Matteo Cafasso
2016-Mar-16 21:09 UTC
[Libguestfs] [PATCH 0/2] blkls API to extract unallocated blocks
The blkls API downloads to the host a range of unallocated blocks from the virtual disk image. This allows recovering deleted data on filesystems where icat fails. Example: guestfish --ro -a /home/noxdafox/ubuntu.qcow2><fs> run ><fs> mount /dev/sda1 / ><fs> write /test.txt "$foo$bar$" ><fs> rm /test.txt ><fs> umount / ><fs> blkls /dev/sda1 0 8192 blocks.bin$ strings -t d blocks.bin 516096 $foo$bar$ A more complete example can be found here: http://wiki.sleuthkit.org/index.php?title=FS_Analysis Matteo Cafasso (2): added blkls API added blkls API tests daemon/tsk.c | 27 +++++++++++++++++++++++ generator/actions.ml | 19 ++++++++++++++++ src/MAX_PROC_NR | 2 +- tests/tsk/Makefile.am | 3 ++- tests/tsk/test-blkls.sh | 58 +++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 107 insertions(+), 2 deletions(-) create mode 100755 tests/tsk/test-blkls.sh -- 2.7.0
Signed-off-by: Matteo Cafasso <noxdafox@gmail.com>
---
daemon/tsk.c | 27 +++++++++++++++++++++++++++
generator/actions.ml | 19 +++++++++++++++++++
src/MAX_PROC_NR | 2 +-
3 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/daemon/tsk.c b/daemon/tsk.c
index 5b55739..a00f3ee 100644
--- a/daemon/tsk.c
+++ b/daemon/tsk.c
@@ -86,6 +86,33 @@ do_blkcat (const mountable_t *mountable, int64_t start,
int64_t number)
return file_out (cmd);
}
+int
+do_blkls (const mountable_t *mountable, int64_t start, int64_t stop)
+{
+ CLEANUP_FREE char *cmd = NULL;
+
+ /* Data unit address start must be greater than 0 */
+ if (start < 0) {
+ reply_with_error ("data unit starting address must be >= 0");
+ return -1;
+ }
+
+ /* Data unit address end must be greater than start */
+ if (stop <= start) {
+ reply_with_error ("data unit stopping address must be > starting
one");
+ return -1;
+ }
+
+ /* Construct the command. */
+ if (asprintf (&cmd, "blkls %s %" PRIi64 "-%" PRIi64,
+ mountable->device, start, stop) == -1) {
+ reply_with_perror ("asprintf");
+ return -1;
+ }
+
+ return file_out (cmd);
+}
+
static int
file_out (const char *cmd)
{
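Review bot: The comment above the first range check, `/* Data unit address start must be greater than 0 */`, contradicts both the check, which accepts 0 and rejects only negative values, and the error text `>= 0`; make it `/* Data unit address start must be >= 0 */`. The second check refuses `stop == start`; if the `start-stop` range handed to blkls is inclusive, a one-unit request is rejected here, so either relax it to `if (stop < start)` or state in the comment that a single data unit is deliberately not allowed. The command line is assembled with `mountable->device` interpolated unquoted and passed to file_out, whose body lies outside the hunk; if file_out hands that string to a shell, correctness rests on the device having been resolved by the generated caller rather than taken from the API argument verbatim, and that assumption deserves a one-line comment at the asprintf call.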
diff --git a/generator/actions.ml b/generator/actions.ml
index 0fabed6..8ecdace 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -12976,6 +12976,25 @@ while on ExtX ones they are referred as fragments.
This command allows to download unallocated sectors of the disk." };
+ { defaults with
+ name = "blkls"; added = (1, 33, 14);
+ style = RErr, [Mountable "device"; Int64 "start"; Int64
"stop"; FileOut "filename"], [];
+ proc_nr = Some 466;
+ optional = Some "sleuthkit";
+ progress = true; cancellable = true;
+ shortdesc = "download the unallocated data units from the disk";
+ longdesc = "\
+Download the unallocated data units from F<start> address
+to F<stop> from the disk partition (eg. F</dev/sda1>)
+and save them as F<filename> on the local machine.
+
+The use of this API on sparse disk image formats might results
+in long zero-filled strings downloaded on the host.
+
+The size of a data unit varies across filesystem implementations.
+On NTFS filesystems data units are referred as clusters
+while on ExtX ones they are referred as fragments." };
+
]
(* Non-API meta-commands available only in guestfish.
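Review bot: The longdesc does not state the constraints the daemon enforces on the range — start must be 0 or greater and stop must be greater than start — nor whether the stop address is inclusive, so a caller cannot tell what an error return means without reading daemon/tsk.c; add a sentence such as `C<start> must be 0 or greater and C<stop> must be greater than C<start>.` Two wording fixes in the same string: `might results in` should read `might result in`, and `(eg. F</dev/sda1>)` should read `(e.g. F</dev/sda1>)`. The entry's proc_nr 466 is consistent with the bumped src/MAX_PROC_NR.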
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index 073c57b..f27d46f 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-465
+466
--
2.7.0
Signed-off-by: Matteo Cafasso <noxdafox@gmail.com>
---
 tests/tsk/Makefile.am | 3 ++-
 tests/tsk/test-blkls.sh | 58 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100755 tests/tsk/test-blkls.sh
diff --git a/tests/tsk/Makefile.am b/tests/tsk/Makefile.am
index 37fc13c..80e8793 100644
--- a/tests/tsk/Makefile.am
+++ b/tests/tsk/Makefile.am
@@ -19,7 +19,8 @@ include $(top_srcdir)/subdir-rules.mk
 TESTS = \
 test-icat.sh \
- test-blkcat.sh
+ test-blkcat.sh \
+ test-blkls.sh
 TESTS_ENVIRONMENT = $(top_builddir)/run --test
diff --git a/tests/tsk/test-blkls.sh b/tests/tsk/test-blkls.sh
new file mode 100755
index 0000000..7745922
--- /dev/null
+++ b/tests/tsk/test-blkls.sh
@@ -0,0 +1,58 @@
+#!/bin/bash -
+# libguestfs
+# Copyright (C) 2016 Red Hat Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# Test the blkls command.
+
+set -e
+
+if [ -n "$SKIP_TEST_BLKLS_SH" ]; then
+ echo "$0: test skipped because environment variable is set."
+ exit 77
+fi
+
+rm -f test-blkls.bin
+
+# Skip if TSK is not supported by the appliance.
+if ! guestfish add /dev/null : run : available "sleuthkit"; then
+ echo "$0: skipped because TSK is not available in the appliance"
+ exit 77
+fi
+
+if [ ! -s ../../test-data/phony-guests/blank-fs.img ]; then
+ echo "$0: skipped because blank-fs.img is zero-sized"
+ exit 77
+fi
+
+# download Master File Table ($MFT).
+guestfish --ro -a ../../test-data/phony-guests/blank-fs.img <<EOF
+run
+mount /dev/sda1 /
+write /test.txt "$foo$bar$"
+rm /test.txt
+umount /
+blkls /dev/sda1 0 8192 test-blkls.bin
+EOF
+
+# test extracted data contains $foo$bar$ string
+grep -q "$foo$bar$" test-blkls.bin
+if [ $? neq 0 ]; then
+ echo "$0: deleted data not found."
+ exit 1
+fi
+
+rm -f test-blkls.bin
--
2.7.0
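Review bot: The final assertion of the new test cannot fail on a non-empty output file: in `grep -q "$foo$bar$" test-blkls.bin` the double quotes let the shell expand the unset `$foo` and `$bar` to nothing, so the pattern collapses to `$`, which matches every line. The same expansion happens inside the unquoted `<<EOF` heredoc, so the guest file is written containing only `$` rather than the marker the comment describes, and `[ $? neq 0 ]` is not a valid test (the operator is `-ne`), so that branch never runs; with `set -e` the script still exits non-zero if grep fails, but through the wrong path and without its message. Quote the heredoc delimiter, match the marker as a fixed string, and test grep's status directly, as below, assuming guestfish passes the quoted argument through literally as the cover letter's interactive session suggests. The comment `# download Master File Table ($MFT).` looks copied from the icat test and should describe this step, e.g. `# write a file, delete it, then extract the unallocated data units.`
```shell
# … unchanged: skip checks …
# write a file, delete it, then extract the unallocated data units.
guestfish --ro -a ../../test-data/phony-guests/blank-fs.img <<'EOF'
# … unchanged: guestfish commands up to and including the EOF terminator …

# test extracted data contains the literal $foo$bar$ marker
if ! grep -qF '$foo$bar$' test-blkls.bin; then
    echo "$0: deleted data not found."
    exit 1
fi
# … unchanged: cleanup …
```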