[sleuthkit-users] announcing isectorfind.py (was Re: icat and ifind -- Help with -- )
From: Simson G. <si...@ac...> - 2009-11-22 18:30:18
All,

I have written a small program using the fiwalk python framework that takes a disk image and sector numbers and prints a list of the files that map to those sectors. The program automatically handles filesystems on raw devices as well as multiple partitions on a single physical device.

The program is called isectorfind.py and it is part of version 0.5.7 of the fiwalk package. You can download it from http://www.afflib.org/.

Total time to write this program using the framework was about 45 minutes. Most of the time was spent fixing some bugs in the fiwalk.py Python module that resulted from some XML changes that I made over the weekend. I had to make those fixes before the release anyway, of course. I also had to add the has_sector() method to the fileobject class and the byterun class. Both additions took about 3 minutes.

This program is part of the fiwalk system that you can download from http://afflib.org/. Basically, fiwalk finds all of the partitions and filesystems on a disk image using SleuthKit's "walk" functions and outputs a big XML block. The idea is that it is easier for us to write tools that work with this XML block than to work with the raw SleuthKit primitives. The main "tool" that I use for this XML block is the fiwalk.py Python module, which provides a very easy-to-use (and efficient) python interface to the disk metadata. To use fiwalk.py you need to install fiwalk, which requires that the SleuthKit developer libraries be installed.

My purpose of posting this program is to show just how easy it is to write forensic tools using Python and the fiwalk XML system we have been creating. If you would like to learn more, please read my paper from SADFE 2009, which you can download from: http://simson.net/xml_forensics.pdf . This paper includes a tutorial and several sample programs.
Here is an example of using isectorfind.py to find which files map to sectors 47520, 49217 and 50690 from the disk image nps-2009-canon2-gen6.raw, which you can download from digitalcorpora.org:

    $ python isectorfind.py nps-2009-canon2-gen6.raw 47520 49217 50690
    47520   DCIM/100CANON/_MG_0030.JPG
    49217   DCIM/100CANON/IMG_0031.JPG
    50690   DCIM/100CANON/IMG_0032.JPG
    $

Below is the program in its entirety; the business portion is in BOLD. As you can see, more space is taken up by the usage message and options processing than by the business logic.

    #!/usr/bin/python
    """Usage: isectorfind.py imagefile.iso s1 [s2 s3 ...] ...

    Reports the files in which sectors s1, s2, s3... are located.
    """

    import fiwalk

    if __name__=="__main__":
        import sys
        from sys import stdout
        from optparse import OptionParser

        parser = OptionParser()
        parser.usage = '%prog [options] image.iso s1 [s2 s3 ...]'
        parser.add_option("-d","--debug",help="debug",action="store_true")
        (options,args) = parser.parse_args()

        # we need an image file and at least one sector number
        if len(args)<2:
            parser.print_help()
            sys.exit(1)

        sectors = set()          # sectors we are looking for
        for s in args[1:]:
            sectors.add(int(s))

        def process(fi):
            # called once per fileobject; report every requested sector this file covers
            for s in sectors:
                if fi.has_sector(s):
                    print("%d\t%s" % (s,fi.filename()))

        # open the image in binary mode and let fiwalk stream fileobjects to process()
        fiwalk.fiwalk_using_sax(imagefile=open(args[0],"rb"),callback=process)
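The lookup that has_sector() performs over a file's byte runs is the whole of the business logic above. The following is an added example, not part of the original post or of fiwalk: it parses a constructed XML fragment written in the DFXML style that fiwalk emits (the fileobject/byte_runs/byte_run element names, the img_offset and len attributes, the 512-byte sector size and all offsets are assumptions made here) and maps requested sectors back to filenames, reporting sectors that belong to no file as an empty list.

```python
import xml.etree.ElementTree as ET

SECTOR_SIZE = 512  # assumed; a real tool reads the sector size from the image

# Constructed sample in the style of fiwalk's DFXML output. Element and
# attribute names are assumptions, not taken from the original post.
SAMPLE_XML = """<dfxml>
  <fileobject>
    <filename>DCIM/100CANON/_MG_0030.JPG</filename>
    <byte_runs>
      <byte_run file_offset="0" img_offset="24330240" len="65536"/>
    </byte_runs>
  </fileobject>
  <fileobject>
    <filename>DCIM/100CANON/IMG_0031.JPG</filename>
    <byte_runs>
      <byte_run file_offset="0" img_offset="25198592" len="4096"/>
      <byte_run file_offset="4096" img_offset="25395200" len="8192"/>
    </byte_runs>
  </fileobject>
</dfxml>"""


class ByteRun:
    """One contiguous extent of a file on the image: [img_offset, img_offset+len)."""
    def __init__(self, img_offset, length):
        self.img_offset = img_offset
        self.len = length

    def has_sector(self, sector, sector_size=SECTOR_SIZE):
        # The sector belongs to this run if its first byte lies inside the extent;
        # this also attributes a trailing partial sector to the file.
        start = sector * sector_size
        return self.img_offset <= start < self.img_offset + self.len


class FileObject:
    def __init__(self, filename, runs):
        self.filename = filename
        self.runs = runs

    def has_sector(self, sector, sector_size=SECTOR_SIZE):
        return any(r.has_sector(sector, sector_size) for r in self.runs)


def parse_fileobjects(xml_text):
    """Build FileObject records from a DFXML-style document."""
    files = []
    for fo in ET.fromstring(xml_text).iter("fileobject"):
        runs = [ByteRun(int(br.get("img_offset")), int(br.get("len")))
                for br in fo.iter("byte_run")]
        files.append(FileObject(fo.findtext("filename"), runs))
    return files


def sectors_to_files(xml_text, sectors, sector_size=SECTOR_SIZE):
    """Map each requested sector to the filenames whose byte runs cover it."""
    files = parse_fileobjects(xml_text)
    return {s: [f.filename for f in files if f.has_sector(s, sector_size)]
            for s in sectors}
```

Sector 50690 maps to no file in the constructed sample, which is the case a carving or slack-space review would want flagged rather than silently dropped.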