def GetFileEntryByPathSpec(self, path_spec):
"""Retrieves a file entry for a path specification.
Args:
path_spec (PathSpec): a path specification.
Returns:
TSKPartitionFileEntry: a file entry or None of not available.
"""
tsk_vs_part, partition_index = tsk_partition.GetTSKVsPartByPathSpec(
self._tsk_volume, path_spec)
location = getattr(path_spec, 'location', None)
# The virtual root file has no corresponding TSK volume system part object
# but should have a location.
if tsk_vs_part is None:
if location is None or location != self.LOCATION_ROOT:
return None
return tsk_partition_file_entry.TSKPartitionFileEntry(
self._resolver_context, self, path_spec, is_root=True,
is_virtual=True)
if location is None and partition_index is not None:
path_spec.location = '/p{0:d}'.format(partition_index)
return tsk_partition_file_entry.TSKPartitionFileEntry(
self._resolver_context, self, path_spec)
def GetTSKVsPart(self):
"""Retrieves the TSK volume system part object.
Returns:
A TSK volume system part object (instance of pytsk3.TSK_VS_PART_INFO)
or None.
"""
tsk_volume = self._file_system.GetTSKVolume()
tsk_vs_part, _ = tsk_partition.GetTSKVsPartByPathSpec(
tsk_volume, self.path_spec)
return tsk_vs_part
def _Open(self, path_spec=None, mode='rb'):
"""Opens the file-like object defined by path specification.
Args:
path_spec: optional path specification (instance of path.PathSpec).
The default is None.
mode: optional file access mode. The default is 'rb' read-only binary.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file-like object could not be opened.
PathSpecError: if the path specification is incorrect.
ValueError: if the path specification is invalid.
"""
if not path_spec:
raise ValueError(u'Missing path specfication.')
if not path_spec.HasParent():
raise errors.PathSpecError(
u'Unsupported path specification without parent.')
self._file_system = resolver.Resolver.OpenFileSystem(
path_spec, resolver_context=self._resolver_context)
tsk_volume = self._file_system.GetTSKVolume()
tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec(tsk_volume, path_spec)
if tsk_vs is None:
raise errors.PathSpecError(
u'Unable to retrieve TSK volume system part from path '
u'specification.')
range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs)
range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs)
if range_offset is None or range_size is None:
raise errors.PathSpecError(
u'Unable to retrieve TSK volume system part data range from path '
u'specification.')
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)
range_offset *= bytes_per_sector
range_size *= bytes_per_sector
self.SetRange(range_offset, range_size)
self._file_object = resolver.Resolver.OpenFileObject(
path_spec.parent, resolver_context=self._resolver_context)
self._file_object_set_in_init = True
# pylint: disable=protected-access
super(TSKPartitionFile, self)._Open(path_spec=path_spec, mode=mode)
def _ScanDisk(self, scan_context, scan_node, disk_info):
"""Scan Disk internal
Args:
scan_context (SourceScannerContext): the source scanner context.
scan_node (SourceScanNode): the scan node.
"""
if not scan_node:
return
if scan_node.path_spec.IsVolumeSystem(
) and not scan_node.path_spec.IsVolumeSystemRoot():
file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec)
if scan_node.type_indicator == definitions.TYPE_INDICATOR_TSK_PARTITION:
tsk_volumes = file_system.GetTSKVolume()
vol_part, _ = tsk_partition.GetTSKVsPartByPathSpec(
tsk_volumes, scan_node.path_spec)
if tsk_partition.TSKVsPartIsAllocated(vol_part):
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(
vol_part)
length = tsk_partition.TSKVsPartGetNumberOfSectors(
vol_part)
start_sector = tsk_partition.TSKVsPartGetStartSector(
vol_part)
vol_name = getattr(scan_node.path_spec, 'location',
None)[1:]
#vol_name = self.prefix + str(scan_node.path_spec.part_index)
base_path_spec = scan_node.path_spec
disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \
"length" : length * bytes_per_sector, "bytes_per_sector" : bytes_per_sector, "start_sector" : start_sector, \
"vol_name" : vol_name, "identifier" : None})
elif scan_node.type_indicator == definitions.TYPE_INDICATOR_VSHADOW:
vss_volumes = file_system.GetVShadowVolume()
store_index = vshadow.VShadowPathSpecGetStoreIndex(
scan_node.path_spec)
vss_part = list(vss_volumes.stores)[store_index]
length = vss_part.volume_size
identifier = getattr(vss_part, 'identifier', None)
vol_name = getattr(scan_node.path_spec, 'location', None)[1:]
base_path_spec = scan_node.path_spec
disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \
"length" : length, "bytes_per_sector" : None, "start_sector" : None, "vol_name" : vol_name, \
"identifier" : identifier})
for sub_scan_node in scan_node.sub_nodes:
self._ScanDisk(scan_context, sub_scan_node, disk_info)
def __init__(self,
resolver_context,
file_system,
path_spec,
is_root=False,
is_virtual=False,
tsk_vs_part=None):
"""Initializes a file entry.
Args:
resolver_context (Context): resolver context.
file_system (FileSystem): file system.
path_spec (PathSpec): path specification.
is_root (Optional[bool]): True if the file entry is the root file entry
of the corresponding file system.
is_virtual (Optional[bool]): True if the file entry is a virtual file
entry emulated by the corresponding file system.
tsk_vs_part (Optional[pytsk3.TSK_VS_PART_INFO]): TSK volume system part.
Raises:
BackEndError: when the TSK volume system part is missing in a non-virtual
file entry.
"""
tsk_volume = file_system.GetTSKVolume()
if not is_virtual and tsk_vs_part is None:
tsk_vs_part, _ = tsk_partition.GetTSKVsPartByPathSpec(
tsk_volume, path_spec)
if not is_virtual and tsk_vs_part is None:
raise errors.BackEndError(
'Missing TSK volume system part in non-virtual file entry.')
super(TSKPartitionFileEntry, self).__init__(resolver_context,
file_system,
path_spec,
is_root=is_root,
is_virtual=is_virtual)
self._name = None
self._tsk_volume = tsk_volume
self._tsk_vs_part = tsk_vs_part
if is_virtual:
self.entry_type = definitions.FILE_ENTRY_TYPE_DIRECTORY
else:
self.entry_type = definitions.FILE_ENTRY_TYPE_FILE
def FileEntryExistsByPathSpec(self, path_spec):
"""Determines if a file entry for a path specification exists.
Args:
path_spec (PathSpec): a path specification.
Returns:
bool: True if the file entry exists or false otherwise.
"""
tsk_vs_part, _ = tsk_partition.GetTSKVsPartByPathSpec(
self._tsk_volume, path_spec)
# The virtual root file has no corresponding TSK volume system part object
# but should have a location.
if tsk_vs_part is None:
location = getattr(path_spec, 'location', None)
return location is not None and location == self.LOCATION_ROOT
return True
def _Open(self, mode='rb'):
"""Opens the file-like object defined by path specification.
Args:
mode (Optional[str]): file access mode.
Raises:
AccessError: if the access to open the file was denied.
IOError: if the file-like object could not be opened.
OSError: if the file-like object could not be opened.
PathSpecError: if the path specification is incorrect.
"""
if not self._path_spec.HasParent():
raise errors.PathSpecError(
'Unsupported path specification without parent.')
self._file_system = resolver.Resolver.OpenFileSystem(
self._path_spec, resolver_context=self._resolver_context)
tsk_volume = self._file_system.GetTSKVolume()
tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec(
tsk_volume, self._path_spec)
if tsk_vs is None:
raise errors.PathSpecError(
'Unable to retrieve TSK volume system part from path '
'specification.')
range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs)
range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs)
if range_offset is None or range_size is None:
raise errors.PathSpecError(
'Unable to retrieve TSK volume system part data range from path '
'specification.')
bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)
range_offset *= bytes_per_sector
range_size *= bytes_per_sector
self._SetRange(range_offset, range_size)
self._file_object = resolver.Resolver.OpenFileObject(
self._path_spec.parent, resolver_context=self._resolver_context)
def InsertImageInformation(self):
if not self._source_path_specs:
logger.error('source is empty')
return
disk_info = []
for path_spec in self._source_path_specs:
filesystem_type = None
if not path_spec.parent:
return False
if path_spec.parent.IsVolumeSystem():
if path_spec.IsFileSystem():
fs = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
fs_info = fs.GetFsInfo()
filesystem_type = getattr(fs_info.info, 'ftype', None)
path_spec = path_spec.parent
file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION:
tsk_volumes = file_system.GetTSKVolume()
vol_part, _ = dfvfs_partition.GetTSKVsPartByPathSpec(
tsk_volumes, path_spec)
if dfvfs_partition.TSKVsPartIsAllocated(vol_part):
bytes_per_sector = dfvfs_partition.TSKVolumeGetBytesPerSector(
vol_part)
length = dfvfs_partition.TSKVsPartGetNumberOfSectors(
vol_part)
start_sector = dfvfs_partition.TSKVsPartGetStartSector(
vol_part)
par_label = getattr(vol_part, 'desc', None)
try:
temp = par_label.decode('ascii')
par_label = temp
except UnicodeDecodeError:
par_label = par_label.decode('utf-8')
volume_name = getattr(path_spec, 'location', None)[1:]
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": length * bytes_per_sector,
"bytes_per_sector": bytes_per_sector,
"start_sector": start_sector,
"vol_name": volume_name,
"identifier": None,
"par_label": par_label,
"filesystem": filesystem_type
})
elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK:
#elif path_spec.IsFileSystem():
file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
fs_info = file_system.GetFsInfo()
block_size = getattr(fs_info.info, 'block_size', 0)
block_count = getattr(fs_info.info, 'block_count', 0)
filesystem = getattr(fs_info.info, 'ftype', None)
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": block_count * block_size,
"bytes_per_sector": block_size,
"start_sector": 0,
"vol_name": 'p1',
"identifier": None,
"par_label": None,
"filesystem": filesystem
})
elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_VSHADOW:
vss_volumes = file_system.GetVShadowVolume()
store_index = dfvfs_vshadow.VShadowPathSpecGetStoreIndex(
path_spec)
vss_part = list(vss_volumes.stores)[store_index]
length = vss_part.volume_size
identifier = getattr(vss_part, 'identifier', None)
volume_name = getattr(path_spec, 'location', None)[1:]
base_path_spec = path_spec
disk_info.append({
"base_path_spec": base_path_spec,
"type_indicator": path_spec.type_indicator,
"length": length,
"bytes_per_sector": None,
"start_sector": None,
"vol_name": volume_name,
"identifier": identifier,
"par_label": None,
"filesystem": None
})
self._InsertDiskInfo(disk_info)
