最近研究了一下 TrueCrypt，发现大多数自动化取证工具都不会去识别 TrueCrypt 容器文件，原因有二：1、TrueCrypt 生成的容器没有固定的文件头——卷头本身就是加密的，与随机数据无法区分，因此没有可供匹配的魔数；2、TrueCrypt 已经基本退出历史舞台。但在比赛甚至现实案例中仍然会不时遇到 TrueCrypt，因此决定自己造个轮子。
# -*- coding:utf-8 -*-
#__author__='berTrAM'
import os
import struct
import sys
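def typeList():
    """Return the magic-number table used by :func:`filetype`.

    Keys are upper-case hex strings of a file's leading bytes (always a whole
    number of bytes, i.e. an even number of hex digits); values are the short
    type name reported for that prefix.  The table is deliberately small:
    anything not listed is reported as 'unknown', which is exactly what the
    TrueCrypt hunt keys on, so every magic added here removes false
    positives from that scan.  Note that 'D0CF11E0' is the generic OLE
    compound-document header, so .doc/.ppt files are labelled 'xls' too.
    """
    return {
        "52617221": 'rar',
        "504B0304": 'zip',
        'FFD8FF': 'jpeg',
        '89504E47': 'png',
        '47494638': 'gif',
        '49492A00': 'tiff',
        '38425053': 'psd',
        '7B5C727466': 'rtf',
        '3C3F786D6C': 'xml',
        '68746D6C3E': 'html',
        '44656C69766572792D646174653A': 'eml',
        'CFAD12FEC5FD746F': 'dbx',
        '2142444E': 'pst',
        'D0CF11E0': 'xls',
        '5374616E64617264204A': 'mdb',
        'FF575043': 'wpd',
        '255044462D312E': 'pdf',
        'E3828596': 'pwl',
        '57415645': 'wav',
        '41564920': 'avi',
    }


def bytes2hex(bytes):
    """Render a sequence of byte values (0-255) as an upper-case hex string.

    Each value is zero-padded to two digits, so (0, 255) -> '00FF' and an
    empty sequence -> ''.  The parameter name shadows the builtin ``bytes``;
    it is kept unchanged so existing callers keep working.
    """
    return u"".join(u"%02X" % value for value in bytes)


def filetype(filename):
    """Classify *filename* by its leading bytes.

    Returns the type name from :func:`typeList` whose magic is a prefix of
    the file, or 'unknown' when nothing matches -- including when the file is
    empty or shorter than every magic (the original raised struct.error
    there).  The file is opened read-only in binary mode and is closed even
    if the read raises; IOError/OSError from open() propagate to the caller.
    """
    table = typeList()
    # Longest magic in the table, in bytes; a single read covers every
    # candidate instead of re-seeking once per table entry.
    longest = max(len(hcode) for hcode in table) // 2
    with open(filename, 'rb') as binfile:
        header = binfile.read(longest)
    # bytearray iterates as ints under both Python 2 and Python 3, so the
    # hex rendering does not depend on str/bytes semantics.
    f_hcode = bytes2hex(bytearray(header))
    for hcode in table:
        # Keys are whole bytes, so a string prefix test is a byte prefix test.
        if f_hcode.startswith(hcode):
            return table[hcode]
    return 'unknown'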
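# Hunt for TrueCrypt-style containers.  The volume header is encrypted, so
# there is no magic number to match; the only cheap structural tell is that
# TrueCrypt volumes are whole multiples of 512 bytes.  The scan therefore
# prints every such file and flags ('yeah') the ones matching none of the
# magics in typeList().  Expect false positives -- any unrecognised file
# with a 512-aligned size qualifies, so results still need manual review.
# NOTE(review): a byte-entropy test on the candidates (an encrypted volume
# is indistinguishable from random, close to 8 bits/byte) is the usual next
# filter; it is deliberately not added here so output stays comparable.
# Default root is the original 'l:\'; pass a different root as argv[1].
path = sys.argv[1] if len(sys.argv) > 1 else 'l:\\'
for dirpath, dirnames, filenames in os.walk(path):
    for name in filenames:
        fullpath = os.path.join(dirpath, name)
        if not os.path.isfile(fullpath):
            continue
        # Entries can vanish or be unreadable between listing and stat();
        # report and move on instead of aborting the whole walk.
        try:
            size = os.path.getsize(fullpath)
        except OSError as exc:
            print("=======Pass======= %s (%s)" % (fullpath, exc))
            continue
        # 0 is trivially a multiple of 512 but an empty file is not a volume.
        if size == 0 or size % 512:
            continue
        print(fullpath)
        try:
            # filetype() returns the string 'unknown', never None; comparing
            # against None meant the flag could never fire.
            if filetype(fullpath) == 'unknown':
                print('yeah')
        except (IOError, OSError) as exc:
            # Permission/IO problems are reported with the path and reason
            # rather than swallowed by a bare except.
            print("=======Pass======= %s (%s)" % (fullpath, exc))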
最终仍然需要人工复核：脚本只是把“大小为 512 的整数倍且不匹配任何已知文件头”的文件筛出来，精度取决于文件头字典的大小（字典越小误报越多），它只是为了加速一部分手工流程而已。若要进一步压低误报，可以再对候选文件做字节熵检测——加密容器与随机数据无法区分，熵接近 8 bit/byte。