transferContent: use mmls to check on partitions

Question

transferContent: use mmls to check on partitions

Closed this issue 6 years ago · 3 comments

shallcro commented 6 years ago

First check: are there partitions?

If no, then use disktype

if yes, then need to consider which tool for which partition

Maybe create a dictionary of values from disktype (can include sector offset)
Then use this dictionary to determine which tool to run..
Disktype has added valued of indicating filesystem with standardized

Create separate directory for each partition; loop through dictionary until it's all done

Key elements to track and automate process:

info_package: partition or filesystem;
file_system:
- declaration (FS)
- file system type (note; may have more than 1--as with CD-ROMS)
partition
- declaration (partition)
- partition number (needed by unhfs; use values in mmls--start with 0)
  - NOTE: If there is only 1 partition with a file system, then we don't add a 'partition' folder?
- Filesystem type (parse out from disktype--i.e., file_sys_line.split(' file system', 1)[0])
  -This will determine whether we use tsk_recover or unhfs
  - NOTE: have to verify that partition includes a filesystem; partition maps will not include files--will need to verify existence of 'file system' string
- sector offset: parse from mmls? would need to be padded... if from disktype

First attempt:

make a list out of disktype output
find out where partition occurs: indices = [i for i, x in enumerate(mylist) if 'Partition' in x]

Answer 1 · 2019-04-11T21:30:44.000Z

Gets info in a dictioonary--could then parse through

newlist = []

c = 0
for part in mmls[5:]:
... tempdict = {}
... if any(x.isdigit() for x in part.split()[1]):
... tempdict['part#'] = str(c)
... tempdict['start'] = part.split()[2]
... tempdict['fs'] = part.split()[5]
... newlist.append(tempdict)
... c += 1

ISSUE: partition type is also split...

Answer 2 · 2019-04-11T21:34:37.000Z

This does a better job:

import re

for part in mmls[5:]:
... print(re.split(r'\s\s+', part))

['000:', 'Meta', '0000000000', '0000000000', '0000000001', 'Primary Table (#0)']
['001:', '-------', '0000000000', '0000000127', '0000000128', 'Unallocated']
['002:', '000:000', '0000000128', '0000016511', '0000016384', 'DOS FAT12 (0x01)']
['003:', '000:001', '0000016512', '0000082047', '0000065536', 'DOS FAT16 (0x06)']
['004:', '000:002', '0000082048', '0000213119', '0000131072', 'Win95 FAT32 (0x0b)']
['005:', '-------', '0000213120', '0002097152', '0001884033', 'Unallocated']

Answer 3 · 2019-04-11T21:37:05.000Z

Now,:

Check Disktype to identify UDF or ISO9660 disks (Send to teracopy)
Then check mmls description
- 'osj', 'HFS' , or 'Apple': send to unhfs with partition #
- other: send to tsk recover (need start point and partition #)

NOTE: fiwalk starts numbering partitions @ 1 (not 0)