def testAddSpecification(self):
"""Function to test the AddSpecification function."""
store = specification.FormatSpecificationStore()
format_regf = specification.FormatSpecification(u'REGF')
format_regf.AddNewSignature(b'regf', offset=0)
format_esedb = specification.FormatSpecification(u'ESEDB')
format_esedb.AddNewSignature(b'\xef\xcd\xab\x89', offset=4)
store.AddSpecification(format_regf)
store.AddSpecification(format_esedb)
with self.assertRaises(KeyError):
store.AddSpecification(format_regf)
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# CPIO binary file big-endian signature.
format_specification.AddNewSignature(b'\x71\xc7', offset=0)
# CPIO binary file little-endian signature.
format_specification.AddNewSignature(b'\xc7\x71', offset=0)
# CPIO portable ASCII file signature.
format_specification.AddNewSignature(b'070707', offset=0)
# CPIO new ASCII file signature.
format_specification.AddNewSignature(b'070701', offset=0)
# CPIO new ASCII file with checksum signature.
format_specification.AddNewSignature(b'070702', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# FAT volume header signature.
format_specification.AddNewSignature(b'\x55\xaa', offset=510)
# NTFS file system signature.
format_specification.AddNewSignature(b'NTFS ', offset=3)
# HFS boot block signature.
format_specification.AddNewSignature(b'LK', offset=0)
# HFS master directory block signature.
format_specification.AddNewSignature(b'BD', offset=0)
# HFS+ file system signature.
format_specification.AddNewSignature(b'H+', offset=1024)
# HFSX file system signature.
format_specification.AddNewSignature(b'HX', offset=1024)
# Ext file system signature.
format_specification.AddNewSignature(b'\x53\xef', offset=1080)
# ISO9660 file system signature.
format_specification.AddNewSignature(b'CD001', offset=32769)
# YAFFS file system signature.
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# ZIP file signature.
format_specification.AddNewSignature(b'PK\x03\x04', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# VSS identifier (GUID).
format_specification.AddNewSignature(
b'\x6b\x87\x08\x38\x76\xc1\x48\x4e\xb7\xae\x04\x04\x6e\x6c\xc7\x52',
offset=7680)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# TAR file signature.
format_specification.AddNewSignature(b'ustar\x00', offset=257)
# Old TAR file signature.
format_specification.AddNewSignature(b'ustar\x20\x20\x00', offset=257)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# VHDI image signature in footer.
format_specification.AddNewSignature(b'conectix', offset=-512)
# VHDI image signature in copy of footer in differential
# or dynamic disk image.
format_specification.AddNewSignature(b'conectix', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# EWF version 1 signature and start of fields.
format_specification.AddNewSignature(b'EVF\x09\x0d\x0a\xff\x00\x01',
offset=0)
# EWF version 2 signature and major version.
format_specification.AddNewSignature(b'EVF2\r\n\x81\x00\x02', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# TODO: add support for signature chains so that we add the 'BZ' at
# offset 0.
# BZIP2 compressed steam signature.
format_specification.AddNewSignature(b'\x31\x41\x59\x26\x53\x59',
offset=4)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# BDE signature.
format_specification.AddNewSignature(b'-FVE-FS-', offset=3)
# BDE ToGo BDE identifier.
format_specification.AddNewSignature(
b'\x3b\xd6\x67\x49\x29\x2e\xd8\x4a\x83\x99\xf6\xa3\x39\xe3\xd0\x01',
offset=424)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# FVDE CoreStorage signature.
format_specification.AddNewSignature(b'CS', offset=88)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# XZ compressed steam signature.
format_specification.AddNewSignature(b'\xfd7zXZ\x00', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# APFS file system signature.
format_specification.AddNewSignature(b'APSB', offset=32)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# ZIP file signature.
format_specification.AddNewSignature(b'PK\x03\x04', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# VMDK descriptor file signature.
format_specification.AddNewSignature(b'# Disk DescriptorFile',
offset=0)
# VMDK sparse extent file signature.
format_specification.AddNewSignature(b'KDMV', offset=0)
# COWD sparse extent file signature.
format_specification.AddNewSignature(b'COWD', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# LVM signature.
format_specification.AddNewSignature(b'LABELONE', offset=0)
format_specification.AddNewSignature(b'LABELONE', offset=512)
format_specification.AddNewSignature(b'LABELONE', offset=1024)
format_specification.AddNewSignature(b'LABELONE', offset=1536)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# TAR file signature.
format_specification.AddNewSignature(b'ustar\x00', offset=257)
# Old TAR file signature.
format_specification.AddNewSignature(b'ustar\x20\x20\x00', offset=257)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# Virtual Hard Disk version 1 (VHD) signature in footer.
format_specification.AddNewSignature(b'conectix', offset=-512)
# Virtual Hard Disk version 2 (VHDX) signature in file information.
format_specification.AddNewSignature(b'vhdxfile', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# GPT signature.
format_specification.AddNewSignature(b'EFI PART', offset=512)
format_specification.AddNewSignature(b'EFI PART', offset=1024)
format_specification.AddNewSignature(b'EFI PART', offset=2048)
format_specification.AddNewSignature(b'EFI PART', offset=4096)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification."""
format_specification = specification.FormatSpecification(
self.type_indicator)
# QCOW version 1 signature and version.
format_specification.AddNewSignature(b'QFI\xfb\x00\x00\x00\x01',
offset=0)
# QCOW version 2 signature and version.
format_specification.AddNewSignature(b'QFI\xfb\x00\x00\x00\x02',
offset=0)
# QCOW version 3 signature and version.
format_specification.AddNewSignature(b'QFI\xfb\x00\x00\x00\x03',
offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# FAT volume header signature.
format_specification.AddNewSignature(b'\x55\xaa', offset=510)
if definitions.PREFERRED_NTFS_BACK_END == self.TYPE_INDICATOR:
# NTFS file system signature.
format_specification.AddNewSignature(b'NTFS ', offset=3)
# HFS boot block signature.
format_specification.AddNewSignature(b'LK', offset=0)
# HFS master directory block signature.
format_specification.AddNewSignature(b'BD', offset=0)
# HFS+ file system signature.
format_specification.AddNewSignature(b'H+', offset=1024)
# HFSX file system signature.
format_specification.AddNewSignature(b'HX', offset=1024)
# Ext file system signature.
format_specification.AddNewSignature(b'\x53\xef', offset=1080)
# ISO9660 file system signature.
format_specification.AddNewSignature(b'CD001', offset=32769)
# YAFFS file system signature.
# Btrfs file system signature.
format_specification.AddNewSignature(b'_BHRfS_M', offset=65600)
# xfs file system signature.
format_specification.AddNewSignature(b'XFSB', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# QCOW version 1 signature and version.
format_specification.AddNewSignature(b'QFI\xfb\x00\x00\x00\x01', offset=0)
# QCOW version 2 signature and version.
format_specification.AddNewSignature(b'QFI\xfb\x00\x00\x00\x02', offset=0)
# QCOW version 3 signature and version.
format_specification.AddNewSignature(b'QFI\xfb\x00\x00\x00\x03', offset=0)
return format_specification
def GetFormatSpecification(self):
"""Retrieves the format specification.
Returns:
FormatSpecification: format specification or None if the format cannot
be defined by a specification object.
"""
format_specification = specification.FormatSpecification(
self.type_indicator)
# VMDK descriptor file signature.
format_specification.AddNewSignature(b'# Disk DescriptorFile', offset=0)
# VMDK sparse extent file signature.
format_specification.AddNewSignature(b'KDMV', offset=0)
# COWD sparse extent file signature.
format_specification.AddNewSignature(b'COWD', offset=0)
return format_specification