def testDataStreams(self): """Test the data streams functionality.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.number_of_data_streams, 1) data_stream_names = [] for data_stream in file_entry.data_streams: data_stream_names.append(data_stream.name) self.assertEqual(data_stream_names, ['']) path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.number_of_data_streams, 0) data_stream_names = [] for data_stream in file_entry.data_streams: data_stream_names.append(data_stream.name) self.assertEqual(data_stream_names, [])
def testIsFunctions(self): """Test the Is? functions.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertFalse(file_entry.IsRoot()) self.assertFalse(file_entry.IsVirtual()) self.assertTrue(file_entry.IsAllocated()) self.assertFalse(file_entry.IsDevice()) self.assertFalse(file_entry.IsDirectory()) self.assertTrue(file_entry.IsFile()) self.assertFalse(file_entry.IsLink()) self.assertFalse(file_entry.IsPipe()) self.assertFalse(file_entry.IsSocket()) path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertTrue(file_entry.IsRoot()) self.assertTrue(file_entry.IsVirtual()) self.assertTrue(file_entry.IsAllocated()) self.assertFalse(file_entry.IsDevice()) self.assertTrue(file_entry.IsDirectory()) self.assertFalse(file_entry.IsFile()) self.assertFalse(file_entry.IsLink()) self.assertFalse(file_entry.IsPipe()) self.assertFalse(file_entry.IsSocket())
def testComparable(self): """Tests the path specification comparable property.""" path_spec = vshadow_path_spec.VShadowPathSpec(parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join([ u'type: TEST', u'type: VSHADOW', u'']) self.assertEqual(path_spec.comparable, expected_comparable) path_spec = vshadow_path_spec.VShadowPathSpec( location=u'/vss2', parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join([ u'type: TEST', u'type: VSHADOW, location: /vss2', u'']) self.assertEqual(path_spec.comparable, expected_comparable) path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join([ u'type: TEST', u'type: VSHADOW, store index: 1', u'']) self.assertEqual(path_spec.comparable, expected_comparable) path_spec = vshadow_path_spec.VShadowPathSpec( location=u'/vss2', store_index=1, parent=self._path_spec) self.assertIsNotNone(path_spec) expected_comparable = u'\n'.join([ u'type: TEST', u'type: VSHADOW, location: /vss2, store index: 1', u'']) self.assertEqual(path_spec.comparable, expected_comparable)
def setUp(self): """Sets up the needed objects used throughout the test.""" test_file = os.path.join(u'test_data', u'image.qcow2') self._os_path_spec = os_path_spec.OSPathSpec(location=test_file) self._qcow_path_spec = qcow_path_spec.QcowPathSpec( parent=self._os_path_spec) self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=self._qcow_path_spec) self._tsk_path_spec = tsk_path_spec.TSKPathSpec( inode=16, location=u'/a_directory/another_file', parent=self._vshadow_path_spec) test_path = os.path.abspath(test_file).encode(u'utf8') self._json_dict = { u'__type__': u'PathSpec', u'type_indicator': u'TSK', u'location': u'/a_directory/another_file', u'inode': 16, u'parent': { u'__type__': u'PathSpec', u'type_indicator': u'VSHADOW', u'store_index': 1, u'parent': { u'__type__': u'PathSpec', u'type_indicator': u'QCOW', u'parent': { u'__type__': u'PathSpec', u'type_indicator': u'OS', u'location': test_path } } } }
def setUp(self): """Sets up the needed objects used throughout the test.""" test_file = os.path.join(u'test_data', u'vsstest.qcow2') path_spec = os_path_spec.OSPathSpec(location=test_file) path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec( location=u'/', parent=path_spec)
def setUp(self): """Sets up the needed objects used throughout the test.""" test_file = self._GetTestFilePath(['vsstest.qcow2']) path_spec = os_path_spec.OSPathSpec(location=test_file) path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=path_spec)
def _EntriesGenerator(self): """Retrieves directory entries. Since a directory can contain a vast number of entries using a generator is more memory efficient. Yields: A path specification (instance of path.VShadowPathSpec). """ # Only the virtual root file has directory entries. store_index = getattr(self.path_spec, u'store_index', None) if store_index is not None: return location = getattr(self.path_spec, u'location', None) if location is None or location != self._file_system.LOCATION_ROOT: return vshadow_volume = self._file_system.GetVShadowVolume() for store_index in range(0, vshadow_volume.number_of_stores): yield vshadow_path_spec.VShadowPathSpec( location=u'/vss{0:d}'.format(store_index + 1), store_index=store_index, parent=self.path_spec.parent)
def setUp(self): """Sets up the needed objects used throughout the test.""" test_file = os.path.join(u'test_data', u'image.qcow2') self._os_path_spec = os_path_spec.OSPathSpec(location=test_file) self._qcow_path_spec = qcow_path_spec.QcowPathSpec( parent=self._os_path_spec) self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=self._qcow_path_spec) self._tsk_path_spec = tsk_path_spec.TSKPathSpec( inode=16, location=u'/a_directory/another_file', parent=self._vshadow_path_spec) test_path = os.path.abspath(test_file).encode(u'utf8') test_path_length = len(test_path) if test_path_length < 228: self._proto_string = ( b'\n{0:s}\n{1:s}\n{2:s}' b'\x12\x02OS2{3:s}{4:s}' b'\x12\x04QCOW' b'\x12\x07VSHADOWX\x01' b'\x12\x03TSK(\x102\x19/a_directory/another_file').format( chr(test_path_length + 27), chr(test_path_length + 14), chr(test_path_length + 6), chr(test_path_length), test_path) self._proto = transmission_pb2.PathSpec() self._proto.ParseFromString(self._proto_string)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._resolver_context = context.Context() test_file = self._GetTestFilePath([u'vsstest.qcow2']) path_spec = os_path_spec.OSPathSpec(location=test_file) self._qcow_path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec( location=u'/', parent=self._qcow_path_spec)
def testGetParentFileEntry(self): """Tests the GetParentFileEntry function.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) parent_file_entry = file_entry.GetParentFileEntry() self.assertIsNotNone(parent_file_entry) path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) parent_file_entry = file_entry.GetParentFileEntry() self.assertIsNone(parent_file_entry)
def GetRootFileEntry(self): """Retrieves the root file entry. Returns: A file entry (instance of vfs.FileEntry). """ path_spec = vshadow_path_spec.VShadowPathSpec( location=self.LOCATION_ROOT, parent=self._path_spec.parent) return self.GetFileEntryByPathSpec(path_spec)
def GetRootFileEntry(self): """Retrieves the root file entry. Returns: VShadowFileEntry: file entry or None if not available. """ path_spec = vshadow_path_spec.VShadowPathSpec( location=self.LOCATION_ROOT, parent=self._path_spec.parent) return self.GetFileEntryByPathSpec(path_spec)
def testGetStat(self): """Test the get stat functionality.""" path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) stat_object = file_entry.GetStat() self.assertNotEqual(stat_object, None) self.assertEqual(stat_object.type, stat_object.TYPE_FILE)
def testGetParentFileEntry(self): """Test the get parent file entry functionality.""" path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertNotEqual(file_entry, None) parent_file_entry = file_entry.GetParentFileEntry() self.assertEqual(parent_file_entry, None)
def testOpenClose(self): """Test the open and close functionality.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_object = vshadow_file_io.VShadowFile(self._resolver_context, path_spec) file_object.Open() self.assertEqual(file_object.get_size(), 0x40000000) path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=13) file_object = vshadow_file_io.VShadowFile(self._resolver_context, path_spec) with self.assertRaises(errors.PathSpecError): file_object.Open() path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss1', parent=self._qcow_path_spec) file_object = vshadow_file_io.VShadowFile(self._resolver_context, path_spec) file_object.Open() self.assertEqual(file_object.get_size(), 0x40000000) path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss0', parent=self._qcow_path_spec) file_object = vshadow_file_io.VShadowFile(self._resolver_context, path_spec) with self.assertRaises(errors.PathSpecError): file_object.Open() path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss13', parent=self._qcow_path_spec) file_object = vshadow_file_io.VShadowFile(self._resolver_context, path_spec) with self.assertRaises(errors.PathSpecError): file_object.Open()
def testGetFileSystemTypeIndicators(self): """Tests the GetFileSystemTypeIndicators function on a .qcow2 file.""" test_file = self._GetTestFilePath(['vsstest.qcow2']) path_spec = os_path_spec.OSPathSpec(location=test_file) path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) path_spec = vshadow_path_spec.VShadowPathSpec(store_index=1, parent=path_spec) expected_type_indicators = [definitions.PREFERRED_NTFS_BACK_END] type_indicators = analyzer.Analyzer.GetFileSystemTypeIndicators( path_spec) self.assertEqual(type_indicators, expected_type_indicators)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._resolver_context = context.Context() test_file = os.path.join(u'test_data', u'vsstest.qcow2') path_spec = os_path_spec.OSPathSpec(location=test_file) self._qcow_path_spec = qcow_path_spec.QcowPathSpec(parent=path_spec) self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec( location=u'/', parent=self._qcow_path_spec) self._file_system = vshadow_file_system.VShadowFileSystem( self._resolver_context) self._file_system.Open(path_spec=self._vshadow_path_spec)
def testGetFileSystemTypeIndicators(self): """Function to test the get file system type indicators function.""" test_file = os.path.join(u'test_data', u'vsstest.qcow2') path_spec = os_path_spec.OSPathSpec(location=test_file) path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) path_spec = vshadow_path_spec.VShadowPathSpec(store_index=1, parent=path_spec) expected_type_indicators = [definitions.PREFERRED_NTFS_BACK_END] type_indicators = analyzer.Analyzer.GetFileSystemTypeIndicators( path_spec) self.assertEqual(type_indicators, expected_type_indicators)
def testFileEntryExistsByPathSpec(self): """Test the file entry exists by path specification functionality.""" file_system = vshadow_file_system.VShadowFileSystem(self._resolver_context) self.assertIsNotNone(file_system) file_system.Open(self._vshadow_path_spec) path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=self._qcow_path_spec) self.assertTrue(file_system.FileEntryExistsByPathSpec(path_spec)) path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) self.assertTrue(file_system.FileEntryExistsByPathSpec(path_spec)) path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss2', parent=self._qcow_path_spec) self.assertTrue(file_system.FileEntryExistsByPathSpec(path_spec)) path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=9) self.assertFalse(file_system.FileEntryExistsByPathSpec(path_spec)) path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss0', parent=self._qcow_path_spec) self.assertFalse(file_system.FileEntryExistsByPathSpec(path_spec)) path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss9', parent=self._qcow_path_spec) self.assertFalse(file_system.FileEntryExistsByPathSpec(path_spec)) file_system.Close()
def testInitialize(self): """Tests the path specification initialization.""" path_spec = vshadow_path_spec.VShadowPathSpec(parent=self._path_spec) self.assertIsNotNone(path_spec) path_spec = vshadow_path_spec.VShadowPathSpec( location=u'/vss2', parent=self._path_spec) self.assertIsNotNone(path_spec) path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=self._path_spec) self.assertIsNotNone(path_spec) path_spec = vshadow_path_spec.VShadowPathSpec( location=u'/vss2', store_index=1, parent=self._path_spec) self.assertIsNotNone(path_spec) with self.assertRaises(ValueError): _ = vshadow_path_spec.VShadowPathSpec(parent=None) with self.assertRaises(ValueError): _ = vshadow_path_spec.VShadowPathSpec( parent=self._path_spec, bogus=u'BOGUS')
def testScanForFileSystemVSS(self): """Test the ScanForFileSystem function on VSS.""" test_file = self._GetTestFilePath([u'vsstest.qcow2']) source_path_spec = os_path_spec.OSPathSpec(location=test_file) source_path_spec = qcow_path_spec.QCOWPathSpec(parent=source_path_spec) source_path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=source_path_spec) path_spec = self._source_scanner.ScanForFileSystem(source_path_spec) self.assertIsNotNone(path_spec) expected_type_indicator = definitions.PREFERRED_NTFS_BACK_END self.assertEqual(path_spec.type_indicator, expected_type_indicator)
def testRead(self): """Test the read functionality.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_object = vshadow_file_io.VShadowFile(self._resolver_context, path_spec) file_object.Open() self.assertEqual(file_object.get_size(), 0x40000000) file_object.seek(0x18e) expected_data = b'A disk read error occurred\x00\r\nBOOTMGR is missing' self.assertEqual(file_object.read(47), expected_data)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._resolver_context = context.Context() test_file = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_file) path_spec = os_path_spec.OSPathSpec(location=test_file) self._qcow_path_spec = qcow_path_spec.QCOWPathSpec(parent=path_spec) self._vshadow_path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=self._qcow_path_spec) self._file_system = vshadow_file_system.VShadowFileSystem( self._resolver_context) self._file_system.Open(self._vshadow_path_spec)
def testGetDataStream(self): """Tests the GetDataStream function.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) data_stream_name = '' data_stream = file_entry.GetDataStream(data_stream_name) self.assertIsNotNone(data_stream) self.assertEqual(data_stream.name, data_stream_name) data_stream = file_entry.GetDataStream('bogus') self.assertIsNone(data_stream)
def testGetStat(self): """Tests the GetStat function.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) stat_object = file_entry.GetStat() self.assertIsNotNone(stat_object) self.assertEqual(stat_object.type, stat_object.TYPE_FILE) self.assertEqual(stat_object.size, 1073741824) self.assertEqual(stat_object.crtime, 1386052668) self.assertEqual(stat_object.crtime_nano, 9190583)
def testScanForFileSystem(self): """Test the ScanForFileSystem() function.""" test_file = os.path.join(u'test_data', u'vsstest.qcow2') source_path_spec = os_path_spec.OSPathSpec(location=test_file) source_path_spec = qcow_path_spec.QcowPathSpec(parent=source_path_spec) source_path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=source_path_spec) path_spec = self._source_scanner.ScanForFileSystem(source_path_spec) self.assertNotEqual(path_spec, None) self.assertEqual(path_spec.type_indicator, definitions.TYPE_INDICATOR_TSK) test_file = os.path.join(u'test_data', u'mactime.body') source_path_spec = os_path_spec.OSPathSpec(location=test_file) path_spec = self._source_scanner.ScanForFileSystem(source_path_spec) self.assertEqual(path_spec, None)
def testSeek(self): """Test the seek functionality.""" path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_object = vshadow_file_io.VShadowFile(self._resolver_context) file_object.open(path_spec=path_spec) self.assertEqual(file_object.get_size(), 0x40000000) file_object.seek(0x1e0) self.assertEqual(file_object.get_offset(), 0x1e0) self.assertEqual(file_object.read(16), b'rl+Alt+Del to re') self.assertEqual(file_object.get_offset(), 0x1f0) file_object.seek(-40, os.SEEK_END) self.assertEqual(file_object.get_offset(), 0x3fffffd8) self.assertEqual(file_object.read(8), b'Press Ct') self.assertEqual(file_object.get_offset(), 0x3fffffe0) file_object.seek(3, os.SEEK_CUR) self.assertEqual(file_object.get_offset(), 0x3fffffe3) self.assertEqual(file_object.read(7), b'Alt+Del') self.assertEqual(file_object.get_offset(), 0x3fffffea) # Conforming to the POSIX seek the offset can exceed the file size # but reading will result in no data being returned. expected_offset = 0x40000000 + 100 file_object.seek(expected_offset, os.SEEK_SET) self.assertEqual(file_object.get_offset(), expected_offset) self.assertEqual(file_object.read(20), b'') with self.assertRaises(IOError): file_object.seek(-10, os.SEEK_SET) # On error the offset should not change. self.assertEqual(file_object.get_offset(), expected_offset) with self.assertRaises(IOError): file_object.seek(10, 5) # On error the offset should not change. self.assertEqual(file_object.get_offset(), expected_offset) file_object.close()
def testScanForFileSystem(self): """Test the ScanForFileSystem() function.""" test_file = os.path.join(u'test_data', u'vsstest.qcow2') source_path_spec = os_path_spec.OSPathSpec(location=test_file) source_path_spec = qcow_path_spec.QCOWPathSpec(parent=source_path_spec) source_path_spec = vshadow_path_spec.VShadowPathSpec( store_index=1, parent=source_path_spec) path_spec = self._source_scanner.ScanForFileSystem(source_path_spec) self.assertIsNotNone(path_spec) expected_type_indicator = definitions.PREFERRED_NTFS_BACK_END self.assertEqual(path_spec.type_indicator, expected_type_indicator) test_file = os.path.join(u'test_data', u'mactime.body') source_path_spec = os_path_spec.OSPathSpec(location=test_file) path_spec = self._source_scanner.ScanForFileSystem(source_path_spec) self.assertIsNone(path_spec)
def testSubFileEntries(self): """Test the sub file entries iteration functionality.""" path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=self._qcow_path_spec) file_entry = self._file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.number_of_sub_file_entries, 2) expected_sub_file_entry_names = ['vss1', 'vss2'] sub_file_entry_names = [] for sub_file_entry in file_entry.sub_file_entries: sub_file_entry_names.append(sub_file_entry.name) self.assertEqual(len(sub_file_entry_names), len(expected_sub_file_entry_names)) self.assertEqual(sorted(sub_file_entry_names), sorted(expected_sub_file_entry_names))
def testGetFileEntryByPathSpec(self): """Tests the GetFileEntryByPathSpec function.""" file_system = vshadow_file_system.VShadowFileSystem( self._resolver_context) self.assertIsNotNone(file_system) file_system.Open(self._vshadow_path_spec) path_spec = vshadow_path_spec.VShadowPathSpec( location='/', parent=self._qcow_path_spec) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.name, '') path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=1) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.name, 'vss2') path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss2', parent=self._qcow_path_spec) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNotNone(file_entry) self.assertEqual(file_entry.name, 'vss2') path_spec = vshadow_path_spec.VShadowPathSpec( parent=self._qcow_path_spec, store_index=9) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNone(file_entry) path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss0', parent=self._qcow_path_spec) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNone(file_entry) path_spec = vshadow_path_spec.VShadowPathSpec( location='/vss9', parent=self._qcow_path_spec) file_entry = file_system.GetFileEntryByPathSpec(path_spec) self.assertIsNone(file_entry) file_system.Close()