コード例 #1
0
def vshadowList(Evidences, ags, options):
    for evi in Evidences:
        for fs in evi.fileSystems:
            fs.mount('vshadow', 'Used by vshadow command')
            if pyvshadow.check_volume_signature(fs.loopDevice):
                fritutils.termout.printSuccess(
                    "Volume shadow copy found on '{}/{}'".format(
                        fs.evidenceConfigName, fs.configName))
                vshadowVol = pyvshadow.volume()
                vshadowVol.open(fs.loopDevice)
                fritutils.termout.printNormal(
                    "    Number of stores on volume: {}".format(
                        vshadowVol.number_of_stores))
                for st in vshadowVol.get_stores():
                    fritutils.termout.printNormal(
                        "    Store identifier: {}".format(st.identifier))
                    fritutils.termout.printNormal(
                        "        Store creation time: {}".format(
                            st.get_creation_time()))
                    fritutils.termout.printNormal(
                        "        Store size: {}".format(
                            fritutils.humanize(st.size)))
                    fritutils.termout.printNormal(
                        "        Shadow-copy set ID: {}".format(
                            st.copy_set_identifier))
                    fritutils.termout.printNormal(
                        "        Shadow-copy ID: {}".format(
                            st.copy_identifier))
                vshadowVol.close()
            fs.umount('vshadow')
        if evi.isMounted():
            evi.umount('vshadow')
コード例 #2
0
def pyvshadow_test_multi_open_close_file_object(filename, mode):
    print(
        ("Testing multi open close of file-like object of: {0:s} " "with access: {1:s}\t").format(
            filename, get_mode_string(mode)
        )
    )

    result = True
    try:
        file_object = open(filename, "rb")
        vshadow_volume = pyvshadow.volume()

        vshadow_volume.open_file_object(file_object, mode)
        vshadow_volume.close()
        vshadow_volume.open_file_object(file_object, mode)
        vshadow_volume.close()

    except Exception as exception:
        print(str(exception))
        result = False

    if not result:
        print("(FAIL)")
    else:
        print("(PASS)")
    return result
コード例 #3
0
ファイル: vshadow_file_system.py プロジェクト: Onager/dfvfs
  def _Open(self, path_spec, mode='rb'):
    """Opens the file system object defined by path specification.

    Args:
      path_spec: a path specification (instance of path.PathSpec).
      mode: optional file access mode. The default is 'rb' read-only binary.

    Raises:
      AccessError: if the access to open the file was denied.
      IOError: if the file system object could not be opened.
      PathSpecError: if the path specification is incorrect.
      ValueError: if the path specification is invalid.
    """
    if not path_spec.HasParent():
      raise errors.PathSpecError(
          u'Unsupported path specification without parent.')

    file_object = resolver.Resolver.OpenFileObject(
        path_spec.parent, resolver_context=self._resolver_context)

    try:
      vshadow_volume = pyvshadow.volume()
      vshadow_volume.open_file_object(file_object)
    except:
      file_object.close()
      raise

    self._file_object = file_object
    self._vshadow_volume = vshadow_volume
コード例 #4
0
    def _Open(self, mode='rb'):
        """Opens the file system object defined by path specification.

    Args:
      mode (Optional[str]): file access mode. The default is 'rb' which
          represents read-only binary.

    Raises:
      AccessError: if the access to open the file was denied.
      IOError: if the file system object could not be opened.
      PathSpecError: if the path specification is incorrect.
      ValueError: if the path specification is invalid.
    """
        if not self._path_spec.HasParent():
            raise errors.PathSpecError(
                'Unsupported path specification without parent.')

        file_object = resolver.Resolver.OpenFileObject(
            self._path_spec.parent, resolver_context=self._resolver_context)

        vshadow_volume = pyvshadow.volume()
        vshadow_volume.open_file_object(file_object)

        self._file_object = file_object
        self._vshadow_volume = vshadow_volume
コード例 #5
0
def pyvshadow_test_multi_open_close_file_object( filename, mode ):
	file_object = open( filename, mode )
	vshadow_volume = pyvshadow.volume()
	vshadow_volume.open_file_object( file_object, mode )
	vshadow_volume.close()
	vshadow_volume.open_file_object( file_object, mode )
	vshadow_volume.close()
コード例 #6
0
    def test_open_close(self):
        """Tests the open and close functions."""
        if not unittest.source:
            return

        if unittest.offset:
            raise unittest.SkipTest("source defines offset")

        vshadow_volume = pyvshadow.volume()

        # Test open and close.
        vshadow_volume.open(unittest.source)
        vshadow_volume.close()

        # Test open and close a second time to validate clean up on close.
        vshadow_volume.open(unittest.source)
        vshadow_volume.close()

        if os.path.isfile(unittest.source):
            with open(unittest.source, "rb") as file_object:

                # Test open_file_object and close.
                vshadow_volume.open_file_object(file_object)
                vshadow_volume.close()

                # Test open_file_object and close a second time to validate clean up on close.
                vshadow_volume.open_file_object(file_object)
                vshadow_volume.close()

                # Test open_file_object and close and dereferencing file_object.
                vshadow_volume.open_file_object(file_object)
                del file_object
                vshadow_volume.close()
コード例 #7
0
  def test_open_close(self):
    """Tests the open and close functions."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    # Test open and close.
    vshadow_volume.open(unittest.source)
    vshadow_volume.close()

    # Test open and close a second time to validate clean up on close.
    vshadow_volume.open(unittest.source)
    vshadow_volume.close()

    file_object = open(unittest.source, "rb")

    # Test open_file_object and close.
    vshadow_volume.open_file_object(file_object)
    vshadow_volume.close()

    # Test open_file_object and close a second time to validate clean up on close.
    vshadow_volume.open_file_object(file_object)
    vshadow_volume.close()

    # Test open_file_object and close and dereferencing file_object.
    vshadow_volume.open_file_object(file_object)
    del file_object
    vshadow_volume.close()
コード例 #8
0
    def test_open_file_object(self):
        """Tests the open_file_object function."""
        if not unittest.source:
            raise unittest.SkipTest("missing source")

        if not os.path.isfile(unittest.source):
            raise unittest.SkipTest("source not a regular file")

        vshadow_volume = pyvshadow.volume()

        with DataRangeFileObject(unittest.source, unittest.offset or 0,
                                 None) as file_object:

            vshadow_volume.open_file_object(file_object)

            with self.assertRaises(IOError):
                vshadow_volume.open_file_object(file_object)

            vshadow_volume.close()

            with self.assertRaises(TypeError):
                vshadow_volume.open_file_object(None)

            with self.assertRaises(ValueError):
                vshadow_volume.open_file_object(file_object, mode="w")
コード例 #9
0
    def _Open(self, path_spec, mode='rb'):
        """Opens the file system object defined by path specification.

    Args:
      path_spec (PathSpec): path specification.
      mode (Optional[str]): file access mode.

    Raises:
      AccessError: if the access to open the file was denied.
      IOError: if the file system object could not be opened.
      PathSpecError: if the path specification is incorrect.
      ValueError: if the path specification is invalid.
    """
        if not path_spec.HasParent():
            raise errors.PathSpecError(
                'Unsupported path specification without parent.')

        file_object = resolver.Resolver.OpenFileObject(
            path_spec.parent, resolver_context=self._resolver_context)

        try:
            vshadow_volume = pyvshadow.volume()
            vshadow_volume.open_file_object(file_object)
        except:
            file_object.close()
            raise

        self._file_object = file_object
        self._vshadow_volume = vshadow_volume
コード例 #10
0
  def test_open_close(self):
    """Tests the open and close functions."""
    if not unittest.source:
      return

    vshadow_volume = pyvshadow.volume()

    # Test open and close.
    vshadow_volume.open(unittest.source)
    vshadow_volume.close()

    # Test open and close a second time to validate clean up on close.
    vshadow_volume.open(unittest.source)
    vshadow_volume.close()

    file_object = open(unittest.source, "rb")

    # Test open_file_object and close.
    vshadow_volume.open_file_object(file_object)
    vshadow_volume.close()

    # Test open_file_object and close a second time to validate clean up on close.
    vshadow_volume.open_file_object(file_object)
    vshadow_volume.close()

    # Test open_file_object and close and dereferencing file_object.
    vshadow_volume.open_file_object(file_object)
    del file_object
    vshadow_volume.close()
コード例 #11
0
    def test_get_number_of_blocks(self):
        """Tests the get_number_of_blocks function and number_of_blocks property."""
        if not unittest.source:
            raise unittest.SkipTest("missing source")

        vshadow_volume = pyvshadow.volume()

        with DataRangeFileObject(unittest.source, unittest.offset or 0,
                                 None) as file_object:

            vshadow_volume.open_file_object(file_object)

            if vshadow_volume.number_of_stores == 0:
                raise unittest.SkipTest("missing stores")

            vshadow_store = vshadow_volume.get_store(
                vshadow_volume.number_of_stores - 1)
            self.assertIsNotNone(vshadow_store)

            number_of_blocks = vshadow_store.get_number_of_blocks()
            self.assertIsNotNone(number_of_blocks)

            self.assertIsNotNone(vshadow_store.number_of_blocks)

            vshadow_volume.close()
コード例 #12
0
  def test_seek_offset(self):
    """Tests the seek_offset function."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    if vshadow_volume.number_of_stores > 0:
      vshadow_store = vshadow_volume.get_store(
          vshadow_volume.number_of_stores - 1)
      self.assertIsNotNone(vshadow_store)

      volume_size = vshadow_store.get_size()

      vshadow_store.seek_offset(16, os.SEEK_SET)

      offset = vshadow_store.get_offset()
      self.assertEqual(offset, 16)

      vshadow_store.seek_offset(16, os.SEEK_CUR)

      offset = vshadow_store.get_offset()
      self.assertEqual(offset, 32)

      vshadow_store.seek_offset(-16, os.SEEK_CUR)

      offset = vshadow_store.get_offset()
      self.assertEqual(offset, 16)

      vshadow_store.seek_offset(-16, os.SEEK_END)

      offset = vshadow_store.get_offset()
      self.assertEqual(offset, volume_size - 16)

      vshadow_store.seek_offset(16, os.SEEK_END)

      offset = vshadow_store.get_offset()
      self.assertEqual(offset, volume_size + 16)

      # TODO: change IOError into ValueError
      with self.assertRaises(IOError):
        vshadow_store.seek_offset(-1, os.SEEK_SET)

      # TODO: change IOError into ValueError
      with self.assertRaises(IOError):
        vshadow_store.seek_offset(-32 - volume_size, os.SEEK_CUR)

      # TODO: change IOError into ValueError
      with self.assertRaises(IOError):
        vshadow_store.seek_offset(-32 - volume_size, os.SEEK_END)

      # TODO: change IOError into ValueError
      with self.assertRaises(IOError):
        vshadow_store.seek_offset(0, -1)

    vshadow_volume.close()
コード例 #13
0
    def test_seek_offset(self):
        """Tests the seek_offset function."""
        if not unittest.source or unittest.offset != 0:
            raise unittest.SkipTest("missing source")

        vshadow_volume = pyvshadow.volume()

        vshadow_volume.open(unittest.source)

        if vshadow_volume.number_of_stores > 0:
            vshadow_store = vshadow_volume.get_store(
                vshadow_volume.number_of_stores - 1)
            self.assertIsNotNone(vshadow_store)

            volume_size = vshadow_store.get_size()

            vshadow_store.seek_offset(16, os.SEEK_SET)

            offset = vshadow_store.get_offset()
            self.assertEqual(offset, 16)

            vshadow_store.seek_offset(16, os.SEEK_CUR)

            offset = vshadow_store.get_offset()
            self.assertEqual(offset, 32)

            vshadow_store.seek_offset(-16, os.SEEK_CUR)

            offset = vshadow_store.get_offset()
            self.assertEqual(offset, 16)

            vshadow_store.seek_offset(-16, os.SEEK_END)

            offset = vshadow_store.get_offset()
            self.assertEqual(offset, volume_size - 16)

            vshadow_store.seek_offset(16, os.SEEK_END)

            offset = vshadow_store.get_offset()
            self.assertEqual(offset, volume_size + 16)

            # TODO: change IOError into ValueError
            with self.assertRaises(IOError):
                vshadow_store.seek_offset(-1, os.SEEK_SET)

            # TODO: change IOError into ValueError
            with self.assertRaises(IOError):
                vshadow_store.seek_offset(-32 - volume_size, os.SEEK_CUR)

            # TODO: change IOError into ValueError
            with self.assertRaises(IOError):
                vshadow_store.seek_offset(-32 - volume_size, os.SEEK_END)

            # TODO: change IOError into ValueError
            with self.assertRaises(IOError):
                vshadow_store.seek_offset(0, -1)

        vshadow_volume.close()
コード例 #14
0
    def test_close(self):
        """Tests the close function."""
        if not unittest.source:
            raise unittest.SkipTest("missing source")

        vshadow_volume = pyvshadow.volume()

        with self.assertRaises(IOError):
            vshadow_volume.close()
コード例 #15
0
def GetVssStoreCount(image, offset=0):
    """Return the number of VSS stores available in an image."""
    volume = pyvshadow.volume()
    fh = VShadowVolume(image, offset)
    try:
        volume.open_file_object(fh)
        return volume.number_of_stores
    except IOError as e:
        logging.warning('Error while trying to read VSS information: %s', e)

    return 0
コード例 #16
0
ファイル: vss.py プロジェクト: danmilburn/dfirwizard
def GetVssStoreCount(image, offset=0):
  """Return the number of VSS stores available in an image."""
  volume = pyvshadow.volume()
  fh = VShadowVolume(image, offset)
  try:
    volume.open_file_object(fh)
    return volume.number_of_stores
  except IOError as e:
    logging.warning('Error while trying to read VSS information: %s', e)

  return 0
コード例 #17
0
  def test_number_of_stores(self):
    """Tests the number_of_stores property."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    self.assertIsNotNone(vshadow_volume.number_of_stores)

    vshadow_volume.close()
コード例 #18
0
  def test_get_number_of_stores(self):
    """Tests the get_number_of_stores function."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    number_of_stores = vshadow_volume.get_number_of_stores()
    self.assertIsNotNone(number_of_stores)

    vshadow_volume.close()
コード例 #19
0
def pyvshadow_test_seek_file(filename):
    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(filename, "r")

    result = True
    for vshadow_store in vshadow_volume.stores:
        result = pyvshadow_test_seek(vshadow_store)
        if not result:
            break

    vshadow_volume.close()

    return result
コード例 #20
0
def explore_vss(evidence, part_offset, output):
    vss_volume = pyvshadow.volume()
    vss_handle = vss.VShadowVolume(evidence, part_offset)
    vss_count = vss.GetVssStoreCount(evidence, part_offset)
    if vss_count > 0:
        vss_volume.open_file_object(vss_handle)
        vss_data = []
        for x in range(vss_count):
            print("Gathering data for VSC {} of {}".format(x, vss_count))
            vss_store = vss_volume.get_store(x)
            image = vss.VShadowImgInfo(vss_store)
            vss_data.append(pytskutil.openVSSFS(image, x))

        write_csv(vss_data, output)
コード例 #21
0
def pyvshadow_test_seek_file(filename):
  vshadow_volume = pyvshadow.volume()

  vshadow_volume.open(filename, "r")

  result = True
  for vshadow_store in vshadow_volume.stores:
    result = pyvshadow_test_seek(vshadow_store)
    if not result:
      break

  vshadow_volume.close()

  return result
コード例 #22
0
def pyvshadow_test_read_file_object(filename):
    file_object = open(filename, "rb")
    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open_file_object(file_object, "r")

    result = True
    for vshadow_store in vshadow_volume.stores:
        result = pyvshadow_test_read(vshadow_store)
        if not result:
            break

    vshadow_volume.close()

    return result
コード例 #23
0
def pyvshadow_test_read_file_object(filename):
  file_object = open(filename, "rb")
  vshadow_volume = pyvshadow.volume()

  vshadow_volume.open_file_object(file_object, "r")

  result = True
  for vshadow_store in vshadow_volume.stores:
    result = pyvshadow_test_seek(vshadow_store)
    if not result:
      break

  vshadow_volume.close()

  return result
コード例 #24
0
    def test_stores(self):
        """Tests the stores property."""
        if not unittest.source or unittest.offset != 0:
            raise unittest.SkipTest("missing source")

        with DataRangeFileObject(unittest.source, unittest.offset or 0,
                                 None) as file_object:

            vshadow_volume = pyvshadow.volume()
            vshadow_volume.open_file_object(file_object)

            if vshadow_volume.number_of_stores == 0:
                raise unittest.SkipTest("missing stores")

            self.assertIsNotNone(vshadow_volume.stores)

            vshadow_volume.close()
コード例 #25
0
def pyvshadow_test_single_open_close_file(filename, mode):
  if not filename:
    filename_string = "None"
  else:
    filename_string = filename

  print("Testing single open close of: {0:s} with access: {1:s}\t".format(
      filename_string, get_mode_string(mode)))

  result = True
  try:
    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(filename, mode)
    vshadow_volume.close()

  except TypeError as exception:
    expected_message = (
        "{0:s}: unsupported string object type.").format(
            "pyvshadow_volume_open")

    if not filename and str(exception) == expected_message:
      pass

    else:
      print(str(exception))
      result = False

  except ValueError as exception:
    expected_message = (
        "{0:s}: unsupported mode: w.").format(
            "pyvshadow_volume_open")

    if mode != "w" or str(exception) != expected_message:
      print(str(exception))
      result = False

  except Exception as exception:
    print(str(exception))
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")
  return result
コード例 #26
0
def pyvshadow_test_single_open_close_file(filename, mode):
  if not filename:
    filename_string = "None"
  else:
    filename_string = filename

  print("Testing single open close of: {0:s} with access: {1:s}\t".format(
      filename_string, get_mode_string(mode)))

  result = True
  try:
    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(filename, mode)
    vshadow_volume.close()

  except TypeError as exception:
    expected_message = (
        "{0:s}: unsupported string object type.").format(
            "pyvshadow_volume_open")

    if not filename and str(exception) == expected_message:
      pass

    else:
      print(str(exception))
      result = False

  except ValueError as exception:
    expected_message = (
        "{0:s}: unsupported mode: w.").format(
            "pyvshadow_volume_open")

    if mode != "w" or str(exception) != expected_message:
      print(str(exception))
      result = False

  except Exception as exception:
    print(str(exception))
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")
  return result
コード例 #27
0
  def test_get_store(self):
    """Tests the get_store function."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    if vshadow_volume.number_of_stores > 0:
      vshadow_store = vshadow_volume.get_store(
          vshadow_volume.number_of_stores - 1)
      self.assertIsNotNone(vshadow_store)

      with self.assertRaises(IOError):
        vshadow_volume.get_store(-1)

    vshadow_volume.close()
コード例 #28
0
  def test_open(self):
    """Tests the open function."""
    if not unittest.source:
      return

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    with self.assertRaises(IOError):
      vshadow_volume.open(unittest.source)

    vshadow_volume.close()

    with self.assertRaises(TypeError):
      vshadow_volume.open(None)

    with self.assertRaises(ValueError):
      vshadow_volume.open(unittest.source, mode="w")
コード例 #29
0
ファイル: vshadow.py プロジェクト: d-fence/frit
def vshadowList(Evidences, ags, options):
    for evi in Evidences:
        for fs in evi.fileSystems:
            fs.mount('vshadow','Used by vshadow command')
            if pyvshadow.check_volume_signature(fs.loopDevice):
                fritutils.termout.printSuccess("Volume shadow copy found on '{}/{}'".format(fs.evidenceConfigName,fs.configName))
                vshadowVol = pyvshadow.volume()
                vshadowVol.open(fs.loopDevice)
                fritutils.termout.printNormal("    Number of stores on volume: {}".format(vshadowVol.number_of_stores))
                for st in vshadowVol.get_stores():
                    fritutils.termout.printNormal("    Store identifier: {}".format(st.identifier))
                    fritutils.termout.printNormal("        Store creation time: {}".format(st.get_creation_time()))
                    fritutils.termout.printNormal("        Store size: {}".format(fritutils.humanize(st.size)))
                    fritutils.termout.printNormal("        Shadow-copy set ID: {}".format(st.copy_set_identifier))
                    fritutils.termout.printNormal("        Shadow-copy ID: {}".format(st.copy_identifier))
                vshadowVol.close()
            fs.umount('vshadow')
        if evi.isMounted():
            evi.umount('vshadow')
コード例 #30
0
  def test_open(self):
    """Tests the open function."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    with self.assertRaises(IOError):
      vshadow_volume.open(unittest.source)

    vshadow_volume.close()

    with self.assertRaises(TypeError):
      vshadow_volume.open(None)

    with self.assertRaises(ValueError):
      vshadow_volume.open(unittest.source, mode="w")
コード例 #31
0
  def test_read_buffer(self):
    """Tests the read_buffer function."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    if vshadow_volume.number_of_stores > 0:
      vshadow_store = vshadow_volume.get_store(
          vshadow_volume.number_of_stores - 1)
      self.assertIsNotNone(vshadow_store)

      volume_size = vshadow_store.get_size()

      # Test normal read.
      data = vshadow_store.read_buffer(size=4096)

      self.assertIsNotNone(data)
      self.assertEqual(len(data), min(volume_size, 4096))

      if volume_size < 4096:
        data = vshadow_store.read_buffer()

        self.assertIsNotNone(data)
        self.assertEqual(len(data), volume_size)

      # Test read beyond volume size.
      if volume_size > 16:
        vshadow_store.seek_offset(-16, os.SEEK_END)

        data = vshadow_store.read_buffer(size=4096)

        self.assertIsNotNone(data)
        self.assertEqual(len(data), 16)

      with self.assertRaises(ValueError):
        vshadow_store.read_buffer(size=-1)

    vshadow_volume.close()
コード例 #32
0
    def test_read_buffer(self):
        """Tests the read_buffer function."""
        if not unittest.source or unittest.offset != 0:
            raise unittest.SkipTest("missing source")

        vshadow_volume = pyvshadow.volume()

        vshadow_volume.open(unittest.source)

        if vshadow_volume.number_of_stores > 0:
            vshadow_store = vshadow_volume.get_store(
                vshadow_volume.number_of_stores - 1)
            self.assertIsNotNone(vshadow_store)

            volume_size = vshadow_store.get_size()

            # Test normal read.
            data = vshadow_store.read_buffer(size=4096)

            self.assertIsNotNone(data)
            self.assertEqual(len(data), min(volume_size, 4096))

            if volume_size < 4096:
                data = vshadow_store.read_buffer()

                self.assertIsNotNone(data)
                self.assertEqual(len(data), volume_size)

            # Test read beyond volume size.
            if volume_size > 16:
                vshadow_store.seek_offset(-16, os.SEEK_END)

                data = vshadow_store.read_buffer(size=4096)

                self.assertIsNotNone(data)
                self.assertEqual(len(data), 16)

            with self.assertRaises(ValueError):
                vshadow_store.read_buffer(size=-1)

        vshadow_volume.close()
コード例 #33
0
def pyvshadow_test_single_open_close_file_object(filename, mode):
  print(("Testing single open close of file-like object of: {0:s} "
         "with access: {1:s}\t").format(filename, get_mode_string(mode)))

  result = True
  try:
    file_object = open(filename, "rb")
    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open_file_object(file_object, mode)
    vshadow_volume.close()

  except Exception as exception:
    print(str(exception))
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")
  return result
コード例 #34
0
def pyvshadow_test_multi_open_close_file(filename, mode):
  print("Testing multi open close of: {0:s} with access: {1:s}\t".format(
      filename, get_mode_string(mode)))

  result = True
  try:
    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(filename, mode)
    vshadow_volume.close()
    vshadow_volume.open(filename, mode)
    vshadow_volume.close()

  except Exception as exception:
    print(str(exception))
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")
  return result
コード例 #35
0
  def test_open_file_object(self):
    """Tests the open_file_object function."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    file_object = open(unittest.source, "rb")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open_file_object(file_object)

    with self.assertRaises(IOError):
      vshadow_volume.open_file_object(file_object)

    vshadow_volume.close()

    # TODO: change IOError into TypeError
    with self.assertRaises(IOError):
      vshadow_volume.open_file_object(None)

    with self.assertRaises(ValueError):
      vshadow_volume.open_file_object(file_object, mode="w")
コード例 #36
0
    def test_get_store(self):
        """Tests the get_store function."""
        if not unittest.source or unittest.offset != 0:
            raise unittest.SkipTest("missing source")

        with DataRangeFileObject(unittest.source, unittest.offset or 0,
                                 None) as file_object:

            vshadow_volume = pyvshadow.volume()
            vshadow_volume.open_file_object(file_object)

            if vshadow_volume.number_of_stores == 0:
                raise unittest.SkipTest("missing stores")

            vshadow_store = vshadow_volume.get_store(
                vshadow_volume.number_of_stores - 1)
            self.assertIsNotNone(vshadow_store)

            with self.assertRaises(IOError):
                vshadow_volume.get_store(-1)

            vshadow_volume.close()
コード例 #37
0
  def test_open_file_object(self):
    """Tests the open_file_object function."""
    if not unittest.source:
      return

    file_object = open(unittest.source, "rb")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open_file_object(file_object)

    # with self.assertRaises(IOError):
    with self.assertRaises(MemoryError):
      vshadow_volume.open_file_object(file_object)

    vshadow_volume.close()

    # TODO: change IOError into TypeError
    with self.assertRaises(IOError):
      vshadow_volume.open_file_object(None)

    with self.assertRaises(ValueError):
      vshadow_volume.open_file_object(file_object, mode="w")
コード例 #38
0
  def test_read_buffer_file_object(self):
    """Tests the read_buffer function on a file-like object."""
    if not unittest.source or unittest.offset != 0:
      raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    vshadow_volume.open(unittest.source)

    if vshadow_volume.number_of_stores > 0:
      vshadow_store = vshadow_volume.get_store(
          vshadow_volume.number_of_stores - 1)
      self.assertIsNotNone(vshadow_store)

      volume_size = vshadow_store.get_size()

      # Test normal read.
      data = vshadow_store.read_buffer(size=4096)

      self.assertIsNotNone(data)
      self.assertEqual(len(data), min(volume_size, 4096))

    vshadow_volume.close()
コード例 #39
0
    def test_read_buffer_file_object(self):
        """Tests the read_buffer function on a file-like object."""
        if not unittest.source or unittest.offset != 0:
            raise unittest.SkipTest("missing source")

        vshadow_volume = pyvshadow.volume()

        vshadow_volume.open(unittest.source)

        if vshadow_volume.number_of_stores > 0:
            vshadow_store = vshadow_volume.get_store(
                vshadow_volume.number_of_stores - 1)
            self.assertIsNotNone(vshadow_store)

            volume_size = vshadow_store.get_size()

            # Test normal read.
            data = vshadow_store.read_buffer(size=4096)

            self.assertIsNotNone(data)
            self.assertEqual(len(data), min(volume_size, 4096))

        vshadow_volume.close()
コード例 #40
0
def pyvshadow_test_single_open_close_file_object_with_dereference( filename, mode ):
	file_object = open( filename, mode )
	vshadow_volume = pyvshadow.volume()
	vshadow_volume.open_file_object( file_object, mode )
	del file_object
	vshadow_volume.close()
コード例 #41
0
  def test_close(self):
    """Tests the close function."""
    vshadow_volume = pyvshadow.volume()

    with self.assertRaises(IOError):
      vshadow_volume.close()
コード例 #42
0
  imagehandle = ewf_Img_Info(ewf_handle)
elif (args.imagetype == "raw"):
    print "Raw Type"
    imagehandle = pytsk3.Img_Info(url=args.imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
  print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
  try:
        filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512))
  except:
          print "Partition has no supported file system"
          continue
  print "File System Type Dectected .",filesystemObject.info.ftype,"."
  if (str(filesystemObject.info.ftype) == "TSK_FS_TYPE_NTFS_DETECT"):
    print "NTFS DETECTED"
    volume = pyvshadow.volume()
    offset=(partition.start*512)
    fh = vss.VShadowVolume(args.imagefile, offset)
    count = vss.GetVssStoreCount(args.imagefile, offset)
    if (count):
      vstore=0
      volume.open_file_object(fh)
      while (vstore < count):
        store = volume.get_store(vstore)
        img = vss.VShadowImgInfo(store)
        vssfilesystemObject = pytsk3.FS_Info(img)
        vssdirectoryObject = vssfilesystemObject.open_dir(path=dirPath)
        print "Directory:","vss",str(vstore),dirPath
        directoryRecurse(vssdirectoryObject,['vss',str(vstore)])
        vstore = vstore + 1
      #Capture the live volume
コード例 #43
0
  def test_signal_abort(self):
    """Tests the signal_abort function."""
    vshadow_volume = pyvshadow.volume()

    vshadow_volume.signal_abort()
コード例 #44
0
def pyvshadow_test_multi_open_close_file( filename, mode ):
	vshadow_volume = pyvshadow.volume()
	vshadow_volume.open( filename, mode )
	vshadow_volume.close()
	vshadow_volume.open( filename, mode )
	vshadow_volume.close()