:py:mod:`dissect.target.loaders.velociraptor`
=============================================

.. py:module:: dissect.target.loaders.velociraptor


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.loaders.velociraptor.VelociraptorLoader


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.loaders.velociraptor.find_fs_directories
   dissect.target.loaders.velociraptor.extract_drive_letter


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.loaders.velociraptor.log
   dissect.target.loaders.velociraptor.FILESYSTEMS_ROOT
   dissect.target.loaders.velociraptor.UNIX_ACCESSORS
   dissect.target.loaders.velociraptor.WINDOWS_ACCESSORS


.. py:data:: log


.. py:data:: FILESYSTEMS_ROOT
   :value: 'uploads'


.. py:data:: UNIX_ACCESSORS
   :value: ['file', 'auto']


.. py:data:: WINDOWS_ACCESSORS
   :value: ['mft', 'ntfs', 'lazy_ntfs', 'ntfs_vss', 'auto']


.. py:function:: find_fs_directories(path: pathlib.Path) -> tuple[Optional[dissect.target.plugin.OperatingSystem], Optional[list[pathlib.Path]]]


.. py:function:: extract_drive_letter(name: str) -> Optional[str]


.. py:class:: VelociraptorLoader(path: pathlib.Path, **kwargs)

   Bases: :py:obj:`dissect.target.loaders.dir.DirLoader`

   Load Rapid7 Velociraptor forensic image files.

   As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system.

   Generic.Collectors.File (Unix) uses the accessors ``file`` and ``auto``.
   The loader supports the following configuration::

       {"Generic.Collectors.File":{"Root":"/","collectionSpec":"Glob\netc/**\nvar/log/**"}}

   Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) use the accessors ``mft``, ``ntfs``, ``lazy_ntfs``, ``ntfs_vss`` and ``auto``.
   The loader supports a collection where multiple accessors were used.

   .. rubric:: References

   - https://www.rapid7.com/products/velociraptor/
   - https://docs.velociraptor.app/
   - https://github.com/Velocidex/velociraptor

   .. py:method:: detect(path: pathlib.Path) -> bool
      :staticmethod:

      Detects whether this ``Loader`` class can load this specific ``path``.

      :param path: The target path to check.

      :returns: ``True`` if the ``path`` can be loaded by a ``Loader`` instance, ``False`` otherwise.


   .. py:method:: map(target: dissect.target.Target) -> None

      Maps the loaded path into a ``Target``.

      :param target: The target that we're mapping into.
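The following is an added, stand-alone example and not the code of ``dissect.target`` itself. It models what the two module functions documented above have to do for the layouts this page describes: locate the filesystem directories under the ``uploads`` root, distinguish a Unix collection (``file``/``auto`` accessors) from a Windows one (``mft``/``ntfs``/``lazy_ntfs``/``ntfs_vss``/``auto``), recover the drive letter from each Windows accessor subdirectory, and merge the directories of a collection where several accessors captured the same drive. Two details are assumptions made here, not facts stated on this page: drive directories are taken to be URL-encoded names such as ``C%3A`` or ``%5C%5C.%5CC%3A``, and the operating system is returned as a plain string rather than the library's ``OperatingSystem`` enum. The directory trees are constructed in a temporary directory purely for demonstration.

```python
"""Added example, not dissect.target's own code: a minimal stand-alone model of
the Velociraptor collection-layout detection this page documents.

Assumed (not stated on the page): drive directories under a Windows accessor are
URL-encoded, e.g. 'C%3A' for 'C:' or '%5C%5C.%5CC%3A' for '\\\\.\\C:'.
"""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constants as documented on this page.
FILESYSTEMS_ROOT = "uploads"
UNIX_ACCESSORS = ["file", "auto"]
WINDOWS_ACCESSORS = ["mft", "ntfs", "lazy_ntfs", "ntfs_vss", "auto"]


def extract_drive_letter(name: str) -> Optional[str]:
    """Return the lower-case drive letter for an (assumed URL-encoded) directory
    name such as 'C%3A' or '%5C%5C.%5CC%3A', or None if it is not a drive."""
    decoded = unquote(name)              # 'C:' or '\\.\C:'
    if decoded.startswith("\\\\.\\"):    # strip a leading \\.\ device prefix
        decoded = decoded[4:]
    if len(decoded) == 2 and decoded[1] == ":" and decoded[0].isalpha():
        return decoded[0].lower()
    return None


def find_fs_directories(path: Path) -> tuple[Optional[str], Optional[list[Path]]]:
    """Return ("windows" | "unix", directories) for a collection rooted at path,
    or (None, None) if no recognisable layout is present.

    Windows is tried first: any accessor directory holding drive-letter
    subdirectories wins, so 'auto' (present in both accessor lists) is
    classified by its contents rather than by its name."""
    root = path / FILESYSTEMS_ROOT
    if not root.is_dir():
        return None, None

    drive_dirs: list[Path] = []
    for accessor in WINDOWS_ACCESSORS:                  # documented accessor order
        accessor_dir = root / accessor
        if not accessor_dir.is_dir():
            continue
        for child in sorted(accessor_dir.iterdir()):    # sorted: deterministic
            if child.is_dir() and extract_drive_letter(child.name):
                drive_dirs.append(child)
    if drive_dirs:
        return "windows", drive_dirs

    unix_dirs = [root / a for a in UNIX_ACCESSORS if (root / a).is_dir()]
    if unix_dirs:
        return "unix", unix_dirs
    return None, None


def group_by_drive(drive_dirs: list[Path]) -> dict[str, list[Path]]:
    """Merge the directories a multi-accessor collection produced for the same
    drive, keyed by drive letter, in the order they were found."""
    grouped: dict[str, list[Path]] = {}
    for directory in drive_dirs:
        letter = extract_drive_letter(directory.name)
        if letter:
            grouped.setdefault(letter, []).append(directory)
    return grouped


def build_sample_collection(base: Path, windows: bool) -> Path:
    """Create a constructed (fake) offline-collector tree under base for testing."""
    root = base / FILESYSTEMS_ROOT
    layout = (
        # C: collected with ntfs and auto, D: only with auto; 'results' is not a drive
        ["ntfs/%5C%5C.%5CC%3A/Windows/System32", "auto/C%3A/Users",
         "auto/D%3A/data", "auto/results"]
        if windows
        else ["file/etc", "file/var/log", "auto/etc"]
    )
    for rel in layout:
        (root / rel).mkdir(parents=True, exist_ok=True)
    return base


def demo() -> dict:
    """Build both constructed layouts in a temporary directory and return what
    the detection functions report, reduced to plain strings."""
    with tempfile.TemporaryDirectory() as tmp:
        win = build_sample_collection(Path(tmp) / "win", windows=True)
        win_os, win_dirs = find_fs_directories(win)
        nix = build_sample_collection(Path(tmp) / "nix", windows=False)
        nix_os, nix_dirs = find_fs_directories(nix)
        return {
            "windows": (win_os, {k: [p.parent.name for p in v]
                                 for k, v in group_by_drive(win_dirs).items()}),
            "unix": (nix_os, [p.name for p in nix_dirs]),
            "empty": find_fs_directories(Path(tmp) / "none"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ordering matters: because ``auto`` appears in both accessor lists, a collection is classified by whether an accessor directory contains drive-letter subdirectories, not by the accessor name alone. ``group_by_drive`` shows the merge step a mapper needs when ``ntfs`` and ``auto`` both captured ``C:``; the real loader's merge semantics are its own and are not reproduced here.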