Supported Targets

Dissect supports a large range of formats. From various disk images, volume systems, file systems and operating systems, to tarballs and proprietary backup formats, and everything combined! This page aims to provide you with an overview of what you can expect Dissect to be able to handle!

Loaders

Loaders provide a way to interact with a “target” by combining and accessing source data into usable parts. This creates a virtual representation of the original system.

See also

For a deeper dive into how loaders work, see loaders.

In most cases, Dissect selects the appropriate loader automatically based on the file you target. It does this by looking at things like the file type, folder structure or special configuration files. If needed, you can choose the loader yourself with the -L <loader type> option or with the URI-style notation <loader type>://.

target-query -f func /path/to/target.ab
target-query -f func -L ab /path/to/target
target-query -f func ab:///path/to/target

Important

Just because a format does not have a loader does not mean Dissect cannot open it! In those cases, Dissect falls back to a “raw loader”, which allows the target to be opened as any of the supported containers or even supported filesystems. Whether a target is supported as a loader, a container or a filesystem depends on implementation details for that specific format.

Supported loaders

| Description | Format | API |
| --- | --- | --- |
| Android backup | .ab | ab |
| Acquire | ZIP or tar with Acquire structure | acquire |
| AccessData AD1 | .ad1 | ad1 |
| Carbon Black Live Response endpoint | cb:// or -L cb [1] | cb |
| Cellebrite UFED export | .ufdx, .ufd | cellebrite |
| Docker and OCI container images | tar file with Docker or OCI image structure | containerimage |
| Local directory | Common OS structure (path/Windows/System32 or path/etc) | dir |
| Microsoft Hyper-V virtual machine configuration | .vmcx, .xml | hyperv |
| iTunes backup | Directory with iTunes backup structure | itunes |
| KAPE | Directory or .vhdx with KAPE structure | kape |
| Libvirt XML configuration | .xml | libvirt |
| Local system (automatically load all drives such as /dev/sda or \\.\PhysicalDrive0) | local | local |
| MQTT broker | mqtt:// or -L mqtt [2] | mqtt |
| Netscaler Techsupport Collector | tar with Netscaler Techsupport structure | nscollector |
| Open Virtual Appliance (OVA) | .ova | ova |
| Podman OCI overlay | Directory with Podman overlay structure | overlay |
| Docker overlay2 | Directory with Docker overlay2 structure | overlay2 |
| Open Virtualization Format (OVF) | .ovf | ovf |
| Proxmox virtual machine configuration | .conf | proxmox |
| Parallels virtual machine directory | .pvm | pvm |
| Parallels virtual machine configuration | config.pvs | pvs |
| Single raw binary file | Default fallback for unknown files | raw |
| Multiple raw binary files | Paths with + (/dev/vda+/dev/vdb) | multiraw |
| Remote Dissect agent | remote:// or -L remote | remote |
| Remote SMB server | smb:// or -L smb [3] | smb |
| Tanium | Directory with Tanium structure | tanium |
| (Compressed) tar | .tar, .tar.<comp>, .t<comp> | tar |
| Unix-like Artifacts Collector (UAC) | Directory, ZIP or tar with UAC structure | uac |
| UTM virtual machine | .utm | utm |
| Oracle VirtualBox virtual machine | .vbox | vbox |
| Veeam Backup (VBK) | .vbk | vbk |
| Rapid7 Velociraptor | Directory or ZIP with Velociraptor structure | velociraptor |
| Proxmox Virtual Machine Archive (VMA) | .vma | vma |
| VMware Fusion virtual machine | .vmwarevm | vmwarevm |
| VMware virtual machine configuration | .vmx | vmx |
| Citrix Hypervisor backup (XVA) | .xva | xva |
| ZIP | .zip | zip |

Containers

Containers let Dissect interact with a disk-like structure in a consistent way. These can be virtual machine files, forensic containers or a hard disk itself.

See also

For a deeper understanding of how containers work, see containers.

Dissect can select the appropriate container automatically based on either the file extension or file magic. For example, the QCOW2 container gets selected if the file extension is .qcow2 or if the first bytes of the file are b"QFI\xfb".

Supported containers

| Description | Format | API |
| --- | --- | --- |
| Apple Sparse Image Format | .asif | asif |
| FTK Expert Witness Disk Image Format (EWF) | .E01, .L01 | ewf |
| Fortinet firmware | *-fortinet.out | fortifw |
| Parallels HDD virtual disk | .hdd | hdd |
| Parallels HDS sparse virtual disk | .hds | hds |
| QEMU QCOW2 | .qcow2 | qcow2 |
| VirtualBox VDI virtual disk | .vdi | vdi |
| Hyper-V VHD virtual disk | .vhd | vhd |
| Hyper-V VHDX virtual disk | .vhdx | vhdx |
| VMware virtual disk | .vmdk | vmdk |

Partition Schemes and Volume Systems

Dissect supports most common partition schemes. Nested partitions are supported as well.

Supported Partition Schemes

| Description | API |
| --- | --- |
| Apple Partition Map (APM) | apm |
| BSD Disklabel | bsd |
| GUID Partition Table (GPT) | gpt |
| Master Boot Record (MBR) | mbr |

Besides these standard partition schemes, Dissect supports disks in RAID configurations or disks with logical volumes that span multiple disks.

See also

For more details, see volumes.

Supported volume systems

| Description | API |
| --- | --- |
| DDF (Disk Data Format) RAID, common in Dell RAID controllers | ddf |
| LVM2 | lvm2 |
| Linux MD RAID | md |
| VMFS LVM | vmfs |

Dissect can also decrypt some well-known encrypted volume systems. In most Dissect tools, you provide the key material either as a keychain file containing multiple passphrases (specified with -K) or as a keychain value (-Kv).

Supported encrypted volume systems

| Description | API |
| --- | --- |
| LUKS (version 1 and 2) | luks |
| BitLocker (all configurations and versions, including EOW) | bde |

Filesystems

In Dissect, filesystems go beyond traditional disk-based structures. If it behaves like a filesystem, Dissect can likely treat it as one. This includes both standard filesystems and formats that resemble filesystem behavior.

There might be some overlap with loaders and containers, as some formats can function in multiple roles, or need implementation in different areas to work correctly.

See also

For more details, see Filesystems.

Supported filesystems

| Description | API |
| --- | --- |
| AccessData AD1 | ad1 |
| Apple File System (APFS) | apfs |
| Linux Btrfs | btrfs |
| CPIO archive | cpio |
| Linux cramfs | cramfs |
| exFAT | exfat |
| Linux EXT2, EXT3, EXT4 | extfs |
| FAT12, FAT16, FAT32 | fat |
| BSD Fast Filesystem (FFS) | ffs |
| Linux Journaling Flash Filesystem (JFFS) | jffs |
| Network File Share (NFS) | nfs |
| Microsoft NTFS | ntfs |
| QNX4 and QNX6 | qnxfs |
| Linux SquashFS | squashfs |
| Veeam Backup (VBK) | vbk |
| VMware (VMFS) | vmfs |
| VMware vmtar | vmtar |
| Linux XFS | xfs |

Operating Systems

Dissect tries to automatically figure out what operating system is available on the target, based on known file locations and structures. Once the operating system is known, it enables you to get more accurate information from the system, for example, the user or network configuration.

Supported operating systems

| Description | API |
| --- | --- |
| Windows | windows |
| Generic Unix | unix |
| BSD | unix.bsd |
| Citrix | unix.bsd.citrix |
| FreeBSD | unix.bsd.freebsd |
| OpenBSD | unix.bsd.openbsd |
| Generic Darwin | unix.bsd.darwin |
| iOS | unix.bsd.darwin.ios |
| macOS | unix.bsd.darwin.macos |
| ESXi | unix.esxi |
| Generic Linux | unix.linux |
| Android | unix.linux.android |
| FortiOS | unix.linux.fortios |
| OpenSUSE | unix.linux.suse |
| RedHat | unix.linux.redhat |
| Debian | unix.linux.debian |
| Proxmox | unix.linux.debian.proxmox |
| VyOS | unix.linux.debian.vyos |

Child Targets

Dissect supports identifying, listing and querying child targets. These are targets within other targets, such as virtual machines or containers. Dissect finds these by looking inside configuration files on a target. It can do this recursively, looking inside each child target for further child targets.

See also

For more details, see Child targets.

Supported child targets

| Description | API |
| --- | --- |
| Colima containers | colima |
| Docker containers | docker |
| ESXi virtual machines | esxi |
| Hyper-V virtual machines | hyperv |
| Lima containers and virtual machines | lima |
| Parallels virtual machines | parallels |
| Podman containers | podman |
| Proxmox virtual machines | proxmox |
| QEMU virtual machines | qemu |
| Oracle VirtualBox virtual machines | virtualbox |
| Virtuozzo containers | virtuozzo |
| VMware Workstation virtual machines | vmware_workstation |
| Windows Subsystem for Linux 2 (WSL2) instances | wsl |