def extract_created_files(timeline, path, events):
    """Copy files created during the timeline out of the inspected disk.

    Only events whose ``changes`` contain ``'FILE_CREATE'`` and whose
    ``allocated`` flag is truthy are handled.  Each file is stored in *path*
    as ``<hash>_<basename>``: the hash is ``event['hash']`` when the event
    carries one, otherwise ``timeline.checksum`` of the event path.  A
    destination that already exists is left untouched.

    This is best effort: a ``RuntimeError`` raised while handling an event is
    swallowed and the event is skipped, leaving no record of the failure.
    *path* is used as given; this function does not create it.
    """
    for event in events:
        if 'FILE_CREATE' not in event['changes'] or not event['allocated']:
            continue

        try:
            guest_path = event['path']
            digest = (event['hash'] if 'hash' in event
                      else timeline.checksum(guest_path))
            # The file name originates from the inspected disk.  Path(...).name
            # keeps only the final component, so directory parts of the guest
            # path never reach the destination.
            # NOTE(review): presumably posix_path normalises separators
            # first - confirm against its definition.
            basename = Path(posix_path(guest_path)).name
            target = Path(path, '_'.join((digest, basename)))
            if not target.exists():
                timeline.download(guest_path, str(target))
        except RuntimeError:
            pass
def extract_deleted_files(timeline, path, events):
    """Try to recover deleted files by inode and store them under *path*.

    For every event whose ``changes`` contain ``'FILE_DELETE'`` the inode in
    ``event['file_reference_number']`` is downloaded from the first root
    returned by ``timeline.inspect_get_roots()`` into a temporary file.  The
    recovered content is hashed with SHA-1 and copied to
    ``<path>/<sha1>_<basename>``, overwriting any file already there.

    The event is updated in place: ``event['hash']`` and
    ``event['recovered'] = True`` on success, ``event['recovered'] = False``
    when a ``RuntimeError`` is raised during recovery.  Other exceptions
    (for instance from the copy) propagate.  *path* is used as given; this
    function does not create it.
    """
    root = timeline.inspect_get_roots()[0]

    for event in events:
        if 'FILE_DELETE' not in event['changes']:
            continue

        inode = event['file_reference_number']
        try:
            # buffering=0 so the read below sees what download_inode wrote
            # to the same file through its name.
            with NamedTemporaryFile(buffering=0) as scratch:
                timeline.download_inode(root, inode, scratch.name)

                # Only the final component of the guest path is kept.
                basename = Path(posix_path(event['path'])).name
                # The whole recovered file is read into memory for hashing.
                # SHA-1 serves as a content label here; it is not collision
                # resistant.
                digest = hashlib.sha1(scratch.read()).hexdigest()
                target = Path(path, '_'.join((digest, basename)))

                shutil.copy(scratch.name, str(target))

                event['hash'] = digest
                event['recovered'] = True
        except RuntimeError:
            event['recovered'] = False
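def extract_created_files(timeline, path, events):
    """Copy files created during the timeline out of the inspected disk.

    The output directory *path* is created (with parents) when missing.
    Only events whose ``changes`` contain ``'FILE_CREATE'`` and whose
    ``allocated`` flag is truthy are handled.  Each file is stored as
    ``<path>/<hash>_<basename>``: the hash is ``event['hash']`` when the
    event carries one, otherwise ``timeline.checksum`` of the event path.
    A destination that already exists is left untouched.

    Extraction is best effort: a ``RuntimeError`` raised while handling an
    event skips that event.  The failure is logged as a warning so a file
    missing from the output can be told apart from a file that was never
    there.

    Raises:
        FileExistsError: if *path* exists and is not a directory.
    """
    import logging  # function scope: the module's import block is not visible here

    path = Path(path)
    # exist_ok=True removes the check-then-create race of
    # "if not exists(): mkdir()" and fails loudly when *path* is a file.
    path.mkdir(parents=True, exist_ok=True)

    for event in events:
        if 'FILE_CREATE' not in event['changes'] or not event['allocated']:
            continue

        source = event['path']
        try:
            if 'hash' in event:
                sha_hash = event['hash']
            else:
                sha_hash = timeline.checksum(source)

            # The file name originates from the inspected disk.  Path(...).name
            # keeps only the final component, so directory parts of the guest
            # path never reach the destination.
            # NOTE(review): presumably posix_path normalises separators
            # first - confirm against its definition.
            name = Path(posix_path(source)).name
            destination = Path(path, '_'.join((sha_hash, name)))

            if not destination.exists():
                timeline.download(source, str(destination))
        except RuntimeError as error:
            # %r keeps control characters of the guest-supplied path escaped
            # in the log output.
            logging.getLogger(__name__).warning(
                "could not extract created file %r: %s", source, error)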
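def extract_deleted_files(timeline, path, events):
    """Try to recover deleted files by inode and store them under *path*.

    The output directory *path* is created (with parents) when missing.
    For every event whose ``changes`` contain ``'FILE_DELETE'`` the inode in
    ``event['file_reference_number']`` is downloaded from the first root
    returned by ``timeline.inspect_get_roots()`` into a temporary file.  The
    recovered content is hashed with SHA-1 and copied to
    ``<path>/<sha1>_<basename>``, overwriting any file already there.

    The event is updated in place: ``event['hash']`` and
    ``event['recovered'] = True`` on success, ``event['recovered'] = False``
    when a ``RuntimeError`` is raised during recovery.  Other exceptions
    (for instance from the copy) propagate.

    Raises:
        FileExistsError: if *path* exists and is not a directory.
    """
    chunk_size = 1 << 20  # hash recovered content in 1 MiB pieces

    path = Path(path)
    root = timeline.inspect_get_roots()[0]
    # exist_ok=True removes the check-then-create race of
    # "if not exists(): mkdir()" and fails loudly when *path* is a file.
    path.mkdir(parents=True, exist_ok=True)

    for event in events:
        if 'FILE_DELETE' not in event['changes']:
            continue

        inode = event['file_reference_number']
        try:
            # buffering=0 so the reads below see what download_inode wrote
            # to the same file through its name.
            with NamedTemporaryFile(buffering=0) as scratch:
                timeline.download_inode(root, inode, scratch.name)

                # Only the final component of the guest path is kept, so
                # directory parts never reach the destination.
                name = Path(posix_path(event['path'])).name

                # Hash in chunks: the recovered file size is dictated by the
                # inspected disk and should not be loaded into memory whole.
                # SHA-1 is kept because the digest is published in
                # event['hash'] and in the file name; it serves as a content
                # label and is not collision resistant.
                digest = hashlib.sha1()
                for chunk in iter(lambda: scratch.read(chunk_size), b''):
                    digest.update(chunk)
                sha_hash = digest.hexdigest()

                destination = Path(path, '_'.join((sha_hash, name)))
                shutil.copy(scratch.name, str(destination))

                event['hash'] = sha_hash
                event['recovered'] = True
        except RuntimeError:
            event['recovered'] = False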