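def GetConfigFile(session):
    """Gets the configuration stored in the config file.

    Searches for the config file in reasonable locations. The first
    candidate that can be opened and decoded is used and the search stops
    there; later candidates are not merged in.

    Security-relevant behaviour: ".rekallrc" in the current working
    directory is tried before the home directory and /etc, and whichever
    file is loaded may set environment variables for this process through
    its "environment" key. A .rekallrc sitting in a working directory the
    analyst does not control (for example an unpacked evidence tree)
    therefore takes effect ahead of the user's own file.

    Return:
      configuration stored in the config file. If the file is not found,
      returns an empty configuration.
    """
    search_path = [
        # Next to the main binary (in case of pyinstaller - rekall.exe).
        os.path.join(os.path.dirname(sys.executable), ".rekallrc"),
        ".rekallrc",   # Current directory.
        # Home directory overrides system.
        os.path.join(GetHomeDir(session), ".rekallrc"),
        "/etc/rekallrc",
    ]

    for path in search_path:
        try:
            with open(path, "rb") as fd:
                # The read is capped at 10 MB so an oversized file cannot
                # be pulled into memory whole.
                # NOTE(review): yaml_utils.decode is defined elsewhere;
                # confirm it uses a safe YAML loader, since this file can
                # come from the current directory.
                result = yaml_utils.decode(fd.read(1000*1000*10)) or {}

            # A file whose top level is a list or a scalar has no .get();
            # skip it instead of failing with AttributeError below.
            if not hasattr(result, "get"):
                logging.warning(
                    "Ignoring %s: top level is not a mapping", path)
                continue

            logging.debug("Loaded configuration from %s", path)

            # Allow the config file to update the
            # environment. This is handy in standalone deployment
            # where one can update %HOME% and ensure Rekall does
            # not touch the drive.
            # "or {}" covers an "environment:" key with no value, which
            # decodes to None and would otherwise break update().
            os.environ.update(result.get("environment") or {})

            return result

        except (IOError, ValueError):
            # Missing, unreadable or undecodable candidate: try the next.
            pass

    return {}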
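def _parse_physical_memory_metadata(self, session, image_urn):
    """Copy selected fields of the image's information.yaml into the session.

    information.yaml is read from the AFF4 volume being opened, so its
    content is supplied by the image rather than by the user. Only the
    session parameters listed in self._parameter can be set from it, and a
    parameter the user has already set is never overwritten. Values are
    stored as decoded, without further validation here.

    Args:
      session: the session whose cache receives the values.
      image_urn: URN of the image; "information.yaml" is appended to it.
    """
    try:
        with self.resolver.AFF4FactoryOpen(
                image_urn.Append("information.yaml")) as fd:
            # The read is capped (10,000,000 bytes) to bound memory use.
            metadata = yaml_utils.decode(fd.read(10000000))

            for session_param, info_para in self._parameter:
                # Allow the user to override the AFF4 file.
                if session.HasParameter(session_param):
                    continue

                # Walk the dotted path (e.g. "a.b.c") through nested
                # mappings.
                tmp = metadata
                value = None
                for key in info_para.split("."):
                    # An empty document, or a scalar/list where a mapping
                    # was expected, means the path does not resolve; treat
                    # it as absent rather than raising AttributeError on
                    # image-supplied data.
                    if not hasattr(tmp, "get"):
                        value = None
                        break

                    value = tmp.get(key)
                    if value is None:
                        break

                    tmp = value

                if value is not None:
                    session.SetCache(session_param, value, volatile=False)

    except IOError:
        session.logging.info(
            "AFF4 volume does not contain %s/information.yaml" % image_urn)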
def _load_yml(self, yml_path):
    """Load the metadata file at yml_path and register its readable runs.

    The decoded document is kept on self.pmem_metadata, and every run that
    self._get_readable_runs() derives from its "records" entry is passed
    to self.add_run().
    """
    # NOTE(review): the whole file is read with no size cap and the
    # decoded document is not checked before "records" is indexed; if the
    # metadata file can come from an untrusted acquisition, confirm that
    # callers handle a missing key or an oversized file.
    with open(yml_path) as handle:
        raw_text = handle.read()

    decoded = yaml_utils.decode(raw_text)
    self.pmem_metadata = decoded

    readable_runs = self._get_readable_runs(decoded["records"])
    for run in readable_runs:
        self.add_run(*run)