def _preprocess(self, _, required_states): # Late loading the partition processor to avoid loading dfVFS unnecessarily. from turbinia.processors import partitions # We need to enumerate partitions in preprocessing so the path_specs match # the parent evidence location for each task. try: # We should only get one path_spec here since we're specifying the location. path_specs = partitions.Enumerate(self.parent_evidence, self.partition_location) except TurbiniaException as e: log.error(e) if len(path_specs) > 1: path_specs_dicts = [ path_spec.CopyToDict() for path_spec in path_specs ] raise TurbiniaException( 'Found more than one path_spec for {0:s} {1:s}: {2!s}'.format( self.parent_evidence.name, self.partition_location, path_specs_dicts)) elif len(path_specs) == 1: self.path_spec = path_specs[0] log.debug('Found path_spec {0!s} for parent evidence {1:s}'.format( self.path_spec.CopyToDict(), self.parent_evidence.name)) else: raise TurbiniaException( 'Could not find path_spec for location {0:s}'.format( self.partition_location)) # In attaching a partition, we create a new loopback device using the # partition offset and size. if EvidenceState.ATTACHED in required_states or self.has_child_evidence: # Check for encryption encryption_type = partitions.GetPartitionEncryptionType( self.path_spec) if encryption_type == 'BDE': self.device_path = mount_local.PreprocessBitLocker( self.parent_evidence.device_path, partition_offset=self.partition_offset, credentials=self.parent_evidence.credentials) if not self.device_path: log.error('Could not decrypt partition.') else: self.device_path = mount_local.PreprocessLosetup( self.parent_evidence.device_path, partition_offset=self.partition_offset, partition_size=self.partition_size, lv_uuid=self.lv_uuid) if self.device_path: self.state[EvidenceState.ATTACHED] = True self.local_path = self.device_path if EvidenceState.MOUNTED in required_states or self.has_child_evidence: self.mount_path = mount_local.PreprocessMountPartition( self.device_path, self.path_spec.type_indicator) if self.mount_path: self.local_path = self.mount_path self.state[EvidenceState.MOUNTED] = True
def testEnumerateOnBDE(self): """Test Enumerate on BDE.""" test_path = self._getTestDataPath('bdetogo.raw') test_evidence = evidence.RawDisk(source_path=test_path) # Test without credentials with self.assertRaises(TurbiniaException): partitions.Enumerate(test_evidence) # Test with bad credentials test_evidence.credentials = [('password', 'bde!TEST')] with self.assertRaises(TurbiniaException): partitions.Enumerate(test_evidence) # Test with good credentials test_evidence.credentials = [('password', 'bde-TEST')] path_specs = partitions.Enumerate(test_evidence) self.assertEqual(len(path_specs), 2)
def testEnumerateOnEncryptedAPFS(self): """Test Enumerate on encrypted APFS.""" test_path = self._getTestDataPath('apfs_encrypted.dmg') test_evidence = evidence.RawDisk(source_path=test_path) # Test without credentials with self.assertRaises(TurbiniaException): partitions.Enumerate(test_evidence) # Test with bad credentials test_evidence.credentials = [('password', 'apfs!TEST')] with self.assertRaises(TurbiniaException): partitions.Enumerate(test_evidence) # Test with good credentials test_evidence.credentials = [('password', 'apfs-TEST')] path_specs = partitions.Enumerate(test_evidence) self.assertEqual(len(path_specs), 1)
def run(self, evidence, result): """Scan a raw disk for partitions. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ # TODO(dfjxs): Use evidence name instead of evidence_description (#718) evidence_description = None if hasattr(evidence, 'embedded_path'): evidence_description = ':'.join( (evidence.disk_name, evidence.embedded_path)) elif hasattr(evidence, 'disk_name'): evidence_description = evidence.disk_name else: evidence_description = evidence.source_path result.log( 'Scanning [{0:s}] for partitions'.format(evidence_description)) path_specs = [] success = False try: path_specs = partitions.Enumerate(evidence) status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format( len(path_specs), evidence_description) except dfvfs_errors.ScannerError as e: status_summary = 'Error scanning for partitions: {0!s}'.format(e) status_report = [fmt.heading4(status_summary)] try: for path_spec in path_specs: partition_evidence, partition_status = self._ProcessPartition( path_spec) status_report.extend(partition_status) result.add_evidence(partition_evidence, evidence.config) status_report = '\n'.join(status_report) success = True except TurbiniaException as e: status_summary = 'Error enumerating partitions: {0!s}'.format(e) status_report = status_summary result.log( 'Scanning of [{0:s}] is complete'.format(evidence_description)) result.report_priority = Priority.LOW result.report_data = status_report result.close(self, success=success, status=status_summary) return result
def testEnumerateOnPartitionedImage(self): """Test Enumerate on partitioned image.""" test_path = self._getTestDataPath('mbr.raw') test_evidence = evidence.RawDisk(source_path=test_path) path_specs = partitions.Enumerate(test_evidence) self.assertEqual(len(path_specs), 2) # Test GetPathSpecByLocation path_spec = partitions.GetPathSpecByLocation(path_specs, '/p1') self.assertIsNotNone(path_spec)
def _preprocess(self, _, required_states): # Late loading the partition processor to avoid loading dfVFS unnecessarily. from turbinia.processors import partitions # We need to enumerate partitions in preprocessing so the path_specs match # the parent evidence location for each task. try: path_specs = partitions.Enumerate(self.parent_evidence) except TurbiniaException as e: log.error(e) path_spec = partitions.GetPathSpecByLocation(path_specs, self.partition_location) if path_spec: self.path_spec = path_spec # In attaching a partition, we create a new loopback device using the # partition offset and size. if EvidenceState.ATTACHED in required_states or self.has_child_evidence: # Check for encryption encryption_type = partitions.GetPartitionEncryptionType(path_spec) if encryption_type == 'BDE': self.device_path = mount_local.PreprocessBitLocker( self.parent_evidence.device_path, partition_offset=self.partition_offset, credentials=self.parent_evidence.credentials) if not self.device_path: log.error('Could not decrypt partition.') else: self.device_path = mount_local.PreprocessLosetup( self.parent_evidence.device_path, partition_offset=self.partition_offset, partition_size=self.partition_size, lv_uuid=self.lv_uuid) if self.device_path: self.state[EvidenceState.ATTACHED] = True self.local_path = self.device_path if EvidenceState.MOUNTED in required_states or self.has_child_evidence: self.mount_path = mount_local.PreprocessMountPartition( self.device_path, self.path_spec.type_indicator) if self.mount_path: self.local_path = self.mount_path self.state[EvidenceState.MOUNTED] = True
def testEnumerateOnRaw(self): """Test Enumerate on raw image.""" test_path = self._getTestDataPath('ext2.raw') test_evidence = evidence.RawDisk(source_path=test_path) path_specs = partitions.Enumerate(test_evidence) self.assertEqual(len(path_specs), 1)
def testEnumerateOnPartitionedImage(self): """Test Enumerate on partitioned image.""" test_path = self._getTestDataPath('mbr.raw') test_evidence = evidence.RawDisk(source_path=test_path) path_specs = partitions.Enumerate(test_evidence) self.assertEqual(len(path_specs), 2)