def LogLibraryVersions(log):
'''Log the versions of libraries used'''
log.info('Python version = {}'.format(sys.version))
log.info('Pytsk version = {}'.format(pytsk3.get_version()))
log.info('Pyewf version = {}'.format(pyewf.get_version()))
log.info('Pyvmdk version = {}'.format(pyvmdk.get_version()))
log.info('PyAFF4 version = {}'.format(
pyaff4._version.raw_versions()['version']))
def GetPyTSKVersion(self):
return pytsk3.get_version()
def LogLibraryVersions(log):
'''Log the versions of libraries used'''
log.info('Pytsk version = {}'.format(pytsk3.get_version()))
log.info('Pyewf version = {}'.format(pyewf.get_version()))
log.info('Pyvmdk version= {}'.format(pyvmdk.get_version()))
def main():
# commands and arguments
# argparse https://docs.python.org/3/library/argparse.html#module-argparse
parser = ArgumentParser(description="Extract the file slack spaces.")
parser.add_argument("image", metavar="disk image", nargs=1, action="store")
parser.add_argument(
"-e",
"--encoding",
default="",
help=
"Display slack space in LATIN-1 or Hex. Supported options 'latin-1', 'hex'.",
)
parser.add_argument(
"-t",
"--type",
required=True,
help=
"Type of the disk image. Currently supported options 'raw' and 'ewf'.",
)
parser.add_argument(
"-p",
"--pprint",
action="store_true",
help="Pretty print all found file slack spaces.",
)
# create a temporary dir for slacks
tmpdir = tempfile.TemporaryDirectory(prefix="slacks_")
parser.add_argument(
"-d",
"--dump",
action="store",
default=tmpdir.name,
help=
"Dump file slack spaces of each file in raw format to a directory if specified, by default temporary dir.",
)
parser.add_argument(
"-c",
"--csv",
action="store",
default=None,
help="Write file slacks information to a CSV file.",
)
parser.add_argument(
"-v",
"--verbose",
action="store_true",
default=False,
help="Control the verbosity of the output.",
)
parser.add_argument("--version", action="version", version="v0.2.10")
global arguments
arguments = parser.parse_args()
global all_slacks
all_slacks = []
if arguments.image is not None:
CWD = Path().cwd()
if not CWD.joinpath(arguments.image[0]).exists():
print(
f"The disk image '{arguments.image[0]}' is not found.",
file=sys.stderr,
)
sys.exit(1)
# print versions
print("SleuthKit lib version:", pytsk3.TSK_VERSION_STR)
print("Module pytsk3 version:", pytsk3.get_version())
print("Module pyewf version:", pyewf.get_version())
# open image
if arguments.image is not None:
if arguments.type == "raw":
img_handler = pytsk3.Img_Info(arguments.image[0])
elif arguments.type == "ewf":
print(arguments.image)
ewf_handle = pyewf.handle()
filenames = pyewf.glob(arguments.image[0])
ewf_handle.open(filenames)
img_handler = ewf.ewf_Img_Info(ewf_handle)
elif arguments.type == "aff":
print("Not Supported Yet ! ", file=sys.stderr)
sys.exit(1)
elif arguments.type not in ["raw", "ewf"]:
print("Not Supported Yet ! Only 'raw' and 'ewf'. ",
file=sys.stderr)
sys.exit(1)
# open the image volume for the partitions within it
try:
partition_table = pytsk3.Volume_Info(img_handler)
print_partition_table(partition_table)
except OSError as e:
# there is no Volume in the image.
print(
"Maybe there is no Volume in the provided disk image.\n",
e,
file=sys.stderr,
)
else:
for partition in partition_table:
if b"NTFS" in partition.desc:
# open the filesystem with offset set to the absolute offset of
# the beginning of the NTFS partition.
fs = pytsk3.FS_Info(img_handler,
offset=(partition.start * 512))
# The Cluster Size (blocksize) can be chosen when the volume is formatted.
global blocksize
blocksize = fs.info.block_size
print("NTFS Cluster size: ", blocksize, "in bytes.")
# get the sector size
global sector
sector = fs.info.dev_bsize
print("NTFS Sector size: ", sector, "in bytes.\n")
# open the directory node for recursiveness and enqueue all
# directories in image fs from the root dir "/"
queue_all_dirs = []
directory = fs.open_dir(path="/")
processing(
partition,
directory=directory,
queue=queue_all_dirs,
parent_names=["/"],
)
# pretty printing the all_slack files
if arguments.pprint:
pp = pprint.PrettyPrinter(indent=4)
pp.pprint(all_slacks)
# writing out file slack spaces into seperate files located in 'slacks' directory
if arguments.dump:
if arguments.verbose:
print(
f"{arguments.dump} is the temporary output dir for file slacks."
)
for s in all_slacks:
CWD = Path().cwd()
SLACKS_DIR = CWD.joinpath(arguments.dump)
SLACKS_DIR.mkdir(exist_ok=True)
file_slack_name = SLACKS_DIR.joinpath(s.get_s_name())
file_slack_name.write_bytes(s.get_s_bytes())
# print slack bytes with encoding 'latin-1', 'hex'.
if arguments.encoding is not None:
for s in all_slacks:
s_bytes = s.get_s_bytes()
if arguments.encoding == "latin-1":
print(s_bytes.decode("latin-1"))
elif arguments.encoding == "hex":
print(s_bytes.hex())
# handle csv argument
if arguments.csv is not None:
csv_filename = arguments.csv
if arguments.verbose:
print(f"Writing CSV report to '{arguments.csv}'.")
with open(csv_filename, "w", newline="") as csvfile:
fieldnames = [
"slack filename",
"slack size",
"partition address",
"MD5",
"SHA1",
"parent dirs",
]
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for s in all_slacks:
writer.writerow({
"slack filename": s.get_s_name(),
"slack size": s.get_s_size(),
"partition address": s.get_s_partition_addr(),
"MD5": s.get_s_md5(),
"SHA1": s.get_s_sha1(),
"parent dirs": s.get_s_dirs(),
})
tmpdir.cleanup()
def GetPyTSKVersion(self): return pytsk3.get_version()
