dissect.target.loaders.local

Module Contents

Classes

LocalLoader

Load local filesystem.

Functions

map_linux_drives

Map Linux raw disks and /proc and /sys.

map_solaris_drives

Map Solaris raw disks.

map_esxi_drives

Map ESXi raw disks.

map_windows_drives

Map Windows drives by iterating physical drives.

map_windows_mounted_drives

Map Windows drives by their drive letter.

Attributes

dissect.target.loaders.local.SOLARIS_DEV_DIR
dissect.target.loaders.local.SOLARIS_DRIVE_REGEX
dissect.target.loaders.local.LINUX_DEV_DIR
dissect.target.loaders.local.LINUX_DRIVE_REGEX
dissect.target.loaders.local.VOLATILE_LINUX_PATHS
dissect.target.loaders.local.ESXI_DEV_DIR
dissect.target.loaders.local.WINDOWS_ERROR_INSUFFICIENT_BUFFER = 122
dissect.target.loaders.local.WINDOWS_DRIVE_FIXED = 3

class dissect.target.loaders.local.LocalLoader(path: pathlib.Path, **kwargs)

Bases: dissect.target.loader.Loader

Load local filesystem.

static detect(path)

Detects whether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target)

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.

dissect.target.loaders.local.map_linux_drives(target: dissect.target.Target)

Map Linux raw disks and /proc and /sys.

Iterate through /dev and match raw device names (not partitions).

/proc and /sys are mounted if they exist, allowing access to volatile files.
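
The raw-disk versus partition distinction described above, as an added example that is not dissect's own code. The pattern `RAW_DISK_RE` and the helper names are hypothetical (it is not the value of `LINUX_DRIVE_REGEX`), and the device names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical pattern (an assumption, not the value of LINUX_DRIVE_REGEX):
# whole-disk names only, anchored so that partition suffixes do not match.
RAW_DISK_RE = re.compile(
    r"^(?:"
    r"(?:sd|hd|vd|xvd)[a-z]+"  # sda, vdb, xvda (partition: sda1)
    r"|nvme\d+n\d+"            # nvme0n1 (partition: nvme0n1p1)
    r"|mmcblk\d+"              # mmcblk0 (partition: mmcblk0p2)
    r")$"
)


def find_raw_disks(dev_dir: Path) -> list[Path]:
    """Return whole-disk device nodes under dev_dir, skipping partitions."""
    return sorted(p for p in dev_dir.iterdir() if RAW_DISK_RE.match(p.name))


def existing_volatile(root: Path, candidates=("proc", "sys")) -> list[Path]:
    """Return the volatile directories that actually exist under root."""
    return [root / c for c in candidates if (root / c).is_dir()]


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed /dev-like tree and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dev = root / "dev"
        dev.mkdir()
        # Constructed device names: disks, partitions and unrelated nodes.
        for name in ("sda", "sda1", "sdb", "nvme0n1", "nvme0n1p1",
                     "mmcblk0", "mmcblk0p2", "loop0", "tty0", "dm-0"):
            (dev / name).touch()
        (root / "proc").mkdir()  # "sys" is deliberately left absent
        disks = [p.name for p in find_raw_disks(dev)]
        volatile = [p.name for p in existing_volatile(root)]
        return disks, volatile


if __name__ == "__main__":
    print(demo())
```

A whole-disk name can itself end in a digit (`nvme0n1`, `mmcblk0`), so stripping trailing digits is not a reliable way to tell disks from partitions; the anchored alternation handles each naming scheme separately.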

dissect.target.loaders.local.map_solaris_drives(target)

Map Solaris raw disks.

Iterate through /dev/dsk and match raw device names (not slices or partitions).

dissect.target.loaders.local.map_esxi_drives(target)

Map ESXi raw disks.

Get all devices from /vmfs/devices/disks/* (not partitions).

dissect.target.loaders.local.map_windows_drives(target)

Map Windows drives by iterating physical drives.

For each physical drive, load the partition table and volumes. If a drive is encrypted using BitLocker, use the OS transparent device to access it instead.

Using this method, we get the drive serial and partition offset (MBR), or partition GUID (GPT), which we need for regular drive mounting.

With this method we should open every partition of every disk, instead of only mounted drives.

dissect.target.loaders.local.map_windows_mounted_drives(target: dissect.target.Target, force_dirfs: bool = False, fallback_to_dirfs: bool = False)

Map Windows drives by their drive letter.

For each mounted drive partition, determine if it’s a fixed drive and if it’s readable. If it is, add it as a volume to the target.

Since we don’t know the drive serial and other information, we already mount filesystems to drive letters (which we do know).

The downside to this method is that we only open mounted volumes. The upside is that we can also open BDE/LDM/Storage Spaces volumes.

Some inspiration drawn from http://velisthoughts.blogspot.com/2012/02/enumerating-and-using-partitions-and.html