TruxtonFileIO
This class provides read-only access to a file's contents in Truxton.
Contents
- 1 IOBase Attributes and Methods
- 2 RawIOBase Attributes and Methods
- 3 Truxton Methods
- 4 Truxton Attributes
- 4.1 accessed: int
- 4.2 attributes: int
- 4.3 children: int
- 4.4 created: int
- 4.5 depot: str
- 4.6 depotid: str
- 4.7 depotlength: int
- 4.8 depotoffset: int
- 4.9 diskoffset: int
- 4.10 eliminated: boolean
- 4.11 entropy: float
- 4.12 hash: str
- 4.13 id: str
- 4.14 mediaid: str
- 4.15 modified: int
- 4.16 name: str
- 4.17 origin: int
- 4.18 parentid: str
- 4.19 resident: boolean
- 4.20 size: int
- 4.21 status: int
- 4.22 type: int
- 5 Sample
IOBase Attributes and Methods
These mirror the IOBase methods.
close()
Closes the stream. Implements close()
closed
Returns True if the stream is closed, False if it is open. Implements closed
fileno()
Will always return an error. Implements fileno()
flush()
Does nothing. Implements flush()
isatty()
Returns False. Implements isatty()
readable()
Returns True. Implements readable()
readline(size = -1)
Reads a line of text from the file. Implements readline()
readlines(hint = -1)
Reads multiple lines of text from the file. Implements readlines()
seek(offset, whence = SEEK_SET)
Changes the current file pointer. Implements seek()
seekable()
Returns True. Implements seekable()
tell()
Returns the current stream position. Implements tell()
truncate(size = None)
Returns an error. Implements truncate()
writable()
Returns IOError. Implements writable()
writelines(lines)
Returns an error. Implements writelines() - Always returns IOError
RawIOBase Attributes and Methods
From RawIOBase it implements:
read(size = -1)
Reads bytes from the file. Implements read()
readall()
Reads all of the bytes of the file. Implements readall()
readinto(b)
Will fill byte array with bytes from the file. Implements readinto()
write(b)
Implements write() - Always returns IOError
Truxton Methods
The above methods let you read from a file in Truxton as if it were any other file in Python. The following methods are also present to make it easier to add items extracted from a file.
- addnote() - Used to create a record in the [InvestigatorNote] table in the database associated with this file.
- changetype() - Used to change the type of the file.
- newartifact() - Used to create a record in the [Entity] table and associate it with this file.
- newchild() - Creates a writable file that will be a child of this file.
- newcommunication() - Creates a new communication object with this file as its source.
- newevent() - Used to create a record in the [Event] table and associate it with this file.
- newexif() - Used to create a record in the [EXIF] table and associate it with this file.
- newlocation() - Used to create a record in the [Location] table and associate it with this file.
- newrelation() - Used to create a record in the [Relation] table and associate it with this file.
- newurl() - Used to create a record in the [WebsiteVisit] table and associate it with this file.
- newusb() - Used to create a record in the [USBDevice] table and associate it with this file.
- tag() - Used to associate a tag with this file.
Truxton Attributes
accessed: int
When the file was last accessed in FILETIME ticks.
This corresponds to the [LastAccess] column of the [File] table.
attributes: int
An integer value representing the attributes of the file.
For a Microsoft filesystem, it can be a combination of the file attribute flags.
This corresponds to the [Attributes] column of the [File] table.
children: int
The number of files that have this file as their parent.
This corresponds to the [NumberOfChildren] column of the [File] table.
created: int
When the file was created in FILETIME ticks.
This corresponds to the [Created] column of the [File] table.
depot: str
The name of the depot holding the file's contents.
This corresponds to the [Filename] column of the [Depot] table.
depotid: str
The name of the depot holding the file's contents.
This corresponds to the [DepotID] column of the [Content] table.
depotlength: int
The number of bytes in the depot used for this file's contents.
This corresponds to the [Length] column of the [Content] table.
depotoffset: int
The number of bytes in the depot used for this file's contents.
This corresponds to the [Offset] column of the [Content] table.
diskoffset: int
The offset, in bytes, of the first byte of the contents of the file on the physical disk.
This corresponds to the [PhysicalDiskOffset] column of the [File] table.
eliminated: boolean
True when the original contents of the file were eliminated based on the hash matching one from a list of hashes of files known to have no investigative value. The NSRL is one such library. If this is False, the file's contents are available for use.
entropy: float
Shannon's entropy of the contents of the file.
This corresponds to the [RawEntropy] column of the [File] table.
hash: str
The MD5 hash of the contents of the file.
This corresponds to the [HashID] column of the [File] table.
id: str
The GUID of the file record.
This corresponds to the [ID] column of the [File] table.
mediaid: str
The GUID of the media the child file came from.
This corresponds to the [MediaID] column of the [File] table.
modified: int
When the file was last written in FILETIME ticks.
This corresponds to the [LastWrite] column of the [File] table.
name: str
The name of the file.
origin: int
Where the file came from.
It should be one of the origin values.
This corresponds to the [OriginID] column of the [File] table.
parentid: str
The GUID of the parent of this file.
This corresponds to the [ParentFileID] column of the [File] table.
resident: boolean
True if this file's contents exist contiguously within the contents of another file.
size: int
The size, in bytes, of the file.
This corresponds to the [OSLength] column of the [File] table.
status: int
The status of the contents of the file.
It should be one of the content status values.
This corresponds to the [ContentStatusID] column of the [File] table.
type: int
The type of the file.
This corresponds to the [FileTypeID] column of the [File] table.
Sample
This will retrieve a file from Truxton, print the name and hash as stored in the database then calculate a hash on the contents and print that.
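import sys
sys.path.append('C:/Program Files/Truxton/SDK')
import truxton
import hashlib

def main() -> None:
    t = truxton.create()
    # Open the file record by its GUID; the with block closes it on exit.
    with t.getfileid("5ec2a123-74d6-5da7-0653-4e6800000000") as the_file:
        # Name and MD5 hash as stored in the database.
        print(the_file.name)
        print(the_file.hash + " is the hash stored in the database")
        # Hash the contents as read back through the stream interface.
        byte_buffer = the_file.readall()
        readable_hash = hashlib.md5(byte_buffer).hexdigest()
        print(readable_hash + " is the calculated hash of the contents")
    return None

if __name__ == "__main__":
    sys.exit(main())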
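The sample above reads the whole file with readall(). As an added example (not from the Truxton documentation), the following streams the contents in bounded chunks, skips files whose contents were eliminated, compares the result with the stored hash, and converts FILETIME ticks to a UTC datetime. It relies only on read(), seek(), hash, eliminated and modified as documented on this page; StandInFile is a constructed stand-in so the code runs without the SDK, and the case-insensitive hash comparison and the treatment of zero ticks as "no timestamp" are assumptions.

```python
import hashlib
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """FILETIME ticks are 100 ns units since 1601-01-01 UTC."""
    if ticks <= 0:  # assumption: zero means no timestamp was recorded
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def verify_contents(the_file, chunk_size=1 << 20):
    """Return (status, md5) with status 'match', 'mismatch' or 'eliminated'."""
    if the_file.eliminated:  # original contents were dropped, nothing to hash
        return ("eliminated", None)
    digest = hashlib.md5()
    the_file.seek(0)
    while True:
        chunk = the_file.read(chunk_size)  # bounded reads instead of readall()
        if not chunk:
            break
        digest.update(chunk)
    calculated = digest.hexdigest()
    # Assumption: the stored hash is a hex string; compare case-insensitively.
    stored = (the_file.hash or "").strip().lower()
    return ("match" if calculated == stored else "mismatch", calculated)

class StandInFile(io.BytesIO):
    """Constructed stand-in carrying the attributes documented on this page."""
    def __init__(self, data, stored_hash, eliminated=False, modified=0):
        super().__init__(data)
        self.hash = stored_hash
        self.eliminated = eliminated
        self.modified = modified

if __name__ == "__main__":
    data = b"constructed sample contents" * 1000
    good = StandInFile(data, hashlib.md5(data).hexdigest().upper(),
                       modified=116444736000000000)
    altered = StandInFile(data + b"!", hashlib.md5(data).hexdigest())
    for f in (good, altered, StandInFile(b"", "", eliminated=True)):
        print(verify_contents(f, chunk_size=4096), filetime_to_datetime(f.modified))
```

A "mismatch" result means the bytes read back differ from what was hashed when the record was stored, which is worth recording before relying on the contents.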