def testDataStreams(self):
"""Tests the data streams functionality."""
test_location = '/a_directory/another_file'
path_spec = tsk_path_spec.TSKPathSpec(inode=16,
location=test_location,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.number_of_data_streams, 1)
data_stream_names = []
for data_stream in file_entry.data_streams:
data_stream_names.append(data_stream.name)
self.assertEqual(data_stream_names, [''])
test_location = '/a_directory'
path_spec = tsk_path_spec.TSKPathSpec(inode=12,
location=test_location,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.number_of_data_streams, 0)
data_stream_names = []
for data_stream in file_entry.data_streams:
data_stream_names.append(data_stream.name)
self.assertEqual(data_stream_names, [])
def testGetDataStream(self):
"""Tests the retrieve data stream functionality."""
test_location = (
'\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
)
path_spec = tsk_path_spec.TSKPathSpec(inode=38,
location=test_location,
parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
data_stream_name = ''
data_stream = file_entry.GetDataStream(data_stream_name)
self.assertIsNotNone(data_stream)
self.assertEqual(data_stream.name, data_stream_name)
data_stream = file_entry.GetDataStream('bogus')
self.assertIsNone(data_stream)
test_location = '\\$Extend\\$RmMetadata\\$Repair'
path_spec = tsk_path_spec.TSKPathSpec(inode=28,
location=test_location,
parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
data_stream_name = '$Config'
data_stream = file_entry.GetDataStream(data_stream_name)
self.assertIsNotNone(data_stream)
self.assertEqual(data_stream.name, data_stream_name)
def testGetFileEntryByPathSpec(self):
"""Tests the GetFileEntryByPathSpec function."""
file_system = tsk_file_system.TSKFileSystem(self._resolver_context)
self.assertIsNotNone(file_system)
file_system.Open(self._tsk_path_spec)
path_spec = tsk_path_spec.TSKPathSpec(inode=15, parent=self._os_path_spec)
file_entry = file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
# There is no way to determine the file_entry.name without a location string
# in the path_spec or retrieving the file_entry from its parent.
path_spec = tsk_path_spec.TSKPathSpec(
inode=15, location='/password.txt', parent=self._os_path_spec)
file_entry = file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.name, 'password.txt')
path_spec = tsk_path_spec.TSKPathSpec(
inode=19, location='/bogus.txt', parent=self._os_path_spec)
file_entry = file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNone(file_entry)
file_system.Close()
def testIsFunctions(self):
"""Tests the Is? functions."""
test_location = '/a_directory/another_file'
path_spec = tsk_path_spec.TSKPathSpec(inode=16,
location=test_location,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertFalse(file_entry.IsRoot())
self.assertFalse(file_entry.IsVirtual())
self.assertTrue(file_entry.IsAllocated())
self.assertFalse(file_entry.IsDevice())
self.assertFalse(file_entry.IsDirectory())
self.assertTrue(file_entry.IsFile())
self.assertFalse(file_entry.IsLink())
self.assertFalse(file_entry.IsPipe())
self.assertFalse(file_entry.IsSocket())
test_location = '/a_directory'
path_spec = tsk_path_spec.TSKPathSpec(inode=12,
location=test_location,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertFalse(file_entry.IsRoot())
self.assertFalse(file_entry.IsVirtual())
self.assertTrue(file_entry.IsAllocated())
self.assertFalse(file_entry.IsDevice())
self.assertTrue(file_entry.IsDirectory())
self.assertFalse(file_entry.IsFile())
self.assertFalse(file_entry.IsLink())
self.assertFalse(file_entry.IsPipe())
self.assertFalse(file_entry.IsSocket())
path_spec = tsk_path_spec.TSKPathSpec(location='/',
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertTrue(file_entry.IsRoot())
self.assertFalse(file_entry.IsVirtual())
self.assertTrue(file_entry.IsAllocated())
self.assertFalse(file_entry.IsDevice())
self.assertTrue(file_entry.IsDirectory())
self.assertFalse(file_entry.IsFile())
self.assertFalse(file_entry.IsLink())
self.assertFalse(file_entry.IsPipe())
self.assertFalse(file_entry.IsSocket())
def testDataStream(self):
"""Tests the number_of_data_streams and data_streams properties."""
test_location = (
'\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
)
path_spec = tsk_path_spec.TSKPathSpec(inode=38,
location=test_location,
parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.number_of_data_streams, 1)
data_stream_names = []
for data_stream in file_entry.data_streams:
data_stream_names.append(data_stream.name)
self.assertEqual(data_stream_names, [''])
path_spec = tsk_path_spec.TSKPathSpec(
inode=36,
location='\\System Volume Information',
parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.number_of_data_streams, 0)
data_stream_names = []
for data_stream in file_entry.data_streams:
data_stream_names.append(data_stream.name)
self.assertEqual(data_stream_names, [])
test_location = '\\$Extend\\$RmMetadata\\$Repair'
path_spec = tsk_path_spec.TSKPathSpec(inode=28,
location=test_location,
parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.number_of_data_streams, 2)
data_stream_names = []
for data_stream in file_entry.data_streams:
data_stream_names.append(data_stream.name)
self.assertEqual(sorted(data_stream_names), sorted(['', '$Config']))
def testSubFileEntries(self):
"""Test the sub file entries iteration functionality."""
path_spec = tsk_path_spec.TSKPathSpec(
location=u'/', parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.number_of_sub_file_entries, 5)
# Note that passwords.txt~ is currently ignored by dfvfs, since
# its directory entry has no pytsk3.TSK_FS_META object.
expected_sub_file_entry_names = [
u'a_directory',
u'a_link',
u'lost+found',
u'passwords.txt',
u'$OrphanFiles']
sub_file_entry_names = []
for sub_file_entry in file_entry.sub_file_entries:
sub_file_entry_names.append(sub_file_entry.name)
self.assertEqual(
len(sub_file_entry_names), len(expected_sub_file_entry_names))
self.assertEqual(
sorted(sub_file_entry_names), sorted(expected_sub_file_entry_names))
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._resolver_context = context.Context()
test_file = self._GetTestFilePath(['ímynd.dd'])
self._os_path_spec = os_path_spec.OSPathSpec(location=test_file)
self._tsk_path_spec = tsk_path_spec.TSKPathSpec(
location='/', parent=self._os_path_spec)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
test_file = os.path.join(u'test_data', u'image.qcow2')
self._os_path_spec = os_path_spec.OSPathSpec(location=test_file)
self._qcow_path_spec = qcow_path_spec.QcowPathSpec(
parent=self._os_path_spec)
self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec(
store_index=1, parent=self._qcow_path_spec)
self._tsk_path_spec = tsk_path_spec.TSKPathSpec(
inode=16,
location=u'/a_directory/another_file',
parent=self._vshadow_path_spec)
test_path = os.path.abspath(test_file).encode(u'utf8')
test_path_length = len(test_path)
if test_path_length < 228:
self._proto_string = (
b'\n{0:s}\n{1:s}\n{2:s}'
b'\x12\x02OS2{3:s}{4:s}'
b'\x12\x04QCOW'
b'\x12\x07VSHADOWX\x01'
b'\x12\x03TSK(\x102\x19/a_directory/another_file').format(
chr(test_path_length + 27), chr(test_path_length + 14),
chr(test_path_length + 6), chr(test_path_length),
test_path)
self._proto = transmission_pb2.PathSpec()
self._proto.ParseFromString(self._proto_string)
def testReadADS(self):
"""Test the read functionality on an alternate data stream (ADS)."""
test_file = self._GetTestFilePath(['vsstest.qcow2'])
self._SkipIfPathNotExists(test_file)
path_spec = os_path_spec.OSPathSpec(location=test_file)
path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec)
path_spec = tsk_path_spec.TSKPathSpec(data_stream='$SDS',
inode=9,
location='\\$Secure',
parent=path_spec)
file_object = tsk_file_io.TSKFile(self._resolver_context)
file_object.open(path_spec=path_spec)
expected_buffer = (
b'H\n\x80\xb9\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
read_buffer = file_object.read(size=16)
self.assertEqual(read_buffer, expected_buffer)
file_object.seek(0x00040000, os.SEEK_SET)
read_buffer = file_object.read(size=16)
self.assertEqual(read_buffer, expected_buffer)
file_object.seek(0x000401a0, os.SEEK_SET)
expected_buffer = (
b'\xc3\xb4\xb1\x34\x03\x01\x00\x00\xa0\x01\x00\x00\x00\x00\x00\x00'
)
read_buffer = file_object.read(size=16)
self.assertEqual(read_buffer, expected_buffer)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
test_file = os.path.join(u'test_data', u'image.qcow2')
self._os_path_spec = os_path_spec.OSPathSpec(location=test_file)
self._qcow_path_spec = qcow_path_spec.QcowPathSpec(
parent=self._os_path_spec)
self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec(
store_index=1, parent=self._qcow_path_spec)
self._tsk_path_spec = tsk_path_spec.TSKPathSpec(
inode=16,
location=u'/a_directory/another_file',
parent=self._vshadow_path_spec)
test_path = os.path.abspath(test_file).encode(u'utf8')
self._json_dict = {
u'__type__': u'PathSpec',
u'type_indicator': u'TSK',
u'location': u'/a_directory/another_file',
u'inode': 16,
u'parent': {
u'__type__': u'PathSpec',
u'type_indicator': u'VSHADOW',
u'store_index': 1,
u'parent': {
u'__type__': u'PathSpec',
u'type_indicator': u'QCOW',
u'parent': {
u'__type__': u'PathSpec',
u'type_indicator': u'OS',
u'location': test_path
}
}
}
}
def GetParentFileEntry(self):
"""Retrieves the parent file entry.
Returns:
TSKFileEntry: parent file entry or None.
"""
location = getattr(self.path_spec, u'location', None)
if location is None:
return
parent_inode = self._parent_inode
parent_location = self._file_system.DirnamePath(location)
if parent_inode is None and parent_location is None:
return
if parent_location == u'':
parent_location = self._file_system.PATH_SEPARATOR
root_inode = self._file_system.GetRootInode()
if (parent_location == self._file_system.LOCATION_ROOT
or (parent_inode is not None and root_inode is not None
and parent_inode == root_inode)):
is_root = True
else:
is_root = False
parent_path_spec = getattr(self.path_spec, u'parent', None)
path_spec = tsk_path_spec.TSKPathSpec(inode=parent_inode,
location=parent_location,
parent=parent_path_spec)
return TSKFileEntry(self._resolver_context,
self._file_system,
path_spec,
is_root=is_root)
def testOpenCloseMFTEntry(self):
"""Test the open and close functionality using a MFT entry."""
path_spec = tsk_path_spec.TSKPathSpec(
inode=self._MFT_ENTRY_PASSWORDS_TXT, parent=self._os_path_spec)
file_object = tsk_file_io.TSKFile(self._resolver_context)
self._TestOpenCloseMFTEntry(path_spec, file_object)
def testGetFileEntryByPathSpec(self):
"""Tests the GetFileEntryByPathSpec function."""
path_spec = tsk_path_spec.TSKPathSpec(inode=15,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
def testGetBasePathSpecsRAW(self):
"""Tests the GetBasePathSpecs function on a RAW image."""
test_file = self._GetTestFilePath([u'ímynd.dd'])
test_scanner = volume_scanner.VolumeScanner()
test_os_path_spec = os_path_spec.OSPathSpec(location=test_file)
test_raw_path_spec = raw_path_spec.RawPathSpec(
parent=test_os_path_spec)
test_tsk_path_spec = tsk_path_spec.TSKPathSpec(
location=u'/', parent=test_raw_path_spec)
expected_base_path_specs = [test_tsk_path_spec.comparable]
base_path_specs = test_scanner.GetBasePathSpecs(test_file)
base_path_specs = [
base_path_spec.comparable for base_path_spec in base_path_specs
]
self.assertEqual(base_path_specs, expected_base_path_specs)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner.GetBasePathSpecs(None)
with self.assertRaises(errors.ScannerError):
test_scanner.GetBasePathSpecs(u'/bogus')
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._resolver_context = context.Context()
test_file = os.path.join(u'test_data', u'ímynd.dd')
self._os_path_spec = os_path_spec.OSPathSpec(location=test_file)
self._tsk_path_spec = tsk_path_spec.TSKPathSpec(
location=u'/', parent=self._os_path_spec)
def testGetStat(self):
"""Tests the GetStat function."""
test_location = (
'\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
)
path_spec = tsk_path_spec.TSKPathSpec(inode=38,
location=test_location,
parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
stat_object = file_entry.GetStat()
self.assertIsNotNone(stat_object)
self.assertEqual(stat_object.type, stat_object.TYPE_FILE)
self.assertEqual(stat_object.size, 65536)
self.assertEqual(stat_object.mode, 365)
self.assertEqual(stat_object.uid, 0)
self.assertEqual(stat_object.gid, 0)
self.assertEqual(stat_object.atime, 1386052509)
self.assertEqual(stat_object.atime_nano, 5023783)
self.assertEqual(stat_object.ctime, 1386052509)
self.assertEqual(stat_object.ctime_nano, 5179783)
self.assertEqual(stat_object.crtime, 1386052509)
self.assertEqual(stat_object.crtime_nano, 5023783)
self.assertEqual(stat_object.mtime, 1386052509)
self.assertEqual(stat_object.mtime_nano, 5179783)
def _TestRead(self, parent_path_spec):
"""Test the read functionality.
Args:
parent_path_spec (PathSpec): parent path specification.
"""
path_spec = tsk_path_spec.TSKPathSpec(inode=self._INODE_PASSWORDS_TXT,
location='/passwords.txt',
parent=parent_path_spec)
file_object = tsk_file_io.TSKFile(self._resolver_context)
file_object.open(path_spec=path_spec)
read_buffer = file_object.read()
expected_buffer = (b'place,user,password\n'
b'bank,joesmith,superrich\n'
b'alarm system,-,1234\n'
b'treasure chest,-,1111\n'
b'uber secret laire,admin,admin\n')
self.assertEqual(read_buffer, expected_buffer)
# TODO: add boundary scenarios.
file_object.close()
def testFileEntryExistsByPathSpec(self):
"""Test the file entry exists by path specification functionality."""
file_system = tsk_file_system.TSKFileSystem(self._resolver_context)
self.assertIsNotNone(file_system)
file_system.Open(self._tsk_path_spec)
path_spec = tsk_path_spec.TSKPathSpec(
inode=15, location='/password.txt', parent=self._os_path_spec)
self.assertTrue(file_system.FileEntryExistsByPathSpec(path_spec))
path_spec = tsk_path_spec.TSKPathSpec(
inode=19, location='/bogus.txt', parent=self._os_path_spec)
self.assertFalse(file_system.FileEntryExistsByPathSpec(path_spec))
file_system.Close()
def testGetStat(self):
"""Tests the GetStat function."""
test_location = '/a_directory/another_file'
path_spec = tsk_path_spec.TSKPathSpec(inode=16,
location=test_location,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
stat_object = file_entry.GetStat()
self.assertIsNotNone(stat_object)
self.assertEqual(stat_object.type, stat_object.TYPE_FILE)
self.assertEqual(stat_object.size, 22)
self.assertEqual(stat_object.mode, 384)
self.assertEqual(stat_object.uid, 151107)
self.assertEqual(stat_object.gid, 5000)
self.assertEqual(stat_object.atime, 1337961563)
self.assertFalse(hasattr(stat_object, 'atime_nano'))
self.assertEqual(stat_object.ctime, 1337961563)
self.assertFalse(hasattr(stat_object, 'ctime_nano'))
# EXT2 has no crtime timestamp.
self.assertFalse(hasattr(stat_object, 'crtime'))
self.assertFalse(hasattr(stat_object, 'crtime_nano'))
self.assertEqual(stat_object.mtime, 1337961563)
self.assertFalse(hasattr(stat_object, 'mtime_nano'))
def GetLinkedFileEntry(self):
"""Retrieves the linked file entry, e.g. for a symbolic link.
Returns:
TSKFileEntry: linked file entry or None.
"""
link = self._GetLink()
if not link:
return
# TODO: is there a way to determine the link inode number here?
link_inode = None
parent_path_spec = getattr(self.path_spec, u'parent', None)
path_spec = tsk_path_spec.TSKPathSpec(location=link,
parent=parent_path_spec)
root_inode = self._file_system.GetRootInode()
if (link == self._file_system.LOCATION_ROOT
or (link_inode is not None and root_inode is not None
and link_inode == root_inode)):
is_root = True
else:
is_root = False
return TSKFileEntry(self._resolver_context,
self._file_system,
path_spec,
is_root=is_root)
def testOpenCloseLocation(self):
"""Test the open and close functionality using a location."""
path_spec = tsk_path_spec.TSKPathSpec(location='/passwords.txt',
parent=self._os_path_spec)
file_object = tsk_file_io.TSKFile(self._resolver_context)
self._TestOpenCloseLocation(path_spec, file_object)
def testBackupTime(self):
"""Test the backup_time property."""
test_location = '/a_directory/another_file'
path_spec = tsk_path_spec.TSKPathSpec(inode=self._INODE_ANOTHER_FILE,
location=test_location,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNone(file_entry.backup_time)
def testDeletionTime(self):
"""Test the deletion_time property."""
test_location = '/a_directory/another_file'
path_spec = tsk_path_spec.TSKPathSpec(inode=16,
location=test_location,
parent=self._os_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry.deletion_time)
def testSeek(self):
"""Test the seek functionality."""
path_spec = tsk_path_spec.TSKPathSpec(
location='/a_directory/another_file',
inode=self._MFT_ENTRY_ANOTHER_FILE,
parent=self._os_path_spec)
file_object = tsk_file_io.TSKFile(self._resolver_context)
self._TestSeek(path_spec, file_object)
def testRead(self):
"""Test the read functionality."""
path_spec = tsk_path_spec.TSKPathSpec(
location='/passwords.txt',
inode=self._MFT_ENTRY_PASSWORDS_TXT,
parent=self._os_path_spec)
file_object = tsk_file_io.TSKFile(self._resolver_context)
self._TestRead(path_spec, file_object)
def testReadADS(self):
"""Test the read functionality on an alternate data stream (ADS)."""
path_spec = tsk_path_spec.TSKPathSpec(data_stream='$SDS',
location='/$Secure',
inode=9,
parent=self._os_path_spec)
file_object = tsk_file_io.TSKFile(self._resolver_context)
self._TestReadADS(path_spec, file_object)
def testComparable(self):
"""Tests the path specification comparable property."""
path_spec = tsk_path_spec.TSKPathSpec(location=u'/test',
parent=self._path_spec)
self.assertNotEqual(path_spec, None)
expected_comparable = u'\n'.join(
[u'type: TEST', u'type: TSK, location: /test', u''])
self.assertEqual(path_spec.comparable, expected_comparable)
path_spec = tsk_path_spec.TSKPathSpec(data_stream=u'test',
location=u'/test',
parent=self._path_spec)
self.assertNotEqual(path_spec, None)
expected_comparable = u'\n'.join([
u'type: TEST', u'type: TSK, data stream: test, location: /test',
u''
])
self.assertEqual(path_spec.comparable, expected_comparable)
path_spec = tsk_path_spec.TSKPathSpec(inode=1, parent=self._path_spec)
self.assertNotEqual(path_spec, None)
expected_comparable = u'\n'.join(
[u'type: TEST', u'type: TSK, inode: 1', u''])
self.assertEqual(path_spec.comparable, expected_comparable)
path_spec = tsk_path_spec.TSKPathSpec(location=u'/test',
inode=1,
parent=self._path_spec)
self.assertNotEqual(path_spec, None)
expected_comparable = u'\n'.join(
[u'type: TEST', u'type: TSK, inode: 1, location: /test', u''])
self.assertEqual(path_spec.comparable, expected_comparable)
def testDeletionTime(self):
"""Test the deletion_time property."""
test_location = (
'\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
)
path_spec = tsk_path_spec.TSKPathSpec(inode=38,
location=test_location,
parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNone(file_entry.deletion_time)
def testAttributes(self):
"""Test the attributes functionality."""
test_location = (
u'\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}')
path_spec = tsk_path_spec.TSKPathSpec(
inode=38, location=test_location, parent=self._qcow_path_spec)
file_entry = self._file_system.GetFileEntryByPathSpec(path_spec)
self.assertIsNotNone(file_entry)
self.assertEqual(file_entry.number_of_attributes, 4)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._resolver_context = context.Context()
test_file = os.path.join(u'test_data', u'vsstest.qcow2')
path_spec = os_path_spec.OSPathSpec(location=test_file)
self._qcow_path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec)
self._tsk_path_spec = tsk_path_spec.TSKPathSpec(
location=u'\\', parent=self._qcow_path_spec)
self._file_system = tsk_file_system.TSKFileSystem(self._resolver_context)
self._file_system.Open(self._tsk_path_spec)