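def vshadowList(Evidences, ags, options):
    """List the volume shadow copy stores of every evidence file system.

    Each file system is mounted under the 'vshadow' lock name and probed with
    pyvshadow.check_volume_signature(). When a signature is found, its stores
    are printed (identifier, creation time, size, copy-set ID and copy ID).

    Args:
        Evidences: iterable of evidence objects; each provides fileSystems,
            isMounted() and umount().
        ags: not used by this function.
        options: not used by this function.

    Cleanup runs in ``finally`` blocks, so an exception raised while parsing
    one image (for example a damaged or malformed volume) no longer leaves the
    file system mounted or the pyvshadow volume open.
    """
    for evi in Evidences:
        try:
            for fs in evi.fileSystems:
                fs.mount('vshadow', 'Used by vshadow command')
                try:
                    if pyvshadow.check_volume_signature(fs.loopDevice):
                        fritutils.termout.printSuccess(
                            "Volume shadow copy found on '{}/{}'".format(
                                fs.evidenceConfigName, fs.configName))
                        vshadowVol = pyvshadow.volume()
                        vshadowVol.open(fs.loopDevice)
                        try:
                            fritutils.termout.printNormal(
                                " Number of stores on volume: {}".format(
                                    vshadowVol.number_of_stores))
                            for st in vshadowVol.get_stores():
                                fritutils.termout.printNormal(
                                    " Store identifier: {}".format(
                                        st.identifier))
                                fritutils.termout.printNormal(
                                    " Store creation time: {}".format(
                                        st.get_creation_time()))
                                fritutils.termout.printNormal(
                                    " Store size: {}".format(
                                        fritutils.humanize(st.size)))
                                fritutils.termout.printNormal(
                                    " Shadow-copy set ID: {}".format(
                                        st.copy_set_identifier))
                                fritutils.termout.printNormal(
                                    " Shadow-copy ID: {}".format(
                                        st.copy_identifier))
                        finally:
                            # Only reached after a successful open().
                            vshadowVol.close()
                finally:
                    # Release the 'vshadow' mount even when probing failed.
                    fs.umount('vshadow')
        finally:
            if evi.isMounted():
                evi.umount('vshadow')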
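def pyvshadow_test_multi_open_close_file_object(filename, mode):
    """Open and close a volume twice through the same file-like object.

    Args:
        filename: path of the image to open in binary read mode.
        mode: access mode handed to pyvshadow's open_file_object().

    Returns:
        True when both open/close cycles completed without an exception,
        False otherwise. The outcome is also printed as (PASS) or (FAIL).
    """
    print(
        ("Testing multi open close of file-like object of: {0:s} "
         "with access: {1:s}\t").format(filename, get_mode_string(mode)))

    result = True
    try:
        # The context manager releases the descriptor on every path; the
        # original left the file open, also when pyvshadow raised.
        with open(filename, "rb") as file_object:
            vshadow_volume = pyvshadow.volume()

            vshadow_volume.open_file_object(file_object, mode)
            vshadow_volume.close()

            # Second cycle checks that close() cleaned up properly.
            vshadow_volume.open_file_object(file_object, mode)
            vshadow_volume.close()

    except Exception as exception:
        print(str(exception))
        result = False

    if not result:
        print("(FAIL)")
    else:
        print("(PASS)")
    return result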
def _Open(self, path_spec, mode='rb'):
    """Opens the VSS volume that backs the given path specification.

    The parent of path_spec is resolved to a file-like object, which is then
    handed to a new pyvshadow volume. On success both are stored on the
    instance.

    Args:
      path_spec: a path specification (instance of path.PathSpec).
      mode: optional file access mode. The default is 'rb' read-only binary.
          The body shown here does not use it.

    Raises:
      AccessError: if the access to open the file was denied.
      IOError: if the file system object could not be opened.
      PathSpecError: if the path specification is incorrect.
      ValueError: if the path specification is invalid.
    """
    has_parent = path_spec.HasParent()
    if not has_parent:
        raise errors.PathSpecError(
            u'Unsupported path specification without parent.')

    parent_file_object = resolver.Resolver.OpenFileObject(
        path_spec.parent, resolver_context=self._resolver_context)

    try:
        volume = pyvshadow.volume()
        volume.open_file_object(parent_file_object)
    except BaseException:
        # Do not keep the parent handle open when the volume cannot be
        # parsed; the original error is re-raised unchanged.
        parent_file_object.close()
        raise

    self._file_object = parent_file_object
    self._vshadow_volume = volume
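def _Open(self, mode='rb'):
    """Opens the file system object defined by path specification.

    The parent of self._path_spec is resolved to a file-like object, which is
    then handed to a new pyvshadow volume. On success both are stored on the
    instance.

    Args:
      mode (Optional[str]): file access mode. The default is 'rb' which
          represents read-only binary. The body shown here does not use it.

    Raises:
      AccessError: if the access to open the file was denied.
      IOError: if the file system object could not be opened.
      PathSpecError: if the path specification is incorrect.
      ValueError: if the path specification is invalid.
    """
    if not self._path_spec.HasParent():
        raise errors.PathSpecError(
            'Unsupported path specification without parent.')

    file_object = resolver.Resolver.OpenFileObject(
        self._path_spec.parent, resolver_context=self._resolver_context)

    try:
        vshadow_volume = pyvshadow.volume()
        vshadow_volume.open_file_object(file_object)
    except BaseException:
        # Without this cleanup a volume that fails to parse would leak the
        # parent file object, since it is never stored on the instance.
        file_object.close()
        raise

    self._file_object = file_object
    self._vshadow_volume = vshadow_volume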
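def pyvshadow_test_multi_open_close_file_object(filename, mode):
    """Open and close a volume twice through the same file-like object.

    Args:
        filename: path of the image; opened with the given mode.
        mode: used both for open() and for pyvshadow's open_file_object().

    Any exception from open() or pyvshadow propagates to the caller.
    """
    # The context manager closes the file on every path; the original never
    # closed it.
    with open(filename, mode) as file_object:
        vshadow_volume = pyvshadow.volume()

        vshadow_volume.open_file_object(file_object, mode)
        vshadow_volume.close()

        # Second cycle checks that close() cleaned up properly.
        vshadow_volume.open_file_object(file_object, mode)
        vshadow_volume.close()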
def test_open_close(self):
    """Tests the open and close functions."""
    if not unittest.source:
        return

    if unittest.offset:
        raise unittest.SkipTest("source defines offset")

    volume = pyvshadow.volume()

    # Open and close by path twice; the second round validates that close()
    # cleaned up.
    for _ in range(2):
        volume.open(unittest.source)
        volume.close()

    if os.path.isfile(unittest.source):
        with open(unittest.source, "rb") as handle:
            # Same two rounds through a file-like object.
            for _ in range(2):
                volume.open_file_object(handle)
                volume.close()

            # Drop the local reference while the volume is still open, then
            # close the volume.
            volume.open_file_object(handle)
            del handle
            volume.close()
def test_open_close(self):
    """Tests the open and close functions."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    volume = pyvshadow.volume()

    # Open and close by path twice; the second round validates that close()
    # cleaned up.
    for _ in range(2):
        volume.open(unittest.source)
        volume.close()

    handle = open(unittest.source, "rb")

    # Same two rounds through a file-like object.
    for _ in range(2):
        volume.open_file_object(handle)
        volume.close()

    # Drop the local reference while the volume is still open, then close
    # the volume. The file is never closed explicitly in this test.
    volume.open_file_object(handle)
    del handle
    volume.close()
def test_open_file_object(self):
    """Tests the open_file_object function."""
    source = unittest.source
    if not source:
        raise unittest.SkipTest("missing source")

    if not os.path.isfile(source):
        raise unittest.SkipTest("source not a regular file")

    volume = pyvshadow.volume()

    with DataRangeFileObject(source, unittest.offset or 0, None) as data_range:
        volume.open_file_object(data_range)

        # Opening an already-open volume must raise IOError.
        self.assertRaises(IOError, volume.open_file_object, data_range)

        volume.close()

        # Argument validation: no file object, then an unsupported mode.
        self.assertRaises(TypeError, volume.open_file_object, None)
        self.assertRaises(
            ValueError, volume.open_file_object, data_range, mode="w")
def _Open(self, path_spec, mode='rb'):
    """Opens the VSS volume that backs the given path specification.

    The parent of path_spec is resolved to a file-like object, which is then
    handed to a new pyvshadow volume. On success both are stored on the
    instance.

    Args:
      path_spec (PathSpec): path specification.
      mode (Optional[str]): file access mode. The body shown here does not
          use it.

    Raises:
      AccessError: if the access to open the file was denied.
      IOError: if the file system object could not be opened.
      PathSpecError: if the path specification is incorrect.
      ValueError: if the path specification is invalid.
    """
    has_parent = path_spec.HasParent()
    if not has_parent:
        raise errors.PathSpecError(
            'Unsupported path specification without parent.')

    parent_file_object = resolver.Resolver.OpenFileObject(
        path_spec.parent, resolver_context=self._resolver_context)

    try:
        volume = pyvshadow.volume()
        volume.open_file_object(parent_file_object)
    except BaseException:
        # Do not keep the parent handle open when the volume cannot be
        # parsed; the original error is re-raised unchanged.
        parent_file_object.close()
        raise

    self._file_object = parent_file_object
    self._vshadow_volume = volume
def test_open_close(self):
    """Tests the open and close functions."""
    if not unittest.source:
        return

    volume = pyvshadow.volume()

    # Open and close by path twice; the second round validates that close()
    # cleaned up.
    for _ in range(2):
        volume.open(unittest.source)
        volume.close()

    handle = open(unittest.source, "rb")

    # Same two rounds through a file-like object.
    for _ in range(2):
        volume.open_file_object(handle)
        volume.close()

    # Drop the local reference while the volume is still open, then close
    # the volume. The file is never closed explicitly in this test.
    volume.open_file_object(handle)
    del handle
    volume.close()
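def test_get_number_of_blocks(self):
    """Tests the get_number_of_blocks function and number_of_blocks property.

    Skipped when no source is configured or when the volume has no stores.
    The last store of the volume is the one inspected.
    """
    if not unittest.source:
        raise unittest.SkipTest("missing source")

    vshadow_volume = pyvshadow.volume()

    with DataRangeFileObject(
            unittest.source, unittest.offset or 0, None) as file_object:
        vshadow_volume.open_file_object(file_object)
        try:
            if vshadow_volume.number_of_stores == 0:
                raise unittest.SkipTest("missing stores")

            vshadow_store = vshadow_volume.get_store(
                vshadow_volume.number_of_stores - 1)
            self.assertIsNotNone(vshadow_store)

            number_of_blocks = vshadow_store.get_number_of_blocks()
            self.assertIsNotNone(number_of_blocks)

            self.assertIsNotNone(vshadow_store.number_of_blocks)
        finally:
            # Close the volume on the skip and assertion-failure paths too;
            # the original only closed it when every check passed.
            vshadow_volume.close()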
def test_seek_offset(self):
    """Tests the seek_offset function."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    volume = pyvshadow.volume()
    volume.open(unittest.source)

    if volume.number_of_stores > 0:
        store = volume.get_store(volume.number_of_stores - 1)
        self.assertIsNotNone(store)

        size = store.get_size()

        # (offset, whence, offset expected afterwards). The steps are applied
        # in order because the SEEK_CUR cases depend on the previous position.
        accepted_seeks = [
            (16, os.SEEK_SET, 16),
            (16, os.SEEK_CUR, 32),
            (-16, os.SEEK_CUR, 16),
            (-16, os.SEEK_END, size - 16),
            (16, os.SEEK_END, size + 16),
        ]
        for seek_to, whence, expected in accepted_seeks:
            store.seek_offset(seek_to, whence)
            offset = store.get_offset()
            self.assertEqual(offset, expected)

        # Seeks to a negative position and an invalid whence must be rejected.
        # TODO: change IOError into ValueError
        rejected_seeks = [
            (-1, os.SEEK_SET),
            (-32 - size, os.SEEK_CUR),
            (-32 - size, os.SEEK_END),
            (0, -1),
        ]
        for seek_to, whence in rejected_seeks:
            with self.assertRaises(IOError):
                store.seek_offset(seek_to, whence)

    volume.close()
def test_close(self):
    """Tests the close function."""
    if not unittest.source:
        raise unittest.SkipTest("missing source")

    never_opened = pyvshadow.volume()

    # Closing a volume that was never opened must raise IOError.
    self.assertRaises(IOError, never_opened.close)
def GetVssStoreCount(image, offset=0):
    """Return the number of VSS stores available in an image.

    Args:
        image: passed to VShadowVolume together with offset.
        offset: position handed to VShadowVolume; defaults to 0.

    Returns:
        The volume's number_of_stores, or 0 when pyvshadow raises IOError.
        A return of 0 therefore means either "no stores" or "the VSS data
        could not be read"; only the warning log tells the two apart.
    """
    volume = pyvshadow.volume()
    fh = VShadowVolume(image, offset)
    try:
        volume.open_file_object(fh)
        store_count = volume.number_of_stores
    except IOError as e:
        logging.warning('Error while trying to read VSS information: %s', e)
        store_count = 0
    return store_count
def test_number_of_stores(self):
    """Tests the number_of_stores property."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    volume = pyvshadow.volume()
    volume.open(unittest.source)

    # Only checks that the property yields a value, not what the value is.
    store_count = volume.number_of_stores
    self.assertIsNotNone(store_count)

    volume.close()
def test_get_number_of_stores(self):
    """Tests the get_number_of_stores function."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    volume = pyvshadow.volume()
    volume.open(unittest.source)

    # Only checks that the getter yields a value, not what the value is.
    self.assertIsNotNone(volume.get_number_of_stores())

    volume.close()
def pyvshadow_test_seek_file(filename):
    """Run pyvshadow_test_seek on each store of the volume at filename.

    Stops at the first store whose check returns a false value.

    Returns:
        The result of the last check that ran, or True when the volume has
        no stores.
    """
    volume = pyvshadow.volume()
    volume.open(filename, "r")

    outcome = True
    for store in volume.stores:
        outcome = pyvshadow_test_seek(store)
        if outcome:
            continue
        break

    volume.close()
    return outcome
def explore_vss(evidence, part_offset, output):
    """Collect file-system data from every shadow copy and write it as CSV.

    Args:
        evidence: passed to vss.VShadowVolume and vss.GetVssStoreCount.
        part_offset: partition offset passed to the same two helpers.
        output: destination handed to write_csv().

    Nothing is opened or written when the store count is not positive. The
    progress message prints the zero-based store index next to the total
    count.
    """
    vss_volume = pyvshadow.volume()
    vss_handle = vss.VShadowVolume(evidence, part_offset)
    vss_count = vss.GetVssStoreCount(evidence, part_offset)
    if not vss_count > 0:
        return

    vss_volume.open_file_object(vss_handle)
    collected = []
    for index in range(vss_count):
        print("Gathering data for VSC {} of {}".format(index, vss_count))
        store = vss_volume.get_store(index)
        store_image = vss.VShadowImgInfo(store)
        collected.append(pytskutil.openVSSFS(store_image, index))

    write_csv(collected, output)
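def pyvshadow_test_read_file_object(filename):
    """Run pyvshadow_test_read on each store, opened via a file-like object.

    Stops at the first store whose check returns a false value.

    Args:
        filename: path of the image to open in binary read mode.

    Returns:
        The result of the last check that ran, or True when the volume has
        no stores.
    """
    # The context manager closes the file on every path; the original never
    # closed it.
    with open(filename, "rb") as file_object:
        vshadow_volume = pyvshadow.volume()
        vshadow_volume.open_file_object(file_object, "r")
        try:
            result = True
            for vshadow_store in vshadow_volume.stores:
                result = pyvshadow_test_read(vshadow_store)
                if not result:
                    break
        finally:
            # Also close the volume when a store check raises.
            vshadow_volume.close()

    return result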
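def pyvshadow_test_read_file_object(filename):
    """Run pyvshadow_test_seek on each store, opened via a file-like object.

    Stops at the first store whose check returns a false value.

    NOTE(review): the function name says "read" but the per-store check is
    pyvshadow_test_seek; confirm which of the two is intended.

    Args:
        filename: path of the image to open in binary read mode.

    Returns:
        The result of the last check that ran, or True when the volume has
        no stores.
    """
    # The context manager closes the file on every path; the original never
    # closed it.
    with open(filename, "rb") as file_object:
        vshadow_volume = pyvshadow.volume()
        vshadow_volume.open_file_object(file_object, "r")
        try:
            result = True
            for vshadow_store in vshadow_volume.stores:
                result = pyvshadow_test_seek(vshadow_store)
                if not result:
                    break
        finally:
            # Also close the volume when a store check raises.
            vshadow_volume.close()

    return result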
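def test_stores(self):
    """Tests the stores property.

    Skipped when no source is configured, when an offset is set, or when the
    volume has no stores.
    """
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    with DataRangeFileObject(
            unittest.source, unittest.offset or 0, None) as file_object:
        vshadow_volume = pyvshadow.volume()
        vshadow_volume.open_file_object(file_object)
        try:
            if vshadow_volume.number_of_stores == 0:
                raise unittest.SkipTest("missing stores")

            self.assertIsNotNone(vshadow_volume.stores)
        finally:
            # Close the volume on the skip and assertion-failure paths too;
            # the original only closed it when the check passed.
            vshadow_volume.close()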
def pyvshadow_test_single_open_close_file(filename, mode):
    """Open and close a volume once by path and report the outcome.

    Two failures count as expected: a TypeError with the "unsupported string
    object type" message when filename is empty or None, and a ValueError
    with the "unsupported mode: w" message when mode is "w". Any other
    exception is printed and fails the check.

    Returns:
        True on success or an expected failure, False otherwise. The outcome
        is also printed as (PASS) or (FAIL).
    """
    shown_name = filename if filename else "None"

    print("Testing single open close of: {0:s} with access: {1:s}\t".format(
        shown_name, get_mode_string(mode)))

    passed = True
    try:
        volume = pyvshadow.volume()
        volume.open(filename, mode)
        volume.close()

    except TypeError as exception:
        expected_message = (
            "{0:s}: unsupported string object type.").format(
                "pyvshadow_volume_open")
        # Tolerated only for a missing filename with the exact message.
        if filename or str(exception) != expected_message:
            print(str(exception))
            passed = False

    except ValueError as exception:
        expected_message = (
            "{0:s}: unsupported mode: w.").format(
                "pyvshadow_volume_open")
        # Tolerated only for write mode with the exact message.
        if mode != "w" or str(exception) != expected_message:
            print(str(exception))
            passed = False

    except Exception as exception:
        print(str(exception))
        passed = False

    print("(PASS)" if passed else "(FAIL)")
    return passed
def test_get_store(self):
    """Tests the get_store function."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    volume = pyvshadow.volume()
    volume.open(unittest.source)

    if volume.number_of_stores > 0:
        # Fetch the last store of the volume.
        last_store = volume.get_store(volume.number_of_stores - 1)
        self.assertIsNotNone(last_store)

    # A negative store index must be rejected.
    self.assertRaises(IOError, volume.get_store, -1)

    volume.close()
def test_open(self):
    """Tests the open function."""
    source = unittest.source
    if not source:
        return

    volume = pyvshadow.volume()
    volume.open(source)

    # Opening an already-open volume must raise IOError.
    self.assertRaises(IOError, volume.open, source)

    volume.close()

    # Argument validation: no path, then an unsupported mode.
    self.assertRaises(TypeError, volume.open, None)
    self.assertRaises(ValueError, volume.open, source, mode="w")
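def vshadowList(Evidences, ags, options):
    """Print the shadow copy stores found on each evidence file system.

    Every file system is mounted under the 'vshadow' lock name and checked
    with pyvshadow.check_volume_signature(). For volumes carrying a VSS
    signature the store count is printed, followed by each store's
    identifier, creation time, size, copy-set ID and copy ID.

    Args:
        Evidences: iterable of evidence objects; each provides fileSystems,
            isMounted() and umount().
        ags: not used by this function.
        options: not used by this function.

    The close and unmount calls sit in ``finally`` blocks so that a failure
    while reading one image does not leave it mounted or the volume open.
    """
    for evi in Evidences:
        try:
            for fs in evi.fileSystems:
                fs.mount('vshadow', 'Used by vshadow command')
                try:
                    if pyvshadow.check_volume_signature(fs.loopDevice):
                        fritutils.termout.printSuccess(
                            "Volume shadow copy found on '{}/{}'".format(
                                fs.evidenceConfigName, fs.configName))
                        vshadowVol = pyvshadow.volume()
                        vshadowVol.open(fs.loopDevice)
                        try:
                            fritutils.termout.printNormal(
                                " Number of stores on volume: {}".format(
                                    vshadowVol.number_of_stores))
                            for st in vshadowVol.get_stores():
                                fritutils.termout.printNormal(
                                    " Store identifier: {}".format(
                                        st.identifier))
                                fritutils.termout.printNormal(
                                    " Store creation time: {}".format(
                                        st.get_creation_time()))
                                fritutils.termout.printNormal(
                                    " Store size: {}".format(
                                        fritutils.humanize(st.size)))
                                fritutils.termout.printNormal(
                                    " Shadow-copy set ID: {}".format(
                                        st.copy_set_identifier))
                                fritutils.termout.printNormal(
                                    " Shadow-copy ID: {}".format(
                                        st.copy_identifier))
                        finally:
                            # Only reached after a successful open().
                            vshadowVol.close()
                finally:
                    # Release the 'vshadow' mount even when probing failed.
                    fs.umount('vshadow')
        finally:
            if evi.isMounted():
                evi.umount('vshadow')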
def test_open(self):
    """Tests the open function."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    volume = pyvshadow.volume()
    volume.open(unittest.source)

    # Opening an already-open volume must raise IOError.
    self.assertRaises(IOError, volume.open, unittest.source)

    volume.close()

    # Argument validation: no path, then an unsupported mode.
    self.assertRaises(TypeError, volume.open, None)
    self.assertRaises(ValueError, volume.open, unittest.source, mode="w")
def test_read_buffer(self):
    """Tests the read_buffer function."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    volume = pyvshadow.volume()
    volume.open(unittest.source)

    if volume.number_of_stores > 0:
        store = volume.get_store(volume.number_of_stores - 1)
        self.assertIsNotNone(store)

        size = store.get_size()

        # A bounded read returns at most the requested number of bytes.
        chunk = store.read_buffer(size=4096)
        self.assertIsNotNone(chunk)
        self.assertEqual(len(chunk), min(size, 4096))

        if size < 4096:
            # Read without an explicit size.
            chunk = store.read_buffer()
            self.assertIsNotNone(chunk)
            self.assertEqual(len(chunk), size)

        # Reading past the end yields only the bytes that remain.
        if size > 16:
            store.seek_offset(-16, os.SEEK_END)

            chunk = store.read_buffer(size=4096)
            self.assertIsNotNone(chunk)
            self.assertEqual(len(chunk), 16)

        # A negative size must be rejected.
        self.assertRaises(ValueError, store.read_buffer, size=-1)

    volume.close()
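def pyvshadow_test_single_open_close_file_object(filename, mode):
    """Open and close a volume once through a file-like object.

    Args:
        filename: path of the image to open in binary read mode.
        mode: access mode handed to pyvshadow's open_file_object().

    Returns:
        True when the open/close cycle completed without an exception,
        False otherwise. The outcome is also printed as (PASS) or (FAIL).
    """
    print(("Testing single open close of file-like object of: {0:s} "
           "with access: {1:s}\t").format(filename, get_mode_string(mode)))

    result = True
    try:
        # The context manager releases the descriptor on every path; the
        # original left the file open, also when pyvshadow raised.
        with open(filename, "rb") as file_object:
            vshadow_volume = pyvshadow.volume()
            vshadow_volume.open_file_object(file_object, mode)
            vshadow_volume.close()

    except Exception as exception:
        print(str(exception))
        result = False

    if not result:
        print("(FAIL)")
    else:
        print("(PASS)")
    return result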
def pyvshadow_test_multi_open_close_file(filename, mode):
    """Open and close a volume twice by path and report the outcome.

    Returns:
        True when both open/close cycles completed without an exception,
        False otherwise. The outcome is also printed as (PASS) or (FAIL).
    """
    print("Testing multi open close of: {0:s} with access: {1:s}\t".format(
        filename, get_mode_string(mode)))

    passed = True
    try:
        volume = pyvshadow.volume()
        # The second round checks that close() cleaned up properly.
        for _ in range(2):
            volume.open(filename, mode)
            volume.close()

    except Exception as exception:
        print(str(exception))
        passed = False

    print("(PASS)" if passed else "(FAIL)")
    return passed
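def test_open_file_object(self):
    """Tests the open_file_object function.

    Covers a successful open, a second open on an already-open volume, a
    missing file object and an unsupported mode.
    """
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    # The context manager closes the source file when the test ends or
    # fails; the original never closed it.
    with open(unittest.source, "rb") as file_object:
        vshadow_volume = pyvshadow.volume()

        vshadow_volume.open_file_object(file_object)

        # Opening an already-open volume must raise IOError.
        with self.assertRaises(IOError):
            vshadow_volume.open_file_object(file_object)

        vshadow_volume.close()

        # TODO: change IOError into TypeError
        with self.assertRaises(IOError):
            vshadow_volume.open_file_object(None)

        with self.assertRaises(ValueError):
            vshadow_volume.open_file_object(file_object, mode="w")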
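def test_get_store(self):
    """Tests the get_store function.

    Skipped when no source is configured, when an offset is set, or when the
    volume has no stores.
    """
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    with DataRangeFileObject(
            unittest.source, unittest.offset or 0, None) as file_object:
        vshadow_volume = pyvshadow.volume()
        vshadow_volume.open_file_object(file_object)
        try:
            if vshadow_volume.number_of_stores == 0:
                raise unittest.SkipTest("missing stores")

            # Fetch the last store of the volume.
            vshadow_store = vshadow_volume.get_store(
                vshadow_volume.number_of_stores - 1)
            self.assertIsNotNone(vshadow_store)

            # A negative store index must be rejected.
            with self.assertRaises(IOError):
                vshadow_volume.get_store(-1)
        finally:
            # Close the volume on the skip and assertion-failure paths too;
            # the original only closed it when every check passed.
            vshadow_volume.close()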
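def test_open_file_object(self):
    """Tests the open_file_object function.

    Covers a successful open, a second open on an already-open volume, a
    missing file object and an unsupported mode. Returns without testing
    when no source is configured.
    """
    if not unittest.source:
        return

    # The context manager closes the source file when the test ends or
    # fails; the original never closed it.
    with open(unittest.source, "rb") as file_object:
        vshadow_volume = pyvshadow.volume()

        vshadow_volume.open_file_object(file_object)

        # NOTE(review): a second open is asserted to raise MemoryError; the
        # IOError expectation was commented out in the original. Confirm
        # which exception is intended.
        # with self.assertRaises(IOError):
        with self.assertRaises(MemoryError):
            vshadow_volume.open_file_object(file_object)

        vshadow_volume.close()

        # TODO: change IOError into TypeError
        with self.assertRaises(IOError):
            vshadow_volume.open_file_object(None)

        with self.assertRaises(ValueError):
            vshadow_volume.open_file_object(file_object, mode="w")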
def test_read_buffer_file_object(self):
    """Tests the read_buffer function on a file-like object."""
    if not unittest.source or unittest.offset != 0:
        raise unittest.SkipTest("missing source")

    # NOTE(review): the volume is opened by path here, not through a
    # file-like object as the test name suggests; confirm the intent.
    volume = pyvshadow.volume()
    volume.open(unittest.source)

    if volume.number_of_stores > 0:
        store = volume.get_store(volume.number_of_stores - 1)
        self.assertIsNotNone(store)

        size = store.get_size()

        # A bounded read returns at most the requested number of bytes.
        chunk = store.read_buffer(size=4096)
        self.assertIsNotNone(chunk)
        self.assertEqual(len(chunk), min(size, 4096))

    volume.close()
def pyvshadow_test_single_open_close_file_object_with_dereference(
        filename, mode):
    """Open a volume from a file object, drop the local reference, close.

    The file is opened with the given mode, which is also passed to
    open_file_object(). The local name is deleted while the volume is still
    open, and the file is never closed explicitly.
    """
    handle = open(filename, mode)
    volume = pyvshadow.volume()
    volume.open_file_object(handle, mode)
    # Remove this function's reference before the volume is closed.
    del handle
    volume.close()
def test_close(self):
    """Tests the close function."""
    never_opened = pyvshadow.volume()

    # Closing a volume that was never opened must raise IOError.
    self.assertRaises(IOError, never_opened.close)
imagehandle = ewf_Img_Info(ewf_handle) elif (args.imagetype == "raw"): print "Raw Type" imagehandle = pytsk3.Img_Info(url=args.imagefile) partitionTable = pytsk3.Volume_Info(imagehandle) for partition in partitionTable: print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len try: filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512)) except: print "Partition has no supported file system" continue print "File System Type Dectected .",filesystemObject.info.ftype,"." if (str(filesystemObject.info.ftype) == "TSK_FS_TYPE_NTFS_DETECT"): print "NTFS DETECTED" volume = pyvshadow.volume() offset=(partition.start*512) fh = vss.VShadowVolume(args.imagefile, offset) count = vss.GetVssStoreCount(args.imagefile, offset) if (count): vstore=0 volume.open_file_object(fh) while (vstore < count): store = volume.get_store(vstore) img = vss.VShadowImgInfo(store) vssfilesystemObject = pytsk3.FS_Info(img) vssdirectoryObject = vssfilesystemObject.open_dir(path=dirPath) print "Directory:","vss",str(vstore),dirPath directoryRecurse(vssdirectoryObject,['vss',str(vstore)]) vstore = vstore + 1 #Capture the live volume
def test_signal_abort(self):
    """Tests the signal_abort function."""
    # Passes as long as signal_abort() on a fresh, unopened volume does not
    # raise; nothing else is asserted.
    fresh_volume = pyvshadow.volume()
    fresh_volume.signal_abort()
def pyvshadow_test_multi_open_close_file(filename, mode):
    """Open and close a volume twice by path.

    The second round checks that the first close() left the volume reusable.
    Any exception from pyvshadow propagates to the caller.
    """
    volume = pyvshadow.volume()
    for _ in range(2):
        volume.open(filename, mode)
        volume.close()