How to use the pytsk3.Volume_Info function in pytsk3
To help you get started, we’ve selected a few pytsk3 examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ralphje / imagemounter / imagemounter / volume_system.py View on Github 
return []
try:
volumes = pytsk3.Volume_Info(baseimage, getattr(pytsk3, 'TSK_VS_TYPE_' + vstype.upper()),
volume_system.parent.offset // volume_system.disk.block_size)
volume_system.volume_source = 'multi'
return volumes
except Exception as e:
# some bug in sleuthkit makes detection sometimes difficult, so we hack around it:
if "(GPT or DOS at 0)" in str(e) and vstype != 'gpt':
volume_system.vstype = 'gpt'
# noinspection PyBroadException
try:
logger.warning("Error in retrieving volume info: TSK couldn't decide between GPT and DOS, "
"choosing GPT for you. Use --vstype=dos to force DOS.", exc_info=True)
volumes = pytsk3.Volume_Info(baseimage, getattr(pytsk3, 'TSK_VS_TYPE_GPT'))
volume_system.volume_source = 'multi'
return volumes
except Exception as e:
logger.exception("Failed retrieving image info (possible empty image).")
raise SubsystemError(e)
else:
logger.exception("Failed retrieving image info (possible empty image).")
raise SubsystemError(e)
finally:
if baseimage:
baseimage.close()
del baseimage#!/usr/bin/python
# Sample program or step 4 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3
import datetime
import admin
if not admin.isUserAdmin():
admin.runAsAdmin()
sys.exit()
imagefile = "\\\\.\\PhysicalDrive0"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
if 'NTFS' in partition.desc:
filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512))
fileobject = filesystemObject.open("/$MFT")
print "File Inode:",fileobject.info.meta.addr
print "File Name:",fileobject.info.name.name
print "File Creation Time:",datetime.datetime.fromtimestamp(fileobject.info.meta.crtime).strftime('%Y-%m-%d %H:%M:%S')
outFileName = str(partition.addr)+fileobject.info.name.name
print outFileName
outfile = open(outFileName, 'w')
filedata = fileobject.read_random(0,fileobject.info.meta.size)
outfile.write(filedata)
outfile.closedef tsktest(retstr=None):
# Step 1: get an IMG_INFO object
img = pytsk3.Img_Info("/home/bcadmin/Desktop/jo-work-usb-2009-12-11.E01")
## Step 2: get a Volume_Info object
volume = pytsk3.Volume_Info(img)
## Step 3: Iterate over all the partitions.
retstr = 'PARTITIONS ON THIS DISK:' + '\'
for part in volume:
#print part.addr, part.desc, part.start, part.len
retstr += str(part.addr) + ' ' + str(part.desc) + ' ' + str(part.start) + ' ' + str(part.len) + '<br>'
retstr += '<br>' + 'Contents of the root directory:' + '<br>'
## Now, a hack to recognize the start location. Do NOT use this
## code in production. It's just a demo.
fs = pytsk3.FS_Info(img, offset = 63 * 512)
for directory_entry in fs.open_dir(path="/"):
directory_entry = directory_entry.info.name.name
try:def __init__(self, url):
# parse out the different volumes
self.url = url
self.img = pytsk3.Img_Info(url=self.url)
self.VOL_INFO = pytsk3.Volume_Info(self.img)
self.vol_to_se = {}
self.VOLUMES = []
self.VOLUME_BOUNDARIES = []
# print out some info about the disk image
logger.debug("--- Volume info ---")
logger.debug("Current: %d" % self.VOL_INFO.current)
logger.debug("VS Type: %d" % self.VOL_INFO.info.vstype)
logger.debug("Offset: %d" % self.VOL_INFO.info.offset)
logger.debug("Block Size: %d" % self.VOL_INFO.info.block_size)
logger.debug("Endian: %d" % self.VOL_INFO.info.endian)
logger.debug("Partition List: %s" % self.VOL_INFO.info.part_list)
logger.debug("Parition Count: %d" % self.VOL_INFO.info.part_count)
logger.debug("--- Volume info ---")type=str,
default='inventory.csv',
required=False,
help='File to write the hashes to'
)
args = argparser.parse_args()
filenames = pyewf.glob(args.imagefile)
dirPath = args.path
outfile = open(args.output,'w')
outfile.write('"Inode","Full Path","Creation Time","Size","MD5 Hash","SHA1 Hash"\n')
wr = csv.writer(outfile, quoting=csv.QUOTE_ALL)
ewf_handle = pyewf.handle()
ewf_handle.open(filenames)
imagehandle = ewf_Img_Info(ewf_handle)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
if 'NTFS' in partition.desc:
filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512))
directoryObject = filesystemObject.open_dir(path=dirPath)
print "Directory:",dirPath
directoryRecurse(directoryObject,[])def process(image_path, output, format):
"""Processing entry point"""
imagehandle = pytsk3.Img_Info(url=image_path)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len
try:
filesystemObject = pytsk3.FS_Info(imagehandle, offset=(partition.start*512))
except:
print "Partition has no supported file system"
continue
print "File System Type Detected .",filesystemObject.info.ftype,"."
if (str(filesystemObject.info.ftype) == "TSK_FS_TYPE_NTFS_DETECT"):
print "NTFS DETECTED"
# Process the hives in a specific order so that the
# data can be correctly matched between the hives
try:
filesystemObject.open("/Windows")
except:
print "No Windows directory, skipping"def GetImageSize(file_path, offset):
"""Read the partition information to gather volume size."""
if not offset:
return 0, 0
img = pytsk3.Img_Info(file_path)
try:
volume = pytsk3.Volume_Info(img)
except IOError:
return 0, 0
size = 0
for vol in volume:
if vol.start == offset:
size = vol.len
break
size *= volume.info.block_size
return volume.info.block_size, sizedevice=fs_struct.f_mntfromname,
mount_point=fs_struct.f_mntonname,
type=fs_struct.f_fstypename)
drive_re = re.compile("r?disk[0-9].*")
for drive in os.listdir("/dev"):
if not drive_re.match(drive):
continue
path = os.path.join("/dev", drive)
try:
img_inf = pytsk3.Img_Info(path)
# This is a volume or a partition - we send back a TSK device.
yield rdf_client_fs.Filesystem(device=path)
vol_inf = pytsk3.Volume_Info(img_inf)
for volume in vol_inf:
if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
offset = volume.start * vol_inf.info.block_size
yield rdf_client_fs.Filesystem(
device="{path}:{offset}".format(path=path, offset=offset),
type="partition")
except (IOError, RuntimeError):
continuedef populate_parts(image, image_file):
"""Populate partition information for an image from the image file."""
logging.debug("Getting image info for: " + image_file.path)
image_info = pytsk3.Img_Info(image_file.path)
try:
volume_info = pytsk3.Volume_Info(image_info)
except:
logging.info("Failed to get Volume Info for: " + image_file.path)
# pytsk3.Volume_Info works only with file systems which have partition
# defined. For file systems like FAT12, with no partition info, we need
# to handle in an exception.
try:
fs_info = pytsk3.FS_Info(image_info, offset=0)
except:
# Botch by populating with file system details
image_file.__partitions__.append(
Partition(image, -1, -1, -1, -1, "Error Parsing"))
return
if fs_info.info.ftype == pytsk3.TSK_FS_TYPE_FAT12:
fs_desc = "FAT12 file system"
elif fs_info.info.ftype == pytsk3.TSK_FS_TYPE_ISO9660_DETECT:
Popular pytsk3 functions
- pytsk3.FS_Info
- pytsk3.get_version
- pytsk3.Img_Info
- pytsk3.Img_Info.__init__
- pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA
- pytsk3.TSK_FS_META_FLAG_ALLOC
- pytsk3.TSK_FS_META_TYPE_BLK
- pytsk3.TSK_FS_META_TYPE_CHR
- pytsk3.TSK_FS_META_TYPE_DIR
- pytsk3.TSK_FS_META_TYPE_FIFO
- pytsk3.TSK_FS_META_TYPE_LNK
- pytsk3.TSK_FS_META_TYPE_REG
- pytsk3.TSK_FS_META_TYPE_SOCK
- pytsk3.TSK_FS_NAME_TYPE_BLK
- pytsk3.TSK_FS_NAME_TYPE_DIR
- pytsk3.TSK_FS_NAME_TYPE_REG
- pytsk3.TSK_FS_TYPE_UNSUPP
- pytsk3.TSK_IMG_TYPE_EXTERNAL
- pytsk3.TSK_VS_PART_FLAG_ALLOC
- pytsk3.Volume_Info