:py:mod:`dissect.target.loaders.local`
======================================

.. py:module:: dissect.target.loaders.local

Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.loaders.local.LocalLoader

Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.loaders.local.map_linux_drives
   dissect.target.loaders.local.map_solaris_drives
   dissect.target.loaders.local.map_esxi_drives
   dissect.target.loaders.local.map_windows_drives
   dissect.target.loaders.local.map_windows_mounted_drives

Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.loaders.local.SOLARIS_DEV_DIR
   dissect.target.loaders.local.SOLARIS_DRIVE_REGEX
   dissect.target.loaders.local.LINUX_DEV_DIR
   dissect.target.loaders.local.LINUX_DRIVE_REGEX
   dissect.target.loaders.local.VOLATILE_LINUX_PATHS
   dissect.target.loaders.local.ESXI_DEV_DIR
   dissect.target.loaders.local.WINDOWS_ERROR_INSUFFICIENT_BUFFER
   dissect.target.loaders.local.WINDOWS_DRIVE_FIXED

.. py:data:: SOLARIS_DEV_DIR

.. py:data:: SOLARIS_DRIVE_REGEX

.. py:data:: LINUX_DEV_DIR

.. py:data:: LINUX_DRIVE_REGEX

.. py:data:: VOLATILE_LINUX_PATHS

.. py:data:: ESXI_DEV_DIR

.. py:data:: WINDOWS_ERROR_INSUFFICIENT_BUFFER
   :value: 122

.. py:data:: WINDOWS_DRIVE_FIXED
   :value: 3

.. py:class:: LocalLoader(path: pathlib.Path, **kwargs)

   Bases: :py:obj:`dissect.target.loader.Loader`

   Load local filesystem.

   .. py:method:: detect(path)
      :staticmethod:

      Detects whether this ``Loader`` class can load this specific ``path``.

      :param path: The target path to check.

      :returns: ``True`` if the ``path`` can be loaded by a ``Loader`` instance. ``False`` otherwise.

   .. py:method:: map(target)

      Maps the loaded path into a ``Target``.

      :param target: The target that we're mapping into.

.. py:function:: map_linux_drives(target: dissect.target.Target)

   Map Linux raw disks and /proc and /sys.

   Iterate through /dev and match raw device names (not partitions).

   /proc and /sys are mounted if they exist, allowing access to volatile files.

.. py:function:: map_solaris_drives(target)

   Map Solaris raw disks.

   Iterate through /dev/dsk and match raw device names (not slices or partitions).

.. py:function:: map_esxi_drives(target)

   Map ESXi raw disks.

   Get all devices from /vmfs/devices/disks/* (not partitions).

.. py:function:: map_windows_drives(target)

   Map Windows drives by iterating physical drives.

   For each physical drive, load the partition table and volumes. If a drive is encrypted using BitLocker, use the OS transparent device to access it instead.

   Using this method, we get the drive serial and partition offset (MBR), or partition GUID (GPT), which we need for regular drive mounting.

   With this method we should open every partition of every disk, instead of only mounted drives.

.. py:function:: map_windows_mounted_drives(target: dissect.target.Target, force_dirfs: bool = False, fallback_to_dirfs: bool = False)

   Map Windows drives by their drive letter.

   For each (mounted) drive partition, determine if it's a fixed drive and if it's readable. If it is, add it as a volume to the target.

   Since we don't know the drive serial and other information, we already mount filesystems to drive letters (which we do know).

   The downside of this method is that we only open mounted volumes. The upside is that we can also open BDE/LDM/Storage Spaces volumes.

   Some inspiration drawn from http://velisthoughts.blogspot.com/2012/02/enumerating-and-using-partitions-and.html
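
The disk-versus-partition distinction that ``map_linux_drives`` describes, as an added example that is not dissect's own code. The name patterns are assumptions (not the value of ``LINUX_DRIVE_REGEX``), and ``classify``, ``plan_mapping`` and the sample ``/dev`` listing are hypothetical and constructed for illustration.

```python
import re

# Assumed Linux naming conventions (hypothetical, not LINUX_DRIVE_REGEX).
LETTER_DISK = r"(?:sd|hd|vd|xvd)[a-z]+"        # sda, vdb, sdaa (27th disk)
DIGIT_DISK = r"(?:nvme\d+n\d+|mmcblk\d+)"      # nvme0n1, mmcblk0
DISK_RE = re.compile(rf"^(?:{LETTER_DISK}|{DIGIT_DISK})$")
# Letter-suffixed disks append the partition number directly (sda1);
# digit-suffixed disks need a "p" separator (nvme0n1p1), so that
# nvme0n12 is namespace 12 and not partition 2 of nvme0n1.
PART_RE = re.compile(rf"^(?:({LETTER_DISK})\d+|({DIGIT_DISK})p\d+)$")


def classify(name):
    """Return ("disk", name), ("partition", parent_disk) or ("other", None)."""
    if DISK_RE.match(name):
        return ("disk", name)
    m = PART_RE.match(name)
    if m:
        return ("partition", m.group(1) or m.group(2))
    return ("other", None)


def plan_mapping(dev_names):
    """Decide which /dev entries to open as raw disks.

    Returns (disks, skipped, orphans):
      disks   - whole-disk nodes to open once and parse for partitions
      skipped - partitions already covered by a listed parent disk
      orphans - partitions whose parent disk node is absent (for example
                in a container); matching raw disks alone never opens them
    """
    disks = sorted(n for n in dev_names if classify(n)[0] == "disk")
    skipped, orphans = {}, []
    for name in sorted(dev_names):
        kind, parent = classify(name)
        if kind != "partition":
            continue
        if parent in disks:
            skipped.setdefault(parent, []).append(name)
        else:
            orphans.append(name)
    return disks, skipped, orphans


# Constructed /dev listing for illustration.
SAMPLE_DEV = ["sda", "sda1", "sda2", "sdaa", "nvme0n1", "nvme0n1p1",
              "nvme0n12", "mmcblk0", "mmcblk0p1", "mmcblk0boot0",
              "vdb1", "loop0", "dm-0", "sr0", "tty1"]

if __name__ == "__main__":
    print(plan_mapping(SAMPLE_DEV))
```

Opening each whole disk once and reading its partition table avoids mapping the same volume twice and also exposes partitions that are not mounted.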