = False
attr["reallocated blocks"] = al
return attr
def __split(self, root, chunksize):
nodesize = self.origin.size()
chunks = nodesize / chunksize
vchunks = Variant(chunks)
vchunks.thisown = False
vmap = VMap()
vmap.thisown = False
vmap["complete chunks"] = vchunks
for idx in xrange(0, chunks * chunksize, chunksize):
snode = SplitNode(self, root, self.origin, idx, chunksize)
lastchunk = nodesize % chunksize
if lastchunk != 0:
snode = SplitNode(self, root, self.origin, self.origin.size() - lastchunk, lastchunk)
vtruncated = Variant(lastchunk)
vtruncated.thisown = False
vmap["truncated chunk (size)"] = vtruncated
vvmap = Variant(vmap)
vvmap.thisown = False
self.res[str(chunksize) + " bytes split"] = vvmap
def readSKBuffer(self, secmap, size):
try:
skcontentbuff = self.hive.read(20)
skstruct = struct.unpack("<BBHIIII", skcontentbuff)
skmap = VMap()
skmap.thisown = False
vrev = Variant(skstruct[0])
vrev.thisown = False
skmap["Revision"] = vrev
vsbz = Variant(skstruct[1])
vsbz.thisown = False
skmap["SBZ"] = vsbz
vcontrol = Variant(skstruct[2])
vcontrol.thisown = False
skmap["Control"] = vcontrol
vowneroff = Variant(skstruct[3])
vowneroff.thisown = False
skmap["Owner offset"] = vowneroff
vgroupoff = Variant(skstruct[4])
vgroupoff.thisown = False
skmap["Group offset"] = vgroupoff
vsacloff = Variant(skstruct[5])
vsacloff.thisown = False
skmap["SACL offset"] = vsacloff
vdacloff = Variant(skstruct[6])
vdacloff.thisown = False
skmap["DACL offset"] = vdacloff
skdata = size - 20
#TODO read & parse skdata
v = Variant(skmap)
v.thisown = False
secmap["SK data header"] = v
except vfsError, e:
print "Base block read Magic ERROR"
def readSecurityDescriptor(self, offset, vmap):
try:
self.hive.seek(offset)
skbuff = self.hive.read(24)
skstruct = struct.unpack("<IHHIIII", skbuff)
secmap = VMap()
secmap.thisown = False
vhead = Variant(skstruct[0])
vhead.thisown = False
secmap["head"] = vhead
vmagic = Variant(skstruct[1])
vmagic.thisown = False
secmap["magic"] = vmagic
vuk = Variant(skstruct[2])
vuk.thisown = False
secmap["Unknown"] = vuk
vprevsk = Variant(skstruct[3])
vprevsk.thisown = False
secmap["Point to previous SK"] = vprevsk
vnextsk = Variant(skstruct[4])
vnextsk.thisown = False
secmap["Point to next SK"] = vnextsk
vrefcount = Variant(skstruct[5])
vrefcount.thisown = False
secmap["Reference count"] = vrefcount
vsksize = Variant(skstruct[6])
vsksize.thisown = False
secmap["Size"] = vsksize
self.readSKBuffer(secmap, skstruct[6])
v = Variant(secmap)
v.thisown = False
vmap["Security descriptor"] = v
except vfsError, e:
print "Base block read Magic ERROR"
def startCarving(self):
selected = self.selector.selectedItems()
patterns = self.createContext(selected)
args = VMap()
args.thisown = False
args["patterns"] = patterns
args["file"] = self.vnode
startoff = Variant(self.offsetSpinBox.value(), typeId.UInt64)
startoff.thisown = False
args["start-offset"] = startoff
factor = round(float(self.filesize) / 2147483647)
self.startButton.setEnabled(False)
self.stopButton.setEnabled(True)
self.stopButton.setDown(False)
if factor == 0:
factor = 1
proc = self.tm.add("carver", args, ["gui", "thread"])
if proc:
self.doJob(self.filesize, factor, self.offsetSpinBox.value())
self.stateLayout.setEnabled(True)
self.connection(proc.inst)
proc.inst.connection(self)
def _attributes(self):
attr = VMap()
attr.thisown = False
if self.pid != None:
pidattr = Variant(self.pid)
pidattr.thisown = False
attr["pid"] = pidattr
if self.active_threads:
atattr = Variant(self.active_threads)
atattr.thisown = False
attr["threads"] = atattr
if self.inherited_from:
ifattr = Variant(self.inherited_from)
ifattr.thisown = False
attr["ppid"] = ifattr
if self.handle_count:
hcattr = Variant(self.handle_count)
hcattr.thisown = False
attr["handle count"] = hcattr
if self.connections:
cnattr = Variant(self.connections)
cnattr.thisown = False
attr["connection"] = cnattr
if self.create_time:
at = vtime()
at.thisown = False
d = datetime.fromtimestamp(self.create_time).timetuple()
at.year = d[0]
at.month = d[1]
at.day = d[2]
at.hour = d[3]
at.minute = d[4]
at.second = d[5]
at.usecond = 0
vat = Variant(at)
vat.thisown = False
attr["creation"] = vat
return attr
def readClassName(self, offset, classnamelen, vmap):
try:
self.hive.seek(offset)
head = self.hive.read(4)
cname = self.hive.read(classnamelen)
classmap = VMap()
classmap.thisown = False
vhead = Variant(head)
vhead.thisown = False
classmap["head"] = vhead
vname = Variant(cname)
vname.thisown = False
classmap["Name"] = vname
v = Variant(classmap)
v.thisown = False
vmap["Class name"] = v
except vfsError, e:
print "Base block read Magic ERROR"
def createContext(self, selected):
lpatterns = VList()
lpatterns.thisown = False
for filetype in selected.iterkeys():
patterns = selected[filetype][0]
aligned = selected[filetype][1]
for pattern in patterns:
vpattern = VMap()
vpattern.thisown = False
vfiletype = Variant(filetype, typeId.String)
vfiletype.thisown = False
vpattern["filetype"] = vfiletype
header = VMap()
header.thisown = False
val = Variant(pattern[0], typeId.String)
val.thisown = False
header["needle"] = val
val = Variant(len(pattern[0]), typeId.UInt32)
val.thisown = False
header["size"] = val
footer = VMap()
footer.thisown = False
val = Variant(pattern[1], typeId.String)
val.thisown = False
footer["needle"] = val
val = Variant(len(pattern[1]), typeId.UInt32)
val.thisown = False
footer["size"] = val
vheader = Variant(header)
vheader.thisown = False
vpattern["header"] = vheader
vfooter = Variant(footer)
vfooter.thisown = False
vpattern["footer"] = vfooter
vwindow = Variant(int(pattern[2]), typeId.UInt32)
vwindow.thisown = False
vpattern["window"] = vwindow
val = Variant(aligned, typeId.Bool)
val.thisown = False
vpattern["aligned"] = val
lpatterns.append(vpattern)
vpatterns = Variant(lpatterns)
vpatterns.thisown = False
return vpatterns
self.hive.seek(offset)
vbuff = self.hive.read(24)
except vfsError, e:
print "Base block read Magic ERROR"
vstruct = struct.unpack('<IHHHHIIHH', vbuff)
if vstruct[2] == 0:
name = "Default"
else:
try:
name = self.hive.read(vstruct[2])
except vfsError, e:
print "Base block read Magic ERROR"
vmap = VMap()
vmap.thisown = False
voffset = Variant(offset)
voffset.thisown = False
vmap["offset"] = voffset
vhead = Variant(vstruct[0])
vhead.thisown = False
vmap["head"] = vhead
vmagic = Variant(vstruct[1])
vmagic.thisown = False
vmap["magic"] = vmagic
vnamelen = Variant(vstruct[2])
vnamelen.thisown = False
def start(self, args):
patterns = VList()
patterns.thisown = False
if args.has_key("start-offset"):
startoff = args["start-offset"].value()
else:
startoff = 0
if args.has_key("block-aligned"):
aligned = True
else:
aligned = False
for mimetype in filetypes.keys():
if mimetype in args:
vsubtypes = args[mimetype].value()
for subtype in filetypes[mimetype].keys():
if subtype in vsubtypes:
pattern = VMap()
pattern.thisown = False
descr = filetypes[mimetype][subtype]
filetype = Variant(subtype, typeId.String)
filetype.thisown = False
for p in descr:
pattern["filetype"] = filetype
header = VMap()
header.thisown = False
val = Variant(p[0], typeId.String)
val.thisown = False
header["needle"] = val
val = Variant(len(p[0]), typeId.UInt32)
val.thisown = False
header["size"] = val
footer = VMap()
footer.thisown = False
val = Variant(p[1], typeId.String)
val.thisown = False
footer["needle"] = val
val = Variant(len(p[1]), typeId.UInt32)
val.thisown = False
footer["size"] = val
vheader = Variant(header)
vheader.thisown = False
pattern["header"] = vheader
vfooter = Variant(footer)
vfooter.thisown = False
pattern["footer"] = vfooter
pattern["window"] = Variant(int(p[2]), typeId.UInt32)
if aligned:
val = Variant(True, typeId.Bool)
val.thisown = False
pattern["aligned"] = val
else:
val = Variant(False, typeId.Bool)
val.thisown = False
pattern["aligned"] = val
patterns.append(pattern)
vpatterns = Variant(patterns)
vpatterns.thisown = False
margs = VMap()
margs.thisown = False
margs["patterns"] = vpatterns
margs["file"] = args["file"]
vstartoff = Variant(startoff, typeId.UInt64)
vstartoff.thisown = False
margs["start-offset"] = vstartoff
proc = self.tm.add("carver", margs, ["console"])
if proc:
proc.event.wait()
def _attributes(self):
vm = VMap()
vm.thisown = False
return vm