def _get_volume_from_image(self) -> pytsk3.Volume_Info:
"""
Tries to get a Volume_Info object from the provided image file.
:return: pytsk3.Volume_Info
"""
logger: Logger = logging.getLogger(__name__)
try:
attr_id: int = getattr(pytsk3, f"TSK_VS_TYPE_{self._fstype}")
volume: pytsk3.Volume_Info = pytsk3.Volume_Info(
self._imageinfo, attr_id)
except IOError:
try:
# Give it another try without a type. Maybe the provided type was wrong.
logger.info(
f"Could not open volume with the type '{self._fstype}'. Trying without type..."
)
volume = pytsk3.Volume_Info = pytsk3.Volume_Info(
self._imageinfo)
except IOError as ioerror:
logger.info(f"Unable to read partition table.")
raise ioerror
with suppress(Exception):
self._logger.info(f"Volume is of type '{volume.info.vstype}'.")
return volume
def iterate_image(self, image, img_type, output, part_type):
volume = None
print("[+] Opening {}".format(image))
if img_type == "ewf":
try:
#image = image.split('/')
#image = image[len(image) - 1]
image = image.replace('/', '\\')
print(image)
filenames = pyewf.glob(image)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Invalid EWF format:\n {}".format(e))
sys.exit(2)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
print(filenames)
# Open PYTSK3 handle on EWF Image
img_info = EWFImgInfo(ewf_handle)
else:
img_info = pytsk3.Img_Info(image)
print(img_info)
try:
if part_type is not None:
attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
volume = pytsk3.Volume_Info(img_info, attr_id)
print(volume)
else:
volume = pytsk3.Volume_Info(img_info)
print(volume)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to read partition table:\n {}".format(e))
image_stored_list.open_fs(self, volume, img_info, output)
def main(image, img_type, hashes, part_type=None, pbar_total=0):
hash_list, hash_type = read_hashes(hashes)
volume = None
print("[+] Opening {}".format(image))
if img_type == "ewf":
try:
filenames = pyewf.glob(image)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Invalid EWF format:\n {}".format(e))
sys.exit(2)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
# Open PYTSK3 handle on EWF Image
img_info = EWFImgInfo(ewf_handle)
else:
img_info = pytsk3.Img_Info(image)
try:
if part_type is not None:
attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
volume = pytsk3.Volume_Info(img_info, attr_id)
else:
volume = pytsk3.Volume_Info(img_info)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to read partition table:\n {}".format(e))
open_fs(volume, img_info, hash_list, hash_type, pbar_total)
def image_read(image, img_type, part_type):
print("[+] Opening {}".format(image))
if img_type == "ewf":
try:
filenames = pyewf.glob(image)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Invalid EWF format:\n {}".format(e))
sys.exit(2)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
e01_metadata(ewf_handle)
# Open PYTSK3 handle on EWF Image
img_info = EWFImgInfo(ewf_handle)
else:
img_info = pytsk3.Img_Info(image)
try:
if part_type is not None:
attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
volume = pytsk3.Volume_Info(img_info, attr_id)
else:
volume = pytsk3.Volume_Info(img_info)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to read partition table:\n {}".format(e))
sys.exit(3)
part_metadata(volume)
def _find_volumes(self, volume_system, vstype='detect'):
"""Finds all volumes based on the pytsk3 library."""
try:
# noinspection PyUnresolvedReferences
import pytsk3
except ImportError:
logger.error("pytsk3 not installed, could not detect volumes")
raise ModuleNotFoundError("pytsk3")
baseimage = None
try:
# ewf raw image is now available on base mountpoint
# either as ewf1 file or as .dd file
raw_path = volume_system.parent.get_raw_path()
# noinspection PyBroadException
try:
baseimage = pytsk3.Img_Info(raw_path)
except Exception:
logger.error(
"Failed retrieving image info (possible empty image).",
exc_info=True)
return []
try:
volumes = pytsk3.Volume_Info(
baseimage, getattr(pytsk3,
'TSK_VS_TYPE_' + vstype.upper()),
volume_system.parent.offset //
volume_system.disk.block_size)
volume_system.volume_source = 'multi'
return volumes
except Exception as e:
# some bug in sleuthkit makes detection sometimes difficult, so we hack around it:
if "(GPT or DOS at 0)" in str(e) and vstype != 'gpt':
volume_system.vstype = 'gpt'
# noinspection PyBroadException
try:
logger.warning(
"Error in retrieving volume info: TSK couldn't decide between GPT and DOS, "
"choosing GPT for you. Use --vstype=dos to force DOS.",
exc_info=True)
volumes = pytsk3.Volume_Info(
baseimage, getattr(pytsk3, 'TSK_VS_TYPE_GPT'))
volume_system.volume_source = 'multi'
return volumes
except Exception as e:
logger.exception(
"Failed retrieving image info (possible empty image)."
)
raise SubsystemError(e)
else:
logger.exception(
"Failed retrieving image info (possible empty image).")
raise SubsystemError(e)
finally:
if baseimage:
baseimage.close()
del baseimage
def main(image,
img_type,
offset,
hashListFile,
evidence_Dir,
part_Type,
pbar_total=0):
matched_Hash_Files = {}
hash_List, type_of_Hash = get_Hash_Type(hashListFile)
volume = None
print("[+] Opening {}".format(image))
if img_type == "ewf":
try:
filenames = pyewf.glob(image)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Invalid EWF format:\n {}".format(e))
sys.exit(2)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
# Open PYTSK3 handle on EWF Image
img_info = EWFImgInfo(ewf_handle)
else:
img_info = pytsk3.Img_Info(image)
# The above code is taken from the "Combining pyewf with pytsk3" section of
# the python development page for pyewf
try:
if part_Type is not None:
attr_ID = getattr(pytsk3, "TSK_VS_TYPE_" + part_Type)
volume = pytsk3.Volume_Info(img_info, attr_ID)
else:
volume = pytsk3.Volume_Info(img_info)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to read partition table:\n {}".format(e))
exit()
finished_fileDict = open_FS(volume, img_info, hash_List, type_of_Hash,
matched_Hash_Files, evidence_Dir, pbar_total)
for hash_Value in hash_List:
if hash_Value in finished_fileDict:
print("value for %r in finished_fileDict: %r" %
(hash_Value, finished_fileDict[hash_Value]))
else:
continue
finished_evidenceDict = os_Hash_Check(evidence_Dir, hash_List,
type_of_Hash)
for hash_Value in hash_List:
if hash_Value in finished_fileDict:
print("value for %r in finished_evidenceDict: %r" %
(hash_Value, finished_evidenceDict[hash_Value]))
else:
continue
def extractFile(imageFile,filenames):
# vhdi_file = pyvhdi.file()
# vhdi_file.open(imageFile)
# img_info = vhdi_Img_Info(vhdi_file)
# partitionTable = pytsk3.Volume_Info(img_info)
if "vhd" in imageFile:
vhdi_file = pyvhdi.file()
vhdi_file.open(imageFile)
img_info = vhdi_Img_Info(vhdi_file)
partitionTable = pytsk3.Volume_Info(img_info)
else:
img_info = pytsk3.Img_Info(imageFile)
partitionTable = pytsk3.Volume_Info(img_info)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
# try:
if 'NTFS' in partition.desc:
filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512))
print "File System Type Dectected ",filesystemObject.info.ftype
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
elif 'FAT32' in partition.desc: # Use DFIR tutorial example to deal with other partitions later on.
filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512))
print "File System Type Dectected ",filesystemObject.info.ftype
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
outputPath = 'Evidence_Package'
for filename in filenames:
if not os.path.exists(outputPath):
os.makedirs(outputPath)
if not os.path.isdir(str(filename)):
try:
# ex_path = ('%s/%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/')
# ex_path = outputPath + os.sep + os.path.basename(str(filename))
ex_path = ('%s\%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/')
extractFile = open(ex_path,'w')
fileobject = filesystemObject.open(str(filename))
filedata = fileobject.read_random(0,fileobject.info.meta.size)
extractFile.write(filedata)
extractFile.close
except IOError:
print('cannot open', str(filename))
def _Open(self, path_spec, mode='rb'):
"""Opens the file system object defined by path specification.
Args:
path_spec: a path specification (instance of PathSpec).
mode: optional file access mode. The default is 'rb' read-only binary.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file system object could not be opened.
PathSpecError: if the path specification is incorrect.
ValueError: if the path specification is invalid.
"""
if not path_spec.HasParent():
raise errors.PathSpecError(
u'Unsupported path specification without parent.')
file_object = resolver.Resolver.OpenFileObject(
path_spec.parent, resolver_context=self._resolver_context)
try:
tsk_image_object = tsk_image.TSKFileSystemImage(file_object)
tsk_volume = pytsk3.Volume_Info(tsk_image_object)
except:
file_object.close()
raise
self._file_object = file_object
self._tsk_volume = tsk_volume
def testIterate(self):
"""Test the iterate functionality."""
volume_info = pytsk3.Volume_Info(self._img_info)
self.assertNotEquals(volume_info, None)
self.assertNotEquals(getattr(volume_info, 'info', None), None)
self.assertEquals(str(volume_info.info.vstype), 'TSK_VS_TYPE_DOS')
parts = []
for part in volume_info:
part_string = (
u'{0:02d}: {1:010d} {2:010d} {3:010d} {4:s}\n').format(
part.addr, part.start, part.start + part.len - 1, part.len,
part.desc.decode('utf-8'))
parts.append(part_string)
# Note that due to the size the SleuthKit will add a non-existing part:
# 07: 0000002880 2147483647 2147480768 Unallocated
self.assertEquals(len(parts), 8)
expected_parts_string = (
u'00: 0000000000 0000000000 0000000001 Primary Table (#0)\n'
u'01: 0000000000 0000000000 0000000001 Unallocated\n'
u'02: 0000000001 0000000350 0000000350 Linux (0x83)\n'
u'03: 0000000351 0000002879 0000002529 DOS Extended (0x05)\n'
u'04: 0000000351 0000000351 0000000001 Extended Table (#1)\n'
u'05: 0000000351 0000000351 0000000001 Unallocated\n'
u'06: 0000000352 0000002879 0000002528 Linux (0x83)\n'
u'07: 0000002880 2147483647 2147480768 Unallocated\n')
self.assertEquals(u''.join(parts), expected_parts_string)
def offset_recog():
partition_offset_list = []
ewf_handle = pyewf.handle()
filenames = pyewf.glob("image_sd_pi.E01")
ewf_handle.open(filenames)
imagehandle = ewf_Img_Info(ewf_handle)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
partition_offset_list.append(partition.start * 512)
for x in partition_offset_list:
print(x)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=4194304)
fileobject = filesystemObject.open("/$FAT1")
print("File Inode:",fileobject.info.meta.addr)
print("File Name:",fileobject.info.name.name)
print("File Creation Time:",datetime.datetime.fromtimestamp(fileobject.info.meta.crtime).strftime('%Y-%m-%d %H:%M:%S'))
#outfile = open('DFIRWizard-output', 'w')
#filedata = fileobject.read_random(0,fileobject.info.meta.size)
return partition_offset_list
def main():
#TODO move image loading to a method or util class
imagefile = './forensic_image/AssignmentImage.dmg'
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
print_partition_table(partitionTable)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=512)
#print dir(filesystemObject)
walk_file_system(filesystemObject)
print 'The lenght of the dictionary is %d' % len(hashMap)
rev_multidict = {}
for key, value in hashMap.items():
rev_multidict.setdefault(value, set()).add(key)
for v in [
values for key, values in rev_multidict.items() if len(values) > 1
]:
print list(v)
print '========'
fileobject = filesystemObject.open_dir("/")
for a_file in fileobject:
if a_file.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
print ''
def parseImage(diskPath):
filenames = pyewf.glob(diskPath)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
#call class to parse .EO1 image with pytsk3
img_Info = ewf_Img_Info(ewf_handle)
try:
partitionTable = pytsk3.Volume_Info(img_Info)
except IOError:
print "Error!Could not determine partition type ", filenames
sys.exit(0)
#find partitions
for partition in partitionTable:
print partition.addr, partition.desc, "%s %s (%s)" % (
partition.start, partition.start * 512, partition.len)
if 'NTFS' in partition.desc:
fileSystemObject = pytsk3.FS_Info(img_Info,
offset=(partition.start * 512))
#Extract all files
directory = fileSystemObject.open_dir(path='/')
#find all the files of the system
extraction(directory, [], [])
ewf_handle.close()
def __init__(self, address_space, session=None):
self.session = session
self.block_size = 512
# The address space of the entire disk.
self.address_space = address_space
self._img_info = AS_Img_Info(address_space)
try:
# open as disk image
tsk_vs = pytsk3.Volume_Info(self._img_info)
self.volume_system = VolumeSystem(self,
tsk_vs,
session=self.session)
self.block_size = tsk_vs.info.block_size
self.partitions = self.volume_system.partitions
except IOError:
# open as partition image
self.volume_system = obj.NoneObject("No Volume")
self.partitions = []
try:
fake_partition = Partition(self,
filesystem=FS(
pytsk3.FS_Info(self._img_info)),
session=self.session)
self.partitions.append(fake_partition)
except IOError:
pass
def extractFile(imageFile,filenames):
vhdi_file = pyvhdi.file()
vhdi_file.open(imageFile)
img_info = vhdi_Img_Info(vhdi_file)
partitionTable = pytsk3.Volume_Info(img_info)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
# try:
if 'NTFS' in partition.desc:
filesystemObject = pytsk3.FS_Info(img_info, offset=(partition.start*512))
# except:
# print "Partition has no supported file system"
# continue
print "File System Type Dectected ",filesystemObject.info.ftype
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
outputPath = 'ex_differ_file-test2'
for filename in filenames:
if not os.path.exists(outputPath):
os.makedirs(outputPath)
if not os.path.isdir(str(filename)):
try:
ex_path = ('%s/%s' % (outputPath, os.path.basename(str(filename)))).replace('//','/')
extractFile = open(ex_path,'w')
fileobject = filesystemObject.open(str(filename))
filedata = fileobject.read_random(0,fileobject.info.meta.size)
extractFile.write(filedata)
extractFile.close
except IOError:
print('cannot open', str(filename))
def open_vol(self):
sys.stderr.write("[+] Opening {}\n".format(self.evidence))
# Handle EWF/Raw Images
if self.image_type == "ewf":
try:
filenames = pyewf.glob(self.evidence)
except IOError:
_, e, _ = sys.exc_info()
sys.stderr.write("[-] Invalid EWF format:\n {}\n".format(e))
raise IOError
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
# Open PYTSK3 handle on EWF Image
self.image_handle = EWFImgInfo(ewf_handle)
else:
self.image_handle = pytsk3.Img_Info(self.evidence)
# Open volume from image
try:
self.vol = pytsk3.Volume_Info(self.image_handle)
except IOError:
_, e, _ = sys.exc_info()
sys.stderr.write("[-] Unable to read partition table. Possible logical image:\n {}\n".format(e))
def EnumerateFilesystemsFromClient(args):
"""List all local filesystems mounted on this system."""
del args # Unused.
for fs_struct in client_utils_osx.GetFileSystems():
yield rdf_client_fs.Filesystem(
device=fs_struct.f_mntfromname,
mount_point=fs_struct.f_mntonname,
type=fs_struct.f_fstypename)
drive_re = re.compile("r?disk[0-9].*")
for drive in os.listdir("/dev"):
if not drive_re.match(drive):
continue
path = os.path.join("/dev", drive)
try:
img_inf = pytsk3.Img_Info(path)
# This is a volume or a partition - we send back a TSK device.
yield rdf_client_fs.Filesystem(device=path)
vol_inf = pytsk3.Volume_Info(img_inf)
for volume in vol_inf:
if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
offset = volume.start * vol_inf.info.block_size
yield rdf_client_fs.Filesystem(
device="{path}:{offset}".format(path=path, offset=offset),
type="partition")
except (IOError, RuntimeError):
continue
def __init__(self, url):
# parse out the different volumes
self.url = url
self.img = pytsk3.Img_Info(url=self.url)
self.VOL_INFO = pytsk3.Volume_Info(self.img)
self.vol_to_se = {}
self.VOLUMES = []
self.VOLUME_BOUNDARIES = []
# print out some info about the disk image
logger.debug("--- Volume info ---")
logger.debug("Current: %d" % self.VOL_INFO.current)
logger.debug("VS Type: %d" % self.VOL_INFO.info.vstype)
logger.debug("Offset: %d" % self.VOL_INFO.info.offset)
logger.debug("Block Size: %d" % self.VOL_INFO.info.block_size)
logger.debug("Endian: %d" % self.VOL_INFO.info.endian)
logger.debug("Partition List: %s" % self.VOL_INFO.info.part_list)
logger.debug("Parition Count: %d" % self.VOL_INFO.info.part_count)
logger.debug("--- Volume info ---")
# Add each volume
for vol in self.VOL_INFO:
#print part.addr, part.desc, part.start, part.len
self.add_volume(vol)
def __init__(self, url):
# parse out the different volumes
logger.info("Initializing Semantic Engine")
self.url = url
self.img = pytsk3.Img_Info(url=self.url)
self.VOL_INFO = pytsk3.Volume_Info(self.img)
self.vol_to_se = {}
self.VOLUMES = []
self.VOLUME_BOUNDARIES = []
# print out some info about the disk image
'''
print("--- Volume info ---")
print("Current: %d" % self.VOL_INFO.current)
print("VS Type: %d" % self.VOL_INFO.info.vstype)
print("Offset: %d" % self.VOL_INFO.info.offset)
print("Block Size: %d" % self.VOL_INFO.info.block_size)
print("Endian: %d" % self.VOL_INFO.info.endian)
print("Partition List: %s" % self.VOL_INFO.info.part_list)
print("Parition Count: %d" % self.VOL_INFO.info.part_count)
print("--- Volume info ---")
'''
# Add each volume
for vol in self.VOL_INFO:
self.add_volume(vol)
def Run(self, unused_args):
"""List all local filesystems mounted on this system."""
for fs_struct in client_utils_osx.GetFileSystems():
self.SendReply(
rdf_client.Filesystem(device=fs_struct.f_mntfromname,
mount_point=fs_struct.f_mntonname,
type=fs_struct.f_fstypename))
drive_re = re.compile("r?disk[0-9].*")
for drive in os.listdir("/dev"):
if not drive_re.match(drive):
continue
path = os.path.join("/dev", drive)
try:
img_inf = pytsk3.Img_Info(path)
# This is a volume or a partition - we send back a TSK device.
self.SendReply(rdf_client.Filesystem(device=path))
vol_inf = pytsk3.Volume_Info(img_inf)
for volume in vol_inf:
if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
offset = volume.start * vol_inf.info.block_size
self.SendReply(
rdf_client.Filesystem(device=path + ":" +
str(offset),
type="partition"))
except (IOError, RuntimeError):
continue
def __init__(self, file, hash_val):
self.__file = file
self.img = pytsk3.Img_Info(self.__file)
self.__partition_list = list()
self.__vol = pytsk3.Volume_Info(self.img)
self.__hash_val = [hash_val]
self.__cal_hash()
def GetVolumes(self, phyDrive="\\\\.\\PhysicalDrive0"):
list_fs_info = [] # contain the file system object
block_size = 512 # by default block size is 512
try:
img = pytsk3.Img_Info(phyDrive) # open the physical drive
volume = pytsk3.Volume_Info(img) # get volume information
except OSError as e:
if "file not found" in str(e):
raise Exception("PHYSICAL_DRIVE_NOT_FOUND")
else:
raise Exception(str(e))
# for each volume in the drive, check if it is NTFS and open object to handle it
for part in volume:
try:
self.logging(
"INFO",
"Check partition: desc{0:s}, offset{1:d}, size:{2:d}".
format(part.desc.decode('utf-8'), part.start, part.len))
fs_info = pytsk3.FS_Info(img, offset=part.start * block_size)
# check if file system is NTFS
if fs_info.info.ftype in [
pytsk3.TSK_FS_TYPE_NTFS, pytsk3.TSK_FS_TYPE_NTFS_DETECT
]:
list_fs_info.append(fs_info)
except Exception as e:
pass
return list_fs_info
def get_volume_object(self):
try:
volume_object = pytsk3.Volume_Info(self.img_object)
return volume_object
except IOError:
_, e, _ = sys.exc_info()
logging.error("Unable to read partition table:\n {}".format(e))
def main():
args = parser.parse_args()
image = args.image
partition_starts = []
# Check if the user provided image format is ewf. If so, use the libewf developer's provided class to extend
# the capabilities of pytsk3 to include the ewf format. If the image format is not ewf then pytsk3 can handle the image natively.
try:
if args.format == "ewf":
files = pyewf.glob(args.image)
ewf_handle = pyewf.handle()
ewf_handle.open(files)
image_handle = ewf_Img_Info(ewf_handle)
else:
image_handle = pytsk3.Img_Info(url=image)
# Once a handle to the image has been established print all of the detected partitions to the user and allow them to pick the partition of
# interest to be scanned.
print "Which partition should be scanned?"
volume = pytsk3.Volume_Info(image_handle)
for partition in volume:
print partition.addr, partition.desc, "%s(%s)" % (
partition.start, partition.start * 512), partition.len
partition_starts.append(int(partition.start))
except IOError, error:
print error
def _Open(self, mode='rb'):
"""Opens the file system object defined by path specification.
Args:
mode (Optional[str]): file access mode. The default is 'rb' which
represents read-only binary.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file system object could not be opened.
PathSpecError: if the path specification is incorrect.
ValueError: if the path specification is invalid.
"""
if not self._path_spec.HasParent():
raise errors.PathSpecError(
'Unsupported path specification without parent.')
file_object = resolver.Resolver.OpenFileObject(
self._path_spec.parent, resolver_context=self._resolver_context)
tsk_image_object = tsk_image.TSKFileSystemImage(file_object)
tsk_volume = pytsk3.Volume_Info(tsk_image_object)
self._file_object = file_object
self._tsk_volume = tsk_volume
def __init__(self, file, path, hash_val):
self.__file = file
self.__partition_list = list()
self.__img_info = EWFImgInfo(self.__file)
self.__vol = pytsk3.Volume_Info(self.__img_info)
self.__path = path
self.__hash_val = [hash_val]
self.__cal_hash()
def readImageFile(self, imagefile):
filenames = pyewf.glob(imagefile)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
imagehandle = ewf_Img_Info(ewf_handle)
partitionTable = pytsk3.Volume_Info(imagehandle)
return partitionTable, imagehandle
def main(imgpath):
img = pytsk3.Img_Info(imgpath)
vol = pytsk3.Volume_Info(img)
bs = vol.info.block_size
for part in vol:
try:
mount(imgpath, part, bs)
except Exception as e:
print(e)
def main(image, img_type, ext, output, part_type):
volume = None
print("[+] Opening {}".format(image))
if img_type == "ewf":
print("jammer")
else:
img_info = pytsk3.Img_Info(image)
try:
if part_type is not None:
attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
volume = pytsk3.Volume_Info(img_info, attr_id)
else:
volume = pytsk3.Volume_Info(img_info)
except IOError:
_, e, _ = sys.exc_info()
print("[-] Unable to read partition table:\n {}".format(e))
open_fs(volume, img_info, ext, output)
def get_volume_info(image_info):
return [partition(
image_info=image_info,
volume_info=part,
partition_number=part.addr,
description=part.desc.decode('utf-8'),
starting_offset_bytes=part.start,
starting_offset_sector=int(part.start*512),
partition_length=part.len)
for part in pytsk3.Volume_Info(image_info)]
def get_partitions(self):
partitions = []
with open(self.file_path) as imageFile:
image_handle = pytsk3.Img_Info(imageFile.name)
partition_table = pytsk3.Volume_Info(image_handle)
for partition in partition_table:
#print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
partitions.add(Partition(partition.addr, partition.desc, partition.start, partition.len))