def main():
Utility.DirectoryCleaning('transaction')
Utility.DirectoryCleaning('result')
if raw_input('Is disk connected? [y/n]: ').lower()=='y':
disk=Collector.VolumeFinder()
select = (raw_input('Would you like to create image? [y/n] : ').lower()=='y')
recovery = (raw_input('Would you like to recover the image? [y/n] : ').lower()=='y')
print 'Collecting files...'
volumeHeader=VolumeHeader(Utility.DiskDump(disk,'HFSPlusVolumeHeader',512,2,1,select))
journal=Collector.JournalExtractor(self.journalInfoBlock,disk,volumeHeader.blockSize,select)
allocationFile=Collector.SpecialFileExtractor('AllocationFile',volumeHeader.specialFileFork[0],disk,volumeHeader.blockSize,select)
extentsOverflowFile=Collector.SpecialFileExtractor('ExtentsOverflowFile',volumeHeader.specialFileFork[1],disk,volumeHeader.blockSize,select)
catalogFile=Collector.SpecialFileExtractor('CatalogFile',volumeHeader.specialFileFork[2],disk,volumeHeader.blockSize,select)
else:
path=raw_input('Input path of volume header\n')
f=open(path,'rb')
volumeHeader=VolumeHeader(f.read())
f.close()
path=raw_input('Input path of journal\n')
f=open(path,'rb')
journal=f.read()
f.close()
if raw_input('Input path of catalog file(y/n)\n') == 'y':
path=input()
f=open(path,'rb')
catalogFile=f.read()
f.close()
"""
if raw_input('Input path of allocation file(y/n)') == 'y':
path=raw_input()
f=open(path,'rb')
AllocationFile=f.read()
f.close()
if raw_input('Input path of extents overflow file(y/n)\n') == 'y':
path=raw_input()
f=open(path,'rb')
ExtentsOverflowFile=f.read()
f.close()
"""
recovery=False
print 'Analyzing journal...'
tranBlocks=Analyzer.journalParser(journal)
print 'Printing transactions...'
for i in range(1,tranBlocks[0]+1):
fName='./transaction/transaction{0}_block{1}(journaloffset:{2}_location:{3})'.format(i,j,tranBlocks[i].journalOffset,tranBlocks[i].offset)
f=open(fName,'wb')
f.write(tranBlocks[i].content)
f.close()
print 'Analyzing CatalogFile...'
Analyzer.CatalogFileAnalyzer(CatalogFile)
print 'Analyzing transactions...'
Analyzer.TransactionAnalyzer(tranBlocks,volumeHeader.specialFileFork,volumeHeader.blockSize)
print 'Printing record list...'
fName='./result/recordList.csv'
f=open(fName,'w')
for i in range(1,tranBlocks[0]+1):
if 0<tranBlocks.blockType[0]<4:
for j in range(tranBlocks.content.numRecords):
f.write(str(tranBlocks[i]))
f.write(str(tranBlocks.content.records[j]))
else:
f.write(str(tranBlocks[i]))
f.close()
'''
def main():
Utility.DirectoryCleaning('transaction')
Utility.DirectoryCleaning('result')
if raw_input('Is disk connected? [y/n]: ').lower() == 'y':
temp = Collector.VolumeFinder()
disk = temp[0]
select = temp[1]
recovery = temp[2]
print 'Collecting files...'
temp = Collector.VolumeHeaderParser(
Utility.DiskDump(disk, 'HFSPlusVolumeHeader', 1024, 1, 1, select))
blockSize = temp[0]
journalInfoBlock = temp[1]
specialFileInfo = temp[2]
AllocationFile = Collector.SpecialFileExtractor(
'AllocationFile', specialFileInfo[0], disk, blockSize, select)
ExtentsOverflowFile = Collector.SpecialFileExtractor(
'ExtentsOverflowFile', specialFileInfo[1], disk, blockSize, select)
CatalogFile = Collector.SpecialFileExtractor('CatalogFile',
specialFileInfo[2], disk,
blockSize, select)
Journal = Collector.JournalExtractor(journalInfoBlock, disk, blockSize,
select)
else:
path = raw_input('Input path of volume header\n')
f = open(path, 'rb')
temp = Collector.VolumeHeaderParser(f.read())
blockSize = temp[0]
journalInfoBlock = temp[1]
specialFileInfo = temp[2]
f.close()
path = raw_input('Input path of journal\n')
f = open(path, 'rb')
Journal = f.read()
f.close()
if raw_input('Input path of catalog file(y/n)\n') == 'y':
path = input()
f = open(path, 'rb')
CatalogFile = f.read()
f.close()
"""
if raw_input('Input path of allocation file(y/n)') == 'y':
path=raw_input()
f=open(path,'rb')
AllocationFile=f.read()
f.close()
if raw_input('Input path of extents overflow file(y/n)\n') == 'y':
path=raw_input()
f=open(path,'rb')
ExtentsOverflowFile=f.read()
f.close()
"""
recovery = False
print 'Analyzing journal...'
temp = Analyzer.JournalParser(Journal)
sectorSize = temp[0]
transaction = temp[1]
print 'Printing transactions...'
for i in range(1, transaction[0] + 1):
for j in range(1, transaction[i][0] + 1):
fName = './transaction/transaction' + str(i) + '_' + str(
j) + '(sector' + hex(transaction[i][j][0]) + ')'
f = open(fName, 'wb')
f.write(transaction[i][j][1])
f.close()
print 'Analyzing CatalogFile...'
nameAndParent = Analyzer.CatalogFileAnalyzer(CatalogFile)
print 'Analyzing transactions...'
Analyzer.TransactionAnalyzer(transaction, specialFileInfo[0],
specialFileInfo[2], nameAndParent, sectorSize,
blockSize)
print 'Printing record list...'
fName = './result/recordList.csv'
f = open(fName, 'w')
for i in range(1, transaction[0] + 1):
for j in range(1, transaction[i][0] + 1):
if transaction[i][j][1][0] == 'c':
if transaction[i][j][1][1] == 'l' or transaction[i][j][1][
1] == 'i':
for k in transaction[i][j][2].keys():
f.write(
'transaction{0}_{1} record{2}\n'.format(i, j, k) +
',')
for l in transaction[i][j][2][k].keys():
if l == 'nodeName':
f.write('{0} : {1}\n'.format(
l, transaction[i][j][2][k][l].encode(
'utf-8')) + ',')
else:
f.write('{0} : {1}\n'.format(
l, transaction[i][j][2][k][l]) + ',')
f.write('\n')
elif transaction[i][j][1][1] == 'h':
f.write('transaction{0}_{1}\n'.format(i, j) + ',')
for k in transaction[i][j][2].keys():
f.write(
'{0} : {1}\n'.format(k, transaction[i][j][2][k]) +
',')
f.write('\n')
f.close()
print 'Deduplicating records...'
deduplicatedRecord = Analyzer.RecordDeduplication(transaction)
print 'Printing deduplicated records...'
keyForType = ['recordType']
keyForString = ['nodeName', 'fullPath']
keyForID = ['parentID', 'CNID', 'ownerID', 'groupID']
keyForDate = [
'createDate', 'contentModDate', 'attributeModDate', 'accessDate'
]
keyForFork = ['dataFork', 'resourceFork']
fName = './result/deduplicatedRecordList.csv'
f = open(fName, 'w')
for i in keyForType:
f.write('transaction' + ',' + i + ',')
for i in keyForString:
f.write(i + ',')
for i in keyForID:
f.write(i + ',')
for i in keyForDate:
f.write(i + ',')
f.write('AllocatedFork' + ',')
f.write('\n')
for i in range(1, deduplicatedRecord[0][0] + 1):
f.write(',')
f.write('\ntransaction{0}\n'.format(i) + ',')
for j in range(1, deduplicatedRecord[0][i][0] + 1):
f.write('\ntransaction{0}_{1}\n'.format(i, j))
for k in range(1, deduplicatedRecord[0][i][j][0] + 1):
if deduplicatedRecord[0][i][j][k]['recordType'] < 3:
for l in keyForType:
if deduplicatedRecord[0][i][j][k][l] == 1:
f.write(',')
f.write('folder')
else:
f.write(',')
f.write('file')
for l in keyForString:
f.write(',')
f.write(
deduplicatedRecord[0][i][j][k][l].encode('utf-8'))
f.write(',')
for l in keyForID:
f.write(hex(deduplicatedRecord[0][i][j][k][l])[2:])
f.write(',')
for l in keyForDate:
f.write((datetime.datetime(1904, 1, 1) +
datetime.timedelta(
seconds=deduplicatedRecord[0][i][j][k][l])
).isoformat(' ') + ',')
if deduplicatedRecord[0][i][j][k]['recordType'] == 2:
duplicated = ''
allocatedFork = 0
for l in keyForFork:
for m in range(
1,
deduplicatedRecord[0][i][j][k][l][0] + 1):
if deduplicatedRecord[0][i][j][k][l][m][
0] == 1:
allocatedFork += 1
elif deduplicatedRecord[0][i][j][k][l][m][
0] == -1:
duplicated = '(duplicated)'
f.write('{0}/{1}{2}'.format(
allocatedFork,
deduplicatedRecord[0][i][j][k]['dataFork'][0] +
deduplicatedRecord[0][i][j][k]['resourceFork'][0],
duplicated) + ',')
f.write('\n')
f.close()
if recovery:
print 'Recoverying deleted files...'
Analyzer.DataRecovery(disk, deduplicatedRecord[2], blockSize)
