def open_fs(vol, img, hashes, hash_type, pbar_total=0):
# Open FS and Recurse
print("[+] Recursing through and hashing files")
pbar = tqdm(desc="Hashing",
unit=" files",
unit_scale=True,
total=pbar_total)
if vol is not None:
for part in vol:
if part.len > 2048 and "Unallocated" not in part.desc and \
"Extended" not in part.desc and \
"Primary Table" not in part.desc:
try:
fs = pytsk3.FS_Info(img,
offset=part.start *
vol.info.block_size)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
root = fs.open_dir(path="/")
recurse_files(part.addr, fs, root, [], [""], hashes, hash_type, pbar)
else:
try:
fs = pytsk3.FS_Info(img)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
root = fs.open_dir(path="/")
recurse_files(1, fs, root, [], [""], hashes, hash_type, pbar)
pbar.close()
def open_fs(vol, img, output):
print("[+] Recursing through files..")
recursed_data = []
# Open FS and Recurse
if vol is not None:
for part in vol:
print(part.desc)
if part.len > 2048 and b"Unallocated" not in part.desc and \
b"Extended" not in part.desc and \
b"Primary Table" not in part.desc:
try:
fs = pytsk3.FS_Info(img,
offset=part.start *
vol.info.block_size)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
root = fs.open_dir(path="/")
data = recurse_files(part.addr, fs, root, [], [], [""])
recursed_data.append(data)
else:
try:
fs = pytsk3.FS_Info(img)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
root = fs.open_dir(path="/")
data = recurse_files(1, fs, root, [], [], [""])
recursed_data.append(data)
write_csv(recursed_data, output)
def open_fs(vol, img, ext, output):
# Open FS and Recurse
print("[+] Recursing through files and writing file extension matches "
"to output directory")
if vol is not None:
for part in vol:
if part.len > 2048 and "Unallocated" not in part.desc \
and "Extended" not in part.desc \
and "Primary Table" not in part.desc:
try:
fs = pytsk3.FS_Info(img,
offset=part.start *
vol.info.block_size)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
root = fs.open_dir(path="/")
recurse_files(part.addr, fs, root, [], [""], ext, output)
else:
try:
fs = pytsk3.FS_Info(img)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
root = fs.open_dir(path="/")
recurse_files(1, fs, root, [], [""], ext, output)
def extractFromDisk(imagehandle,partition,output):
# partitionTable = pytsk3.Volume_Info(imagehandle) #The partition table is returned from the Volume_Info function
# print partitionTable
# for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
if 'Basic data partition' or 'NTFS' in partition.desc:
try:
for entry in files:
path = entry["path"]
try:
filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512))
fileobject = filesystemObject.open(path)
outdir = output+"/"+entry["name"]
if not os.path.exists(outdir): os.makedirs(outdir)
outFileName = output+"/"+entry["name"]+ "/" +str(partition.addr)+" "+fileobject.info.name.name
outfile = open(outFileName, 'w')
filedata = fileobject.read_random(0,fileobject.info.meta.size)
outfile.write(filedata)
outfile.close
except:
pass
for entry in directories:
directory = entry["path"]
try:
filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512))
directoryObject = filesystemObject.open_dir(directory)
for entryObject in directoryObject:
if entryObject.info.name.name in [".", ".."]:
continue
filepath =(directory+"/"+entryObject.info.name.name)
fileobject = filesystemObject.open(filepath)
outFileName = output+"/"+entry["name"]+"/"+str(partition.addr)+" "+fileobject.info.name.name
outdir = output+"/"+entry["name"]
if not os.path.exists(outdir): os.makedirs(outdir)
outfile = open(outFileName, 'w')
filedata = fileobject.read_random(0,fileobject.info.meta.size)
outfile.write(filedata)
outfile.close
except:
pass
except:
pass
def extractFile(imageFile,filenames):
# vhdi_file = pyvhdi.file()
# vhdi_file.open(imageFile)
# img_info = vhdi_Img_Info(vhdi_file)
# partitionTable = pytsk3.Volume_Info(img_info)
if "vhd" in imageFile:
vhdi_file = pyvhdi.file()
vhdi_file.open(imageFile)
img_info = vhdi_Img_Info(vhdi_file)
partitionTable = pytsk3.Volume_Info(img_info)
else:
img_info = pytsk3.Img_Info(imageFile)
partitionTable = pytsk3.Volume_Info(img_info)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
# try:
if 'NTFS' in partition.desc:
filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512))
print "File System Type Dectected ",filesystemObject.info.ftype
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
elif 'FAT32' in partition.desc: # Use DFIR tutorial example to deal with other partitions later on.
filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512))
print "File System Type Dectected ",filesystemObject.info.ftype
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
outputPath = 'Evidence_Package'
for filename in filenames:
if not os.path.exists(outputPath):
os.makedirs(outputPath)
if not os.path.isdir(str(filename)):
try:
# ex_path = ('%s/%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/')
# ex_path = outputPath + os.sep + os.path.basename(str(filename))
ex_path = ('%s\%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/')
extractFile = open(ex_path,'w')
fileobject = filesystemObject.open(str(filename))
filedata = fileobject.read_random(0,fileobject.info.meta.size)
extractFile.write(filedata)
extractFile.close
except IOError:
print('cannot open', str(filename))
def analysis(self, dirPath):
partitionTable, imagehandle = self.readImageFile(self.imagefile)
for partition in partitionTable:
print partition.desc
if 'NTFS' in partition.desc or 'Basic data partition' in partition.desc or 'Win95 FAT32' in partition.desc:
if self.extractFromDisk == True:
extractFromDisk(imagehandle, partition, self.output()[0])
if self.getHashList == True:
filesystemObject = pytsk3.FS_Info(imagehandle,
offset=(partition.start *
512))
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:", dirPath
if not os.path.exists(self.output()[0]):
os.makedirs(self.output()[0])
outfile = open(self.output()[1], 'wb')
outfile.write(
'"Inode","Full Path","Creation Time","Modified Time","Accessed Time","Size","MD5 Hash","SHA1 Hash","SHA256 HASH"\n'
)
hashOutput = csv.writer(outfile, quoting=csv.QUOTE_ALL)
self.directoryRecurse(directoryObject, [], hashOutput)
def main():
#TODO move image loading to a method or util class
imagefile = './forensic_image/AssignmentImage.dmg'
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
print_partition_table(partitionTable)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=512)
#print dir(filesystemObject)
walk_file_system(filesystemObject)
print 'The lenght of the dictionary is %d' % len(hashMap)
rev_multidict = {}
for key, value in hashMap.items():
rev_multidict.setdefault(value, set()).add(key)
for v in [
values for key, values in rev_multidict.items() if len(values) > 1
]:
print list(v)
print '========'
fileobject = filesystemObject.open_dir("/")
for a_file in fileobject:
if a_file.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
print ''
def justCopy(srcPath, dstPath):
try:
driveLetter = srcPath.split("\\")[0]
imagefile, offset = GetPhysicalDisk(driveLetter)
imagehandle = pytsk3.Img_Info(imagefile)
drive = pytsk3.FS_Info(imagehandle, offset=int(offset))
parsedname = os.path.abspath(srcPath).replace(driveLetter,
"").replace("\\", "/")
fileobject = drive.open(parsedname)
OutFileName = fileobject.info.name.name
if not os.path.exists(dstPath):
os.makedirs(dstPath)
FinalFilePath = os.path.join(dstPath, OutFileName)
OutFile = open(FinalFilePath, 'wb')
if fileobject.info.meta.size > 0:
logging.info("[+] Copying the file \"{}\" ".format(srcPath))
filedata = fileobject.read_random(0, fileobject.info.meta.size)
OutFile.write(filedata)
OutFile.close()
logging.info(
"[+] Successfully copied the file '{}' !".format(srcPath))
else:
filedata = b""
logging.warning(
"[!] Unable to copy the file \"{}\" . The file is Not Found / Empty!"
.format(srcPath))
except Exception as e:
logging.error("[!] Unable to copy the file \"{}\" .".format(srcPath))
logging.error("[X] Exception : ", exc_info=True)
def parseImage(diskPath):
filenames = pyewf.glob(diskPath)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
#call class to parse .EO1 image with pytsk3
img_Info = ewf_Img_Info(ewf_handle)
try:
partitionTable = pytsk3.Volume_Info(img_Info)
except IOError:
print "Error!Could not determine partition type ", filenames
sys.exit(0)
#find partitions
for partition in partitionTable:
print partition.addr, partition.desc, "%s %s (%s)" % (
partition.start, partition.start * 512, partition.len)
if 'NTFS' in partition.desc:
fileSystemObject = pytsk3.FS_Info(img_Info,
offset=(partition.start * 512))
#Extract all files
directory = fileSystemObject.open_dir(path='/')
#find all the files of the system
extraction(directory, [], [])
ewf_handle.close()
def extractFile(imageFile,filenames):
vhdi_file = pyvhdi.file()
vhdi_file.open(imageFile)
img_info = vhdi_Img_Info(vhdi_file)
partitionTable = pytsk3.Volume_Info(img_info)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
# try:
if 'NTFS' in partition.desc:
filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512))
# except:
# print "Partition has no supported file system"
# continue
print "File System Type Dectected ",filesystemObject.info.ftype
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
outputPath = 'ex_differ_file-test2'
for filename in filenames:
if not os.path.exists(outputPath):
os.makedirs(outputPath)
if not os.path.isdir(str(filename)):
try:
ex_path = ('%s/%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/')
extractFile = open(ex_path,'w')
fileobject = filesystemObject.open(str(filename))
filedata = fileobject.read_random(0,fileobject.info.meta.size)
extractFile.write(filedata)
extractFile.close
except IOError:
print('cannot open', str(filename))
def process(self, descriptor, sender_id):
start = time.time()
case = json.loads(descriptor.value)
print 'Processing slice %s' % case['slicenum']
try:
img = pytsk3.Img_Info(case['device'])
fs = pytsk3.FS_Info(img)
directory = fs.open_dir(path='/')
self.results = []
self.list_directory(directory, [], [])
outfilename = '%s_ads.csv' % case['slicenum']
out_file = os.path.join(case['casedir'], 'filesystem', outfilename)
file(out_file, 'w').write('\n'.join(self.results))
case['ads_results'] = out_file
desc = Descriptor(outfilename,
'ads_results',
json.dumps(case),
descriptor.domain,
agent=self._name_,
processing_time=(time.time() - start))
self.push(desc)
except:
print traceback.format_exc()
def main(image, img_type, offset):
try:
print("[+] Opening {}".format(image))
if img_type == "ewf":
print("jammer")
else:
img_info = pytsk3.Img_Info(image)
# Get Filesystem Handle
try:
fs = pytsk3.FS_Info(img_info, offset)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
exit()
root_dir = fs.open_dir(path="/")
table = [["Name", "Type", "Size", "Create Date", "Modify Date"]]
for f in root_dir:
name = f.info.name.name
if f.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
f_type = "DIR"
else:
f_type = "FILE"
size = f.info.meta.size
create = f.info.meta.crtime
modify = f.info.meta.mtime
table.append([name, f_type, size, create, modify])
print(tabulate(table, headers="firstrow"))
except IOError:
print("No such file1")
def exportHIVE(vol):
if os.path.isdir('./export') == False:
os.mkdir('./export')
img = pytsk3.Img_Info('\\\\.\\' + vol)
fs_info = pytsk3.FS_Info(img)
userprofile = os.path.expandvars("%userprofile%")
ntuser_ = cvtPath(userprofile + "\\NTUSER.DAT")
usrclass_ = cvtPath(userprofile +
"\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat")
exportList = []
exportList.append(ntuser_)
exportList.append(usrclass_)
for p in exportList:
f = fs_info.open(p)
name = f.info.name.name.decode('utf-8')
offset = 0
if f.info.meta == None:
continue
size = f.info.meta.size
BUFF_SIZE = 1024 * 1024
data = open('./export/' + name, 'wb')
while offset < size:
av_to_read = min(BUFF_SIZE, size - offset)
d = f.read_random(offset, av_to_read)
if not d: break
data.write(d)
offset += len(d)
print "\nExport Completed\n"
def Main():
args_parser = argparse.ArgumentParser(description=("Lists a file system in a storage media image or device."))
args_parser.add_argument("images", nargs="+", metavar="IMAGE", action="store", type=str, default=None, help=("Storage media images or devices."))
options = args_parser.parse_args()
img = pytsk3.Img_Info(options.images)
## Step 2: Open the filesystem
fs = pytsk3.FS_Info(img)
## Step 3: Open the file using the inode
f = fs.open_meta(inode = 0)
## Step 4: Read all the data and print to stdout
offset = 0
size = f.info.meta.size
file_name= "$MFT"
output_path="./"
file_2 = open(output_path + file_name,"w")
while offset < size:
available_to_read = min(BUFF_SIZE, size - offset)
data = f.read_random(offset, available_to_read,1)
if not data: break
offset += len(data)
file_2.write(data)
file_2.close()
def acquire_files(self, filepath, current, backup):
# get the image type (raw, encase, split)
img = self.get_img_info(filepath)
offsets = self.get_offsets(img)
# this needs to be expanded if we support dual boot disk images
# insert the file and the kept the id around
self.cursor.execute(
"insert into evidence_sources (filename) values (?)", [filepath])
self.evidence_id = self.cursor.execute(
"SELECT last_insert_rowid()").fetchone()[0]
for (part_num, offset) in offsets:
self.partition_id = self.new_partition(part_num, offset)
# FS_INFO
try:
fs = pytsk3.FS_Info(img, offset)
except Exception, e:
print "FS_Info: unable to get offset %d from filepath %s error: %s" % (
offset, filepath, str(e))
continue
self.refreshgui()
if current:
self.acquire_active_files(fs)
if backup:
self.acquire_backup_files(fs)
self.conn.commit()
def main(imgs):
global FLIST
fout = open("report.csv",'w')
fout.write("File Name,MD5 Sum,Meta Data,...,Exif Data,...\n")
rec = create_dir("./recovered/")
(con, cur) = open_db()
for i in imgs:
if os.path.exists(i):
print "Processing file - %s" % i
print "MD5 sum - %s" % hashlib.md5(open(i,'rb').read()).hexdigest()
img = pytsk3.Img_Info(i)
fs = pytsk3.FS_Info(img)
fs_walk('/', fs)
for (fname, md5, meta) in FLIST:
# Write file information out to report.csv
fout.write(fname+","+md5+","+meta+'\n')
# Enter file informatino into DB
cur.execute('''INSERT INTO recovered VALUES (NULL, ?, ?, ?)''', (unicode(fname, errors='replace'), md5, meta))
con.commit()
FLIST = [] # Clear the global files listing.
else:
print "Unable to find %s" % i
print "###################################################################"
print "Completed processing images. Recovered files saved in ./recovered/"
print "\tReport written out to report.csv and recovered.db"
print "###################################################################"
con.close()
fout.close()
def __init__(self, address_space, session=None):
self.session = session
self.block_size = 512
# The address space of the entire disk.
self.address_space = address_space
self._img_info = AS_Img_Info(address_space)
try:
# open as disk image
tsk_vs = pytsk3.Volume_Info(self._img_info)
self.volume_system = VolumeSystem(self,
tsk_vs,
session=self.session)
self.block_size = tsk_vs.info.block_size
self.partitions = self.volume_system.partitions
except IOError:
# open as partition image
self.volume_system = obj.NoneObject("No Volume")
self.partitions = []
try:
fake_partition = Partition(self,
filesystem=FS(
pytsk3.FS_Info(self._img_info)),
session=self.session)
self.partitions.append(fake_partition)
except IOError:
pass
def __init__(self, volume):
try:
self.volume='\\\\.\\'+str(volume)
self.img=pytsk3.Img_Info(self.volume)
self.fs=pytsk3.FS_Info(self.img)
except:
return "none"
def offset_recog():
partition_offset_list = []
ewf_handle = pyewf.handle()
filenames = pyewf.glob("image_sd_pi.E01")
ewf_handle.open(filenames)
imagehandle = ewf_Img_Info(ewf_handle)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
partition_offset_list.append(partition.start * 512)
for x in partition_offset_list:
print(x)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=4194304)
fileobject = filesystemObject.open("/$FAT1")
print("File Inode:",fileobject.info.meta.addr)
print("File Name:",fileobject.info.name.name)
print("File Creation Time:",datetime.datetime.fromtimestamp(fileobject.info.meta.crtime).strftime('%Y-%m-%d %H:%M:%S'))
#outfile = open('DFIRWizard-output', 'w')
#filedata = fileobject.read_random(0,fileobject.info.meta.size)
return partition_offset_list
def get_tsk_file_system(self, source_path_spec, configuration):
file_object = path_spec_resolver.Resolver.OpenFileObject(
source_path_spec.parent,
resolver_context=configuration.resolver_context)
tsk_image_object = tsk_image.TSKFileSystemImage(file_object)
tsk_file_system = pytsk3.FS_Info(tsk_image_object)
return tsk_file_system
def get_tsk_inodes(volume, root):
try:
# open the extX file system (e.g. /dev/sda1)
img = pytsk3.Img_Info(volume)
# FS_Info used as a handle for more detailed file system analysis. Check if file system of volume is of extX
try:
fs = pytsk3.FS_Info(img)
except OSError as e:
print(e)
sys.exit(
"Error: file system of " + volume +
" is not supported by hidden-inode-detector.py. Only ext2/ext3/ext4 file systems are supported."
)
# goes to tsk_walk_path(). root is /
# first time scan to collect inodes in same (root) dir
my_inodes, my_inodes_dir = tsk_walk_path(fs=fs, inode=root)
except (OSError) as e:
print(e)
sys.exit("Error: " + volume + " is not a valid mount point")
# This part tries to go through each dir found the first tsk_walk_path scan, and so on.
seen = my_inodes_dir.copy()
active = my_inodes_dir.copy()
while active:
next_active = set()
for current_inode_dir in active:
test = tsk_walk_path(fs=fs, inode=current_inode_dir)
for result in test[1]:
if result not in seen:
seen.add(result)
next_active.add(result)
active = next_active
return my_inodes
def extract_a_file(self, img_path, name, inode):
## Now open and read the file specified
## Step 1: get an IMG_INFO object (url can be any URL that AFF4 can handle)
img = pytsk3.Img_Info(img_path)
## Step 2: Open the filesystem
fs = pytsk3.FS_Info(img, offset=self._offset)
## Step 3: Open the file using the inode
f = fs.open_meta(inode=inode)
## Step 4: Read all the data and print to stdout
offset = 0
size = f.info.meta.size
if type(name) is None:
file_name = str(inode)
else:
file_name = name
entry_info = []
#print(file_name)
for i in f:
if (i.info.type == pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA):
#print(i.info.name)
#print(i.info.size)
if i.info.name is None:
entry_info.append([file_name, i.info.size])
for entry in entry_info:
file_2 = open(self._output_path + entry[0], "wb")
while offset < entry[1]:
available_to_read = min(BUFF_SIZE, entry[1] - offset)
data = f.read_random(offset, available_to_read, 1)
if not data: break
offset += len(data)
file_2.write(data)
file_2.close()
def _Open(self, path_spec, mode='rb'):
"""Opens the file system object defined by path specification.
Args:
path_spec (PathSpec): path specification.
mode (Optional[str]): file access mode.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file system object could not be opened.
PathSpecError: if the path specification is incorrect.
ValueError: if the path specification is invalid.
"""
if not path_spec.HasParent():
raise errors.PathSpecError(
'Unsupported path specification without parent.')
file_object = resolver.Resolver.OpenFileObject(
path_spec.parent, resolver_context=self._resolver_context)
try:
tsk_image_object = tsk_image.TSKFileSystemImage(file_object)
tsk_file_system = pytsk3.FS_Info(tsk_image_object)
except:
file_object.close()
raise
self._file_object = file_object
self._tsk_file_system = tsk_file_system
def main(image, img_type, offset):
print("[+] Opening {}".format(image))
if img_type == "ewf":
try:
filenames = pyewf.glob(image)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Invalid EWF format:\n {}".format(e))
sys.exit(2)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
# Open PYTSK3 handle on EWF Image
img_info = EWFImgInfo(ewf_handle)
else:
img_info = pytsk3.Img_Info(image)
# Get Filesystem Handle
try:
fs = pytsk3.FS_Info(img_info, offset)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to open FS:\n {}".format(e))
exit()
root_dir = fs.open_dir(path="/")
table = [["Name", "Type", "Size", "Create Date", "Modify Date"]]
for f in root_dir:
name = f.info.name.name
if f.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
f_type = "DIR"
else:
f_type = "FILE"
size = f.info.meta.size
create = f.info.meta.crtime
modify = f.info.meta.mtime
table.append([name, f_type, size, create, modify])
print(tabulate(table, headers="firstrow"))
def GetVolumes(self, phyDrive="\\\\.\\PhysicalDrive0"):
list_fs_info = [] # contain the file system object
block_size = 512 # by default block size is 512
try:
img = pytsk3.Img_Info(phyDrive) # open the physical drive
volume = pytsk3.Volume_Info(img) # get volume information
except OSError as e:
if "file not found" in str(e):
raise Exception("PHYSICAL_DRIVE_NOT_FOUND")
else:
raise Exception(str(e))
# for each volume in the drive, check if it is NTFS and open object to handle it
for part in volume:
try:
self.logging(
"INFO",
"Check partition: desc{0:s}, offset{1:d}, size:{2:d}".
format(part.desc.decode('utf-8'), part.start, part.len))
fs_info = pytsk3.FS_Info(img, offset=part.start * block_size)
# check if file system is NTFS
if fs_info.info.ftype in [
pytsk3.TSK_FS_TYPE_NTFS, pytsk3.TSK_FS_TYPE_NTFS_DETECT
]:
list_fs_info.append(fs_info)
except Exception as e:
pass
return list_fs_info
def _Open(self, path_spec=None, mode='rb'):
"""Opens the file system object defined by path specification.
Args:
path_spec: optional path specification (instance of path.PathSpec).
The default is None.
mode: optional file access mode. The default is 'rb' read-only binary.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file system object could not be opened.
PathSpecError: if the path specification is incorrect.
ValueError: if the path specification is invalid.
"""
if not path_spec.HasParent():
raise errors.PathSpecError(
u'Unsupported path specification without parent.')
file_object = resolver.Resolver.OpenFileObject(
path_spec.parent, resolver_context=self._resolver_context)
tsk_image_object = tsk_image.TSKFileSystemImage(file_object)
tsk_file_system = pytsk3.FS_Info(tsk_image_object)
self._file_object = file_object
self._tsk_file_system = tsk_file_system
def _update_file_system(self, sector, sector_count, data):
# update the shadow image
self.IMG.write(sector, sector_count, data)
# Reload our filesystem to wipe away caches
self.FILE_SYSTEM = pytsk3.FS_Info(self.IMG, self.OFFSET_BYTES,
pytsk3.TSK_FS_TYPE_DETECT)
def IsHFSPartition(img, partition_start_offset):
'''Determines if the partition is HFS by mounting it'''
try:
fs = pytsk3.FS_Info(img, offset=partition_start_offset)
fs_info = fs.info # TSK_FS_INFO
return fs_info.ftype == pytsk3.TSK_FS_TYPE_HFS_DETECT
except Exception as ex:
log.exception("Exception")
return False
def process(self, descriptor, sender_id):
start = time.time()
case = json.loads(descriptor.value)
print 'Processing %s' % case['file_list']
img = pytsk3.Img_Info(case['device'])
fs = pytsk3.FS_Info(img)
if not os.path.exists(case['file_list']['out_dir']):
os.makedirs(case['file_list']['out_dir'])
def open_FS(self):
# Open FS and Recurse
if self.vol is not None:
for partition in self.vol:
if partition.len > 2048 and "Unallocated" not in partition.desc and "Extended" not in partition.desc and "Primary Table" not in partition.desc:
try:
self.fs.append(pytsk3.FS_Info(
self.image_handle,
offset=partition.start * self.vol.info.block_size))
except IOError:
_, e, _ = sys.exc_info()
sys.stderr.write("[-] Unable to open FS:\n {}\n".format(e))
else:
try:
self.fs.append(pytsk3.FS_Info(self.image_handle))
except IOError:
_, e, _ = sys.exc_info()
sys.stderr.write("[-] Unable to open FS:\n {}\n".format(e))
