def GetFileEntryByPathSpec(self, path_spec): """Retrieves a file entry for a path specification. Args: path_spec (PathSpec): path specification. Returns: VShadowFileEntry: file entry or None if not available. """ store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec) # The virtual root file has not corresponding store index but # should have a location. if store_index is None: location = getattr(path_spec, 'location', None) if location is None or location != self.LOCATION_ROOT: return return vshadow_file_entry.VShadowFileEntry(self._resolver_context, self, path_spec, is_root=True, is_virtual=True) if store_index < 0 or store_index >= self._vshadow_volume.number_of_stores: return return vshadow_file_entry.VShadowFileEntry(self._resolver_context, self, path_spec)
def _Open(self, path_spec=None, mode='rb'): """Opens the file-like object defined by path specification. Args: path_spec: optional path specification (instance of path.PathSpec). The default is None. mode: optional file access mode. The default is 'rb' read-only binary. Raises: AccessError: if the access to open the file was denied. IOError: if the file-like object could not be opened. PathSpecError: if the path specification is incorrect. ValueError: if the path specification is invalid. """ if not path_spec: raise ValueError(u'Missing path specfication.') store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec) if store_index is None: raise errors.PathSpecError( u'Unable to retrieve store index from path specification.') self._file_system = resolver.Resolver.OpenFileSystem( path_spec, resolver_context=self._resolver_context) vshadow_volume = self._file_system.GetVShadowVolume() if (store_index < 0 or store_index >= vshadow_volume.number_of_stores): raise errors.PathSpecError( (u'Unable to retrieve VSS store: {0:d} from path ' u'specification.').format(store_index)) self._vshadow_store = vshadow_volume.get_store(store_index)
def _Open(self, mode='rb'): """Opens the file-like object defined by path specification. Args: mode (Optional[str]): file access mode. Raises: AccessError: if the access to open the file was denied. IOError: if the file-like object could not be opened. OSError: if the file-like object could not be opened. PathSpecError: if the path specification is incorrect. """ store_index = vshadow.VShadowPathSpecGetStoreIndex(self._path_spec) if store_index is None: raise errors.PathSpecError( 'Unable to retrieve store index from path specification.') self._file_system = resolver.Resolver.OpenFileSystem( self._path_spec, resolver_context=self._resolver_context) vshadow_volume = self._file_system.GetVShadowVolume() if (store_index < 0 or store_index >= vshadow_volume.number_of_stores): raise errors.PathSpecError( ('Unable to retrieve VSS store: {0:d} from path ' 'specification.').format(store_index)) vshadow_store = vshadow_volume.get_store(store_index) if not vshadow_store.has_in_volume_data(): raise IOError( ('Unable to open VSS store: {0:d} without in-volume stored ' 'data.').format(store_index)) self._vshadow_store = vshadow_store
def GetVShadowStore(self): """Retrieves the VSS store object (instance of pyvshadow.store).""" store_index = vshadow.VShadowPathSpecGetStoreIndex(self.path_spec) if store_index is None: return vshadow_volume = self._file_system.GetVShadowVolume() return vshadow_volume.get_store(store_index)
def GetParentFileEntry(self): """Retrieves the parent file entry. Returns: FileEntry: parent file entry or None if not available. """ store_index = vshadow.VShadowPathSpecGetStoreIndex(self.path_spec) if store_index is None: return None return self._file_system.GetRootFileEntry()
def GetParentFileEntry(self): """Retrieves the parent file entry. Returns: The parent file entry (instance of FileEntry) or None. """ store_index = vshadow.VShadowPathSpecGetStoreIndex(self.path_spec) if store_index is None: return return self._file_system.GetRootFileEntry()
def GetVShadowStoreByPathSpec(self, path_spec): """Retrieves a VSS store for a path specification. Args: path_spec (PathSpec): path specification. Returns: pyvshadow.store: a VSS store or None if not available. """ store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec) if store_index is not None: return self._vshadow_volume.get_store(store_index)
def _ScanDisk(self, scan_context, scan_node, disk_info): """Scan Disk internal Args: scan_context (SourceScannerContext): the source scanner context. scan_node (SourceScanNode): the scan node. """ if not scan_node: return if scan_node.path_spec.IsVolumeSystem( ) and not scan_node.path_spec.IsVolumeSystemRoot(): file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec) if scan_node.type_indicator == definitions.TYPE_INDICATOR_TSK_PARTITION: tsk_volumes = file_system.GetTSKVolume() vol_part, _ = tsk_partition.GetTSKVsPartByPathSpec( tsk_volumes, scan_node.path_spec) if tsk_partition.TSKVsPartIsAllocated(vol_part): bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector( vol_part) length = tsk_partition.TSKVsPartGetNumberOfSectors( vol_part) start_sector = tsk_partition.TSKVsPartGetStartSector( vol_part) vol_name = getattr(scan_node.path_spec, 'location', None)[1:] #vol_name = self.prefix + str(scan_node.path_spec.part_index) base_path_spec = scan_node.path_spec disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \ "length" : length * bytes_per_sector, "bytes_per_sector" : bytes_per_sector, "start_sector" : start_sector, \ "vol_name" : vol_name, "identifier" : None}) elif scan_node.type_indicator == definitions.TYPE_INDICATOR_VSHADOW: vss_volumes = file_system.GetVShadowVolume() store_index = vshadow.VShadowPathSpecGetStoreIndex( scan_node.path_spec) vss_part = list(vss_volumes.stores)[store_index] length = vss_part.volume_size identifier = getattr(vss_part, 'identifier', None) vol_name = getattr(scan_node.path_spec, 'location', None)[1:] base_path_spec = scan_node.path_spec disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \ "length" : length, "bytes_per_sector" : None, "start_sector" : None, "vol_name" : vol_name, \ "identifier" : identifier}) for sub_scan_node in scan_node.sub_nodes: self._ScanDisk(scan_context, sub_scan_node, disk_info)
def FileEntryExistsByPathSpec(self, path_spec): """Determines if a file entry for a path specification exists. Args: path_spec (PathSpec): path specification. Returns: bool: True if the file entry exists. """ store_index = vshadow.VShadowPathSpecGetStoreIndex(path_spec) # The virtual root file has no corresponding store index but # should have a location. if store_index is None: location = getattr(path_spec, 'location', None) return location is not None and location == self.LOCATION_ROOT return 0 <= store_index < self._vshadow_volume.number_of_stores
def InsertImageInformation(self): if not self._source_path_specs: logger.error('source is empty') return disk_info = [] for path_spec in self._source_path_specs: filesystem_type = None if not path_spec.parent: return False if path_spec.parent.IsVolumeSystem(): if path_spec.IsFileSystem(): fs = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) fs_info = fs.GetFsInfo() filesystem_type = getattr(fs_info.info, 'ftype', None) path_spec = path_spec.parent file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION: tsk_volumes = file_system.GetTSKVolume() vol_part, _ = dfvfs_partition.GetTSKVsPartByPathSpec( tsk_volumes, path_spec) if dfvfs_partition.TSKVsPartIsAllocated(vol_part): bytes_per_sector = dfvfs_partition.TSKVolumeGetBytesPerSector( vol_part) length = dfvfs_partition.TSKVsPartGetNumberOfSectors( vol_part) start_sector = dfvfs_partition.TSKVsPartGetStartSector( vol_part) par_label = getattr(vol_part, 'desc', None) try: temp = par_label.decode('ascii') par_label = temp except UnicodeDecodeError: par_label = par_label.decode('utf-8') volume_name = getattr(path_spec, 'location', None)[1:] base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": length * bytes_per_sector, "bytes_per_sector": bytes_per_sector, "start_sector": start_sector, "vol_name": volume_name, "identifier": None, "par_label": par_label, "filesystem": filesystem_type }) elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK: #elif path_spec.IsFileSystem(): file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) fs_info = file_system.GetFsInfo() block_size = getattr(fs_info.info, 'block_size', 0) block_count = getattr(fs_info.info, 'block_count', 0) filesystem = getattr(fs_info.info, 'ftype', None) base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": block_count * block_size, "bytes_per_sector": block_size, "start_sector": 0, "vol_name": 'p1', "identifier": None, "par_label": None, "filesystem": filesystem }) elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_VSHADOW: vss_volumes = file_system.GetVShadowVolume() store_index = dfvfs_vshadow.VShadowPathSpecGetStoreIndex( path_spec) vss_part = list(vss_volumes.stores)[store_index] length = vss_part.volume_size identifier = getattr(vss_part, 'identifier', None) volume_name = getattr(path_spec, 'location', None)[1:] base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": length, "bytes_per_sector": None, "start_sector": None, "vol_name": volume_name, "identifier": identifier, "par_label": None, "filesystem": None }) self._InsertDiskInfo(disk_info)