1- import json
1+ import contextlib
22import hashlib
3+ import json
4+ import os
35import shutil
4- import contextlib
56import tempfile
6- import os
7- from test import test_volatility , WindowsSamples
7+ from test import WindowsSamples , test_volatility
88
99
1010class TestWindowsVolshell :
@@ -843,20 +843,22 @@ def test_windows_specific_mftscan_ads_xp(self, volatility, python):
843843 {
844844 "ADS Filename" : "Zone.Identifier" ,
845845 "Filename" : "libby_hoeler_part1.wmv" ,
846- "Hexdump" : '" \n 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a [ZoneTransfer].. \n 5a 6f 6e 65 49 64 3d 33 0d 0a ZoneId=3.. "' ,
846+ "Hexdump" : "5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 5a 6f 6e 65 49 64 3d 33 0d 0a" ,
847847 "MFT Type" : "DATA" ,
848848 "Offset" : 55926304 ,
849849 "Record Number" : 323 ,
850850 "Record Type" : "FILE" ,
851+ "__children" : [],
851852 },
852853 {
853854 "ADS Filename" : "Zone.Identifier" ,
854855 "Filename" : "NetZeroQuickHelpLite.exe" ,
855- "Hexdump" : '" \n 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a [ZoneTransfer].. \n 5a 6f 6e 65 49 64 3d 33 0d 0a ZoneId=3.. "' ,
856+ "Hexdump" : "5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 5a 6f 6e 65 49 64 3d 33 0d 0a" ,
856857 "MFT Type" : "DATA" ,
857858 "Offset" : 56102400 ,
858859 "Record Number" : 347 ,
859860 "Record Type" : "FILE" ,
861+ "__children" : [],
860862 },
861863 ]
862864 for expected_row in expected_rows :
@@ -877,20 +879,22 @@ def test_windows_specific_mftscan_ads_win10(self, volatility, python):
877879 {
878880 "ADS Filename" : "$Max" ,
879881 "Filename" : "$UsnJrnl" ,
880- "Hexdump" : '" \n 00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 ................ \n b9 dd f0 cc df 73 db 01 00 00 00 00 00 00 00 00 .....s.........."' ,
882+ "Hexdump" : "00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 b9 dd f0 cc df 73 db 01 00 00 00 00 00 00 00 00" ,
881883 "MFT Type" : "DATA" ,
882- "Offset" : 1058018088 ,
884+ "Offset" : 26235616 ,
883885 "Record Number" : 107240 ,
884886 "Record Type" : "FILE" ,
887+ "__children" : [],
885888 },
886889 {
887- "ADS Filename" : "$Config " ,
888- "Filename" : "$Repair " ,
889- "Hexdump" : '" \n 01 00 00 00 03 00 00 00 ........ "' ,
890+ "ADS Filename" : "$SRAT " ,
891+ "Filename" : "$Bitmap " ,
892+ "Hexdump" : "a4 5f fd 60 38 00 01 03 10 00 0c 00 04 00 00 00 01 00 00 00 01 00 00 00 8d 4e 16 00 02 00 00 00 a0 00 00 00 00 00 06 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 7b 01 00 00 00 00 00" ,
890893 "MFT Type" : "DATA" ,
891- "Offset" : 5009678688 ,
892- "Record Number" : 28 ,
894+ "Offset" : 1052277088 ,
895+ "Record Number" : 6 ,
893896 "Record Type" : "FILE" ,
897+ "__children" : [],
894898 },
895899 ]
896900 for expected_row in expected_rows :
@@ -924,15 +928,15 @@ def test_windows_specific_mftscan_residentdata_win10(self, volatility, python):
924928 expected_rows = [
925929 {
926930 "Filename" : "index" ,
927- "Hexdump" : '" \n 30 5c 72 a7 1b 6d fb fc 09 00 00 00 00 00 00 00 0 \\ r..m.......... \n 00 00 00 00 00 00 00 00 ........ "' ,
931+ "Hexdump" : "30 5c 72 a7 1b 6d fb fc 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" ,
928932 "MFT Type" : "DATA" ,
929933 "Offset" : 4961536280 ,
930934 "Record Number" : 116474 ,
931935 "Record Type" : "FILE" ,
932936 },
933937 {
934938 "Filename" : "0.2.filtertrie.intermediate.txt" ,
935- "Hexdump" : '" \n 30 09 32 0d 0a 0.2.. "' ,
939+ "Hexdump" : "30 09 32 0d 0a" ,
936940 "MFT Type" : "DATA" ,
937941 "Offset" : 619242944 ,
938942 "Record Number" : 113013 ,
@@ -1411,4 +1415,3 @@ def test_windows_specific_virtmap(self, volatility, python):
14111415 )
14121416 for expected_row in expected_rows :
14131417 assert test_volatility .match_output_row (expected_row , json_out )
1414-
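Review bot: The ADS expectations in test_windows_specific_mftscan_ads_xp and test_windows_specific_mftscan_ads_win10 gain `"__children": [],`, but the rows in test_windows_specific_mftscan_residentdata_win10 do not, and nothing visible explains the difference. match_output_row is not shown here, so it is unclear whether the key is required for a match or is redundant; a short comment above `expected_rows` saying which would keep the three tests consistent. The new space-separated `Hexdump` strings also drop the ASCII column that made the fixtures readable, so I would add a comment beside the Zone.Identifier rows such as `# bytes decode to "[ZoneTransfer]\r\nZoneId=3\r\n" (Mark-of-the-Web, Internet zone)`. All three test bodies begin outside the hunks shown.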