:py:mod:`dissect.evidence.asdf` =============================== .. py:module:: dissect.evidence.asdf Submodules ---------- .. toctree:: :titlesonly: :maxdepth: 1 asdf/index.rst streams/index.rst Package Contents ---------------- Classes ~~~~~~~ .. autoapisummary:: dissect.evidence.asdf.AsdfSnapshot dissect.evidence.asdf.AsdfStream dissect.evidence.asdf.AsdfWriter Attributes ~~~~~~~~~~ .. autoapisummary:: dissect.evidence.asdf.FILE_MAGIC .. py:data:: FILE_MAGIC :value: b'ASDF' .. py:class:: AsdfSnapshot(fh: BinaryIO, recover: bool = False) ASDF file reader. :param fh: File-like object to read the ASDF file from. .. py:attribute:: fh .. py:attribute:: header .. py:attribute:: timestamp .. py:attribute:: guid .. py:attribute:: table :type: dict[list[SnapshotTableEntry]] .. py:attribute:: footer .. py:attribute:: metadata .. py:method:: contains(idx: int) -> bool Check whether this file contains the given stream index. :param idx: The stream to check. .. py:method:: open(idx: int) -> AsdfStream Open a specific stream in the file. :param idx: The stream to open. .. py:method:: streams() -> AsdfStream Iterate over all streams in the file. .. py:method:: disks() -> AsdfStream Iterate over all non-reserved streams in the file. .. py:class:: AsdfStream(asdf: AsdfSnapshot, idx: int) Bases: :py:obj:`dissect.util.stream.AlignedStream` ASDF stream from a snapshot. :param asdf: :class:`AsdfSnapshot` parent object. :param idx: Stream index in the :class:`AsdfSnapshot`. .. py:attribute:: fh .. py:attribute:: asdf .. py:attribute:: idx .. py:attribute:: table .. py:class:: AsdfWriter(fh: BinaryIO, guid: uuid.UUID = None, compress: bool = False, block_crc: bool = True) Bases: :py:obj:`io.RawIOBase` ASDF file writer. Current limitations: - Maximum source disk size is ~16EiB - Maximum number of disks is 254 Some things are currently hardcoded (like SHA256), although they may become variable in the future. :param fh: File-like object to write to. :param guid: Unique identifier. Used to link images to writers. :param compress: Write gzip compressed file. :param block_crc: Flag to store a CRC32 after each block. .. py:attribute:: fh .. py:attribute:: guid .. py:attribute:: block_crc :value: True .. py:attribute:: block_compress :value: False .. py:method:: add_metadata_file(path: str, fh: BinaryIO, size: Optional[int] = None) -> None Add a file to the metadata stream. :param path: The path in the metadata tar to write to. :param fh: The file-like object to write. :param size: Optional size to write. .. py:method:: add_bytes(data: bytes, idx: int = 0, base: int = 0) -> None Add some bytes into this snapshot. Convenience method for adding some bytes at a specific offset. :param data: The bytes to copy. :param idx: The stream index. :param base: The base offset. .. py:method:: copy_bytes(source: BinaryIO, offset: int, num_bytes: int, idx: int = 0, base: int = 0) -> None Copy some bytes from the source file-like object into this snapshot. Often the source will be a volume on a disk, which is usually represented as a relative stream. If this is the case, use the ``base`` argument to indicate what the byte offset of the source is, relative to the start of the disk. The ``offset`` argument is always the offset in the source, so that is not affected. :param source: The source file-like object to copy the bytes from. :param offset: The byte offset into the source to start copying bytes from. :param num_bytes: The amount of bytes to copy. :param idx: The stream index, if copying from multiple disks. :param base: The base offset, if the source is a relative stream from e.g. a disk. .. py:method:: copy_block(source: BinaryIO, offset: int, num_blocks: int, block_size: Optional[int] = None, idx: int = 0, base: int = 0) -> None Copy some blocks in the given block size into this snapshot. If no block size is given, the ASDF native block size is used. This is really just a convenience method that does the block multiplication before calling ``copy_bytes``. :param source: The source file-like object to copy the blocks from. :param offset: The byte offset into the source to start copying blocks from. :param num_blocks: The amount of blocks to copy. :param block_size: The size of each block. :param idx: The stream index, if copying from multiple disks. :param base: The base offset, if the source is a relative stream from e.g. a disk. .. py:method:: copy_runlist(source: BinaryIO, runlist: list[tuple[Optional[int], int]], runlist_block_size: int, idx: int = 0, base: int = 0) -> None Copy a runlist of blocks in the given block size into this snapshot. A runlist must be a list of tuples, where: (block_offset, num_blocks) This is really just a convenience method that does the runlist iteration and block multiplication before calling `copy_bytes`. :param source: The source file-like object to copy the blocks from. :param runlist: The runlist that describes the blocks. :param runlist_block_size: The size of each block. :param idx: The stream index, if copying from multiple disks. :param base: The base offset, if the source is a relative stream from e.g. a disk. .. py:method:: close() -> None Close the ASDF file. Writes the block table and footer, then closes the destination file-like object.