dissect.evidence.ad1.ad1
Module Contents
Classes
- AD1: AccessData Logical Image (AD1v4) implementation.
- SegmentFile: Represents an AD1 segmented file.
- LogicalImage: Represents an AD1 logical image.
- FileEntry: Represents a file entry in an AD1 logical image.
- VirtualEntry: Represents the root entry in an AD1 logical image.
- Represents a single AD1 logical file metadata item found inside
Functions
- Convert an AD1 timestamp to datetime object. Assuming this is UTC.
Attributes
- dissect.evidence.ad1.ad1.EntryType
- dissect.evidence.ad1.ad1.MetaType
- dissect.evidence.ad1.ad1.FileClassType
- dissect.evidence.ad1.ad1.MAX_OPEN_SEGMENTS = 128
- dissect.evidence.ad1.ad1.find_files(path: pathlib.Path) -> list[pathlib.Path]
- class dissect.evidence.ad1.ad1.AD1(fh: BinaryIO | list[BinaryIO])
AccessData Logical Image (AD1v4) implementation.
Supports zlib compressed images and ADCRYPT encrypted images.
Should be initialized using a list of segment paths or file-like objects, e.g.:
    fs = AD1([Path("file.ad1"), Path("file.ad2")])
    fs = AD1([Path("file.ad1").open("rb"), Path("file.ad2").open("rb")])
If the AD1 container is ADCRYPT encrypted, it can be unlocked using either a passphrase or private key:
    fs.unlock(passphrase="my secret passphrase")
    fs.unlock(private_key=Path("path/to/private/key.pem"))
- Resources:
Reverse engineering FTK Imager
https://github.com/pcbje/pyad1/blob/master/documentation/AccessData%20Format%20(AD1).asciidoc
- fh
- root
- size = 0
- stream: dissect.evidence.ad1.stream.AD1Stream | None = None
- logical_image: LogicalImage | None = None
- adcrypt = None
- is_adcrypt() -> bool
Return whether the AD1 container is ADCRYPT encrypted.
- is_locked() -> bool
Return whether the ADCRYPT container is locked.
- segment(idx: int) -> SegmentFile
Open a segment by index.
Implements a simple LRU cache to limit the number of open segments.
- Parameters:
idx – Index or URI of the segment to open.
- unlock(*, passphrase: str | bytes | None = None, private_key: pathlib.Path | bytes | None = None) -> None
Unlock the ADCRYPT container with a given passphrase or private key.
- Parameters:
passphrase – The passphrase to unlock the container.
private_key – The private key to unlock the container.
- Raises:
RuntimeError – If required dependencies are missing.
ValueError – If unlocking failed.
- entry(path: str, entry: FileEntry | None = None) -> FileEntry
Return a FileEntry based on the given absolute path.
- Parameters:
path – Absolute path within the AD1 container.
entry – The starting entry for relative paths. Defaults to the root entry.
- Raises:
ValueError – If the ADCRYPT container is locked.
FileNotFoundError – If the given path is not found in the container.
- Returns:
FileEntry when the given path is found.
- open(path: str) -> dissect.evidence.ad1.stream.FileStream
Shortcut for AD1.entry(path).open().
- class dissect.evidence.ad1.ad1.SegmentFile(fh: BinaryIO)
Represents an AD1 segmented file.
- fh
- header
- number
- count
- size
- __repr__() -> str
- class dissect.evidence.ad1.ad1.LogicalImage(fh: BinaryIO)
Represents an AD1 logical image.
- fh
- header
- name
- version
- offset
- chunk_size
- __repr__() -> str
- class dissect.evidence.ad1.ad1.FileEntry(ad1: AD1, offset: int)
Represents a file entry in an AD1 logical image.
- ad1
- offset
- __repr__() -> str
- property entry: dissect.evidence.ad1.c_ad1.c_ad1.FileEntry
- property name: str
- property type: EntryType
- property size: int
- property atime: datetime.datetime
- property ctime: datetime.datetime
- property mtime: datetime.datetime
- property btime: datetime.datetime
- property md5: str | None
- property sha1: str | None
- is_file() -> bool
- is_dir() -> bool
- is_symlink() -> bool
- listdir() -> list[str]
- readlink() -> str
- open() -> dissect.evidence.ad1.stream.FileStream
Open the file entry for reading.
- class dissect.evidence.ad1.ad1.VirtualEntry(ad1: AD1, name: str)
Bases: FileEntry
Represents the root entry in an AD1 logical image.
- entry
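An added example, not part of the dissect documentation or code base: verifying each file's content against the MD5/SHA-1 values stored in the image, using only the AD1 and FileEntry members documented above. It assumes the stored hashes are hex strings, that FileEntry.open() returns a file-like object with read(), that the root entry reports is_dir(), and that AD1.entry(name, entry) resolves a child name relative to entry; the helper names are hypothetical.

```python
import hashlib

CHUNK = 1 << 20  # read size in bytes (arbitrary choice)

def stream_digests(stream):
    """Hash a file-like object in one pass; returns (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while block := stream.read(CHUNK):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def verify_entry(entry):
    """Return 'ok', 'mismatch' or 'no-hash' for one file entry."""
    stored = (entry.md5, entry.sha1)
    if stored == (None, None):
        return "no-hash"  # nothing recorded at acquisition time to compare with
    # Assumption: open() returns a file-like object supporting read(n).
    computed = stream_digests(entry.open())
    # Assumption: stored hashes are hex strings; compare case-insensitively.
    for want, got in zip(stored, computed):
        if want is not None and want.lower() != got:
            return "mismatch"
    return "ok"

def verify_image(ad1):
    """Walk the image from ad1.root; return sorted (path, status) pairs."""
    if ad1.is_adcrypt() and ad1.is_locked():
        raise ValueError("ADCRYPT container is locked; call unlock() first")
    results, stack = [], [("", ad1.root)]
    while stack:
        path, entry = stack.pop()
        if entry.is_dir():  # assumption: the root entry reports is_dir()
            for name in entry.listdir():
                # Assumption: entry(name, parent) resolves relative to parent.
                stack.append((f"{path}/{name}", ad1.entry(name, entry)))
        elif entry.is_file():  # symlinks and other entry types are skipped
            results.append((path, verify_entry(entry)))
    return sorted(results)

if __name__ == "__main__":
    import sys
    from dissect.evidence.ad1.ad1 import AD1
    # Usage: python verify_ad1.py file.ad1 file.ad2 ...
    image = AD1([open(p, "rb") for p in sys.argv[1:]])
    for path, status in verify_image(image):
        print(f"{status:9} {path}")
```

A "no-hash" result means the image recorded no digest for that file, so its content cannot be checked this way; report it separately from "ok".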