dissect.target.loaders.local
#
Module Contents#
Classes#
A base class for loading a specific path and coupling it to a |
Functions#
Map Linux raw disks. |
|
Map Solaris raw disks. |
|
Map ESXi raw disks. |
|
Map Windows drives by iterating physical drives. |
|
Map Windows drives by their drive letter. |
Attributes#
- dissect.target.loaders.local.SOLARIS_DRIVE_REGEX#
- dissect.target.loaders.local.LINUX_DRIVE_REGEX#
- dissect.target.loaders.local.WINDOWS_ERROR_INSUFFICIENT_BUFFER = 122#
- dissect.target.loaders.local.WINDOWS_DRIVE_FIXED = 3#
- class dissect.target.loaders.local.LocalLoader(path: pathlib.Path, **kwargs)#
Bases:
dissect.target.loader.Loader
A base class for loading a specific path and coupling it to a
Target
.Implementors of this class are responsible for mapping any type of source data to a
Target
. Whether that’s to map all VMDK files from a VMX or mapping the contents of a zip file to a virtual filesystem, if it’s something that can be translated to a “disk”, “volume” or “filesystem”, you can write a loader that maps it into a target.You can do anything you want to manipulate the
Target
object in yourmap
function, but generally you do one of the following:open a
Container
and add it totarget.disks
.open a
Volume
and add it totarget.volumes
.open a
VirtualFilesystem
, add your files into it and add it totarget.filesystems
.
You don’t need to manually parse volumes or filesystems in your loader, just add the highest level object you have (e.g. a
Container
of a VMDK file) to the target. However, sometimes you need to get creative. Take a look at theITunesLoader
andTarLoader
for some creative examples.- Parameters:
path – The target path to load.
- static detect(path)#
Detects wether this
Loader
class can load this specificpath
.- Parameters:
path – The target path to check.
- Returns:
True
if thepath
can be loaded by aLoader
instance.False
otherwise.
- map(target)#
Maps the loaded path into a
Target
.- Parameters:
target – The target that we’re mapping into.
- dissect.target.loaders.local.map_linux_drives(target: dissect.target.Target)#
Map Linux raw disks.
Iterate through /dev and match raw device names (not partitions).
- dissect.target.loaders.local.map_solaris_drives(target)#
Map Solaris raw disks.
Iterate through /dev/dsk and match raw device names (not slices or partitions).
- dissect.target.loaders.local.map_esxi_drives(target)#
Map ESXi raw disks.
Get all devices from /vmfs/devices/disks/* (not partitions).
- dissect.target.loaders.local.map_windows_drives(target)#
Map Windows drives by iterating physical drives.
For each physical drive, load the partition table and volumes. If a drive is encrypted using Bitlocker, use the OS transparent device to access it instead.
Using this method, we get the drive serial and partition offset (MBR), or partition GUID (GPT), which we need for regular drive mounting.
With this method we should open every partition of every disk, instead of only mounted drives.
- dissect.target.loaders.local.map_windows_mounted_drives(target: dissect.target.Target, force_dirfs: bool = False, fallback_to_dirfs: bool = False)#
Map Windows drives by their drive letter.
For each drive (mounted) partition, determine if it’s a fixed drive and if it’s readable. If it is, add it as a volume to the target.
Since we don’t know the drive serial and other information, we already mount filesystems to drive letters (which we do know).
Downside to this method is that we only open mounted volumes. Upside is that we can also open BDE/LDM/Storage space volumes.
Some inspiration drawn from http://velisthoughts.blogspot.com/2012/02/enumerating-and-using-partitions-and.html