:py:mod:`dissect.evidence.ad1` ============================== .. py:module:: dissect.evidence.ad1 Module Contents --------------- Classes ~~~~~~~ .. autoapisummary:: dissect.evidence.ad1.AD1 dissect.evidence.ad1.LogicalImage dissect.evidence.ad1.FileEntry dissect.evidence.ad1.FileMeta dissect.evidence.ad1.FileObject Attributes ~~~~~~~~~~ .. autoapisummary:: dissect.evidence.ad1.ad1_def dissect.evidence.ad1.c_ad1 dissect.evidence.ad1.EntryType dissect.evidence.ad1.MetaType .. py:data:: ad1_def :value: Multiline-String .. raw:: html
Show Value .. code-block:: python """ enum EntryType : uint32 { File = 0x0, Directory = 0x5 }; enum MetaType : uint32 { FileClass = 0x2, FileSize = 0x3, PhysicalSize = 0x4, StartCluster = 0x6, DateAccessed = 0x7, DateCreated = 0x8, DateModified = 0x9, Unknown_1 = 0xd, Unknown_2 = 0xe, ActualFile = 0x1e, Unknown_3 = 0x1002, Unknown_4 = 0x1003, Unknown_5 = 0x1004, Unknown_6 = 0x1005, MD5 = 0x5001, SHA1 = 0x5002, ClusterSize = 0x9001, ClusterCount = 0x9002, FreeClusterCount = 0x9003, VolumeSerialNumber = 0x9006 }; typedef struct { char magic[16]; uint32 unk1; uint32 unk2; uint32 unk3; uint32 unk4; uint16 unk5; uint16 version; uint32 unk6; uint64 logical_image_offset; } SegmentedFileHeader; typedef struct { char magic[16]; uint32 unk1; uint32 unk2; uint32 chunk_size; // This is supposed to be uint64? But that doesn't seem right uint32 unk3; uint32 unk4; uint64 entry_offset; uint32 name_len; uint32 unk5; uint64 name_offset; uint64 unk6; uint64 unk7; uint64 unk8; uint64 unk9; char name[name_len]; } LogicalImageHeader; typedef struct { uint64 next; uint64 child; uint64 meta; uint64 unk1; uint64 size; EntryType type; uint32 name_len; char name[name_len]; uint64 unk2; uint64 num_chunks; uint64 chunks[num_chunks]; } FileEntry; typedef struct { uint64 next; uint32 category; MetaType type; uint32 len; char data[len]; } FileMeta; """ .. raw:: html
.. py:data:: c_ad1 .. py:data:: EntryType .. py:data:: MetaType .. py:class:: AD1(fh) .. py:method:: __getattr__(k) .. py:method:: entry(path='') .. py:method:: listdir(path) .. py:method:: get(path) .. py:method:: open(path) .. py:method:: walk() :abstractmethod: .. py:class:: LogicalImage(fh) .. py:method:: __repr__() Return repr(self). .. py:method:: __getattr__(k) .. py:class:: FileEntry(image, offset, parent) .. py:method:: __repr__() Return repr(self). .. py:method:: __getattr__(k) .. py:method:: open() .. py:method:: is_file() .. py:method:: is_dir() .. py:class:: FileMeta(image, offset) .. py:method:: __repr__() Return repr(self). .. py:method:: __getattr__(k) .. py:class:: FileObject(entry) Bases: :py:obj:`dissect.util.stream.AlignedStream` Basic buffered stream that provides easy aligned reads. Must be subclassed for various stream implementations. Subclasses can implement: - _read(offset, length) - _seek(pos, whence=io.SEEK_SET) The offset and length for _read are guaranteed to be aligned. The only time that overriding _seek would make sense is if there's no known size of your stream, but still want to provide SEEK_END functionality. Most subclasses of AlignedStream take one or more file-like objects as source. Operations on these subclasses, like reading, will modify the source file-like object as a side effect. :param size: The size of the stream. This is used in read and seek operations. None if unknown. :param align: The alignment size. Read operations are aligned on this boundary. Also determines buffer size.