def read_disk(options): # Setup our log files dcap_filename = options.dcap_file # read from the cap file in real time reader = CaptureReader(options.dcap_file) # Tailing or terminating? reader_iter = reader if options.tail_enable: reader_iter = reader.tail() # Loop over all of the dcap contents for (timestamp, data) in reader_iter: print timestamp if options.sensor_type == G.MACHINE_TYPES.PHYSICAL: sata_frame = SATAFrame(data) print sata_frame else: disk_sensor_pkt = [DiskSensorPacket(data)] print disk_sensor_pkt
def run(self): """ This function will read a raw disk capture and use a scanned disk image to reconstruct the recorded SATA traffic and output the semantic output. """ # copy our disk image to a temporary working image self.working_disk_img = os.path.join(self.output_dir, "disk.img.tmp") print "* Creating temporary working image from disk scan. (%s)"%self.working_disk_img # Delete, copy, chmod new file try: os.unlink(self.working_disk_img) except: pass cmd = "cp --sparse=always %s %s" % (self.disk_img, self.working_disk_img) subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read() os.chmod(self.working_disk_img, 0755) # Set up our semantic bridge print "* Parsing disk image %s into our semantic engine... (This may take a while)" % self.working_disk_img semantic_engine = SemanticEngineDisk(self.working_disk_img) # Start processing our dcap print "* Processing dcap file %s..." % self.dcap_filename # SATA Interpreter sata = SATAInterpreter() """ @TODO Extract sector size from PyTSK """ sata_reconstructor = SATAReconstructor(sector_size=G.SENSOR_DISK.DEFAULT_SECTOR_SIZE) # read from the cap file in real time reader = CaptureReader(self.dcap_filename) # Tailing or terminating? reader_iter = reader if self.tail_enable: reader_iter = reader.tail() # Loop over all of the dcap contents for (timestamp, data) in reader_iter: if self.sensor_type == G.MACHINE_TYPES.PHYSICAL: (header, data) = sata.extract_sata_data(data) # deal with SATA NCQ reordering disk_sensor_pkts = sata_reconstructor.process_packet(PhysicalPacket(header, data)) else: disk_sensor_pkts = [DiskSensorPacket(data)] # Process all of our disk packets if disk_sensor_pkts: for dsp in disk_sensor_pkts: # Skip empty packets if not dsp: continue try: fs_operations = semantic_engine.get_access(dsp.sector, dsp.num_sectors, dsp.disk_operation, dsp.data) self.log_output(timestamp, fs_operations) except: logging.exception("Encountered error while trying to bridge semantic gap for this disk access.")