Using Fuse with PyFlag

Fuse is a very promising project which allows one to write filesystems in user space. Writing filesystems in user space is much easier than writing them in kernel space, and allows one to use higher-level libraries and languages such as Python.

In PyFlag we use Fuse to provide a number of virtual filesystems, which allow compressed images (for example Encase images) to be mounted over the standard kernel loopback driver, or the entire PyFlag virtual filesystem to be mounted so that standard Linux grep and find can be used on it.

This howto explains how to install the Fuse Python bindings and patch them appropriately. It then shows how to use the PyFlag Fuse filesystems.

Installing Fuse

Currently Fuse is available as a standard package in both Debian and Ubuntu. Users of other distributions may need to download the Fuse source package from the Fuse project. The Fuse source contains a set of utilities, as well as a kernel module:

apt-get install fuse-source fuse-utils

cd /usr/src/
tar -xvjf fuse.tar.gz
cd modules/fuse/kernel/
./configure
make
make install

Note

You may need to install the correct kernel headers for your installed kernel. You can cat /proc/version and install exactly the same headers as the currently running kernel.

The fuse python bindings have a small bug which needs to be patched before PyFlag can work properly with them. This bug may well be fixed by the time you read this. Grab the source code for the python bindings: python-fuse_2.2.orig.tar.gz and python-fuse_2.2-1ubuntu1.diff.gz. You will also need the fuse patch.

Now extract these somewhere, and patch:

tar -xvzf python-fuse_2.2.orig.tar.gz
cd python
zcat ~/python-fuse_2.2-1ubuntu1.diff.gz | patch -p1
cat ~/fuse_patch.diff | patch -p1
python setup.py install

Alternatively you can install the updated debian package.

Mounting the PyFlag Virtual File System

Once PyFlag loads a case and scanners are run, virtual files are added to the VFS. These might include the contents of compressed files, email attachments, etc. Although one can use the PyFlag GUI to view the VFS, it is sometimes convenient to mount the VFS and use standard tools to access the virtual files. For example:

  • Bulk copy a large number of files from the VFS.
  • Grep through the files in the VFS for a certain keyword.
  • View images in the VFS using a dedicated image viewer.

In order to mount the VFS use:

~/pyflag$ ./launch.sh utilities/pyflag_fuse.py \
          /mnt/point/ -c case -f io_source

To unmount the filesystem use:

fusermount -u /mnt/point

Note

Providing /usr/bin/fusermount is suid root and your user has execute permission on it, you do not need to run this as root to mount the VFS.

Fuse for IO Subsystem support

Suppose that you have an Encase evidence set which you wish to mount under Linux. It would be nice to mount it using the normal Linux kernel filesystem drivers, without having to load it into PyFlag first. However, the kernel loopback device driver does not support compressed images. If we could convince the kernel to use the PyFlag IO Subsystem drivers when mounting over loopback, the kernel itself would support all the image formats that PyFlag supports, for example Encase files, RAID sets, etc.

In order to do this, we use Fuse to create a virtual filesystem in which the raw image appears. We can then mount this virtual raw image via the regular loopback driver:

~/pyflag# ./launch.sh utilities/fuse_loopback_subsystem.py \
          /mnt/point/ -i advanced -filename image.dd -offset 63s

This will create a virtual filesystem attached to /mnt/point/ with a single virtual file in it called mountme. Now we can mount this file in another terminal:

mount -oloop /mnt/point/mountme /mnt/point2

For example to mount a partition off an Encase disk image:

~/pyflag# ./launch.sh utilities/fuse_loopback_subsystem.py \
          /mnt/point/ -i ewf -filename image.e0* -offset 63s

mount -oloop /mnt/point/mountme /mnt/point2

Note

In order to mount the filesystem over the loopback device, you must run the mount command as root. This means the Fuse filesystem must also be mounted as root, since by default Fuse refuses access to any user other than the one who mounted the filesystem (not even root can access it).
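As an added example (not part of PyFlag or this howto), the following POSIX shell script runs the two stages above in order and releases the Fuse mount again if the loopback mount fails, so no stale mountpoint is left behind. The PYFLAG_DIR variable and the polling helper are assumptions, and mounting the loop device read-only is an addition for evidence handling.

```shell
#!/bin/sh
# Added example, not PyFlag's own code: stage 1 runs fuse_loopback_subsystem.py
# so the decoded image appears as the raw file "mountme", stage 2 loop-mounts
# that file. PYFLAG_DIR is an assumed variable (the page uses ~/pyflag).
PYFLAG_DIR="${PYFLAG_DIR:-$HOME/pyflag}"

# Poll until $1 exists, once a second for $2 seconds. Returns 1 on timeout.
wait_for_file() {
    path="$1"; tries="$2"
    while [ "$tries" -gt 0 ]; do
        [ -e "$path" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# mount_image FUSE_MNT LOOP_MNT IO_SUBSYSTEM OFFSET IMAGE...
#   e.g. mount_image /mnt/point /mnt/point2 ewf 63s image.e0*
mount_image() {
    fuse_mnt="$1"; loop_mnt="$2"; iosub="$3"; offset="$4"; shift 4
    # Both stages must run as root: mount -oloop needs it, and Fuse only lets
    # the mounting user see the filesystem (see the Note above).
    if [ "$(id -u)" -ne 0 ]; then
        echo "mount_image: run as root" >&2; return 1
    fi
    mkdir -p "$fuse_mnt" "$loop_mnt" || return 1
    # Stage 1, backgrounded because the utility stays in the foreground.
    (cd "$PYFLAG_DIR" && exec ./launch.sh utilities/fuse_loopback_subsystem.py \
        "$fuse_mnt" -i "$iosub" -filename "$@" -offset "$offset") &
    if ! wait_for_file "$fuse_mnt/mountme" 15; then
        echo "mount_image: mountme did not appear" >&2
        fusermount -u "$fuse_mnt" 2>/dev/null; return 1
    fi
    # Stage 2: read-only so the kernel never writes (e.g. journal replay) to
    # the evidence; undo stage 1 if the loop mount fails.
    if ! mount -o loop,ro "$fuse_mnt/mountme" "$loop_mnt"; then
        fusermount -u "$fuse_mnt"; return 1
    fi
}

# Tear down in reverse order: the loop mount first, then the Fuse filesystem.
umount_image() {
    umount "$2" && fusermount -u "$1"
}

if [ $# -ge 5 ]; then mount_image "$@"; fi
```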