dissect.clfs.blf

Module Contents

Classes

ControlRecord

Read the Control Record of the BLF.

BaseRecord

Parser for the base record block.

TruncateRecord

Parser for the truncate records within a BLF if they exist.

BLF

Main class of dissect.clfs. Parsing of BLF and information regarding the associated containers starts here.

Attributes

dissect.clfs.blf.Context
dissect.clfs.blf.Container
dissect.clfs.blf.Stream

class dissect.clfs.blf.ControlRecord(fh: BinaryIO, offset: int)

Read the Control Record of the BLF.

The control record specifies where the other blocks that make up the BLF are stored within the given file. Each entry holds the block's image size and its offset, which is relative to the beginning of the file. This header also contains the CLFS magic value (0xC1F5C1F500005F1C), which can be used to validate the given file.

There are 3 different types of blocks:

  • Control Block

  • General Block

  • Metadata Block

Each of the 3 different blocks is accompanied by a shadow block that stores the information from the previous transaction on that block. A shadow block can be identified by the odd number in the block_type field.

Parameters:
  • fh – A file-like object to a BLF file.

  • offset – Offset to start reading the control records.

property valid: bool

Return whether the control record magic is valid.
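The two checks described for the control record (magic value and odd block_type for shadow blocks) can be run as a quick pre-parse sanity check. This is an added example, not code from dissect.clfs: the function names are hypothetical, the magic is assumed to be stored as a little-endian 64-bit integer, the shadow of block type n is assumed to be n + 1, and the sample bytes are constructed.

```python
import struct

CLFS_MAGIC = 0xC1F5C1F500005F1C              # magic value quoted in the ControlRecord description
MAGIC_BYTES = struct.pack("<Q", CLFS_MAGIC)  # assumption: stored little-endian on disk


def find_magic(data, limit=0x1000):
    """Return 8-byte-aligned offsets within the first `limit` bytes holding the magic."""
    hits = []
    pos = data.find(MAGIC_BYTES, 0, limit)
    while pos != -1:
        if pos % 8 == 0:  # a 64-bit field is expected on an 8-byte boundary
            hits.append(pos)
        pos = data.find(MAGIC_BYTES, pos + 1, limit)
    return hits


def is_shadow(block_type):
    """A shadow block carries an odd block_type."""
    return block_type % 2 == 1


def check_block_set(block_types):
    """Report primaries without a shadow and shadows without a primary.

    Assumption: the shadow of primary type n is n + 1.
    """
    seen = set(block_types)
    return {
        "missing_shadow": sorted(t for t in seen if not is_shadow(t) and t + 1 not in seen),
        "orphan_shadow": sorted(t for t in seen if is_shadow(t) and t - 1 not in seen),
    }


def triage(data, block_types):
    """Combine both checks into one verdict for a candidate BLF file."""
    result = check_block_set(block_types)
    result["magic_offsets"] = find_magic(data)
    result["plausible_blf"] = bool(result["magic_offsets"]) and not (
        result["missing_shadow"] or result["orphan_shadow"]
    )
    return result


# Constructed sample: filler bytes, the magic, more filler. Not a real BLF.
SAMPLE = b"\x00" * 0x78 + MAGIC_BYTES + b"\x00" * 0x80
```

The block_types argument is whatever list of block_type values your parser read from the file; a missing or orphaned shadow is a reason to inspect the file by hand before trusting parsed output.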

class dissect.clfs.blf.BaseRecord(fh: BinaryIO, offset: int, block_type: int)

Parser for the base record block.

The base record block contains information about the different containers and which clients (streams) are using them. The first entries in the client and container symbol tables are the ones used. The full array can have more than just those values, but at the time of writing it is unclear whether these are artefacts from earlier transactions in the log.

For every context (client, container, security) the symbol table is parsed to extract the stream and container data. At this point we don't do anything with the security context, as it seems to be used only for in-memory structures of CLFS.

Parameters:
  • fh – A file-like object to a BLF file.

  • offset – Offset to start reading the base records.

  • block_type – Type of CLFS block to parse.

class dissect.clfs.blf.TruncateRecord(fh: BinaryIO, offset: int)

Parser for the truncate records within a BLF if they exist.

Parameters:
  • fh – A file-like object to a BLF file.

  • offset – Offset to start reading the truncate records.

class dissect.clfs.blf.BLF(fh: BinaryIO)

Main class of dissect.clfs. Parsing of BLF and information regarding the associated containers starts here.

Parameters:
  • fh – A file-like object to a BLF file.

control_records() → Iterator[ControlRecord]

Yield the associated control records.

base_records() → Iterator[BaseRecord]

Yield the associated base records.

The base records hold most of the information regarding the parsing of the associated containers.

truncate_records() → Iterator[TruncateRecord]

Yield the truncate records.

This has not been encountered yet.