#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Tests for the SleuthKit (TSK) volume system."""
import unittest
from dfvfs.lib import definitions
from dfvfs.path import factory as path_spec_factory
from dfvfs.volume import tsk_volume_system
from tests import test_lib as shared_test_lib
class TSKVolumeSystemTestAPM(shared_test_lib.BaseTestCase):
  """Tests the SleuthKit (TSK) volume system on an Apple Partition Map image.

  The expected values are taken from the mmls listing of apm.dmg reproduced
  in the comment between setUp and testIterateVolumes.
  """

  def setUp(self):
    """Builds the TSK partition path specification for apm.dmg.

    _SkipIfPathNotExists is called first, presumably so that a missing test
    image skips the test instead of failing it.
    """
    image_path = self._GetTestFilePath(['apm.dmg'])
    self._SkipIfPathNotExists(image_path)

    # The partition path specification is layered on top of the OS one.
    os_path_spec = path_spec_factory.Factory.NewPathSpec(
        definitions.TYPE_INDICATOR_OS, location=image_path)
    self._tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
        definitions.TYPE_INDICATOR_TSK_PARTITION, location='/',
        parent=os_path_spec)

  # mmls test_data/apm.dmg
  # MAC Partition Map
  # Offset Sector: 0
  # Units are in 512-byte sectors
  #
  #       Slot      Start        End          Length       Description
  # 000:  -------   0000000000   0000000000   0000000001   Unallocated
  # 001:  000       0000000001   0000000063   0000000063   Apple_partition_map
  # 002:  Meta      0000000001   0000000003   0000000003   Table
  # 003:  001       0000000064   0000008175   0000008112   Apple_HFS
  # 004:  002       0000008176   0000008191   0000000016   Apple_Free

  def testIterateVolumes(self):
    """Checks the volumes, attributes and extents reported for apm.dmg."""
    sector_size = 512

    volume_system = tsk_volume_system.TSKVolumeSystem()
    volume_system.Open(self._tsk_path_spec)

    # 5 sections == the 5 mmls slots above; only the Apple_HFS slot is
    # expected to be exposed as a volume.
    self.assertEqual(volume_system.bytes_per_sector, sector_size)
    self.assertEqual(volume_system.number_of_sections, 5)
    self.assertEqual(volume_system.number_of_volumes, 1)
    self.assertEqual(volume_system.volume_identifiers, ['p1'])

    volume = volume_system.GetVolumeByIndex(0)
    self.assertIsNotNone(volume)

    self.assertEqual(volume.number_of_extents, 1)
    self.assertEqual(volume.number_of_attributes, 2)
    self.assertEqual(volume.identifier, 'p1')

    # The address value matches mmls slot 003, the description its label.
    for attribute_name, expected_value in (
        ('address', 3), ('description', 'Apple_HFS')):
      attribute = volume.GetAttribute(attribute_name)
      self.assertIsNotNone(attribute)
      self.assertEqual(attribute.value, expected_value)

    # Extent offset and size are in bytes: mmls sectors times sector size.
    extent = volume.extents[0]
    self.assertIsNotNone(extent)
    self.assertEqual(extent.offset, 64 * sector_size)
    self.assertEqual(extent.size, 8112 * sector_size)
    self.assertEqual(extent.extent_type, extent.EXTENT_TYPE_DATA)

    # An index past the last volume must yield None.
    self.assertIsNone(volume_system.GetVolumeByIndex(9))
class TSKVolumeSystemTestGPT(shared_test_lib.BaseTestCase):
  """Tests the SleuthKit (TSK) volume system on a GUID Partition Table image.

  The expected values are taken from the mmls listing of gpt.raw reproduced
  in the comment between setUp and testIterateVolumes.
  """

  def setUp(self):
    """Builds the TSK partition path specification for gpt.raw.

    _SkipIfPathNotExists is called first, presumably so that a missing test
    image skips the test instead of failing it.
    """
    image_path = self._GetTestFilePath(['gpt.raw'])
    self._SkipIfPathNotExists(image_path)

    # The partition path specification is layered on top of the OS one.
    os_path_spec = path_spec_factory.Factory.NewPathSpec(
        definitions.TYPE_INDICATOR_OS, location=image_path)
    self._tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
        definitions.TYPE_INDICATOR_TSK_PARTITION, location='/',
        parent=os_path_spec)

  # mmls test_data/gpt.raw
  # GUID Partition Table (EFI)
  # Offset Sector: 0
  # Units are in 512-byte sectors
  #
  #       Slot      Start        End          Length       Description
  # 000:  Meta      0000000000   0000000000   0000000001   Safety Table
  # 001:  -------   0000000000   0000002047   0000002048   Unallocated
  # 002:  Meta      0000000001   0000000001   0000000001   GPT Header
  # 003:  Meta      0000000002   0000000033   0000000032   Partition Table
  # 004:  000       0000002048   0000002175   0000000128   Linux filesystem
  # 005:  -------   0000002176   0000004095   0000001920   Unallocated
  # 006:  001       0000004096   0000004223   0000000128   Linux filesystem
  # 007:  -------   0000004224   0000008191   0000003968   Unallocated

  def testIterateVolumes(self):
    """Checks the volumes, attributes and extents reported for gpt.raw."""
    sector_size = 512

    volume_system = tsk_volume_system.TSKVolumeSystem()
    volume_system.Open(self._tsk_path_spec)

    # 8 sections == the 8 mmls slots above; the two "Linux filesystem"
    # slots are expected to be exposed as volumes p1 and p2.
    self.assertEqual(volume_system.bytes_per_sector, sector_size)
    self.assertEqual(volume_system.number_of_sections, 8)
    self.assertEqual(volume_system.number_of_volumes, 2)
    self.assertEqual(volume_system.volume_identifiers, ['p1', 'p2'])

    # Only the second volume is inspected in detail; p1 is covered by the
    # identifier list assertion alone.
    volume = volume_system.GetVolumeByIndex(1)
    self.assertIsNotNone(volume)

    self.assertEqual(volume.number_of_extents, 1)
    self.assertEqual(volume.number_of_attributes, 2)
    self.assertEqual(volume.identifier, 'p2')

    # The address value matches mmls slot 006, the description its label.
    for attribute_name, expected_value in (
        ('address', 6), ('description', 'Linux filesystem')):
      attribute = volume.GetAttribute(attribute_name)
      self.assertIsNotNone(attribute)
      self.assertEqual(attribute.value, expected_value)

    # Extent offset and size are in bytes: mmls sectors times sector size.
    extent = volume.extents[0]
    self.assertIsNotNone(extent)
    self.assertEqual(extent.offset, 4096 * sector_size)
    self.assertEqual(extent.size, 128 * sector_size)
    self.assertEqual(extent.extent_type, extent.EXTENT_TYPE_DATA)

    # An index past the last volume must yield None.
    self.assertIsNone(volume_system.GetVolumeByIndex(9))
class TSKVolumeSystemTestMBR(shared_test_lib.BaseTestCase):
  """Tests the SleuthKit (TSK) volume system on a DOS (MBR) partition table.

  The expected values are taken from the mmls listing of mbr.raw reproduced
  in the comment between setUp and testIterateVolumes.
  """

  def setUp(self):
    """Builds the TSK partition path specification for mbr.raw.

    _SkipIfPathNotExists is called first, presumably so that a missing test
    image skips the test instead of failing it.
    """
    image_path = self._GetTestFilePath(['mbr.raw'])
    self._SkipIfPathNotExists(image_path)

    # The partition path specification is layered on top of the OS one.
    os_path_spec = path_spec_factory.Factory.NewPathSpec(
        definitions.TYPE_INDICATOR_OS, location=image_path)
    self._tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
        definitions.TYPE_INDICATOR_TSK_PARTITION, location='/',
        parent=os_path_spec)

  # mmls test_data/mbr.raw
  # DOS Partition Table
  # Offset Sector: 0
  # Units are in 512-byte sectors
  #
  #       Slot      Start        End          Length       Description
  # 000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
  # 001:  -------   0000000000   0000000000   0000000001   Unallocated
  # 002:  000:000   0000000001   0000000129   0000000129   Linux (0x83)
  # 003:  Meta      0000000130   0000008191   0000008062   DOS Extended (0x05)
  # 004:  Meta      0000000130   0000000130   0000000001   Extended Table (#1)
  # 005:  -------   0000000130   0000000130   0000000001   Unallocated
  # 006:  001:000   0000000131   0000000259   0000000129   Linux (0x83)
  # 007:  -------   0000000260   0000008191   0000007932   Unallocated

  def testIterateVolumes(self):
    """Checks the volumes, attributes and extents reported for mbr.raw."""
    sector_size = 512

    volume_system = tsk_volume_system.TSKVolumeSystem()
    volume_system.Open(self._tsk_path_spec)

    # 8 sections == the 8 mmls slots above; the two "Linux (0x83)" slots
    # are expected to be exposed as volumes p1 and p2.
    self.assertEqual(volume_system.bytes_per_sector, sector_size)
    self.assertEqual(volume_system.number_of_sections, 8)
    self.assertEqual(volume_system.number_of_volumes, 2)
    self.assertEqual(volume_system.volume_identifiers, ['p1', 'p2'])

    # Only the second volume (the one inside the extended partition in the
    # listing above) is inspected in detail; p1 is covered by the
    # identifier list assertion alone.
    volume = volume_system.GetVolumeByIndex(1)
    self.assertIsNotNone(volume)

    self.assertEqual(volume.number_of_extents, 1)
    self.assertEqual(volume.number_of_attributes, 2)
    self.assertEqual(volume.identifier, 'p2')

    # The address value matches mmls slot 006, the description its label.
    for attribute_name, expected_value in (
        ('address', 6), ('description', 'Linux (0x83)')):
      attribute = volume.GetAttribute(attribute_name)
      self.assertIsNotNone(attribute)
      self.assertEqual(attribute.value, expected_value)

    # Extent offset and size are in bytes: mmls sectors times sector size.
    extent = volume.extents[0]
    self.assertIsNotNone(extent)
    self.assertEqual(extent.offset, 131 * sector_size)
    self.assertEqual(extent.size, 129 * sector_size)
    self.assertEqual(extent.extent_type, extent.EXTENT_TYPE_DATA)

    # An index past the last volume must yield None.
    self.assertIsNone(volume_system.GetVolumeByIndex(9))
# Run every test case in this module when the file is executed as a script.
if __name__ == '__main__':
  unittest.main()