#!/usr/bin/python
# Sample program or step 1 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3
import datetime
import hashlib
import collections
# Module-wide table of full file path -> hex MD5 digest. It is filled by
# walk_file_system() and read back by main() to report duplicate content.
hashMap = dict()
def setup():
    """Placeholder for future initialisation work.

    Currently performs no action and returns None.
    """
    return None
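def print_partition_table(partitionTable):
    """Print the partition table as a fixed-width text table.

    Columns: addr, desc, start (sector number and byte offset assuming
    512-byte sectors), len (sector count and size in whole MiB).

    Args:
        partitionTable: iterable of partition objects exposing ``addr``,
            ``desc``, ``start`` and ``len`` attributes (e.g. a pytsk3
            ``Volume_Info``). A falsy value prints nothing.
    """
    if not partitionTable:
        return
    row_format = '%-5s %-20s %-20s %-10s'
    print(row_format % ('addr', 'desc', 'start(start*512)', 'len(mb)'))
    for partition in partitionTable:
        # The byte offset assumes 512-byte sectors, as the header label states.
        start_column = '%ss(%s)' % (partition.start, partition.start * 512)
        # Floor division keeps the MiB figure an integer under both the
        # Python 2 and Python 3 division rules.
        length_column = '%s(%s)' % (partition.len,
                                    partition.len * 512 // 1024 // 1024)
        print(row_format % (partition.addr, partition.desc,
                            start_column, length_column))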
def get_partitions():
    """Placeholder for partition discovery.

    Currently returns a new, empty list on every call.
    """
    return list()
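def _md5_of_entry(entry, size, chunk_size=1024 * 1024):
    """Return the hex MD5 digest of a regular file's content.

    The file is read through ``entry.read_random`` in ``chunk_size`` pieces
    so that memory stays bounded for large files. A zero-length file yields
    the digest of zero bytes.

    Args:
        entry: pytsk3 file entry whose content is hashed.
        size: number of bytes to read (``entry.info.meta.size``).
        chunk_size: maximum bytes requested per read.
    """
    digest = hashlib.md5()
    offset = 0
    while offset < size:
        chunk = entry.read_random(offset, min(chunk_size, size - offset))
        if not chunk:
            # Short read: stop rather than spin forever on a truncated entry.
            break
        digest.update(chunk)
        offset += len(chunk)
    return digest.hexdigest()


def walk_file_system(filesystemObject, parentDirectories=None):
    """Walk the file system depth-first, printing names and hashing files.

    Every regular file's MD5 digest is stored in the module-level ``hashMap``
    keyed by its full path. Directories are recursed into ("." and ".." are
    skipped). MD5 is used only to spot duplicate content; it is not
    collision resistant, so a matching digest is not proof of integrity.

    Args:
        filesystemObject: an open pytsk3 ``FS_Info``.
        parentDirectories: path components of the directory to walk; ``None``
            (the default) means the root directory. The list is shared with
            recursive calls and restored before each call returns.
    """
    if parentDirectories is None:
        # A fresh list per top-level call; a mutable default argument would
        # be shared between calls and leak state on an aborted walk.
        parentDirectories = []
    parentDirectory = '/%s' % '/'.join(parentDirectories)
    directory = filesystemObject.open_dir(parentDirectory)
    for entry in directory:
        name = entry.info.name.name
        indent = ' ' * 4 * len(parentDirectories)
        print('%s %s' % (indent, name))
        meta = entry.info.meta
        if meta is None:
            # pytsk3 can yield name entries with no metadata; there is
            # nothing to hash or recurse into, so do not abort the walk.
            continue
        if meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
            if name in ('.', '..'):
                continue
            parentDirectories.append(name)
            try:
                walk_file_system(filesystemObject, parentDirectories)
            finally:
                # Restore the shared path list even if the sub-walk raises.
                parentDirectories.pop()
        elif meta.type == pytsk3.TSK_FS_META_TYPE_REG:
            # Collapse the leading '//' produced when parentDirectory is '/'.
            fullFilePath = ('%s/%s' % (parentDirectory, name)).replace('//', '/')
            hashMap[fullFilePath] = _md5_of_entry(entry, meta.size)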
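def main():
    """Open a forensic image, print its partition table and report duplicates.

    The image path defaults to ./forensic_image/AssignmentImage.dmg and can
    be overridden by the first command-line argument. Duplicate files are
    reported as lists of paths that share the same MD5 digest.
    """
    # TODO move image loading to a method or util class
    if len(sys.argv) > 1:
        imagefile = sys.argv[1]
    else:
        imagefile = './forensic_image/AssignmentImage.dmg'
    imagehandle = pytsk3.Img_Info(imagefile)
    partitionTable = pytsk3.Volume_Info(imagehandle)
    print_partition_table(partitionTable)
    # Hard-coded byte offset of the file system to walk; this assumes the
    # file system of interest starts at sector 1 of the sample image. Check
    # the printed partition table before using it on another image.
    filesystemObject = pytsk3.FS_Info(imagehandle, offset=512)
    walk_file_system(filesystemObject)
    print('The length of the dictionary is %d' % len(hashMap))
    # Invert path -> digest into digest -> {paths}; any digest with more
    # than one path is duplicate content.
    paths_by_digest = collections.defaultdict(set)
    for path, digest in hashMap.items():
        paths_by_digest[digest].add(path)
    for paths in paths_by_digest.values():
        if len(paths) > 1:
            # Sorted so the report is deterministic between runs.
            print(sorted(paths))
    print('========')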
# Run the analysis only when executed as a script, not when imported.
if __name__ == "__main__":
    main()