:py:mod:`dissect.evidence.asdf.asdf`
====================================

.. py:module:: dissect.evidence.asdf.asdf


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.evidence.asdf.asdf.AsdfWriter
   dissect.evidence.asdf.asdf.AsdfSnapshot
   dissect.evidence.asdf.asdf.Metadata
   dissect.evidence.asdf.asdf.AsdfStream


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.evidence.asdf.asdf.scrape_blocks


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.evidence.asdf.asdf.SnapshotTableEntry
   dissect.evidence.asdf.asdf.VERSION
   dissect.evidence.asdf.asdf.DEFAULT_BLOCK_SIZE
   dissect.evidence.asdf.asdf.MAX_BLOCK_TABLE_SIZE
   dissect.evidence.asdf.asdf.MAX_IDX
   dissect.evidence.asdf.asdf.IDX_MEMORY
   dissect.evidence.asdf.asdf.IDX_METADATA
   dissect.evidence.asdf.asdf.RESERVED_IDX
   dissect.evidence.asdf.asdf.FILE_MAGIC
   dissect.evidence.asdf.asdf.BLOCK_MAGIC
   dissect.evidence.asdf.asdf.FOOTER_MAGIC
   dissect.evidence.asdf.asdf.SPARSE_BYTES
   dissect.evidence.asdf.asdf.asdf_def
   dissect.evidence.asdf.asdf.c_asdf


.. py:data:: SnapshotTableEntry

.. py:data:: VERSION
   :value: 1

.. py:data:: DEFAULT_BLOCK_SIZE
   :value: 4096

.. py:data:: MAX_BLOCK_TABLE_SIZE

.. py:data:: MAX_IDX
   :value: 253

.. py:data:: IDX_MEMORY
   :value: 254

.. py:data:: IDX_METADATA
   :value: 255

.. py:data:: RESERVED_IDX

.. py:data:: FILE_MAGIC
   :value: b'ASDF'

.. py:data:: BLOCK_MAGIC
   :value: b'BL\xa5\xdf'

.. py:data:: FOOTER_MAGIC
   :value: b'FT\xa5\xdf'

.. py:data:: SPARSE_BYTES
   :value: b'\xa5\xdf'

.. py:data:: asdf_def
   :value: Multiline-String

   .. code-block:: python

      """
      flag FILE_FLAG : uint32 {
          SHA256 = 0x01,
      };

      flag BLOCK_FLAG : uint8 {
          CRC32 = 0x01,
          COMPRESS = 0x02,
      };

      struct header {
          char magic[4];          // File magic, must be "ASDF"
          FILE_FLAG flags;        // File flags
          uint8 version;          // File version
          char reserved1[7];      // Reserved
          uint64 timestamp;       // Creation timestamp of the file
          char reserved2[8];      // Reserved
          char guid[16];          // GUID, should be unique per writer
      };

      struct block {
          char magic[4];          // Block magic, must be "BL\xa5\xdf"
          BLOCK_FLAG flags;       // Block flags
          uint8 idx;              // Stream index, some reserved values have special meaning
          char reserved[2];       // Reserved
          uint64 offset;          // Absolute offset of block in stream
          uint64 size;            // Size of block in stream
      };

      struct table_entry {
          BLOCK_FLAG flags;       // Block flags
          uint8 idx;              // Stream index, some reserved values have special meaning
          char reserved[2];       // Reserved
          uint64 offset;          // Absolute offset of block in stream
          uint64 size;            // Size of block in stream
          uint64 file_offset;     // Absolute offset of block in file
          uint64 file_size;       // Size of block in file
      };

      struct footer {
          char magic[4];          // Footer magic, must be "FT\xa5\xdf"
          char reserved[4];       // Reserved
          uint64 table_offset;    // Offset in file to start of block table
          char sha256[32];        // SHA256 of this file up until this hash
      };
      """

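
Added example (not part of ``dissect.evidence``): a standard-library check of the footer ``sha256`` field, hashing the file "up until this hash" as the ``footer`` structure in ``asdf_def`` describes, so an altered or truncated image is rejected before analysis. Little-endian packing, the footer being the last 48 bytes of the file, and the names ``verify_footer_hash`` and ``build_sample`` are assumptions of this example; the sample image is constructed.

```python
import hashlib
import io
import struct

# Layouts transcribed from asdf_def; little-endian byte order is an assumption.
HEADER = struct.Struct("<4sIB7sQ8s16s")  # magic, flags, version, reserved1, timestamp, reserved2, guid
FOOTER = struct.Struct("<4s4sQ32s")      # magic, reserved, table_offset, sha256
FILE_MAGIC, FOOTER_MAGIC, FLAG_SHA256 = b"ASDF", b"FT\xa5\xdf", 0x01


def verify_footer_hash(fh):
    """Return (ok, reason) for the footer SHA256 of a seekable ASDF file-like object."""
    size = fh.seek(0, io.SEEK_END)
    if size < HEADER.size + FOOTER.size:
        return False, "file too small for header and footer"
    fh.seek(0)
    magic, flags, *_ = HEADER.unpack(fh.read(HEADER.size))
    if magic != FILE_MAGIC:
        return False, "bad file magic"
    if not flags & FLAG_SHA256:
        return False, "SHA256 flag not set, nothing to verify"
    # Assumption: the footer occupies the final FOOTER.size bytes of the file.
    footer_offset = size - FOOTER.size
    fh.seek(footer_offset)
    f_magic, _, table_offset, stored = FOOTER.unpack(fh.read(FOOTER.size))
    if f_magic != FOOTER_MAGIC:
        return False, "bad footer magic (truncated or unfinished image?)"
    if not HEADER.size <= table_offset <= footer_offset:
        return False, "block table offset out of range"
    # Hash everything that precedes the 32-byte digest field, in 1 MiB chunks.
    digest = hashlib.sha256()
    remaining = size - 32
    fh.seek(0)
    while remaining:
        chunk = fh.read(min(remaining, 1 << 20))
        if not chunk:
            return False, "short read"
        digest.update(chunk)
        remaining -= len(chunk)
    if digest.digest() != stored:
        return False, "SHA256 mismatch"
    return True, "ok"


def build_sample(payload=b"constructed block data"):
    """Constructed minimal image: header, opaque payload, empty block table, footer."""
    body = HEADER.pack(FILE_MAGIC, FLAG_SHA256, 1, b"\0" * 7, 0, b"\0" * 8, b"\x11" * 16) + payload
    partial = body + struct.pack("<4s4sQ", FOOTER_MAGIC, b"\0" * 4, len(body))
    return partial + hashlib.sha256(partial).digest()
```
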
.. py:data:: c_asdf

.. py:class:: AsdfWriter(fh: BinaryIO, guid: uuid.UUID = None, compress: bool = False, block_crc: bool = True)

   Bases: :py:obj:`io.RawIOBase`

   ASDF file writer.

   Current limitations:

   - Maximum source disk size is ~16EiB
   - Maximum number of disks is 254

   Some things are currently hardcoded (like SHA256), although they may become variable in the future.

   :param fh: File-like object to write to.
   :param guid: Unique identifier. Used to link images to writers.
   :param compress: Write gzip compressed file.
   :param block_crc: Flag to store a CRC32 after each block.

   .. py:method:: add_metadata_file(path: str, fh: BinaryIO, size: Optional[int] = None) -> None

      Add a file to the metadata stream.

      :param path: The path in the metadata tar to write to.
      :param fh: The file-like object to write.
      :param size: Optional size to write.

   .. py:method:: add_bytes(data: bytes, idx: int = 0, base: int = 0) -> None

      Add some bytes into this snapshot.

      Convenience method for adding some bytes at a specific offset.

      :param data: The bytes to copy.
      :param idx: The stream index.
      :param base: The base offset.

   .. py:method:: copy_bytes(source: BinaryIO, offset: int, num_bytes: int, idx: int = 0, base: int = 0) -> None

      Copy some bytes from the source file-like object into this snapshot.

      Often the source will be a volume on a disk, which is usually represented as a relative stream. If this is the case, use the ``base`` argument to indicate what the byte offset of the source is, relative to the start of the disk. The ``offset`` argument is always the offset in the source, so that is not affected.

      :param source: The source file-like object to copy the bytes from.
      :param offset: The byte offset into the source to start copying bytes from.
      :param num_bytes: The amount of bytes to copy.
      :param idx: The stream index, if copying from multiple disks.
      :param base: The base offset, if the source is a relative stream from e.g. a disk.

   .. py:method:: copy_block(source: BinaryIO, offset: int, num_blocks: int, block_size: Optional[int] = None, idx: int = 0, base: int = 0) -> None

      Copy some blocks in the given block size into this snapshot.

      If no block size is given, the ASDF native block size is used. This is really just a convenience method that does the block multiplication before calling ``copy_bytes``.

      :param source: The source file-like object to copy the blocks from.
      :param offset: The byte offset into the source to start copying blocks from.
      :param num_blocks: The amount of blocks to copy.
      :param block_size: The size of each block.
      :param idx: The stream index, if copying from multiple disks.
      :param base: The base offset, if the source is a relative stream from e.g. a disk.

   .. py:method:: copy_runlist(source: BinaryIO, runlist: list[tuple[Optional[int], int]], runlist_block_size: int, idx: int = 0, base: int = 0) -> None

      Copy a runlist of blocks in the given block size into this snapshot.

      A runlist must be a list of tuples, where::

         (block_offset, num_blocks)

      This is really just a convenience method that does the runlist iteration and block multiplication before calling ``copy_bytes``.

      :param source: The source file-like object to copy the blocks from.
      :param runlist: The runlist that describes the blocks.
      :param runlist_block_size: The size of each block.
      :param idx: The stream index, if copying from multiple disks.
      :param base: The base offset, if the source is a relative stream from e.g. a disk.

   .. py:method:: close() -> None

      Close the ASDF file.

      Writes the block table and footer, then closes the destination file-like object.


.. py:class:: AsdfSnapshot(fh: BinaryIO, recover: bool = False)

   ASDF file reader.

   :param fh: File-like object to read the ASDF file from.

   .. py:method:: contains(idx: int) -> bool

      Check whether this file contains the given stream index.

      :param idx: The stream to check.

   .. py:method:: open(idx: int) -> AsdfStream

      Open a specific stream in the file.

      :param idx: The stream to open.

   .. py:method:: streams() -> AsdfStream

      Iterate over all streams in the file.

   .. py:method:: disks() -> AsdfStream

      Iterate over all non-reserved streams in the file.


.. py:class:: Metadata(asdf: AsdfSnapshot)

   ASDF metadata reader.

   Thin wrapper around ``tarfile``.

   :param asdf: The :class:`AsdfSnapshot` to open the metadata of.

   .. py:method:: names() -> list[str]

      Return all metadata file entries.

   .. py:method:: members() -> list[tarfile.TarInfo]

      Return all metadata :class:`tarfile.TarInfo` entries.

   .. py:method:: open(path: str) -> BinaryIO

      Open a metadata entry and return a binary file-like object.


.. py:class:: AsdfStream(asdf: AsdfSnapshot, idx: int)

   Bases: :py:obj:`dissect.util.stream.AlignedStream`

   ASDF stream from a snapshot.

   :param asdf: :class:`AsdfSnapshot` parent object.
   :param idx: Stream index in the :class:`AsdfSnapshot`.


.. py:function:: scrape_blocks(fh: BinaryIO, buffer_size: int = io.DEFAULT_BUFFER_SIZE) -> Iterator[dissect.cstruct.Instance, int]

   Scrape for block headers in ``fh`` and yield parsed block headers and their offset.

   :param fh: The file-like object to scrape for block headers.
   :param buffer_size: The buffer size to use when scraping.