Exemplo n.º 1
0
def parsePrimaryVolumeDescriptor(bytesData):

    # Set up elemement object to store extracted properties
    properties = ET.Element("primaryVolumeDescriptor")
           
    addProperty(properties, "typeCode", bc.bytesToUnsignedChar(bytesData[0:1]))
    addProperty(properties, "standardIdentifier", bc.bytesToText(bytesData[1:6]))
    addProperty(properties, "version", bc.bytesToUnsignedChar(bytesData[6:7]))
    addProperty(properties, "systemIdentifier", bc.bytesToText(bytesData[8:40]))
    addProperty(properties, "volumeIdentifier", bc.bytesToText(bytesData[40:72]))

    # Fields below are stored as both little-endian and big-endian; only
    # big-endian values read here!
    
    # Number of Logical Blocks in which the volume is recorded
    addProperty(properties, "volumeSpaceSize", bc.bytesToUInt(bytesData[84:88]))
    # The size of the set in this logical volume (number of disks)
    addProperty(properties, "volumeSetSize", bc.bytesToUShortInt(bytesData[122:124]))
    # The number of this disk in the Volume Set
    addProperty(properties, "volumeSequenceNumber", bc.bytesToUShortInt(bytesData[126:128]))
    # The size in bytes of a logical block
    addProperty(properties, "logicalBlockSize", bc.bytesToUShortInt(bytesData[130:132]))
    # The size in bytes of the path table
    addProperty(properties, "pathTableSize", bc.bytesToUInt(bytesData[136:140]))
	# Location of Type-L Path Table (note this is stored as little-endian only, hence
	# byte swap!)
    addProperty(properties, "typeLPathTableLocation", bc.swap32(bc.bytesToUInt(bytesData[140:144])))
    # Location of Optional Type-L Path Table
    addProperty(properties, "optionalTypeLPathTableLocation", bc.swap32(bc.bytesToUInt(bytesData[144:148])))
    # Location of Type-M Path Table
    addProperty(properties, "typeMPathTableLocation", bc.bytesToUInt(bytesData[148:152]))
    # Location of Optional Type-M Path Table
    addProperty(properties, "optionalTypeMPathTableLocation", bc.bytesToUInt(bytesData[152:156]))

    # Following fields are all text strings
    addProperty(properties, "volumeSetIdentifier", bc.bytesToText(bytesData[190:318]))
    addProperty(properties, "publisherIdentifier", bc.bytesToText(bytesData[318:446]))
    addProperty(properties, "dataPreparerIdentifier", bc.bytesToText(bytesData[446:574]))
    addProperty(properties, "applicationIdentifier", bc.bytesToText(bytesData[574:702]))
    addProperty(properties, "copyrightFileIdentifier", bc.bytesToText(bytesData[702:740]))
    addProperty(properties, "abstractFileIdentifier", bc.bytesToText(bytesData[740:776]))
    addProperty(properties, "bibliographicFileIdentifier", bc.bytesToText(bytesData[776:813]))
    
    # Following fields are all date-time values    
    addProperty(properties, "volumeCreationDateAndTime", decDateTimeToDate(bytesData[813:830]))
    addProperty(properties, "volumeModificationDateAndTime", decDateTimeToDate(bytesData[830:847]))
    addProperty(properties, "volumeExpirationDateAndTime", decDateTimeToDate(bytesData[847:864]))
    addProperty(properties, "volumeEffectiveDateAndTime", decDateTimeToDate(bytesData[864:881]))
    
    addProperty(properties, "fileStructureVersion", bc.bytesToUnsignedChar(bytesData[881:882]))
    
    return(properties)
Exemplo n.º 2
0
def parseMasterDirectoryBlock(bytesData):
    # Based on description at:
    # https://developer.apple.com/legacy/library/documentation/mac/Files/Files-102.html

    # Set up elemement object to store extracted properties
    properties = ET.Element("masterDirectoryBlock")

    addProperty(properties, "signature", bc.bytesToText(bytesData[0:2]))
    addProperty(properties, "blockSize", bc.bytesToUShortInt(bytesData[18:20]))
    addProperty(properties, "blockCount", bc.bytesToUInt(bytesData[20:24]))
    return (properties)
Exemplo n.º 3
0
def parseAppleZeroBlock(bytesData):

    # Based on code at:
    # https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h

    # Set up elemement object to store extracted properties
    properties = ET.Element("appleZeroBlock")
            
    addProperty(properties, "signature", bc.bytesToText(bytesData[0:2]))
    addProperty(properties, "blockSize", bc.bytesToUShortInt(bytesData[2:4]))
    addProperty(properties, "blockCount", bc.bytesToUInt(bytesData[4:8]))
    addProperty(properties, "deviceType", bc.bytesToUShortInt(bytesData[8:10]))
    addProperty(properties, "deviceID", bc.bytesToUShortInt(bytesData[10:12]))
    addProperty(properties, "driverData", bc.bytesToUInt(bytesData[12:16])) 
    addProperty(properties, "driverDescriptorCount", bc.bytesToUShortInt(bytesData[80:82]))
    addProperty(properties, "driverDescriptorBlockStart", bc.bytesToUInt(bytesData[82:86]))
    addProperty(properties, "driverDescriptorBlockCount", bc.bytesToUShortInt(bytesData[86:88]))
    addProperty(properties, "driverDescriptorSystemType", bc.bytesToUShortInt(bytesData[88:90]))
    return(properties)
Exemplo n.º 4
0
def parseAppleZeroBlock(bytesData):

    # Based on code at:
    # https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h

    # Set up elemement object to store extracted properties
    properties = ET.Element("appleZeroBlock")

    addProperty(properties, "signature", bc.bytesToText(bytesData[0:2]))
    addProperty(properties, "blockSize", bc.bytesToUShortInt(bytesData[2:4]))
    addProperty(properties, "blockCount", bc.bytesToUInt(bytesData[4:8]))
    addProperty(properties, "deviceType", bc.bytesToUShortInt(bytesData[8:10]))
    addProperty(properties, "deviceID", bc.bytesToUShortInt(bytesData[10:12]))
    addProperty(properties, "driverData", bc.bytesToUInt(bytesData[12:16]))
    addProperty(properties, "driverDescriptorCount",
                bc.bytesToUShortInt(bytesData[80:82]))
    addProperty(properties, "driverDescriptorBlockStart",
                bc.bytesToUInt(bytesData[82:86]))
    addProperty(properties, "driverDescriptorBlockCount",
                bc.bytesToUShortInt(bytesData[86:88]))
    addProperty(properties, "driverDescriptorSystemType",
                bc.bytesToUShortInt(bytesData[88:90]))
    return (properties)
Exemplo n.º 5
0
def parsePrimaryVolumeDescriptor(bytesData):

    # Set up elemement object to store extracted properties
    properties = ET.Element("primaryVolumeDescriptor")

    addProperty(properties, "typeCode", bc.bytesToUnsignedChar(bytesData[0:1]))
    addProperty(properties, "standardIdentifier",
                bc.bytesToText(bytesData[1:6]))
    addProperty(properties, "version", bc.bytesToUnsignedChar(bytesData[6:7]))
    addProperty(properties, "systemIdentifier",
                bc.bytesToText(bytesData[8:40]))
    addProperty(properties, "volumeIdentifier",
                bc.bytesToText(bytesData[40:72]))

    # Fields below are stored as both little-endian and big-endian; only
    # big-endian values read here!

    # Number of Logical Blocks in which the volume is recorded
    addProperty(properties, "volumeSpaceSize",
                bc.bytesToUInt(bytesData[84:88]))
    # The size of the set in this logical volume (number of disks)
    addProperty(properties, "volumeSetSize",
                bc.bytesToUShortInt(bytesData[122:124]))
    # The number of this disk in the Volume Set
    addProperty(properties, "volumeSequenceNumber",
                bc.bytesToUShortInt(bytesData[126:128]))
    # The size in bytes of a logical block
    addProperty(properties, "logicalBlockSize",
                bc.bytesToUShortInt(bytesData[130:132]))
    # The size in bytes of the path table
    addProperty(properties, "pathTableSize",
                bc.bytesToUInt(bytesData[136:140]))
    # Location of Type-L Path Table (note this is stored as little-endian only, hence
    # byte swap!)
    addProperty(properties, "typeLPathTableLocation",
                bc.swap32(bc.bytesToUInt(bytesData[140:144])))
    # Location of Optional Type-L Path Table
    addProperty(properties, "optionalTypeLPathTableLocation",
                bc.swap32(bc.bytesToUInt(bytesData[144:148])))
    # Location of Type-M Path Table
    addProperty(properties, "typeMPathTableLocation",
                bc.bytesToUInt(bytesData[148:152]))
    # Location of Optional Type-M Path Table
    addProperty(properties, "optionalTypeMPathTableLocation",
                bc.bytesToUInt(bytesData[152:156]))

    # Following fields are all text strings
    addProperty(properties, "volumeSetIdentifier",
                bc.bytesToText(bytesData[190:318]))
    addProperty(properties, "publisherIdentifier",
                bc.bytesToText(bytesData[318:446]))
    addProperty(properties, "dataPreparerIdentifier",
                bc.bytesToText(bytesData[446:574]))
    addProperty(properties, "applicationIdentifier",
                bc.bytesToText(bytesData[574:702]))
    addProperty(properties, "copyrightFileIdentifier",
                bc.bytesToText(bytesData[702:740]))
    addProperty(properties, "abstractFileIdentifier",
                bc.bytesToText(bytesData[740:776]))
    addProperty(properties, "bibliographicFileIdentifier",
                bc.bytesToText(bytesData[776:813]))

    # Following fields are all date-time values
    addProperty(properties, "volumeCreationDateAndTime",
                decDateTimeToDate(bytesData[813:830]))
    addProperty(properties, "volumeModificationDateAndTime",
                decDateTimeToDate(bytesData[830:847]))
    addProperty(properties, "volumeExpirationDateAndTime",
                decDateTimeToDate(bytesData[847:864]))
    addProperty(properties, "volumeEffectiveDateAndTime",
                decDateTimeToDate(bytesData[864:881]))

    addProperty(properties, "fileStructureVersion",
                bc.bytesToUnsignedChar(bytesData[881:882]))

    return (properties)