if entryObject.info.name.name in [".", ".."]:
continue
#print entryObject.info.name.name
try:
f_type = entryObject.info.name.type
size = entryObject.info.meta.size
except Exception as error:
#print "Cannot retrieve type or size of",entryObject.info.name.name
#print error.message
continue
try:
filepath = '/%s/%s' % ('/'.join(parentPath),entryObject.info.name.name)
outputPath ='./%s/' % ('/'.join(parentPath))
if f_type == pytsk3.TSK_FS_NAME_TYPE_DIR:
sub_directory = entryObject.as_directory()
#print "Entering Directory: %s" % filepath
parentPath.append(entryObject.info.name.name)
directoryRecurse(sub_directory,parentPath)
parentPath.pop(-1)
#print "Leaving Directory: %s" % filepath
elif f_type == pytsk3.TSK_FS_NAME_TYPE_REG and entryObject.info.meta.size != 0:
searchResult = re.match(args.search,entryObject.info.name.name)
if not searchResult:
continue
#print "File:",parentPath,entryObject.info.name.name,entryObject.info.meta.size
BUFF_SIZE = 1024 * 1024
offset=0
return [True, result]
except Exception as e:
return [False, "Plugin Services Failed, reason: " + str(e)]
class Hoarder:
# Verbosity level (0 = quiet); a class-level default shared by all instances.
verbose = 0
# NOTE(review): a mutable list bound on the class is shared by every Hoarder
# instance, so any in-place append to self.options leaks state between
# objects. Confirm it is re-bound per instance (e.g. in __init__).
options = []
# NOTE(review): Plugins() is constructed once, when the class body executes at
# import time, and is shared by all instances. Confirm that is intended.
plugins = Plugins()
# Single-letter codes for TSK directory-entry (name) types, in the style of an
# fls/ls listing.
# NOTE(review): I believe TSK's own fls output prints "s" for SOCK and "h" for
# SHAD -- the reverse of this table. Confirm before comparing these codes
# against fls output.
FILE_TYPE_LOOKUP = {
    pytsk3.TSK_FS_NAME_TYPE_UNDEF: "-",
    pytsk3.TSK_FS_NAME_TYPE_FIFO: "p",
    pytsk3.TSK_FS_NAME_TYPE_CHR: "c",
    pytsk3.TSK_FS_NAME_TYPE_DIR: "d",
    pytsk3.TSK_FS_NAME_TYPE_BLK: "b",
    pytsk3.TSK_FS_NAME_TYPE_REG: "r",
    pytsk3.TSK_FS_NAME_TYPE_LNK: "l",
    pytsk3.TSK_FS_NAME_TYPE_SOCK: "h",
    pytsk3.TSK_FS_NAME_TYPE_SHAD: "s",
    pytsk3.TSK_FS_NAME_TYPE_WHT: "w",
    pytsk3.TSK_FS_NAME_TYPE_VIRT: "v"
}
# ==========
# parameters:
# config_file: path to the YAML config file
# options: options for the collected files and plugins
# enabled_verbose: level of information to print
# output: output file name
# compress_level: compression level
continue
#print entryObject.info.name.name
try:
f_type = entryObject.info.name.type
size = entryObject.info.meta.size
except Exception as error:
print "Cannot retrieve type or size of",entryObject.info.name.name
print error.message
continue
try:
filepath = '/%s/%s' % ('/'.join(parentPath),entryObject.info.name.name)
outputPath ='./%s/' % ('/'.join(parentPath))
if f_type == pytsk3.TSK_FS_NAME_TYPE_DIR:
sub_directory = entryObject.as_directory()
print "Entering Directory: %s" % filepath
parentPath.append(entryObject.info.name.name)
directoryRecurse(sub_directory,parentPath)
parentPath.pop(-1)
print "Leaving Directory: %s" % filepath
elif f_type == pytsk3.TSK_FS_NAME_TYPE_REG and entryObject.info.meta.size != 0:
searchResult = re.match(args.search,entryObject.info.name.name)
if not searchResult:
continue
#print "File:",parentPath,entryObject.info.name.name,entryObject.info.meta.size
BUFF_SIZE = 1024 * 1024
offset=0
md5hash = hashlib.md5()
for f in directory:
filename = f.info.name.name
if filename in [".", ".."]:
continue
abs_filename = os.path.join(parent_path, filename)
# add to our inode -> path mapping if this file entry has an MFT number
if f.info.meta:
inode = f.info.meta.addr
self.fs_inode_to_path[inode] = abs_filename
if f.info.name.type == pytsk3.TSK_FS_NAME_TYPE_DIR and f.info.meta:
self._parse_paths(f.as_directory(), parent_path=abs_filename)
# anyway
return 1e12
class TSKFile(vfs_base.VFSHandler):
"""Read a regular file."""
# The PathSpec path type this VFS handler serves.
supported_pathtype = rdf_paths.PathSpec.PathType.TSK
# presumably picked up by VFSHandler's registration machinery -- confirm
auto_register = True
# A mapping to encode TSK directory-entry (name) types to the file-type bits
# of a stat.st_mode. UNDEF deliberately yields 0 (no type bits set).
# NOTE(review): the SHAD, WHT and VIRT name types have no entry here, so a
# direct [] lookup on them would raise KeyError -- confirm callers use .get()
# or never see those types.
FILE_TYPE_LOOKUP = {
    pytsk3.TSK_FS_NAME_TYPE_UNDEF: 0,
    pytsk3.TSK_FS_NAME_TYPE_FIFO: stat.S_IFIFO,
    pytsk3.TSK_FS_NAME_TYPE_CHR: stat.S_IFCHR,
    pytsk3.TSK_FS_NAME_TYPE_DIR: stat.S_IFDIR,
    pytsk3.TSK_FS_NAME_TYPE_BLK: stat.S_IFBLK,
    pytsk3.TSK_FS_NAME_TYPE_REG: stat.S_IFREG,
    pytsk3.TSK_FS_NAME_TYPE_LNK: stat.S_IFLNK,
    pytsk3.TSK_FS_NAME_TYPE_SOCK: stat.S_IFSOCK,
}
# The same encoding for TSK metadata (inode) types.
# NOTE(review): BLK maps to 0 here but to stat.S_IFBLK in FILE_TYPE_LOOKUP
# above; the 0 looks like a slip and probably should be stat.S_IFBLK. Confirm
# before changing, since st_mode consumers may depend on the current value.
# UNDEF, SHAD, WHT and VIRT are absent here too (see the note above).
META_TYPE_LOOKUP = {
    pytsk3.TSK_FS_META_TYPE_BLK: 0,
    pytsk3.TSK_FS_META_TYPE_CHR: stat.S_IFCHR,
    pytsk3.TSK_FS_META_TYPE_DIR: stat.S_IFDIR,
    pytsk3.TSK_FS_META_TYPE_FIFO: stat.S_IFIFO,
    pytsk3.TSK_FS_META_TYPE_LNK: stat.S_IFLNK,
    pytsk3.TSK_FS_META_TYPE_REG: stat.S_IFREG,
    pytsk3.TSK_FS_META_TYPE_SOCK: stat.S_IFSOCK,
}
Parse the full paths of our file entries
"""
for f in directory:
filename = f.info.name.name
if filename in [".", ".."]:
continue
abs_filename = os.path.join(parent_path,filename)
# add to our inode -> path mapping if this file entry has an MFT number
if f.info.meta:
inode = f.info.meta.addr
self.fs_inode_to_path[inode] = abs_filename
if f.info.name.type == pytsk3.TSK_FS_NAME_TYPE_DIR and f.info.meta:
self._parse_paths(f.as_directory(), parent_path=abs_filename)
"""File operations using the Sleuthkit.
These client actions are designed to maintain the client's Virtual File System
(VFS) view.
"""
import os
import pytsk3
from rekall.plugins.common.efilter_plugins import helpers
from rekall_agent.client_actions import files
# Single-letter codes for TSK directory-entry (name) types, fls/ls style.
# NOTE(review): I believe TSK's own fls output prints "s" for SOCK and "h" for
# SHAD -- the reverse of this table. Confirm before matching against fls.
# NOTE(review): META_TYPE_LOOKUP below maps TSK_FS_META_TYPE_LNK to "h", while
# this table maps the name-type LNK to "l"; one of the two looks wrong --
# confirm which code the consumers of these tables expect.
FILE_TYPE_LOOKUP = {
    pytsk3.TSK_FS_NAME_TYPE_UNDEF: "-",
    pytsk3.TSK_FS_NAME_TYPE_FIFO: "p",
    pytsk3.TSK_FS_NAME_TYPE_CHR: "c",
    pytsk3.TSK_FS_NAME_TYPE_DIR: "d",
    pytsk3.TSK_FS_NAME_TYPE_BLK: "b",
    pytsk3.TSK_FS_NAME_TYPE_REG: "r",
    pytsk3.TSK_FS_NAME_TYPE_LNK: "l",
    pytsk3.TSK_FS_NAME_TYPE_SOCK: "h",
    pytsk3.TSK_FS_NAME_TYPE_SHAD: "s",
    pytsk3.TSK_FS_NAME_TYPE_WHT: "w",
    pytsk3.TSK_FS_NAME_TYPE_VIRT: "v"
}
META_TYPE_LOOKUP = {
pytsk3.TSK_FS_META_TYPE_REG: "r",
pytsk3.TSK_FS_META_TYPE_DIR: "d",
pytsk3.TSK_FS_META_TYPE_FIFO: "p",
pytsk3.TSK_FS_META_TYPE_CHR: "c",
pytsk3.TSK_FS_META_TYPE_BLK: "b",
pytsk3.TSK_FS_META_TYPE_LNK: "h",
'''
Returns the files and/or folders found directly under 'path' as a list of dictionaries
Format of list = [ { 'name':'got.txt', 'type':EntryType.FILES, 'size':10, 'dates': {} }, .. ]
'path' should be linux style using forward-slash like '/var/db/xxyy/file.tdc'
'''
if self.use_native_hfs_parser:
return self.hfs_native.ListItemsInFolder(path, types_to_fetch, include_dates)
items = [] # List of dictionaries
try:
dir = self.macos_FS.open_dir(path)
for entry in dir:
name = self._GetName(entry)
if name == "": continue
elif name == "." or name == "..": continue
elif not self._IsValidFileOrFolderEntry(entry): continue # this filters for allocated files and folders only
entry_type = EntryType.FOLDERS if entry.info.name.type == pytsk3.TSK_FS_NAME_TYPE_DIR else EntryType.FILES
if include_dates:
path_no_trailing_slash = path.rstrip('/')
item = { 'name':name, 'type':entry_type, 'size':self._GetSize(entry), 'dates': self.GetFileMACTimes(path_no_trailing_slash + '/' + name) }
else:
item = { 'name':name, 'type':entry_type, 'size':self._GetSize(entry) }
if types_to_fetch == EntryType.FILES_AND_FOLDERS:
items.append( item )
elif types_to_fetch == EntryType.FILES and entry_type == EntryType.FILES:
items.append( item )
elif types_to_fetch == EntryType.FOLDERS and entry_type == EntryType.FOLDERS:
items.append( item )
except Exception as ex:
if str(ex).find('tsk_fs_dir_open: path not found'):
log.debug("Path not found : " + path)
else:
continue
#print entryObject.info.name.name
try:
f_type = entryObject.info.name.type
size = entryObject.info.meta.size
except Exception as error:
print "Cannot retrieve type or size of",entryObject.info.name.name
print error.message
continue
try:
filepath = parentPath + entryObject.info.name.name
outputPath = parentPath
if f_type == pytsk3.TSK_FS_NAME_TYPE_DIR:
sub_directory = entryObject.as_directory()
print "Entering Directory: %s" % filepath
#parentPath.append(entryObject.info.name.name)
#directoryRecurse(sub_directory,parentPath)
#parentPath.pop(-1)
print "Leaving Directory: %s" % filepath
extract_file_from_image(filesystemObject, filepath+"/NTUSER.DAT" ,entryObject.info.name.name+"NTUSER")
registry = Registry.Registry(entryObject.info.name.name+"NTUSER")
process_mountpoints2(registry, entryObject.info.name.name+"NTUSER", entryObject.info.name.name)
elif f_type == pytsk3.TSK_FS_NAME_TYPE_REG and entryObject.info.meta.size == 0:
continue
else:
print "This went wrong",entryObject.info.name.name,f_type