def extract_artifact(self, artifact_name): # pylint: disable=invalid-name
"""
Extract a particular artifact from all possible locations within this dfvfs-image
"""
real_partitions: List[PartitionInfo] = []
if self.zip_mode:
# zip extract have exactly one partition per dfvfs instance (zip file)
real_partitions = [
PartitionInfo(helper=d,
path_spec=d.partitions()[0],
name=chr(ord('c') + i))
for i, d in enumerate(self.dfvfs_list)
]
else:
# forensic images can have more than one partition, but we always only process one image at a time
real_partitions = [
PartitionInfo(helper=self.dfvfs_list[0],
path_spec=partition,
name=chr(ord('c') + i))
for i, partition in enumerate(self.dfvfs_list[0].partitions())
if not dfvfs_helper.is_on_filesystem(
partition, dfvfs_defs.TYPE_INDICATOR_VSHADOW)
]
LOGGER.info("Found %d partitions", len(real_partitions))
for partinfo in real_partitions:
current_os = self._guess_os(partinfo.helper, partinfo.path_spec)
try:
if current_os == definitions.OPERATING_SYSTEM_WINDOWS:
system = WindowsSystem(partinfo.helper, partinfo.path_spec)
elif current_os == definitions.OPERATING_SYSTEM_UNKNOWN:
system = UnknownOS()
LOGGER.warning(
"Operating system not detected on partition %s. Only basic extraction possible.",
dfvfs_helper.reconstruct_full_path(partinfo.path_spec))
else:
LOGGER.warning(
"Operating system %s is not yet supported on %s. Using basic extraction.",
dfvfs_helper.reconstruct_full_path(partinfo.path_spec),
current_os)
system = UnknownOS()
LOGGER.info("=== Starting processing of partition")
resolver = ArtifactResolver(partinfo, self.artifact_registry,
system)
resolver.process_artifact(artifact_name, self.store)
if current_os == definitions.OPERATING_SYSTEM_WINDOWS:
system._reg_reader._cleanup_open_files("") # TODO
except RuntimeError as err:
LOGGER.exception(
"Encountered exception during processing of %s: %s",
dfvfs_helper.reconstruct_full_path(partinfo.path_spec),
err)
if 'pytest' in sys.modules:
raise # we want to see what exactly is failing when tests are running
def __init__(self, partinfo: PartitionInfo, artifacts_registry: Registry, system: OperatingSystemBase = None):
"""
Initializes the class and loads artifacts
:param dfvfs: [DFVFSHelper]: DFVFSHelper-object to access data
:param partition: [PathSpec]: A DFVFS-PathSpec object identifying the root of the
system partition
:param partition_name: Name of the current partition
:param artifacts_registry: [Registry]: Database of forensic artifacts definitions
:param system: [OperatingSystemBase]: optional reference to a OperatingSystem-instance for
further variable resolving
"""
# pylint: disable=invalid-name,too-many-instance-attributes,too-many-arguments
self.dfvfs = partinfo.helper
self.partition = partinfo.path_spec
self.partition_name = partinfo.name
if system:
self.system = system
else:
self.system = UnknownOS()
if system:
self.os = system.get_os_name()
else:
self.os = None
if not self.os:
self.artifacts = artifacts_registry.artifacts
else:
self.artifacts = {name: artifact for name, artifact in artifacts_registry.artifacts.items()
if not artifact.supported_os or self.os in artifact.supported_os}
LOGGER.debug("Picked %d matching artifact definitions", len(self.artifacts))
self.knowledge_base = KnowledgeBase(self.artifacts)
# hard code values that cannot be resolved with their provides-definition for implementation reasons
self.knowledge_cache: Dict[str, Iterable[str]] = {'environ_systemdrive': '/'}