├── dfxml
├── bin
│ ├── __init__.py
│ ├── .gitignore
│ ├── conftest.py
│ ├── iredact-config.txt
│ ├── igrep.py
│ ├── xdiff.py
│ ├── validate_dfxml.py
│ ├── iblkfind.py
│ ├── mem_info.py
│ ├── nsrl_rds.py
│ ├── iextract.py
│ ├── iverify.py
│ ├── exp_slack.py
│ ├── corpus_sync.py
│ ├── Makefile
│ ├── xmirror.py
│ ├── break_out_diffs_by_anno.py
│ ├── imap.py
│ ├── dedup.py
│ ├── iexport.py
│ ├── allocation_counter.py
│ ├── cat_fileobjects.py
│ ├── tcpdiff.py
│ ├── report_silent_changes.py
│ ├── ihistogram.py
│ ├── README.md
│ ├── deidentify_xml.py
│ └── filesdb.py
├── conftest.py
├── py.typed
└── dfxml_html.py
├── tests
├── .gitignore
├── requirements.txt
├── make_differential_dfxml
│ ├── .gitignore
│ ├── README.md
│ ├── differential_dfxml_test_by_path_01.txt
│ ├── differential_dfxml_test_by_times_01.txt
│ ├── differential_dfxml_test_by_path_23.txt
│ ├── differential_dfxml_test_by_times_23.txt
│ └── Makefile
├── walk_to_dfxml
│ ├── .gitignore
│ ├── README.md
│ ├── Makefile
│ └── test_walk_to_dfxml.py
├── misc_bin_tests
│ ├── paths.sh
│ ├── README.md
│ ├── test_regxml.sh
│ ├── iexport_test.py
│ ├── _sane_defaults.sh
│ ├── test_hfsj.sh
│ ├── test_redact.sh
│ ├── _pick_pythons.sh
│ ├── test_dfxml_tool.sh
│ ├── test_idifference.py
│ ├── test_cat_fileobjects.sh
│ ├── test_idifference_to_dfxml.sh
│ └── test_mac_timelines.sh
├── misc_object_tests
│ ├── .gitignore
│ ├── README.md
│ ├── FileObject_from_stat_test.py
│ ├── RegXMLObject_test.py
│ ├── diffing_TimestampObject_test.py
│ ├── diff_file_ignore_sample_dfxml_test.py
│ ├── objects_test.py
│ ├── DFXMLObject_program_test.py
│ ├── diff_file_ignore_test.py
│ ├── VolumeObject_test.py
│ ├── Makefile_test.py
│ ├── LibraryObject_read_test.py
│ ├── diffing_HiveObject_test.py
│ ├── CellObject_test.py
│ ├── VolumeObject_hash_test.py
│ ├── LibraryObject_write_test.py
│ ├── diffing_ByteRuns_test.py
│ ├── test_TCPFlowObjects.py
│ ├── diffing_VolumeObject_test.py
│ ├── FileObject_test.py
│ ├── FileObject_byte_run_facets_test.py
│ ├── ByteRuns_test.py
│ ├── diffing_CellObject_test.py
│ ├── FileObject_allocation_test.py
│ ├── PartitionSystemObject_test.py
│ ├── PartitionObject_test.py
│ ├── Makefile
│ ├── FileObject_externals_test.py
│ └── diffing_FileObject_test.py
├── README.md
├── test_version.py
├── test_reads.py
└── Makefile
├── demos
├── .gitignore
├── vmstats
│ ├── Makefile
│ ├── vmstats_decode.html
│ └── vmstats_json.html
├── demo_registry_timeline.py
├── demo_mac_timeline.py
├── demo_sizes.py
├── demo_plot_times.py
├── demo_fiwalk_diskimage.py
├── demo_spark.py
├── spark
│ └── demo_spark.py
├── demo_piecewise.py
├── demo_mac_timeline_iter.py
├── demo_mac_timeline_objects.py
└── demo_readtimes.py
├── samples
├── .gitignore
├── README.md
├── fileobjectexample.xml
├── tcpflow_zip_generic_header.xml
├── Makefile
├── difference_test_1.xml
├── difference_test_0.xml
└── simple.xml
├── .pre-commit-config.yaml
├── .gitmodules
├── .gitignore
├── .gitattributes
├── setup.cfg
├── setup.py
├── .github
└── workflows
│ ├── supply-chain.yml
│ └── continuous-integration.yml
├── Makefile
└── CONTRIBUTE.md
/dfxml/bin/__init__.py:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/tests/.gitignore:
--------------------------------------------------------------------------------
1 | venv
2 |
--------------------------------------------------------------------------------
/demos/.gitignore:
--------------------------------------------------------------------------------
1 | *.dfxml
2 | *.xml
3 |
--------------------------------------------------------------------------------
/dfxml/bin/.gitignore:
--------------------------------------------------------------------------------
1 | .pytest_cache
2 |
--------------------------------------------------------------------------------
/tests/requirements.txt:
--------------------------------------------------------------------------------
1 | mypy
2 | pytest
3 |
--------------------------------------------------------------------------------
/samples/.gitignore:
--------------------------------------------------------------------------------
1 | *.err.log
2 | *.validates.log
3 |
--------------------------------------------------------------------------------
/tests/make_differential_dfxml/.gitignore:
--------------------------------------------------------------------------------
1 | *.dfxml
2 |
--------------------------------------------------------------------------------
/tests/walk_to_dfxml/.gitignore:
--------------------------------------------------------------------------------
1 | *.dfxml
2 | walk_ignore_test/
3 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/paths.sh:
--------------------------------------------------------------------------------
1 | source tests/_pick_pythons.sh
2 |
3 | #DEMO_DIR=../demos
4 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
1 | repos:
2 | - repo: https://github.com/psf/black
3 | rev: 25.1.0
4 | hooks:
5 | - id: black
6 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/.gitignore:
--------------------------------------------------------------------------------
1 | *.dfxml
2 | *.xml
3 | walk_ignore_test/
4 | differential_dfxml_test_??.txt
5 | graph.png
6 | graph_data.json
7 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "dependencies/dfxml_schema"]
2 | path = dependencies/dfxml_schema
3 | url = https://github.com/dfxml-working-group/dfxml_schema.git
4 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | *~
3 | __pycache__
4 | _deps
5 | python/demo.dfxml
6 |
7 | .DS_Store
8 | build
9 | python/demo.dfxml
10 | .cache
11 | .pytest_cache
12 | *.egg-info
13 | *.log
14 | .venv-pre-commit
15 |
--------------------------------------------------------------------------------
/dfxml/conftest.py:
--------------------------------------------------------------------------------
1 | #
2 | # This file is empty, but it permits test discovery of the subdirectory.
3 | # See:
4 | # https://stackoverflow.com/questions/10253826/path-issue-with-pytest-importerror-no-module-named-yadayadayada
5 |
--------------------------------------------------------------------------------
/dfxml/bin/conftest.py:
--------------------------------------------------------------------------------
1 | #
2 | # This file is empty, but it permits test discovery of the subdirectory.
3 | # See:
4 | # https://stackoverflow.com/questions/10253826/path-issue-with-pytest-importerror-no-module-named-yadayadayada
5 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/README.md:
--------------------------------------------------------------------------------
1 | The tests in this directory needed to be moved to address a new behavior in a deployed static type checker. The intent is to empty this directory, moving its tests to appropriate locations under `/tests`.
2 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/README.md:
--------------------------------------------------------------------------------
1 | The tests in this directory needed to be moved to address a new behavior in a deployed static type checker. The intent is to empty this directory, moving its tests to appropriate locations under `/tests`.
2 |
--------------------------------------------------------------------------------
/samples/README.md:
--------------------------------------------------------------------------------
1 | # Sample DFXML
2 | This directory contains sample DFXML files. The Makefile here runs tests for conformance against the DFXML Schema with `make check`.
3 |
4 | Not all of these files are currently conformant; these can be seen with `make --keep-going check-TODO`.
5 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/test_regxml.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | source ${TEST_DIR}/_pick_pythons.sh
3 | "$PYTHON2" ${DEMO_DIR}/demo_registry_timeline.py ../tests/m57-charlie-2009-11-20-charlie-ntuser.dat.regxml
4 | "$PYTHON3" ${DEMO_DIR}/demo_registry_timeline.py ../tests/m57-charlie-2009-11-20-charlie-ntuser.dat.regxml
5 |
--------------------------------------------------------------------------------
/tests/README.md:
--------------------------------------------------------------------------------
1 | Contents of this directory test the functionality of `dfxml` as an importable Python module.
2 |
3 | Running `make check` in this directory will build a Python virtual environment, install the top source directory into that virtual environment as a module, and then run further tests with `pytest`.
4 |
--------------------------------------------------------------------------------
/demos/vmstats/Makefile:
--------------------------------------------------------------------------------
1 | all:vmstats_pretty.dfxml vmstatsN
2 |
3 | vmstats_pretty.dfxml: vmstats.py
4 | python3 vmstats.py --prettyprint vmstats_pretty.dfxml
5 |
6 | vmstatsN: vmstats.py
7 | python3 vmstats.py --repeat 24 --interval 10 vmstatsN-new.dfxml
8 | /bin/mv -f vmstatsN-new.dfxml vmstatsN.dfxml
9 |
10 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Set the default behavior, in case people don't have core.autocrlf set.
2 | # NOTE: At the time this rule was written, all files tracked in this repository were known to be text files. From documentation on this file at git-scm.com, it seems possible this might trip up commiting a binary file in the future.
3 | * text=auto
4 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/iexport_test.py:
--------------------------------------------------------------------------------
1 | import os
2 | import sys
3 |
4 | from dfxml.bin.iexport import *
5 |
6 |
7 | def test_iexport():
8 | r1 = Run(0, 1000)
9 | r2 = Run(50, 60)
10 | assert r1.intersects_run(r2)
11 | assert r2.intersects_run(r1)
12 |
13 | disk = RunDB(0, 1000)
14 | print(disk)
15 | disk.remove(Run(50, 60))
16 | disk.remove(Run(0, 10))
17 | disk.remove(Run(40, 20))
18 | print(disk)
19 |
--------------------------------------------------------------------------------
/samples/fileobjectexample.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/_sane_defaults.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | SCRIPT_DIR="$1"
4 |
5 | # Guarantee sane defaults
6 | if [ -z ${TEST_DIR} ];
7 | then
8 | TEST_DIR="${SCRIPT_DIR}"
9 | fi
10 |
11 | if [ -z ${TOOL_DIR} ];
12 | then
13 | TOOL_DIR="$(dirname ${SCRIPT_DIR})"
14 | fi
15 |
16 | if [ -z ${SAMPLE_DIR} ];
17 | then
18 | SAMPLE_DIR="$(dirname $(dirname ${SCRIPT_DIR}))/samples"
19 | fi
20 |
21 | if [ -z ${PYTHONPATH} ];
22 | then
23 | PYTHONPATH="$(dirname $(dirname ${SCRIPT_DIR}))"
24 | export PYTHONPATH;
25 | fi
26 |
--------------------------------------------------------------------------------
/setup.cfg:
--------------------------------------------------------------------------------
1 | [metadata]
2 | name = dfxml
3 | version = attr: dfxml.__version__
4 | url = https://github.com/dfxml-working-group/dfxml_python
5 | classifiers =
6 | License :: Public Domain
7 | Programming Language :: Python :: 3
8 |
9 | [options]
10 | include_package_data = true
11 | packages = find:
12 | python_requires = >=3.10
13 |
14 | # See CONTRIBUTE.md before adding a console script line.
15 | [options.entry_points]
16 | console_scripts =
17 | make_differential_dfxml = dfxml.bin.make_differential_dfxml:main
18 | walk_to_dfxml = dfxml.bin.walk_to_dfxml:main
19 |
20 | [options.package_data]
21 | dfxml = py.typed
22 |
--------------------------------------------------------------------------------
/dfxml/bin/iredact-config.txt:
--------------------------------------------------------------------------------
1 | #
2 | # Paths to the disk image and fiwalk XML output
3 | #
4 | IMAGEFILE /home/bcadmin/Desktop/jowork.raw.raw
5 | XMLFILE /home/bcadmin/Desktop/jofiwalk.xml
6 |
7 | #
8 | # Redaction patterns
9 | #
10 | #FILEPAT *.dll FUZZ
11 | #FILEPAT *.com FUZZ
12 | FILEPAT *.exe FUZZ
13 |
14 | #
15 | # Other examples
16 | #
17 | #KEY 100200300400
18 | #MD5 db06069ef1c9f40986ffa06db4fe8fd7 FILL 0x44
19 | #FILENAME file3.txt ENCRYPT
20 | #FILEPAT file*.txt ENCRYPT
21 | #CONTAINS This FILL 0x44
22 | #FILEPAT *Spotlight* FILL 0x44
23 |
24 | #
25 | # Uncomment this line to actually commit the redaction:
26 | #
27 | COMMIT
28 |
29 |
30 |
--------------------------------------------------------------------------------
/dfxml/py.typed:
--------------------------------------------------------------------------------
1 | # This software was developed at the National Institute of Standards
2 | # and Technology by employees of the Federal Government in the course
3 | # of their official duties. Pursuant to title 17 Section 105 of the
4 | # United States Code this software is not subject to copyright
5 | # protection and is in the public domain. NIST assumes no
6 | # responsibility whatsoever for its use by other parties, and makes
7 | # no guarantees, expressed or implied, about its quality,
8 | # reliability, or any other characteristic.
9 | #
10 | # We would appreciate acknowledgement if the software is used.
11 |
12 | # This file is defined to support PEP 561:
13 | # https://www.python.org/dev/peps/pep-0561/
14 |
--------------------------------------------------------------------------------
/demos/demo_registry_timeline.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | import os
3 | import sys
4 |
5 | sys.path.append(os.path.join(os.path.dirname(__file__), ".."))
6 | import dfxml
7 |
8 | timeline = []
9 |
10 |
11 | def process(co):
12 | mtime = co.mtime()
13 | if mtime != None:
14 | timeline.append([co.mtime(), co.full_path(), " modified"])
15 |
16 |
17 | def main():
18 | if len(sys.argv) < 2:
19 | print("Usage: {} ".format(sys.argv[0]))
20 | exit(1)
21 | dfxml.read_regxml(xmlfile=open(sys.argv[1], "rb"), callback=process)
22 | timeline.sort()
23 | for record in timeline:
24 | print("\t".join(map(str, record)))
25 |
26 |
27 | if __name__ == "__main__":
28 | main()
29 |
--------------------------------------------------------------------------------
/tests/test_version.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology by employees of the Federal Government in the course
5 | # of their official duties. Pursuant to title 17 Section 105 of the
6 | # United States Code this software is not subject to copyright
7 | # protection and is in the public domain. NIST assumes no
8 | # responsibility whatsoever for its use by other parties, and makes
9 | # no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | import dfxml
15 |
16 |
17 | def test_version() -> None:
18 | assert not dfxml.__version__ is None
19 |
--------------------------------------------------------------------------------
/dfxml/bin/igrep.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | """Usage: igrep imagefile.iso string ...
3 |
4 | Reports the files in which files have the string.
5 | """
6 | import fiwalk
7 |
8 | import dfxml
9 |
10 | if __name__ == "__main__":
11 | import sys
12 | from optparse import OptionParser
13 |
14 | parser = OptionParser()
15 | parser.usage = "%prog [options] image.iso s1"
16 | parser.add_option("-d", "--debug", help="debug", action="store_true")
17 | (options, args) = parser.parse_args()
18 |
19 | if len(args) != 2:
20 | parser.print_help()
21 | sys.exit(1)
22 |
23 | (imagefn, data) = args
24 |
25 | def process(fi):
26 | offset = fi.contents().find(data)
27 | if offset > 0:
28 | print("%s (offset=%d)" % (fi.filename(), offset))
29 |
30 | fiwalk.fiwalk_using_sax(imagefile=open(imagefn), callback=process)
31 |
--------------------------------------------------------------------------------
/dfxml/bin/xdiff.py:
--------------------------------------------------------------------------------
1 | #
2 | # Report the difference between two dfxml files
3 | #
4 | import sys
5 |
6 | from filesdb import filesdb
7 |
8 | import dfxml
9 |
10 | #
11 | # test program. Reads a database and dumps it.
12 | #
13 | if __name__ == "__main__":
14 | from argparse import ArgumentParser
15 |
16 | parser = ArgumentParser(
17 | description="Test the files database with one or more DFXML files"
18 | )
19 | parser.add_argument("xmlfiles", help="XML files to process", nargs="+")
20 |
21 | args = parser.parse_args()
22 | db0 = None
23 | for fn in args.xmlfiles:
24 | db1 = filesdb()
25 | db1.fname = fn
26 | db1.read(fn)
27 | print("{} stats:".format(fn))
28 | db1.print_stats(sys.stdout)
29 | if db0:
30 | print("")
31 | print("Difference from {}".format(db0.fname))
32 | db0 = db1
33 |
--------------------------------------------------------------------------------
/dfxml/bin/validate_dfxml.py:
--------------------------------------------------------------------------------
1 | import os.path
2 | import sys
3 | from optparse import OptionParser
4 | from sys import stdout
5 |
6 | import dfxml.fiwalk as fiwalk
7 |
8 |
9 | def demo_dfxml_time_bug(filename):
10 | parser = OptionParser()
11 | parser.usage = "%prog% [options] xmlfile "
12 | (options, args) = parser.parse_args()
13 | for fi in fiwalk.fileobjects_using_sax(xmlfile=open(filename, "rb")):
14 | fsize = fi.filesize()
15 | try:
16 | mt = fi.mtime()
17 | print("Type of mt:", type(mt))
18 | print("Normal mtime:")
19 | print(mt)
20 | except KeyboardInterrupt:
21 | raise
22 | except:
23 | raise RuntimeException("Abnormal mtime for file with size {}".format(fsize))
24 |
25 |
26 | if __name__ == "__main__":
27 | filename = sys.argv[1]
28 | demo_dfxml_time_bug(filename)
29 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/test_hfsj.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | hdiutil create -size 10m -fs HFS+J -nospotlight -attach -volname image -ov -layout NONE \
4 | -imagekey diskimage-class=CRawDiskImage image.dmg
5 | echo "This is file 1 - snarf" > /Volumes/image/file1.txt
6 | echo "This is file 2 - snarf" > /Volumes/image/file2.txt
7 | sync
8 | hdiutil detach /Volumes/image
9 | cp image.dmg image.gen0.dmg
10 | echo "look for file1 and file2:"
11 | strings -o image.dmg | grep snarf
12 | echo "mount the disk and overwrite the contents of file2"
13 | hdiutil attach image.dmg
14 | echo "New file 1 contents - snarf" | dd of=/Volumes/image/file1.txt
15 | echo ""
16 | echo "===file1.txt==="
17 | cat /Volumes/image/file1.txt
18 | echo ""
19 | echo "===file2.txt==="
20 | cat /Volumes/image/file2.txt
21 | echo ""
22 | hdiutil detach /Volumes/image
23 | cp image.dmg image.gen1.dmg
24 | strings -o image.dmg | grep snarf
25 |
--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed in whole or in part by employees of the
4 | # Federal Government in the course of their official duties, and with
5 | # other Federal assistance. Pursuant to title 17 Section 105 of the
6 | # United States Code portions of this software authored by Federal
7 | # employees are not subject to copyright protection within the United
8 | # States. For portions not authored by Federal employees, the Federal
9 | # Government has been granted unlimited rights, and no claim to
10 | # copyright is made. The Federal Government assumes no responsibility
11 | # whatsoever for its use by other parties, and makes no guarantees,
12 | # expressed or implied, about its quality, reliability, or any other
13 | # characteristic.
14 | #
15 | # We would appreciate acknowledgement if the software is used.
16 |
17 | import setuptools
18 |
19 | setuptools.setup()
20 |
--------------------------------------------------------------------------------
/tests/make_differential_dfxml/README.md:
--------------------------------------------------------------------------------
1 | # `make_differential_dfxml`
2 |
3 | *Source*: [`../../dfxml/bin/make_differential_dfxml.py`](../../dfxml/bin/make_differential_dfxml.py)
4 |
5 | This command takes as input two DFXML files, and outputs a DFXML document showing differential annotations. Output is sent to `stdout`.
6 |
7 | This tool was introduced in [Nelson et al., DFRWS 2014](https://doi.org/10.1016/j.diin.2014.05.004).
8 |
9 |
10 | ## Usage
11 |
12 | ```bash
13 | make_differential_dfxml input_1.dfxml input_2.dfxml > deltas.dfxml
14 | ```
15 |
16 | If one is using the [DFXML Objects module](../../dfxml/objects.py), the differentially-annotated DFXML can be analyzed by referring to each encountered `FileObject`'s property `.annos`. See e.g. [`summarize_differential_dfxml.py`](../../dfxml/bin/summarize_differential_dfxml.py)'s output for [changes scoped to single file systems](differential_dfxml_test_by_path_01.txt), or [changes that cross file systems](differential_dfxml_test_by_times_23.txt).
17 |
--------------------------------------------------------------------------------
/demos/demo_mac_timeline.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # produce a MAC-times timeline.
3 | # works under either Python2 or Python3
4 | import os
5 | import sys
6 |
7 | sys.path.append(os.path.join(os.path.dirname(__file__), ".."))
8 | import dfxml
9 |
10 | timeline = []
11 |
12 |
13 | def process(fi):
14 | if fi.mtime() != None:
15 | timeline.append([fi.mtime(), fi.filename(), " modified"])
16 | if fi.crtime() != None:
17 | timeline.append([fi.crtime(), fi.filename(), " created"])
18 | if fi.ctime() != None:
19 | timeline.append([fi.ctime(), fi.filename(), " changed"])
20 | if fi.atime() != None:
21 | timeline.append([fi.atime(), fi.filename(), " accessed"])
22 |
23 |
24 | def main():
25 | if len(sys.argv) < 2:
26 | print("Usage: {} ".format(sys.argv[0]))
27 | exit(1)
28 | dfxml.read_dfxml(xmlfile=open(sys.argv[1], "rb"), callback=process)
29 | timeline.sort()
30 | for record in timeline:
31 | print("\t".join(map(str, record)))
32 |
33 |
34 | if __name__ == "__main__":
35 | main()
36 |
--------------------------------------------------------------------------------
/demos/demo_sizes.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3.2
2 |
3 | #
4 | # Demo program that shows how to calculate the average size of file objects in a DFXML file
5 | #
6 |
7 | import collections
8 | import math
9 | import os
10 | import sys
11 |
12 | sys.path.append(os.path.join(os.path.dirname(__file__), ".."))
13 | import dfxml
14 |
15 | sums = collections.Counter()
16 | sum_of_squares = collections.Counter()
17 | count = collections.Counter()
18 |
19 |
20 | def func(fi):
21 | ext = fi.ext()
22 | count[ext] += 1
23 | sums[ext] += fi.filesize()
24 | sum_of_squares[ext] = fi.filesize() ** 2
25 |
26 |
27 | dfxml.read_dfxml(xmlfile=open(sys.argv[1], "rb"), callback=func)
28 | fmt = "{:8} {:8} {:8} {:8} {:8}"
29 | print(fmt.format("Ext", "Count", "Total", "Average", "StdDev"))
30 | for ext in sums.keys():
31 | print(
32 | fmt.format(
33 | ext,
34 | count[ext],
35 | sums[ext],
36 | sums[ext] / count[ext],
37 | math.sqrt(sum_of_squares[ext] / count[ext] - (sums[ext] / count[ext]) ** 2),
38 | )
39 | )
40 |
--------------------------------------------------------------------------------
/demos/demo_plot_times.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import os
3 | import sys
4 | import time
5 |
6 | import fiwalk
7 |
8 | sys.path.append(os.path.join(os.path.dirname(__file__), ".."))
9 | import dfxml
10 |
11 | if __name__ == "__main__":
12 | import sys
13 | from optparse import OptionParser
14 | from sys import stdout
15 |
16 | parser = OptionParser()
17 | parser.usage = "%prog [options] (xmlfile or imagefile)"
18 | (options, args) = parser.parse_args()
19 |
20 | if not args:
21 | parser.print_usage()
22 | exit(1)
23 |
24 | sizes = []
25 | dates = {}
26 |
27 | def callback(fi):
28 | sizes.append(fi.filesize())
29 | for tag, val in fi.times().iteritems():
30 | date = val.datetime()
31 | dates[date] = dates.get(date, 0) + 1
32 |
33 | fn = args[0]
34 | if fn.endswith(".xml"):
35 | fiwalk.fiwalk_using_sax(xmlfile=open(fn), callback=callback)
36 | else:
37 | fiwalk.fiwalk_using_sax(imagefile=open(fn), callback=callback)
38 |
39 | print("Here is the dates array:")
40 | for d in sorted(dates.keys()):
41 | print("{} {}".format(d, dates[d]))
42 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/test_redact.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | /bin/rm -f testdisk.dmg redact.cfg
3 | hdiutil create -size 1m -fs MS-DOS -nospotlight -attach -volname testdisk testdisk.dmg
4 | echo "This is the zero file. FILE0001." > /Volumes/TESTDISK/file0.txt
5 | echo "This is the first file. FILE0001." > /Volumes/TESTDISK/file1.txt
6 | echo "This is the second file. FILE0002." > /Volumes/TESTDISK/file2.txt
7 | echo "This is the third file. FILE0003." > /Volumes/TESTDISK/file3.txt
8 | echo "This is the fourth file. FILE0004." > /Volumes/TESTDISK/file4.txt
9 | echo "This is the fifth file. FILE0005." > /Volumes/TESTDISK/file5.txt
10 | echo "This is the dixth file. FILE0006." > /Volumes/TESTDISK/file6.txt
11 | hdiutil detach /Volumes/TESTDISK
12 | cat > redact.cfg < None:
16 | """Generate filesystem metadata for disk image and and write resulting
17 | dfxml to file"""
18 | # Analyse image file
19 | with open(imageFile, "rb") as ifs:
20 | fwOutBuffer = fiwalk.fiwalk_xml_stream(imagefile=ifs)
21 | fwOut = fwOutBuffer.read()
22 |
23 | # Write dfxml to output file
24 | with io.open(outFile, "wb") as fOut:
25 | fOut.write(fwOut)
26 |
27 |
28 | def main() -> None:
29 | if len(sys.argv) < 3:
30 | print("Usage: {} ".format(sys.argv[0]))
31 | exit(1)
32 | imageFile = sys.argv[1]
33 | outFile = sys.argv[2]
34 | writeDfxml(imageFile, outFile)
35 |
36 |
37 | if __name__ == "__main__":
38 | main()
39 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/FileObject_from_stat_test.py:
--------------------------------------------------------------------------------
1 | # This software was developed at the National Institute of Standards
2 | # and Technology in whole or in part by employees of the Federal
3 | # Government in the course of their official duties. Pursuant to
4 | # title 17 Section 105 of the United States Code portions of this
5 | # software authored by NIST employees are not subject to copyright
6 | # protection and are in the public domain. For portions not authored
7 | # by NIST employees, NIST has been granted unlimited rights. NIST
8 | # assumes no responsibility whatsoever for its use by other parties,
9 | # and makes no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | __version__ = "0.1.1"
15 |
16 | import logging
17 | import os
18 | import sys
19 |
20 | import dfxml.objects as Objects
21 |
22 |
23 | def test_all():
24 | logging.basicConfig(level=logging.DEBUG)
25 | _logger = logging.getLogger(os.path.basename(__file__))
26 |
27 | f0 = Objects.FileObject()
28 | f0.populate_from_stat(os.stat(__file__))
29 | _logger.debug("f0.to_dfxml() = %r" % f0.to_dfxml())
30 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/RegXMLObject_test.py:
--------------------------------------------------------------------------------
1 | # This software was developed at the National Institute of Standards
2 | # and Technology in whole or in part by employees of the Federal
3 | # Government in the course of their official duties. Pursuant to
4 | # title 17 Section 105 of the United States Code portions of this
5 | # software authored by NIST employees are not subject to copyright
6 | # protection and are in the public domain. For portions not authored
7 | # by NIST employees, NIST has been granted unlimited rights. NIST
8 | # assumes no responsibility whatsoever for its use by other parties,
9 | # and makes no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | __version__ = "0.1.1"
15 |
16 | import os
17 | import sys
18 |
19 | import diffing_CellObject_test
20 | import diffing_HiveObject_test
21 |
22 | import dfxml.objects as Objects
23 |
24 |
25 | def test_all():
26 | ro = Objects.RegXMLObject(version="0.2")
27 | ho = Objects.HiveObject()
28 | ho.append(diffing_CellObject_test.get_co())
29 | ho.append(diffing_CellObject_test.get_nco())
30 | ro.append(diffing_HiveObject_test.get_ho())
31 | ro.print_regxml()
32 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/diffing_TimestampObject_test.py:
--------------------------------------------------------------------------------
1 | # This software was developed at the National Institute of Standards
2 | # and Technology in whole or in part by employees of the Federal
3 | # Government in the course of their official duties. Pursuant to
4 | # title 17 Section 105 of the United States Code portions of this
5 | # software authored by NIST employees are not subject to copyright
6 | # protection and are in the public domain. For portions not authored
7 | # by NIST employees, NIST has been granted unlimited rights. NIST
8 | # assumes no responsibility whatsoever for its use by other parties,
9 | # and makes no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | __version__ = "0.1.1"
15 |
16 | import copy
17 | import logging
18 | import os
19 | import sys
20 |
21 | import dfxml.objects as Objects
22 |
23 |
24 | def test_all():
25 | t0 = Objects.TimestampObject()
26 | t0.name = "mtime"
27 | t0.prec = "2s"
28 |
29 | t1 = copy.deepcopy(t0)
30 |
31 | assert t0 == t1
32 |
33 | t0e = t0.to_Element()
34 | t2 = Objects.TimestampObject()
35 | t2.populate_from_Element(t0e)
36 |
37 | assert t0 == t2
38 |
39 | t2.prec = "100"
40 |
41 | assert t0 != t2
42 |
--------------------------------------------------------------------------------
/dfxml/bin/iblkfind.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | """Usage: iblkfind imagefile.iso s1 [s2 s3 ...] ...
3 |
4 | Reports the files in which sectors s1, s2, s3... are located.
5 | """
6 | import sys
7 |
8 | import dfxml
9 |
10 | if __name__ == "__main__":
11 | from optparse import OptionParser
12 |
13 | parser = OptionParser()
14 | parser.usage = "%prog [options] imagefile-or-xmlfile s1 [s2 s3 s3 ...]"
15 | parser.add_option(
16 | "--offset", help="values are byte offsets, not sectors", action="store_true"
17 | )
18 | parser.add_option("--blocksize", help="specify sector blockszie", default=512)
19 | (options, args) = parser.parse_args()
20 |
21 | if len(args) < 1:
22 | parser.print_help()
23 | sys.exit(1)
24 | fn = args[0]
25 |
26 | print(args)
27 | print("Processing %s" % fn)
28 | print("Searching for %s" % ", ".join(args[1:]))
29 |
30 | divisor = 1
31 | if options.offset:
32 | divisor = options.blocksize
33 |
34 | sectors = set([int(s) / divisor for s in args[1:]])
35 |
36 | def process(fi):
37 | for s in sectors:
38 | if fi.has_sector(s):
39 | print("%d\t%s" % (s, fi.filename()))
40 |
41 | if not fn.endswith(".xml"):
42 | print("iblkfind requires an XML file")
43 | exit(1)
44 | dfxml.read_dfxml(xmlfile=open(args[0], "rb"), callback=process)
45 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/diff_file_ignore_sample_dfxml_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology by employees of the Federal Government in the course
5 | # of their official duties. Pursuant to title 17 Section 105 of the
6 | # United States Code this software is not subject to copyright
7 | # protection and is in the public domain. NIST assumes no
8 | # responsibility whatsoever for its use by other parties, and makes
9 | # no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | __version__ = "0.1.1"
15 |
16 | import logging
17 | import os
18 | import sys
19 |
20 | import dfxml.objects as Objects
21 |
22 |
23 | def main():
24 | dobj = Objects.DFXMLObject()
25 | dobj.diff_file_ignores.add("atime")
26 | dobj.diff_file_ignores.add("crtime")
27 | with open(args.out_dfxml, "w") as fh:
28 | dobj.print_dfxml(fh)
29 |
30 |
31 | if __name__ == "__main__":
32 | import argparse
33 |
34 | parser = argparse.ArgumentParser()
35 | parser.add_argument("-d", "--debug", action="store_true")
36 | parser.add_argument("out_dfxml")
37 | args = parser.parse_args()
38 | logging.basicConfig(level=logging.DEBUG if args.debug else logging.INFO)
39 | main()
40 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/objects_test.py:
--------------------------------------------------------------------------------
1 | # Unit tests for objects
2 |
3 |
4 | __version__ = "0.1.1"
5 |
6 | import os
7 | import sys
8 |
9 | from dfxml.objects import *
10 | from dfxml.objects import _intcast, _logger, _qsplit
11 |
12 |
13 | def test_all():
14 | assert _intcast(-1) == -1
15 | assert _intcast("-1") == -1
16 | assert _qsplit("{http://www.w3.org/2001/XMLSchema}all") == (
17 | "http://www.w3.org/2001/XMLSchema",
18 | "all",
19 | )
20 | assert _qsplit("http://www.w3.org/2001/XMLSchema}all") == (
21 | None,
22 | "http://www.w3.org/2001/XMLSchema}all",
23 | )
24 |
25 | fi = FileObject()
26 |
27 | # Check property setting
28 | fi.mtime = "1999-12-31T23:59:59Z"
29 | _logger.debug("fi = %r" % fi)
30 |
31 | # Check bad property setting
32 | failed = None
33 | try:
34 | fi.mtime = "Not a timestamp"
35 | failed = False
36 | except:
37 | failed = True
38 | _logger.debug("fi = %r" % fi)
39 | _logger.debug("failed = %r" % failed)
40 | assert failed == True
41 |
42 | t0 = TimestampObject(prec="100ns", name="mtime")
43 | _logger.debug("t0 = %r" % t0)
44 | assert t0.prec[0] == 100
45 | assert t0.prec[1] == "ns"
46 | t1 = TimestampObject("2009-01-23T01:23:45Z", prec="2", name="atime")
47 | _logger.debug("t1 = %r" % t1)
48 | assert t1.prec[0] == 2
49 | assert t1.prec[1] == "s"
50 |
--------------------------------------------------------------------------------
/.github/workflows/supply-chain.yml:
--------------------------------------------------------------------------------
1 | # Portions of this file contributed by NIST are governed by the
2 | # following statement:
3 | #
4 | # This software was developed at the National Institute of Standards
5 | # and Technology by employees of the Federal Government in the course
6 | # of their official duties. Pursuant to title 17 Section 105 of the
7 | # United States Code this software is not subject to copyright
8 | # protection and is in the public domain. NIST assumes no
9 | # responsibility whatsoever for its use by other parties, and makes
10 | # no guarantees, expressed or implied, about its quality,
11 | # reliability, or any other characteristic.
12 | #
13 | # We would appreciate acknowledgement if the software is used.
14 |
15 | # This workflow uses Make to review direct dependencies of this
16 | # repository.
17 |
18 | name: Supply Chain
19 |
20 | on:
21 | schedule:
22 | - cron: '15 5 * * 1,2,3,4,5'
23 |
24 | jobs:
25 | build:
26 |
27 | runs-on: ubuntu-latest
28 | strategy:
29 | matrix:
30 | python-version:
31 | - '3.9'
32 | - '3.13'
33 |
34 | steps:
35 | - uses: actions/checkout@v4
36 | with:
37 | fetch-depth: 0
38 | - name: Set up Python ${{ matrix.python-version }}
39 | uses: actions/setup-python@v5
40 | with:
41 | python-version: ${{ matrix.python-version }}
42 | - name: Review dependencies
43 | run: make check-supply-chain
44 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/DFXMLObject_program_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | __version__ = "0.1.1"
17 |
18 | import os
19 | import sys
20 |
21 | import dfxml.objects as Objects
22 |
23 |
24 | def main():
25 | dobj = Objects.parse(args.in_dfxml)
26 | assert dobj.program == args.expected_program
27 | assert dobj.program_version == args.expected_program_version
28 |
29 |
30 | if __name__ == "__main__":
31 | import argparse
32 |
33 | parser = argparse.ArgumentParser()
34 | parser.add_argument("in_dfxml")
35 | parser.add_argument("expected_program")
36 | parser.add_argument("expected_program_version")
37 | args = parser.parse_args()
38 |
39 | main()
40 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/diff_file_ignore_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology by employees of the Federal Government in the course
5 | # of their official duties. Pursuant to title 17 Section 105 of the
6 | # United States Code this software is not subject to copyright
7 | # protection and is in the public domain. NIST assumes no
8 | # responsibility whatsoever for its use by other parties, and makes
9 | # no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | __version__ = "0.1.1"
15 |
16 | import logging
17 | import os
18 | import sys
19 |
20 | import dfxml.objects as Objects
21 |
22 |
23 | def main():
24 | dobj = Objects.parse(args.in_dfxml)
25 | assert not dobj is None
26 | _logger = logging.getLogger(os.path.basename(__file__))
27 | _logger.debug("dobj.diff_file_ignores = %r." % dobj.diff_file_ignores)
28 | assert "atime" in dobj.diff_file_ignores
29 | assert "crtime" in dobj.diff_file_ignores
30 |
31 |
32 | if __name__ == "__main__":
33 | import argparse
34 |
35 | parser = argparse.ArgumentParser()
36 | parser.add_argument("-d", "--debug", action="store_true")
37 | parser.add_argument("in_dfxml")
38 | args = parser.parse_args()
39 | logging.basicConfig(level=logging.DEBUG if args.debug else logging.INFO)
40 | main()
41 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/VolumeObject_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | __version__ = "0.1.1"
17 |
18 | import logging
19 | import os
20 | import sys
21 |
22 | import libtest
23 |
24 | import dfxml.objects as Objects
25 |
26 | _logger = logging.getLogger(os.path.basename(__file__))
27 |
28 |
29 | def test_empty_object():
30 | dobj = Objects.DFXMLObject()
31 | vobj = Objects.VolumeObject()
32 | dobj.append(vobj)
33 |
34 | # Do file I/O round trip.
35 | (tmp_filename, dobj_reconst) = libtest.file_round_trip_dfxmlobject(dobj)
36 | try:
37 | vobj_reconst = dobj_reconst.volumes[0]
38 | except:
39 | _logger.debug("tmp_filename = %r." % tmp_filename)
40 | raise
41 | os.remove(tmp_filename)
42 |
--------------------------------------------------------------------------------
/demos/vmstats/vmstats_decode.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | History for {{host}}
5 |
6 |
7 |
14 |
15 |
16 |
21 |
22 |
Stats
23 |
24 | | CPU Utilization: | {{cpu_percent}} % |
|---|
25 | | Mem Utilization: | {{mem_percent}} % |
|---|
26 |
27 |
30 |
Processes
31 |
32 | | | CPU Time |
|---|
33 | | PID | NAME | User | System |
|---|
34 |
35 | {% for ps in ps_list %}
36 | | {{ps.pid}} | {{ps.name}} | {{ps.user}} | {{ps.system}} |
|---|
37 | {% endfor %}
38 |
39 |
47 |
48 |
49 | | Property |
50 | """
51 | )
52 | for anno in annos:
53 | print(" %s | " % anno)
54 | print(
55 | """
56 |
57 |
58 |
59 |
60 | """
61 | )
62 | for diff in sorted(Objects.FileObject._all_properties):
63 | print(" ")
64 | if diff in Objects.FileObject._incomparable_properties:
65 | continue
66 | print(" | %s | " % diff)
67 | for anno in annos:
68 | print(" %d | " % hist[(anno, diff)])
69 | print("
")
70 | print(
71 | """
72 |
73 |
74 | """
75 | )
76 |
77 |
78 | if __name__ == "__main__":
79 | main()
80 |
--------------------------------------------------------------------------------
/dfxml/bin/imap.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | """Usage: imap imagefile0.iso imagefile1.iso imagefile2.iso ...
3 |
4 | Produces a map of imagefile0.iso, using the other image files as "hints" for missing
5 | data. Only reports files that have been allocated; deleted files are reported only if
6 | they can be found allocated in another file.
7 | """
8 | import dfxml.fiwalk as fiwalk
9 |
10 | ################################################################
11 | if __name__ == "__main__":
12 | import sys
13 | from optparse import OptionParser
14 | from sys import stdout
15 |
16 | parser = OptionParser()
17 | parser.usage = "%prog [options] image.iso "
18 | parser.add_option("-d", "--debug", help="debug", action="store_true")
19 | (options, args) = parser.parse_args()
20 |
21 | if len(args) < 1:
22 | parser.print_help()
23 | sys.exit(1)
24 |
25 | imagefile = open(args[0], "r")
26 | annotated_runs = []
27 | # TODO - This debug statement needs to moved to somewhere appropriate after an image read.
28 | # if options.debug: print("Read %d file objects from %s" % (len(fileobjects),imagefile.name))
29 |
30 | def cb(fi):
31 | if options.debug:
32 | print("Read " + str(fi))
33 | fragment_num = 1
34 | for run in fi.byte_runs():
35 | annotated_runs.append((run.img_offset, run, fragment_num, fi))
36 | fragment_num += 1
37 |
38 | fiwalk.fiwalk_using_sax(imagefile=imagefile, callback=cb)
39 |
40 | next_sector = 0
41 |
42 | for ip, run, fragment_num, fi in sorted(annotated_runs):
43 | extra = ""
44 | fragment = ""
45 | start_sector = run.img_offset / 512
46 | sector_count = int(run.bytes / 512)
47 | partial = run.bytes % 512
48 |
49 | if not fi.allocated():
50 | print("***")
51 |
52 | if not fi.file_present(): # it's not here!
53 | continue
54 |
55 | if partial > 0:
56 | sector_count += 1
57 | extra = "(%3d bytes slack)" % (512 - partial)
58 |
59 | if fi.fragments() > 2:
60 | fragment = "fragment %d" % fragment_num
61 |
62 | if next_sector != start_sector:
63 | print(
64 | " <-- %5d unallocated sectors @ sector %5d -->"
65 | % (start_sector - next_sector, next_sector)
66 | )
67 |
68 | print(
69 | "[ %6d -> %6d sectors %18s ] %s %s "
70 | % (start_sector, sector_count, extra, fi.filename(), fragment)
71 | )
72 |
73 | next_sector = start_sector + sector_count
74 |
--------------------------------------------------------------------------------
/tests/walk_to_dfxml/Makefile:
--------------------------------------------------------------------------------
1 | #!/usr/bin/make -f
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology by employees of the Federal Government in the course
5 | # of their official duties. Pursuant to title 17 Section 105 of the
6 | # United States Code this software is not subject to copyright
7 | # protection and is in the public domain. NIST assumes no
8 | # responsibility whatsoever for its use by other parties, and makes
9 | # no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | # Bash selection is described in the top-level Makefile.
15 | ifeq ($(shell basename $(SHELL)),sh)
16 | SHELL := $(shell which /bin/bash 2>/dev/null || which /usr/local/bin/bash)
17 | endif
18 |
19 | top_srcdir := $(shell cd ../.. ; pwd)
20 |
21 | tests_srcdir := $(top_srcdir)/tests
22 |
23 | all: \
24 | walk_ignore_genprops.dfxml \
25 | walk_ignore_hashes.dfxml
26 |
27 | .scaffolding.done.log:
28 | rm -rf walk_ignore_test
29 | mkdir -p walk_ignore_test/foo/bar/baz
30 | echo 'contents c' > walk_ignore_test/foo/bar/baz/c
31 | echo 'contents b' > walk_ignore_test/foo/bar/b
32 | echo 'contents a' > walk_ignore_test/foo/a
33 | touch $@
34 |
35 | check: \
36 | walk_ignore_genprops.dfxml \
37 | walk_ignore_hashes.dfxml
38 | source $(tests_srcdir)/venv/bin/activate \
39 | && pytest \
40 | --log-level=DEBUG
41 |
42 | clean:
43 | @rm -f \
44 | .scaffolding.done.log \
45 | *.dfxml
46 | @rm -rf \
47 | walk_ignore_test/
48 |
49 | walk_ignore_genprops.dfxml: \
50 | $(tests_srcdir)/.venv.done.log \
51 | $(top_srcdir)/dfxml/bin/walk_to_dfxml.py \
52 | .scaffolding.done.log
53 | rm -f \
54 | __$@ \
55 | _$@
56 | source $(tests_srcdir)/venv/bin/activate \
57 | && cd walk_ignore_test \
58 | && walk_to_dfxml \
59 | -i atime \
60 | -i ctime \
61 | -i crtime \
62 | -i gid \
63 | -i inode \
64 | -i mtime@d \
65 | -i uid \
66 | > ../__$@
67 | xmllint \
68 | --format \
69 | __$@ \
70 | > _$@
71 | rm __$@
72 | mv _$@ $@
73 |
74 | walk_ignore_hashes.dfxml: \
75 | $(tests_srcdir)/.venv.done.log \
76 | $(top_srcdir)/dfxml/bin/walk_to_dfxml.py \
77 | .scaffolding.done.log
78 | rm -f \
79 | __$@ \
80 | _$@
81 | source $(tests_srcdir)/venv/bin/activate \
82 | && cd walk_ignore_test \
83 | && walk_to_dfxml \
84 | --ignore-hashes \
85 | > ../__$@
86 | xmllint \
87 | --format \
88 | __$@ \
89 | > _$@
90 | rm __$@
91 | mv _$@ $@
92 |
--------------------------------------------------------------------------------
/dfxml/bin/dedup.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | #
3 | # dedup - detect and optionally remove duplicates based on a DFXML file
4 |
5 | import os
6 | import xml
7 |
8 | import dfxml
9 |
10 |
11 | class dedup:
12 | def __init__(self):
13 | from collections import defaultdict
14 |
15 | self.seen = defaultdict(list)
16 | self.files = 0
17 | self.md5s = 0
18 |
19 | def process(self, fi):
20 | self.files += 1
21 | if fi.md5():
22 | self.seen[fi.md5()].append(fi.filename())
23 | self.md5s += 1
24 |
25 | def find_dups(self, cb=None):
26 | for md5, names in self.seen.items():
27 | if cb and len(names) > 1:
28 | cb(names)
29 |
30 | def report(self, func, cb):
31 | for md5, names in self.seen.items():
32 | if func(names):
33 | cb(names)
34 |
35 |
36 | def process_dups(names):
37 | print("dups: ", names)
38 |
39 |
40 | if __name__ == "__main__":
41 | from argparse import ArgumentParser
42 |
43 | global options
44 |
45 | parser = ArgumentParser()
46 | parser.add_argument("dfxml", type=str)
47 | parser.add_argument("--verbose", action="store_true")
48 | parser.add_argument(
49 | "--prefix", type=str, help="Only output files with the given prefix"
50 | )
51 | parser.add_argument(
52 | "--distinct", action="store_true", help="Report the distinct files"
53 | )
54 | parser.add_argument(
55 | "--dups",
56 | action="store_true",
57 | help="Report the files that are dups, and give dup count",
58 | )
59 | args = parser.parse_args()
60 |
61 | dobj = dedup()
62 |
63 | try:
64 | dfxml.read_dfxml(open(args.dfxml, "rb"), callback=dobj.process)
65 | except xml.parsers.expat.ExpatError:
66 | pass
67 |
68 | print(
69 | "Total files: {:,} total MD5s processed: {:,} Unique MD5s: {:,}".format(
70 | dobj.files, dobj.md5s, len(dobj.seen)
71 | )
72 | )
73 |
74 | if args.distinct:
75 |
76 | def report_distinct(names):
77 | if args.prefix and not names[0].startswith(args.prefix):
78 | return
79 | print("distinct: ", names[0])
80 |
81 | dobj.report(lambda names: len(names) == 1, report_distinct)
82 |
83 | if args.dups:
84 |
85 | def report_dups(names):
86 | for name in names:
87 | if not args.prefix or name.startswith(args.prefix):
88 | print("dups: {} {}".format(name, len(names)))
89 |
90 | dobj.report(lambda names: len(names) > 1, report_dups)
91 |
--------------------------------------------------------------------------------
/samples/difference_test_1.xml:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 | Sample
9 |
10 |
11 | vi
12 | 8.0
13 |
14 | vi post.xml
15 |
16 |
17 |
18 |
19 | i_am_new.txt
20 | r
21 | 40
22 | 123459
23 | 2013-05-16T21:01:00Z
24 | 2013-05-16T21:01:00Z
25 | 2013-05-16T21:01:00Z
26 |
27 |
28 |
29 | 55b228770d96e4dbd1b218f4f07d8aae
30 | 8632a06e80eefbaf702ac6a44e633937e2be7186
31 | 77f380ce33609d55f8b874833c4495282fdf54869912822cde05c68090a60a18
32 |
33 |
34 | i_will_be_modified.txt
35 | r
36 | 23
37 | 123457
38 | 2013-05-16T20:59:00Z
39 | 2013-05-16T20:59:00Z
40 | 2013-05-16T20:59:00Z
41 |
42 |
43 |
44 | a6d9ebd95bcd3602b757ea63f9dd02ab
45 | 1e087807678a33ebbde2624341184c14303675a3
46 | e49ff8fc09127f458830d7328b0aaabed46cab5bbeb1a22e4c93d762025be281
47 |
48 |
49 | i_will_be_accessed.txt
50 | r
51 | 12
52 | 123458
53 | 2013-01-01T00:00:00Z
54 | 2013-01-01T00:00:00Z
55 | 2013-05-16T21:00:00Z
56 |
57 |
58 |
59 | f3a8f17b47f1fe899805c25b8f5a26b0
60 | b439e832cb243e18f6bfc21ca0150de3ef4c6f27
61 | 3c4ace963a2a069a92d8abaa7c77d88e118758eff65c5180fed6534e75889bf3
62 |
63 |
64 |
--------------------------------------------------------------------------------
/dfxml/bin/iexport.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | """iexport.py: export the unallocated spaces."""
3 |
4 |
5 | class Run:
6 | """Keeps track of a single run"""
7 |
8 | def __init__(self, start, len):
9 | self.start = start
10 | self.len = len
11 | self.end = start + len - 1
12 |
13 | def __str__(self):
14 | return "Run<%d--%d> (len %d)" % (self.start, self.end, self.len)
15 |
16 | def contains(self, b):
17 | """Returns true if b is inside self."""
18 | print(
19 | "%d <= %d <= %d = %s"
20 | % (self.start, b, self.end, (self.start <= b <= self.end))
21 | )
22 | return self.start <= b <= self.end
23 |
24 | def intersects_run(self, r):
25 | """Return true if self intersects r. This may be because r.start is
26 | inside the run, r.end is inside the run, or self is inside the run."""
27 | return self.contains(r.start) or self.contains(r.end) or r.contains(self.start)
28 |
29 | def contains_run(self, r):
30 | """Returns true if self completely contains r"""
31 | return self.contains(r.start) and self.contains(r.end)
32 |
33 |
34 | class RunDB:
35 | """The RunDB maintains a list of all the runs in a disk image. The
36 | RunDB is created with a single run that represents all of the sectors
37 | in the disk image. Runs can then be removed, which causes existing
38 | runs to be split. Finally all of the remaining runs can be removed."""
39 |
40 | def __init__(self, start, len):
41 | self.runs = [Run(start, len)]
42 |
43 | def __str__(self):
44 | return "RunDB\n" + "\n".join([str(p) for p in self.runs])
45 |
46 | def intersecting_runs(self, r):
47 | """Return a list of all the Runs that intersect with r.
48 | This may be because r.start is inside the run, r.end is inside
49 | the run, because the run completely encloses r, or because r completely
50 | encloses the run."""
51 | return filter(lambda x: x.intersects_run(r), self.runs)
52 |
53 | def remove(self, r):
54 | """Remove run r"""
55 | for p in self.intersecting_runs(r):
56 | self.runs.remove(p)
57 |
58 | # if P is completely inside r, just remove it
59 | if r.contains_run(p):
60 | continue
61 |
62 | # Split p into before and after r; add the non-zero pieces
63 | before_len = r.start - p.start
64 | if before_len > 0:
65 | self.runs.append(Run(p.start, before_len))
66 | after_len = p.end - r.end
67 | if after_len > 0:
68 | self.runs.append(Run(r.end, after_len))
69 |
--------------------------------------------------------------------------------
/samples/difference_test_0.xml:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 | Sample
9 |
10 |
11 | vi
12 | 8.0
13 |
14 | vi pre.xml
15 |
16 |
17 |
18 |
19 | i_will_be_deleted.txt
20 | r
21 | 20
22 | 123456
23 | 2013-01-01T00:00:00Z
24 | 2013-01-01T00:00:00Z
25 | 2013-01-01T00:00:00Z
26 |
27 |
28 |
29 | e834b5c2f64759832fb33ec53c8b5028
30 | 9125cb87b8f0035c22d3efad2b0473367cc456ca
31 | c75d73927a6ca221ccc71c4f4dee9286fce2b5cf7122950c73157cbf821af07f
32 |
33 |
34 | i_will_be_modified.txt
35 | r
36 | 22
37 | 123457
38 | 2013-01-01T00:00:00Z
39 | 2013-01-01T00:00:00Z
40 | 2013-01-01T00:00:00Z
41 |
42 |
43 |
44 | e91577092351461d7800ef7b870a2bcf
45 | 44e426344f15bd7621ca2f9ffea70d29752dccda
46 | 1a13a4bb62ab8549fa4836cc5ae37803217ab10c3fba4c1204b216485dcf1357
47 |
48 |
49 | i_will_be_accessed.txt
50 | r
51 | 12
52 | 123458
53 | 2013-01-01T00:00:00Z
54 | 2013-01-01T00:00:00Z
55 | 2013-01-01T00:00:00Z
56 |
57 |
58 |
59 | f3a8f17b47f1fe899805c25b8f5a26b0
60 | b439e832cb243e18f6bfc21ca0150de3ef4c6f27
61 | 3c4ace963a2a069a92d8abaa7c77d88e118758eff65c5180fed6534e75889bf3
62 |
63 |
64 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/PartitionSystemObject_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | __version__ = "0.1.1"
17 |
18 | import logging
19 | import os
20 | import sys
21 |
22 | import libtest
23 |
24 | import dfxml.objects as Objects
25 |
26 | _logger = logging.getLogger(os.path.basename(__file__))
27 |
28 |
29 | def test_empty_object():
30 | dobj = Objects.DFXMLObject()
31 | psobj = Objects.PartitionSystemObject()
32 | dobj.append(psobj)
33 |
34 | # Do file I/O round trip.
35 | (tmp_filename, dobj_reconst) = libtest.file_round_trip_dfxmlobject(dobj)
36 | try:
37 | psobj_reconst = dobj_reconst.partition_systems[0]
38 | except:
39 | _logger.debug("tmp_filename = %r." % tmp_filename)
40 | raise
41 | os.remove(tmp_filename)
42 |
43 |
44 | def test_error_element_order():
45 | dobj = Objects.DFXMLObject()
46 | psobj = Objects.PartitionSystemObject()
47 | fobj = Objects.FileObject()
48 |
49 | psobj.pstype_str = "gpt"
50 |
51 | # The error element should come after the fileobject stream.
52 | psobj.error = "foo"
53 |
54 | # Add a unallocated file object found floating in the partition system.
55 | fobj.alloc_inode = False
56 | fobj.alloc_name = False
57 |
58 | dobj.append(psobj)
59 | psobj.append(fobj)
60 |
61 | el = dobj.to_Element()
62 |
63 | # Confirm error comes after file stream.
64 | assert el[-1][0].tag.endswith("pstype_str")
65 | assert el[-1][-2].tag.endswith("fileobject")
66 | assert el[-1][-1].tag.endswith("error")
67 |
68 | # Do file I/O round trip.
69 | (tmp_filename, dobj_reconst) = libtest.file_round_trip_dfxmlobject(dobj)
70 | psobj_reconst = dobj_reconst.partition_systems[0]
71 | try:
72 | assert psobj_reconst.pstype_str == "gpt"
73 | assert psobj_reconst.error == "foo"
74 | except:
75 | _logger.debug("tmp_filename = %r." % tmp_filename)
76 | raise
77 | os.remove(tmp_filename)
78 |
--------------------------------------------------------------------------------
/tests/misc_bin_tests/test_mac_timelines.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | # Determine script location
17 | SCRIPT="$(realpath $0)"
18 | SCRIPT_DIR="$(dirname ${SCRIPT})"
19 |
20 | # Guarantee sane defaults
21 | . ${SCRIPT_DIR}/_sane_defaults.sh ${SCRIPT_DIR}
22 |
23 | # Choose python interpreter
24 | source ${TEST_DIR}/_pick_pythons.sh
25 |
26 | # Halt on error
27 | set -e
28 | # Display all executed commands
29 | set -x
30 |
31 | "$PYTHON2" $DEMO_DIR/demo_mac_timeline.py ../samples/simple.xml >demo_mac_timeline_simple_p2.txt
32 | test 12 == $(cat demo_mac_timeline_simple_p2.txt | wc -l)
33 |
34 | "$PYTHON3" $DEMO_DIR/demo_mac_timeline.py ../samples/simple.xml >demo_mac_timeline_simple_p3.txt
35 | test 12 == $(cat demo_mac_timeline_simple_p3.txt | wc -l)
36 |
37 | "$PYTHON2" $DEMO_DIR/demo_mac_timeline_iter.py ../samples/simple.xml >demo_mac_timeline_iter_simple_p2.txt
38 | test 12 == $(cat demo_mac_timeline_iter_simple_p2.txt | wc -l)
39 |
40 | "$PYTHON3" $DEMO_DIR/demo_mac_timeline_iter.py ../samples/simple.xml >demo_mac_timeline_iter_simple_p3.txt
41 | test 12 == $(cat demo_mac_timeline_iter_simple_p3.txt | wc -l)
42 |
43 | "$PYTHON2" $DEMO_DIR/demo_mac_timeline_objects.py ../samples/simple.xml >demo_mac_timeline_objects_simple_p2.txt
44 | test 12 == $(cat demo_mac_timeline_iter_simple_p2.txt | wc -l)
45 |
46 | "$PYTHON3" $DEMO_DIR/demo_mac_timeline_objects.py ../samples/simple.xml >demo_mac_timeline_objects_simple_p3.txt
47 | test 12 == $(cat demo_mac_timeline_iter_simple_p3.txt | wc -l)
48 |
49 | "$PYTHON3" $DEMO_DIR/demo_mac_timeline.py ../samples/difference_test_1.xml >demo_mac_timeline_dt1.txt
50 | test 9 == $(cat demo_mac_timeline_dt1.txt | wc -l)
51 |
52 | "$PYTHON3" $DEMO_DIR/demo_mac_timeline_iter.py ../samples/difference_test_1.xml >demo_mac_timeline_iter_dt1.txt
53 | test 9 == $(cat demo_mac_timeline_iter_dt1.txt | wc -l)
54 |
55 | "$PYTHON3" $DEMO_DIR/demo_mac_timeline_objects.py ../samples/difference_test_1.xml >demo_mac_timeline_objects_dt1.txt
56 | test 9 == $(cat demo_mac_timeline_objects_dt1.txt | wc -l)
57 |
--------------------------------------------------------------------------------
/tests/walk_to_dfxml/test_walk_to_dfxml.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | __version__ = "0.2.0"
17 |
18 | import logging
19 | import os
20 |
21 | import pytest
22 |
23 | import dfxml.objects as Objects
24 |
25 | _logger = logging.getLogger(os.path.basename(__file__))
26 |
27 |
28 | @pytest.fixture
29 | def srcdir() -> str:
30 | retval = os.path.dirname(__file__)
31 | return retval
32 |
33 |
34 | def test_walk_ignore_genprops(srcdir: str) -> None:
35 | files_encountered = 0
36 | for event, obj in Objects.iterparse(
37 | os.path.join(srcdir, "walk_ignore_genprops.dfxml")
38 | ):
39 | if not isinstance(obj, Objects.FileObject):
40 | continue
41 | files_encountered += 1
42 | for propname in ["atime", "ctime", "crtime", "gid", "inode", "mtime", "uid"]:
43 | try:
44 | assert (
45 | getattr(obj, propname) is None
46 | ), "Found property that should have been ignored."
47 | except:
48 | if propname == "mtime" and obj.name_type != "d":
49 | continue
50 | _logger.error("obj.filename = %r.", obj.filename)
51 | _logger.error("propname = %r.", propname)
52 | raise
53 | assert files_encountered > 0, "Encountered no files in walk_ignore_genprops.dfxml."
54 |
55 |
56 | def test_walk_ignore_hashes(srcdir: str) -> None:
57 | files_encountered = 0
58 | for event, obj in Objects.iterparse(
59 | os.path.join(srcdir, "walk_ignore_hashes.dfxml")
60 | ):
61 | if not isinstance(obj, Objects.FileObject):
62 | continue
63 | files_encountered += 1
64 | for propname in Objects.FileObject._hash_properties:
65 | try:
66 | assert (
67 | getattr(obj, propname) is None
68 | ), "Found hash property when none was expected."
69 | except:
70 | _logger.error("obj.filename = %r.", obj.filename)
71 | _logger.error("propname = %r.", propname)
72 | raise
73 | assert files_encountered > 0, "Encountered no files in walk_ignore_hashes.dfxml."
74 |
--------------------------------------------------------------------------------
/dfxml/bin/allocation_counter.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | """
17 | For a disk image or DFXML file, this program produces a cross-tabulation of the allocation state of each file's inode and name.
18 | """
19 |
20 | __version__ = "0.1.1"
21 | # Version 0.2.0:
22 | # * Tabular output in HTML
23 | # * Tabular output in LaTeX
24 |
25 | import collections
26 | import logging
27 | import os
28 | import sys
29 | import xml.etree.ElementTree as ET
30 |
31 | import dfxml.bin.make_differential_dfxml
32 | import dfxml.objects as Objects
33 |
34 | _logger = logging.getLogger(os.path.basename(__file__))
35 |
36 |
37 | def main():
38 | counter = collections.defaultdict(lambda: 0)
39 | prev_obj = None
40 | for event, obj in Objects.iterparse(args.input_image):
41 | if isinstance(obj, Objects.FileObject):
42 | if (
43 | args.ignore_virtual_files
44 | and dfxml.bin.make_differential_dfxml.ignorable_name(obj.filename)
45 | ):
46 | continue
47 | counter[(obj.alloc_inode, obj.alloc_name)] += 1
48 |
49 | # Inspect weird data
50 | if args.debug and obj.alloc_inode is None and obj.alloc_name is None:
51 | _logger.debug("Encountered a file with all-null allocation.")
52 | _logger.debug("Event: %r." % event)
53 | _logger.debug(
54 | "Previous object: %s." % ET.tostring(prev_obj.to_Element())
55 | )
56 | _logger.debug("Current object: %s." % ET.tostring(obj.to_Element()))
57 | prev_obj = obj
58 | print(repr(counter))
59 |
60 |
61 | if __name__ == "__main__":
62 | import argparse
63 |
64 | parser = argparse.ArgumentParser()
65 | parser.add_argument(
66 | "--ignore-virtual-files",
67 | action="store_true",
68 | help="Use the same file-ignoring rules as make_differential_dfxml.py.",
69 | )
70 | parser.add_argument(
71 | "-d", "--debug", action="store_true", help="Enable debug printing."
72 | )
73 | parser.add_argument("input_image", help="Disk image, or DFXML file.")
74 | args = parser.parse_args()
75 |
76 | logging.basicConfig(level=logging.DEBUG if args.debug else logging.INFO)
77 |
78 | main()
79 |
--------------------------------------------------------------------------------
/demos/demo_readtimes.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | """Reads an fiwalk XML file and reports how many of the files are still in the image..."""
3 |
4 | import os
5 | import sys
6 |
7 | sys.path.append(os.path.join(os.path.dirname(__file__), ".."))
8 | import time
9 |
10 | import dfxml
11 | import dfxml.fiwalk as fiwalk
12 |
13 |
14 | def calc_jumps(fis, title):
15 | print(title)
16 | print("Count: %d" % (len(fis)))
17 | from histogram import histogram
18 |
19 | h = histogram()
20 | pos = 0
21 | backwards = 0
22 | prev_frag_count = 0
23 | for fi in fis:
24 | for i in range(0, len(fi.byte_runs())):
25 | run = fi.byte_runs()[i]
26 | try:
27 | sector = run.start_sector()
28 | if sector < pos:
29 | backwards += 1
30 | h.add((prev_frag_count, i))
31 | pos = sector
32 | except AttributeError:
33 | pass
34 | pref_frag_count = len(fi.byte_runs())
35 |
36 | print("Backwards Jumps: %d" % backwards)
37 | print("Histogram of backwards:")
38 | h.print_top(10)
39 |
40 |
41 | if __name__ == "__main__":
42 | import sys
43 | from optparse import OptionParser
44 | from subprocess import PIPE, Popen
45 |
46 | global options
47 |
48 | parser = OptionParser()
49 | parser.add_option("-d", "--debug", help="prints debugging info", dest="debug")
50 | parser.add_option("-x", "--xmlfile", help="XML file (optional)")
51 | parser.add_option("-i", "--imagefile", help="image file (required)")
52 | parser.usage = "%prog [options] xmlfile diskimage"
53 | (options, args) = parser.parse_args()
54 |
55 | if not options.xmlfile or not options.imagefile:
56 | parser.print_help()
57 | sys.exit(1)
58 |
59 | # Read the redaction configuration file
60 | imagefile = open(options.imagefile, "r")
61 | if options.xmlfile:
62 | xmlfile = open(options.xmlfile, "r")
63 | else:
64 | xmlfile = None
65 |
66 | t0 = time.time()
67 | fis = fiwalk.fileobjects_using_sax(imagefile=imagefile, xmlfile=xmlfile)
68 | t1 = time.time()
69 | print("Time to read file objects: {} seconds".format(t1 - t0))
70 |
71 | # Create a new array with just those that we can read
72 | def resident_file(fi):
73 | if len(fi.byte_runs()) == 0:
74 | return False
75 | if len(fi.byte_runs()) > 2:
76 | return False
77 | if hasattr(fi.byte_runs()[0], "uncompressed_len"):
78 | return False
79 | if not hasattr(fi.byte_runs()[0], "img_offset"):
80 | return False
81 | return True
82 |
83 | fis = filter(resident_file, fis)
84 |
85 | print("Native order: ")
86 | calc_jumps(fis, "Native Order")
87 |
88 | def sort_function(a, b):
89 | a0 = a.byte_runs()[0].start_sector()
90 | b0 = b.byte_runs()[0].start_sector()
91 | if a0 < b0:
92 | return -1
93 | if a0 == b0:
94 | return 0
95 | return 1
96 |
97 | fis.sort(sort_function)
98 | calc_jumps(fis, "Sorted Order")
99 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/PartitionObject_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | __version__ = "0.1.1"
17 |
18 | import logging
19 | import os
20 | import sys
21 |
22 | import libtest
23 |
24 | import dfxml.objects as Objects
25 |
26 | _logger = logging.getLogger(os.path.basename(__file__))
27 |
28 |
29 | def test_empty_object():
30 | dobj = Objects.DFXMLObject()
31 | pobj = Objects.PartitionObject()
32 | dobj.append(pobj)
33 |
34 | # Do file I/O round trip.
35 | (tmp_filename, dobj_reconst) = libtest.file_round_trip_dfxmlobject(dobj)
36 | try:
37 | pobj_reconst = dobj_reconst.partitions[0]
38 | except:
39 | _logger.debug("tmp_filename = %r." % tmp_filename)
40 | raise
41 | os.remove(tmp_filename)
42 |
43 |
44 | def test_cfreds_macwd_properties():
45 | """
46 | These were drawn from a CFReDS sample Mac disk image.
47 | """
48 | dobj = Objects.DFXMLObject()
49 | pobj = Objects.PartitionObject()
50 | dobj.append(pobj)
51 |
52 | pobj.ptype_str = "Apple_Boot"
53 | pobj.partition_index = 8
54 |
55 | # Do file I/O round trip.
56 | (tmp_filename, dobj_reconst) = libtest.file_round_trip_dfxmlobject(dobj)
57 | try:
58 | pobj_reconst = dobj_reconst.partitions[0]
59 | assert pobj_reconst.ptype_str == "Apple_Boot"
60 | assert pobj_reconst.partition_index == "8"
61 | except:
62 | _logger.debug("tmp_filename = %r." % tmp_filename)
63 | raise
64 | os.remove(tmp_filename)
65 |
66 |
67 | def test_bsd_disklabel_properties():
68 | """
69 | These were drawn from a BSD Disk Label sample image.
70 | """
71 | dobj = Objects.DFXMLObject()
72 | pobj_a = Objects.PartitionObject()
73 | pobj_c = Objects.PartitionObject()
74 | dobj.append(pobj_a)
75 | dobj.append(pobj_c)
76 |
77 | pobj_a.partition_index = "a"
78 | pobj_c.partition_index = "c"
79 |
80 | # Do file I/O round trip.
81 | (tmp_filename, dobj_reconst) = libtest.file_round_trip_dfxmlobject(dobj)
82 | try:
83 | pobj_a_reconst = dobj_reconst.partitions[0]
84 | pobj_c_reconst = dobj_reconst.partitions[1]
85 | assert pobj_a_reconst.partition_index == "a"
86 | assert pobj_c_reconst.partition_index == "c"
87 | except:
88 | _logger.debug("tmp_filename = %r." % tmp_filename)
89 | raise
90 | os.remove(tmp_filename)
91 |
--------------------------------------------------------------------------------
/tests/misc_object_tests/Makefile:
--------------------------------------------------------------------------------
1 | #!/usr/bin/make -f
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | # Bash selection is described in the top-level Makefile.
17 | ifeq ($(shell basename $(SHELL)),sh)
18 | SHELL := $(shell which /bin/bash 2>/dev/null || which /usr/local/bin/bash)
19 | endif
20 |
21 | top_srcdir := $(shell cd ../.. ; pwd)
22 |
23 | PYTHON3 ?= python3
24 |
25 | OBJECTS := $(top_srcdir)/dfxml/objects.py
26 |
27 | SAMPLES_DIR := $(top_srcdir)/samples
28 |
29 | TOOLS_DIR := $(top_srcdir)/dfxml/bin
30 |
31 | all: \
32 | check
33 |
34 | .PHONY: \
35 | check-diff_file_ignore-py3 \
36 | check-versioned
37 |
38 | check: \
39 | check-diff_file_ignore-py3 \
40 | check-libraries-py3 \
41 | check-versioned
42 | source $(top_srcdir)/tests/venv/bin/activate \
43 | && $(PYTHON3) "$(TOOLS_DIR)/cat_partitions.py" \
44 | 12345678:$(SAMPLES_DIR)/difference_test_0.xml \
45 | 87654321:$(SAMPLES_DIR)/difference_test_1.xml \
46 | > __cat_patterns_test.sh.dfxml
47 | xmllint \
48 | --format \
49 | __cat_patterns_test.sh.dfxml \
50 | > _cat_patterns_test.sh.dfxml
51 | rm \
52 | __cat_patterns_test.sh.dfxml
53 | mv \
54 | _cat_patterns_test.sh.dfxml \
55 | cat_patterns_test.sh.dfxml
56 |
57 | check-diff_file_ignore-py3: \
58 | diff_file_ignore_sample-py3.dfxml \
59 | diff_file_ignore_test.py
60 | source $(top_srcdir)/tests/venv/bin/activate \
61 | && $(PYTHON3) diff_file_ignore_test.py --debug diff_file_ignore_sample-py3.dfxml
62 |
63 | check-libraries-py3:
64 | source $(top_srcdir)/tests/venv/bin/activate \
65 | && $(PYTHON3) LibraryObject_write_test.py LibraryObject_py3_test.dfxml
66 | source $(top_srcdir)/tests/venv/bin/activate \
67 | && $(PYTHON3) LibraryObject_read_test.py LibraryObject_py3_test.dfxml
68 |
69 | check-versioned:
70 | $(PYTHON3) $(OBJECTS)
71 | source $(top_srcdir)/tests/venv/bin/activate \
72 | && $(PYTHON3) DFXMLObject_program_test.py \
73 | $(SAMPLES_DIR)/difference_test_0.xml \
74 | vi \
75 | 8.0
76 |
77 | clean:
78 | rm -f difference_counts_test.py-d*
79 | rm -f cat_partitions_test.sh.dfxml
80 | rm -f diff_file_ignore_sample-py3.dfxml
81 | rm -f LibraryObject_py3_test.dfxml
82 | rm -f *~
83 |
84 |
85 | diff_file_ignore_sample-py3.dfxml: \
86 | $(OBJECTS) \
87 | diff_file_ignore_sample_dfxml_test.py
88 | rm -f _$@
89 | source $(top_srcdir)/tests/venv/bin/activate \
90 | && $(PYTHON3) diff_file_ignore_sample_dfxml_test.py --debug _$@
91 | mv _$@ $@
92 |
--------------------------------------------------------------------------------
/samples/simple.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
7 | Hash List
8 |
9 |
10 | MD5DEEP
11 | 4.0.0_beta2-002
12 |
13 | GCC 4.2
14 |
15 |
16 | Darwin
17 | 11.3.0
18 | Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64
19 | Mucha.local
20 | x86_64
21 | md5deep -dp512 /Users/simsong/uploads/einstein template.jpg /Users/simsong/uploads/image1.jpg /Users/simsong/uploads/image2.jpg /Users/simsong/uploads/image3.jpg
22 | 502
23 | 2012-02-23T16:35:11Z
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 | /Users/simsong/uploads/image2.jpg
37 | 12833
38 | 2012-02-22T03:53:05Z
39 | 2012-02-22T03:53:05Z
40 | 2012-02-23T16:34:27Z
41 | d7ced55e7d7f5b9995fc3cbac7942155
42 |
43 |
44 | /Users/simsong/uploads/image1.jpg
45 | 12551
46 | 2012-02-22T03:53:54Z
47 | 2012-02-22T03:53:54Z
48 | 2012-02-23T16:34:27Z
49 | 3bb144b5abc65312099f79caa69ff94f
50 |
51 |
52 | /Users/simsong/uploads/image3.jpg
53 | 12545
54 | 2012-02-22T03:55:38Z
55 | 2012-02-22T03:55:38Z
56 | 2012-02-23T16:34:27Z
57 | 6377d89ab3165a3fe24b390b513f47d7
58 |
59 |
60 | /Users/simsong/uploads/einstein template.jpg
61 | 43819
62 | 2012-02-22T03:54:19Z
63 | 2012-02-22T03:54:19Z
64 | 2012-02-23T16:34:27Z
65 | 702da00183448a42f5a861c95973f4f3
66 |
67 |
68 | 0.008982
69 | 0.003041
70 | 1069056
71 | 391
72 | 0
73 | 0
74 | 0
75 | 0
76 | 0.006578
77 |
78 |
79 |
--------------------------------------------------------------------------------
/dfxml/bin/cat_fileobjects.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | """
17 | Make a new DFXML file of all fileobjects in an input DFXML file.
18 | """
19 |
20 | __version__ = "0.4.0"
21 |
22 | import logging
23 | import os
24 | import sys
25 | import xml.etree.ElementTree as ET
26 |
27 | import dfxml
28 |
29 | _logger = logging.getLogger(os.path.basename(__file__))
30 |
31 | if sys.version < "3":
32 | _logger.error(
33 | "Due to Unicode issues with Python 2's ElementTree, Python 3 and up is required.\n"
34 | )
35 | exit(1)
36 |
37 |
38 | def main():
39 | print(
40 | """\
41 |
42 |
46 |
47 |
48 | %s
49 | %s
50 |
51 | %s
52 |
53 |
54 |
55 | %s
56 | \
57 | """
58 | % (
59 | dfxml.XMLNS_DFXML,
60 | dfxml.XMLNS_DELTA,
61 | dfxml.DFXML_VERSION,
62 | sys.argv[0],
63 | __version__,
64 | " ".join(sys.argv),
65 | args.filename,
66 | )
67 | )
68 |
69 | ET.register_namespace("delta", dfxml.XMLNS_DELTA)
70 |
71 | xs = []
72 | for fi in dfxml.iter_dfxml(
73 | xmlfile=open(args.filename, "rb"), preserve_elements=True
74 | ):
75 | _logger.debug("Processing: %s" % str(fi))
76 | if args.cache:
77 | xs.append(fi.xml_element)
78 | else:
79 | _logger.debug("Printing without cache: %s" % str(fi))
80 | print(dfxml.ET_tostring(fi.xml_element, encoding="unicode"))
81 | if args.cache:
82 | for x in xs:
83 | _logger.debug("Printing with cache: %s" % str(fi))
84 | print(dfxml.ET_tostring(x, encoding="unicode"))
85 |
86 | print("""""")
87 |
88 |
89 | if __name__ == "__main__":
90 | import argparse
91 |
92 | parser = argparse.ArgumentParser()
93 | parser.add_argument("filename")
94 | parser.add_argument("--cache", action="store_true")
95 | parser.add_argument("--debug", action="store_true")
96 | args = parser.parse_args()
97 |
98 | logging.basicConfig(level=logging.DEBUG if args.debug else logging.INFO)
99 |
100 | main()
101 |
--------------------------------------------------------------------------------
/dfxml/bin/tcpdiff.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # This software was developed in whole or in part by employees of the
4 | # Federal Government in the course of their official duties, and with
5 | # other Federal assistance. Pursuant to title 17 Section 105 of the
6 | # United States Code portions of this software authored by Federal
7 | # employees are not subject to copyright protection within the United
8 | # States. For portions not authored by Federal employees, the Federal
9 | # Government has been granted unlimited rights, and no claim to
10 | # copyright is made. The Federal Government assumes no responsibility
11 | # whatsoever for its use by other parties, and makes no guarantees,
12 | # expressed or implied, about its quality, reliability, or any other
13 | # characteristic.
14 | #
15 | # We would appreciate acknowledgement if the software is used.
16 |
17 | """tcpdiff.py
18 |
19 | Generates a report about what's different between two tcp DFXML files
20 | produced by tcpflow.
21 |
22 | Process:
23 |
24 | """
25 |
26 | import sys
27 | import time
28 |
29 | if sys.version_info < (3, 1):
30 | raise RuntimeError("rdifference.py requires Python 3.1 or above")
31 |
32 | import dfxml
33 | import dfxml.dfxml_html as dfxml_html
34 | import dfxml.fiwalk as fiwalk
35 |
36 |
37 | def ptime(t):
38 | """Print the time in the requested format. T is a dfxml time value"""
39 | global options
40 | if t is None:
41 | return None
42 | elif options.timestamp:
43 | return str(t.timestamp())
44 | else:
45 | return str(t.iso8601())
46 |
47 |
48 | def dprint(x):
49 | "Debug print"
50 | global options
51 | if options.debug:
52 | print(x)
53 |
54 |
55 | #
56 | # This program keeps track of the current and previous TCP connections in a single
57 | # object called "FlowState". Another way to do that would have been to have
58 | # the instance built from the XML file and then have another function that compares
59 | # them.
60 | #
61 |
62 |
63 | class FlowState:
64 | def __init__(self, fname):
65 | self.options = options
66 | self.connections = set()
67 | self.process(fname)
68 |
69 | def process(self, fname):
70 | self.fname = fname
71 | dfxml.read_dfxml(xmlfile=open(fname, "rb"), callback=self.process_fi)
72 |
73 | def process_fi(self, fi):
74 | self.connections.add(fi)
75 |
76 | def report(self):
77 | dfxml_html.header()
78 | dfxml_html.h1("DFXML file:" + self.current_fname)
79 | dfxml_html.table(["Total Connections", str(len(self.connections))])
80 |
81 |
82 | if __name__ == "__main__":
83 | from copy import deepcopy
84 | from optparse import OptionParser
85 |
86 | global options
87 |
88 | parser = OptionParser()
89 | parser.usage = "%prog [options] file1 file2 (files MUST be tcpflow DFXML files)"
90 | parser.add_option("-d", "--debug", help="debug", action="store_true")
91 |
92 | (options, args) = parser.parse_args()
93 |
94 | if len(args) != 2:
95 | parser.print_help()
96 | sys.exit(1)
97 |
98 | a = FlowState(fname=args[0])
99 | a.report()
100 |
101 | b = FlowState(fname=args[1])
102 | b.report()
103 |
104 | print("Difference:")
105 |
--------------------------------------------------------------------------------
/tests/Makefile:
--------------------------------------------------------------------------------
1 | #!/usr/bin/make -f
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology by employees of the Federal Government in the course
5 | # of their official duties. Pursuant to title 17 Section 105 of the
6 | # United States Code this software is not subject to copyright
7 | # protection and is in the public domain. NIST assumes no
8 | # responsibility whatsoever for its use by other parties, and makes
9 | # no guarantees, expressed or implied, about its quality,
10 | # reliability, or any other characteristic.
11 | #
12 | # We would appreciate acknowledgement if the software is used.
13 |
14 | # Bash selection is described in the top-level Makefile.
15 | ifeq ($(shell basename $(SHELL)),sh)
16 | SHELL := $(shell which /bin/bash 2>/dev/null || which /usr/local/bin/bash)
17 | endif
18 |
19 | top_srcdir := $(shell cd .. ; pwd)
20 |
21 | PYTHON3 ?= python3
22 | ifeq ($(PYTHON3),)
23 | $(error python3 not found)
24 | endif
25 |
26 | all: \
27 | all-make_differential_dfxml \
28 | all-walk_to_dfxml
29 |
30 | .PHONY: \
31 | all-make_differential_dfxml \
32 | all-walk_to_dfxml \
33 | check-mypy \
34 | check-mypy-stricter
35 |
36 | all-make_differential_dfxml: \
37 | .venv.done.log
38 | $(MAKE) \
39 | --directory make_differential_dfxml
40 |
41 | all-walk_to_dfxml: \
42 | .venv.done.log
43 | $(MAKE) \
44 | --directory walk_to_dfxml
45 |
46 | .venv.done.log: \
47 | $(top_srcdir)/setup.cfg \
48 | $(top_srcdir)/setup.py \
49 | requirements.txt
50 | rm -rf venv
51 | $(PYTHON3) -m venv \
52 | venv
53 | source venv/bin/activate \
54 | && pip install \
55 | --upgrade \
56 | pip \
57 | setuptools
58 | source venv/bin/activate \
59 | && cd $(top_srcdir) \
60 | && pip install \
61 | --editable \
62 | .
63 | source venv/bin/activate \
64 | && pip install \
65 | --requirement requirements.txt
66 | touch $@
67 |
68 | check: \
69 | all-make_differential_dfxml \
70 | all-walk_to_dfxml \
71 | check-mypy
72 | source venv/bin/activate \
73 | && pytest \
74 | --log-level=DEBUG
75 |
76 | #TODO - Type-checking would best be done against all of ../dfxml, when someone finds some time to do so.
77 | check-mypy: \
78 | check-mypy-stricter
79 | source venv/bin/activate \
80 | && mypy \
81 | ../dfxml/bin/idifference.py \
82 | ../dfxml/bin/summarize_differential_dfxml.py \
83 | ../dfxml/__init__.py \
84 | ../dfxml/fiwalk.py \
85 | ../dfxml/objects.py \
86 | misc_bin_tests \
87 | misc_object_tests
88 | @echo "INFO:tests/Makefile:mypy is currently run against a subset of the dfxml directory." >&2
89 |
90 | #TODO - Strict type-checking is another long-term goal, likewise eventually done against all of ../dfxml.
91 | check-mypy-stricter: \
92 | .venv.done.log
93 | source venv/bin/activate \
94 | && mypy \
95 | ../demos/demo_fiwalk_diskimage.py \
96 | ../dfxml/bin/idifference2.py \
97 | ../dfxml/bin/make_differential_dfxml.py \
98 | ../dfxml/bin/walk_to_dfxml.py \
99 | make_differential_dfxml \
100 | walk_to_dfxml \
101 | *.py
102 |
103 | clean:
104 | @$(MAKE) \
105 | --directory misc_object_tests \
106 | clean
107 | @$(MAKE) \
108 | --directory make_differential_dfxml \
109 | clean
110 | @$(MAKE) \
111 | --directory walk_to_dfxml \
112 | clean
113 | @rm -f \
114 | .venv.done.log
115 | @rm -rf \
116 | venv
117 |
--------------------------------------------------------------------------------
/dfxml/bin/report_silent_changes.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # This software was developed at the National Institute of Standards
4 | # and Technology in whole or in part by employees of the Federal
5 | # Government in the course of their official duties. Pursuant to
6 | # title 17 Section 105 of the United States Code portions of this
7 | # software authored by NIST employees are not subject to copyright
8 | # protection and are in the public domain. For portions not authored
9 | # by NIST employees, NIST has been granted unlimited rights. NIST
10 | # assumes no responsibility whatsoever for its use by other parties,
11 | # and makes no guarantees, expressed or implied, about its quality,
12 | # reliability, or any other characteristic.
13 | #
14 | # We would appreciate acknowledgement if the software is used.
15 |
16 | """
17 | This program takes a differentially-annotated DFXML file as input, and outputs a DFXML document that contains 'Silent' changes. For instance, a changed checksum with no changed timestamps would be 'Silent.'
18 | """
19 |
20 | __version__ = "0.2.2"
21 |
22 | import logging
23 | import os
24 | import sys
25 |
26 | _logger = logging.getLogger(os.path.basename(__file__))
27 |
28 | import make_differential_dfxml
29 |
30 | import dfxml.objects as Objects
31 |
32 |
33 | def main():
34 | d = Objects.DFXMLObject("1.2.0")
35 | d.program = sys.argv[0]
36 | d.program_version = __version__
37 | d.command_line = " ".join(sys.argv)
38 | d.dc["type"] = "File system silent-change report"
39 | d.add_creator_library(
40 | "Python", ".".join(map(str, sys.version_info[0:3]))
41 | ) # A bit of a bend, but gets the major version information out.
42 | d.add_creator_library("Objects.py", Objects.__version__)
43 | d.add_creator_library("dfxml.py", Objects.dfxml.__version__)
44 |
45 | current_appender = d
46 | tally = 0
47 | for event, obj in Objects.iterparse(args.infile):
48 | if event == "start":
49 | # Inherit namespaces
50 | if isinstance(obj, Objects.DFXMLObject):
51 | for prefix, url in obj.iter_namespaces():
52 | d.add_namespace(prefix, url)
53 | # Group files by volume
54 | elif isinstance(obj, Objects.VolumeObject):
55 | d.append(obj)
56 | current_appender = obj
57 | elif event == "end":
58 | if isinstance(obj, Objects.VolumeObject):
59 | current_appender = d
60 | elif isinstance(obj, Objects.FileObject):
61 | if "_changed" not in obj.diffs:
62 | if "_modified" in obj.diffs or "_renamed" in obj.diffs:
63 | current_appender.append(obj)
64 | tally += 1
65 | print(d.to_dfxml())
66 | _logger.info("Found %d suspiciously-changed files." % tally)
67 |
68 |
69 | if __name__ == "__main__":
70 | import argparse
71 |
72 | parser = argparse.ArgumentParser()
73 | parser.add_argument("-d", "--debug", action="store_true")
74 | parser.add_argument("infile")
75 | args = parser.parse_args()
76 |
77 | logging.basicConfig(level=logging.DEBUG if args.debug else logging.INFO)
78 |
79 | if not args.infile.endswith("xml"):
80 | raise Exception(
81 | "Input file should be a DFXML file, and should end with 'xml': %r."
82 | % args.infile
83 | )
84 |
85 | if not os.path.exists(args.infile):
86 | raise Exception("Input file does not exist: %r." % args.infile)
87 |
88 | main()
89 |
--------------------------------------------------------------------------------
/dfxml/dfxml_html.py:
--------------------------------------------------------------------------------
1 | # This software was developed in whole or in part by employees of the
2 | # Federal Government in the course of their official duties, and with
3 | # other Federal assistance. Pursuant to title 17 Section 105 of the
4 | # United States Code portions of this software authored by Federal
5 | # employees are not subject to copyright protection within the United
6 | # States. For portions not authored by Federal employees, the Federal
7 | # Government has been granted unlimited rights, and no claim to
8 | # copyright is made. The Federal Government assumes no responsibility
9 | # whatsoever for its use by other parties, and makes no guarantees,
10 | # expressed or implied, about its quality, reliability, or any other
11 | # characteristic.
12 | #
13 | # We would appreciate acknowledgement if the software is used.
14 |
15 | # dfxml_html.py:
16 | # A collection of functions for generating HTML
17 |
18 | html = False
19 |
20 |
21 | def header():
22 | if html:
23 | print(
24 | """
25 |
26 |
27 |
32 | """
33 | )
34 |
35 |
36 | def h1(title):
37 | global options
38 | if html:
39 | print("%s
" % title)
40 | return
41 | print("\n\n%s\n" % title)
42 |
43 |
44 | def h2(title):
45 | global options
46 | if html:
47 | print("%s
" % title)
48 | return
49 | print("\n%s\n" % title)
50 |
51 |
52 | def table(rows, styles=None, break_on_change=False):
53 | import sys
54 |
55 | global options
56 |
57 | def alldigits(x):
58 | if type(x) != str and type(x) != unicode:
59 | return False
60 | for ch in x:
61 | if ch.isdigit() == False:
62 | return False
63 | return True
64 |
65 | def fmt(x):
66 | if x == None:
67 | return ""
68 | if type(x) == int:
69 | return "%12d" % x
70 | if alldigits(x):
71 | return "%12d" % int(x)
72 | if type(x) == unicode:
73 | return x
74 | return unicode(x)
75 |
76 | if html:
77 | print("")
78 | for row in rows:
79 | print("")
80 | if not styles:
81 | styles = [""] * len(rows)
82 | for col, style in zip(row, styles):
83 | sys.stdout.write("| %s | " % (style, col))
84 | print("
")
85 | print("
")
86 | return
87 | lastRowCol0 = None
88 | for row in rows:
89 | if row[0] != lastRowCol0:
90 | sys.stdout.write("\n")
91 | lastRowCol0 = row[0]
92 | try:
93 | line = "\t".join([fmt(col) for col in row])
94 | sys.stdout.write(line)
95 | sys.stdout.write("\n")
96 | except UnicodeEncodeError:
97 | # Fall back to manual join
98 | for col in row:
99 | for ch in fmt(col):
100 | try:
101 | sys.stdout.write(ch)
102 | except UnicodeEncodeError:
103 | sys.stdout.write("?")
104 | sys.stdout.write("\t")
105 | print("(UNICODE ERROR)")
106 |
--------------------------------------------------------------------------------
/demos/vmstats/vmstats_json.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | History for my host
5 |
6 |
7 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | | [PREV] |
23 | [NEXT] |
24 |
25 |
26 |
28 |
Stats
29 |
30 | | Host: | |
|---|
31 | | Time: | |
|---|
32 | | CPU Utilization: | |
|---|
33 | | Mem Utilization: | |
|---|
34 | | Page: | 1 |
|---|
35 |
36 |
38 |
Processes
39 |
40 |
41 | | | CPU Time | |
|---|
42 |
43 | | PID | NAME | User |
44 | System | RSS |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |