def test01RunScanners(self): """ Running Logical Index Scanner """ ## Make sure the word secret is in there. pdbh = DB.DBO() pdbh.execute("select * from dictionary where word='secret' limit 1") row = pdbh.fetch() if not row: pdbh.insert('dictionary', **{'word':'secret', 'class':'English', 'type':'word'}) env = pyflagsh.environment(case=self.test_case) pyflagsh.shell_execv(env=env, command="scan", argv=["*",'IndexScan']) dbh = DB.DBO(self.test_case) dbh2 = DB.DBO(self.test_case) fsfd = DBFS(self.test_case) dbh.execute("select inode_id, word,offset,length from LogicalIndexOffsets join %s.dictionary on LogicalIndexOffsets.word_id=%s.dictionary.id where word='secret'", (config.FLAGDB,config.FLAGDB)) count = 0 for row in dbh: count += 1 path, inode, inode_id = fsfd.lookup(inode_id = row['inode_id']) fd = fsfd.open(inode=inode) fd.overread = True fd.slack = True fd.seek(row['offset']) data = fd.read(row['length']) print "Looking for %s: Found in %s at offset %s length %s %r" % ( row['word'], inode, row['offset'], row['length'],data) self.assertEqual(data.lower(), row['word'].lower()) ## Did we find all the secrets? self.assertEqual(count,2)
def test03MultipleSources(self): """ Test that multiple images can be loaded on the same VFS """ pyflagsh.shell_execv(command="execute", argv=["Load Data.Load IO Data Source",'case=%s' % self.test_case, "iosource=second_image", "subsys=EWF", "filename=ntfs_image.e01" , ]) pyflagsh.shell_execv(command="execute", argv=["Load Data.Load Filesystem image",'case=%s' % self.test_case, "iosource=second_image", "fstype=Sleuthkit", "mount_point=/ntfsimage/"]) ## Try to read a file from the first source: fsfd = DBFS(self.test_case) fd = fsfd.open("/stdimage/dscf1081.jpg") m = hashlib.md5() m.update(fd.read()) self.assertEqual(m.hexdigest(),'11bec410aebe0c22c14f3eaaae306f46') ## Try to read a file from the second source: fd = fsfd.open("/ntfsimage/Books/80day11.txt") m = hashlib.md5() m.update(fd.read()) self.assertEqual(m.hexdigest(),'f5b394b5d0ca8c9ce206353e71d1d1f2')
def display(self, query, result): filenames = query.getarray('filename') print "Openning AFF4 volumes %s" % (filenames, ) result.heading("Loading AFF4 Volumes") fsfd = DBFS(query['case']) for filename in filenames: ## Filenames are always specified relative to the upload ## directory urn = pyaff4.RDFURN() urn.set(config.UPLOADDIR) urn.add(filename) ## We try to load the volume contained in the URI given, ## but if that fails we just load the URI as a raw file: if not oracle.load(urn): fsfd.VFSCreate(urn, urn.parser.query, _fast=True, mode=-1) return stream_urn = pyaff4.RDFURN() iter = oracle.get_iter(urn, pyaff4.AFF4_CONTAINS) while oracle.iter_next(iter, stream_urn): result.row("Adding %s" % stream_urn.value) ## FIXME - what kind of objects do we import? ## Segments might be too much fsfd.VFSCreate(stream_urn, stream_urn.parser.query, _fast=True, mode=-1) return ## FIXME - record the fact that these volumes are loaded ## already into this case... ## Load all the objects inside the volumes for v in loaded_volumes: for urn in aff4.oracle.resolve_list(v, AFF4_CONTAINS): type = aff4.oracle.resolve(urn, AFF4_TYPE) if 1 or type in SUPPORTED_STREAMS: if "/" in urn: path = "%s/%s" % (base_dir, urn[urn.index("/"):]) else: path = base_dir fsfd.VFSCreate(urn, path, _fast=True, mode=-1)
def setUp(self): self.fs = DBFS(self.test_case) self.fd = self.fs.open(inode=self.test_inode)