class TSKFile(vfs_base.VFSHandler):
    """Read a regular file."""
    # Path type this handler serves.
    supported_pathtype = rdf_paths.PathSpec.PathType.TSK
    # NOTE(review): presumably opts the handler into a handler registry;
    # the registry code is not visible in this excerpt.
    auto_register = True
    # A mapping to encode TSK types to a stat.st_mode
    # (only the file-type bits, as in stat.S_IFMT; permission bits are not
    # represented). UNDEF maps to 0, i.e. no type bits set.
    FILE_TYPE_LOOKUP = {
        pytsk3.TSK_FS_NAME_TYPE_UNDEF: 0,
        pytsk3.TSK_FS_NAME_TYPE_FIFO: stat.S_IFIFO,
        pytsk3.TSK_FS_NAME_TYPE_CHR: stat.S_IFCHR,
        pytsk3.TSK_FS_NAME_TYPE_DIR: stat.S_IFDIR,
        pytsk3.TSK_FS_NAME_TYPE_BLK: stat.S_IFBLK,
        pytsk3.TSK_FS_NAME_TYPE_REG: stat.S_IFREG,
        pytsk3.TSK_FS_NAME_TYPE_LNK: stat.S_IFLNK,
        pytsk3.TSK_FS_NAME_TYPE_SOCK: stat.S_IFSOCK,
    }
    # Same st_mode encoding, keyed by the TSK *meta* type constants instead
    # of the *name* type constants.
    # NOTE(review): BLK maps to 0 here but to stat.S_IFBLK in
    # FILE_TYPE_LOOKUP above; confirm whether that asymmetry is intended,
    # since it makes block devices indistinguishable from "unknown" when
    # the mode is derived from the meta type.
    META_TYPE_LOOKUP = {
        pytsk3.TSK_FS_META_TYPE_BLK: 0,
        pytsk3.TSK_FS_META_TYPE_CHR: stat.S_IFCHR,
        pytsk3.TSK_FS_META_TYPE_DIR: stat.S_IFDIR,
        pytsk3.TSK_FS_META_TYPE_FIFO: stat.S_IFIFO,
        pytsk3.TSK_FS_META_TYPE_LNK: stat.S_IFLNK,
        pytsk3.TSK_FS_META_TYPE_REG: stat.S_IFREG,
        pytsk3.TSK_FS_META_TYPE_SOCK: stat.S_IFSOCK,
    }
# Files we won't return in directories.
BLACKLIST_FILES = [
except Exception as e:
return [False, "Plugin Services Failed, reason: " + str(e)]
class Hoarder:
    # Class-level defaults. These are evaluated once, when the class body
    # runs, and are shared by every instance unless an instance rebinds
    # them.
    # NOTE(review): `options` is a mutable list at class level; confirm no
    # code path appends to it in place, or the change leaks across
    # instances.
    verbose = 0
    options = []
    plugins = Plugins()
    # One-character code for each TSK directory-entry (name) type.
    # NOTE(review): SOCK is "h" and SHAD is "s" in this table; confirm that
    # is intended rather than a transcription slip, as "h" is not a
    # conventional socket marker.
    FILE_TYPE_LOOKUP = {
        pytsk3.TSK_FS_NAME_TYPE_UNDEF: "-",
        pytsk3.TSK_FS_NAME_TYPE_FIFO: "p",
        pytsk3.TSK_FS_NAME_TYPE_CHR: "c",
        pytsk3.TSK_FS_NAME_TYPE_DIR: "d",
        pytsk3.TSK_FS_NAME_TYPE_BLK: "b",
        pytsk3.TSK_FS_NAME_TYPE_REG: "r",
        pytsk3.TSK_FS_NAME_TYPE_LNK: "l",
        pytsk3.TSK_FS_NAME_TYPE_SOCK: "h",
        pytsk3.TSK_FS_NAME_TYPE_SHAD: "s",
        pytsk3.TSK_FS_NAME_TYPE_WHT: "w",
        pytsk3.TSK_FS_NAME_TYPE_VIRT: "v"
    }
# ==========
# parameters:
# config_file: path to the yaml config file
# options: options of collected files and plugins
# enabled_verbose: level of information to print
# output: output file name
# compress_level: compression level
# compress_method: compression method
# image_path: use a disk image instead of the system disk
filepath = parentPath + entryObject.info.name.name
outputPath = parentPath
if f_type == pytsk3.TSK_FS_NAME_TYPE_DIR:
sub_directory = entryObject.as_directory()
print "Entering Directory: %s" % filepath
#parentPath.append(entryObject.info.name.name)
#directoryRecurse(sub_directory,parentPath)
#parentPath.pop(-1)
print "Leaving Directory: %s" % filepath
extract_file_from_image(filesystemObject, filepath+"/NTUSER.DAT" ,entryObject.info.name.name+"NTUSER")
registry = Registry.Registry(entryObject.info.name.name+"NTUSER")
process_mountpoints2(registry, entryObject.info.name.name+"NTUSER", entryObject.info.name.name)
elif f_type == pytsk3.TSK_FS_NAME_TYPE_REG and entryObject.info.meta.size == 0:
continue
else:
print "This went wrong",entryObject.info.name.name,f_type
except IOError as e:
print e
continue
These client actions are designed to maintain the client's Virtual File System
(VFS) view.
"""
import os
import pytsk3
from rekall.plugins.common.efilter_plugins import helpers
from rekall_agent.client_actions import files
# One-character code for each TSK directory-entry (name) type.
# NOTE(review): SOCK is "h" here, whereas META_TYPE_LOOKUP below uses "h"
# for LNK and "s" for both SHAD and SOCK. The two tables therefore do not
# agree and the codes cannot be mapped back to a type unambiguously;
# confirm whether that is intended.
FILE_TYPE_LOOKUP = {
    pytsk3.TSK_FS_NAME_TYPE_UNDEF: "-",
    pytsk3.TSK_FS_NAME_TYPE_FIFO: "p",
    pytsk3.TSK_FS_NAME_TYPE_CHR: "c",
    pytsk3.TSK_FS_NAME_TYPE_DIR: "d",
    pytsk3.TSK_FS_NAME_TYPE_BLK: "b",
    pytsk3.TSK_FS_NAME_TYPE_REG: "r",
    pytsk3.TSK_FS_NAME_TYPE_LNK: "l",
    pytsk3.TSK_FS_NAME_TYPE_SOCK: "h",
    pytsk3.TSK_FS_NAME_TYPE_SHAD: "s",
    pytsk3.TSK_FS_NAME_TYPE_WHT: "w",
    pytsk3.TSK_FS_NAME_TYPE_VIRT: "v"
}
META_TYPE_LOOKUP = {
pytsk3.TSK_FS_META_TYPE_REG: "r",
pytsk3.TSK_FS_META_TYPE_DIR: "d",
pytsk3.TSK_FS_META_TYPE_FIFO: "p",
pytsk3.TSK_FS_META_TYPE_CHR: "c",
pytsk3.TSK_FS_META_TYPE_BLK: "b",
pytsk3.TSK_FS_META_TYPE_LNK: "h",
pytsk3.TSK_FS_META_TYPE_SHAD: "s",
pytsk3.TSK_FS_META_TYPE_SOCK: "s",
try:
filepath = '/%s/%s' % ('/'.join(parentPath),entryObject.info.name.name)
outputPath ='./%s/' % ('/'.join(parentPath))
if f_type == pytsk3.TSK_FS_NAME_TYPE_DIR:
sub_directory = entryObject.as_directory()
#print "Entering Directory: %s" % filepath
parentPath.append(entryObject.info.name.name)
directoryRecurse(sub_directory,parentPath)
parentPath.pop(-1)
#print "Leaving Directory: %s" % filepath
elif f_type == pytsk3.TSK_FS_NAME_TYPE_REG and entryObject.info.meta.size != 0:
searchResult = re.match(args.search,entryObject.info.name.name)
if not searchResult:
continue
#print "File:",parentPath,entryObject.info.name.name,entryObject.info.meta.size
BUFF_SIZE = 1024 * 1024
offset=0
md5hash = hashlib.md5()
sha1hash = hashlib.sha1()
if args.extract == True:
if not os.path.exists(outputPath):
os.makedirs(outputPath)
extractFile = open(outputPath+entryObject.info.name.name,'wb')
while offset < entryObject.info.meta.size:
available_to_read = min(BUFF_SIZE, entryObject.info.meta.size - offset)
filedata = entryObject.read_random(offset,available_to_read)
md5hash.update(filedata)
os.makedirs(outputPath)
extractFile = open(outputPath+entryObject.info.name.name,'w')
while offset < entryObject.info.meta.size:
available_to_read = min(BUFF_SIZE, entryObject.info.meta.size - offset)
filedata = entryObject.read_random(offset,available_to_read)
md5hash.update(filedata)
sha1hash.update(filedata)
offset += len(filedata)
if args.extract == True:
extractFile.write(filedata)
if args.extract == True:
extractFile.close
wr.writerow([int(entryObject.info.meta.addr),'/'.join(parentPath)+entryObject.info.name.name,datetime.datetime.fromtimestamp(entryObject.info.meta.crtime).strftime('%Y-%m-%d %H:%M:%S'),int(entryObject.info.meta.size),md5hash.hexdigest(),sha1hash.hexdigest()])
elif f_type == pytsk3.TSK_FS_NAME_TYPE_REG and entryObject.info.meta.size == 0:
wr.writerow([int(entryObject.info.meta.addr),'/'.join(parentPath)+entryObject.info.name.name,datetime.datetime.fromtimestamp(entryObject.info.meta.crtime).strftime('%Y-%m-%d %H:%M:%S'),int(entryObject.info.meta.size),"d41d8cd98f00b204e9800998ecf8427e","da39a3ee5e6b4b0d3255bfef95601890afd80709"])
else:
print "This went wrong",entryObject.info.name.name,f_type
except IOError as e:
print e
continue
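def _IsValidFileOrFolderEntry(self, entry):
    """Return True if *entry* is a regular file or a directory.

    Only the TSK name types REG and DIR are accepted. Any other type is
    logged as a warning and rejected. Any exception raised while inspecting
    the entry is logged and treated as "not valid" rather than propagated,
    so callers can use this as a plain filter without their own try/except.

    Args:
      entry: a pytsk3 directory entry; ``entry.info.name.type`` is read.

    Returns:
      True for REG/DIR entries, False otherwise (including on error).
    """
    try:
        if entry.info.name.type in (pytsk3.TSK_FS_NAME_TYPE_REG,
                                    pytsk3.TSK_FS_NAME_TYPE_DIR):
            return True
        # Lazy %-args: the name is only rendered when WARNING is enabled.
        log.warning(" Found invalid entry - %s %s",
                    self._GetName(entry), entry.info.name.type)
    except Exception:
        # Resolve the name defensively: if self._GetName(entry) is what
        # raised, calling it again unguarded inside this handler would throw
        # out of the function and defeat the "never raise" contract.
        try:
            name = self._GetName(entry)
        except Exception:
            name = "<unnamed>"
        log.error(" Unknown exception from _IsValidFileOrFolderEntry:%s", name)
        log.debug("Exception details:\n", exc_info=True)
    return False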