dissect.evidence.asdf

Package Contents

Classes

AsdfSnapshot – ASDF file reader.

AsdfStream – ASDF stream from a snapshot.

AsdfWriter – ASDF file writer.

Attributes

dissect.evidence.asdf.FILE_MAGIC = b'ASDF'

class dissect.evidence.asdf.AsdfSnapshot(fh: BinaryIO, recover: bool = False)

ASDF file reader.

Parameters:

fh – File-like object to read the ASDF file from.

contains(idx: int) -> bool

Check whether this file contains the given stream index.

Parameters:

idx – The stream to check.

open(idx: int) -> AsdfStream

Open a specific stream in the file.

Parameters:

idx – The stream to open.

streams() -> AsdfStream

Iterate over all streams in the file.

disks() -> AsdfStream

Iterate over all non-reserved streams in the file.

class dissect.evidence.asdf.AsdfStream(asdf: AsdfSnapshot, idx: int)

Bases: dissect.util.stream.AlignedStream

ASDF stream from a snapshot.

Parameters:

class dissect.evidence.asdf.AsdfWriter(fh: BinaryIO, guid: uuid.UUID = None, compress: bool = False, block_crc: bool = True)

Bases: io.RawIOBase

ASDF file writer.

Current limitations:
  • Maximum source disk size is ~16EiB

  • Maximum number of disks is 254

Some things are currently hardcoded (like SHA256), although they may become variable in the future.

Parameters:
  • fh – File-like object to write to.

  • guid – Unique identifier. Used to link images to writers.

  • compress – Write gzip compressed file.

  • block_crc – Flag to store a CRC32 after each block.

add_metadata_file(path: str, fh: BinaryIO, size: int | None = None) -> None

Add a file to the metadata stream.

Parameters:
  • path – The path in the metadata tar to write to.

  • fh – The file-like object to write.

  • size – Optional size to write.

add_bytes(data: bytes, idx: int = 0, base: int = 0) -> None

Add some bytes into this snapshot.

Convenience method for adding some bytes at a specific offset.

Parameters:
  • data – The bytes to copy.

  • idx – The stream index.

  • base – The base offset.

copy_bytes(source: BinaryIO, offset: int, num_bytes: int, idx: int = 0, base: int = 0) -> None

Copy some bytes from the source file-like object into this snapshot.

Often the source will be a volume on a disk, which is usually represented as a relative stream. If this is the case, use the base argument to indicate what the byte offset of the source is, relative to the start of the disk. The offset argument is always the offset in the source, so that is not affected.

Parameters:
  • source – The source file-like object to copy the bytes from.

  • offset – The byte offset into the source to start copying bytes from.

  • num_bytes – The amount of bytes to copy.

  • idx – The stream index, if copying from multiple disks.

  • base – The base offset, if the source is a relative stream from e.g. a disk.

copy_block(source: BinaryIO, offset: int, num_blocks: int, block_size: int | None = None, idx: int = 0, base: int = 0) -> None

Copy some blocks in the given block size into this snapshot.

If no block size is given, the ASDF native block size is used. This is really just a convenience method that does the block multiplication before calling copy_bytes.

Parameters:
  • source – The source file-like object to copy the blocks from.

  • offset – The byte offset into the source to start copying blocks from.

  • num_blocks – The amount of blocks to copy.

  • block_size – The size of each block.

  • idx – The stream index, if copying from multiple disks.

  • base – The base offset, if the source is a relative stream from e.g. a disk.

copy_runlist(source: BinaryIO, runlist: list[tuple[int | None, int]], runlist_block_size: int, idx: int = 0, base: int = 0) -> None

Copy a runlist of blocks in the given block size into this snapshot.

A runlist must be a list of tuples, where:

(block_offset, num_blocks)

This is really just a convenience method that does the runlist iteration and block multiplication before calling copy_bytes.

Parameters:
  • source – The source file-like object to copy the blocks from.

  • runlist – The runlist that describes the blocks.

  • runlist_block_size – The size of each block.

  • idx – The stream index, if copying from multiple disks.

  • base – The base offset, if the source is a relative stream from e.g. a disk.
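The runlist and base/offset arithmetic described for copy_runlist and copy_bytes can be checked before acquisition. The following is an added example, not code from dissect.evidence: expand_runlist and overlapping are hypothetical helpers, the sample runlist is constructed, and treating a None block offset as a sparse run with no data to copy is an assumption.

```python
from __future__ import annotations


def expand_runlist(runlist, block_size: int, base: int = 0,
                   source_size: int | None = None) -> list[tuple[int, int, int]]:
    """Expand (block_offset, num_blocks) runs into (offset, num_bytes, disk_offset).

    offset and num_bytes are the values copy_bytes would receive; disk_offset is
    base + offset, the position of those bytes relative to the start of the disk.
    """
    if block_size <= 0 or base < 0:
        raise ValueError("block_size must be positive and base non-negative")
    plan = []
    for block_offset, num_blocks in runlist:
        if num_blocks < 0:
            raise ValueError(f"negative run length: {num_blocks}")
        # Assumption: a None offset marks a sparse run that carries no data.
        if block_offset is None or num_blocks == 0:
            continue
        if block_offset < 0:
            raise ValueError(f"negative block offset: {block_offset}")
        offset = block_offset * block_size
        num_bytes = num_blocks * block_size
        # Refuse runs that would read past the end of the source stream.
        if source_size is not None and offset + num_bytes > source_size:
            raise ValueError(f"run at block {block_offset} exceeds source size")
        plan.append((offset, num_bytes, base + offset))
    return plan


def overlapping(plan) -> list[tuple[int, int]]:
    """Return (disk_offset_a, disk_offset_b) pairs of adjacent runs that overlap."""
    ordered = sorted(plan, key=lambda run: run[2])
    clashes = []
    for (_, size_a, disk_a), (_, _, disk_b) in zip(ordered, ordered[1:]):
        if disk_a + size_a > disk_b:
            clashes.append((disk_a, disk_b))
    return clashes


# Constructed sample: a volume starting at sector 2048 of its disk, 4096-byte
# clusters, one sparse run, and two runs that overlap by two clusters.
SAMPLE_RUNLIST = [(0, 16), (None, 8), (100, 4), (102, 4)]
SAMPLE_BASE = 2048 * 512

if __name__ == "__main__":
    sample_plan = expand_runlist(SAMPLE_RUNLIST, 4096, base=SAMPLE_BASE)
    for offset, num_bytes, disk_offset in sample_plan:
        print(f"copy_bytes(offset={offset}, num_bytes={num_bytes}) -> disk {disk_offset}")
    print("overlaps:", overlapping(sample_plan))
```
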

close() -> None

Close the ASDF file.

Writes the block table and footer, then closes the destination file-like object.