def testGetTSKPartitionIdentifiersOnPartitionedImage(self):
"""Tests the _GetTSKPartitionIdentifiers function on a partitioned image."""
# Test with mediator.
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_options = volume_scanner.VolumeScannerOptions()
test_path = self._GetTestFilePath(['tsk_volume_system.raw'])
self._SkipIfPathNotExists(test_path)
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
identifiers = test_scanner._GetPartitionIdentifiers(
scan_node, test_options)
self.assertEqual(len(identifiers), 2)
self.assertEqual(identifiers, ['p1', 'p2'])
# Test without mediator.
test_scanner = volume_scanner.VolumeScanner()
test_options = volume_scanner.VolumeScannerOptions()
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
with self.assertRaises(errors.ScannerError):
test_scanner._GetPartitionIdentifiers(scan_node, test_options)
def testScanVolumeOnVSS(self):
"""Tests the _ScanVolume function on VSS."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_options = volume_scanner.VolumeScannerOptions()
test_path = self._GetTestFilePath(['vsstest.qcow2'])
self._SkipIfPathNotExists(test_path)
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
vss_scan_node = scan_node.sub_nodes[0]
# Test on volume system root node.
base_path_specs = []
test_scanner._ScanVolume(scan_context, vss_scan_node, test_options,
base_path_specs)
self.assertEqual(len(base_path_specs), 2)
# Test on volume system sub node.
base_path_specs = []
test_scanner._ScanVolume(scan_context, vss_scan_node.sub_nodes[0],
test_options, base_path_specs)
self.assertEqual(len(base_path_specs), 1)
def Enumerate(evidence):
"""Uses dfVFS to enumerate partitions in a disk / image.
Args:
evidence: Evidence object to be scanned.
Raises:
TurbiniaException if source evidence can't be scanned.
Returns:
list[dfVFS.path_spec]: path specs for identified partitions
"""
dfvfs_definitions.PREFERRED_GPT_BACK_END = (
dfvfs_definitions.TYPE_INDICATOR_GPT)
mediator = UnattendedVolumeScannerMediator()
mediator.credentials = evidence.credentials
path_specs = []
try:
scanner = volume_scanner.VolumeScanner(mediator=mediator)
path_specs = scanner.GetBasePathSpecs(evidence.local_path)
except dfvfs_errors.ScannerError as e:
raise TurbiniaException(
'Could not enumerate partitions [{0!s}]: {1!s}'.format(
evidence.local_path, e))
return path_specs
def testGetBasePathSpecsOnRAW(self):
"""Tests the GetBasePathSpecs function on a RAW image."""
test_path = self._GetTestFilePath(['ext2.raw'])
self._SkipIfPathNotExists(test_path)
test_os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_path)
test_raw_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec)
test_tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TSK,
location='/',
parent=test_raw_path_spec)
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
expected_base_path_specs = [test_tsk_path_spec.comparable]
base_path_specs = test_scanner.GetBasePathSpecs(test_path)
base_path_specs = [
base_path_spec.comparable for base_path_spec in base_path_specs
]
self.assertEqual(base_path_specs, expected_base_path_specs)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner.GetBasePathSpecs(None)
with self.assertRaises(errors.ScannerError):
test_scanner.GetBasePathSpecs('/bogus')
def Enumerate(evidence):
"""Uses dfVFS to enumerate partitions in a disk / image.
Args:
evidence: Evidence object to be scanned.
Raises:
TurbiniaException if source evidence can't be scanned.
Returns:
list[dfVFS.path_spec]: path specs for identified partitions
"""
options = volume_scanner.VolumeScannerOptions()
options.partitions = ['all']
options.volumes = ['all']
# Not processing volume snapshots
options.snapshots = ['none']
options.credentials = evidence.credentials
path_specs = []
try:
# Setting the volume scanner mediator to None will cause the volume scanner
# to operate in unattended mode
scanner = volume_scanner.VolumeScanner(mediator=None)
path_specs = scanner.GetBasePathSpecs(evidence.local_path,
options=options)
except dfvfs_errors.ScannerError as e:
raise TurbiniaException(
'Could not enumerate partitions [{0!s}]: {1!s}'.format(
evidence.local_path, e))
return path_specs
def testScanVolumeSystemRootOnAPFS(self):
"""Tests the _ScanVolumeSystemRoot function on an APFS image."""
resolver.Resolver.key_chain.Empty()
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_options = volume_scanner.VolumeScannerOptions()
test_path = self._GetTestFilePath(['apfs.dmg'])
self._SkipIfPathNotExists(test_path)
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
apfs_container_scan_node = scan_node.sub_nodes[4].sub_nodes[0]
base_path_specs = []
test_scanner._ScanVolumeSystemRoot(scan_context,
apfs_container_scan_node,
test_options, base_path_specs)
self.assertEqual(len(base_path_specs), 1)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeSystemRoot(
scan_context, apfs_container_scan_node.sub_nodes[0],
test_options, base_path_specs)
def testScanVolumeOnEncryptedAPFS(self):
"""Tests the _ScanVolume function on an encrypted APFS image."""
resolver.Resolver.key_chain.Empty()
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_options = volume_scanner.VolumeScannerOptions()
test_path = self._GetTestFilePath(['apfs_encrypted.dmg'])
self._SkipIfPathNotExists(test_path)
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
apfs_container_scan_node = scan_node.sub_nodes[4].sub_nodes[0]
# Test on volume system root node.
base_path_specs = []
test_scanner._ScanVolume(scan_context, apfs_container_scan_node,
test_options, base_path_specs)
self.assertEqual(len(base_path_specs), 1)
# Test on volume system sub node.
base_path_specs = []
test_scanner._ScanVolume(scan_context,
apfs_container_scan_node.sub_nodes[0],
test_options, base_path_specs)
self.assertEqual(len(base_path_specs), 1)
def run(self, evidence, result):
"""Scan a raw disk for partitions.
Args:
evidence (Evidence object): The evidence we will process.
result (TurbiniaTaskResult): The object to place task results into.
Returns:
TurbiniaTaskResult object.
"""
# TODO(dfjxs): Use evidence name instead of evidence_description (#718)
evidence_description = None
if hasattr(evidence, 'embedded_path'):
evidence_description = ':'.join(
(evidence.disk_name, evidence.embedded_path))
elif hasattr(evidence, 'disk_name'):
evidence_description = evidence.disk_name
else:
evidence_description = evidence.source_path
result.log(
'Scanning [{0:s}] for partitions'.format(evidence_description))
success = False
dfvfs_definitions.PREFERRED_GPT_BACK_END = (
dfvfs_definitions.TYPE_INDICATOR_GPT)
mediator = dfvfs_classes.UnattendedVolumeScannerMediator()
path_specs = []
try:
scanner = volume_scanner.VolumeScanner(mediator=mediator)
path_specs = scanner.GetBasePathSpecs(evidence.local_path)
status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format(
len(path_specs), evidence_description)
except dfvfs_errors.ScannerError as e:
status_summary = 'Error scanning for partitions: {0!s}'.format(e)
status_report = [fmt.heading4(status_summary)]
try:
for path_spec in path_specs:
partition_evidence, partition_status = self._ProcessPartition(
path_spec)
status_report.extend(partition_status)
result.add_evidence(partition_evidence, evidence.config)
status_report = '\n'.join(status_report)
success = True
except TurbiniaException as e:
status_summary = 'Error enumerating partitions: {0!s}'.format(e)
status_report = status_summary
result.log(
'Scanning of [{0:s}] is complete'.format(evidence_description))
result.report_priority = Priority.LOW
result.report_data = status_report
result.close(self, success=success, status=status_summary)
return result
def testNormalizedVolumeIdentifiersVSS(self):
"""Tests the _NormalizedVolumeIdentifiers function on a VSS."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_path = self._GetTestFilePath(['vsstest.qcow2'])
self._SkipIfPathNotExists(test_path)
test_os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_path)
test_qcow_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_QCOW, parent=test_os_path_spec)
test_vss_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_VSHADOW, parent=test_qcow_path_spec)
volume_system = vshadow_volume_system.VShadowVolumeSystem()
volume_system.Open(test_vss_path_spec)
volume_identifiers = test_scanner._NormalizedVolumeIdentifiers(
volume_system, ['vss1', 'vss2'], prefix='vss')
self.assertEqual(volume_identifiers, ['vss1', 'vss2'])
volume_identifiers = test_scanner._NormalizedVolumeIdentifiers(
volume_system, [1, 2], prefix='vss')
self.assertEqual(volume_identifiers, ['vss1', 'vss2'])
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._NormalizedVolumeIdentifiers(volume_system, ['vss3'],
prefix='vss')
def testScanVolumeScanNodeRAW(self):
"""Tests the _ScanVolumeScanNode function on a RAW image."""
test_scanner = volume_scanner.VolumeScanner()
test_file = self._GetTestFilePath([u'ímynd.dd'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
volume_scan_node = scan_context.GetRootScanNode()
base_path_specs = []
test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node,
base_path_specs)
self.assertEqual(len(base_path_specs), 1)
# Test error conditions.
scan_context = source_scanner.SourceScannerContext()
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeScanNode(scan_context, None, [])
volume_scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node,
[])
def testNormalizedVolumeIdentifiersPartitionedImage(self):
"""Tests the _NormalizedVolumeIdentifiers function."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_path = self._GetTestFilePath(['tsk_volume_system.raw'])
self._SkipIfPathNotExists(test_path)
test_os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_path)
test_raw_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec)
test_tsk_partition_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TSK_PARTITION,
parent=test_raw_path_spec)
volume_system = tsk_volume_system.TSKVolumeSystem()
volume_system.Open(test_tsk_partition_path_spec)
volume_identifiers = test_scanner._NormalizedVolumeIdentifiers(
volume_system, ['p1', 'p2'], prefix='p')
self.assertEqual(volume_identifiers, ['p1', 'p2'])
volume_identifiers = test_scanner._NormalizedVolumeIdentifiers(
volume_system, ['1', '2'], prefix='p')
self.assertEqual(volume_identifiers, ['p1', 'p2'])
volume_identifiers = test_scanner._NormalizedVolumeIdentifiers(
volume_system, [1, 2], prefix='p')
self.assertEqual(volume_identifiers, ['p1', 'p2'])
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._NormalizedVolumeIdentifiers(volume_system, ['p3'],
prefix='p')
def testScanVolumeScanNode(self):
"""Tests the _ScanVolumeScanNode function on VSS."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(test_mediator)
# Test VSS root.
test_file = self._GetTestFilePath([u'vsstest.qcow2'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
volume_scan_node = self._GetTestScanNode(scan_context)
base_path_specs = []
test_scanner._ScanVolumeScanNode(scan_context, volume_scan_node,
base_path_specs)
self.assertEqual(len(base_path_specs), 0)
# Test VSS volume.
test_file = self._GetTestFilePath([u'vsstest.qcow2'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
volume_scan_node = self._GetTestScanNode(scan_context)
base_path_specs = []
test_scanner._ScanVolumeScanNode(scan_context,
volume_scan_node.sub_nodes[0],
base_path_specs)
self.assertEqual(len(base_path_specs), 2)
def testScanVolumeScanNodeEncrypted(self):
"""Tests the _ScanVolumeScanNodeEncrypted function."""
resolver.Resolver.key_chain.Empty()
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(test_mediator)
test_file = self._GetTestFilePath([u'bdetogo.raw'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
volume_scan_node = self._GetTestScanNode(scan_context)
base_path_specs = []
test_scanner._ScanVolumeScanNode(scan_context,
volume_scan_node.sub_nodes[0],
base_path_specs)
self.assertEqual(len(base_path_specs), 1)
# Test error conditions.
path_spec = fake_path_spec.FakePathSpec(location=u'/')
scan_node = source_scanner.SourceScanNode(path_spec)
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeScanNodeEncrypted(scan_node, None, [])
volume_scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeScanNodeEncrypted(scan_node,
volume_scan_node, [])
def testGetBasePathSpecsRAW(self):
"""Tests the GetBasePathSpecs function on a RAW image."""
test_file = self._GetTestFilePath([u'ímynd.dd'])
test_scanner = volume_scanner.VolumeScanner()
test_os_path_spec = os_path_spec.OSPathSpec(location=test_file)
test_raw_path_spec = raw_path_spec.RawPathSpec(
parent=test_os_path_spec)
test_tsk_path_spec = tsk_path_spec.TSKPathSpec(
location=u'/', parent=test_raw_path_spec)
expected_base_path_specs = [test_tsk_path_spec.comparable]
base_path_specs = test_scanner.GetBasePathSpecs(test_file)
base_path_specs = [
base_path_spec.comparable for base_path_spec in base_path_specs
]
self.assertEqual(base_path_specs, expected_base_path_specs)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner.GetBasePathSpecs(None)
with self.assertRaises(errors.ScannerError):
test_scanner.GetBasePathSpecs(u'/bogus')
def testGetBasePathSpecsOnPartitionedImage(self):
"""Tests the GetBasePathSpecs function on a partitioned image."""
test_path = self._GetTestFilePath(['tsk_volume_system.raw'])
self._SkipIfPathNotExists(test_path)
test_os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_path)
test_raw_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec)
test_tsk_partition_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TSK_PARTITION,
location='/p2',
part_index=6,
start_offset=0x0002c000,
parent=test_raw_path_spec)
test_tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TSK,
location='/',
parent=test_tsk_partition_path_spec)
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
expected_base_path_specs = [test_tsk_path_spec.comparable]
base_path_specs = test_scanner.GetBasePathSpecs(test_path)
base_path_specs = [
base_path_spec.comparable for base_path_spec in base_path_specs
]
self.assertEqual(base_path_specs, expected_base_path_specs)
def testGetVSSStoreIdentifiers(self):
"""Tests the _GetVSSStoreIdentifiers function."""
# Test with mediator.
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_options = volume_scanner.VolumeScannerOptions()
test_path = self._GetTestFilePath(['vsstest.qcow2'])
self._SkipIfPathNotExists(test_path)
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
identifiers = test_scanner._GetVSSStoreIdentifiers(
scan_node.sub_nodes[0], test_options)
self.assertEqual(len(identifiers), 2)
self.assertEqual(identifiers, ['vss1', 'vss2'])
# Test without mediator.
test_scanner = volume_scanner.VolumeScanner()
test_options = volume_scanner.VolumeScannerOptions()
test_path = self._GetTestFilePath(['vsstest.qcow2'])
self._SkipIfPathNotExists(test_path)
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
with self.assertRaises(errors.ScannerError):
test_scanner._GetVSSStoreIdentifiers(scan_node.sub_nodes[0],
test_options)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._GetVSSStoreIdentifiers(None, test_options)
scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._GetVSSStoreIdentifiers(scan_node, test_options)
def testScanVolumeOnEncryptedAPFS(self):
"""Tests the _ScanVolume function on an encrypted APFS image."""
resolver.Resolver.key_chain.Empty()
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_options = volume_scanner.VolumeScannerOptions()
test_path = self._GetTestFilePath(['apfs_encrypted.dmg'])
self._SkipIfPathNotExists(test_path)
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = scan_context.GetRootScanNode()
self.assertIsNotNone(scan_node)
self.assertEqual(scan_node.type_indicator,
definitions.TYPE_INDICATOR_OS)
self.assertEqual(len(scan_node.sub_nodes), 1)
scan_node = scan_node.sub_nodes[0]
self.assertIsNotNone(scan_node)
self.assertEqual(scan_node.type_indicator,
definitions.TYPE_INDICATOR_RAW)
self.assertEqual(len(scan_node.sub_nodes), 1)
scan_node = scan_node.sub_nodes[0]
self.assertIsNotNone(scan_node)
self.assertEqual(scan_node.type_indicator,
definitions.PREFERRED_GPT_BACK_END)
if scan_node.type_indicator == definitions.TYPE_INDICATOR_GPT:
self.assertEqual(len(scan_node.sub_nodes), 1)
scan_node = scan_node.sub_nodes[0]
else:
# The pytsk partition back-end yields more than 1 scan node for various
# metadata and unallocated parts of the GPT.
self.assertEqual(len(scan_node.sub_nodes), 6)
scan_node = scan_node.sub_nodes[4]
apfs_container_scan_node = scan_node.sub_nodes[0]
# Test on volume system root node.
base_path_specs = []
test_scanner._ScanVolume(scan_context, apfs_container_scan_node,
test_options, base_path_specs)
self.assertEqual(len(base_path_specs), 1)
# Test on volume system sub node.
base_path_specs = []
test_scanner._ScanVolume(scan_context,
apfs_container_scan_node.sub_nodes[0],
test_options, base_path_specs)
self.assertEqual(len(base_path_specs), 1)
def testGetTSKPartitionIdentifiers(self):
"""Tests the _GetTSKPartitionIdentifiers function."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._GetTSKPartitionIdentifiers(None)
scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._GetTSKPartitionIdentifiers(scan_node)
def testGetTSKPartitionIdentifiers(self):
"""Tests the _GetTSKPartitionIdentifiers function."""
# Test with mediator.
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(test_mediator)
test_file = self._GetTestFilePath([u'tsk_volume_system.raw'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
expected_identifiers = sorted([u'p1', u'p2'])
identifiers = test_scanner._GetTSKPartitionIdentifiers(scan_node)
self.assertEqual(len(identifiers), 2)
self.assertEqual(sorted(identifiers), expected_identifiers)
# Test without mediator.
test_scanner = volume_scanner.VolumeScanner()
test_file = self._GetTestFilePath([u'tsk_volume_system.raw'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
expected_identifiers = sorted([u'p1', u'p2'])
identifiers = test_scanner._GetTSKPartitionIdentifiers(scan_node)
self.assertEqual(len(identifiers), 2)
self.assertEqual(sorted(identifiers), expected_identifiers)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._GetTSKPartitionIdentifiers(None)
scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._GetTSKPartitionIdentifiers(scan_node)
def testGetVSSStoreIdentifiers(self):
"""Tests the _GetVSSStoreIdentifiers function."""
# Test with mediator.
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(test_mediator)
test_file = self._GetTestFilePath(['vsstest.qcow2'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
expected_identifiers = sorted([1, 2])
identifiers = test_scanner._GetVSSStoreIdentifiers(
scan_node.sub_nodes[0])
self.assertEqual(len(identifiers), 2)
self.assertEqual(sorted(identifiers), expected_identifiers)
# Test without mediator.
test_scanner = volume_scanner.VolumeScanner()
test_file = self._GetTestFilePath(['vsstest.qcow2'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_file)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
with self.assertRaises(errors.ScannerError):
test_scanner._GetVSSStoreIdentifiers(scan_node.sub_nodes[0])
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._GetVSSStoreIdentifiers(None)
scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._GetVSSStoreIdentifiers(scan_node)
def testScanEncryptedVolume(self):
"""Tests the _ScanEncryptedVolume function."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
scan_context = source_scanner.SourceScannerContext()
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._ScanEncryptedVolume(scan_context, None)
scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._ScanEncryptedVolume(scan_context, scan_node)
def testGetBasePathSpecsDirectory(self):
"""Tests the GetBasePathSpecs function on a directory."""
test_file = self._GetTestFilePath([u'testdir_os'])
test_scanner = volume_scanner.VolumeScanner()
test_os_path_spec = os_path_spec.OSPathSpec(location=test_file)
expected_base_path_specs = [test_os_path_spec.comparable]
base_path_specs = test_scanner.GetBasePathSpecs(test_file)
base_path_specs = [
base_path_spec.comparable for base_path_spec in base_path_specs
]
self.assertEqual(base_path_specs, expected_base_path_specs)
def testScanVolumeOnRAW(self):
"""Tests the _ScanVolume function on a RAW image."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_path = self._GetTestFilePath(['ímynd.dd'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = scan_context.GetRootScanNode()
base_path_specs = []
test_scanner._ScanVolume(scan_context, scan_node, base_path_specs)
self.assertEqual(len(base_path_specs), 1)
def testScanVolumeSystemRootOnPartitionedImage(self):
"""Tests the _ScanVolumeSystemRoot function on a partitioned image."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_path = self._GetTestFilePath(['tsk_volume_system.raw'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeSystemRoot(scan_context, scan_node, [])
def testGetTSKPartitionIdentifiersOnAPFS(self):
"""Tests the _GetTSKPartitionIdentifiers function on an APFS image."""
# Test with mediator.
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_path = self._GetTestFilePath(['apfs.dmg'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
identifiers = test_scanner._GetTSKPartitionIdentifiers(scan_node)
self.assertEqual(len(identifiers), 1)
self.assertEqual(identifiers, ['p1'])
def run(self, evidence, result):
"""Scan a raw disk for partitions.
Args:
evidence (Evidence object): The evidence we will process.
result (TurbiniaTaskResult): The object to place task results into.
Returns:
TurbiniaTaskResult object.
"""
result.log('Scanning [{0:s}] for partitions'.format(
evidence.local_path))
success = False
mediator = dfvfs_classes.UnattendedVolumeScannerMediator()
try:
scanner = volume_scanner.VolumeScanner(mediator=mediator)
path_specs = scanner.GetBasePathSpecs(evidence.local_path)
status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format(
len(path_specs), evidence.local_path)
except dfvfs_errors.ScannerError as e:
status_summary = 'Error scanning for partitions: {0!s}'.format(e)
status_report = [fmt.heading4(status_summary)]
try:
for path_spec in path_specs:
partition_evidence, partition_status = self._ProcessPartition(
evidence.local_path, path_spec)
status_report.extend(partition_status)
result.add_evidence(partition_evidence, evidence.config)
status_report = '\n'.join(status_report)
success = True
except TurbiniaException as e:
status_summary = 'Error enumerating partitions: {0!s}'.format(e)
status_report = status_summary
result.log('Scanning of [{0:s}] is complete'.format(
evidence.local_path))
result.report_priority = Priority.LOW
result.report_data = status_report
result.close(self, success=success, status=status_summary)
return result
def testScanVolumeSystemRoot(self):
"""Tests the _ScanVolumeSystemRoot function."""
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_options = volume_scanner.VolumeScannerOptions()
scan_context = source_scanner.SourceScannerContext()
# Test error conditions.
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeSystemRoot(scan_context, None,
test_options, [])
scan_node = source_scanner.SourceScanNode(None)
with self.assertRaises(errors.ScannerError):
test_scanner._ScanVolumeSystemRoot(scan_context, scan_node,
test_options, [])
def testScanEncryptedVolumeOnBDE(self):
"""Tests the _ScanEncryptedVolume function on a BDE image."""
resolver.Resolver.key_chain.Empty()
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
test_path = self._GetTestFilePath(['bdetogo.raw'])
scan_context = source_scanner.SourceScannerContext()
scan_context.OpenSourcePath(test_path)
test_scanner._source_scanner.Scan(scan_context)
scan_node = self._GetTestScanNode(scan_context)
bde_scan_node = scan_node.sub_nodes[0]
test_scanner._ScanEncryptedVolume(scan_context, bde_scan_node)
def testGetBasePathSpecsOnDirectory(self):
"""Tests the GetBasePathSpecs function on a directory."""
test_path = self._GetTestFilePath(['testdir_os'])
test_os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_path)
test_mediator = TestVolumeScannerMediator()
test_scanner = volume_scanner.VolumeScanner(mediator=test_mediator)
expected_base_path_specs = [test_os_path_spec.comparable]
base_path_specs = test_scanner.GetBasePathSpecs(test_path)
base_path_specs = [
base_path_spec.comparable for base_path_spec in base_path_specs
]
self.assertEqual(base_path_specs, expected_base_path_specs)
def __init__(self, img, output_dir=None, dedup=False, resume=False):
self.img = img
img_name = os.path.basename(self.img)
self.dedup = dedup
self.resume = resume
self.last_file = None
log_file_mode = "wb"
if self.resume:
log_file_mode = "ab"
# mkdirs
if output_dir:
self.output_dir = os.path.abspath(output_dir + "/" + img_name)
if not os.path.exists(self.output_dir):
os.makedirs(self.output_dir, exist_ok=True)
self.dedup_dir = self.output_dir + "_duplicates"
if not os.path.exists(self.dedup_dir):
os.makedirs(self.dedup_dir, exist_ok=True)
else:
self.output_dir = os.path.abspath(".")
self.log_file = FileOutputWriter(
os.path.abspath(self.output_dir + "/../%s.log.csv" % img_name))
self.err_log_file = FileOutputWriter(
os.path.abspath(self.output_dir + "/../%s.err.csv" % img_name))
self.log_file.Open(log_file_mode)
self.err_log_file.Open(log_file_mode)
if not self.resume:
self.log_file.WriteFileEntry(
"entry_type|size|full_path|hash|duplicate")
self.err_log_file.WriteFileEntry("full_path|error")
mediator = command_line.CLIVolumeScannerMediator()
vol_scanner = volume_scanner.VolumeScanner(mediator=mediator)
self.stats = {
"errors": 0,
"total": 0,
"duplicates": 0,
"total_size": 0
}
self.hashes = {}
self.base_path_specs = vol_scanner.GetBasePathSpecs(self.img)
