Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
help='Pass this option to extract files found'
)
args = argparser.parse_args()
if not admin.isUserAdmin():
admin.runAsAdmin()
sys.exit()
dirPath = args.path
if not args.search == '.*':
print "Search Term Provided",args.search
outfile = open(args.output,'w')
outfile.write('"Inode","Full Path","Creation Time","Size","MD5 Hash","SHA1 Hash"\n')
wr = csv.writer(outfile, quoting=csv.QUOTE_ALL)
partitionList = psutil.disk_partitions()
for partition in partitionList:
imagehandle = pytsk3.Img_Info('\\\\.\\'+partition.device.strip("\\"))
if 'NTFS' in partition.fstype:
filesystemObject = pytsk3.FS_Info(imagehandle)
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
directoryRecurse(directoryObject,[])
g = globals()
stat_info = os.stat("usbfor.py") #find user's uid to appropriately call cuckoo
luid = stat_info.st_uid
lgid = stat_info.st_gid
cuckoopath = '/home/{0}/.cuckoo/'.format(pwd.getpwuid(luid)[0])
pid = os.fork()
if pid == 0:
try:
if args.d is not None:
for a in args.d:
os.setgid(lgid)
os.setuid(luid) ##statically set uid change to dynamic
print '[+] Carving files from image'
z = a.split('/')[-1]
imghandle = pytsk3.Img_Info(a)
filesystemObject = pytsk3.FS_Info(imghandle)
dirObject = filesystemObject.open_dir(path="/")
recursive_extract(dirObject,[],a,z)
g['acid_{0}'.format(z)] = []
print "[+] Completed carving files from image"
print "[+] Submitting all files found to Cuckoo"
ddpid = subprocess.Popen(['cuckoo','submit','Carved_files_{0}/'.format(z)],stdout=subprocess.PIPE)
stoutdd = ddpid.communicate()
print "[+] Completed submitting files to cuckoo"
for cpid in stoutdd[0].split('\n'):
print cpid
g['acid_{0}'.format(z)].append(cpid.split(' ')[-1].replace("#",""))
g['acid_{0}'.format(z)].pop()
#print analysis information
while True:
img = None
found_osx = False
mac_info = None
time_processing_started = time.time()
try:
if args.input_type.upper() == 'E01':
img = GetImgInfoObjectForE01(args.input_path) # Use this function instead of pytsk3.Img_Info()
mac_info = macinfo.MacInfo(output_params)
elif args.input_type.upper() == 'VMDK':
img = GetImgInfoObjectForVMDK(args.input_path) # Use this function instead of pytsk3.Img_Info()
mac_info = macinfo.MacInfo(output_params)
elif args.input_type.upper() == 'AFF4':
img = GetImgInfoObjectForAff4(args.input_path) # Use this function instead of pytsk3.Img_Info()
mac_info = macinfo.MacInfo(output_params)
elif args.input_type.upper() == 'DD':
img = pytsk3.Img_Info(args.input_path) # Works for split dd images too! Works for DMG too, if no compression/encryption is used!
mac_info = macinfo.MacInfo(output_params)
elif args.input_type.upper() == 'MOUNTED':
if os.path.isdir(args.input_path):
mac_info = macinfo.MountedMacInfo(args.input_path, output_params)
found_osx = FindOsxFiles(mac_info)
else:
Exit("Exiting -> Cannot browse mounted image at " + args.input_path)
log.info("Opened image " + args.input_path)
except Exception as ex:
log.error("Failed to load image. Error Details are: " + str(ex))
Exit()
if args.input_type.upper() != 'MOUNTED':
mac_info.use_native_hfs_parser = True #False if args.use_tsk else True
try:
mac_info.pytsk_image = img
def scan_disk(disk_url, scan_file_dir):
"""
Scans a physical disk at disk_url, creates
a scan file and saves it at scan_file_dir
Scan file can be converted into a SemanticDiskEngine object, but only NTFS volumes will have any data at all,
and only metadata.
"""
# make the dir if it doesn't exist
if not os.path.exists(scan_file_dir):
os.makedirs(scan_file_dir)
# open up the image
img = pytsk3.Img_Info(url=disk_url)
# get the volume info
VOL_INFO = pytsk3.Volume_Info(img)
# print out some info about the disk image
logger.debug("--- Volume info ---")
logger.debug("Current: %d" % VOL_INFO.current)
logger.debug("VS Type: %d" % VOL_INFO.info.vstype)
logger.debug("Offset: %d" % VOL_INFO.info.offset)
logger.debug("Block Size: %d" % VOL_INFO.info.block_size)
logger.debug("Endian: %d" % VOL_INFO.info.endian)
logger.debug("Partition List: %s" % VOL_INFO.info.part_list)
logger.debug("Parition Count: %d" % VOL_INFO.info.part_count)
logger.debug("--- Volume info ---")
# Sample program or step 12 in becoming a DFIR Wizard!
# No license as this code is simple and free!
# Goes with blog post http://www.hecfblog.com/2015/05/automating-dfir-how-to-series-on_24.html
import sys
import pytsk3
import datetime
import pyewf
import argparse
import hashlib
import csv
import os
import re
import vss
import pyvshadow
class ewf_Img_Info(pytsk3.Img_Info):
def __init__(self, ewf_handle):
self._ewf_handle = ewf_handle
super(ewf_Img_Info, self).__init__(
url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
def close(self):
self._ewf_handle.close()
def read(self, offset, size):
self._ewf_handle.seek(offset)
return self._ewf_handle.read(size)
def get_size(self):
return self._ewf_handle.get_media_size()
def directoryRecurse(directoryObject, parentPath):
def GetVolumes(self, phyDrive = "\\\\.\\PhysicalDrive0"):
list_fs_info = [] # contain the file system object
block_size = 512 # by default block size is 512
try:
img = pytsk3.Img_Info(phyDrive) # open the physical drive
volume = pytsk3.Volume_Info(img) # get volume information
except OSError as e:
if "file not found" in str(e):
raise Exception("PHYSICAL_DRIVE_NOT_FOUND")
else:
raise Exception(str(e))
# for each volume in the drive, check if it is NTFS and open object to handle it
for part in volume:
try:
self.logging("INFO" , "Check partition: desc{0:s}, offset{1:d}, size:{2:d}".format( part.desc.decode('utf-8') ,part.start , part.len ) )
fs_info = pytsk3.FS_Info(img , offset=part.start * block_size )
# check if file system is NTFS
if fs_info.info.ftype in [pytsk3.TSK_FS_TYPE_NTFS, pytsk3.TSK_FS_TYPE_NTFS_DETECT]:
list_fs_info.append(fs_info)
try:
url = args[0]
except IndexError:
error("You must specify an image (try '%s -h' for help)" % sys.argv[0])
if len(args)==2:
inode = int(args[1])
else:
error("You must have exactly two arguements provided")
## Now open and read the file specified
## Step 1: get an IMG_INFO object (url can be any URL that AFF4 can
## handle)
img = pytsk3.Img_Info(url)
## Step 2: Open the filesystem
fs = pytsk3.FS_Info(img)
## Step 3: Open the file using the inode
f = fs.open_meta(inode = inode)
## Step 4: Read all the data and print to stdout
offset = 0
size = f.info.meta.size
BUFF_SIZE = 1024 * 1024
while offset < size:
available_to_read = min(BUFF_SIZE, size - offset)
data = f.read_random(offset, available_to_read)
if not data: break
source_path: Path of the source file or directory.
byte_offset: Optional byte offset into the image file if this is a disk
image. The default is 0.
store_number: Optional VSS store index number. The default is None.
Raises:
errors.UnableToOpenFilesystem: If it is not able to open the filesystem.
"""
if store_number is not None:
raise errors.UnableToOpenFilesystem(u'Unsupported store number.')
self._source_path = source_path
self._byte_offset = byte_offset
try:
self._tsk_img = pytsk3.Img_Info(self._source_path)
except IOError as e:
raise errors.UnableToOpenFilesystem(
u'Unable to open image file with error: {0:s}'.format(e))
try:
self.tsk_fs = pytsk3.FS_Info(self._tsk_img, offset=self._byte_offset)
except IOError as e:
raise errors.UnableToOpenFilesystem(
u'Unable to open file system with error: {0:s}'.format(e))