Пример #1
0
    def _get_vss_store_identifiers(self, scan_node, interactive):
        """Determines the VSS store identifiers.
        Args:
            scan_node: the scan node (instance of dfvfs.ScanNode).
        Returns:
            A list of VSS store identifiers.
        Raises:
            RuntimeError: if the format of or within the source
                                        is not supported or the the scan node is invalid.
        """
        if not scan_node or not scan_node.path_spec:
            raise RuntimeError(u'Invalid scan node.')

        volume_system = vshadow_volume_system.VShadowVolumeSystem()
        volume_system.Open(scan_node.path_spec)

        volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
            volume_system)
        if not volume_identifiers:
            return []

        try:
            selected_store_identifiers = self._prompt_user_for_vss_store_identifiers(
                volume_system, volume_identifiers, interactive)
        except KeyboardInterrupt:
            raise errors.UserAbort(u'File system scan aborted.')

        return selected_store_identifiers
Пример #2
0
    def _GetVSSStoreIdentifiers(self, scan_node):
        """Determines the VSS store identifiers.

    Args:
      scan_node: the scan node (instance of dfvfs.ScanNode).

    Returns:
      A list of VSS store identifiers.

    Raises:
      ScannerError: if the format of or within the source is not supported,
                    the the scan node is invalid or no mediator is provided
                    and VSS store identifiers are found.
    """
        if not scan_node or not scan_node.path_spec:
            raise errors.ScannerError(u'Invalid scan node.')

        volume_system = vshadow_volume_system.VShadowVolumeSystem()
        volume_system.Open(scan_node.path_spec)

        volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
            volume_system)
        if not self._mediator and not volume_identifiers:
            return []

        if not self._mediator:
            raise errors.ScannerError(
                u'Unable to proceed VSS. Identifiers found but no mediator to '
                u'determine how they should be used.')

        try:
            return self._mediator.GetVSSStoreIdentifiers(
                volume_system, volume_identifiers)
        except KeyboardInterrupt:
            raise errors.UserAbort(u'File system scan aborted.')
Пример #3
0
    def _GetVSSStoreIdentifiers(self, scan_node, options):
        """Determines the VSS store identifiers.

    Args:
      scan_node (SourceScanNode): scan node.
      options (VolumeScannerOptions): volume scanner options.

    Returns:
      list[str]: VSS store identifiers.

    Raises:
      ScannerError: if the format the scan node is invalid or no mediator
          is provided and VSS store identifiers are found.
      UserAbort: if the user requested to abort.
    """
        if not scan_node or not scan_node.path_spec:
            raise errors.ScannerError('Invalid scan node.')

        volume_system = vshadow_volume_system.VShadowVolumeSystem()
        volume_system.Open(scan_node.path_spec)

        volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
            volume_system)
        if not volume_identifiers:
            return []

        if options.snapshots:
            if options.snapshots == ['all']:
                snapshots = range(1, volume_system.number_of_volumes + 1)
            elif options.snapshots == ['none']:
                snapshots = []
            else:
                snapshots = options.snapshots

            try:
                selected_volumes = self._NormalizedVolumeIdentifiers(
                    volume_system, snapshots, prefix='vss')

                if not set(selected_volumes).difference(volume_identifiers):
                    return selected_volumes
            except errors.ScannerError as exception:
                if self._mediator:
                    self._mediator.PrintWarning('{0!s}'.format(exception))

        if not self._mediator:
            raise errors.ScannerError(
                'Unable to proceed. VSS stores found but no mediator to determine '
                'how they should be used.')

        try:
            volume_identifiers = self._mediator.GetVSSStoreIdentifiers(
                volume_system, volume_identifiers)

        except KeyboardInterrupt:
            raise errors.UserAbort('File system scan aborted.')

        return self._NormalizedVolumeIdentifiers(volume_system,
                                                 volume_identifiers,
                                                 prefix='vss')
Пример #4
0
    def _GetAPFSVolumeIdentifiers(self, scan_node, options):
        """Determines the APFS volume identifiers.

    Args:
      scan_node (SourceScanNode): scan node.
      options (VolumeScannerOptions): volume scanner options.

    Returns:
      list[str]: APFS volume identifiers.

    Raises:
      ScannerError: if the format of or within the source is not supported
          or the the scan node is invalid.
      UserAbort: if the user requested to abort.
    """
        if not scan_node or not scan_node.path_spec:
            raise errors.ScannerError('Invalid scan node.')

        volume_system = apfs_volume_system.APFSVolumeSystem()
        volume_system.Open(scan_node.path_spec)

        volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
            volume_system)
        if not volume_identifiers:
            return []

        if options.volumes:
            if options.volumes == ['all']:
                volumes = range(1, volume_system.number_of_volumes + 1)
            else:
                volumes = options.volumes

            try:
                selected_volumes = self._NormalizedVolumeIdentifiers(
                    volume_system, volumes, prefix='apfs')

                if not set(selected_volumes).difference(volume_identifiers):
                    return selected_volumes
            except errors.ScannerError as exception:
                if self._mediator:
                    self._mediator.PrintWarning('{0!s}'.format(exception))

        if len(volume_identifiers) > 1:
            if not self._mediator:
                raise errors.ScannerError(
                    'Unable to proceed. APFS volumes found but no mediator to '
                    'determine how they should be used.')

            try:
                volume_identifiers = self._mediator.GetAPFSVolumeIdentifiers(
                    volume_system, volume_identifiers)
            except KeyboardInterrupt:
                raise errors.UserAbort('File system scan aborted.')

        return self._NormalizedVolumeIdentifiers(volume_system,
                                                 volume_identifiers,
                                                 prefix='apfs')
Пример #5
0
    def _GetTSKPartitionIdentifiers(self, scan_node):
        """Determines the TSK partition identifiers.

    Args:
      scan_node (SourceScanNode): scan node.

    Returns:
      list[str]: TSK partition identifiers.

    Raises:
      ScannerError: if the format of or within the source is not supported or
          the scan node is invalid or if the volume for a specific identifier
          cannot be retrieved.
      UserAbort: if the user requested to abort.
    """
        if not scan_node or not scan_node.path_spec:
            raise errors.ScannerError('Invalid scan node.')

        volume_system = tsk_volume_system.TSKVolumeSystem()
        volume_system.Open(scan_node.path_spec)

        volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
            volume_system)
        if not volume_identifiers:
            return []

        if len(volume_identifiers) == 1:
            return volume_identifiers

        if not self._mediator:
            raise errors.ScannerError(
                'Unable to proceed. Partitions found but no mediator to determine '
                'how they should be used.')

        try:
            volume_identifiers = self._mediator.GetPartitionIdentifiers(
                volume_system, volume_identifiers)

        except KeyboardInterrupt:
            raise errors.UserAbort('File system scan aborted.')

        return self._NormalizedVolumeIdentifiers(volume_system,
                                                 volume_identifiers,
                                                 prefix='p')
Пример #6
0
    def _GetVSSStoreIdentifiers(self, scan_node):
        """Determines the VSS store identifiers.

    Args:
      scan_node (SourceScanNode): scan node.

    Returns:
      list[str]: VSS store identifiers.

    Raises:
      ScannerError: if the format the scan node is invalid or no mediator
          is provided and VSS store identifiers are found.
      UserAbort: if the user requested to abort.
    """
        if not scan_node or not scan_node.path_spec:
            raise errors.ScannerError('Invalid scan node.')

        volume_system = vshadow_volume_system.VShadowVolumeSystem()
        volume_system.Open(scan_node.path_spec)

        volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
            volume_system)
        if not volume_identifiers:
            return []

        if not self._mediator:
            raise errors.ScannerError(
                'Unable to proceed. VSS stores found but no mediator to determine '
                'how they should be used.')

        try:
            volume_identifiers = self._mediator.GetVSSStoreIdentifiers(
                volume_system, volume_identifiers)

        except KeyboardInterrupt:
            raise errors.UserAbort('File system scan aborted.')

        return self._NormalizedVolumeIdentifiers(volume_system,
                                                 volume_identifiers,
                                                 prefix='vss')
Пример #7
0
    def _GetAPFSVolumeIdentifiers(self, scan_node):
        """Determines the APFS volume identifiers.

    Args:
      scan_node (SourceScanNode): scan node.

    Returns:
      list[str]: APFS volume identifiers.

    Raises:
      ScannerError: if the format of or within the source is not supported
          or the the scan node is invalid.
      UserAbort: if the user requested to abort.
    """
        if not scan_node or not scan_node.path_spec:
            raise errors.ScannerError('Invalid scan node.')

        volume_system = apfs_volume_system.APFSVolumeSystem()
        volume_system.Open(scan_node.path_spec)

        volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
            volume_system)
        if not volume_identifiers:
            return []

        if len(volume_identifiers) > 1:
            if not self._mediator:
                raise errors.ScannerError(
                    'Unable to proceed. APFS volumes found but no mediator to '
                    'determine how they should be used.')

            try:
                volume_identifiers = self._mediator.GetAPFSVolumeIdentifiers(
                    volume_system, volume_identifiers)
            except KeyboardInterrupt:
                raise errors.UserAbort('File system scan aborted.')

        return self._NormalizedVolumeIdentifiers(volume_system,
                                                 volume_identifiers,
                                                 prefix='apfs')
Пример #8
0
  def _GetTSKPartitionIdentifiers(self, scan_node):
    """Determines the TSK partition identifiers.

    Args:
      scan_node (ScanNode): scan node.

    Returns:
      list[str]: partition identifiers.

    Raises:
      ScannerError: if the format of or within the source is not supported or
          the scan node is invalid or if the volume for a specific identifier
          cannot be retrieved.
    """
    if not scan_node or not scan_node.path_spec:
      raise errors.ScannerError('Invalid scan node.')

    volume_system = tsk_volume_system.TSKVolumeSystem()
    volume_system.Open(scan_node.path_spec)

    volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
        volume_system)
    if not volume_identifiers:
      raise errors.ScannerError('No partitions found.')

    if not self._mediator or len(volume_identifiers) == 1:
      return volume_identifiers

    try:
      partition_identifiers = self._mediator.GetPartitionIdentifiers(
          volume_system, volume_identifiers)

    except KeyboardInterrupt:
      raise errors.UserAbort('File system scan aborted.')

    if partition_identifiers is None:
      return []

    return partition_identifiers
Пример #9
0
  def _GetPartitionIdentifiers(self, scan_node, options):
    """Determines the partition identifiers.

    This function determines which partition identifiers need to be scanned
    based on the volume scanner options. If no options are provided and there
    is more than a single partition the mediator is used to ask the user.

    Args:
      scan_node (SourceScanNode): scan node.
      options (VolumeScannerOptions): volume scanner options.

    Returns:
      list[str]: partition identifiers.

    Raises:
      ScannerError: if the scan node is invalid or the scanner does not know
          how to proceed.
      UserAbort: if the user requested to abort.
    """
    if not scan_node or not scan_node.path_spec:
      raise errors.ScannerError('Invalid scan node.')

    if scan_node.path_spec.type_indicator == definitions.TYPE_INDICATOR_GPT:
      volume_system = gpt_volume_system.GPTVolumeSystem()
      volume_system.Open(scan_node.path_spec)
      prefix = 'gpt'
    else:
      volume_system = tsk_volume_system.TSKVolumeSystem()
      volume_system.Open(scan_node.path_spec)
      prefix = 'p'

    volume_identifiers = self._source_scanner.GetVolumeIdentifiers(
        volume_system)
    if not volume_identifiers:
      return []

    if options.partitions:
      if options.partitions == ['all']:
        partitions = range(1, volume_system.number_of_volumes + 1)
      else:
        partitions = options.partitions

      try:
        selected_volumes = self._NormalizedVolumeIdentifiers(
            volume_system, partitions, prefix=prefix)

        if not set(selected_volumes).difference(volume_identifiers):
          return selected_volumes
      except errors.ScannerError as exception:
        if self._mediator:
          self._mediator.PrintWarning('{0!s}'.format(exception))

    if len(volume_identifiers) > 1:
      if not self._mediator:
        raise errors.ScannerError(
            'Unable to proceed. More than one partitions found but no mediator '
            'to determine how they should be used.')

      try:
        volume_identifiers = self._mediator.GetPartitionIdentifiers(
            volume_system, volume_identifiers)

      except KeyboardInterrupt:
        raise errors.UserAbort('File system scan aborted.')

    return self._NormalizedVolumeIdentifiers(
        volume_system, volume_identifiers, prefix=prefix)