dissect.target.loaders.local
Module Contents
Classes
LocalLoader | Load local filesystem.
Functions
map_linux_drives | Map Linux raw disks and /proc and /sys.
map_solaris_drives | Map Solaris raw disks.
map_esxi_drives | Map ESXi raw disks.
map_windows_drives | Map Windows drives by iterating physical drives.
map_windows_mounted_drives | Map Windows drives by their drive letter.
Attributes
- dissect.target.loaders.local.SOLARIS_DEV_DIR
- dissect.target.loaders.local.SOLARIS_DRIVE_REGEX
- dissect.target.loaders.local.LINUX_DEV_DIR
- dissect.target.loaders.local.LINUX_DRIVE_REGEX
- dissect.target.loaders.local.VOLATILE_LINUX_PATHS
- dissect.target.loaders.local.ESXI_DEV_DIR
- dissect.target.loaders.local.WINDOWS_ERROR_INSUFFICIENT_BUFFER = 122
- dissect.target.loaders.local.WINDOWS_DRIVE_FIXED = 3
- class dissect.target.loaders.local.LocalLoader(path: pathlib.Path, **kwargs)
Bases: dissect.target.loader.Loader
Load local filesystem.
- static detect(path)
Detects whether this Loader class can load this specific path.
- Parameters:
path – The target path to check.
- Returns:
True if the path can be loaded by a Loader instance. False otherwise.
- map(target)
Maps the loaded path into a Target.
- Parameters:
target – The target that we’re mapping into.
- dissect.target.loaders.local.map_linux_drives(target: dissect.target.Target)
Map Linux raw disks and /proc and /sys.
Iterate through /dev and match raw device names (not partitions).
/proc and /sys are mounted if they exist, allowing access to volatile files.
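The selection logic described for map_linux_drives, as an added example that is not dissect's own code: it keeps whole-disk nodes from a /dev-style directory, skips partitions, and reports which of /proc and /sys exist. The pattern RAW_DISK_RE, the helper names and the temporary directory tree are assumptions constructed for illustration; the library's LINUX_DRIVE_REGEX value is not shown on this page and may differ.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumed pattern (not the library's LINUX_DRIVE_REGEX): whole-disk names only.
# sda/hdb/vdc/xvda end in letters; nvme0n1 and mmcblk0 carry no pN partition suffix.
RAW_DISK_RE = re.compile(r"^(?:(?:sd|hd|vd|xvd)[a-z]+|nvme\d+n\d+|mmcblk\d+)$")


def find_raw_disks(dev_dir: Path) -> list[Path]:
    """Return whole-disk nodes in dev_dir, skipping partitions and other nodes."""
    return sorted(p for p in dev_dir.iterdir() if RAW_DISK_RE.match(p.name))


def find_volatile_mounts(root: Path, candidates=("proc", "sys")) -> list[Path]:
    """Return the volatile directories that exist under root."""
    return [root / name for name in candidates if (root / name).exists()]


def build_constructed_root(root: Path) -> None:
    """Create a constructed stand-in for a Linux root: a /dev listing and /proc."""
    dev = root / "dev"
    dev.mkdir()
    for name in ("sda", "sda1", "sda2", "nvme0n1", "nvme0n1p1",
                 "mmcblk0", "mmcblk0p1", "loop0", "tty0", "null"):
        (dev / name).touch()
    (root / "proc").mkdir()  # /sys is deliberately absent in this tree


def demo() -> tuple[list[str], list[str]]:
    """Run both selections over the constructed tree and return the names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_root(root)
        disks = [p.name for p in find_raw_disks(root / "dev")]
        mounts = [p.name for p in find_volatile_mounts(root)]
    return disks, mounts


if __name__ == "__main__":
    print(demo())
```

Selecting only whole disks matters during acquisition: if a partition node were mapped alongside its parent disk, the same volume would appear twice once the partition table is parsed.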
- dissect.target.loaders.local.map_solaris_drives(target)
Map Solaris raw disks.
Iterate through /dev/dsk and match raw device names (not slices or partitions).
- dissect.target.loaders.local.map_esxi_drives(target)
Map ESXi raw disks.
Get all devices from /vmfs/devices/disks/* (not partitions).
- dissect.target.loaders.local.map_windows_drives(target)
Map Windows drives by iterating physical drives.
For each physical drive, load the partition table and volumes. If a drive is encrypted using BitLocker, use the OS transparent device to access it instead.
Using this method, we get the drive serial and partition offset (MBR), or partition GUID (GPT), which we need for regular drive mounting.
With this method we should open every partition of every disk, instead of only mounted drives.
- dissect.target.loaders.local.map_windows_mounted_drives(target: dissect.target.Target, force_dirfs: bool = False, fallback_to_dirfs: bool = False)
Map Windows drives by their drive letter.
For each mounted drive partition, determine if it’s a fixed drive and if it’s readable. If it is, add it as a volume to the target.
Since we don’t know the drive serial and other information, we already mount filesystems to drive letters (which we do know).
The downside of this method is that we only open mounted volumes. The upside is that we can also open BDE/LDM/Storage Spaces volumes.
Some inspiration drawn from http://velisthoughts.blogspot.com/2012/02/enumerating-and-using-partitions-and.html