How to use the pytsk3.TSK_VS_PART_FLAG_ALLOC function in pytsk3
To help you get started, we’ve selected a few pytsk3 examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ydkhatri / mac_apt / plugins / helpers / disk_report.py View on Github 
def ReadVolumesFromPartTable(self):
if self.apfs_container_only:
size = self.mac_info.apfs_container_size
for volume in self.mac_info.apfs_container.volumes:
used_space = '{:.2f} GB'.format(float(volume.container.block_size * volume.num_blocks_used / (1024*1024*1024.0)))
vol = Vol_Info(volume.volume_name, size, used_space, 'APFS', 0, self.IsApfsBootVolume(volume))
self.volumes.append(vol)
else:
for part in self.mac_info.vol_info:
if (int(part.flags) & pytsk3.TSK_VS_PART_FLAG_ALLOC):
partition_start_offset = self.block_size * part.start
partition_size_in_sectors = part.len
file_system = 'Unknown'
part_is_apfs = False
used_space = ''
try:
fs = pytsk3.FS_Info(self.img, offset=partition_start_offset)
fs_info = fs.info # TSK_FS_INFO
fs_type = str(fs_info.ftype)[12:]
if fs_type.find("_") > 0: fs_type = fs_type[0:fs_type.find("_")]
file_system = fs_type
if file_system == 'HFS' and self.mac_info.osx_partition_start_offset == partition_start_offset: # For macOS partition only
hfs_info = self.mac_info.hfs_native.GetVolumeInfo()
used_space = '{:.2f} GB'.format(float(hfs_info.block_size * (hfs_info.total_blocks - hfs_info.free_blocks) / (1024*1024*1024.0)))
except Exception as ex:
if self.mac_info.is_apfs and partition_start_offset == self.mac_info.osx_partition_start_offset:def detect(self, volume_system, vstype='detect'):
"""Generator that mounts every partition of this image and yields the mountpoint."""
# Loop over all volumes in image.
for p in self._find_volumes(volume_system, vstype):
import pytsk3
volume = volume_system._make_subvolume(
index=self._format_index(volume_system, p.addr),
offset=p.start * volume_system.disk.block_size,
size=p.len * volume_system.disk.block_size
)
# Fill volume with more information
volume.info['fsdescription'] = p.desc.strip().decode('utf-8')
if p.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
volume.flag = 'alloc'
volume.slot = _util.determine_slot(p.table_num, p.slot_num)
volume_system._assign_disktype_data(volume)
logger.info("Found allocated {2}: block offset: {0}, length: {1} ".format(p.start, p.len,
volume.info['fsdescription']))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_UNALLOC:
volume.flag = 'unalloc'
logger.info("Found unallocated space: block offset: {0}, length: {1} ".format(p.start, p.len))
elif p.flags == pytsk3.TSK_VS_PART_FLAG_META:
volume.flag = 'meta'
logger.info("Found meta volume: block offset: {0}, length: {1} ".format(p.start, p.len))
yield volumedef FindOsxPartition(img, vol_info, vs_info):
for part in vol_info:
if (int(part.flags) & pytsk3.TSK_VS_PART_FLAG_ALLOC):
partition_start_offset = vs_info.block_size * part.start
if part.desc.decode('utf-8').upper() == "EFI SYSTEM PARTITION":
log.debug ("Skipping EFI System Partition @ offset {}".format(partition_start_offset))
continue # skip this
elif part.desc.decode('utf-8').upper() == "APPLE_PARTITION_MAP":
log.debug ("Skipping Apple_partition_map @ offset {}".format(partition_start_offset))
continue # skip this
else:
log.info ("Looking at FS with volume label '{}' @ offset {}".format(part.desc.decode('utf-8'), partition_start_offset))
if IsApfsContainer(img, partition_start_offset):
uuid = GetApfsContainerUuid(img, partition_start_offset)
log.info('Found an APFS container with uuid: {}'.format(str(uuid).upper()))
return FindOsxPartitionInApfsContainer(img, vol_info, vs_info.block_size * part.len, partition_start_offset, uuid)
elif IsOsxPartition(img, partition_start_offset, mac_info): # Assumes there is only one single OSX installation partitiondrive_re = re.compile("r?disk[0-9].*")
for drive in os.listdir("/dev"):
if not drive_re.match(drive):
continue
path = os.path.join("/dev", drive)
try:
img_inf = pytsk3.Img_Info(path)
# This is a volume or a partition - we send back a TSK device.
yield rdf_client_fs.Filesystem(device=path)
vol_inf = pytsk3.Volume_Info(img_inf)
for volume in vol_inf:
if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
offset = volume.start * vol_inf.info.block_size
yield rdf_client_fs.Filesystem(
device="{path}:{offset}".format(path=path, offset=offset),
type="partition")
except (IOError, RuntimeError):
continuedef __init__(self, disk, partition=None, id=0, session=None,
filesystem=None):
self.tsk_part = partition or obj.NoneObject()
self.id = id
self.disk = disk
self.session = session
self.filesystem = filesystem or obj.NoneObject("No filesystem")
if (filesystem == None and
self.tsk_part.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC):
try:
address_space = self.get_partition_address_space()
filesystem = pytsk3.FS_Info(AS_Img_Info(address_space))
self.filesystem = FS(filesystem)
except IOError:
passdef TSKVsPartIsAllocated(tsk_vs_part):
"""Determines if the TSK volume system part object is allocated.
Args:
tsk_vs_part (pytsk3.TSK_VS_PART_INFO): TSK volume system part information.
Returns:
bool: True if the volume system part is allocated, False otherwise.
"""
# Note that because pytsk3.TSK_VS_PART_INFO does not explicitly defines
# flags need to check if the attribute exists.
# The flags are an instance of TSK_VS_PART_FLAG_ENUM.
tsk_vs_part_flags = getattr(tsk_vs_part, 'flags', None)
return (tsk_vs_part_flags is not None and
tsk_vs_part_flags == pytsk3.TSK_VS_PART_FLAG_ALLOC)
Popular pytsk3 functions
- pytsk3.FS_Info
- pytsk3.get_version
- pytsk3.Img_Info
- pytsk3.Img_Info.__init__
- pytsk3.TSK_FS_ATTR_TYPE_NTFS_DATA
- pytsk3.TSK_FS_META_FLAG_ALLOC
- pytsk3.TSK_FS_META_TYPE_BLK
- pytsk3.TSK_FS_META_TYPE_CHR
- pytsk3.TSK_FS_META_TYPE_DIR
- pytsk3.TSK_FS_META_TYPE_FIFO
- pytsk3.TSK_FS_META_TYPE_LNK
- pytsk3.TSK_FS_META_TYPE_REG
- pytsk3.TSK_FS_META_TYPE_SOCK
- pytsk3.TSK_FS_NAME_TYPE_BLK
- pytsk3.TSK_FS_NAME_TYPE_DIR
- pytsk3.TSK_FS_NAME_TYPE_REG
- pytsk3.TSK_FS_TYPE_UNSUPP
- pytsk3.TSK_IMG_TYPE_EXTERNAL
- pytsk3.TSK_VS_PART_FLAG_ALLOC
- pytsk3.Volume_Info