`dissect.apfs.objects.fs`¶

Module Contents¶

Classes¶

`FS`	APFS Filesystem object, also referred to as the "volume".
`Snapshot`
`INode`	APFS inode.
`DirectoryEntry`	APFS directory entry.
`XAttr`	APFS extended attribute.

class dissect.apfs.objects.fs.FS(*args, **kwargs)¶

Bases: dissect.apfs.objects.base.Object

APFS Filesystem object, also referred to as the “volume”.

__type__¶

__struct__¶

object: dissect.apfs.c_apfs.c_apfs.apfs_superblock¶

inode¶

root¶

__repr__() → str¶

property index: int¶: The volume index within the container.

property features: dissect.apfs.c_apfs.c_apfs.APFS_FEATURE¶: The features supported by this filesystem.

property incompatible_features: dissect.apfs.c_apfs.c_apfs.APFS_INCOMPAT¶: The incompatible features supported by this filesystem.

property is_case_insensitive: bool¶: Whether the filesystem is case insensitive.

property is_normalization_insensitive: bool¶: Whether the filesystem is normalization insensitive.

property is_sealed: bool¶: Whether the filesystem is sealed (read-only).

property unmount_time: datetime.datetime¶: The last unmount time of the filesystem.

property omap: dissect.apfs.objects.omap.ObjectMap¶: The object map for the filesystem.

property root_tree: dissect.apfs.objects.btree.BTree¶: The root B-tree for the filesystem.

property snap_meta_tree: dissect.apfs.objects.btree.BTree¶: The snapshot metadata B-tree for the filesystem.

property uuid: uuid.UUID¶: The filesystem UUID.

property mtime: datetime.datetime¶: The last modification time of the filesystem.

property flags: dissect.apfs.c_apfs.c_apfs.APFS_FS¶

property is_unencrypted: bool¶: Whether the filesystem is unencrypted.

property is_encrypted: bool¶: Whether the filesystem is encrypted.

property is_onekey: bool¶: Whether the filesystem uses the volume encryption key for all.

property formatted_by: tuple[str, datetime.datetime, int]¶: Information about the tool that formatted the filesystem.

property modified_by: list[tuple[str, datetime.datetime, int]]¶: Information about the tools that modified the filesystem.

property name: str¶: The volume name.

property role: dissect.apfs.c_apfs.c_apfs.APFS_VOL_ROLE¶: The volume role.

property snapshots: list[Snapshot]¶: All snapshots in the filesystem.

property fext_tree: dissect.apfs.objects.btree.BTree¶: The file extent B-tree for the filesystem.

property keybag: dissect.apfs.objects.keybag.VolumeKeybag | None¶: The volume keybag, if present.

property password_hint: str | None¶: The password hint for the volume, if present.

unlock(password: str, uuid: uuid.UUID | str | None = None) → None¶

cursor() → dissect.apfs.cursor.Cursor¶: Create a new cursor for the volume’s root B-tree.

records(oid: int) → dict[dissect.apfs.c_apfs.c_apfs.APFS_TYPE, list[Any]]¶

Get all records for a given object ID.

Parameters:: oid – The object ID to search for.

inodes() → collections.abc.Iterator[INode]¶: Iterate over all inodes in the filesystem.

get(path: str | int | DirectoryEntry, node: INode | None = None) → INode¶

Get an inode by its path, object ID, or directory entry.

Parameters:

path – The path, object ID, or directory entry of the inode to retrieve.
node – The starting inode for relative paths. Defaults to the root inode.

class dissect.apfs.objects.fs.Snapshot(fs: FS, xid: int, value: bytes)¶

fs¶

xid¶

value¶

__repr__() → str¶

property create_time: datetime.datetime¶: The creation time of the snapshot.

property change_time: datetime.datetime¶: The change time of the snapshot.

property name: str¶: The name of the snapshot.

open() → FS¶: Open the snapshot as a filesystem.

class dissect.apfs.objects.fs.INode(volume: FS, oid: int, sibling_id: int | None = None)¶

APFS inode.

Represents a file or directory in an APFS volume.

Parameters:

volume – Parent APFS volume.
oid – The object ID of the inode.
sibling_id – The sibling ID of the inode, if applicable.

volume¶

oid¶

sibling_id = None¶

__repr__() → str¶

property records: dict[dissect.apfs.c_apfs.c_apfs.APFS_TYPE, list[Any]]¶: All records for this inode.

property inode: dissect.apfs.c_apfs.c_apfs.j_inode_val¶: The parsed inode structure.

property xfields: dict¶: The extended fields for this inode.

property xattr: dict[str, XAttr]¶: The extended attributes for this inode.

property parent: INode¶: The parent inode.

property parents: collections.abc.Iterator[INode]¶: Iterate over the parent inodes of this inode, up to the root.

property private_id: int¶: The private ID of this inode.

property btime: datetime.datetime¶: The birth time of this inode.

property mtime: datetime.datetime¶: The modification time of this inode.

property ctime: datetime.datetime¶: The change time of this inode.

property atime: datetime.datetime¶: The access time of this inode.

property internal_flags: dissect.apfs.c_apfs.c_apfs.INODE¶: The inode internal flags.

property bsd_flags: int¶: The inode BSD flags.

is_compressed() → bool¶: Return whether this inode is compressed.

property uid: int¶: The owner user ID of this inode.

property gid: int¶: The owner group ID of this inode.

property mode: int¶: The file mode of this inode.

property type: int¶: The file type of this inode.

is_dir() → bool¶: Return whether this inode is a directory.

is_file() → bool¶: Return whether this inode is a regular file.

is_symlink() → bool¶: Return whether this inode is a symbolic link.

is_block_device() → bool¶: Return whether this inode is a block device.

is_character_device() → bool¶: Return whether this inode is a character device.

is_device() → bool¶: Return whether this inode is a device (block or character).

is_fifo() → bool¶: Return whether this inode is a FIFO.

is_socket() → bool¶: Return whether this inode is a socket.

is_whiteout() → bool¶: Return whether this inode is a whiteout.

property size: int¶: The size of this inode in bytes.

property siblings: list[INode]¶: All sibling inodes of this inode.

property sibling_link: tuple[int, str] | None¶: The sibling link (parent_id, name) tuple of this inode, if available.

property name: str | None¶: The name of this inode, if available.

property names: list[str]¶: All names of this inode, if available.

property path: str¶: The full path of this inode, if available.

property paths: list[str]¶: All full paths of this inode, if available.

get(name: str) → DirectoryEntry¶: Get a directory entry by name.

listdir() → dict[str, DirectoryEntry]¶: List the directory entries in this inode.

iterdir() → collections.abc.Iterator[DirectoryEntry]¶: Iterate over the directory entries in this inode.

readlink() → str¶: The target of this inode if it is a symbolic link.

open() → dissect.util.stream.BufferedStream | dissect.apfs.stream.DecmpfsStream | dissect.apfs.stream.FileStream¶: Open a stream for reading the inode data.

class dissect.apfs.objects.fs.DirectoryEntry(volume: FS, key: bytes, value: bytes)¶

APFS directory entry.

Parameters:

volume – Parent APFS volume.
key – The raw directory entry key.
value – The raw directory entry value.

volume¶

value¶

xfields¶

__repr__() → str¶

property name: str¶: The name of this directory entry.

property hash: int | None¶: The hash of this directory entry, if available.

property file_id: int¶: The object ID of the inode this directory entry refers to.

property sibling_id: int | None¶: The sibling ID of the inode this directory entry refers to, if available.

property inode: INode¶: The inode this directory entry refers to.

property date_added: datetime.datetime¶: The date and time this directory entry was added.

property dt: dissect.apfs.c_apfs.c_apfs.DT¶: The directory entry type.

property type: int¶: The file type of this directory entry.

is_dir() → bool¶: Return whether this directory entry is a directory.

is_file() → bool¶: Return whether this directory entry is a regular file.

is_symlink() → bool¶: Return whether this directory entry is a symbolic link.

is_block_device() → bool¶: Return whether this directory entry is a block device.

is_character_device() → bool¶: Return whether this directory entry is a character device.

is_device() → bool¶: Return whether this directory entry is a device (block or character).

is_fifo() → bool¶: Return whether this directory entry is a FIFO.

is_socket() → bool¶: Return whether this directory entry is a socket.

is_whiteout() → bool¶: Return whether this directory entry is a whiteout.

class dissect.apfs.objects.fs.XAttr(inode: INode, key: bytes, value: bytes)¶

APFS extended attribute.

Parameters:

inode – The inode this xattr belongs to.
key – The raw xattr key.
value – The raw xattr value.

inode¶

key¶

value¶

__repr__() → str¶

property name: str¶: The name of this xattr.

property flags: dissect.apfs.c_apfs.c_apfs.XATTR¶: The flags of this xattr.

open() → dissect.util.stream.BufferedStream | dissect.apfs.stream.FileStream¶: Open a stream for reading the xattr data.

dissect.apfs.objects.fs¶

Module Contents¶

Classes¶

`dissect.apfs.objects.fs`¶