Source Code for Module rekall.plugins.addrspaces.ewf

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # Authors: 
 6  # Copyright (C) 2012 Michael Cohen <scudette@users.sourceforge.net> 
 7  # 
 8  # This program is free software; you can redistribute it and/or modify 
 9  # it under the terms of the GNU General Public License as published by 
10  # the Free Software Foundation; either version 2 of the License, or (at 
11  # your option) any later version. 
12  # 
13  # This program is distributed in the hope that it will be useful, but 
14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
16  # General Public License for more details. 
17  # 
18  # You should have received a copy of the GNU General Public License 
19  # along with this program; if not, write to the Free Software 
20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
21  # 
22   
23  """ This Address Space allows us to open ewf files """ 
24   
25  from rekall import addrspace 
26  from rekall.plugins.tools import ewf 
27   
28   
29 -class EWFAddressSpace(addrspace.CachingAddressSpaceMixIn, 
30                        addrspace.BaseAddressSpace): 
31      """ An EWF capable address space. 
32   
33      In order for us to work we need: 
34      1) There must be a base AS. 
35      2) The first 6 bytes must be 45 56 46 09 0D 0A (EVF header) 
36   
37      NOTE: We currently only support opening a single segment file since it is 
38      passed from the base address space. This address space supports stacking. 
39      """ 
40      order = 20 
41      __image = True 
42   
43 -    def __init__(self, **kwargs): 
44          super(EWFAddressSpace, self).__init__(**kwargs) 
45   
46          # Fail quickly if this is not an EWF file. 
47          self.as_assert(self.base != None, "No base address space provided") 
48   
49          self.as_assert(self.base.read(0, 6) == "\x45\x56\x46\x09\x0D\x0A", 
50                         "EWF signature not present") 
51   
52          # Now try to open it as an ewf file. 
53          self.ewf_file = ewf.EWFFile( 
54              session=self.session, address_space=self.base) 
55   
56          self.name = "%s (EWF)" % self.base.name 
57   
58 -    def cached_read_partial(self, offset, length): 
59          """Implement our own read method for caching.""" 
60          res = "" 
61          if offset != None: 
62              res = self.ewf_file.read(offset, length) 
63   
64          if len(res) < length: 
65              to_read = length - len(res) 
66              data = addrspace.ZEROER.GetZeros(to_read) 
67              return res + data 
68   
69          return res 
70   
71 -    def get_mappings(self, start=0, end=2**64): 
72          yield addrspace.Run(start=0, end=self.ewf_file.size, 
73                              file_offset=0, address_space=self) 
74