How to use the pytsk3.FS_Info function in pytsk3
To help you get started, we’ve selected a few pytsk3 examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
dlcowen / dfirwizard / dfirwizard-v10.py View on Github 
args = argparser.parse_args()
if not admin.isUserAdmin():
admin.runAsAdmin()
sys.exit()
dirPath = args.path
if not args.search == '.*':
print "Search Term Provided",args.search
outfile = open(args.output,'w')
outfile.write('"Inode","Full Path","Creation Time","Size","MD5 Hash","SHA1 Hash"\n')
wr = csv.writer(outfile, quoting=csv.QUOTE_ALL)
partitionList = psutil.disk_partitions()
for partition in partitionList:
imagehandle = pytsk3.Img_Info('\\\\.\\'+partition.device.strip("\\"))
if 'NTFS' in partition.fstype:
filesystemObject = pytsk3.FS_Info(imagehandle)
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
directoryRecurse(directoryObject,[])def __init__(self, img, vol_info, volume, url):
SemanticEngineVolume.__init__(self, img, vol_info, volume, url)
# Try to open the file system
try:
file_system = pytsk3.FS_Info(self.IMG, self.OFFSET_BYTES, pytsk3.TSK_FS_TYPE_DETECT)
except IOError:
# If we couldn't find a file system, return None
logger.error("Could not load file system with pyTSK at offset %d" % self.VOLUME_OFFSET)
self.NON_FILESYSTEM = True
return
self.fs_block_to_file = {}
self.fs_file_to_path = {}
self.FILE_SYSTEM = file_system
self.ROOT_INUM = file_system.info.root_inum
first_inum = file_system.info.first_inum
last_inum = file_system.info.last_inum
offset = file_system.info.offset
self.BLOCK_COUNT = file_system.info.block_count
self.BLOCK_SIZE = file_system.info.block_sizetry:
img = pytsk3.Img_Info(phyDrive) # open the physical drive
volume = pytsk3.Volume_Info(img) # get volume information
except OSError as e:
if "file not found" in str(e):
raise Exception("PHYSICAL_DRIVE_NOT_FOUND")
else:
raise Exception(str(e))
# for each volume in the drive, check if it is NTFS and open object to handle it
for part in volume:
try:
self.logging("INFO" , "Check partition: desc{0:s}, offset{1:d}, size:{2:d}".format( part.desc.decode('utf-8') ,part.start , part.len ) )
fs_info = pytsk3.FS_Info(img , offset=part.start * block_size )
# check if file system is NTFS
if fs_info.info.ftype in [pytsk3.TSK_FS_TYPE_NTFS, pytsk3.TSK_FS_TYPE_NTFS_DETECT]:
list_fs_info.append(fs_info)
except Exception as e :
pass
return list_fs_infodef _update_file_system(self, sector, sector_count, data):
# update the shadow image
self.IMG.write(sector, sector_count, data)
# Reload our filesystem to wipe away caches
self.FILE_SYSTEM = pytsk3.FS_Info(self.IMG, self.OFFSET_BYTES, pytsk3.TSK_FS_TYPE_DETECT)def dump_filesystem(self, imgoff):
fd = AFF4ImgInfo(self.in_urn)
fs = pytsk3.FS_Info(fd, offset = imgoff)
self.blocksize = fs.info.block_size
self.dump_directory(fs.open_dir("/"))if self.apfs_container_only:
size = self.mac_info.apfs_container_size
for volume in self.mac_info.apfs_container.volumes:
used_space = '{:.2f} GB'.format(float(volume.container.block_size * volume.num_blocks_used / (1024*1024*1024.0)))
vol = Vol_Info(volume.volume_name, size, used_space, 'APFS', 0, self.IsApfsBootVolume(volume))
self.volumes.append(vol)
else:
for part in self.mac_info.vol_info:
if (int(part.flags) & pytsk3.TSK_VS_PART_FLAG_ALLOC):
partition_start_offset = self.block_size * part.start
partition_size_in_sectors = part.len
file_system = 'Unknown'
part_is_apfs = False
used_space = ''
try:
fs = pytsk3.FS_Info(self.img, offset=partition_start_offset)
fs_info = fs.info # TSK_FS_INFO
fs_type = str(fs_info.ftype)[12:]
if fs_type.find("_") > 0: fs_type = fs_type[0:fs_type.find("_")]
file_system = fs_type
if file_system == 'HFS' and self.mac_info.osx_partition_start_offset == partition_start_offset: # For macOS partition only
hfs_info = self.mac_info.hfs_native.GetVolumeInfo()
used_space = '{:.2f} GB'.format(float(hfs_info.block_size * (hfs_info.total_blocks - hfs_info.free_blocks) / (1024*1024*1024.0)))
except Exception as ex:
if self.mac_info.is_apfs and partition_start_offset == self.mac_info.osx_partition_start_offset:
part_is_apfs = True
for volume in self.mac_info.apfs_container.volumes:
used_space = '{:.2f} GB'.format(float(volume.container.block_size * volume.num_blocks_used / (1024*1024*1024.0)))
vol = Vol_Info(volume.volume_name,
partition_size_in_sectors * self.block_size,
used_space, 'APFS',
partition_start_offset,print "Partition has no supported file system"
continue
print "File System Type Dectected .",filesystemObject.info.ftype,"."
if (str(filesystemObject.info.ftype) == "TSK_FS_TYPE_NTFS_DETECT"):
print "NTFS DETECTED"
volume = pyvshadow.volume()
offset=(partition.start*512)
fh = vss.VShadowVolume(args.imagefile, offset)
count = vss.GetVssStoreCount(args.imagefile, offset)
if (count):
vstore=0
volume.open_file_object(fh)
while (vstore < count):
store = volume.get_store(vstore)
img = vss.VShadowImgInfo(store)
vssfilesystemObject = pytsk3.FS_Info(img)
vssdirectoryObject = vssfilesystemObject.open_dir(path=dirPath)
print "Directory:","vss",str(vstore),dirPath
directoryRecurse(vssdirectoryObject,['vss',str(vstore)])
vstore = vstore + 1
#Capture the live volume
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
directoryRecurse(directoryObject,[])
else:
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
directoryRecurse(directoryObject,[])self._root = None
# Unix Device
if self._path.startswith('/'):
self._device = device
else:
# On Windows, we need a specific format '\\.\:'
self._device = r"\\.\{}:".format(device[0])
# Cache parsed entries for better performances
self._entries_cache = {}
self._entries_cache_last = []
# Open drive
img_info = pytsk3.Img_Info(self._device)
self._fs_info = pytsk3.FS_Info(img_info)
self._root = self._fs_info.open_dir('')
super().__init__()def process(image_path, output, format):
"""Processing entry point"""
imagehandle = pytsk3.Img_Info(url=image_path)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
try:
filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512))
except:
print "Partition has no supported file system"
continue
print "File System Type Detected .",filesystemObject.info.ftype,"."
if (str(filesystemObject.info.ftype) == "TSK_FS_TYPE_NTFS_DETECT"):
print "NTFS DETECTED"
# Process the hives in a specific order so that the
# data can be correctly matched between the hives
try:
filesystemObject.open("/Windows")
except:
print "No Windows directory, skipping"
continue
process_registry_hive(filesystemObject, Registry.HiveType.SYSTEM)
process_registry_hive(filesystemObject, Registry.HiveType.SOFTWARE)
process_registry_hive(filesystemObject, Registry.HiveType.NTUSER)
Popular pytsk3 functions
- pytsk3.FS_Info
- pytsk3.get_version
- pytsk3.Img_Info
- pytsk3.Img_Info.__init__
- pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA
- pytsk3.TSK_FS_META_FLAG_ALLOC
- pytsk3.TSK_FS_META_TYPE_BLK
- pytsk3.TSK_FS_META_TYPE_CHR
- pytsk3.TSK_FS_META_TYPE_DIR
- pytsk3.TSK_FS_META_TYPE_FIFO
- pytsk3.TSK_FS_META_TYPE_LNK
- pytsk3.TSK_FS_META_TYPE_REG
- pytsk3.TSK_FS_META_TYPE_SOCK
- pytsk3.TSK_FS_NAME_TYPE_BLK
- pytsk3.TSK_FS_NAME_TYPE_DIR
- pytsk3.TSK_FS_NAME_TYPE_REG
- pytsk3.TSK_FS_TYPE_UNSUPP
- pytsk3.TSK_IMG_TYPE_EXTERNAL
- pytsk3.TSK_VS_PART_FLAG_ALLOC
- pytsk3.Volume_Info