dissect.evidence.ad1
Module Contents
Classes
- FileObject: Basic buffered stream that provides aligned reads.
Attributes
- dissect.evidence.ad1.ad1_def = Multiline-String

    """
    enum EntryType : uint32 {
        File                = 0x0,
        Directory           = 0x5
    };

    enum MetaType : uint32 {
        FileClass           = 0x2,
        FileSize            = 0x3,
        PhysicalSize        = 0x4,
        StartCluster        = 0x6,
        DateAccessed        = 0x7,
        DateCreated         = 0x8,
        DateModified        = 0x9,
        Unknown_1           = 0xd,
        Unknown_2           = 0xe,
        ActualFile          = 0x1e,
        Unknown_3           = 0x1002,
        Unknown_4           = 0x1003,
        Unknown_5           = 0x1004,
        Unknown_6           = 0x1005,
        MD5                 = 0x5001,
        SHA1                = 0x5002,
        ClusterSize         = 0x9001,
        ClusterCount        = 0x9002,
        FreeClusterCount    = 0x9003,
        VolumeSerialNumber  = 0x9006
    };

    typedef struct {
        char    magic[16];
        uint32  unk1;
        uint32  unk2;
        uint32  unk3;
        uint32  unk4;
        uint16  unk5;
        uint16  version;
        uint32  unk6;
        uint64  logical_image_offset;
    } SegmentedFileHeader;

    typedef struct {
        char    magic[16];
        uint32  unk1;
        uint32  unk2;
        uint32  chunk_size;     // This is supposed to be uint64? But that doesn't seem right
        uint32  unk3;
        uint32  unk4;
        uint64  entry_offset;
        uint32  name_len;
        uint32  unk5;
        uint64  name_offset;
        uint64  unk6;
        uint64  unk7;
        uint64  unk8;
        uint64  unk9;
        char    name[name_len];
    } LogicalImageHeader;

    typedef struct {
        uint64      next;
        uint64      child;
        uint64      meta;
        uint64      unk1;
        uint64      size;
        EntryType   type;
        uint32      name_len;
        char        name[name_len];
        uint64      unk2;
        uint64      num_chunks;
        uint64      chunks[num_chunks];
    } FileEntry;

    typedef struct {
        uint64      next;
        uint32      category;
        MetaType    type;
        uint32      len;
        char        data[len];
    } FileMeta;
    """
- dissect.evidence.ad1.c_ad1
- dissect.evidence.ad1.EntryType
- dissect.evidence.ad1.MetaType
- class dissect.evidence.ad1.AD1(fh: BinaryIO)
  - fh
  - header
  - logical_image
  - root
  - __getattr__(k: str) -> Any
  - entry(path: str = '') -> LogicalImage | FileEntry
  - get(path: str) -> LogicalImage | FileEntry
  - open(path: str) -> FileObject
- class dissect.evidence.ad1.LogicalImage(fh: BinaryIO)
  - fh
  - header
  - children = []
  - __repr__() -> str
  - __getattr__(k: str) -> Any
- class dissect.evidence.ad1.FileEntry(image: LogicalImage, offset: int)
  - image
  - offset
  - entry
  - size
  - meta = []
  - children = []
  - __repr__() -> str
  - __getattr__(k: str) -> Any
  - open() -> FileObject
  - is_file() -> bool
  - is_dir() -> bool
- class dissect.evidence.ad1.FileMeta(image: LogicalImage, offset: int)
  - image
  - offset
  - entry
  - __repr__() -> str
  - __getattr__(k: str) -> Any
- class dissect.evidence.ad1.FileObject(entry: FileEntry)
  Bases: dissect.util.stream.AlignedStream

  Basic buffered stream that provides aligned reads.

  Must be subclassed for various stream implementations. Subclasses can implement:
  - _read()
  - _seek()

  The offset and length for _read are guaranteed to be aligned for streams of a known size. If your stream has an unknown size (i.e. size == None), reads of length -1 (i.e. read until EOF) will be passed through to your implementation of _read. The only time that overriding _seek would make sense is if there's no known size of your stream, but you still want to provide SEEK_END functionality.

  Most subclasses of AlignedStream take one or more file-like objects as source. Operations on these subclasses, like reading, will modify the source file-like object as a side effect.

  Parameters:
  - size – The size of the stream. This is used in read and seek operations. None if unknown.
  - align – The alignment size. Read operations are aligned on this boundary. Also determines buffer size.

  - _seek(pos: int, whence: int = 0) -> int
    Calculate and return the new stream position after a seek.
  - entry
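The FileMeta layout in ad1_def is a linked list of length-prefixed records, and in an untrusted image both the next offset and the len field are attacker-controlled. The following is an added example, not code from dissect.evidence, that walks such a chain with only the standard library and rejects loops and out-of-bounds records. It assumes little-endian fields, offsets that are absolute within the buffer, and next == 0 as the end of the chain; walk_meta, make_meta, sample_buffer and MetaError are hypothetical names, and the sample bytes are constructed.

```python
import struct

# FileMeta header from ad1_def: uint64 next; uint32 category; uint32 type; uint32 len
META_HDR = struct.Struct("<QIII")  # assumption: little-endian fields
META_NAMES = {0x3: "FileSize", 0x5001: "MD5", 0x5002: "SHA1"}  # subset of MetaType


class MetaError(ValueError):
    """A FileMeta chain that cannot be parsed safely."""


def walk_meta(buf: bytes, offset: int, max_records: int = 1024) -> list:
    """Follow a FileMeta linked list, rejecting loops and out-of-bounds records."""
    seen, out = set(), []
    while offset:  # assumption: next == 0 ends the chain
        if offset in seen or len(seen) >= max_records:
            raise MetaError(f"loop or overlong chain at {offset:#x}")
        seen.add(offset)
        if offset + META_HDR.size > len(buf):
            raise MetaError(f"header at {offset:#x} runs past end of buffer")
        nxt, _category, mtype, length = META_HDR.unpack_from(buf, offset)
        start = offset + META_HDR.size
        if start + length > len(buf):
            raise MetaError(f"data at {start:#x} (len {length}) runs past end of buffer")
        out.append((META_NAMES.get(mtype, hex(mtype)), buf[start:start + length]))
        offset = nxt
    return out


def make_meta(nxt: int, category: int, mtype: int, data: bytes) -> bytes:
    """Pack one FileMeta record (used only to build the constructed sample)."""
    return META_HDR.pack(nxt, category, mtype, len(data)) + data


def sample_buffer() -> bytes:
    """Constructed sample: 16 pad bytes, then FileSize -> MD5 -> end of chain."""
    rec1_len = META_HDR.size + 2
    rec1 = make_meta(16 + rec1_len, 1, 0x3, b"11")
    rec2 = make_meta(0, 1, 0x5001, b"0123456789abcdef0123456789abcdef")
    return b"\x00" * 16 + rec1 + rec2


if __name__ == "__main__":
    for name, value in walk_meta(sample_buffer(), 16):
        print(name, value)
```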