def testGetTSKPartitionIdentifiersOnPartitionedImage(self): """Tests the _GetTSKPartitionIdentifiers function on a partitioned image.""" # Test with mediator. test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['tsk_volume_system.raw']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) identifiers = test_scanner._GetPartitionIdentifiers( scan_node, test_options) self.assertEqual(len(identifiers), 2) self.assertEqual(identifiers, ['p1', 'p2']) # Test without mediator. test_scanner = volume_scanner.VolumeScanner() test_options = volume_scanner.VolumeScannerOptions() scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) with self.assertRaises(errors.ScannerError): test_scanner._GetPartitionIdentifiers(scan_node, test_options)
def testScanVolumeOnVSS(self): """Tests the _ScanVolume function on VSS.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) vss_scan_node = scan_node.sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_scanner._ScanVolume(scan_context, vss_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 2) # Test on volume system sub node. base_path_specs = [] test_scanner._ScanVolume(scan_context, vss_scan_node.sub_nodes[0], test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1)
def Enumerate(evidence): """Uses dfVFS to enumerate partitions in a disk / image. Args: evidence: Evidence object to be scanned. Raises: TurbiniaException if source evidence can't be scanned. Returns: list[dfVFS.path_spec]: path specs for identified partitions """ dfvfs_definitions.PREFERRED_GPT_BACK_END = ( dfvfs_definitions.TYPE_INDICATOR_GPT) mediator = UnattendedVolumeScannerMediator() mediator.credentials = evidence.credentials path_specs = [] try: scanner = volume_scanner.VolumeScanner(mediator=mediator) path_specs = scanner.GetBasePathSpecs(evidence.local_path) except dfvfs_errors.ScannerError as e: raise TurbiniaException( 'Could not enumerate partitions [{0!s}]: {1!s}'.format( evidence.local_path, e)) return path_specs
def testGetBasePathSpecsOnRAW(self): """Tests the GetBasePathSpecs function on a RAW image.""" test_path = self._GetTestFilePath(['ext2.raw']) self._SkipIfPathNotExists(test_path) test_os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_path) test_raw_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec) test_tsk_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TSK, location='/', parent=test_raw_path_spec) test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) expected_base_path_specs = [test_tsk_path_spec.comparable] base_path_specs = test_scanner.GetBasePathSpecs(test_path) base_path_specs = [ base_path_spec.comparable for base_path_spec in base_path_specs ] self.assertEqual(base_path_specs, expected_base_path_specs) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner.GetBasePathSpecs(None) with self.assertRaises(errors.ScannerError): test_scanner.GetBasePathSpecs('/bogus')
def Enumerate(evidence): """Uses dfVFS to enumerate partitions in a disk / image. Args: evidence: Evidence object to be scanned. Raises: TurbiniaException if source evidence can't be scanned. Returns: list[dfVFS.path_spec]: path specs for identified partitions """ options = volume_scanner.VolumeScannerOptions() options.partitions = ['all'] options.volumes = ['all'] # Not processing volume snapshots options.snapshots = ['none'] options.credentials = evidence.credentials path_specs = [] try: # Setting the volume scanner mediator to None will cause the volume scanner # to operate in unattended mode scanner = volume_scanner.VolumeScanner(mediator=None) path_specs = scanner.GetBasePathSpecs(evidence.local_path, options=options) except dfvfs_errors.ScannerError as e: raise TurbiniaException( 'Could not enumerate partitions [{0!s}]: {1!s}'.format( evidence.local_path, e)) return path_specs
def testScanVolumeSystemRootOnAPFS(self): """Tests the _ScanVolumeSystemRoot function on an APFS image.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['apfs.dmg']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) apfs_container_scan_node = scan_node.sub_nodes[4].sub_nodes[0] base_path_specs = [] test_scanner._ScanVolumeSystemRoot(scan_context, apfs_container_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeSystemRoot( scan_context, apfs_container_scan_node.sub_nodes[0], test_options, base_path_specs)
def testScanVolumeOnEncryptedAPFS(self): """Tests the _ScanVolume function on an encrypted APFS image.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['apfs_encrypted.dmg']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) apfs_container_scan_node = scan_node.sub_nodes[4].sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test on volume system sub node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node.sub_nodes[0], test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1)
def run(self, evidence, result): """Scan a raw disk for partitions. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ # TODO(dfjxs): Use evidence name instead of evidence_description (#718) evidence_description = None if hasattr(evidence, 'embedded_path'): evidence_description = ':'.join( (evidence.disk_name, evidence.embedded_path)) elif hasattr(evidence, 'disk_name'): evidence_description = evidence.disk_name else: evidence_description = evidence.source_path result.log( 'Scanning [{0:s}] for partitions'.format(evidence_description)) success = False dfvfs_definitions.PREFERRED_GPT_BACK_END = ( dfvfs_definitions.TYPE_INDICATOR_GPT) mediator = dfvfs_classes.UnattendedVolumeScannerMediator() path_specs = [] try: scanner = volume_scanner.VolumeScanner(mediator=mediator) path_specs = scanner.GetBasePathSpecs(evidence.local_path) status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format( len(path_specs), evidence_description) except dfvfs_errors.ScannerError as e: status_summary = 'Error scanning for partitions: {0!s}'.format(e) status_report = [fmt.heading4(status_summary)] try: for path_spec in path_specs: partition_evidence, partition_status = self._ProcessPartition( path_spec) status_report.extend(partition_status) result.add_evidence(partition_evidence, evidence.config) status_report = '\n'.join(status_report) success = True except TurbiniaException as e: status_summary = 'Error enumerating partitions: {0!s}'.format(e) status_report = status_summary result.log( 'Scanning of [{0:s}] is complete'.format(evidence_description)) result.report_priority = Priority.LOW result.report_data = status_report result.close(self, success=success, status=status_summary) return result
def testNormalizedVolumeIdentifiersVSS(self): """Tests the _NormalizedVolumeIdentifiers function on a VSS.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_path) test_os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_path) test_qcow_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_QCOW, parent=test_os_path_spec) test_vss_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_VSHADOW, parent=test_qcow_path_spec) volume_system = vshadow_volume_system.VShadowVolumeSystem() volume_system.Open(test_vss_path_spec) volume_identifiers = test_scanner._NormalizedVolumeIdentifiers( volume_system, ['vss1', 'vss2'], prefix='vss') self.assertEqual(volume_identifiers, ['vss1', 'vss2']) volume_identifiers = test_scanner._NormalizedVolumeIdentifiers( volume_system, [1, 2], prefix='vss') self.assertEqual(volume_identifiers, ['vss1', 'vss2']) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._NormalizedVolumeIdentifiers(volume_system, ['vss3'], prefix='vss')
def testScanVolumeScanNodeRAW(self): """Tests the _ScanVolumeScanNode function on a RAW image.""" test_scanner = volume_scanner.VolumeScanner() test_file = self._GetTestFilePath([u'ímynd.dd']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = scan_context.GetRootScanNode() base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test error conditions. scan_context = source_scanner.SourceScannerContext() with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNode(scan_context, None, []) volume_scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node, [])
def testNormalizedVolumeIdentifiersPartitionedImage(self): """Tests the _NormalizedVolumeIdentifiers function.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_path = self._GetTestFilePath(['tsk_volume_system.raw']) self._SkipIfPathNotExists(test_path) test_os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_path) test_raw_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec) test_tsk_partition_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TSK_PARTITION, parent=test_raw_path_spec) volume_system = tsk_volume_system.TSKVolumeSystem() volume_system.Open(test_tsk_partition_path_spec) volume_identifiers = test_scanner._NormalizedVolumeIdentifiers( volume_system, ['p1', 'p2'], prefix='p') self.assertEqual(volume_identifiers, ['p1', 'p2']) volume_identifiers = test_scanner._NormalizedVolumeIdentifiers( volume_system, ['1', '2'], prefix='p') self.assertEqual(volume_identifiers, ['p1', 'p2']) volume_identifiers = test_scanner._NormalizedVolumeIdentifiers( volume_system, [1, 2], prefix='p') self.assertEqual(volume_identifiers, ['p1', 'p2']) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._NormalizedVolumeIdentifiers(volume_system, ['p3'], prefix='p')
def testScanVolumeScanNode(self): """Tests the _ScanVolumeScanNode function on VSS.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(test_mediator) # Test VSS root. test_file = self._GetTestFilePath([u'vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = self._GetTestScanNode(scan_context) base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node, base_path_specs) self.assertEqual(len(base_path_specs), 0) # Test VSS volume. test_file = self._GetTestFilePath([u'vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = self._GetTestScanNode(scan_context) base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node.sub_nodes[0], base_path_specs) self.assertEqual(len(base_path_specs), 2)
def testScanVolumeScanNodeEncrypted(self): """Tests the _ScanVolumeScanNodeEncrypted function.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(test_mediator) test_file = self._GetTestFilePath([u'bdetogo.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) volume_scan_node = self._GetTestScanNode(scan_context) base_path_specs = [] test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node.sub_nodes[0], base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test error conditions. path_spec = fake_path_spec.FakePathSpec(location=u'/') scan_node = source_scanner.SourceScanNode(path_spec) with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNodeEncrypted(scan_node, None, []) volume_scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeScanNodeEncrypted(scan_node, volume_scan_node, [])
def testGetBasePathSpecsRAW(self): """Tests the GetBasePathSpecs function on a RAW image.""" test_file = self._GetTestFilePath([u'ímynd.dd']) test_scanner = volume_scanner.VolumeScanner() test_os_path_spec = os_path_spec.OSPathSpec(location=test_file) test_raw_path_spec = raw_path_spec.RawPathSpec( parent=test_os_path_spec) test_tsk_path_spec = tsk_path_spec.TSKPathSpec( location=u'/', parent=test_raw_path_spec) expected_base_path_specs = [test_tsk_path_spec.comparable] base_path_specs = test_scanner.GetBasePathSpecs(test_file) base_path_specs = [ base_path_spec.comparable for base_path_spec in base_path_specs ] self.assertEqual(base_path_specs, expected_base_path_specs) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner.GetBasePathSpecs(None) with self.assertRaises(errors.ScannerError): test_scanner.GetBasePathSpecs(u'/bogus')
def testGetBasePathSpecsOnPartitionedImage(self): """Tests the GetBasePathSpecs function on a partitioned image.""" test_path = self._GetTestFilePath(['tsk_volume_system.raw']) self._SkipIfPathNotExists(test_path) test_os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_path) test_raw_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec) test_tsk_partition_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p2', part_index=6, start_offset=0x0002c000, parent=test_raw_path_spec) test_tsk_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TSK, location='/', parent=test_tsk_partition_path_spec) test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) expected_base_path_specs = [test_tsk_path_spec.comparable] base_path_specs = test_scanner.GetBasePathSpecs(test_path) base_path_specs = [ base_path_spec.comparable for base_path_spec in base_path_specs ] self.assertEqual(base_path_specs, expected_base_path_specs)
def testGetVSSStoreIdentifiers(self): """Tests the _GetVSSStoreIdentifiers function.""" # Test with mediator. test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) identifiers = test_scanner._GetVSSStoreIdentifiers( scan_node.sub_nodes[0], test_options) self.assertEqual(len(identifiers), 2) self.assertEqual(identifiers, ['vss1', 'vss2']) # Test without mediator. test_scanner = volume_scanner.VolumeScanner() test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(scan_node.sub_nodes[0], test_options) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(None, test_options) scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(scan_node, test_options)
def testScanVolumeOnEncryptedAPFS(self): """Tests the _ScanVolume function on an encrypted APFS image.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() test_path = self._GetTestFilePath(['apfs_encrypted.dmg']) self._SkipIfPathNotExists(test_path) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = scan_context.GetRootScanNode() self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_OS) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.sub_nodes[0] self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.TYPE_INDICATOR_RAW) self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.sub_nodes[0] self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, definitions.PREFERRED_GPT_BACK_END) if scan_node.type_indicator == definitions.TYPE_INDICATOR_GPT: self.assertEqual(len(scan_node.sub_nodes), 1) scan_node = scan_node.sub_nodes[0] else: # The pytsk partition back-end yields more than 1 scan node for various # metadata and unallocated parts of the GPT. self.assertEqual(len(scan_node.sub_nodes), 6) scan_node = scan_node.sub_nodes[4] apfs_container_scan_node = scan_node.sub_nodes[0] # Test on volume system root node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node, test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1) # Test on volume system sub node. base_path_specs = [] test_scanner._ScanVolume(scan_context, apfs_container_scan_node.sub_nodes[0], test_options, base_path_specs) self.assertEqual(len(base_path_specs), 1)
def testGetTSKPartitionIdentifiers(self): """Tests the _GetTSKPartitionIdentifiers function.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._GetTSKPartitionIdentifiers(None) scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._GetTSKPartitionIdentifiers(scan_node)
def testGetTSKPartitionIdentifiers(self): """Tests the _GetTSKPartitionIdentifiers function.""" # Test with mediator. test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(test_mediator) test_file = self._GetTestFilePath([u'tsk_volume_system.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) expected_identifiers = sorted([u'p1', u'p2']) identifiers = test_scanner._GetTSKPartitionIdentifiers(scan_node) self.assertEqual(len(identifiers), 2) self.assertEqual(sorted(identifiers), expected_identifiers) # Test without mediator. test_scanner = volume_scanner.VolumeScanner() test_file = self._GetTestFilePath([u'tsk_volume_system.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) expected_identifiers = sorted([u'p1', u'p2']) identifiers = test_scanner._GetTSKPartitionIdentifiers(scan_node) self.assertEqual(len(identifiers), 2) self.assertEqual(sorted(identifiers), expected_identifiers) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._GetTSKPartitionIdentifiers(None) scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._GetTSKPartitionIdentifiers(scan_node)
def testGetVSSStoreIdentifiers(self): """Tests the _GetVSSStoreIdentifiers function.""" # Test with mediator. test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(test_mediator) test_file = self._GetTestFilePath(['vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) expected_identifiers = sorted([1, 2]) identifiers = test_scanner._GetVSSStoreIdentifiers( scan_node.sub_nodes[0]) self.assertEqual(len(identifiers), 2) self.assertEqual(sorted(identifiers), expected_identifiers) # Test without mediator. test_scanner = volume_scanner.VolumeScanner() test_file = self._GetTestFilePath(['vsstest.qcow2']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_file) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(scan_node.sub_nodes[0]) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(None) scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._GetVSSStoreIdentifiers(scan_node)
def testScanEncryptedVolume(self): """Tests the _ScanEncryptedVolume function.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) scan_context = source_scanner.SourceScannerContext() # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._ScanEncryptedVolume(scan_context, None) scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._ScanEncryptedVolume(scan_context, scan_node)
def testGetBasePathSpecsDirectory(self): """Tests the GetBasePathSpecs function on a directory.""" test_file = self._GetTestFilePath([u'testdir_os']) test_scanner = volume_scanner.VolumeScanner() test_os_path_spec = os_path_spec.OSPathSpec(location=test_file) expected_base_path_specs = [test_os_path_spec.comparable] base_path_specs = test_scanner.GetBasePathSpecs(test_file) base_path_specs = [ base_path_spec.comparable for base_path_spec in base_path_specs ] self.assertEqual(base_path_specs, expected_base_path_specs)
def testScanVolumeOnRAW(self): """Tests the _ScanVolume function on a RAW image.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_path = self._GetTestFilePath(['ímynd.dd']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = scan_context.GetRootScanNode() base_path_specs = [] test_scanner._ScanVolume(scan_context, scan_node, base_path_specs) self.assertEqual(len(base_path_specs), 1)
def testScanVolumeSystemRootOnPartitionedImage(self): """Tests the _ScanVolumeSystemRoot function on a partitioned image.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_path = self._GetTestFilePath(['tsk_volume_system.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeSystemRoot(scan_context, scan_node, [])
def testGetTSKPartitionIdentifiersOnAPFS(self): """Tests the _GetTSKPartitionIdentifiers function on an APFS image.""" # Test with mediator. test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_path = self._GetTestFilePath(['apfs.dmg']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) identifiers = test_scanner._GetTSKPartitionIdentifiers(scan_node) self.assertEqual(len(identifiers), 1) self.assertEqual(identifiers, ['p1'])
def run(self, evidence, result): """Scan a raw disk for partitions. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ result.log('Scanning [{0:s}] for partitions'.format( evidence.local_path)) success = False mediator = dfvfs_classes.UnattendedVolumeScannerMediator() try: scanner = volume_scanner.VolumeScanner(mediator=mediator) path_specs = scanner.GetBasePathSpecs(evidence.local_path) status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format( len(path_specs), evidence.local_path) except dfvfs_errors.ScannerError as e: status_summary = 'Error scanning for partitions: {0!s}'.format(e) status_report = [fmt.heading4(status_summary)] try: for path_spec in path_specs: partition_evidence, partition_status = self._ProcessPartition( evidence.local_path, path_spec) status_report.extend(partition_status) result.add_evidence(partition_evidence, evidence.config) status_report = '\n'.join(status_report) success = True except TurbiniaException as e: status_summary = 'Error enumerating partitions: {0!s}'.format(e) status_report = status_summary result.log('Scanning of [{0:s}] is complete'.format( evidence.local_path)) result.report_priority = Priority.LOW result.report_data = status_report result.close(self, success=success, status=status_summary) return result
def testScanVolumeSystemRoot(self): """Tests the _ScanVolumeSystemRoot function.""" test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_options = volume_scanner.VolumeScannerOptions() scan_context = source_scanner.SourceScannerContext() # Test error conditions. with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeSystemRoot(scan_context, None, test_options, []) scan_node = source_scanner.SourceScanNode(None) with self.assertRaises(errors.ScannerError): test_scanner._ScanVolumeSystemRoot(scan_context, scan_node, test_options, [])
def testScanEncryptedVolumeOnBDE(self): """Tests the _ScanEncryptedVolume function on a BDE image.""" resolver.Resolver.key_chain.Empty() test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) test_path = self._GetTestFilePath(['bdetogo.raw']) scan_context = source_scanner.SourceScannerContext() scan_context.OpenSourcePath(test_path) test_scanner._source_scanner.Scan(scan_context) scan_node = self._GetTestScanNode(scan_context) bde_scan_node = scan_node.sub_nodes[0] test_scanner._ScanEncryptedVolume(scan_context, bde_scan_node)
def testGetBasePathSpecsOnDirectory(self): """Tests the GetBasePathSpecs function on a directory.""" test_path = self._GetTestFilePath(['testdir_os']) test_os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_path) test_mediator = TestVolumeScannerMediator() test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator) expected_base_path_specs = [test_os_path_spec.comparable] base_path_specs = test_scanner.GetBasePathSpecs(test_path) base_path_specs = [ base_path_spec.comparable for base_path_spec in base_path_specs ] self.assertEqual(base_path_specs, expected_base_path_specs)
def __init__(self, img, output_dir=None, dedup=False, resume=False): self.img = img img_name = os.path.basename(self.img) self.dedup = dedup self.resume = resume self.last_file = None log_file_mode = "wb" if self.resume: log_file_mode = "ab" # mkdirs if output_dir: self.output_dir = os.path.abspath(output_dir + "/" + img_name) if not os.path.exists(self.output_dir): os.makedirs(self.output_dir, exist_ok=True) self.dedup_dir = self.output_dir + "_duplicates" if not os.path.exists(self.dedup_dir): os.makedirs(self.dedup_dir, exist_ok=True) else: self.output_dir = os.path.abspath(".") self.log_file = FileOutputWriter( os.path.abspath(self.output_dir + "/../%s.log.csv" % img_name)) self.err_log_file = FileOutputWriter( os.path.abspath(self.output_dir + "/../%s.err.csv" % img_name)) self.log_file.Open(log_file_mode) self.err_log_file.Open(log_file_mode) if not self.resume: self.log_file.WriteFileEntry( "entry_type|size|full_path|hash|duplicate") self.err_log_file.WriteFileEntry("full_path|error") mediator = command_line.CLIVolumeScannerMediator() vol_scanner = volume_scanner.VolumeScanner(mediator=mediator) self.stats = { "errors": 0, "total": 0, "duplicates": 0, "total_size": 0 } self.hashes = {} self.base_path_specs = vol_scanner.GetBasePathSpecs(self.img)