def _detect_pytsk3_volumes(self, vstype='detect'): """Generator that mounts every partition of this image and yields the mountpoint.""" # Loop over all volumes in image. for p in self._find_pytsk3_volumes(vstype): import pytsk3 volume = self._make_subvolume(index=self._format_index(p.addr), offset=p.start * self.disk.block_size, size=p.len * self.disk.block_size) # Fill volume with more information volume.info['fsdescription'] = p.desc.strip() if p.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC: volume.flag = 'alloc' volume.slot = _util.determine_slot(p.table_num, p.slot_num) self._assign_disktype_data(volume) logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(p.start, p.len, volume.info['fsdescription'])) elif p.flags == pytsk3.TSK_VS_PART_FLAG_UNALLOC: volume.flag = 'unalloc' logger.info("Found unallocated space: block offset: {0}, length: {1} ".format(p.start, p.len)) elif p.flags == pytsk3.TSK_VS_PART_FLAG_META: volume.flag = 'meta' logger.info("Found meta volume: block offset: {0}, length: {1} ".format(p.start, p.len)) yield volume
def _detect_pytsk3_volumes(self, vstype='detect'): """Generator that mounts every partition of this image and yields the mountpoint.""" # Loop over all volumes in image. for p in self._find_pytsk3_volumes(vstype): import pytsk3 volume = self._make_subvolume(index=self._format_index(p.addr), offset=p.start * self.disk.block_size, size=p.len * self.disk.block_size) # Fill volume with more information volume.info['fsdescription'] = p.desc.strip().decode('utf-8') if p.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC: volume.flag = 'alloc' volume.slot = _util.determine_slot(p.table_num, p.slot_num) self._assign_disktype_data(volume) logger.info( "Found allocated {2}: block offset: {0}, length: {1} ". format(p.start, p.len, volume.info['fsdescription'])) elif p.flags == pytsk3.TSK_VS_PART_FLAG_UNALLOC: volume.flag = 'unalloc' logger.info( "Found unallocated space: block offset: {0}, length: {1} ". format(p.start, p.len)) elif p.flags == pytsk3.TSK_VS_PART_FLAG_META: volume.flag = 'meta' logger.info( "Found meta volume: block offset: {0}, length: {1} ". format(p.start, p.len)) yield volume
def _mount_pytsk3_volumes(self): """Generator that mounts every partition of this image and yields the mountpoint.""" # Loop over all volumes in image. for p in self._find_pytsk3_volumes(): import pytsk3 volume = Volume(disk=self, **self.args) self.volumes.append(volume) # Fill volume with more information volume.offset = p.start * self.block_size volume.fsdescription = p.desc.strip() if self.index is not None: volume.index = '{0}.{1}'.format(self.index, p.addr) else: volume.index = p.addr volume.size = p.len * self.block_size if p.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC: volume.flag = 'alloc' volume.slot = _util.determine_slot(p.table_num, p.slot_num) self._assign_disktype_data(volume) logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(p.start, p.len, volume.fsdescription)) elif p.flags == pytsk3.TSK_VS_PART_FLAG_UNALLOC: volume.flag = 'unalloc' logger.info("Found unallocated space: block offset: {0}, length: {1} ".format(p.start, p.len)) elif p.flags == pytsk3.TSK_VS_PART_FLAG_META: volume.flag = 'meta' logger.info("Found meta volume: block offset: {0}, length: {1} ".format(p.start, p.len)) # unalloc / meta partitions do not have stats and can not be mounted if volume.flag != 'alloc': yield volume continue for v in volume.init(): yield v
def _detect_mmls_volumes(self, vstype='detect'): """Finds and mounts all volumes based on mmls.""" try: cmd = ['mmls'] if self.parent.offset: cmd.extend(['-o', str(int(self.parent.offset) / self.disk.block_size)]) if vstype != 'detect': cmd.extend(['-t', vstype]) cmd.append(self.parent.get_raw_path()) output = _util.check_output_(cmd, stderr=subprocess.STDOUT) self.volume_source = 'multi' except Exception as e: # some bug in sleuthkit makes detection sometimes difficult, so we hack around it: if hasattr(e, 'output') and "(GPT or DOS at 0)" in e.output.decode() and vstype != 'gpt': self.vstype = 'gpt' # noinspection PyBroadException try: logger.warning("Error in retrieving volume info: mmls couldn't decide between GPT and DOS, " "choosing GPT for you. Use --vstype=dos to force DOS.", exc_info=True) cmd = ['mmls', '-t', 'gpt', self.parent.get_raw_path()] output = _util.check_output_(cmd, stderr=subprocess.STDOUT) self.volume_source = 'multi' except Exception as e: logger.exception("Failed executing mmls command") raise SubsystemError(e) else: logger.exception("Failed executing mmls command") raise SubsystemError(e) output = output.split("Description", 1)[-1] for line in output.splitlines(): if not line: continue # noinspection PyBroadException try: values = line.split(None, 5) # sometimes there are only 5 elements available description = '' index, slot, start, end, length = values[0:5] if len(values) > 5: description = values[5] volume = self._make_subvolume(index=self._format_index(int(index[:-1])), offset=int(start) * self.disk.block_size, size=int(length) * self.disk.block_size) volume.info['fsdescription'] = description except Exception: logger.exception("Error while parsing mmls output") continue if slot.lower() == 'meta': volume.flag = 'meta' logger.info("Found meta volume: block offset: {0}, length: {1}".format(start, length)) elif slot.lower().startswith('-----'): volume.flag = 'unalloc' logger.info("Found unallocated space: block offset: {0}, length: {1}".format(start, length)) else: volume.flag = 'alloc' if ":" in slot: volume.slot = _util.determine_slot(*slot.split(':')) else: volume.slot = _util.determine_slot(-1, slot) self._assign_disktype_data(volume) logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(start, length, volume.info['fsdescription'])) yield volume
def _mount_mmls_volumes(self): """Finds and mounts all volumes based on mmls.""" try: cmd = ['mmls'] if self.vstype != 'detect': cmd.extend(['-t', self.vstype]) cmd.append(self.get_raw_path()) output = _util.check_output_(cmd, stderr=subprocess.STDOUT) self.volume_source = 'multi' except Exception as e: # some bug in sleuthkit makes detection sometimes difficult, so we hack around it: if hasattr(e, 'output') and "(GPT or DOS at 0)" in e.output.decode() and self.vstype != 'gpt': self.vstype = 'gpt' try: logger.warning("Error in retrieving volume info: mmls couldn't decide between GPT and DOS, " "choosing GPT for you. Use --vstype=dos to force DOS.", exc_info=True) cmd = ['mmls', '-t', self.vstype, self.get_raw_path()] output = _util.check_output_(cmd, stderr=subprocess.STDOUT) self.volume_source = 'multi' except Exception as e: logger.exception("Failed executing mmls command") return else: logger.exception("Failed executing mmls command") return output = output.split("Description", 1)[-1] for line in output.splitlines(): if not line: continue try: values = line.split(None, 5) # sometimes there are only 5 elements available description = '' index, slot, start, end, length = values[0:5] if len(values) > 5: description = values[5] volume = Volume(disk=self, **self.args) self.volumes.append(volume) volume.offset = int(start) * self.block_size volume.fsdescription = description if self.index is not None: volume.index = '{0}.{1}'.format(self.index, int(index[:-1])) else: volume.index = int(index[:-1]) volume.size = int(length) * self.block_size except Exception as e: logger.exception("Error while parsing mmls output") continue if slot.lower() == 'meta': volume.flag = 'meta' logger.info("Found meta volume: block offset: {0}, length: {1}".format(start, length)) elif slot.lower() == '-----': volume.flag = 'unalloc' logger.info("Found unallocated space: block offset: {0}, length: {1}".format(start, length)) else: volume.flag = 'alloc' if ":" in slot: volume.slot = _util.determine_slot(*slot.split(':')) else: volume.slot = _util.determine_slot(-1, slot) self._assign_disktype_data(volume) logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(start, length, volume.fsdescription)) # unalloc / meta partitions do not have stats and can not be mounted if volume.flag != 'alloc': yield volume continue for v in volume.init(): yield v
def _detect_mmls_volumes(self, vstype='detect'): """Finds and mounts all volumes based on mmls.""" try: cmd = ['mmls'] if self.parent.offset: cmd.extend( ['-o', str(self.parent.offset // self.disk.block_size)]) if vstype != 'detect': cmd.extend(['-t', vstype]) cmd.append(self.parent.get_raw_path()) output = _util.check_output_(cmd, stderr=subprocess.STDOUT) self.volume_source = 'multi' except Exception as e: # some bug in sleuthkit makes detection sometimes difficult, so we hack around it: if hasattr(e, 'output') and "(GPT or DOS at 0)" in e.output.decode( ) and vstype != 'gpt': self.vstype = 'gpt' # noinspection PyBroadException try: logger.warning( "Error in retrieving volume info: mmls couldn't decide between GPT and DOS, " "choosing GPT for you. Use --vstype=dos to force DOS.", exc_info=True) cmd = ['mmls', '-t', 'gpt', self.parent.get_raw_path()] output = _util.check_output_(cmd, stderr=subprocess.STDOUT) self.volume_source = 'multi' except Exception as e: logger.exception("Failed executing mmls command") raise SubsystemError(e) else: logger.exception("Failed executing mmls command") raise SubsystemError(e) output = output.split("Description", 1)[-1] for line in output.splitlines(): if not line: continue # noinspection PyBroadException try: values = line.split(None, 5) # sometimes there are only 5 elements available description = '' index, slot, start, end, length = values[0:5] if len(values) > 5: description = values[5] volume = self._make_subvolume( index=self._format_index(int(index[:-1])), offset=int(start) * self.disk.block_size, size=int(length) * self.disk.block_size) volume.info['fsdescription'] = description except Exception: logger.exception("Error while parsing mmls output") continue if slot.lower() == 'meta': volume.flag = 'meta' logger.info( "Found meta volume: block offset: {0}, length: {1}".format( start, length)) elif slot.lower().startswith('-----'): volume.flag = 'unalloc' logger.info( "Found unallocated space: block offset: {0}, length: {1}". format(start, length)) else: volume.flag = 'alloc' if ":" in slot: volume.slot = _util.determine_slot(*slot.split(':')) else: volume.slot = _util.determine_slot(-1, slot) self._assign_disktype_data(volume) logger.info( "Found allocated {2}: block offset: {0}, length: {1} ". format(start, length, volume.info['fsdescription'])) yield volume