dissect.target.loaders.velociraptor

Module Contents

Classes

VelociraptorLoader

A base class for loading a specific path and coupling it to a Target.

Functions

find_fs_directories

Attributes

FILESYSTEMS_ROOT

dissect.target.loaders.velociraptor.FILESYSTEMS_ROOT = 'uploads'

dissect.target.loaders.velociraptor.find_fs_directories(path: pathlib.Path) → tuple[Optional[dissect.target.plugin.OperatingSystem], Optional[list[pathlib.Path]]]

class dissect.target.loaders.velociraptor.VelociraptorLoader(path: pathlib.Path, **kwargs)

Bases: dissect.target.loaders.dir.DirLoader

A base class for loading a specific path and coupling it to a Target.

Implementors of this class are responsible for mapping any type of source data to a Target. Whether that’s to map all VMDK files from a VMX or mapping the contents of a zip file to a virtual filesystem, if it’s something that can be translated to a “disk”, “volume” or “filesystem”, you can write a loader that maps it into a target.

You can do anything you want to manipulate the Target object in your map function, but generally you do one of the following:

• open a Container and add it to target.disks.

• open a Volume and add it to target.volumes.

• open a VirtualFilesystem, add your files into it and add it to target.filesystems.

You don’t need to manually parse volumes or filesystems in your loader, just add the highest level object you have (e.g. a Container of a VMDK file) to the target. However, sometimes you need to get creative. Take a look at the ITunesLoader and TarLoader for some creative examples.

Parameters:

path – The target path to load.

static detect(path: pathlib.Path) → bool

Detects wether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target: dissect.target.Target) → None

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.