dissect.target.loaders.local

Module Contents

Classes

LocalLoader

A base class for loading a specific path and coupling it to a Target.

Functions

map_linux_drives	Map Linux raw disks.
map_solaris_drives	Map Solaris raw disks.
map_esxi_drives	Map ESXi raw disks.
map_windows_drives	Map Windows drives by iterating physical drives.
map_windows_mounted_drives	Map Windows drives by their drive letter.

Attributes

SOLARIS_DRIVE_REGEX
LINUX_DRIVE_REGEX
WINDOWS_ERROR_INSUFFICIENT_BUFFER
WINDOWS_DRIVE_FIXED

dissect.target.loaders.local.SOLARIS_DRIVE_REGEX

dissect.target.loaders.local.LINUX_DRIVE_REGEX

dissect.target.loaders.local.WINDOWS_ERROR_INSUFFICIENT_BUFFER = 122

dissect.target.loaders.local.WINDOWS_DRIVE_FIXED = 3

class dissect.target.loaders.local.LocalLoader(path: pathlib.Path, **kwargs)

Bases: dissect.target.loader.Loader

A base class for loading a specific path and coupling it to a Target.

Implementors of this class are responsible for mapping any type of source data to a Target. Whether that’s to map all VMDK files from a VMX or mapping the contents of a zip file to a virtual filesystem, if it’s something that can be translated to a “disk”, “volume” or “filesystem”, you can write a loader that maps it into a target.

You can do anything you want to manipulate the Target object in your map function, but generally you do one of the following:

• open a Container and add it to target.disks.

• open a Volume and add it to target.volumes.

• open a VirtualFilesystem, add your files into it and add it to target.filesystems.

You don’t need to manually parse volumes or filesystems in your loader, just add the highest level object you have (e.g. a Container of a VMDK file) to the target. However, sometimes you need to get creative. Take a look at the ITunesLoader and TarLoader for some creative examples.

Parameters:

path – The target path to load.

static detect(path)

Detects wether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target)

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.

dissect.target.loaders.local.map_linux_drives(target: dissect.target.Target)

Map Linux raw disks.

Iterate through /dev and match raw device names (not partitions).

dissect.target.loaders.local.map_solaris_drives(target)

Map Solaris raw disks.

Iterate through /dev/dsk and match raw device names (not slices or partitions).

dissect.target.loaders.local.map_esxi_drives(target)

Map ESXi raw disks.

Get all devices from /vmfs/devices/disks/* (not partitions).

dissect.target.loaders.local.map_windows_drives(target)

Map Windows drives by iterating physical drives.

For each physical drive, load the partition table and volumes. If a drive is encrypted using Bitlocker, use the OS transparent device to access it instead.

Using this method, we get the drive serial and partition offset (MBR), or partition GUID (GPT), which we need for regular drive mounting.

With this method we should open every partition of every disk, instead of only mounted drives.

dissect.target.loaders.local.map_windows_mounted_drives(target: dissect.target.Target, force_dirfs: bool = False, fallback_to_dirfs: bool = False)

Map Windows drives by their drive letter.

For each drive (mounted) partition, determine if it’s a fixed drive and if it’s readable. If it is, add it as a volume to the target.

Since we don’t know the drive serial and other information, we already mount filesystems to drive letters (which we do know).

Downside to this method is that we only open mounted volumes. Upside is that we can also open BDE/LDM/Storage space volumes.

Some inspiration drawn from http://velisthoughts.blogspot.com/2012/02/enumerating-and-using-partitions-and.html