用Python更快发现Truecrypt加密文件

最近搞了下 TrueCrypt，发现大多数自动化取证工具没有对 TrueCrypt 文件的发现功能，原因有二：1、TrueCrypt 生成的容器文件没有固定的文件头（魔数），无法像普通文件那样靠签名识别；2、TrueCrypt 已经基本上退出历史舞台。但是很多时候还是会发现 TrueCrypt 在比赛中甚至现实案例中出现，因此决定造个轮子。

# -*- coding:utf-8 -*-
#__author__='berTrAM'
import os
import struct
import sys

def typeList():
    """Return the magic-number table used by filetype().

    Keys are the upper-case hex spelling of a file's leading bytes, values are
    the type label to report.  Keys have differing lengths, so each one is
    only ever compared against exactly that many leading bytes.
    NOTE(review): a magic number may be shared by several formats (e.g. the
    'D0CF11E0' OLE header is labelled 'xls' here but is not specific to it);
    labels are indicative, not authoritative.
    """
    signatures = (
        ("52617221", 'rar'),
        ("504B0304", 'zip'),
        ('FFD8FF', 'jpeg'),
        ('89504E47', 'png'),
        ('47494638', 'gif'),
        ('49492A00', 'tiff'),
        ('38425053', 'psd'),
        ('7B5C727466', 'rtf'),
        ('3C3F786D6C', 'xml'),
        ('68746D6C3E', 'html'),
        ('44656C69766572792D646174653A', 'eml'),
        ('CFAD12FEC5FD746F', 'dbx'),
        ('2142444E', 'pst'),
        ('D0CF11E0', 'xls'),
        ('5374616E64617264204A', 'mdb'),
        ('FF575043', 'wpd'),
        ('255044462D312E', 'pdf'),
        ('E3828596', 'pwl'),
        ('57415645', 'wav'),
        ('41564920', 'avi'),
    )
    return dict(signatures)
  

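def bytes2hex(bytes):
    """Render a sequence of byte values as an upper-case hex string.

    Args:
        bytes: any iterable of ints -- the tuple struct.unpack() returns, a
            bytes/bytearray object, a list.  Values are expected to be 0..255
            (each then renders as exactly two hex digits).

    Returns:
        A text string such as "52617221" for (0x52, 0x61, 0x72, 0x21); an
        empty input gives "".
    """
    parts = []
    # Iterate the values directly instead of indexing by position, so any
    # iterable works, and join once instead of growing a string in a loop.
    for value in bytes:
        digits = "%X" % value
        # Same even-width padding as before: 0x5 renders as "05".
        if len(digits) % 2:
            digits = "0" + digits
        parts.append(digits)
    return u"".join(parts)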


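def filetype(filename, signatures=None):
    """Identify *filename* by its leading bytes.

    Args:
        filename: path of the file to inspect; opened read-only in binary mode.
        signatures: optional mapping of upper-case hex prefix -> type label.
            Defaults to typeList().  Supplying it lets callers extend the
            table without editing this module and makes the function testable.

    Returns:
        The label of the first signature that is a prefix of the file, or
        'unknown' when none matches.  A file shorter than a signature (or
        empty) simply does not match it; it no longer raises struct.error.

    Raises:
        IOError/OSError if the file cannot be opened or read.
    """
    if signatures is None:
        signatures = typeList()
    if not signatures:
        return 'unknown'
    # Read the longest prefix once instead of re-seeking per signature.
    # '//' keeps this an int on Python 3 ('/' gave a float, which broke
    # the old "B" * n format string).
    longest = max(len(hcode) for hcode in signatures) // 2
    # 'with' closes the handle even if read() raises.
    with open(filename, 'rb') as binfile:
        head = binfile.read(longest)
    # bytearray() yields ints on both Python 2 and 3; '%02X' produces the
    # two-digit upper-case form the table keys use (same as bytes2hex()).
    head_hex = "".join("%02X" % b for b in bytearray(head))
    # Longest keys first, so a shorter key that happens to be a prefix of a
    # longer one can never shadow it; result is then independent of dict order.
    for hcode in sorted(signatures, key=len, reverse=True):
        if head_hex.startswith(hcode):
            return signatures[hcode]
    return 'unknown'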

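def find_candidates(path):
    """Walk *path* and print files that look like header-less containers.

    Heuristic (unchanged from the original script): a regular file whose size
    is a non-zero multiple of 512 bytes and whose leading bytes match none of
    the signatures in typeList() is reported as a TrueCrypt candidate.  Every
    file that passes the size test is printed; candidates get an extra 'yeah'
    line.  Files that cannot be read are reported and skipped so one bad
    entry does not abort the scan.

    Args:
        path: directory to walk recursively.
    """
    for dirpath, dirnames, filenames in os.walk(path):
        for name in filenames:
            fullpath = os.path.join(dirpath, name)
            if not os.path.isfile(fullpath):
                continue
            try:
                size = os.path.getsize(fullpath)
                # 0 % 512 == 0, so an empty file would otherwise be flagged.
                if size == 0 or size % 512 != 0:
                    continue
                print(fullpath)
                # filetype() returns the string 'unknown', never None; the
                # original `== None` test could never fire, so no candidate
                # was ever marked.
                if filetype(fullpath) == 'unknown':
                    print('yeah')
            except Exception as exc:
                # Top-level boundary: say which file was skipped and why
                # instead of swallowing the error silently.
                print("=======Pass======= %s (%s)" % (fullpath, exc))


if __name__ == "__main__":
    # Default root kept from the original; a directory may be given on the
    # command line instead of editing the script.
    path = sys.argv[1] if len(sys.argv) > 1 else 'l:\\'
    find_candidates(path)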

最终还是需要人工核实：这里的判断条件只是"文件大小是 512 字节的整数倍，且文件头不在字典里"，所以其他加密容器、随机数据、裸磁盘镜像等都会被一并报出来（空文件的大小 0 也满足整数倍条件）；精度取决于你的文件头字典大小，脚本只是单纯地加速一下手工筛查的过程罢了。如果要进一步缩小范围，可以再对候选文件做一次熵值检测。
