def testScanDirectory(self): """Test the Scan function on a directory.""" test_file = self._GetTestFilePath([u'testdir_os']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) self._source_scanner.Scan(scan_context) self.assertEqual(scan_context.source_type, definitions.SOURCE_TYPE_DIRECTORY) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertIsNotNone(scan_node.path_spec) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_OS) test_file = self._GetTestFilePath([u'testdir_os', u'file1.txt']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) self._source_scanner.Scan(scan_context) self.assertEqual(scan_context.source_type, definitions.SOURCE_TYPE_FILE) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertIsNotNone(scan_node.path_spec) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_OS)
def testScanVolumeScanNodeRAW(self): """Tests the _ScanVolumeScanNode function on a RAW image.""" test_scanner = volume_scanner.VolumeScanner() test_file = self._GetTestFilePath([u'ímynd.dd']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = scan_context.GetRootScanNode() base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test error conditions. scan_context = source_scanner.SourceScannerContext() with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNode(scan_context, None, []) volume_scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node, [])
def testGetTSKPartitionIdentifiersOnPartitionedImage(self): """Tests the _GetTSKPartitionIdentifiers function on a partitioned image.""" # Test with mediator. test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['tsk_volume_system.raw']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) identifiers = test_scanner._GetPartitionIdentifiers( scan_node, test_options) self.assertEqual(len(identifiers), 2) self.assertEqual(identifiers, ['p1', 'p2']) # Test without mediator. test_scanner = volume_scanner.VolumeScanner() test_options = volume_scanner.VolumeScannerOptions() scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) with self.assertRaises(errors.ScannerError): test_scanner._GetPartitionIdentifiers(scan_node, test_options)
def testScanVolumeScanNode(self): """Tests the _ScanVolumeScanNode function on VSS.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(test_mediator) # Test VSS root. test_file = self._GetTestFilePath([u'vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = self._GetTestScanNode(scan_context) base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node, base_path_specs) self.assertEqual(len(base_path_specs), 0) # Test VSS volume. test_file = self._GetTestFilePath([u'vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = self._GetTestScanNode(scan_context) base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node.sub_nodes[0], base_path_specs) self.assertEqual(len(base_path_specs), 2)
def testScanOnBDE(self): """Test the Scan function on BDE.""" resolver.Resolver.key_chain.Empty() test_path = self._GetTestFilePath(['bdetogo.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) self._source_scanner.Scan(scan_context) self.assertEqual( scan_context.source_type, definitions.SOURCE_TYPE_STORAGE_MEDIA_IMAGE) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_RAW) scan_node = scan_node.GetSubNodeByLocation(None) self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_BDE) self.assertEqual(len(scan_node.sub_nodes), 0) self.assertTrue(scan_context.IsLockedScanNode(scan_node.path_spec)) self._source_scanner.Unlock( scan_context, scan_node.path_spec, 'password', self._BDE_PASSWORD) self.assertFalse(scan_context.IsLockedScanNode(scan_node.path_spec)) self._source_scanner.Scan(scan_context, scan_path_spec=scan_node.path_spec) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.GetSubNodeByLocation('/') self.assertIsNotNone(scan_node) self.assertIsNotNone(scan_node.path_spec) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_TSK)
def testScanOnVSS(self): """Test the Scan function on VSS.""" test_path = self._GetTestFilePath(['vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) self._source_scanner.Scan(scan_context) self.assertEqual( scan_context.source_type, definitions.SOURCE_TYPE_STORAGE_MEDIA_IMAGE) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_QCOW) self.assertEqual(len(scan_node.sub_nodes), 2) scan_node = scan_node.sub_nodes[0] self.assertEqual( scan_node.type_indicator, definitions.TYPE_INDICATOR_VSHADOW) self.assertEqual(len(scan_node.sub_nodes), 2) scan_node = scan_node.sub_nodes[0] self.assertEqual( scan_node.type_indicator, definitions.TYPE_INDICATOR_VSHADOW) # By default the file system inside a VSS volume is not scanned. self.assertEqual(len(scan_node.sub_nodes), 0) self._source_scanner.Scan(scan_context, scan_path_spec=scan_node.path_spec) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.GetSubNodeByLocation('/') self.assertIsNotNone(scan_node) expected_type_indicator = definitions.PREFERRED_NTFS_BACK_END self.assertEqual(scan_node.type_indicator, expected_type_indicator)
def testScanVolumeOnAPFS(self): """Tests the _ScanVolume function on an APFS image.""" resolver.Resolver.key_chain.Empty() test_tool = storage_media_tool.StorageMediaTool() test_path = self._GetTestFilePath(['apfs.dmg']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_tool._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) apfs_container_scan_node = scan_node.sub_nodes[4].sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_tool._ScanVolume( scan_context, apfs_container_scan_node, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test on volume system sub node. base_path_specs = [] test_tool._ScanVolume( scan_context, apfs_container_scan_node.sub_nodes[0], base_path_specs) self.assertEqual(len(base_path_specs), 1)
def testScanVolumeOnVSS(self): """Tests the _ScanVolume function on VSS.""" test_tool = storage_media_tool.StorageMediaTool() test_tool._process_vss = True test_tool._vss_only = False test_tool._vss_stores = 'all' test_path = self._GetTestFilePath(['vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_tool._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) vss_scan_node = scan_node.sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_tool._ScanVolume(scan_context, vss_scan_node, base_path_specs) self.assertEqual(len(base_path_specs), 2) # Test on volume system sub node. base_path_specs = [] test_tool._ScanVolume( scan_context, vss_scan_node.sub_nodes[0], base_path_specs) self.assertEqual(len(base_path_specs), 1)
def testScanVolumeSystemRootOnLVM(self): """Tests the _ScanVolumeSystemRoot function on a LVM image.""" test_file_path = self._GetTestFilePath(['lvm.raw']) self._SkipIfPathNotExists(test_file_path) resolver.Resolver.key_chain.Empty() test_scanner = storage_media_tool.StorageMediaToolVolumeScanner() options = storage_media_tool.StorageMediaToolVolumeScannerOptions() options.scan_mode = options.SCAN_MODE_ALL options.volumes = ['all'] scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file_path) test_scanner._source_scanner.Scan(scan_context) lvm_scan_node = self._GetTestScanNode(scan_context) base_path_specs = [] test_scanner._ScanVolumeSystemRoot( scan_context, lvm_scan_node, options, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test error conditions. with self.assertRaises(dfvfs_errors.ScannerError): test_scanner._ScanVolumeSystemRoot( scan_context, lvm_scan_node.sub_nodes[0], options, base_path_specs)
def Analyze(self, source_path, output_writer): """Analyzes the source. Args: source_path (str): the source path. output_writer (StdoutWriter): the output writer. Raises: RuntimeError: if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported. """ if (not source_path.startswith('\\\\.\\') and not os.path.exists(source_path)): raise RuntimeError('No such source: {0:s}.'.format(source_path)) scan_context = source_scanner.SourceScannerContext() scan_path_spec = None scan_step = 0 scan_context.OpenSourcePath(source_path) while True: self._source_scanner.Scan(scan_context, auto_recurse=self._auto_recurse, scan_path_spec=scan_path_spec) if not scan_context.updated: break if not self._auto_recurse: output_writer.WriteScanContext(scan_context, scan_step=scan_step) scan_step += 1 # The source is a directory or file. if scan_context.source_type in ( dfvfs_definitions.SOURCE_TYPE_DIRECTORY, dfvfs_definitions.SOURCE_TYPE_FILE): break # The source scanner found a locked volume, e.g. an encrypted volume, # and we need a credential to unlock the volume. for locked_scan_node in scan_context.locked_scan_nodes: credentials = credentials_manager.CredentialsManager.GetCredentials( locked_scan_node.path_spec) self._mediator.UnlockEncryptedVolume(self._source_scanner, scan_context, locked_scan_node, credentials) if not self._auto_recurse: scan_node = scan_context.GetUnscannedScanNode() if not scan_node: return scan_path_spec = scan_node.path_spec if self._auto_recurse: output_writer.WriteScanContext(scan_context)
def testScanVolumeOnVSS(self): """Tests the _ScanVolume function on VSS.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) vss_scan_node = scan_node.sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_scanner._ScanVolume(scan_context, vss_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 2) # Test on volume system sub node. base_path_specs = [] test_scanner._ScanVolume(scan_context, vss_scan_node.sub_nodes[0], test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1)
def testScanVolumeScanNodeEncrypted(self): """Tests the _ScanVolumeScanNodeEncrypted function.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(test_mediator) test_file = self._GetTestFilePath([u'bdetogo.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = self._GetTestScanNode(scan_context) base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node.sub_nodes[0], base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test error conditions. path_spec = fake_path_spec.FakePathSpec(location=u'/') scan_node = source_scanner.SourceScanNode(path_spec) with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNodeEncrypted(scan_node, None, []) volume_scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNodeEncrypted(scan_node, volume_scan_node, [])
def testScanOnAPFS(self): """Test the Scan function on an APFS image.""" test_path = self._GetTestFilePath(['apfs.dmg']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) self._source_scanner.Scan(scan_context) self.assertEqual( scan_context.source_type, definitions.SOURCE_TYPE_STORAGE_MEDIA_IMAGE) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertEqual( scan_node.type_indicator, definitions.TYPE_INDICATOR_TSK_PARTITION) self.assertEqual(len(scan_node.sub_nodes), 6) scan_node = scan_node.sub_nodes[4].GetSubNodeByLocation('/') self.assertIsNotNone(scan_node) self.assertEqual( scan_node.type_indicator, definitions.TYPE_INDICATOR_APFS_CONTAINER) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.sub_nodes[0] self.assertIsNotNone(scan_node) self.assertEqual( scan_node.type_indicator, definitions.TYPE_INDICATOR_APFS_CONTAINER) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.GetSubNodeByLocation('/') self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_APFS)
def _ConfigureStorageMediaFileTest(self): """Configure a test against a storage media file. Returns: A front-end object (instance of PregFrontend). """ front_end = preg.PregFrontend() front_end.SetSingleFile(False) knowledge_base_object = knowledge_base.KnowledgeBase() front_end.SetKnowledgeBase(knowledge_base_object) storage_media_path = self._GetTestFilePath([u'registry_test.dd']) test_source_scanner = source_scanner.SourceScanner() scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(storage_media_path) test_source_scanner.Scan(scan_context) # Getting the most upper node. scan_node = scan_context.GetRootScanNode() while scan_node.sub_nodes: scan_node = scan_node.sub_nodes[0] front_end.SetSourcePath(storage_media_path) front_end.SetSourcePathSpecs([scan_node.path_spec]) return front_end
def testScanVolumeSystemRootOnAPFS(self): """Tests the _ScanVolumeSystemRoot function on an APFS image.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['apfs.dmg']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) apfs_container_scan_node = scan_node.sub_nodes[4].sub_nodes[0] base_path_specs = [] test_scanner._ScanVolumeSystemRoot(scan_context, apfs_container_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeSystemRoot( scan_context, apfs_container_scan_node.sub_nodes[0], test_options, base_path_specs)
def testScanFVDE(self): """Test the Scan function on FVDE.""" resolver.Resolver.key_chain.Empty() test_file = self._GetTestFilePath(['fvdetest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) self._source_scanner.Scan(scan_context) self.assertEqual( scan_context.source_type, definitions.SOURCE_TYPE_STORAGE_MEDIA_IMAGE) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertEqual( scan_node.type_indicator, definitions.TYPE_INDICATOR_TSK_PARTITION) scan_node = scan_node.GetSubNodeByLocation('/p1') scan_node = scan_node.sub_nodes[0] self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_FVDE) self.assertEqual(len(scan_node.sub_nodes), 0) self._source_scanner.Unlock( scan_context, scan_node.path_spec, 'password', self._FVDE_PASSWORD) self._source_scanner.Scan(scan_context, scan_path_spec=scan_node.path_spec) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.GetSubNodeByLocation('/') self.assertIsNotNone(scan_node) self.assertIsNotNone(scan_node.path_spec) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_TSK)
def testScanVolumeOnEncryptedAPFS(self): """Tests the _ScanVolume function on an encrypted APFS image.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['apfs_encrypted.dmg']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) apfs_container_scan_node = scan_node.sub_nodes[4].sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test on volume system sub node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node.sub_nodes[0], test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1)
def testScanOnNonExisting(self): """Test the Scan function on non-existing image file.""" test_path = self._GetTestFilePath(['nosuchfile.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) with self.assertRaises(errors.BackEndError): self._source_scanner.Scan(scan_context)
def testScanNonExisting(self): """Test the Scan function.""" test_file = self._GetTestFilePath([u'nosuchfile.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) with self.assertRaises(errors.BackEndError): _ = self._source_scanner.Scan(scan_context)
def ScanSource(self, source_path): if os.path.islink(source_path): source_path = os.path.realpath(source_path) if (not source_path.startswith('\\\\.\\') and not os.path.exists(source_path)): raise errors.SourceScannerError( 'No such device, file or directory: {0:s}.'.format( source_path)) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(source_path) try: self._source_scanner.Scan(scan_context) except (ValueError, dfvfs_errors.BackEndError) as exception: raise errors.SourceScannerError( 'Unable to scan source with error: {0!s}.'.format(exception)) # 경로를 입력받을 때 if scan_context.source_type not in ( scan_context.SOURCE_TYPE_STORAGE_MEDIA_DEVICE, scan_context.SOURCE_TYPE_STORAGE_MEDIA_IMAGE): scan_node = scan_context.GetRootScanNode() self._source_path_specs.append(scan_node.path_spec) return scan_context # Get the first node where where we need to decide what to process. scan_node = scan_context.GetRootScanNode() while len(scan_node.sub_nodes) == 1: scan_node = scan_node.sub_nodes[0] # if type_indicator가 TSK_PARTITION이 아닌 경우 base_path_specs = [] if scan_node.type_indicator != ( dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION): self._ScanVolume(scan_context, scan_node, base_path_specs) # type_indicator가 TSK_PARTITION인 경우 else: # Determine which partition needs to be processed. partition_identifiers = self._GetTSKPartitionIdentifiers(scan_node) if not partition_identifiers: raise errors.SourceScannerError('No partitions found.') for partition_identifier in partition_identifiers: location = '/{0:s}'.format(partition_identifier) sub_scan_node = scan_node.GetSubNodeByLocation(location) self._ScanVolume(scan_context, sub_scan_node, base_path_specs) if not base_path_specs: raise errors.SourceScannerError( 'No supported file system found in source.') self._source_path_specs = base_path_specs return scan_context
def testGetVSSStoreIdentifiers(self): """Tests the _GetVSSStoreIdentifiers function.""" # Test with mediator. test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) identifiers = test_scanner._GetVSSStoreIdentifiers( scan_node.sub_nodes[0], test_options) self.assertEqual(len(identifiers), 2) self.assertEqual(identifiers, ['vss1', 'vss2']) # Test without mediator. test_scanner = volume_scanner.VolumeScanner() test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(scan_node.sub_nodes[0], test_options) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(None, test_options) scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(scan_node, test_options)
def testSetSourceType(self): """Test the SetSourceType function.""" test_context = source_scanner.SourceScannerContext() test_context.SetSourceType(definitions.SOURCE_TYPE_FILE) self.assertEqual(test_context.source_type, definitions.SOURCE_TYPE_FILE) test_context.SetSourceType(definitions.SOURCE_TYPE_DIRECTORY) self.assertEqual(test_context.source_type, definitions.SOURCE_TYPE_FILE)
def testScanVolumeOnEncryptedAPFS(self): """Tests the _ScanVolume function on an encrypted APFS image.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['apfs_encrypted.dmg']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = scan_context.GetRootScanNode() self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_OS) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.sub_nodes[0] self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_RAW) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.sub_nodes[0] self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.PREFERRED_GPT_BACK_END) if scan_node.type_indicator == definitions.TYPE_INDICATOR_GPT: self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.sub_nodes[0] else: # The pytsk partition back-end yields more than 1 scan node for various # metadata and unallocated parts of the GPT. self.assertEqual(len(scan_node.sub_nodes), 6) scan_node = scan_node.sub_nodes[4] apfs_container_scan_node = scan_node.sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test on volume system sub node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node.sub_nodes[0], test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1)
def testHasScanNode(self): """Test the HasScanNode function.""" test_fake_path_spec = fake_path_spec.FakePathSpec(location='/') test_context = source_scanner.SourceScannerContext() self.assertFalse(test_context.HasScanNode(test_fake_path_spec)) test_context.AddScanNode(test_fake_path_spec, None) self.assertTrue(test_context.HasScanNode(test_fake_path_spec))
def testAddScanNode(self): """Test the AddScanNode function.""" test_context = source_scanner.SourceScannerContext() self.assertEqual(len(test_context._scan_nodes), 0) test_fake_path_spec = fake_path_spec.FakePathSpec(location='/') test_context.AddScanNode(test_fake_path_spec, None) self.assertEqual(len(test_context._scan_nodes), 1)
def testOpenSourcePath(self): """Test the OpenSourcePath function.""" test_context = source_scanner.SourceScannerContext() self.assertEqual(len(test_context._scan_nodes), 0) test_path = self._GetTestFilePath(['testdir_os', 'file1.txt']) test_context.OpenSourcePath(test_path) self.assertEqual(len(test_context._scan_nodes), 1)
def Analyze(self, source_path, output_writer): """Analyzes the source. Args: source_path: the source path. output_writer: the output writer (instance of StdoutWriter). Raises: RuntimeError: if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported. """ if not os.path.exists(source_path): raise RuntimeError(u'No such source: {0:s}.'.format(source_path)) scan_context = source_scanner.SourceScannerContext() scan_path_spec = None scan_step = 0 scan_context.OpenSourcePath(source_path) while True: self._source_scanner.Scan(scan_context, auto_recurse=self._auto_recurse, scan_path_spec=scan_path_spec) if not scan_context.updated: break if not self._auto_recurse: output_writer.WriteScanContext(scan_context, scan_step=scan_step) scan_step += 1 # The source is a directory or file. if scan_context.source_type in [ definitions.SOURCE_TYPE_DIRECTORY, definitions.SOURCE_TYPE_FILE ]: break # The source scanner found a locked volume, e.g. an encrypted volume, # and we need a credential to unlock the volume. for locked_scan_node in scan_context.locked_scan_nodes: self._PromptUserForEncryptedVolumeCredential( scan_context, locked_scan_node, output_writer) if not self._auto_recurse: scan_node = scan_context.GetUnscannedScanNode() if not scan_node: return scan_path_spec = scan_node.path_spec if self._auto_recurse: output_writer.WriteScanContext(scan_context)
def testLockScanNode(self): """Test the LockScanNode function.""" test_fake_path_spec = fake_path_spec.FakePathSpec(location='/') test_context = source_scanner.SourceScannerContext() with self.assertRaises(KeyError): test_context.LockScanNode(test_fake_path_spec) test_context.AddScanNode(test_fake_path_spec, None) test_context.LockScanNode(test_fake_path_spec)
def testIsSourceTypeFile(self): """Test the IsSourceTypeFile function.""" test_context = source_scanner.SourceScannerContext() self.assertIsNone(test_context.IsSourceTypeFile()) test_context.source_type = definitions.SOURCE_TYPE_FILE self.assertTrue(test_context.IsSourceTypeFile()) test_context.source_type = definitions.SOURCE_TYPE_DIRECTORY self.assertFalse(test_context.IsSourceTypeFile())
def testGetScanNode(self): """Test the GetScanNode function.""" test_fake_path_spec = fake_path_spec.FakePathSpec(location='/') test_context = source_scanner.SourceScannerContext() scan_node = test_context.GetScanNode(test_fake_path_spec) self.assertIsNone(scan_node) test_context.AddScanNode(test_fake_path_spec, None) scan_node = test_context.GetScanNode(test_fake_path_spec) self.assertIsNotNone(scan_node)