def test03MultipleSources(self): """ Test that multiple images can be loaded on the same VFS """ pyflagsh.shell_execv(command="execute", argv=["Load Data.Load IO Data Source",'case=%s' % self.test_case, "iosource=second_image", "subsys=EWF", "filename=ntfs_image.e01" , ]) pyflagsh.shell_execv(command="execute", argv=["Load Data.Load Filesystem image",'case=%s' % self.test_case, "iosource=second_image", "fstype=Sleuthkit", "mount_point=/ntfsimage/"]) ## Try to read a file from the first source: fsfd = DBFS(self.test_case) fd = fsfd.open("/stdimage/dscf1081.jpg") m = hashlib.md5() m.update(fd.read()) self.assertEqual(m.hexdigest(),'11bec410aebe0c22c14f3eaaae306f46') ## Try to read a file from the second source: fd = fsfd.open("/ntfsimage/Books/80day11.txt") m = hashlib.md5() m.update(fd.read()) self.assertEqual(m.hexdigest(),'f5b394b5d0ca8c9ce206353e71d1d1f2')
def test03MultipleSources(self): """ Test that multiple images can be loaded on the same VFS """ pyflagsh.shell_execv( command="execute", argv=[ "Load Data.Load IO Data Source", "case=%s" % self.test_case, "iosource=second_image", "subsys=EWF", "filename=ntfs_image.e01", ], ) pyflagsh.shell_execv( command="execute", argv=[ "Load Data.Load Filesystem image", "case=%s" % self.test_case, "iosource=second_image", "fstype=Sleuthkit", "mount_point=/ntfsimage/", ], ) ## Try to read a file from the first source: fsfd = DBFS(self.test_case) fd = fsfd.open("/stdimage/dscf1081.jpg") m = hashlib.md5() m.update(fd.read()) self.assertEqual(m.hexdigest(), "11bec410aebe0c22c14f3eaaae306f46") ## Try to read a file from the second source: fd = fsfd.open("/ntfsimage/Books/80day11.txt") m = hashlib.md5() m.update(fd.read()) self.assertEqual(m.hexdigest(), "f5b394b5d0ca8c9ce206353e71d1d1f2")
def test01RunScanners(self): """ Running Logical Index Scanner """ ## Make sure the word secret is in there. pdbh = DB.DBO() pdbh.execute("select * from dictionary where word='secret' limit 1") row = pdbh.fetch() if not row: pdbh.insert('dictionary', **{'word':'secret', 'class':'English', 'type':'word'}) env = pyflagsh.environment(case=self.test_case) pyflagsh.shell_execv(env=env, command="scan", argv=["*",'IndexScan']) dbh = DB.DBO(self.test_case) dbh2 = DB.DBO(self.test_case) fsfd = DBFS(self.test_case) dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB,config.FLAGDB)) count = 0 for row in dbh: count += 1 path, inode, inode_id = fsfd.lookup(inode_id = row['inode_id']) fd = fsfd.open(inode=inode) fd.overread = True fd.slack = True fd.seek(row['offset']) data = fd.read(row['length']) print "Looking for %s: Found in %s at offset %s length %s %r" % ( row['word'], inode, row['offset'], row['length'],data) self.assertEqual(data.lower(), row['word'].lower()) ## Did we find all the secrets? self.assertEqual(count,2)
def run(self,case, inode, scanners, *args): factories = Scanner.get_factories(case, scanners.split(",")) if factories: ddfs = DBFS(case) fd = ddfs.open(inode = inode) Scanner.scanfile(ddfs, fd, factories) fd.close()
class SKFSTests2(tests.FDTest): """ Test Sleuthkit file like object for compressed files """ test_case = "PyFlagNTFSTestCase" test_file = "/Books/80day11.txt" def setUp(self): self.fs = DBFS(self.test_case) self.fd = self.fs.open(self.test_file)
def get_evidence_tz_name(case, fd): """ return the name of the timezone for the given piece of evidence """ try: tz = fd.gettz() return tz except AttributeError: pass ## fd is not an a File descendant, it could be a cached file ddfs = DBFS(case) fd2 = ddfs.open(inode = basename(fd.name)) return fd2.gettz()
class FDTest(unittest.TestCase): ## These must be overridden with a file which is at least 100 ## bytes long test_case = "" test_inode = "" def setUp(self): self.fs = DBFS(self.test_case) self.fd = self.fs.open(inode=self.test_inode) def test01HaveValidSize(self): """ Test for valid size """ self.assert_(self.fd, "No fd found") size = self.fd.size ## Go to the end: self.fd.seek(0, 2) self.assert_(size != 0, "Size is zero") self.assertEqual(self.fd.tell(), size, "Seek to end of file does not agree with size") def test02ReadingTests(self): """ Test reading ranges """ ## Note we assume the file is at least 100 bytes long... self.fd.seek(0) data = self.fd.read(100) self.assertEqual( len(data), 100, "Data length read does not agree with read - or file too short?") self.assertEqual(self.fd.tell(), 100, "Seek after read does not agree") ## Check seeking and reading: self.fd.seek(50, 0) self.assertEqual(self.fd.tell(), 50) self.assertEqual(data[50:], self.fd.read(50), "Seek and read does not agree") def test03SeekingTests(self): """ Test seeking """ self.fd.seek(50) self.assertEqual(self.fd.tell(), 50, "Absolute Seek does not agree with tell") ## Relative seeking: self.fd.seek(50, 1) self.assertEqual(self.fd.tell(), 100, "Relative seek does not agree") ## Seeking before the start of file should raise self.assertRaises(IOError, lambda: self.fd.seek(-5000, 1)) ## Check that a read at the end returns zero: self.fd.seek(0, 2) self.assertEqual(self.fd.read(), '', "Read data past end of file")
class FDTest(unittest.TestCase): ## These must be overridden with a file which is at least 100 ## bytes long test_case = "" test_inode = "" def setUp(self): self.fs = DBFS(self.test_case) self.fd = self.fs.open(inode=self.test_inode) def test01HaveValidSize(self): """ Test for valid size """ self.assert_(self.fd,"No fd found") size=self.fd.size ## Go to the end: self.fd.seek(0,2) self.assert_(size != 0, "Size is zero") self.assertEqual(self.fd.tell(),size,"Seek to end of file does not agree with size") def test02ReadingTests(self): """ Test reading ranges """ ## Note we assume the file is at least 100 bytes long... self.fd.seek(0) data = self.fd.read(100) self.assertEqual(len(data),100, "Data length read does not agree with read - or file too short?") self.assertEqual(self.fd.tell(),100, "Seek after read does not agree") ## Check seeking and reading: self.fd.seek(50,0) self.assertEqual(self.fd.tell(), 50) self.assertEqual(data[50:], self.fd.read(50), "Seek and read does not agree") def test03SeekingTests(self): """ Test seeking """ self.fd.seek(50) self.assertEqual(self.fd.tell(),50,"Absolute Seek does not agree with tell") ## Relative seeking: self.fd.seek(50,1) self.assertEqual(self.fd.tell(),100,"Relative seek does not agree") ## Seeking before the start of file should raise self.assertRaises(IOError, lambda : self.fd.seek(-5000,1)) ## Check that a read at the end returns zero: self.fd.seek(0,2) self.assertEqual(self.fd.read(),'', "Read data past end of file")
class NTFSTests(unittest.TestCase): """ Sleuthkit NTFS Support """ order = 1 test_case = "PyFlagNTFSTestCase" def test01LoadNTFSFileSystem(self): """ Test Loading of NTFS Filesystem """ pyflagsh.shell_execv(command="execute", argv=["Case Management.Remove case",'remove_case=%s' % self.test_case]) pyflagsh.shell_execv(command="execute", argv=["Case Management.Create new case",'create_case=%s' % self.test_case]) pyflagsh.shell_execv(command="execute", argv=["Load Data.Load IO Data Source",'case=%s' % self.test_case, "iosource=test", "subsys=EWF", "filename=ntfs_image.e01", ]) pyflagsh.shell_execv(command="execute", argv=["Load Data.Load Filesystem image",'case=%s' % self.test_case, "iosource=test", "fstype=Sleuthkit", "mount_point=/"]) dbh = DB.DBO(self.test_case) dbh.execute("select count(*) as count from inode") row = dbh.fetch() self.assertEqual(row['count'],140) dbh.execute("select count(*) as count from file") row = dbh.fetch() self.assertEqual(row['count'],153) def test02ReadNTFSFile(self): """ Test reading a regular NTFS file """ self.fsfd = DBFS(self.test_case) ## This file is Images/250px-Holmes_by_Paget.jpg fd = self.fsfd.open(inode='Itest|K33-128-4') data = fd.read() m = hashlib.md5() m.update(data) self.assertEqual(m.hexdigest(),'f9c4ea83dfcdcf5eb441e130359f4a0d') def test03ReadNTFSCompressed(self): """ Test reading a compressed NTFS file """ self.fsfd = DBFS(self.test_case) fd = self.fsfd.open("/Books/80day11.txt") m = hashlib.md5() m.update(fd.read()) self.assertEqual(m.hexdigest(),'f5b394b5d0ca8c9ce206353e71d1d1f2') def test04LocatingNTFS_ADS(self): """ Test for finding ADS files """ ## Do type scanning: env = pyflagsh.environment(case=self.test_case) pyflagsh.shell_execv(env=env, command="scan", argv=["*",'TypeScan']) dbh = DB.DBO(self.test_case) dbh.execute('select type.type from type,inode where type.inode_id=inode.inode_id and type like "%executable%" and inode.inode like "%33-128-7%"') row = dbh.fetch() self.assert_(row, "Executable within ADS was not found???")