def GetFileEntryByPathSpec(self, path_spec): """Retrieves a file entry for a path specification. Args: path_spec (PathSpec): a path specification. Returns: TSKPartitionFileEntry: a file entry or None of not available. """ tsk_vs_part, partition_index = tsk_partition.GetTSKVsPartByPathSpec( self._tsk_volume, path_spec) location = getattr(path_spec, 'location', None) # The virtual root file has no corresponding TSK volume system part object # but should have a location. if tsk_vs_part is None: if location is None or location != self.LOCATION_ROOT: return None return tsk_partition_file_entry.TSKPartitionFileEntry( self._resolver_context, self, path_spec, is_root=True, is_virtual=True) if location is None and partition_index is not None: path_spec.location = '/p{0:d}'.format(partition_index) return tsk_partition_file_entry.TSKPartitionFileEntry( self._resolver_context, self, path_spec)
def GetTSKVsPart(self): """Retrieves the TSK volume system part object. Returns: A TSK volume system part object (instance of pytsk3.TSK_VS_PART_INFO) or None. """ tsk_volume = self._file_system.GetTSKVolume() tsk_vs_part, _ = tsk_partition.GetTSKVsPartByPathSpec( tsk_volume, self.path_spec) return tsk_vs_part
def _Open(self, path_spec=None, mode='rb'): """Opens the file-like object defined by path specification. Args: path_spec: optional path specification (instance of path.PathSpec). The default is None. mode: optional file access mode. The default is 'rb' read-only binary. Raises: AccessError: if the access to open the file was denied. IOError: if the file-like object could not be opened. PathSpecError: if the path specification is incorrect. ValueError: if the path specification is invalid. """ if not path_spec: raise ValueError(u'Missing path specfication.') if not path_spec.HasParent(): raise errors.PathSpecError( u'Unsupported path specification without parent.') self._file_system = resolver.Resolver.OpenFileSystem( path_spec, resolver_context=self._resolver_context) tsk_volume = self._file_system.GetTSKVolume() tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec(tsk_volume, path_spec) if tsk_vs is None: raise errors.PathSpecError( u'Unable to retrieve TSK volume system part from path ' u'specification.') range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs) range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs) if range_offset is None or range_size is None: raise errors.PathSpecError( u'Unable to retrieve TSK volume system part data range from path ' u'specification.') bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume) range_offset *= bytes_per_sector range_size *= bytes_per_sector self.SetRange(range_offset, range_size) self._file_object = resolver.Resolver.OpenFileObject( path_spec.parent, resolver_context=self._resolver_context) self._file_object_set_in_init = True # pylint: disable=protected-access super(TSKPartitionFile, self)._Open(path_spec=path_spec, mode=mode)
def _ScanDisk(self, scan_context, scan_node, disk_info): """Scan Disk internal Args: scan_context (SourceScannerContext): the source scanner context. scan_node (SourceScanNode): the scan node. """ if not scan_node: return if scan_node.path_spec.IsVolumeSystem( ) and not scan_node.path_spec.IsVolumeSystemRoot(): file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec) if scan_node.type_indicator == definitions.TYPE_INDICATOR_TSK_PARTITION: tsk_volumes = file_system.GetTSKVolume() vol_part, _ = tsk_partition.GetTSKVsPartByPathSpec( tsk_volumes, scan_node.path_spec) if tsk_partition.TSKVsPartIsAllocated(vol_part): bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector( vol_part) length = tsk_partition.TSKVsPartGetNumberOfSectors( vol_part) start_sector = tsk_partition.TSKVsPartGetStartSector( vol_part) vol_name = getattr(scan_node.path_spec, 'location', None)[1:] #vol_name = self.prefix + str(scan_node.path_spec.part_index) base_path_spec = scan_node.path_spec disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \ "length" : length * bytes_per_sector, "bytes_per_sector" : bytes_per_sector, "start_sector" : start_sector, \ "vol_name" : vol_name, "identifier" : None}) elif scan_node.type_indicator == definitions.TYPE_INDICATOR_VSHADOW: vss_volumes = file_system.GetVShadowVolume() store_index = vshadow.VShadowPathSpecGetStoreIndex( scan_node.path_spec) vss_part = list(vss_volumes.stores)[store_index] length = vss_part.volume_size identifier = getattr(vss_part, 'identifier', None) vol_name = getattr(scan_node.path_spec, 'location', None)[1:] base_path_spec = scan_node.path_spec disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \ "length" : length, "bytes_per_sector" : None, "start_sector" : None, "vol_name" : vol_name, \ "identifier" : identifier}) for sub_scan_node in scan_node.sub_nodes: self._ScanDisk(scan_context, sub_scan_node, disk_info)
def __init__(self, resolver_context, file_system, path_spec, is_root=False, is_virtual=False, tsk_vs_part=None): """Initializes a file entry. Args: resolver_context (Context): resolver context. file_system (FileSystem): file system. path_spec (PathSpec): path specification. is_root (Optional[bool]): True if the file entry is the root file entry of the corresponding file system. is_virtual (Optional[bool]): True if the file entry is a virtual file entry emulated by the corresponding file system. tsk_vs_part (Optional[pytsk3.TSK_VS_PART_INFO]): TSK volume system part. Raises: BackEndError: when the TSK volume system part is missing in a non-virtual file entry. """ tsk_volume = file_system.GetTSKVolume() if not is_virtual and tsk_vs_part is None: tsk_vs_part, _ = tsk_partition.GetTSKVsPartByPathSpec( tsk_volume, path_spec) if not is_virtual and tsk_vs_part is None: raise errors.BackEndError( 'Missing TSK volume system part in non-virtual file entry.') super(TSKPartitionFileEntry, self).__init__(resolver_context, file_system, path_spec, is_root=is_root, is_virtual=is_virtual) self._name = None self._tsk_volume = tsk_volume self._tsk_vs_part = tsk_vs_part if is_virtual: self.entry_type = definitions.FILE_ENTRY_TYPE_DIRECTORY else: self.entry_type = definitions.FILE_ENTRY_TYPE_FILE
def FileEntryExistsByPathSpec(self, path_spec): """Determines if a file entry for a path specification exists. Args: path_spec (PathSpec): a path specification. Returns: bool: True if the file entry exists or false otherwise. """ tsk_vs_part, _ = tsk_partition.GetTSKVsPartByPathSpec( self._tsk_volume, path_spec) # The virtual root file has no corresponding TSK volume system part object # but should have a location. if tsk_vs_part is None: location = getattr(path_spec, 'location', None) return location is not None and location == self.LOCATION_ROOT return True
def _Open(self, mode='rb'): """Opens the file-like object defined by path specification. Args: mode (Optional[str]): file access mode. Raises: AccessError: if the access to open the file was denied. IOError: if the file-like object could not be opened. OSError: if the file-like object could not be opened. PathSpecError: if the path specification is incorrect. """ if not self._path_spec.HasParent(): raise errors.PathSpecError( 'Unsupported path specification without parent.') self._file_system = resolver.Resolver.OpenFileSystem( self._path_spec, resolver_context=self._resolver_context) tsk_volume = self._file_system.GetTSKVolume() tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec( tsk_volume, self._path_spec) if tsk_vs is None: raise errors.PathSpecError( 'Unable to retrieve TSK volume system part from path ' 'specification.') range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs) range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs) if range_offset is None or range_size is None: raise errors.PathSpecError( 'Unable to retrieve TSK volume system part data range from path ' 'specification.') bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume) range_offset *= bytes_per_sector range_size *= bytes_per_sector self._SetRange(range_offset, range_size) self._file_object = resolver.Resolver.OpenFileObject( self._path_spec.parent, resolver_context=self._resolver_context)
def InsertImageInformation(self): if not self._source_path_specs: logger.error('source is empty') return disk_info = [] for path_spec in self._source_path_specs: filesystem_type = None if not path_spec.parent: return False if path_spec.parent.IsVolumeSystem(): if path_spec.IsFileSystem(): fs = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) fs_info = fs.GetFsInfo() filesystem_type = getattr(fs_info.info, 'ftype', None) path_spec = path_spec.parent file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION: tsk_volumes = file_system.GetTSKVolume() vol_part, _ = dfvfs_partition.GetTSKVsPartByPathSpec( tsk_volumes, path_spec) if dfvfs_partition.TSKVsPartIsAllocated(vol_part): bytes_per_sector = dfvfs_partition.TSKVolumeGetBytesPerSector( vol_part) length = dfvfs_partition.TSKVsPartGetNumberOfSectors( vol_part) start_sector = dfvfs_partition.TSKVsPartGetStartSector( vol_part) par_label = getattr(vol_part, 'desc', None) try: temp = par_label.decode('ascii') par_label = temp except UnicodeDecodeError: par_label = par_label.decode('utf-8') volume_name = getattr(path_spec, 'location', None)[1:] base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": length * bytes_per_sector, "bytes_per_sector": bytes_per_sector, "start_sector": start_sector, "vol_name": volume_name, "identifier": None, "par_label": par_label, "filesystem": filesystem_type }) elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK: #elif path_spec.IsFileSystem(): file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) fs_info = file_system.GetFsInfo() block_size = getattr(fs_info.info, 'block_size', 0) block_count = getattr(fs_info.info, 'block_count', 0) filesystem = getattr(fs_info.info, 'ftype', None) base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": block_count * block_size, "bytes_per_sector": block_size, "start_sector": 0, "vol_name": 'p1', "identifier": None, "par_label": None, "filesystem": filesystem }) elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_VSHADOW: vss_volumes = file_system.GetVShadowVolume() store_index = dfvfs_vshadow.VShadowPathSpecGetStoreIndex( path_spec) vss_part = list(vss_volumes.stores)[store_index] length = vss_part.volume_size identifier = getattr(vss_part, 'identifier', None) volume_name = getattr(path_spec, 'location', None)[1:] base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": length, "bytes_per_sector": None, "start_sector": None, "vol_name": volume_name, "identifier": identifier, "par_label": None, "filesystem": None }) self._InsertDiskInfo(disk_info)