From ebb2f38264aed64b634db4e94ebe158757980d63 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Tue, 30 Jun 2015 19:25:27 +0200 Subject: [PATCH] Code review: 246600043: Changes for dfVFS update #109 --- config/dpkg/changelog | 2 +- plaso/cli/storage_media_tool.py | 34 +++++++++++++++++------- plaso/dependencies.py | 4 +-- tests/frontend/storage_media_frontend.py | 20 ++++++++++---- 4 files changed, 43 insertions(+), 17 deletions(-) diff --git a/config/dpkg/changelog b/config/dpkg/changelog index d524b038db..adafddce49 100644 --- a/config/dpkg/changelog +++ b/config/dpkg/changelog @@ -2,4 +2,4 @@ python-plaso (1.3.0-1) unstable; urgency=low * Auto-generated - -- Log2Timeline Tue, 30 Jun 2015 18:44:06 +0200 + -- Log2Timeline Tue, 30 Jun 2015 19:24:50 +0200 diff --git a/plaso/cli/storage_media_tool.py b/plaso/cli/storage_media_tool.py index 0b6487e673..4682423f0b 100644 --- a/plaso/cli/storage_media_tool.py +++ b/plaso/cli/storage_media_tool.py @@ -525,6 +525,28 @@ def _PromptUserForVSSStoreIdentifiers( def _ScanVolume(self, volume_scan_node): """Scans the volume scan node for volume and file systems. + Args: + volume_scan_node: the volume scan node (instance of dfvfs.ScanNode). + + Raises: + SourceScannerError: if the format of or within the source + is not supported or the the scan node is invalid. + """ + if not volume_scan_node or not volume_scan_node.path_spec: + raise errors.SourceScannerError(u'Invalid or missing volume scan node.') + + if len(volume_scan_node.sub_nodes) == 0: + self._ScanVolumeScanNode(volume_scan_node) + + else: + # Some volumes contain other volume or file systems e.g. BitLocker ToGo + # has an encrypted and unencrypted volume. + for sub_scan_node in volume_scan_node.sub_nodes: + self._ScanVolumeScanNode(sub_scan_node) + + def _ScanVolumeScanNode(self, volume_scan_node): + """Scans an individual volume scan node for volume and file systems. + Args: volume_scan_node: the volume scan node (instance of dfvfs.ScanNode). 
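Review bot: In the new `_ScanVolume`, a node that has sub nodes is never passed to `_ScanVolumeScanNode` itself, and only its direct children are scanned. The docstring does not say so, and in a forensic tool a reader needs to know which volumes end up being processed. I would add a docstring line such as `When the node has sub nodes only those direct sub nodes are scanned, not the node itself.` The `Raises:` text also has a doubled word: `or the the scan node is invalid` should read `or the scan node is invalid`. The `path_spec` check covers only the node passed in; whether each sub node is validated depends on the body of `_ScanVolumeScanNode`, which continues outside this hunk.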
@@ -561,15 +583,8 @@ def _ScanVolume(self, volume_scan_node): parent=sub_scan_node.path_spec) self._source_path_specs.append(path_spec) - # TODO: move the TSK current volume scan node to the same level as - # the VSS scan node. - for sub_scan_node in scan_node.sub_nodes: - if sub_scan_node.type_indicator == ( - dfvfs_definitions.TYPE_INDICATOR_TSK): - self._source_path_specs.append(sub_scan_node.path_spec) - - # TODO: replace check with dfvfs_definitions.FILE_SYSTEM_TYPE_INDICATORS. - elif scan_node.type_indicator == dfvfs_definitions.TYPE_INDICATOR_TSK: + elif scan_node.type_indicator in ( + dfvfs_definitions.FILE_SYSTEM_TYPE_INDICATORS): self._source_path_specs.append(scan_node.path_spec) def AddFilterOptions(self, argument_group): @@ -723,6 +738,7 @@ def ScanSource(self, front_end): if scan_node.type_indicator not in [ dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION]: partition_identifiers = None + else: partition_identifiers = self._GetTSKPartitionIdentifiers( scan_node, partition_string=self._partition_string, diff --git a/plaso/dependencies.py b/plaso/dependencies.py index 18a71c2404..2afe4cee0f 100644 --- a/plaso/dependencies.py +++ b/plaso/dependencies.py @@ -22,7 +22,7 @@ u'pyolecf': 20150413, u'pyqcow': 20131204, u'pyregf': 20150315, - u'pysigscan': 20150114, + u'pysigscan': 20150627, u'pysmdev': 20140529, u'pysmraw': 20140612, u'pyvhdi': 20131210, @@ -38,7 +38,7 @@ (u'binplist', u'__version__', u'0.1.4', None), (u'construct', u'__version__', u'2.5.2', None), (u'dateutil', u'__version__', u'1.5', None), - (u'dfvfs', u'__version__', u'20150523', None), + (u'dfvfs', u'__version__', u'20150630', None), (u'dpkt', u'__version__', u'1.8', None), # The protobuf module does not appear to have version information. (u'google.protobuf', u'', u'', None), diff --git a/tests/frontend/storage_media_frontend.py b/tests/frontend/storage_media_frontend.py index fda248b30d..ae6da1e1d3 100644 --- a/tests/frontend/storage_media_frontend.py 
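Review bot: The `if`/`elif` chain that ends this function (presumably now the body of `_ScanVolumeScanNode`) has no `else`. A scan node whose type indicator matches neither the branch above nor `dfvfs_definitions.FILE_SYSTEM_TYPE_INDICATORS` is dropped: no path specification is appended to `_source_path_specs` and nothing is reported. Since `_ScanVolume` now fans out over sub nodes, including the encrypted/unencrypted BitLocker ToGo pair named in its comment, an examiner may not learn that part of the source was left out of processing. I would at least document this with `# Scan nodes of any other type are skipped.` and consider reporting the skipped node's `type_indicator` to the user. The start of the function is outside this hunk, so an earlier branch may already handle some of these types.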
+++ b/tests/frontend/storage_media_frontend.py @@ -120,13 +120,23 @@ def _TestScanSourceVssImage(self, source_path): self.assertNotEqual(scan_node, None) self.assertEqual( scan_node.type_indicator, - dfvfs_definitions.TYPE_INDICATOR_VSHADOW) - self.assertEqual(len(scan_node.sub_nodes), 3) + dfvfs_definitions.TYPE_INDICATOR_QCOW) + self.assertEqual(len(scan_node.sub_nodes), 2) - for scan_node in scan_node.sub_nodes: - if getattr(scan_node.path_spec, u'location', None) == u'/': - break + volume_scan_node = scan_node + + scan_node = volume_scan_node.sub_nodes[0] + self.assertEqual( + scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_VSHADOW) + self.assertEqual(len(scan_node.sub_nodes), 2) + + scan_node = scan_node.sub_nodes[0] + self.assertEqual( + scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_VSHADOW) + # By default the file system inside a VSS volume is not scanned. + self.assertEqual(len(scan_node.sub_nodes), 0) + scan_node = volume_scan_node.sub_nodes[1] self.assertEqual( scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_TSK)