dissect.evidence.asdf.asdf#

Module Contents#

Classes#

AsdfWriter

ASDF file writer.

AsdfSnapshot

ASDF file reader.

Metadata

ASDF metadata reader.

AsdfStream

ASDF stream from a snapshot.

Functions#

scrape_blocks

Scrape for block headers in fh and yield parsed block headers and their offset.

Attributes#

dissect.evidence.asdf.asdf.SnapshotTableEntry#
dissect.evidence.asdf.asdf.VERSION = 1#
dissect.evidence.asdf.asdf.DEFAULT_BLOCK_SIZE = 4096#
dissect.evidence.asdf.asdf.MAX_BLOCK_TABLE_SIZE#
dissect.evidence.asdf.asdf.MAX_IDX = 253#
dissect.evidence.asdf.asdf.IDX_MEMORY = 254#
dissect.evidence.asdf.asdf.IDX_METADATA = 255#
dissect.evidence.asdf.asdf.RESERVED_IDX#
dissect.evidence.asdf.asdf.FILE_MAGIC = b'ASDF'#
dissect.evidence.asdf.asdf.BLOCK_MAGIC = b'BL\xa5\xdf'#
dissect.evidence.asdf.asdf.FOOTER_MAGIC = b'FT\xa5\xdf'#
dissect.evidence.asdf.asdf.SPARSE_BYTES = b'\xa5\xdf'#
dissect.evidence.asdf.asdf.asdf_def = Multiline-String#
Show Value
"""
flag FILE_FLAG : uint32 {
    SHA256      = 0x01,
};

flag BLOCK_FLAG : uint8 {
    CRC32       = 0x01,
    COMPRESS    = 0x02,
};

struct header {
    char        magic[4];       // File magic, must be "ASDF"
    FILE_FLAG   flags;          // File flags
    uint8       version;        // File version
    char        reserved1[7];   // Reserved
    uint64      timestamp;      // Creation timestamp of the file
    char        reserved2[8];   // Reserved
    char        guid[16];       // GUID, should be unique per writer
};

struct block {
    char        magic[4];       // Block magic, must be "BL\xa5\xdf"
    BLOCK_FLAG  flags;          // Block flags
    uint8       idx;            // Stream index, some reserved values have special meaning
    char        reserved[2];    // Reserved
    uint64      offset;         // Absolute offset of block in stream
    uint64      size;           // Size of block in stream
};

struct table_entry {
    BLOCK_FLAG  flags;          // Block flags
    uint8       idx;            // Stream index, some reserved values have special meaning
    char        reserved[2];    // Reserved
    uint64      offset;         // Absolute offset of block in stream
    uint64      size;           // Size of block in stream
    uint64      file_offset;    // Absolute offset of block in file
    uint64      file_size;      // Size of block in file
};

struct footer {
    char        magic[4];       // Footer magic, must be "FT\xa5\xdf"
    char        reserved[4];    // Reserved
    uint64      table_offset;   // Offset in file to start of block table
    char        sha256[32];     // SHA256 of this file up until this hash
};
"""
dissect.evidence.asdf.asdf.c_asdf#
class dissect.evidence.asdf.asdf.AsdfWriter(fh: BinaryIO, guid: uuid.UUID = None, compress: bool = False, block_crc: bool = True)#

Bases: io.RawIOBase

ASDF file writer.

Current limitations:
  • Maximum source disk size is ~16EiB

  • Maximum number of disks is 254

Some things are currently hardcoded (like SHA256), although they may become variable in the future.

Parameters:
  • fh – File-like object to write to.

  • guid – Unique identifier. Used to link images to writers.

  • compress – Write gzip compressed file.

  • block_crc – Flag to store a CRC32 after each block.

add_metadata_file(path: str, fh: BinaryIO, size: int | None = None) None#

Add a file to the metadata stream.

Parameters:
  • path – The path in the metadata tar to write to.

  • fh – The file-like object to write.

  • size – Optional size to write.

add_bytes(data: bytes, idx: int = 0, base: int = 0) None#

Add some bytes into this snapshot.

Convenience method for adding some bytes at a specific offset.

Parameters:
  • data – The bytes to copy.

  • idx – The stream index.

  • base – The base offset.

copy_bytes(source: BinaryIO, offset: int, num_bytes: int, idx: int = 0, base: int = 0) None#

Copy some bytes from the source file-like object into this snapshot.

Often the source will be a volume on a disk, which is usually represented as a relative stream. If this is the case, use the base argument to indicate what the byte offset of the source is, relative to the start of the disk. The offset argument is always the offset in the source, so that is not affected.

Parameters:
  • source – The source file-like object to copy the bytes from.

  • offset – The byte offset into the source to start copying bytes from.

  • num_bytes – The amount of bytes to copy.

  • idx – The stream index, if copying from multiple disks.

  • base – The base offset, if the source is a relative stream from e.g. a disk.

copy_block(source: BinaryIO, offset: int, num_blocks: int, block_size: int | None = None, idx: int = 0, base: int = 0) None#

Copy some blocks in the given block size into this snapshot.

If no block size is given, the ASDF native block size is used. This is really just a convenience method that does the block multiplication before calling copy_bytes.

Parameters:
  • source – The source file-like object to copy the blocks from.

  • offset – The byte offset into the source to start copying blocks from.

  • num_blocks – The amount of blocks to copy.

  • block_size – The size of each block.

  • idx – The stream index, if copying from multiple disks.

  • base – The base offset, if the source is a relative stream from e.g. a disk.

copy_runlist(source: BinaryIO, runlist: list[tuple[int | None, int]], runlist_block_size: int, idx: int = 0, base: int = 0) None#

Copy a runlist of blocks in the given block size into this snapshot.

A runlist must be a list of tuples, where:

(block_offset, num_blocks)

This is really just a convenience method that does the runlist iteration and block multiplication before calling copy_bytes.

Parameters:
  • source – The source file-like object to copy the blocks from.

  • runlist – The runlist that describes the blocks.

  • runlist_block_size – The size of each block.

  • idx – The stream index, if copying from multiple disks.

  • base – The base offset, if the source is a relative stream from e.g. a disk.

close() None#

Close the ASDF file.

Writes the block table and footer, then closes the destination file-like object.

class dissect.evidence.asdf.asdf.AsdfSnapshot(fh: BinaryIO, recover: bool = False)#

ASDF file reader.

Parameters:

fh – File-like object to read the ASDF file from.

contains(idx: int) bool#

Check whether this file contains the given stream index.

Parameters:

idx – The stream to check.

open(idx: int) AsdfStream#

Open a specific stream in the file.

Parameters:

idx – The stream to open.

streams() AsdfStream#

Iterate over all streams in the file.

disks() AsdfStream#

Iterate over all non-reserved streams in the file.

class dissect.evidence.asdf.asdf.Metadata(asdf: AsdfSnapshot)#

ASDF metadata reader.

Thin wrapper around tarfile.

Parameters:

asdf – The AsdfSnapshot to open the metadata of.

names() list[str]#

Return all metadata file entries.

members() list[tarfile.TarInfo]#

Return all metadata tarfile.TarInfo entries.

open(path: str) BinaryIO#

Open a metadata entry and return a binary file-like object.

class dissect.evidence.asdf.asdf.AsdfStream(asdf: AsdfSnapshot, idx: int)#

Bases: dissect.util.stream.AlignedStream

ASDF stream from a snapshot.

Parameters:
dissect.evidence.asdf.asdf.scrape_blocks(fh: BinaryIO, buffer_size: int = io.DEFAULT_BUFFER_SIZE) Iterator[dissect.cstruct.Instance, int]#

Scrape for block headers in fh and yield parsed block headers and their offset.

Parameters:
  • fh – The file-like object to scrape for block headers.

  • buffer_size – The buffer size to use when scraping.