def _detect_pytsk3_volumes(self, vstype='detect'):
"""Generator that mounts every partition of this image and yields the mountpoint."""
# Loop over all volumes in image.
for p in self._find_pytsk3_volumes(vstype):
import pytsk3
volume = self._make_subvolume(index=self._format_index(p.addr),
offset=p.start * self.disk.block_size,
size=p.len * self.disk.block_size)
# Fill volume with more information
volume.info['fsdescription'] = p.desc.strip()
if p.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
volume.flag = 'alloc'
volume.slot = _util.determine_slot(p.table_num, p.slot_num)
self._assign_disktype_data(volume)
logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(p.start, p.len,
volume.info['fsdescription']))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_UNALLOC:
volume.flag = 'unalloc'
logger.info("Found unallocated space: block offset: {0}, length: {1} ".format(p.start, p.len))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_META:
volume.flag = 'meta'
logger.info("Found meta volume: block offset: {0}, length: {1} ".format(p.start, p.len))
yield volume
def _detect_pytsk3_volumes(self, vstype='detect'):
"""Generator that mounts every partition of this image and yields the mountpoint."""
# Loop over all volumes in image.
for p in self._find_pytsk3_volumes(vstype):
import pytsk3
volume = self._make_subvolume(index=self._format_index(p.addr),
offset=p.start *
self.disk.block_size,
size=p.len * self.disk.block_size)
# Fill volume with more information
volume.info['fsdescription'] = p.desc.strip().decode('utf-8')
if p.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
volume.flag = 'alloc'
volume.slot = _util.determine_slot(p.table_num, p.slot_num)
self._assign_disktype_data(volume)
logger.info(
"Found allocated {2}: block offset: {0}, length: {1} ".
format(p.start, p.len, volume.info['fsdescription']))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_UNALLOC:
volume.flag = 'unalloc'
logger.info(
"Found unallocated space: block offset: {0}, length: {1} ".
format(p.start, p.len))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_META:
volume.flag = 'meta'
logger.info(
"Found meta volume: block offset: {0}, length: {1} ".
format(p.start, p.len))
yield volume
def _mount_pytsk3_volumes(self):
"""Generator that mounts every partition of this image and yields the mountpoint."""
# Loop over all volumes in image.
for p in self._find_pytsk3_volumes():
import pytsk3
volume = Volume(disk=self, **self.args)
self.volumes.append(volume)
# Fill volume with more information
volume.offset = p.start * self.block_size
volume.fsdescription = p.desc.strip()
if self.index is not None:
volume.index = '{0}.{1}'.format(self.index, p.addr)
else:
volume.index = p.addr
volume.size = p.len * self.block_size
if p.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
volume.flag = 'alloc'
volume.slot = _util.determine_slot(p.table_num, p.slot_num)
self._assign_disktype_data(volume)
logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(p.start, p.len,
volume.fsdescription))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_UNALLOC:
volume.flag = 'unalloc'
logger.info("Found unallocated space: block offset: {0}, length: {1} ".format(p.start, p.len))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_META:
volume.flag = 'meta'
logger.info("Found meta volume: block offset: {0}, length: {1} ".format(p.start, p.len))
# unalloc / meta partitions do not have stats and can not be mounted
if volume.flag != 'alloc':
yield volume
continue
for v in volume.init():
yield v
def _detect_mmls_volumes(self, vstype='detect'):
"""Finds and mounts all volumes based on mmls."""
try:
cmd = ['mmls']
if self.parent.offset:
cmd.extend(['-o', str(int(self.parent.offset) / self.disk.block_size)])
if vstype != 'detect':
cmd.extend(['-t', vstype])
cmd.append(self.parent.get_raw_path())
output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
self.volume_source = 'multi'
except Exception as e:
# some bug in sleuthkit makes detection sometimes difficult, so we hack around it:
if hasattr(e, 'output') and "(GPT or DOS at 0)" in e.output.decode() and vstype != 'gpt':
self.vstype = 'gpt'
# noinspection PyBroadException
try:
logger.warning("Error in retrieving volume info: mmls couldn't decide between GPT and DOS, "
"choosing GPT for you. Use --vstype=dos to force DOS.", exc_info=True)
cmd = ['mmls', '-t', 'gpt', self.parent.get_raw_path()]
output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
self.volume_source = 'multi'
except Exception as e:
logger.exception("Failed executing mmls command")
raise SubsystemError(e)
else:
logger.exception("Failed executing mmls command")
raise SubsystemError(e)
output = output.split("Description", 1)[-1]
for line in output.splitlines():
if not line:
continue
# noinspection PyBroadException
try:
values = line.split(None, 5)
# sometimes there are only 5 elements available
description = ''
index, slot, start, end, length = values[0:5]
if len(values) > 5:
description = values[5]
volume = self._make_subvolume(index=self._format_index(int(index[:-1])),
offset=int(start) * self.disk.block_size,
size=int(length) * self.disk.block_size)
volume.info['fsdescription'] = description
except Exception:
logger.exception("Error while parsing mmls output")
continue
if slot.lower() == 'meta':
volume.flag = 'meta'
logger.info("Found meta volume: block offset: {0}, length: {1}".format(start, length))
elif slot.lower().startswith('-----'):
volume.flag = 'unalloc'
logger.info("Found unallocated space: block offset: {0}, length: {1}".format(start, length))
else:
volume.flag = 'alloc'
if ":" in slot:
volume.slot = _util.determine_slot(*slot.split(':'))
else:
volume.slot = _util.determine_slot(-1, slot)
self._assign_disktype_data(volume)
logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(start, length,
volume.info['fsdescription']))
yield volume
def _mount_mmls_volumes(self):
"""Finds and mounts all volumes based on mmls."""
try:
cmd = ['mmls']
if self.vstype != 'detect':
cmd.extend(['-t', self.vstype])
cmd.append(self.get_raw_path())
output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
self.volume_source = 'multi'
except Exception as e:
# some bug in sleuthkit makes detection sometimes difficult, so we hack around it:
if hasattr(e, 'output') and "(GPT or DOS at 0)" in e.output.decode() and self.vstype != 'gpt':
self.vstype = 'gpt'
try:
logger.warning("Error in retrieving volume info: mmls couldn't decide between GPT and DOS, "
"choosing GPT for you. Use --vstype=dos to force DOS.", exc_info=True)
cmd = ['mmls', '-t', self.vstype, self.get_raw_path()]
output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
self.volume_source = 'multi'
except Exception as e:
logger.exception("Failed executing mmls command")
return
else:
logger.exception("Failed executing mmls command")
return
output = output.split("Description", 1)[-1]
for line in output.splitlines():
if not line:
continue
try:
values = line.split(None, 5)
# sometimes there are only 5 elements available
description = ''
index, slot, start, end, length = values[0:5]
if len(values) > 5:
description = values[5]
volume = Volume(disk=self, **self.args)
self.volumes.append(volume)
volume.offset = int(start) * self.block_size
volume.fsdescription = description
if self.index is not None:
volume.index = '{0}.{1}'.format(self.index, int(index[:-1]))
else:
volume.index = int(index[:-1])
volume.size = int(length) * self.block_size
except Exception as e:
logger.exception("Error while parsing mmls output")
continue
if slot.lower() == 'meta':
volume.flag = 'meta'
logger.info("Found meta volume: block offset: {0}, length: {1}".format(start, length))
elif slot.lower() == '-----':
volume.flag = 'unalloc'
logger.info("Found unallocated space: block offset: {0}, length: {1}".format(start, length))
else:
volume.flag = 'alloc'
if ":" in slot:
volume.slot = _util.determine_slot(*slot.split(':'))
else:
volume.slot = _util.determine_slot(-1, slot)
self._assign_disktype_data(volume)
logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(start, length,
volume.fsdescription))
# unalloc / meta partitions do not have stats and can not be mounted
if volume.flag != 'alloc':
yield volume
continue
for v in volume.init():
yield v
def _detect_mmls_volumes(self, vstype='detect'):
"""Finds and mounts all volumes based on mmls."""
try:
cmd = ['mmls']
if self.parent.offset:
cmd.extend(
['-o',
str(self.parent.offset // self.disk.block_size)])
if vstype != 'detect':
cmd.extend(['-t', vstype])
cmd.append(self.parent.get_raw_path())
output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
self.volume_source = 'multi'
except Exception as e:
# some bug in sleuthkit makes detection sometimes difficult, so we hack around it:
if hasattr(e, 'output') and "(GPT or DOS at 0)" in e.output.decode(
) and vstype != 'gpt':
self.vstype = 'gpt'
# noinspection PyBroadException
try:
logger.warning(
"Error in retrieving volume info: mmls couldn't decide between GPT and DOS, "
"choosing GPT for you. Use --vstype=dos to force DOS.",
exc_info=True)
cmd = ['mmls', '-t', 'gpt', self.parent.get_raw_path()]
output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
self.volume_source = 'multi'
except Exception as e:
logger.exception("Failed executing mmls command")
raise SubsystemError(e)
else:
logger.exception("Failed executing mmls command")
raise SubsystemError(e)
output = output.split("Description", 1)[-1]
for line in output.splitlines():
if not line:
continue
# noinspection PyBroadException
try:
values = line.split(None, 5)
# sometimes there are only 5 elements available
description = ''
index, slot, start, end, length = values[0:5]
if len(values) > 5:
description = values[5]
volume = self._make_subvolume(
index=self._format_index(int(index[:-1])),
offset=int(start) * self.disk.block_size,
size=int(length) * self.disk.block_size)
volume.info['fsdescription'] = description
except Exception:
logger.exception("Error while parsing mmls output")
continue
if slot.lower() == 'meta':
volume.flag = 'meta'
logger.info(
"Found meta volume: block offset: {0}, length: {1}".format(
start, length))
elif slot.lower().startswith('-----'):
volume.flag = 'unalloc'
logger.info(
"Found unallocated space: block offset: {0}, length: {1}".
format(start, length))
else:
volume.flag = 'alloc'
if ":" in slot:
volume.slot = _util.determine_slot(*slot.split(':'))
else:
volume.slot = _util.determine_slot(-1, slot)
self._assign_disktype_data(volume)
logger.info(
"Found allocated {2}: block offset: {0}, length: {1} ".
format(start, length, volume.info['fsdescription']))
yield volume
