コード例 #1
ファイル: Raid.py プロジェクト: anarchivist/pyflag
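        def mmls_popup(query,result):
            """Popup callback that searches the RAID for a DOS partition table.

            Reads the source created from *query* in 512-byte blocks. Every
            block whose encoded form ends in the partition-table signature is
            handed to ``sk.mmls`` at that offset; the first offset Sleuthkit
            accepts ends the search. If the end of the data has been reached
            and Sleuthkit raises IOError, "No Partitions found" is written to
            *result* and the callback returns.
            """
            result.decoration = "naked"
            my_offset = 0    # offset of the block currently being tested
            last_offset = 0  # where the scan resumes after a rejected candidate
            done = False     # set once a read returns no data
            # `offset` is a name from the enclosing scope (not shown here).
            # Removing that key is best-effort, but catch Exception instead of
            # using a bare except so KeyboardInterrupt/SystemExit propagate.
            try:
                del query[offset]
            except Exception:
                pass

            io = self.create(None, query.get('case'), query)
            # This loops through the disk looking for a partition table.
            # If it finds a block with the appropriate magic numbers, it
            # tries to create a mmls object. If it fails, it moves to the
            # next block. The data being walked is evidence content, so both
            # loops must terminate whatever the image contains.
            while 1:
                io.seek(last_offset)
                while 1:
                    # Start of the next read; becomes the partition table
                    # offset if this block carries the signature.
                    my_offset = io.tell()
                    # Quoted-printable encode the block and strip '=' so the
                    # trailing bytes 0x55 0xAA show up as the text 'UAA'.
                    foobarbaz = re.sub('=','',binascii.b2a_qp(io.partial_read(512)))
                    # Resume point if Sleuthkit rejects this candidate.
                    last_offset = io.tell()
                    if len(foobarbaz) == 0:
                        # End of the RAID. An empty block can never match the
                        # signature, so leave the scan loop here; assuming
                        # reads past the end keep returning nothing, the loop
                        # would otherwise never exit on an image that has no
                        # further signature block.
                        done = True
                        break
                    # Check for magic numbers of DOS partition table.
                    # NOTE(review): the leading '0' also constrains the byte
                    # before the signature - confirm that is intended.
                    if re.search('0UAA$',foobarbaz) != None:
                        break
                io.seek(0)
                try:
                    print "trying"+str(my_offset)
                    parts = sk.mmls(io,my_offset)
                except IOError, e:
                    # A rejected candidate is only fatal once the whole source
                    # has been read; otherwise resume from last_offset.
                    if done:
                        result.heading("No Partitions found")
                        result.text("TESTFUNC %d Sleuthkit returned: %s" % (my_offset,e))
                        return
                else:
                    # Sleuthkit accepted this offset, so stop searching.
                    break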
コード例 #2
ファイル: Images.py プロジェクト: anarchivist/pyflag
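        def mmls_popup(query,result):
            """Popup callback that reads the partition table of an image.

            Creates an IO source from *query* and asks Sleuthkit
            (``sk.mmls``) for its partition table. When Sleuthkit raises
            IOError, "No Partitions found" and the error text are written to
            *result* and the callback returns.
            """
            result.decoration = "naked"

            # `offset` is a name from the enclosing scope (not shown here).
            # Removing that key is best-effort, but catch Exception instead of
            # using a bare except so KeyboardInterrupt/SystemExit propagate.
            try:
                del query[offset]
            except Exception:
                pass

            io = self.create(None, query.get('case'), query)
            try:
                parts = sk.mmls(io)
            except IOError, e:
                # Sleuthkit could not read a partition table from this source.
                result.heading("No Partitions found")
                result.text("Sleuthkit returned: %s" % e)
                return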
コード例 #3
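        def mmls_popup(query, result):
            """Popup callback that lists the partitions of the chosen source.

            An IO source is built from *query* and passed to ``sk.mmls``. If
            Sleuthkit raises IOError the popup shows "No Partitions found"
            together with the error text, and the callback returns.
            """
            result.decoration = "naked"

            # `offset` is defined in the enclosing scope (not shown here).
            # The delete is best-effort; Exception is caught rather than
            # everything so that KeyboardInterrupt/SystemExit are not
            # silently discarded.
            try:
                del query[offset]
            except Exception:
                pass

            io = self.create(None, query.get('case'), query)
            try:
                parts = sk.mmls(io)
            except IOError, e:
                # No partition table Sleuthkit can parse: report and stop.
                result.heading("No Partitions found")
                result.text("Sleuthkit returned: %s" % e)
                return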
コード例 #4
ファイル: Raid.py プロジェクト: olivierh59500/pyflag
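        def mmls_popup(query, result):
            """Popup callback: locate a DOS partition table inside the RAID.

            The source created from *query* is read 512 bytes at a time. A
            block whose encoded form ends in the partition-table signature
            is offered to ``sk.mmls`` at its offset, and the search stops at
            the first offset Sleuthkit accepts. Once the end of the data has
            been reached, an IOError from Sleuthkit makes the popup show
            "No Partitions found" and the callback returns.
            """
            result.decoration = "naked"
            my_offset = 0  # offset of the candidate block
            last_offset = 0  # resume point after a rejected candidate
            done = False  # True once a read came back empty
            # `offset` is defined in the enclosing scope (not shown here).
            # Best-effort delete; Exception instead of a bare except keeps
            # KeyboardInterrupt/SystemExit from being swallowed.
            try:
                del query[offset]
            except Exception:
                pass

            io = self.create(None, query.get('case'), query)
            # This loops through the disk looking for a partition table.
            # If it finds a block with the appropriate magic numbers, it
            # tries to create a mmls object. If it fails, it moves to the
            # next block. The bytes examined are evidence content, so the
            # search has to end no matter what the image holds.
            while 1:
                io.seek(last_offset)
                while 1:
                    # Starting position of this next read; if it works, this
                    # will be the partition table offset.
                    my_offset = io.tell()
                    # After quoted-printable encoding with '=' removed, a
                    # block ending in 0x55 0xAA ends in the text 'UAA'.
                    foobarbaz = re.sub('=', '',
                                       binascii.b2a_qp(io.partial_read(512)))
                    # This is the offset we will resume our search at if this
                    # table doesn't work.
                    last_offset = io.tell()
                    if len(foobarbaz) == 0:
                        # We've reached the end of the RAID. Break out as
                        # well as setting the flag: an empty block cannot
                        # match below, so (assuming further reads also return
                        # nothing) the scan would otherwise loop forever on
                        # an image without another signature block.
                        done = True
                        break
                    # Check for magic numbers of DOS partition table.
                    # NOTE(review): the '0' in the pattern also restricts the
                    # byte preceding the signature - confirm this is wanted.
                    if re.search('0UAA$', foobarbaz) != None:
                        break
                io.seek(0)
                try:
                    print "trying" + str(my_offset)
                    parts = sk.mmls(io, my_offset)
                except IOError, e:
                    # If we've reached the end without finding a partition
                    # table, we give up; otherwise the outer loop resumes
                    # from last_offset.
                    if done:
                        result.heading("No Partitions found")
                        result.text("TESTFUNC %d Sleuthkit returned: %s" %
                                    (my_offset, e))
                        return
                else:
                    # mmls object created without error: search is over.
                    break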
コード例 #5
ファイル: Partitions.py プロジェクト: johnmccabe/pyflag
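    def scan(self, fd, scanners, type, mime, cookie, scores=None, **args):
        """Carve each partition of an x86 boot-sector object and scan it.

        Does nothing unless *type* contains 'x86 boot sector'. The partition
        table is read with ``sk.mmls``; an IOError is printed and ends the
        scan. For every entry a cache map is created under the parent's
        query path, filled from the parent URN, probed with ``sk.skfs`` (a
        successful open is recorded as a "Filesystem" magic hint) and then
        passed to ``Scanner.scan_inode_distributed`` with the same
        *scanners* and *cookie*.
        """
        if 'x86 boot sector' in type:
            try:
                parts = sk.mmls(fd)
            except IOError, e:
                # No partition table Sleuthkit can read: report and stop.
                print e
                return

            # NOTE(review): every field of `part` comes from the partition
            # table of the object under examination, i.e. from evidence
            # content. Confirm that create_cache_map copes with arbitrary
            # text in the name and that write_from bounds the requested
            # range to the size of the source.
            for part in parts:
                ## Make a unique and sensible name for this partition
                # presumably part[2] is the description and part[0] the
                # start sector - verify against sk.mmls
                name = "%s @ 0x%X" % (part[2], part[0])

                ## Add new maps for each partition
                map = CacheManager.AFF4_MANAGER.create_cache_map(
                    fd.case, "%s/%s" % (fd.urn.parser.query, name))

                # part[0] and part[1] are scaled from sectors to bytes.
                map.write_from(fd.urn, SECTOR_SIZE * part[0],
                               SECTOR_SIZE * part[1])

                map.close()

                ## Now we recursively scan each object
                fsfd = FileSystem.DBFS(fd.case)
                new_fd = fsfd.open(inode_id=map.inode_id)
                try:
                    fs = sk.skfs(new_fd)
                    fs.close()

                    ## Lets add a hint
                    Magic.set_magic(fd.case,
                                    inode_id=map.inode_id,
                                    mime="application/filesystem",
                                    magic="Filesystem")

                except Exception:
                    # The probe is best-effort: no hint is stored when the
                    # partition cannot be opened as a filesystem. Exception
                    # rather than a bare except lets KeyboardInterrupt and
                    # SystemExit propagate.
                    # NOTE(review): this also hides a failure inside
                    # Magic.set_magic.
                    pass

                Scanner.scan_inode_distributed(fd.case, map.inode_id, scanners,
                                               cookie)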
コード例 #6
ファイル: Partitions.py プロジェクト: backupManager/pyflag
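    def scan(self, fd, scanners, type, mime, cookie, scores=None, **args):
        """Split an x86 boot-sector object into partitions and scan them.

        Acts only when *type* contains 'x86 boot sector'. ``sk.mmls`` reads
        the partition table (an IOError is printed and the method returns).
        Each entry gets its own cache map named after the parent's query
        path, is filled from the parent URN, is test-opened with
        ``sk.skfs`` so that a "Filesystem" magic hint can be stored on
        success, and is finally handed to
        ``Scanner.scan_inode_distributed`` with *scanners* and *cookie*.
        """
        if 'x86 boot sector' in type:
            try:
                parts = sk.mmls(fd)
            except IOError,e:
                # Sleuthkit found no usable partition table.
                print e
                return

            # NOTE(review): the partition entries are parsed out of the
            # evidence itself, so they are untrusted. Check that
            # create_cache_map handles unexpected characters in the name and
            # that write_from clamps the range to the source's size.
            for part in parts:
                ## Make a unique and sensible name for this partition
                # presumably part[2] is a description and part[0] the start
                # sector - verify against sk.mmls
                name = "%s @ 0x%X" % (part[2], part[0])

                ## Add new maps for each partition
                map = CacheManager.AFF4_MANAGER.create_cache_map(
                    fd.case,
                    "%s/%s" % (fd.urn.parser.query, name))

                # Sector values from the table are converted to bytes here.
                map.write_from(fd.urn, SECTOR_SIZE * part[0],
                               SECTOR_SIZE * part[1])

                map.close()

                ## Now we recursively scan each object
                fsfd = FileSystem.DBFS(fd.case)
                new_fd = fsfd.open(inode_id = map.inode_id)
                try:
                    fs = sk.skfs(new_fd)
                    fs.close()

                    ## Lets add a hint
                    Magic.set_magic(fd.case,
                                    inode_id = map.inode_id,
                                    mime = "application/filesystem",
                                    magic = "Filesystem")

                except Exception:
                    # Best-effort probe: a partition that does not open as a
                    # filesystem simply gets no hint. Catching Exception
                    # instead of everything keeps KeyboardInterrupt and
                    # SystemExit visible.
                    # NOTE(review): errors raised by Magic.set_magic are
                    # dropped here too.
                    pass

                Scanner.scan_inode_distributed(fd.case, map.inode_id,
                                               scanners, cookie)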