dissect.volume.vss#

Module Contents#

Classes#

VSS

Catalog

Store

StoreStream

Basic buffered stream that provides easy aligned reads.

BlockList

RangeList

StoreBitmap

BlockMap

BlockDescriptor

Functions#

Attributes#

dissect.volume.vss.log#
dissect.volume.vss.vss_def = Multiline-String#
Show Value
"""
flag _VSS_VOLUME_SNAPSHOT_ATTRIBUTES : uint32 {
    VSS_VOLSNAP_ATTR_PERSISTENT             = 0x00000001,
    VSS_VOLSNAP_ATTR_NO_AUTORECOVERY        = 0x00000002,
    VSS_VOLSNAP_ATTR_CLIENT_ACCESSIBLE      = 0x00000004,
    VSS_VOLSNAP_ATTR_NO_AUTO_RELEASE        = 0x00000008,
    VSS_VOLSNAP_ATTR_NO_WRITERS             = 0x00000010,
    VSS_VOLSNAP_ATTR_TRANSPORTABLE          = 0x00000020,
    VSS_VOLSNAP_ATTR_NOT_SURFACED           = 0x00000040,
    VSS_VOLSNAP_ATTR_NOT_TRANSACTED         = 0x00000080,
    VSS_VOLSNAP_ATTR_HARDWARE_ASSISTED      = 0x00010000,
    VSS_VOLSNAP_ATTR_DIFFERENTIAL           = 0x00020000,
    VSS_VOLSNAP_ATTR_PLEX                   = 0x00040000,
    VSS_VOLSNAP_ATTR_IMPORTED               = 0x00080000,
    VSS_VOLSNAP_ATTR_EXPOSED_LOCALLY        = 0x00100000,
    VSS_VOLSNAP_ATTR_EXPOSED_REMOTELY       = 0x00200000,
    VSS_VOLSNAP_ATTR_AUTORECOVER            = 0x00400000,
    VSS_VOLSNAP_ATTR_ROLLBACK_RECOVERY      = 0x00800000,
    VSS_VOLSNAP_ATTR_DELAYED_POSTSNAPSHOT   = 0x01000000,
    VSS_VOLSNAP_ATTR_TXF_RECOVERY           = 0x02000000
};

enum RECORD_TYPE : uint32 {
    VOLUME_HEADER       = 0x1,
    CATALOG             = 0x2,
    STORE_INDEX         = 0x3,
    STORE_HEADER        = 0x4,
    STORE_BLOCK_RANGE   = 0x5,
    STORE_BITMAP        = 0x6
};

flag BLOCK_FLAG : uint32 {
    IS_FORWARDER    = 0x1,
    IS_OVERLAY      = 0x2,
    NOT_USED        = 0x4
};

struct volume_header {
    char    identifier[16];
    uint32  version;
    uint32  record_type;
    uint64  current_offset;
    uint64  unk0;
    uint64  unk1;
    uint64  catalog_offset;
    uint64  maximum_size;
    char    volume_identifier[16];
    char    store_volume_identifier[16];
    uint32  unk2;
    char    unk3[412];
};

struct catalog_header {
    char    identifier[16];
    uint32  version;
    uint32  record_type;
    uint64  relative_offset;
    uint64  offset;
    uint64  next_offset;
    char    unk0[80];
};

struct catalog_entry_1 {
    uint64  entry_type;
    char    unk0[120];
};

struct catalog_entry_2 {
    uint64  entry_type;
    uint64  volume_size;
    char    store_identifier[16];
    uint64  unk0;
    uint64  unk1;
    uint64  creation_time;
    char    unk2[72];
};

struct catalog_entry_3 {
    uint64  entry_type;
    uint64  store_block_list_offset;
    char    store_identifier[16];
    uint64  store_header_offset;
    uint64  store_range_list_offset;
    uint64  store_bitmap_offset;
    uint64  metadata_reference;
    uint64  allocated_size;
    uint64  store_previous_bitmap_offset;
    uint64  unk0;
    char    unk1[40];
};

struct store_header {
    char        identifier[16];
    uint32      version;
    RECORD_TYPE record_type;
    uint64      relative_offset;
    uint64      offset;
    uint64      next_offset;
    uint64      size;
    char        unk0[72];
};

struct store_information {
    char    unk_identifier[16];
    char    copy_identifier[16];
    char    copy_set_identifier[16];
    uint32  type;
    uint32  provider;
    _VSS_VOLUME_SNAPSHOT_ATTRIBUTES attributes;
    uint32  unk0;
    uint16  operating_machine_len;
    wchar   operating_machine[operating_machine_len / 2];
    uint16  service_machine_len;
    wchar   service_machine[service_machine_len / 2];
};

struct block_descriptor {
    uint64  original_offset;
    uint64  relative_offset;
    uint64  store_offset;
    BLOCK_FLAG  flags;
    uint32  allocation_bitmap;
};

struct range_descriptor {
    uint64  store_offset;
    uint64  relative_offset;
    uint64  size;
};
"""
dissect.volume.vss.c_vss#
dissect.volume.vss.RECORD_TYPE#
dissect.volume.vss.BLOCK_FLAG#
dissect.volume.vss.VSS_IDENTIFIER = b'k\x87\x088v\xc1HN\xb7\xae\x04\x04nl\xc7R'#
dissect.volume.vss.VOLUME_HEADER_OFFSET = 7680#
dissect.volume.vss.BLOCK_SIZE = 16384#
dissect.volume.vss.CATALOG_BLOCK_SIZE = 16384#
dissect.volume.vss.CATALOG_ENTRY_SIZE = 128#
dissect.volume.vss.STORE_BLOCK_SIZE = 16384#
dissect.volume.vss.STORE_BLOCKLIST_ENTRY_SIZE = 32#
dissect.volume.vss.STORE_RANGELIST_ENTRY_SIZE = 24#
class dissect.volume.vss.VSS(fh)#
property volume_identifier#
property store_volume_identifier#
__repr__()#

Return repr(self).

class dissect.volume.vss.Catalog(vss, offset)#
__repr__()#

Return repr(self).

dissect.volume.vss.DEBUG = False#
class dissect.volume.vss.Store(catalog, descriptors)#
property block_list#
property range_list#
property bitmap#
property previous_bitmap#
open()#
read_block(block, active_store=None)#
class dissect.volume.vss.StoreStream(store)#

Bases: dissect.util.stream.AlignedStream

Basic buffered stream that provides easy aligned reads.

Must be subclassed for various stream implementations. Subclasses can implement:
  • _read(offset, length)

  • _seek(pos, whence=io.SEEK_SET)

The offset and length for _read are guaranteed to be aligned. The only time that overriding _seek would make sense is if there’s no known size of your stream, but still want to provide SEEK_END functionality.

Most subclasses of AlignedStream take one or more file-like objects as source. Operations on these subclasses, like reading, will modify the source file-like object as a side effect.

Parameters:
  • size – The size of the stream. This is used in read and seek operations. None if unknown.

  • align – The alignment size. Read operations are aligned on this boundary. Also determines buffer size.

class dissect.volume.vss.BlockList(store, offset)#
class dissect.volume.vss.RangeList(store, offset)#
class dissect.volume.vss.StoreBitmap(store, offset)#
has_offset(offset)#
in_use(block)#
is_set(block)#
__getitem__(block)#
class dissect.volume.vss.BlockMap#
add(descriptor)#
get_descriptor(offset)#
__getitem__(block)#
class dissect.volume.vss.BlockDescriptor(buf)#
__slots__ = ('store', 'original_offset', 'relative_offset', 'store_offset', 'flags', 'bitmap', 'overlay',...#
__eq__(other)#

Return self==value.

__repr__()#

Return repr(self).

dissect.volume.vss.read_block(fh, offset, struct)#
dissect.volume.vss.read_block_data(fh, offset, struct)#