dissect.evidence.asdf.asdf¶
Module Contents¶
Classes¶
ASDF file writer. |
|
ASDF file reader. |
|
ASDF metadata reader. |
|
ASDF stream from a snapshot. |
Functions¶
Scrape for block headers in |
Attributes¶
- dissect.evidence.asdf.asdf.SnapshotTableEntry¶
- dissect.evidence.asdf.asdf.VERSION = 1¶
- dissect.evidence.asdf.asdf.DEFAULT_BLOCK_SIZE = 4096¶
- dissect.evidence.asdf.asdf.MAX_BLOCK_TABLE_SIZE = 4294967296¶
- dissect.evidence.asdf.asdf.MAX_IDX = 253¶
- dissect.evidence.asdf.asdf.IDX_MEMORY = 254¶
- dissect.evidence.asdf.asdf.IDX_METADATA = 255¶
- dissect.evidence.asdf.asdf.RESERVED_IDX¶
- dissect.evidence.asdf.asdf.FILE_MAGIC = b'ASDF'¶
- dissect.evidence.asdf.asdf.BLOCK_MAGIC = b'BL\xa5\xdf'¶
- dissect.evidence.asdf.asdf.FOOTER_MAGIC = b'FT\xa5\xdf'¶
- dissect.evidence.asdf.asdf.SPARSE_BYTES = b'\xa5\xdf'¶
- class dissect.evidence.asdf.asdf.AsdfWriter(fh: BinaryIO, guid: uuid.UUID | None = None, compress: bool = False, block_crc: bool = True)¶
Bases:
io.RawIOBaseASDF file writer.
- Current limitations:
Maximum source disk size is ~16EiB
Maximum number of disks is 254
Some things are currently hardcoded (like SHA256), although they may become variable in the future.
- Parameters:
fh – File-like object to write to.
guid – Unique identifier. Used to link images to writers.
compress – Write gzip compressed file.
block_crc – Flag to store a CRC32 after each block.
- fh¶
- guid¶
- block_crc = True¶
- block_compress = False¶
- add_metadata_file(path: str, fh: BinaryIO, size: int | None = None) None¶
Add a file to the metadata stream.
- Parameters:
path – The path in the metadata tar to write to.
fh – The file-like object to write.
size – Optional size to write.
- add_bytes(data: bytes, idx: int = 0, base: int = 0) None¶
Add some bytes into this snapshot.
Convenience method for adding some bytes at a specific offset.
- Parameters:
data – The bytes to copy.
idx – The stream index.
base – The base offset.
- copy_bytes(source: BinaryIO, offset: int, num_bytes: int, idx: int = 0, base: int = 0) None¶
Copy some bytes from the source file-like object into this snapshot.
Often the source will be a volume on a disk, which is usually represented as a relative stream. If this is the case, use the
baseargument to indicate what the byte offset of the source is, relative to the start of the disk. Theoffsetargument is always the offset in the source, so that is not affected.- Parameters:
source – The source file-like object to copy the bytes from.
offset – The byte offset into the source to start copying bytes from.
num_bytes – The amount of bytes to copy.
idx – The stream index, if copying from multiple disks.
base – The base offset, if the source is a relative stream from e.g. a disk.
- copy_block(source: BinaryIO, offset: int, num_blocks: int, block_size: int | None = None, idx: int = 0, base: int = 0) None¶
Copy some blocks in the given block size into this snapshot.
If no block size is given, the ASDF native block size is used. This is really just a convenience method that does the block multiplication before calling
copy_bytes.- Parameters:
source – The source file-like object to copy the blocks from.
offset – The byte offset into the source to start copying blocks from.
num_blocks – The amount of blocks to copy.
block_size – The size of each block.
idx – The stream index, if copying from multiple disks.
base – The base offset, if the source is a relative stream from e.g. a disk.
- copy_runlist(source: BinaryIO, runlist: list[tuple[int | None, int]], runlist_block_size: int, idx: int = 0, base: int = 0) None¶
Copy a runlist of blocks in the given block size into this snapshot.
- A runlist must be a list of tuples, where:
(block_offset, num_blocks)
This is really just a convenience method that does the runlist iteration and block multiplication before calling copy_bytes.
- Parameters:
source – The source file-like object to copy the blocks from.
runlist – The runlist that describes the blocks.
runlist_block_size – The size of each block.
idx – The stream index, if copying from multiple disks.
base – The base offset, if the source is a relative stream from e.g. a disk.
- close() None¶
Close the ASDF file.
Writes the block table and footer, then closes the destination file-like object.
- class dissect.evidence.asdf.asdf.AsdfSnapshot(fh: BinaryIO, recover: bool = False)¶
ASDF file reader.
- Parameters:
fh – File-like object to read the ASDF file from.
- fh¶
- header¶
- timestamp¶
- guid¶
- table: dict[list[SnapshotTableEntry]]¶
- metadata¶
- contains(idx: int) bool¶
Check whether this file contains the given stream index.
- Parameters:
idx – The stream to check.
- open(idx: int) AsdfStream¶
Open a specific stream in the file.
- Parameters:
idx – The stream to open.
- streams() collections.abc.Iterator[AsdfStream]¶
Iterate over all streams in the file.
- disks() collections.abc.Iterator[AsdfStream]¶
Iterate over all non-reserved streams in the file.
- class dissect.evidence.asdf.asdf.Metadata(asdf: AsdfSnapshot)¶
ASDF metadata reader.
Thin wrapper around
tarfile.- Parameters:
asdf – The
AsdfSnapshotto open the metadata of.
- tar = None¶
- names() list[str]¶
Return all metadata file entries.
- members() list[tarfile.TarInfo]¶
Return all metadata
tarfile.TarInfoentries.
- open(path: str) BinaryIO¶
Open a metadata entry and return a binary file-like object.
- class dissect.evidence.asdf.asdf.AsdfStream(asdf: AsdfSnapshot, idx: int)¶
Bases:
dissect.util.stream.AlignedStreamASDF stream from a snapshot.
- Parameters:
asdf –
AsdfSnapshotparent object.idx – Stream index in the
AsdfSnapshot.
- fh¶
- asdf¶
- idx¶
- table¶
- dissect.evidence.asdf.asdf.scrape_blocks(fh: BinaryIO, buffer_size: int = io.DEFAULT_BUFFER_SIZE) collections.abc.Iterator[dissect.evidence.asdf.c_asdf.c_asdf.block, int]¶
Scrape for block headers in
fhand yield parsed block headers and their offset.- Parameters:
fh – The file-like object to scrape for block headers.
buffer_size – The buffer size to use when scraping.