dissect.target.loaders.velociraptor

Module Contents

Classes
- dissect.target.loaders.velociraptor.VelociraptorLoader: Load Rapid7 Velociraptor forensic image files.

Functions
- dissect.target.loaders.velociraptor.find_fs_directories(path: pathlib.Path) -> tuple[dissect.target.plugin.OperatingSystem | None, list[pathlib.Path] | None]
- dissect.target.loaders.velociraptor.extract_drive_letter(name: str) -> str | None

Attributes
- dissect.target.loaders.velociraptor.log
- dissect.target.loaders.velociraptor.FILESYSTEMS_ROOT = 'uploads'
- dissect.target.loaders.velociraptor.UNIX_ACCESSORS = ['file', 'auto']
- dissect.target.loaders.velociraptor.WINDOWS_ACCESSORS = ['mft', 'ntfs', 'lazy_ntfs', 'ntfs_vss', 'auto']
class dissect.target.loaders.velociraptor.VelociraptorLoader(path: pathlib.Path, **kwargs)

Bases: dissect.target.loaders.dir.DirLoader

Load Rapid7 Velociraptor forensic image files.

As of Velociraptor version 0.7.0, the structure of the Velociraptor Offline Collector output varies by operating system. Generic.Collectors.File (Unix) uses the accessors file and auto. The loader supports the following configuration:

    {"Generic.Collectors.File":{"Root":"/","collectionSpec":"Glob\netc/**\nvar/log/**"}}

Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) use the accessors mft, ntfs, lazy_ntfs, ntfs_vss and auto. The loader only supports a collection in which a single accessor is used, which can be forced with the following configuration:

    {"Windows.KapeFiles.Targets":{"VSSAnalysisAge":"1000","_SANS_Triage":"Y"}}
static detect(path: pathlib.Path) -> bool

Detects whether this Loader class can load this specific path.

Parameters:
  path – The target path to check.

Returns:
  True if the path can be loaded by a Loader instance, False otherwise.

map(target: dissect.target.Target) -> None

Maps the loaded path into a Target.

Parameters:
  target – The target that we’re mapping into.
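An added, illustrative re-implementation of the layout detection that the find_fs_directories and extract_drive_letter entries above and the class docstring describe; it is not dissect's own code. It assumes the collector layout uploads/<accessor>/<root> and the drive-letter spellings "C:", "C%3A" and "%5C%5C.%5CC%3A", returns the OS as a plain string instead of an OperatingSystem enum, and build_sample creates a constructed tree rather than reading real collector output.

```python
from __future__ import annotations
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constants as documented on this page; the detection logic below is illustrative.
FILESYSTEMS_ROOT = "uploads"
UNIX_ACCESSORS = ["file", "auto"]
WINDOWS_ACCESSORS = ["mft", "ntfs", "lazy_ntfs", "ntfs_vss", "auto"]


def extract_drive_letter(name: str) -> str | None:
    """Lower-case drive letter from an upload directory name, else None.
    Assumed spellings: "C:", URL-encoded "C%3A", and "%5C%5C.%5CC%3A"."""
    decoded = unquote(name)               # "%5C%5C.%5CC%3A" -> \\.\C:
    if decoded.startswith("\\\\.\\"):     # drop a leading \\.\ device prefix
        decoded = decoded[4:]
    if len(decoded) == 2 and decoded[1] == ":" and decoded[0].isalpha():
        return decoded[0].lower()
    return None


def find_fs_directories(path: Path) -> tuple[str | None, list[Path] | None]:
    """Locate filesystem roots under <path>/uploads/<accessor>/ and return
    ("windows" | "unix", roots), or (None, None) when nothing matches."""
    fs_root = path / FILESYSTEMS_ROOT
    if not fs_root.is_dir():
        return None, None
    # Windows collections hold one directory per drive letter below the accessor
    # directory; Unix collections hold the root filesystem there directly.
    # "auto" is in both lists, so decide by drive-letter directories, not by name.
    for accessor in WINDOWS_ACCESSORS:
        accessor_dir = fs_root / accessor
        if accessor_dir.is_dir():
            drives = [d for d in accessor_dir.iterdir()
                      if d.is_dir() and extract_drive_letter(d.name)]
            if drives:
                return "windows", sorted(drives)
    for accessor in UNIX_ACCESSORS:
        if (fs_root / accessor).is_dir():
            return "unix", [fs_root / accessor]
    return None, None


def build_sample(layout: dict[str, list[str]]) -> Path:
    """Create a constructed collection tree in a temp dir (not real collector output)."""
    root = Path(tempfile.mkdtemp())
    for accessor, subdirs in layout.items():
        for sub in subdirs:
            (root / FILESYSTEMS_ROOT / accessor / sub).mkdir(parents=True)
    return root
```

A Unix collection made with the "auto" accessor is classified as Unix because its accessor directory holds etc/ and var/ rather than drive-letter directories.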