dissect.target.volume#

Module Contents#

Classes#

VolumeSystem

The base class for a volume system implementation.

EncryptedVolumeSystem

An extension of the VolumeSystem class that provides additional functionality for

LogicalVolumeSystem

An extension of the VolumeSystem class that provides additional functionality for dealing with

Volume

A representation of a volume on disk.

Functions#

open

Open a DissectVolumeSystem on the given file-like object.

is_lvm_volume

Determine whether the given file-like object belongs to any supported logical volume system.

is_encrypted

Determine whether the given file-like object belongs to any supported encrypted volume system.

open_encrypted

Open an encrypted volume.

open_lvm

Open a single logical volume system on a list of file-like objects.

Attributes#

disk

A lazy import of dissect.target.volumes.disk.

lvm

A lazy import of dissect.target.volumes.lvm.

vmfs

A lazy import of dissect.target.volumes.vmfs.

md

A lazy import of dissect.target.volumes.md.

ddf

A lazy import of dissect.target.volumes.ddf.

bde

A lazy import of dissect.target.volumes.bde.

luks

A lazy import of dissect.target.volumes.luks.

log

A logger instance for this module.

LOGICAL_VOLUME_MANAGERS

All available LogicalVolumeSystem classes.

ENCRYPTED_VOLUME_MANAGERS

All available EncryptedVolumeSystem classes.

dissect.target.volume.disk#

A lazy import of dissect.target.volumes.disk.

dissect.target.volume.lvm#

A lazy import of dissect.target.volumes.lvm.

dissect.target.volume.vmfs#

A lazy import of dissect.target.volumes.vmfs.

dissect.target.volume.md#

A lazy import of dissect.target.volumes.md.

dissect.target.volume.ddf#

A lazy import of dissect.target.volumes.ddf.

dissect.target.volume.bde#

A lazy import of dissect.target.volumes.bde.

dissect.target.volume.luks#

A lazy import of dissect.target.volumes.luks.

dissect.target.volume.log#

A logger instance for this module.

dissect.target.volume.LOGICAL_VOLUME_MANAGERS: list[type[LogicalVolumeSystem]]#

All available LogicalVolumeSystem classes.

dissect.target.volume.ENCRYPTED_VOLUME_MANAGERS: list[type[EncryptedVolumeSystem]]#

All available EncryptedVolumeSystem classes.

class dissect.target.volume.VolumeSystem(fh: BinaryIO | list[BinaryIO], dsk: dissect.target.container.Container | None = None, serial: str | None = None)#

The base class for a volume system implementation.

Volume systems are responsible for parsing a volume system over one or more disks and returning all available volumes.

Subclasses of VolumeSystem must implement the _detect and _volumes methods.

Parameters:
  • fh – The source file-like object(s) on which to open the volume system.

  • dsk – A reference to the source disk or container.

  • serial – Serial number of the volume system, if any.

property volumes: list[Volume]#

A list of all the discovered volumes.

__repr__() str#

Return repr(self).

classmethod detect(fh: BinaryIO) bool#

Detects whether this VolumeSystem class can be opened on the given file-like object.

The position of fh will be restored before returning.

Returns:

True or False if the VolumeSystem can be opened from this file-like object.

class dissect.target.volume.EncryptedVolumeSystem(fh: BinaryIO, *args, **kwargs)#

Bases: VolumeSystem

An extension of the VolumeSystem class that provides additional functionality for dealing with encryption.

It adds helper functions for interacting with the KEYCHAIN, so that subclasses don’t have to manually interact with it.

Subclasses must set the PROVIDER class attribute to a unique string, e.g. bitlocker.

Parameters:

fh – The file-like object on which to open the encrypted volume system.

PROVIDER: str#
get_keys_for_identifier(identifier: str) list[dissect.target.helpers.keychain.Key]#

Retrieves a list of keys that match a single identifier.

Parameters:

identifier – A single key identifier.

Returns:

All the keys for a single identifier.

get_keys_for_identifiers(identifiers: list[str]) list[dissect.target.helpers.keychain.Key]#

Retrieves a list of keys that match a list of identifiers.

Parameters:

identifiers – A list of different key identifiers.

get_keys_without_identifier() list[dissect.target.helpers.keychain.Key]#

Retrieve a list of keys that have no identifier (None).

These are the keys where no specific identifier was specified.

class dissect.target.volume.LogicalVolumeSystem(fh: BinaryIO | list[BinaryIO], dsk: dissect.target.container.Container | None = None, serial: str | None = None)#

Bases: VolumeSystem

An extension of the VolumeSystem class that provides additional functionality for dealing with logical volume systems.

classmethod detect_volume(fh: BinaryIO) bool#

Determine whether the given file-like object belongs to this logical volume system.

The position of fh will be restored before returning.

Parameters:

fh – A file-like object that may be part of the logical volume system.

Returns:

True if the given file-like object is part of the logical volume system, False otherwise.

abstract classmethod open_all(volumes: list[BinaryIO]) Iterator[LogicalVolumeSystem]#

Open all the discovered logical volume systems from the given file-like objects.

There can be more than one logical volume system on a given set of file-like objects. For example, you can have five disks or volumes with two separate LVM2 volume groups. This function is responsible for grouping the correct disks and volumes with each other, and correctly opening each distinct logical volume system.

Parameters:

volumes – A list of file-like objects to discover and open the logical volume systems on.

Returns:

An iterator of LogicalVolumeSystem.

class dissect.target.volume.Volume(fh: BinaryIO, number: int, offset: int | None, size: int, vtype: int | None, name: str | None, guid: str | None = None, raw: BinaryIO | None = None, disk: BinaryIO | None = None, vs: VolumeSystem | None = None, fs: dissect.target.filesystem.Filesystem | None = None, drive_letter: str | None = None)#

Bases: io.IOBase

A representation of a volume on disk.

It behaves like a regular file-like object with some additional information bound to it.

Parameters:
  • fh – The raw file-like object of the volume.

  • number – The logical volume number of this volume within the volume system.

  • offset – Where the volume starts relative to the start of the volume system.

  • size – The size of the volume.

  • vtype – What kind of volume it is.

  • name – The name of the volume.

  • guid – The unique identifier of the volume.

  • raw – A reference to the implementation specific object that the volume system uses for representing the volume.

  • disk – A reference to the associated Disk.

  • vs – A reference to the associated VolumeSystem.

  • fs – A reference to the Filesystem that is on this Volume.

  • drive_letter – The letter associated to the Volume, such as c or d in Windows.

__repr__() str#

Return repr(self).

read(length: int = -1) bytes#

Read a length of bytes from this Volume.

readinto(b: bytearray) int#

Uses dissect.target.helpers.utils.readinto().

seek(offset: int, whence: int = io.SEEK_SET) int#

Change the stream position to offset.

whence determines where to seek from:

  • io.SEEK_SET (0):: absolute offset in the stream.

  • io.SEEK_CUR (1):: current position in the stream.

  • io.SEEK_END (2):: end of stream.

Parameters:
  • offset – The offset relative to the position indicated by whence.

  • whence – Where to start the seek from.

tell() int#

Returns the current seek position of the Volume.

seekable() bool#

Returns whether seek can be used by this volume. Always True.

dissect.target.volume.open(fh: BinaryIO, *args, **kwargs) dissect.target.volumes.disk.DissectVolumeSystem#

Open a DissectVolumeSystem on the given file-like object.

Parameters:

fh – The file-like object to open a DissectVolumeSystem on.

Raises:

VolumeSystemError – If opening the DissectVolumeSystem failed.

Returns:

An opened DissectVolumeSystem.

dissect.target.volume.is_lvm_volume(volume: BinaryIO) bool#

Determine whether the given file-like object belongs to any supported logical volume system.

Parameters:

volume – A file-like object to test if it is part of any logical volume system.

dissect.target.volume.is_encrypted(volume: BinaryIO) bool#

Determine whether the given file-like object belongs to any supported encrypted volume system.

Parameters:

volume – A file-like object to test if it is part of any encrypted volume system.

dissect.target.volume.open_encrypted(volume: BinaryIO) Iterator[Volume]#

Open an encrypted volume.

An encrypted volume can only be opened if the encrypted volume system can successfully decrypt the volume, meaning that the correct decryption key must be present in the KEYCHAIN.

The resulting Volume object provides transparent decryption of the encrypted volume.

Parameters:

volume – A file-like object representing a Volume.

Returns:

An iterator of decrypted Volume objects as opened by the encrypted volume manager.

dissect.target.volume.open_lvm(volumes: list[BinaryIO], *args, **kwargs) Iterator[VolumeSystem]#

Open a single logical volume system on a list of file-like objects.

Parameters:

volumes – A list of file-like objects to open a logical volume system on.

Returns:

An iterator of all the Volume objects opened by the logical volume system.