def _attributesFileCallback(self, data, usn, filter_): for k,v in carveBtreeNode(data,HFSPlusAttrKey, HFSPlusAttrData): if getString(k) != "com.apple.system.cprotect": continue if self.fileIds.has_key(k.fileID): continue filekeys = self.keys.setdefault(k.fileID, []) try: cprotect = cprotect_xattr.parse(v.data) except: continue if cprotect.key_size == 0: continue filekey = self.volume.keybag.unwrapKeyForClass(cprotect.persistent_class, cprotect.persistent_key, False) if filekey and not filekey in filekeys: #print "Found key for file ID ", k.fileID filekeys.append(filekey)
def do_cprotect(self, p): id = self.volume.getFileIDByPath(self.get_path(p)) if not id: return cprotect = self.volume.getXattr(id, "com.apple.system.cprotect") if not cprotect: return cp = cprotect_xattr.parse(cprotect) print cp print "Protection class %d => %s" % (cp.persistent_class, PROTECTION_CLASSES.get(cp.persistent_class)) if not cp.persistent_key: return fk = self.volume.getFileKeyForCprotect(cprotect) if fk: print "Unwrapped file key : %s" % fk.encode("hex") else: print "Cannot decrypt file key"