def _preprocess(self, _, required_states):
# Late loading the partition processor to avoid loading dfVFS unnecessarily.
from turbinia.processors import partitions
# We need to enumerate partitions in preprocessing so the path_specs match
# the parent evidence location for each task.
try:
# We should only get one path_spec here since we're specifying the location.
path_specs = partitions.Enumerate(self.parent_evidence,
self.partition_location)
except TurbiniaException as e:
log.error(e)
if len(path_specs) > 1:
path_specs_dicts = [
path_spec.CopyToDict() for path_spec in path_specs
]
raise TurbiniaException(
'Found more than one path_spec for {0:s} {1:s}: {2!s}'.format(
self.parent_evidence.name, self.partition_location,
path_specs_dicts))
elif len(path_specs) == 1:
self.path_spec = path_specs[0]
log.debug('Found path_spec {0!s} for parent evidence {1:s}'.format(
self.path_spec.CopyToDict(), self.parent_evidence.name))
else:
raise TurbiniaException(
'Could not find path_spec for location {0:s}'.format(
self.partition_location))
# In attaching a partition, we create a new loopback device using the
# partition offset and size.
if EvidenceState.ATTACHED in required_states or self.has_child_evidence:
# Check for encryption
encryption_type = partitions.GetPartitionEncryptionType(
self.path_spec)
if encryption_type == 'BDE':
self.device_path = mount_local.PreprocessBitLocker(
self.parent_evidence.device_path,
partition_offset=self.partition_offset,
credentials=self.parent_evidence.credentials)
if not self.device_path:
log.error('Could not decrypt partition.')
else:
self.device_path = mount_local.PreprocessLosetup(
self.parent_evidence.device_path,
partition_offset=self.partition_offset,
partition_size=self.partition_size,
lv_uuid=self.lv_uuid)
if self.device_path:
self.state[EvidenceState.ATTACHED] = True
self.local_path = self.device_path
if EvidenceState.MOUNTED in required_states or self.has_child_evidence:
self.mount_path = mount_local.PreprocessMountPartition(
self.device_path, self.path_spec.type_indicator)
if self.mount_path:
self.local_path = self.mount_path
self.state[EvidenceState.MOUNTED] = True
def testEnumerateOnBDE(self):
"""Test Enumerate on BDE."""
test_path = self._getTestDataPath('bdetogo.raw')
test_evidence = evidence.RawDisk(source_path=test_path)
# Test without credentials
with self.assertRaises(TurbiniaException):
partitions.Enumerate(test_evidence)
# Test with bad credentials
test_evidence.credentials = [('password', 'bde!TEST')]
with self.assertRaises(TurbiniaException):
partitions.Enumerate(test_evidence)
# Test with good credentials
test_evidence.credentials = [('password', 'bde-TEST')]
path_specs = partitions.Enumerate(test_evidence)
self.assertEqual(len(path_specs), 2)
def testEnumerateOnEncryptedAPFS(self):
"""Test Enumerate on encrypted APFS."""
test_path = self._getTestDataPath('apfs_encrypted.dmg')
test_evidence = evidence.RawDisk(source_path=test_path)
# Test without credentials
with self.assertRaises(TurbiniaException):
partitions.Enumerate(test_evidence)
# Test with bad credentials
test_evidence.credentials = [('password', 'apfs!TEST')]
with self.assertRaises(TurbiniaException):
partitions.Enumerate(test_evidence)
# Test with good credentials
test_evidence.credentials = [('password', 'apfs-TEST')]
path_specs = partitions.Enumerate(test_evidence)
self.assertEqual(len(path_specs), 1)
def run(self, evidence, result):
"""Scan a raw disk for partitions.
Args:
evidence (Evidence object): The evidence we will process.
result (TurbiniaTaskResult): The object to place task results into.
Returns:
TurbiniaTaskResult object.
"""
# TODO(dfjxs): Use evidence name instead of evidence_description (#718)
evidence_description = None
if hasattr(evidence, 'embedded_path'):
evidence_description = ':'.join(
(evidence.disk_name, evidence.embedded_path))
elif hasattr(evidence, 'disk_name'):
evidence_description = evidence.disk_name
else:
evidence_description = evidence.source_path
result.log(
'Scanning [{0:s}] for partitions'.format(evidence_description))
path_specs = []
success = False
try:
path_specs = partitions.Enumerate(evidence)
status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format(
len(path_specs), evidence_description)
except dfvfs_errors.ScannerError as e:
status_summary = 'Error scanning for partitions: {0!s}'.format(e)
status_report = [fmt.heading4(status_summary)]
try:
for path_spec in path_specs:
partition_evidence, partition_status = self._ProcessPartition(
path_spec)
status_report.extend(partition_status)
result.add_evidence(partition_evidence, evidence.config)
status_report = '\n'.join(status_report)
success = True
except TurbiniaException as e:
status_summary = 'Error enumerating partitions: {0!s}'.format(e)
status_report = status_summary
result.log(
'Scanning of [{0:s}] is complete'.format(evidence_description))
result.report_priority = Priority.LOW
result.report_data = status_report
result.close(self, success=success, status=status_summary)
return result
def testEnumerateOnPartitionedImage(self):
"""Test Enumerate on partitioned image."""
test_path = self._getTestDataPath('mbr.raw')
test_evidence = evidence.RawDisk(source_path=test_path)
path_specs = partitions.Enumerate(test_evidence)
self.assertEqual(len(path_specs), 2)
# Test GetPathSpecByLocation
path_spec = partitions.GetPathSpecByLocation(path_specs, '/p1')
self.assertIsNotNone(path_spec)
def _preprocess(self, _, required_states):
# Late loading the partition processor to avoid loading dfVFS unnecessarily.
from turbinia.processors import partitions
# We need to enumerate partitions in preprocessing so the path_specs match
# the parent evidence location for each task.
try:
path_specs = partitions.Enumerate(self.parent_evidence)
except TurbiniaException as e:
log.error(e)
path_spec = partitions.GetPathSpecByLocation(path_specs,
self.partition_location)
if path_spec:
self.path_spec = path_spec
# In attaching a partition, we create a new loopback device using the
# partition offset and size.
if EvidenceState.ATTACHED in required_states or self.has_child_evidence:
# Check for encryption
encryption_type = partitions.GetPartitionEncryptionType(path_spec)
if encryption_type == 'BDE':
self.device_path = mount_local.PreprocessBitLocker(
self.parent_evidence.device_path,
partition_offset=self.partition_offset,
credentials=self.parent_evidence.credentials)
if not self.device_path:
log.error('Could not decrypt partition.')
else:
self.device_path = mount_local.PreprocessLosetup(
self.parent_evidence.device_path,
partition_offset=self.partition_offset,
partition_size=self.partition_size,
lv_uuid=self.lv_uuid)
if self.device_path:
self.state[EvidenceState.ATTACHED] = True
self.local_path = self.device_path
if EvidenceState.MOUNTED in required_states or self.has_child_evidence:
self.mount_path = mount_local.PreprocessMountPartition(
self.device_path, self.path_spec.type_indicator)
if self.mount_path:
self.local_path = self.mount_path
self.state[EvidenceState.MOUNTED] = True
def testEnumerateOnRaw(self):
"""Test Enumerate on raw image."""
test_path = self._getTestDataPath('ext2.raw')
test_evidence = evidence.RawDisk(source_path=test_path)
path_specs = partitions.Enumerate(test_evidence)
self.assertEqual(len(path_specs), 1)
def testEnumerateOnPartitionedImage(self):
"""Test Enumerate on partitioned image."""
test_path = self._getTestDataPath('mbr.raw')
test_evidence = evidence.RawDisk(source_path=test_path)
path_specs = partitions.Enumerate(test_evidence)
self.assertEqual(len(path_specs), 2)
