dissect.evidence.asdf.asdf
¶
Module Contents¶
Classes¶
ASDF file writer. |
|
ASDF file reader. |
|
ASDF metadata reader. |
|
ASDF stream from a snapshot. |
Functions¶
Scrape for block headers in |
Attributes¶
- dissect.evidence.asdf.asdf.SnapshotTableEntry¶
- dissect.evidence.asdf.asdf.VERSION = 1¶
- dissect.evidence.asdf.asdf.DEFAULT_BLOCK_SIZE = 4096¶
- dissect.evidence.asdf.asdf.MAX_BLOCK_TABLE_SIZE¶
- dissect.evidence.asdf.asdf.MAX_IDX = 253¶
- dissect.evidence.asdf.asdf.IDX_MEMORY = 254¶
- dissect.evidence.asdf.asdf.IDX_METADATA = 255¶
- dissect.evidence.asdf.asdf.RESERVED_IDX¶
- dissect.evidence.asdf.asdf.FILE_MAGIC = b'ASDF'¶
- dissect.evidence.asdf.asdf.BLOCK_MAGIC = b'BL\xa5\xdf'¶
- dissect.evidence.asdf.asdf.FOOTER_MAGIC = b'FT\xa5\xdf'¶
- dissect.evidence.asdf.asdf.SPARSE_BYTES = b'\xa5\xdf'¶
- dissect.evidence.asdf.asdf.asdf_def = Multiline-String¶
Show Value
""" flag FILE_FLAG : uint32 { SHA256 = 0x01, }; flag BLOCK_FLAG : uint8 { CRC32 = 0x01, COMPRESS = 0x02, }; struct header { char magic[4]; // File magic, must be "ASDF" FILE_FLAG flags; // File flags uint8 version; // File version char reserved1[7]; // Reserved uint64 timestamp; // Creation timestamp of the file char reserved2[8]; // Reserved char guid[16]; // GUID, should be unique per writer }; struct block { char magic[4]; // Block magic, must be "BL\xa5\xdf" BLOCK_FLAG flags; // Block flags uint8 idx; // Stream index, some reserved values have special meaning char reserved[2]; // Reserved uint64 offset; // Absolute offset of block in stream uint64 size; // Size of block in stream }; struct table_entry { BLOCK_FLAG flags; // Block flags uint8 idx; // Stream index, some reserved values have special meaning char reserved[2]; // Reserved uint64 offset; // Absolute offset of block in stream uint64 size; // Size of block in stream uint64 file_offset; // Absolute offset of block in file uint64 file_size; // Size of block in file }; struct footer { char magic[4]; // Footer magic, must be "FT\xa5\xdf" char reserved[4]; // Reserved uint64 table_offset; // Offset in file to start of block table char sha256[32]; // SHA256 of this file up until this hash }; """
- dissect.evidence.asdf.asdf.c_asdf¶
- class dissect.evidence.asdf.asdf.AsdfWriter(fh: BinaryIO, guid: uuid.UUID = None, compress: bool = False, block_crc: bool = True)¶
Bases:
io.RawIOBase
ASDF file writer.
- Current limitations:
Maximum source disk size is ~16EiB
Maximum number of disks is 254
Some things are currently hardcoded (like SHA256), although they may become variable in the future.
- Parameters:
fh – File-like object to write to.
guid – Unique identifier. Used to link images to writers.
compress – Write gzip compressed file.
block_crc – Flag to store a CRC32 after each block.
- add_metadata_file(path: str, fh: BinaryIO, size: int | None = None) None ¶
Add a file to the metadata stream.
- Parameters:
path – The path in the metadata tar to write to.
fh – The file-like object to write.
size – Optional size to write.
- add_bytes(data: bytes, idx: int = 0, base: int = 0) None ¶
Add some bytes into this snapshot.
Convenience method for adding some bytes at a specific offset.
- Parameters:
data – The bytes to copy.
idx – The stream index.
base – The base offset.
- copy_bytes(source: BinaryIO, offset: int, num_bytes: int, idx: int = 0, base: int = 0) None ¶
Copy some bytes from the source file-like object into this snapshot.
Often the source will be a volume on a disk, which is usually represented as a relative stream. If this is the case, use the
base
argument to indicate what the byte offset of the source is, relative to the start of the disk. Theoffset
argument is always the offset in the source, so that is not affected.- Parameters:
source – The source file-like object to copy the bytes from.
offset – The byte offset into the source to start copying bytes from.
num_bytes – The amount of bytes to copy.
idx – The stream index, if copying from multiple disks.
base – The base offset, if the source is a relative stream from e.g. a disk.
- copy_block(source: BinaryIO, offset: int, num_blocks: int, block_size: int | None = None, idx: int = 0, base: int = 0) None ¶
Copy some blocks in the given block size into this snapshot.
If no block size is given, the ASDF native block size is used. This is really just a convenience method that does the block multiplication before calling
copy_bytes
.- Parameters:
source – The source file-like object to copy the blocks from.
offset – The byte offset into the source to start copying blocks from.
num_blocks – The amount of blocks to copy.
block_size – The size of each block.
idx – The stream index, if copying from multiple disks.
base – The base offset, if the source is a relative stream from e.g. a disk.
- copy_runlist(source: BinaryIO, runlist: list[tuple[int | None, int]], runlist_block_size: int, idx: int = 0, base: int = 0) None ¶
Copy a runlist of blocks in the given block size into this snapshot.
- A runlist must be a list of tuples, where:
(block_offset, num_blocks)
This is really just a convenience method that does the runlist iteration and block multiplication before calling copy_bytes.
- Parameters:
source – The source file-like object to copy the blocks from.
runlist – The runlist that describes the blocks.
runlist_block_size – The size of each block.
idx – The stream index, if copying from multiple disks.
base – The base offset, if the source is a relative stream from e.g. a disk.
- close() None ¶
Close the ASDF file.
Writes the block table and footer, then closes the destination file-like object.
- class dissect.evidence.asdf.asdf.AsdfSnapshot(fh: BinaryIO, recover: bool = False)¶
ASDF file reader.
- Parameters:
fh – File-like object to read the ASDF file from.
- contains(idx: int) bool ¶
Check whether this file contains the given stream index.
- Parameters:
idx – The stream to check.
- open(idx: int) AsdfStream ¶
Open a specific stream in the file.
- Parameters:
idx – The stream to open.
- streams() AsdfStream ¶
Iterate over all streams in the file.
- disks() AsdfStream ¶
Iterate over all non-reserved streams in the file.
- class dissect.evidence.asdf.asdf.Metadata(asdf: AsdfSnapshot)¶
ASDF metadata reader.
Thin wrapper around
tarfile
.- Parameters:
asdf – The
AsdfSnapshot
to open the metadata of.
- names() list[str] ¶
Return all metadata file entries.
- members() list[tarfile.TarInfo] ¶
Return all metadata
tarfile.TarInfo
entries.
- open(path: str) BinaryIO ¶
Open a metadata entry and return a binary file-like object.
- class dissect.evidence.asdf.asdf.AsdfStream(asdf: AsdfSnapshot, idx: int)¶
Bases:
dissect.util.stream.AlignedStream
ASDF stream from a snapshot.
- Parameters:
asdf –
AsdfSnapshot
parent object.idx – Stream index in the
AsdfSnapshot
.
- dissect.evidence.asdf.asdf.scrape_blocks(fh: BinaryIO, buffer_size: int = io.DEFAULT_BUFFER_SIZE) Iterator[dissect.cstruct.Instance, int] ¶
Scrape for block headers in
fh
and yield parsed block headers and their offset.- Parameters:
fh – The file-like object to scrape for block headers.
buffer_size – The buffer size to use when scraping.