dissect.volume.vss
¶
Module Contents¶
Classes¶
Basic buffered stream that provides easy aligned reads. |
|
Functions¶
Attributes¶
- dissect.volume.vss.log¶
- dissect.volume.vss.vss_def = Multiline-String¶
Show Value
""" flag _VSS_VOLUME_SNAPSHOT_ATTRIBUTES : uint32 { VSS_VOLSNAP_ATTR_PERSISTENT = 0x00000001, VSS_VOLSNAP_ATTR_NO_AUTORECOVERY = 0x00000002, VSS_VOLSNAP_ATTR_CLIENT_ACCESSIBLE = 0x00000004, VSS_VOLSNAP_ATTR_NO_AUTO_RELEASE = 0x00000008, VSS_VOLSNAP_ATTR_NO_WRITERS = 0x00000010, VSS_VOLSNAP_ATTR_TRANSPORTABLE = 0x00000020, VSS_VOLSNAP_ATTR_NOT_SURFACED = 0x00000040, VSS_VOLSNAP_ATTR_NOT_TRANSACTED = 0x00000080, VSS_VOLSNAP_ATTR_HARDWARE_ASSISTED = 0x00010000, VSS_VOLSNAP_ATTR_DIFFERENTIAL = 0x00020000, VSS_VOLSNAP_ATTR_PLEX = 0x00040000, VSS_VOLSNAP_ATTR_IMPORTED = 0x00080000, VSS_VOLSNAP_ATTR_EXPOSED_LOCALLY = 0x00100000, VSS_VOLSNAP_ATTR_EXPOSED_REMOTELY = 0x00200000, VSS_VOLSNAP_ATTR_AUTORECOVER = 0x00400000, VSS_VOLSNAP_ATTR_ROLLBACK_RECOVERY = 0x00800000, VSS_VOLSNAP_ATTR_DELAYED_POSTSNAPSHOT = 0x01000000, VSS_VOLSNAP_ATTR_TXF_RECOVERY = 0x02000000 }; enum RECORD_TYPE : uint32 { VOLUME_HEADER = 0x1, CATALOG = 0x2, STORE_INDEX = 0x3, STORE_HEADER = 0x4, STORE_BLOCK_RANGE = 0x5, STORE_BITMAP = 0x6 }; flag BLOCK_FLAG : uint32 { IS_FORWARDER = 0x1, IS_OVERLAY = 0x2, NOT_USED = 0x4 }; struct volume_header { char identifier[16]; uint32 version; uint32 record_type; uint64 current_offset; uint64 unk0; uint64 unk1; uint64 catalog_offset; uint64 maximum_size; char volume_identifier[16]; char store_volume_identifier[16]; uint32 unk2; char unk3[412]; }; struct catalog_header { char identifier[16]; uint32 version; uint32 record_type; uint64 relative_offset; uint64 offset; uint64 next_offset; char unk0[80]; }; struct catalog_entry_1 { uint64 entry_type; char unk0[120]; }; struct catalog_entry_2 { uint64 entry_type; uint64 volume_size; char store_identifier[16]; uint64 unk0; uint64 unk1; uint64 creation_time; char unk2[72]; }; struct catalog_entry_3 { uint64 entry_type; uint64 store_block_list_offset; char store_identifier[16]; uint64 store_header_offset; uint64 store_range_list_offset; uint64 store_bitmap_offset; uint64 metadata_reference; uint64 allocated_size; uint64 store_previous_bitmap_offset; uint64 unk0; char unk1[40]; }; struct store_header { char identifier[16]; uint32 version; RECORD_TYPE record_type; uint64 relative_offset; uint64 offset; uint64 next_offset; uint64 size; char unk0[72]; }; struct store_information { char unk_identifier[16]; char copy_identifier[16]; char copy_set_identifier[16]; uint32 type; uint32 provider; _VSS_VOLUME_SNAPSHOT_ATTRIBUTES attributes; uint32 unk0; uint16 operating_machine_len; wchar operating_machine[operating_machine_len / 2]; uint16 service_machine_len; wchar service_machine[service_machine_len / 2]; }; struct block_descriptor { uint64 original_offset; uint64 relative_offset; uint64 store_offset; BLOCK_FLAG flags; uint32 allocation_bitmap; }; struct range_descriptor { uint64 store_offset; uint64 relative_offset; uint64 size; }; """
- dissect.volume.vss.c_vss¶
- dissect.volume.vss.RECORD_TYPE¶
- dissect.volume.vss.BLOCK_FLAG¶
- dissect.volume.vss.VSS_IDENTIFIER = b'k\x87\x088v\xc1HN\xb7\xae\x04\x04nl\xc7R'¶
- dissect.volume.vss.VOLUME_HEADER_OFFSET = 7680¶
- dissect.volume.vss.BLOCK_SIZE = 16384¶
- dissect.volume.vss.CATALOG_BLOCK_SIZE = 16384¶
- dissect.volume.vss.CATALOG_ENTRY_SIZE = 128¶
- dissect.volume.vss.STORE_BLOCK_SIZE = 16384¶
- dissect.volume.vss.STORE_BLOCKLIST_ENTRY_SIZE = 32¶
- dissect.volume.vss.STORE_RANGELIST_ENTRY_SIZE = 24¶
- class dissect.volume.vss.VSS(fh)¶
- property volume_identifier¶
- property store_volume_identifier¶
- __repr__()¶
Return repr(self).
- dissect.volume.vss.DEBUG = False¶
- class dissect.volume.vss.Store(catalog, descriptors)¶
- property block_list¶
- property range_list¶
- property bitmap¶
- property previous_bitmap¶
- open()¶
- read_block(block, active_store=None)¶
- class dissect.volume.vss.StoreStream(store)¶
Bases:
dissect.util.stream.AlignedStream
Basic buffered stream that provides easy aligned reads.
- Must be subclassed for various stream implementations. Subclasses can implement:
_read(offset, length)
_seek(pos, whence=io.SEEK_SET)
The offset and length for _read are guaranteed to be aligned. The only time that overriding _seek would make sense is if there’s no known size of your stream, but still want to provide SEEK_END functionality.
Most subclasses of AlignedStream take one or more file-like objects as source. Operations on these subclasses, like reading, will modify the source file-like object as a side effect.
- Parameters:
size – The size of the stream. This is used in read and seek operations. None if unknown.
align – The alignment size. Read operations are aligned on this boundary. Also determines buffer size.
- class dissect.volume.vss.BlockList(store, offset)¶
- class dissect.volume.vss.RangeList(store, offset)¶
- class dissect.volume.vss.StoreBitmap(store, offset)¶
- has_offset(offset)¶
- in_use(block)¶
- is_set(block)¶
- __getitem__(block)¶
- class dissect.volume.vss.BlockDescriptor(buf)¶
- __slots__ = ('store', 'original_offset', 'relative_offset', 'store_offset', 'flags', 'bitmap', 'overlay',...¶
- __eq__(other)¶
Return self==value.
- __repr__()¶
Return repr(self).
- dissect.volume.vss.read_block(fh, offset, struct)¶
- dissect.volume.vss.read_block_data(fh, offset, struct)¶