Since we can have several volumes for a system at one time, we should add
file_name_with_device() to filescan so that we can tell which volume a file was
on. For example, I have a TrueCrypt volume with a few files on it. When I run
the filescan plugin on the memory dump I have no idea what files might be
associated with this volume as opposed to files on the c:\ drive. I can see
this file only because I know what it's called ahead of time:
$ ./vol.py -f XPSP3.vmem filescan |grep "blah blah"
Volatile Systems Volatility Framework 2.2_alpha
0x021f1678 1 0 R--rwd \blah blah.txt
0x0232b220 1 0 R--r-d \Documents and Settings\user\Recent\blah blah.txt.lnk
Now after the patch I can see all files:
grep "TrueCryptVolumeT" output/filescan.txt
0x01e59028 1 0 R--r-- \Device\TrueCryptVolumeT\poison_ivy.py
0x01f8b028 3 0 RWD--- \Device\TrueCryptVolumeT\$BitMap
0x01fc1c60 3 0 RWD--- \Device\TrueCryptVolumeT\$LogFile
0x021f1678 1 0 R--rwd \Device\TrueCryptVolumeT\blah blah.txt
0x0235ddd8 1 0 RW-r-- \Device\TrueCryptVolumeT\New Text Document.txt
0x02479c98 3 0 RWD--- \Device\TrueCryptVolumeT\$Mft
0x024a6f00 3 0 RWD--- \Device\TrueCryptVolumeT\$Directory
0x024d9028 3 1 R--rwd \Device\TrueCryptVolumeT\
0x024ec700 3 0 RWD--- \Device\TrueCryptVolumeT\$Mft
0x024f96c0 3 0 RWD--- \Device\TrueCryptVolumeT\$MftMirr
Original issue reported on code.google.com by jamie.l...@gmail.com on 17 Aug 2012 at 2:44
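As an added illustration (not part of the original issue or the Volatility code), the snippet below parses the five-column filescan output shown above and groups file objects by the \Device\... prefix that file_name_with_device() adds, so an analyst can answer the question the report raises: which files live on a non-system volume such as the TrueCrypt one. The sample output, the device name HarddiskVolume1 and the ntdll.dll line are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Volatility 2.x filescan output after the
# patch: offset, #ptr, #hnd, access, then the name prefixed with its device.
# The last line deliberately has no device prefix (the pre-patch form).
SAMPLE_FILESCAN = """\
Volatile Systems Volatility Framework 2.2_alpha
0x01e59028 1 0 R--r-- \\Device\\TrueCryptVolumeT\\poison_ivy.py
0x01f8b028 3 0 RWD--- \\Device\\TrueCryptVolumeT\\$BitMap
0x021f1678 1 0 R--rwd \\Device\\TrueCryptVolumeT\\blah blah.txt
0x0232b220 1 0 R--r-d \\Device\\HarddiskVolume1\\Documents and Settings\\user\\Recent\\blah blah.txt.lnk
0x024d9028 3 1 R--rwd \\Device\\TrueCryptVolumeT\\
0x03000000 1 0 R--r-- \\WINDOWS\\system32\\ntdll.dll
"""

# offset, pointer count, handle count, 6-char access string, remainder = name
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.*)$")
# \Device\<name>\<path>  (path may be empty for the volume root)
DEVICE_RE = re.compile(r"^\\Device\\([^\\]+)(\\.*)?$")


def parse_filescan(text):
    """Yield (offset, ptrs, handles, access, name) for each filescan record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        off, ptrs, hnds, access, name = m.groups()
        yield int(off, 16), int(ptrs), int(hnds), access, name


def group_by_device(text):
    """Map device name -> list of paths on it. Names without a \\Device\\
    prefix (pre-patch output, volume unknown) are collected under '(unresolved)'."""
    groups = defaultdict(list)
    for _, _, _, _, name in parse_filescan(text):
        m = DEVICE_RE.match(name)
        if m:
            groups[m.group(1)].append(m.group(2) or "\\")
        else:
            groups["(unresolved)"].append(name)
    return dict(groups)


def devices_other_than(text, system_device="HarddiskVolume1"):
    """Devices holding file objects besides the system volume (assumed name)."""
    return sorted(d for d in group_by_device(text)
                  if d not in (system_device, "(unresolved)"))
```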