TruxtonFileIO

From truxwiki.com

This class provides read-only access to a file's contents in Truxton.

IOBase Attributes and Methods

These mirror the IOBase methods.

close()

Closes the stream. Implements close()

closed

Returns True if the stream is closed, False if it is open. Implements closed

fileno()

Will always return an error. Implements fileno()

flush()

Does nothing. Implements flush()

isatty()

Returns False. Implements isatty()

readable()

Returns True. Implements readable()

readline(size = -1)

Reads a line of text from the file. Implements readline()

readlines(hint = -1)

Reads multiple lines of text from the file. Implements readlines()

seek(offset, whence = SEEK_SET)

Changes the current file pointer. Implements seek()

seekable()

Returns True. Implements seekable()

tell()

Returns the current stream position. Implements tell()

truncate(size = None)

Returns an error. Implements truncate()

writable()

Returns IOError. Implements writable()

writelines(lines)

Always returns IOError. Implements writelines()

RawIOBase Attributes and Methods

From RawIOBase it implements:

read(size = -1)

Reads bytes from the file. Implements read()

readall()

Reads all of the bytes of the file. Implements readall()

readinto(b)

Will fill byte array with bytes from the file. Implements readinto()

write(b)

Always returns IOError. Implements write()

Truxton Methods

The above methods will let you read from a file in Truxton as if it were any other file in Python. The following methods are also present to make tasks of adding items extracted from a file easier.

  • addnote() - Used to create a record in the [InvestigatorNote] table in the database associated with this file.
  • changetype() - Used to change the type of the file.
  • newartifact() - Used to create a record in the [Entity] table and associated with this file.
  • newchild() - Creates a writable file that will be a child of this file.
  • newcommunication() - Creates a new communication object with this file as its source.
  • newevent() - Used to create a record in the [Event] table and associated with this file.
  • newexif() - Used to create a record in the [EXIF] table and associated with this file.
  • newlocation() - Used to create a record in the [Location] table and associated with this file.
  • newrelation() - Used to create a record in the [Relation] table and associated with this file.
  • newurl() - Used to create a record in the [WebsiteVisit] table and associated with this file.
  • newusb() - Used to create a record in the [USBDevice] table and associated with this file.
  • tag() - Used to associate a tag with this file.

Truxton Attributes

accessed: int

When the file was last accessed in FILETIME ticks. This corresponds to the [LastAccess] column of the [File] table.

attributes: int

An integer value representing the attributes of the file. For a Microsoft filesystem, it can be a combination of the file attribute flags. This corresponds to the [Attributes] column of the [File] table.

children: int

The number of files that have this file as their parent. This corresponds to the [NumberOfChildren] column of the [File] table.

created: int

When the file was created in FILETIME ticks. This corresponds to the [Created] column of the [File] table.

depot: str

The name of the depot holding the file's contents. This corresponds to the [Filename] column of the [Depot] table.

depotid: str

The ID of the depot holding the file's contents. This corresponds to the [DepotID] column of the [Content] table.

depotlength: int

The number of bytes in the depot used for this file's contents. This corresponds to the [Length] column of the [Content] table.

depotoffset: int

The offset, in bytes, within the depot at which this file's contents begin. This corresponds to the [Offset] column of the [Content] table.

diskoffset: int

The offset, in bytes, of the first byte of the contents of the file on the physical disk. This corresponds to the [PhysicalDiskOffset] column of the [File] table.

eliminated: boolean

True when the original contents of the file were eliminated based on the hash matching one from a list of hashes of files known to have no investigative value. The NSRL is one such library. If this is False, the file's contents are available for use.

entropy: float

Shannon's entropy of the contents of the file. This corresponds to the [RawEntropy] column of the [File] table.

hash: str

The MD5 hash of the contents of the file. This corresponds to the [HashID] column of the [File] table.

id: str

The GUID of the file record. This corresponds to the [ID] column of the [File] table.

mediaid: str

The GUID of the media this file came from. This corresponds to the [MediaID] column of the [File] table.

modified: int

When the file was last written in FILETIME ticks. This corresponds to the [LastWrite] column of the [File] table.

name: str

The name of the file.

origin: int

Where the file came from. It should be one of the origin values. This corresponds to the [OriginID] column of the [File] table.

parentid: str

The GUID of the parent of this file. This corresponds to the [ParentFileID] column of the [File] table.

resident: boolean

True if this file's contents exist contiguously within the contents of another file.

size: int

The size, in bytes, of the file. This corresponds to the [OSLength] column of the [File] table.

status: int

The status of the contents of the file. It should be one of the content status values. This corresponds to the [ContentStatusID] column of the [File] table.

type: int

The type of the file. This corresponds to the [FileTypeID] column of the [File] table.

Sample

This will retrieve a file from Truxton, print the name and hash as stored in the database then calculate a hash on the contents and print that.

import sys
sys.path.append('C:/Program Files/Truxton/SDK')
import truxton
import hashlib

def main() -> None:
  t = truxton.create()
  with t.getfileid("5ec2a123-74d6-5da7-0653-4e6800000000") as the_file:
    # Name and MD5 hash as recorded in the [File] table
    print(the_file.name + " has stored hash " + the_file.hash)
    # Read the whole contents and hash them independently
    byte_buffer = the_file.readall()
    readable_hash = hashlib.md5(byte_buffer).hexdigest()
    print(readable_hash + " is the calculated hash of the contents")

  return None

if __name__ == "__main__":
  sys.exit(main())
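As an added example (not code from the Truxton SDK or this page), here is how a script can use the attributes above to re-verify a file: it recomputes the MD5 and Shannon entropy by reading through read() in chunks instead of readall(), skips files whose contents were eliminated, and converts the FILETIME ticks in modified to a datetime. The FakeTruxtonFile class and SAMPLE bytes are constructed stand-ins exposing the documented attributes so the block runs without Truxton installed.

```python
import hashlib
import io
import math
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC (accessed/created/modified).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def entropy_from_counts(counts: list, total: int) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), as the [RawEntropy] column stores it."""
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)

def verify_file(f, chunk_size: int = 65536) -> dict:
    """Re-hash the stream in chunks and compare with the stored hash and size."""
    if f.eliminated:
        # Contents were dropped (e.g. NSRL hit): nothing to read, so nothing to verify.
        return {"verified": None, "reason": "contents eliminated"}
    md5, counts, total = hashlib.md5(), [0] * 256, 0
    f.seek(0)  # rewind in case the caller already read from the stream
    while True:
        chunk = f.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        total += len(chunk)
        for b in chunk:
            counts[b] += 1
    computed = md5.hexdigest()
    return {
        "verified": computed.lower() == f.hash.lower() and total == f.size,
        "computed_hash": computed,
        "entropy": entropy_from_counts(counts, total),
        "modified": filetime_to_datetime(f.modified).isoformat(),
    }

class FakeTruxtonFile(io.BytesIO):
    """Constructed stand-in with the documented attributes; NOT the real truxton class."""
    def __init__(self, data: bytes, stored_hash: str, modified: int, eliminated: bool = False):
        super().__init__(data)
        self.hash, self.size = stored_hash, len(data)
        self.modified, self.eliminated = modified, eliminated

SAMPLE = b"\x00\xff" * 8  # constructed contents; 1970-01-01 UTC is FILETIME 116444736000000000
GOOD = FakeTruxtonFile(SAMPLE, hashlib.md5(SAMPLE).hexdigest(), 116444736000000000)
TAMPERED = FakeTruxtonFile(SAMPLE, "0" * 32, 116444736000000000)  # stored hash no longer matches
```

With a real TruxtonFileIO object obtained from getfileid(), verify_file() works unchanged because it only touches read(), seek() and the attributes documented on this page.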