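def analyse(self, execution, sample):
    """
    Analyse a file-system.

    Attaches ``self.image``, mounts partition ``self.partition`` on the host
    and writes a bz2-compressed CSV (header ``hash,filename``) to
    ``self.output`` formatted with ``execution``: one MD5 hex digest per file
    yielded by ``filenames()``, with the filename given relative to the
    mount point.  ``sample`` is accepted for interface compatibility but is
    not used here.

    Cleanup is guaranteed: the output handle is closed, the partition is
    unmounted and the device detached even when hashing fails part-way
    through (the original only unmounted/closed on the success path).
    """
    logger.info("Attaching '%s' for file-system analysis", self.image)
    device = volume.attach(self.image)
    try:
        partition_device = volume.partition(device, self.partition)
        volume.wait_for_partition(partition_device)
        path = volume.mount(partition_device)
        try:
            logger.info("Generating a hash of each file on the volume")
            output_filename = self.output.format(execution=execution)
            # NOTE(review): BZ2File is a binary stream; csv.writer emitting str
            # rows to it only works on Python 2 -- on Python 3 it needs a text
            # layer.  Left as-is pending confirmation of the target version.
            handle = bz2.BZ2File(output_filename, "wb")
            try:
                writer = csv.writer(handle)
                writer.writerow(["hash", "filename"])
                for filename in filenames(path):
                    # MD5 is kept so existing output stays comparable; it is
                    # not collision-resistant, so treat the digests as
                    # change-detection fingerprints, not proof of identity.
                    checksum = hashlib.md5()
                    for block in blocks(filename, 4096):
                        checksum.update(block)
                    relative = os.path.relpath(filename, path)
                    writer.writerow([checksum.hexdigest(), relative])
                logger.info("Finished file-system analysis, detaching volume")
            finally:
                handle.close()
        finally:
            # Unmount before the outer finally detaches, so the device is
            # never pulled out from under a live mount.
            volume.unmount(path)
    finally:
        volume.detach(device)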
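def transfer_acquired_image(self):
    """
    Transfer the acquired memory image from the acquisition vector to the
    host machine.

    Attaches ``self.vector_filename``, mounts partition
    ``self.vector_partition``, copies ``self.vector_image`` from that mount
    to ``self.image_acquired``, then unmounts and detaches again.

    Cleanup is guaranteed: a failed copy no longer leaves the vector
    partition mounted and the device attached on the host (the original had
    no try/finally at all).
    """
    logger.info("Attaching and mounting the acquisition vector")
    device = volume.attach(self.vector_filename)
    try:
        partition_device = volume.partition(device, self.vector_partition)
        volume.wait_for_partition(partition_device)
        path = volume.mount(partition_device)
        try:
            logger.info("Copying the memory image from the acquisition vector")
            image_filename = os.path.join(path, self.vector_image)
            # NOTE(review): the vector partition is presumably written by the
            # acquired guest.  shutil.copy follows symlinks, so a link planted
            # at this name would make the host read some other file; consider
            # rejecting links (os.path.islink) before copying -- confirm who
            # controls the vector's contents.
            shutil.copy(image_filename, self.image_acquired)
        finally:
            logger.info("Unmounting and detaching the acquisition vector")
            # Unmount before the outer finally detaches the device.
            volume.unmount(path)
    finally:
        volume.detach(device)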
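def analyse(self, execution, sample):
    """
    Analyse a block storage partition.

    Attaches ``self.image``, resolves partition ``self.partition`` and writes
    one MD5 hex digest per ``self.block_size`` block read via ``blocks()``,
    newline separated, to the bz2-compressed file ``self.output`` formatted
    with ``execution``.  ``sample`` is accepted for interface compatibility
    but is not used here.

    Cleanup is guaranteed: the output handle is closed and the device
    detached even when hashing fails part-way through (the original only
    closed the handle on the success path).
    """
    logger.info("Attaching '%s' for block-storage analysis", self.image)
    device = volume.attach(self.image)
    try:
        partition_device = volume.partition(device, self.partition)
        volume.wait_for_partition(partition_device)

        logger.info("Generating a hash of each block on the partition")
        output_filename = self.output.format(execution=execution)
        # "wb" to match the file-system analyser's handle; BZ2File output is
        # binary either way.  NOTE(review): writing str digests to the
        # compressed stream only works on Python 2 -- confirm target version.
        handle = bz2.BZ2File(output_filename, "wb")
        try:
            for block in blocks(partition_device, self.block_size):
                # MD5 is kept so existing output stays comparable; it is not
                # collision-resistant, so use the digests for change
                # detection rather than as proof of block identity.
                checksum = hashlib.md5(block)
                handle.write(checksum.hexdigest())
                handle.write("\n")
            logger.info("Finished block-storage analysis, detaching volume")
        finally:
            handle.close()
    finally:
        volume.detach(device)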