def _Parse(self): """Extracts attributes and extents from the volume.""" tsk_vs_part = self._file_entry.GetTSKVsPart() tsk_addr = getattr(tsk_vs_part, 'addr', None) if tsk_addr is not None: address = volume_system.VolumeAttribute('address', tsk_addr) self._AddAttribute(address) tsk_desc = getattr(tsk_vs_part, 'desc', None) if tsk_desc is not None: # pytsk3 returns an UTF-8 encoded byte string. try: tsk_desc = tsk_desc.decode('utf8') self._AddAttribute(volume_system.VolumeAttribute( 'description', tsk_desc)) except UnicodeError: pass start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part) number_of_sectors = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs_part) volume_extent = volume_system.VolumeExtent( start_sector * self._bytes_per_sector, number_of_sectors * self._bytes_per_sector) self._extents.append(volume_extent)
def _Parse(self): """Extracts sections and volumes from the volume system.""" root_file_entry = self._file_system.GetRootFileEntry() tsk_volume = self._file_system.GetTSKVolume() self.bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector( tsk_volume) for sub_file_entry in root_file_entry.sub_file_entries: tsk_vs_part = sub_file_entry.GetTSKVsPart() start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part) number_of_sectors = tsk_partition.TSKVsPartGetNumberOfSectors( tsk_vs_part) if start_sector is None or number_of_sectors is None: continue if tsk_partition.TSKVsPartIsAllocated(tsk_vs_part): volume = TSKVolume(sub_file_entry, self.bytes_per_sector) self._AddVolume(volume) volume_extent = volume_system.VolumeExtent( start_sector * self.bytes_per_sector, number_of_sectors * self.bytes_per_sector) self._sections.append(volume_extent)
def _Open(self, path_spec=None, mode='rb'): """Opens the file-like object defined by path specification. Args: path_spec: optional path specification (instance of path.PathSpec). The default is None. mode: optional file access mode. The default is 'rb' read-only binary. Raises: AccessError: if the access to open the file was denied. IOError: if the file-like object could not be opened. PathSpecError: if the path specification is incorrect. ValueError: if the path specification is invalid. """ if not path_spec: raise ValueError(u'Missing path specfication.') if not path_spec.HasParent(): raise errors.PathSpecError( u'Unsupported path specification without parent.') self._file_system = resolver.Resolver.OpenFileSystem( path_spec, resolver_context=self._resolver_context) tsk_volume = self._file_system.GetTSKVolume() tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec(tsk_volume, path_spec) if tsk_vs is None: raise errors.PathSpecError( u'Unable to retrieve TSK volume system part from path ' u'specification.') range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs) range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs) if range_offset is None or range_size is None: raise errors.PathSpecError( u'Unable to retrieve TSK volume system part data range from path ' u'specification.') bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume) range_offset *= bytes_per_sector range_size *= bytes_per_sector self.SetRange(range_offset, range_size) self._file_object = resolver.Resolver.OpenFileObject( path_spec.parent, resolver_context=self._resolver_context) self._file_object_set_in_init = True # pylint: disable=protected-access super(TSKPartitionFile, self)._Open(path_spec=path_spec, mode=mode)
def _ScanDisk(self, scan_context, scan_node, disk_info): """Scan Disk internal Args: scan_context (SourceScannerContext): the source scanner context. scan_node (SourceScanNode): the scan node. """ if not scan_node: return if scan_node.path_spec.IsVolumeSystem( ) and not scan_node.path_spec.IsVolumeSystemRoot(): file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec) if scan_node.type_indicator == definitions.TYPE_INDICATOR_TSK_PARTITION: tsk_volumes = file_system.GetTSKVolume() vol_part, _ = tsk_partition.GetTSKVsPartByPathSpec( tsk_volumes, scan_node.path_spec) if tsk_partition.TSKVsPartIsAllocated(vol_part): bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector( vol_part) length = tsk_partition.TSKVsPartGetNumberOfSectors( vol_part) start_sector = tsk_partition.TSKVsPartGetStartSector( vol_part) vol_name = getattr(scan_node.path_spec, 'location', None)[1:] #vol_name = self.prefix + str(scan_node.path_spec.part_index) base_path_spec = scan_node.path_spec disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \ "length" : length * bytes_per_sector, "bytes_per_sector" : bytes_per_sector, "start_sector" : start_sector, \ "vol_name" : vol_name, "identifier" : None}) elif scan_node.type_indicator == definitions.TYPE_INDICATOR_VSHADOW: vss_volumes = file_system.GetVShadowVolume() store_index = vshadow.VShadowPathSpecGetStoreIndex( scan_node.path_spec) vss_part = list(vss_volumes.stores)[store_index] length = vss_part.volume_size identifier = getattr(vss_part, 'identifier', None) vol_name = getattr(scan_node.path_spec, 'location', None)[1:] base_path_spec = scan_node.path_spec disk_info.append({"base_path_spec" : base_path_spec, "type_indicator" : scan_node.type_indicator, \ "length" : length, "bytes_per_sector" : None, "start_sector" : None, "vol_name" : vol_name, \ "identifier" : identifier}) for sub_scan_node in scan_node.sub_nodes: self._ScanDisk(scan_context, sub_scan_node, disk_info)
def _EntriesGenerator(self): """Retrieves directory entries. Since a directory can contain a vast number of entries using a generator is more memory efficient. Yields: A path specification (instance of path.TSKPartitionPathSpec). """ # Only the virtual root file has directory entries. part_index = getattr(self.path_spec, u'part_index', None) start_offset = getattr(self.path_spec, u'start_offset', None) if part_index is not None or start_offset is not None: return location = getattr(self.path_spec, u'location', None) if location is None or location != self._file_system.LOCATION_ROOT: return tsk_volume = self._file_system.GetTSKVolume() bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume) part_index = 0 partition_index = 0 # pytsk3 does not handle the Volume_Info iterator correctly therefore # the explicit list is needed to prevent the iterator terminating too # soon or looping forever. for tsk_vs_part in list(tsk_volume): kwargs = {} if tsk_partition.TSKVsPartIsAllocated(tsk_vs_part): partition_index += 1 kwargs[u'location'] = u'/p{0:d}'.format(partition_index) kwargs[u'part_index'] = part_index part_index += 1 start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part) if start_sector is not None: kwargs[u'start_offset'] = start_sector * bytes_per_sector kwargs[u'parent'] = self.path_spec.parent yield tsk_partition_path_spec.TSKPartitionPathSpec(**kwargs)
def _Open(self, mode='rb'): """Opens the file-like object defined by path specification. Args: mode (Optional[str]): file access mode. Raises: AccessError: if the access to open the file was denied. IOError: if the file-like object could not be opened. OSError: if the file-like object could not be opened. PathSpecError: if the path specification is incorrect. """ if not self._path_spec.HasParent(): raise errors.PathSpecError( 'Unsupported path specification without parent.') self._file_system = resolver.Resolver.OpenFileSystem( self._path_spec, resolver_context=self._resolver_context) tsk_volume = self._file_system.GetTSKVolume() tsk_vs, _ = tsk_partition.GetTSKVsPartByPathSpec( tsk_volume, self._path_spec) if tsk_vs is None: raise errors.PathSpecError( 'Unable to retrieve TSK volume system part from path ' 'specification.') range_offset = tsk_partition.TSKVsPartGetStartSector(tsk_vs) range_size = tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs) if range_offset is None or range_size is None: raise errors.PathSpecError( 'Unable to retrieve TSK volume system part data range from path ' 'specification.') bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume) range_offset *= bytes_per_sector range_size *= bytes_per_sector self._SetRange(range_offset, range_size) self._file_object = resolver.Resolver.OpenFileObject( self._path_spec.parent, resolver_context=self._resolver_context)
def _Parse(self): """Extracts attributes and extents from the volume.""" tsk_vs_part = self._file_entry.GetTSKVsPart() tsk_addr = getattr(tsk_vs_part, u'addr', None) if tsk_addr is not None: self._AddAttribute( volume_system.VolumeAttribute(u'address', tsk_addr)) tsk_desc = getattr(tsk_vs_part, u'desc', None) if tsk_desc is not None: self._AddAttribute( volume_system.VolumeAttribute(u'description', tsk_desc)) start_sector = tsk_partition.TSKVsPartGetStartSector(tsk_vs_part) number_of_sectors = tsk_partition.TSKVsPartGetNumberOfSectors( tsk_vs_part) self._extents.append( volume_system.VolumeExtent( start_sector * self._bytes_per_sector, number_of_sectors * self._bytes_per_sector))
def InsertImageInformation(self): if not self._source_path_specs: logger.error('source is empty') return disk_info = [] for path_spec in self._source_path_specs: filesystem_type = None if not path_spec.parent: return False if path_spec.parent.IsVolumeSystem(): if path_spec.IsFileSystem(): fs = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) fs_info = fs.GetFsInfo() filesystem_type = getattr(fs_info.info, 'ftype', None) path_spec = path_spec.parent file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION: tsk_volumes = file_system.GetTSKVolume() vol_part, _ = dfvfs_partition.GetTSKVsPartByPathSpec( tsk_volumes, path_spec) if dfvfs_partition.TSKVsPartIsAllocated(vol_part): bytes_per_sector = dfvfs_partition.TSKVolumeGetBytesPerSector( vol_part) length = dfvfs_partition.TSKVsPartGetNumberOfSectors( vol_part) start_sector = dfvfs_partition.TSKVsPartGetStartSector( vol_part) par_label = getattr(vol_part, 'desc', None) try: temp = par_label.decode('ascii') par_label = temp except UnicodeDecodeError: par_label = par_label.decode('utf-8') volume_name = getattr(path_spec, 'location', None)[1:] base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": length * bytes_per_sector, "bytes_per_sector": bytes_per_sector, "start_sector": start_sector, "vol_name": volume_name, "identifier": None, "par_label": par_label, "filesystem": filesystem_type }) elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK: #elif path_spec.IsFileSystem(): file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) fs_info = file_system.GetFsInfo() block_size = getattr(fs_info.info, 'block_size', 0) block_count = getattr(fs_info.info, 'block_count', 0) filesystem = getattr(fs_info.info, 'ftype', None) base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": block_count * block_size, "bytes_per_sector": block_size, "start_sector": 0, "vol_name": 'p1', "identifier": None, "par_label": None, "filesystem": filesystem }) elif path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_VSHADOW: vss_volumes = file_system.GetVShadowVolume() store_index = dfvfs_vshadow.VShadowPathSpecGetStoreIndex( path_spec) vss_part = list(vss_volumes.stores)[store_index] length = vss_part.volume_size identifier = getattr(vss_part, 'identifier', None) volume_name = getattr(path_spec, 'location', None)[1:] base_path_spec = path_spec disk_info.append({ "base_path_spec": base_path_spec, "type_indicator": path_spec.type_indicator, "length": length, "bytes_per_sector": None, "start_sector": None, "vol_name": volume_name, "identifier": identifier, "par_label": None, "filesystem": None }) self._InsertDiskInfo(disk_info)