dissect.clfs#

A Dissect module implementing a parser for the CLFS (Common Log File System) file system of Windows. Currently only supports the persistent variant.

Installation#

dissect.clfs is available on PyPI.

$ pip install dissect.clfs

This module is also automatically installed if you install the dissect package.

Usage#

This package is a library with no CLI tools, so you can only interact with it from Python. For example, to print the logblock headers and associated containers of a given .blf file:

from dissect.clfs import blf

with open("windows/config/DRIVERS{1c2b59ad-c5f5-11eb-bacb-000d3a96488e}.TM.blf", "rb") as fh:
    blf_instance = blf.BLF(fh)

    for base_record in blf_instance.base_records():
        # Parse the base records and print the logblock record headers
        print(base_record.logblock.header)

        for stream in base_record.streams:
            # Print the associated container names
            for blf_container in base_record.containers:

                # Check whether this stream's container ID matches this container
                if blf_container.id != stream.lsn_base.Offset.ContainerId:
                    continue

                # We can encounter the same container ID for the shadow blocks
                if blf_container.type != stream.type:
                    continue

                # Invalid LSN (-1)
                if stream.lsn_base.PhysicalOffset <= 0:
                    continue

                # The stored container name carries a prepended %BLF% pseudo-directory, e.g.
                # %BLF%\DRIVERS{1c2b59ad-c5f5-11eb-bacb-000d3a96488e}.TMContainer00000000000000000001.regtrans-ms
                # Strip that prefix before resolving the path on a Dissect filesystem
                print(f"Associated container: {blf_container.name}")
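The matching logic above, factored into a testable function and run on constructed stand-in records. This is an added example, not code from the dissect.clfs project: the attribute names (id, type, name, lsn_base.Offset.ContainerId, lsn_base.PhysicalOffset) follow the usage snippet, but the objects are plain dataclasses rather than dissect.clfs classes, so it runs without a .blf file and makes the two skip conditions (shadow container with the same ID, invalid LSN) and the %BLF% prefix stripping explicit.

```python
"""Added example: stream-to-container matching for BLF records, with constructed
stand-in objects instead of real dissect.clfs Stream/Container instances."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Pseudo-directory prepended to container names inside the .blf base record
BLF_PREFIX = "%BLF%\\"


@dataclass
class Offset:
    ContainerId: int


@dataclass
class LSN:
    Offset: Offset
    PhysicalOffset: int  # -1 (or any non-positive value) marks an invalid LSN


@dataclass
class Stream:
    type: int
    lsn_base: LSN


@dataclass
class Container:
    id: int
    type: int
    name: str


def strip_blf_prefix(name: str) -> str:
    """Drop the %BLF%\\ pseudo-directory so the remaining file name can be
    looked up next to the .blf file on a Dissect filesystem."""
    if name.startswith(BLF_PREFIX):
        return name[len(BLF_PREFIX):]
    return name


def associated_containers(streams: Iterable[Stream],
                          containers: Iterable[Container]) -> List[Tuple[int, str]]:
    """Return (container type, stripped container name) for every stream that
    resolves to a container, applying the same checks as the usage snippet."""
    containers = list(containers)
    result: List[Tuple[int, str]] = []
    for stream in streams:
        # Invalid LSN (-1): the stream has no physical location yet
        if stream.lsn_base.PhysicalOffset <= 0:
            continue
        for container in containers:
            # Container ID must match the stream's base LSN container
            if container.id != stream.lsn_base.Offset.ContainerId:
                continue
            # Shadow blocks reuse the same container ID under another type
            if container.type != stream.type:
                continue
            result.append((container.type, strip_blf_prefix(container.name)))
    return result


# Constructed sample data (GUID taken from the usage snippet; IDs/types made up)
_NAME1 = BLF_PREFIX + "DRIVERS{1c2b59ad-c5f5-11eb-bacb-000d3a96488e}.TMContainer00000000000000000001.regtrans-ms"
_NAME2 = BLF_PREFIX + "DRIVERS{1c2b59ad-c5f5-11eb-bacb-000d3a96488e}.TMContainer00000000000000000002.regtrans-ms"
CONTAINERS = [
    Container(id=1, type=0, name=_NAME1),
    Container(id=1, type=1, name=_NAME1),  # shadow entry: same ID, other type
    Container(id=2, type=0, name=_NAME2),
]
STREAMS = [
    Stream(type=0, lsn_base=LSN(Offset(1), 0x1000)),  # matches container 1 / type 0
    Stream(type=1, lsn_base=LSN(Offset(1), 0x2000)),  # matches the shadow entry only
    Stream(type=0, lsn_base=LSN(Offset(2), -1)),      # invalid LSN: skipped
]

if __name__ == "__main__":
    for ctype, name in associated_containers(STREAMS, CONTAINERS):
        print(f"type={ctype} container={name}")
```

The stand-in dataclasses only exist to drive the function; with real dissect.clfs objects you would pass `base_record.streams` and `base_record.containers` instead.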

Reference#

For more details, please refer to the API documentation of dissect.clfs.