Contents Menu Expand Light mode Dark mode Auto light/dark, in light mode Auto light/dark, in dark mode Skip to content
Dissect 3.18 documentation
Light Logo Dark Logo
  • Home

Basics

  • Install
  • Tutorial
  • Querying
  • Shell
  • Mount
  • Acquire
  • RDump

In-Depth

  • Tools
    • acquire
    • target-query
    • target-shell
    • target-fs
    • target-reg
    • target-dump
    • target-dd
    • target-mount
    • target-info
    • rdump
  • Projects
    • acquire
    • dissect.archive
    • dissect.btrfs
    • dissect.cim
    • dissect.clfs
    • dissect.cstruct
    • dissect.esedb
    • dissect.etl
    • dissect.eventlog
    • dissect.evidence
    • dissect.executable
    • dissect.extfs
    • dissect.fat
    • dissect.ffs
    • dissect.fve
    • dissect.hypervisor
    • dissect.jffs
    • dissect.ntfs
    • dissect.ole
    • dissect.regf
    • dissect.shellitem
    • dissect.sql
    • dissect.squashfs
    • dissect.target
    • dissect.thumbcache
    • dissect.util
    • dissect.vmfs
    • dissect.volume
    • dissect.xfs
    • flow.record
  • Usage
    • Introduction
    • First steps
      • Next steps as an Incident Handler
      • Next steps as a Security Analyst
    • Use-cases
    • Disk encryption (FVE)
  • Plugin Reference
    • 7zip
    • _dpapi_keyprovider
    • _dpapi_keyprovider.keys
    • _dpapi_keyprovider_credhist
    • _dpapi_keyprovider_credhist.keys
    • _dpapi_keyprovider_empty
    • _dpapi_keyprovider_empty.keys
    • _dpapi_keyprovider_keychain
    • _dpapi_keyprovider_keychain.keys
    • _dpapi_keyprovider_lsa_defaultpassword
    • _dpapi_keyprovider_lsa_defaultpassword.keys
    • account_policy
    • acquire_handles
    • acquire_hashes
    • activitiescache
    • activity
    • adpolicy
    • alternateshell
    • amcache
    • amcache.applaunches
    • amcache.application_files
    • amcache.applications
    • amcache.device_containers
    • amcache.drivers
    • amcache.files
    • amcache.programs
    • amcache.shortcuts
    • amcache_install
    • anydesk
    • anydesk.logs
    • apache
    • apache.access
    • apache.error
    • apache.logs
    • appinit
    • applications
    • appxdebugkeys
    • apt
    • apt.logs
    • atop
    • audit
    • auditpol
    • authlog
    • bam
    • bashhistory
    • bootshell
    • brave
    • brave.cookies
    • brave.downloads
    • brave.extensions
    • brave.history
    • brave.passwords
    • browser
    • browser.cookies
    • browser.downloads
    • browser.extensions
    • browser.history
    • browser.passwords
    • btmp
    • caddy
    • caddy.access
    • caddy.logs
    • cam
    • capability_binaries
    • chrome
    • chrome.cookies
    • chrome.downloads
    • chrome.extensions
    • chrome.history
    • chrome.passwords
    • chromium
    • chromium.cookies
    • chromium.downloads
    • chromium.extensions
    • chromium.history
    • chromium.passwords
    • cim
    • cim.consumerbindings
    • cit
    • cit.cit
    • cit.dp
    • cit.modules
    • cit.puu
    • cit.telemetry
    • citrix
    • citrix.access
    • citrix.error
    • citrix.logs
    • clfs
    • clsid
    • clsid.machine
    • clsid.user
    • cmdline
    • codepage
    • commandhistory
    • commandprocautorun
    • config_tree
    • cpanel
    • cpanel.lastlogin
    • credhist
    • cronjobs
    • datetime
    • defender
    • defender.evtx
    • defender.exclusions
    • defender.mplog
    • defender.quarantine
    • defender.recover
    • docker
    • docker.containers
    • docker.images
    • docker.logs
    • domain
    • dpapi
    • dpkg
    • dpkg.log
    • dpkg.status
    • edge
    • edge.cookies
    • edge.downloads
    • edge.extensions
    • edge.history
    • edge.passwords
    • editor
    • editor.extensions
    • editor.history
    • editor.tabs
    • envfile
    • environ
    • environment_variables
    • etc
    • etc.etc
    • etl
    • etl.boot
    • etl.etl
    • etl.shutdown
    • evt
    • evtx
    • example
    • example_none
    • example_record
    • example_user_registry_record
    • example_yield
    • exchange
    • exchange.transport_agents
    • filerenameop
    • firefox
    • firefox.cookies
    • firefox.downloads
    • firefox.extensions
    • firefox.history
    • firefox.passwords
    • firewall
    • gnulocate
    • gnulocate.locate
    • icat
    • iexplore
    • iexplore.downloads
    • iexplore.history
    • iis
    • iis.access
    • iis.logs
    • install_date
    • iptables
    • jumplist
    • jumplist.automatic_destination
    • jumplist.custom_destination
    • keyboard
    • knowndlls
    • language
    • lastlog
    • lnk
    • loaders
    • locate
    • locate.locate
    • lsa
    • lsa.secrets
    • lsmod
    • mcafee
    • mcafee.msc
    • messages
    • mft
    • mft_timeline
    • mlocate
    • mlocate.locate
    • mru
    • mru.acmru
    • mru.lastvisited
    • mru.msoffice
    • mru.mstsc
    • mru.networkdrive
    • mru.opensave
    • mru.recentdocs
    • mru.run
    • msoffice
    • msoffice.native
    • msoffice.startup
    • msoffice.web
    • mssql
    • mssql.errorlog
    • muicache
    • ndis
    • netstat
    • network
    • network.dns
    • network.gateways
    • network.interfaces
    • network.ips
    • network.macs
    • network_history
    • nginx
    • nginx.access
    • nginx.logs
    • notifications
    • notifications.appdb
    • notifications.wpndatabase
    • ntversion
    • nullsessionpipes
    • openssh
    • openssh.authorized_keys
    • openssh.known_hosts
    • openssh.private_keys
    • openssh.public_keys
    • opensshd
    • opensshd.config
    • openvpn
    • openvpn.config
    • osinfo
    • packagemanager
    • packagemanager.logs
    • passwords
    • path_extensions
    • pathenvironment
    • pfro
    • plocate
    • plocate.locate
    • plugins
    • powershell_history
    • prefetch
    • proc
    • processes
    • putty
    • putty.known_hosts
    • putty.sessions
    • qfind
    • recentfilecache
    • recyclebin
    • regf
    • registry
    • remoteaccess
    • remoteaccess.logs
    • runkeys
    • sam
    • schedlgu
    • scrape
    • scraped_evt
    • scraped_evtx
    • securelog
    • services
    • sessionmanager
    • sevenzip
    • shellbags
    • shimcache
    • sid
    • snap
    • snaps
    • sockets
    • sockets.packet
    • sockets.raw
    • sockets.tcp
    • sockets.udp
    • sockets.unix
    • sophos
    • sophos.hitmanlogs
    • sophos.sophoshomelogs
    • sru
    • sru.application
    • sru.application_timeline
    • sru.energy_estimator
    • sru.energy_usage
    • sru.energy_usage_lt
    • sru.network_connectivity
    • sru.network_data
    • sru.push_notification
    • sru.sdp_cpu_provider
    • sru.sdp_network_provider
    • sru.sdp_physical_disk_provider
    • sru.sdp_volume_provider
    • sru.vfu
    • ssh
    • ssh.authorized_keys
    • ssh.config
    • ssh.known_hosts
    • ssh.private_keys
    • ssh.public_keys
    • ssh.sessions
    • startupinfo
    • suid_binaries
    • symantec
    • symantec.firewall
    • symantec.logs
    • syscache
    • syslog
    • sysmodules
    • tasks
    • teamviewer
    • teamviewer.logs
    • thumbcache
    • thumbcache.iconcache
    • thumbcache.thumbcache
    • timezone
    • trash
    • trendmicro
    • trendmicro.wffirewall
    • trendmicro.wflogs
    • trusteddocs
    • ual
    • ual.client_access
    • ual.domains_seen
    • ual.role_access
    • ual.system_identities
    • ual.virtual_machines
    • usb
    • user_details
    • userassist
    • usnjrnl
    • utmp
    • vmlist
    • vmware
    • vmware.clipboard
    • vmware.draganddrop
    • walkfs
    • webserver
    • webserver.access
    • webserver.error
    • webserver.logs
    • wer
    • wget
    • wget.hsts
    • windowsnotepad
    • windowsnotepad.extensions
    • windowsnotepad.history
    • windowsnotepad.tabs
    • winrar
    • winsocknamespaceprovider
    • wireguard
    • wireguard.config
    • wtmp
    • wua_history
    • yara
    • yum
    • yum.logs
    • zypper
    • zypper.logs
  • Architecture
  • Advanced
    • Python API
    • Targets
    • Loaders
    • Containers
    • Volumes
    • Filesystems
    • Plugins
    • Record Descriptors
  • API Reference
    • acquire.acquire
      • acquire.acquire.dynamic
        • acquire.acquire.dynamic.windows
          • acquire.acquire.dynamic.windows.collect
          • acquire.acquire.dynamic.windows.exceptions
          • acquire.acquire.dynamic.windows.handles
          • acquire.acquire.dynamic.windows.named_objects
          • acquire.acquire.dynamic.windows.ntdll
          • acquire.acquire.dynamic.windows.types
      • acquire.acquire.gui
        • acquire.acquire.gui.base
        • acquire.acquire.gui.win32
      • acquire.acquire.outputs
        • acquire.acquire.outputs.base
        • acquire.acquire.outputs.dir
        • acquire.acquire.outputs.tar
        • acquire.acquire.outputs.zip
      • acquire.acquire.tools
        • acquire.acquire.tools.decrypter
      • acquire.acquire.uploaders
        • acquire.acquire.uploaders.minio
        • acquire.acquire.uploaders.plugin
        • acquire.acquire.uploaders.plugin_registry
      • acquire.acquire.acquire
      • acquire.acquire.collector
      • acquire.acquire.crypt
      • acquire.acquire.esxi
      • acquire.acquire.hashes
      • acquire.acquire.log
      • acquire.acquire.utils
      • acquire.acquire.volatilestream
    • dissect.archive
      • dissect.archive.tools
        • dissect.archive.tools.backup
      • dissect.archive.c_vbk
      • dissect.archive.c_vma
      • dissect.archive.c_wim
      • dissect.archive.exceptions
      • dissect.archive.vbk
      • dissect.archive.vma
      • dissect.archive.wim
      • dissect.archive.xva
    • dissect.btrfs
      • dissect.btrfs.btrfs
      • dissect.btrfs.c_btrfs
      • dissect.btrfs.exceptions
      • dissect.btrfs.stream
      • dissect.btrfs.tree
    • dissect.cim
      • dissect.cim.c_cim
      • dissect.cim.cim
      • dissect.cim.classes
      • dissect.cim.exceptions
      • dissect.cim.index
      • dissect.cim.mappings
      • dissect.cim.objects
      • dissect.cim.utils
    • dissect.clfs
      • dissect.clfs.blf
      • dissect.clfs.c_clfs
      • dissect.clfs.container
      • dissect.clfs.exceptions
    • dissect.cstruct
      • dissect.cstruct.types
        • dissect.cstruct.types.base
        • dissect.cstruct.types.char
        • dissect.cstruct.types.enum
        • dissect.cstruct.types.flag
        • dissect.cstruct.types.int
        • dissect.cstruct.types.leb128
        • dissect.cstruct.types.packed
        • dissect.cstruct.types.pointer
        • dissect.cstruct.types.structure
        • dissect.cstruct.types.void
        • dissect.cstruct.types.wchar
      • dissect.cstruct.bitbuffer
      • dissect.cstruct.compiler
      • dissect.cstruct.cstruct
      • dissect.cstruct.exceptions
      • dissect.cstruct.expression
      • dissect.cstruct.parser
      • dissect.cstruct.utils
    • dissect.esedb
      • dissect.esedb.tools
        • dissect.esedb.tools.impacket
        • dissect.esedb.tools.sru
        • dissect.esedb.tools.ual
      • dissect.esedb.c_esedb
      • dissect.esedb.compression
      • dissect.esedb.cursor
      • dissect.esedb.esedb
      • dissect.esedb.exceptions
      • dissect.esedb.index
      • dissect.esedb.lcmapstring
      • dissect.esedb.page
      • dissect.esedb.record
      • dissect.esedb.sorting_table
      • dissect.esedb.table
    • dissect.etl
      • dissect.etl.headers
        • dissect.etl.headers.event
        • dissect.etl.headers.headers
        • dissect.etl.headers.logfile
        • dissect.etl.headers.system
        • dissect.etl.headers.utils
      • dissect.etl.manifests
      • dissect.etl.c_etl
      • dissect.etl.etl
      • dissect.etl.exceptions
      • dissect.etl.manifest
      • dissect.etl.utils
    • dissect.eventlog
      • dissect.eventlog.bxml
      • dissect.eventlog.evt
      • dissect.eventlog.evtx
      • dissect.eventlog.exceptions
      • dissect.eventlog.utils
      • dissect.eventlog.wevt
      • dissect.eventlog.wevt_object
      • dissect.eventlog.wevtutil
    • dissect.evidence
      • dissect.evidence.asdf
        • dissect.evidence.asdf.asdf
        • dissect.evidence.asdf.streams
      • dissect.evidence.tools
        • dissect.evidence.tools.asdf
          • dissect.evidence.tools.asdf.dd
          • dissect.evidence.tools.asdf.meta
          • dissect.evidence.tools.asdf.repair
          • dissect.evidence.tools.asdf.verify
      • dissect.evidence.ad1
      • dissect.evidence.aff4
      • dissect.evidence.ewf
      • dissect.evidence.exceptions
    • dissect.executable
      • dissect.executable.elf
        • dissect.executable.elf.c_elf
        • dissect.executable.elf.elf
      • dissect.executable.macho
      • dissect.executable.pe
      • dissect.executable.exception
    • dissect.extfs
      • dissect.extfs.c_ext
      • dissect.extfs.c_jdb2
      • dissect.extfs.exceptions
      • dissect.extfs.extfs
      • dissect.extfs.journal
    • dissect.fat
      • dissect.fat.c_exfat
      • dissect.fat.c_fat
      • dissect.fat.exceptions
      • dissect.fat.exfat
      • dissect.fat.fat
    • dissect.ffs
      • dissect.ffs.c_ffs
      • dissect.ffs.exceptions
      • dissect.ffs.ffs
    • dissect.fve
      • dissect.fve.bde
        • dissect.fve.bde.bde
        • dissect.fve.bde.c_bde
        • dissect.fve.bde.eow
        • dissect.fve.bde.information
        • dissect.fve.bde.keys
      • dissect.fve.crypto
        • dissect.fve.crypto.base
        • dissect.fve.crypto.elephant
        • dissect.fve.crypto.utils
      • dissect.fve.luks
        • dissect.fve.luks.af
        • dissect.fve.luks.c_luks
        • dissect.fve.luks.luks
        • dissect.fve.luks.metadata
      • dissect.fve.tools
        • dissect.fve.tools.dd
      • dissect.fve.exceptions
    • dissect.hypervisor
      • dissect.hypervisor.descriptor
        • dissect.hypervisor.descriptor.c_hyperv
        • dissect.hypervisor.descriptor.hyperv
        • dissect.hypervisor.descriptor.ovf
        • dissect.hypervisor.descriptor.pvs
        • dissect.hypervisor.descriptor.vbox
        • dissect.hypervisor.descriptor.vmx
      • dissect.hypervisor.disk
        • dissect.hypervisor.disk.c_hdd
        • dissect.hypervisor.disk.c_qcow2
        • dissect.hypervisor.disk.c_vdi
        • dissect.hypervisor.disk.c_vhd
        • dissect.hypervisor.disk.c_vhdx
        • dissect.hypervisor.disk.c_vmdk
        • dissect.hypervisor.disk.hdd
        • dissect.hypervisor.disk.qcow2
        • dissect.hypervisor.disk.vdi
        • dissect.hypervisor.disk.vhd
        • dissect.hypervisor.disk.vhdx
        • dissect.hypervisor.disk.vmdk
      • dissect.hypervisor.tools
        • dissect.hypervisor.tools.envelope
      • dissect.hypervisor.util
        • dissect.hypervisor.util.envelope
        • dissect.hypervisor.util.vmtar
      • dissect.hypervisor.exceptions
    • dissect.jffs
      • dissect.jffs.c_jffs2
      • dissect.jffs.exceptions
      • dissect.jffs.jffs2
    • dissect.ntfs
      • dissect.ntfs.attr
      • dissect.ntfs.c_ntfs
      • dissect.ntfs.exceptions
      • dissect.ntfs.index
      • dissect.ntfs.mft
      • dissect.ntfs.ntfs
      • dissect.ntfs.secure
      • dissect.ntfs.stream
      • dissect.ntfs.usnjrnl
      • dissect.ntfs.util
    • dissect.ole
      • dissect.ole.c_ole
      • dissect.ole.exceptions
      • dissect.ole.ole
    • dissect.regf
      • dissect.regf.c_regf
      • dissect.regf.exceptions
      • dissect.regf.regf
    • dissect.shellitem
      • dissect.shellitem.lnk
        • dissect.shellitem.lnk.c_lnk
        • dissect.shellitem.lnk.lnk
      • dissect.shellitem.tools
        • dissect.shellitem.tools.lnk
    • dissect.sql
      • dissect.sql.c_sqlite3
      • dissect.sql.exceptions
      • dissect.sql.sqlite3
      • dissect.sql.utils
    • dissect.squashfs
      • dissect.squashfs.c_squashfs
      • dissect.squashfs.compression
      • dissect.squashfs.exceptions
      • dissect.squashfs.squashfs
    • dissect.target
      • dissect.target.containers
        • dissect.target.containers.asdf
        • dissect.target.containers.ewf
        • dissect.target.containers.fortifw
        • dissect.target.containers.hdd
        • dissect.target.containers.hds
        • dissect.target.containers.qcow2
        • dissect.target.containers.raw
        • dissect.target.containers.split
        • dissect.target.containers.vdi
        • dissect.target.containers.vhd
        • dissect.target.containers.vhdx
        • dissect.target.containers.vmdk
      • dissect.target.filesystems
        • dissect.target.filesystems.ad1
        • dissect.target.filesystems.btrfs
        • dissect.target.filesystems.cb
        • dissect.target.filesystems.config
        • dissect.target.filesystems.cpio
        • dissect.target.filesystems.dir
        • dissect.target.filesystems.exfat
        • dissect.target.filesystems.extfs
        • dissect.target.filesystems.fat
        • dissect.target.filesystems.ffs
        • dissect.target.filesystems.itunes
        • dissect.target.filesystems.jffs
        • dissect.target.filesystems.ntfs
        • dissect.target.filesystems.overlay
        • dissect.target.filesystems.smb
        • dissect.target.filesystems.squashfs
        • dissect.target.filesystems.tar
        • dissect.target.filesystems.vmfs
        • dissect.target.filesystems.vmtar
        • dissect.target.filesystems.xfs
        • dissect.target.filesystems.zip
      • dissect.target.helpers
        • dissect.target.helpers.compat
          • dissect.target.helpers.compat.path_310
          • dissect.target.helpers.compat.path_311
          • dissect.target.helpers.compat.path_312
          • dissect.target.helpers.compat.path_313
          • dissect.target.helpers.compat.path_39
          • dissect.target.helpers.compat.path_common
        • dissect.target.helpers.nfs
          • dissect.target.helpers.nfs.client
          • dissect.target.helpers.nfs.demo
          • dissect.target.helpers.nfs.nfs3
          • dissect.target.helpers.nfs.serializer
        • dissect.target.helpers.sunrpc
          • dissect.target.helpers.sunrpc.client
          • dissect.target.helpers.sunrpc.serializer
          • dissect.target.helpers.sunrpc.sunrpc
        • dissect.target.helpers.cache
        • dissect.target.helpers.config
        • dissect.target.helpers.configutil
        • dissect.target.helpers.cyber
        • dissect.target.helpers.descriptor_extensions
        • dissect.target.helpers.docs
        • dissect.target.helpers.fsutil
        • dissect.target.helpers.hashutil
        • dissect.target.helpers.keychain
        • dissect.target.helpers.lazy
        • dissect.target.helpers.loaderutil
        • dissect.target.helpers.localeutil
        • dissect.target.helpers.mount
        • dissect.target.helpers.mui
        • dissect.target.helpers.polypath
        • dissect.target.helpers.protobuf
        • dissect.target.helpers.record
        • dissect.target.helpers.record_modifier
        • dissect.target.helpers.regutil
        • dissect.target.helpers.scrape
        • dissect.target.helpers.shell_application_ids
        • dissect.target.helpers.shell_folder_ids
        • dissect.target.helpers.utils
      • dissect.target.loaders
        • dissect.target.loaders.ab
        • dissect.target.loaders.ad1
        • dissect.target.loaders.asdf
        • dissect.target.loaders.cb
        • dissect.target.loaders.cyber
        • dissect.target.loaders.dir
        • dissect.target.loaders.hyperv
        • dissect.target.loaders.itunes
        • dissect.target.loaders.kape
        • dissect.target.loaders.libvirt
        • dissect.target.loaders.local
        • dissect.target.loaders.log
        • dissect.target.loaders.mqtt
        • dissect.target.loaders.multiraw
        • dissect.target.loaders.ova
        • dissect.target.loaders.overlay
        • dissect.target.loaders.ovf
        • dissect.target.loaders.phobos
        • dissect.target.loaders.profile
        • dissect.target.loaders.proxmox
        • dissect.target.loaders.pvm
        • dissect.target.loaders.pvs
        • dissect.target.loaders.raw
        • dissect.target.loaders.remote
        • dissect.target.loaders.res
        • dissect.target.loaders.smb
        • dissect.target.loaders.tanium
        • dissect.target.loaders.tar
        • dissect.target.loaders.target
        • dissect.target.loaders.utm
        • dissect.target.loaders.vb
        • dissect.target.loaders.vbox
        • dissect.target.loaders.velociraptor
        • dissect.target.loaders.vma
        • dissect.target.loaders.vmwarevm
        • dissect.target.loaders.vmx
        • dissect.target.loaders.xva
      • dissect.target.plugins
        • dissect.target.plugins.apps
          • dissect.target.plugins.apps.av
            • dissect.target.plugins.apps.av.mcafee
            • dissect.target.plugins.apps.av.sophos
            • dissect.target.plugins.apps.av.symantec
            • dissect.target.plugins.apps.av.trendmicro
          • dissect.target.plugins.apps.browser
            • dissect.target.plugins.apps.browser.brave
            • dissect.target.plugins.apps.browser.browser
            • dissect.target.plugins.apps.browser.chrome
            • dissect.target.plugins.apps.browser.chromium
            • dissect.target.plugins.apps.browser.edge
            • dissect.target.plugins.apps.browser.firefox
            • dissect.target.plugins.apps.browser.iexplore
          • dissect.target.plugins.apps.container
            • dissect.target.plugins.apps.container.docker
          • dissect.target.plugins.apps.database
          • dissect.target.plugins.apps.editor
            • dissect.target.plugins.apps.editor.editor
            • dissect.target.plugins.apps.editor.windowsnotepad
          • dissect.target.plugins.apps.other
            • dissect.target.plugins.apps.other.env
          • dissect.target.plugins.apps.productivity
            • dissect.target.plugins.apps.productivity.msoffice
            • dissect.target.plugins.apps.productivity.sevenzip
            • dissect.target.plugins.apps.productivity.winrar
          • dissect.target.plugins.apps.remoteaccess
            • dissect.target.plugins.apps.remoteaccess.anydesk
            • dissect.target.plugins.apps.remoteaccess.remoteaccess
            • dissect.target.plugins.apps.remoteaccess.teamviewer
          • dissect.target.plugins.apps.shell
            • dissect.target.plugins.apps.shell.powershell
            • dissect.target.plugins.apps.shell.wget
          • dissect.target.plugins.apps.ssh
            • dissect.target.plugins.apps.ssh.openssh
            • dissect.target.plugins.apps.ssh.opensshd
            • dissect.target.plugins.apps.ssh.putty
            • dissect.target.plugins.apps.ssh.ssh
          • dissect.target.plugins.apps.virtualization
            • dissect.target.plugins.apps.virtualization.vmware_workstation
          • dissect.target.plugins.apps.vpn
            • dissect.target.plugins.apps.vpn.openvpn
            • dissect.target.plugins.apps.vpn.wireguard
          • dissect.target.plugins.apps.webhosting
            • dissect.target.plugins.apps.webhosting.cpanel
          • dissect.target.plugins.apps.webserver
            • dissect.target.plugins.apps.webserver.apache
            • dissect.target.plugins.apps.webserver.caddy
            • dissect.target.plugins.apps.webserver.citrix
            • dissect.target.plugins.apps.webserver.iis
            • dissect.target.plugins.apps.webserver.nginx
            • dissect.target.plugins.apps.webserver.webserver
        • dissect.target.plugins.child
          • dissect.target.plugins.child.docker
          • dissect.target.plugins.child.esxi
          • dissect.target.plugins.child.hyperv
          • dissect.target.plugins.child.parallels
          • dissect.target.plugins.child.proxmox
          • dissect.target.plugins.child.qemu
          • dissect.target.plugins.child.virtuozzo
          • dissect.target.plugins.child.vmware_workstation
          • dissect.target.plugins.child.wsl
        • dissect.target.plugins.filesystem
          • dissect.target.plugins.filesystem.ntfs
            • dissect.target.plugins.filesystem.ntfs.mft
            • dissect.target.plugins.filesystem.ntfs.mft_timeline
            • dissect.target.plugins.filesystem.ntfs.usnjrnl
            • dissect.target.plugins.filesystem.ntfs.utils
          • dissect.target.plugins.filesystem.unix
            • dissect.target.plugins.filesystem.unix.capability
            • dissect.target.plugins.filesystem.unix.suid
          • dissect.target.plugins.filesystem.acquire_handles
          • dissect.target.plugins.filesystem.acquire_hash
          • dissect.target.plugins.filesystem.icat
          • dissect.target.plugins.filesystem.resolver
          • dissect.target.plugins.filesystem.walkfs
          • dissect.target.plugins.filesystem.yara
        • dissect.target.plugins.general
          • dissect.target.plugins.general.config
          • dissect.target.plugins.general.example
          • dissect.target.plugins.general.loaders
          • dissect.target.plugins.general.osinfo
          • dissect.target.plugins.general.plugins
          • dissect.target.plugins.general.users
        • dissect.target.plugins.os
          • dissect.target.plugins.os.default
            • dissect.target.plugins.os.default.network
          • dissect.target.plugins.os.unix
            • dissect.target.plugins.os.unix.bsd
              • dissect.target.plugins.os.unix.bsd.citrix
                • dissect.target.plugins.os.unix.bsd.citrix.history
              • dissect.target.plugins.os.unix.bsd.freebsd
              • dissect.target.plugins.os.unix.bsd.ios
              • dissect.target.plugins.os.unix.bsd.openbsd
              • dissect.target.plugins.os.unix.bsd.osx
                • dissect.target.plugins.os.unix.bsd.osx.network
                • dissect.target.plugins.os.unix.bsd.osx.user
            • dissect.target.plugins.os.unix.esxi
            • dissect.target.plugins.os.unix.etc
              • dissect.target.plugins.os.unix.etc.etc
            • dissect.target.plugins.os.unix.linux
              • dissect.target.plugins.os.unix.linux.android
              • dissect.target.plugins.os.unix.linux.debian
                • dissect.target.plugins.os.unix.linux.debian.proxmox
                  • dissect.target.plugins.os.unix.linux.debian.proxmox.vm
                • dissect.target.plugins.os.unix.linux.debian.vyos
                • dissect.target.plugins.os.unix.linux.debian.apt
                • dissect.target.plugins.os.unix.linux.debian.dpkg
                • dissect.target.plugins.os.unix.linux.debian.snap
              • dissect.target.plugins.os.unix.linux.fortios
                • dissect.target.plugins.os.unix.linux.fortios.generic
                • dissect.target.plugins.os.unix.linux.fortios.locale
              • dissect.target.plugins.os.unix.linux.redhat
                • dissect.target.plugins.os.unix.linux.redhat.yum
              • dissect.target.plugins.os.unix.linux.suse
                • dissect.target.plugins.os.unix.linux.suse.zypper
              • dissect.target.plugins.os.unix.linux.cmdline
              • dissect.target.plugins.os.unix.linux.environ
              • dissect.target.plugins.os.unix.linux.iptables
              • dissect.target.plugins.os.unix.linux.modules
              • dissect.target.plugins.os.unix.linux.netstat
              • dissect.target.plugins.os.unix.linux.network
              • dissect.target.plugins.os.unix.linux.network_managers
              • dissect.target.plugins.os.unix.linux.proc
              • dissect.target.plugins.os.unix.linux.processes
              • dissect.target.plugins.os.unix.linux.services
              • dissect.target.plugins.os.unix.linux.sockets
            • dissect.target.plugins.os.unix.locate
              • dissect.target.plugins.os.unix.locate.gnulocate
              • dissect.target.plugins.os.unix.locate.locate
              • dissect.target.plugins.os.unix.locate.mlocate
              • dissect.target.plugins.os.unix.locate.plocate
            • dissect.target.plugins.os.unix.log
              • dissect.target.plugins.os.unix.log.atop
              • dissect.target.plugins.os.unix.log.audit
              • dissect.target.plugins.os.unix.log.auth
              • dissect.target.plugins.os.unix.log.helpers
              • dissect.target.plugins.os.unix.log.journal
              • dissect.target.plugins.os.unix.log.lastlog
              • dissect.target.plugins.os.unix.log.messages
              • dissect.target.plugins.os.unix.log.utmp
            • dissect.target.plugins.os.unix.applications
            • dissect.target.plugins.os.unix.cronjobs
            • dissect.target.plugins.os.unix.datetime
            • dissect.target.plugins.os.unix.generic
            • dissect.target.plugins.os.unix.history
            • dissect.target.plugins.os.unix.locale
            • dissect.target.plugins.os.unix.packagemanager
            • dissect.target.plugins.os.unix.shadow
            • dissect.target.plugins.os.unix.trash
          • dissect.target.plugins.os.windows
            • dissect.target.plugins.os.windows.credential
              • dissect.target.plugins.os.windows.credential.credhist
              • dissect.target.plugins.os.windows.credential.lsa
              • dissect.target.plugins.os.windows.credential.sam
            • dissect.target.plugins.os.windows.defender
              • dissect.target.plugins.os.windows.defender.mplog
              • dissect.target.plugins.os.windows.defender.quarantine
            • dissect.target.plugins.os.windows.dpapi
              • dissect.target.plugins.os.windows.dpapi.keyprovider
                • dissect.target.plugins.os.windows.dpapi.keyprovider.credhist
                • dissect.target.plugins.os.windows.dpapi.keyprovider.empty
                • dissect.target.plugins.os.windows.dpapi.keyprovider.keychain
                • dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider
                • dissect.target.plugins.os.windows.dpapi.keyprovider.lsa
              • dissect.target.plugins.os.windows.dpapi.blob
              • dissect.target.plugins.os.windows.dpapi.crypto
              • dissect.target.plugins.os.windows.dpapi.dpapi
              • dissect.target.plugins.os.windows.dpapi.master_key
            • dissect.target.plugins.os.windows.exchange
              • dissect.target.plugins.os.windows.exchange.exchange
            • dissect.target.plugins.os.windows.log
              • dissect.target.plugins.os.windows.log.amcache
              • dissect.target.plugins.os.windows.log.etl
              • dissect.target.plugins.os.windows.log.evt
              • dissect.target.plugins.os.windows.log.evtx
              • dissect.target.plugins.os.windows.log.mssql
              • dissect.target.plugins.os.windows.log.pfro
              • dissect.target.plugins.os.windows.log.schedlgu
            • dissect.target.plugins.os.windows.regf
              • dissect.target.plugins.os.windows.regf.applications
              • dissect.target.plugins.os.windows.regf.appxdebugkeys
              • dissect.target.plugins.os.windows.regf.auditpol
              • dissect.target.plugins.os.windows.regf.bam
              • dissect.target.plugins.os.windows.regf.cam
              • dissect.target.plugins.os.windows.regf.cit
              • dissect.target.plugins.os.windows.regf.clsid
              • dissect.target.plugins.os.windows.regf.firewall
              • dissect.target.plugins.os.windows.regf.mru
              • dissect.target.plugins.os.windows.regf.muicache
              • dissect.target.plugins.os.windows.regf.nethist
              • dissect.target.plugins.os.windows.regf.recentfilecache
              • dissect.target.plugins.os.windows.regf.regf
              • dissect.target.plugins.os.windows.regf.runkeys
              • dissect.target.plugins.os.windows.regf.shellbags
              • dissect.target.plugins.os.windows.regf.shimcache
              • dissect.target.plugins.os.windows.regf.trusteddocs
              • dissect.target.plugins.os.windows.regf.usb
              • dissect.target.plugins.os.windows.regf.userassist
            • dissect.target.plugins.os.windows.tasks
              • dissect.target.plugins.os.windows.tasks.job
              • dissect.target.plugins.os.windows.tasks.records
              • dissect.target.plugins.os.windows.tasks.xml
            • dissect.target.plugins.os.windows.activitiescache
            • dissect.target.plugins.os.windows.adpolicy
            • dissect.target.plugins.os.windows.amcache
            • dissect.target.plugins.os.windows.catroot
            • dissect.target.plugins.os.windows.cim
            • dissect.target.plugins.os.windows.clfs
            • dissect.target.plugins.os.windows.datetime
            • dissect.target.plugins.os.windows.env
            • dissect.target.plugins.os.windows.generic
            • dissect.target.plugins.os.windows.jumplist
            • dissect.target.plugins.os.windows.lnk
            • dissect.target.plugins.os.windows.locale
            • dissect.target.plugins.os.windows.network
            • dissect.target.plugins.os.windows.notifications
            • dissect.target.plugins.os.windows.prefetch
            • dissect.target.plugins.os.windows.recyclebin
            • dissect.target.plugins.os.windows.registry
            • dissect.target.plugins.os.windows.services
            • dissect.target.plugins.os.windows.sru
            • dissect.target.plugins.os.windows.startupinfo
            • dissect.target.plugins.os.windows.syscache
            • dissect.target.plugins.os.windows.thumbcache
            • dissect.target.plugins.os.windows.ual
            • dissect.target.plugins.os.windows.wer
            • dissect.target.plugins.os.windows.wua_history
        • dissect.target.plugins.scrape
          • dissect.target.plugins.scrape.qfind
          • dissect.target.plugins.scrape.scrape
      • dissect.target.tools
        • dissect.target.tools.dump
          • dissect.target.tools.dump.run
          • dissect.target.tools.dump.state
          • dissect.target.tools.dump.utils
        • dissect.target.tools.build_pluginlist
        • dissect.target.tools.dd
        • dissect.target.tools.diff
        • dissect.target.tools.fs
        • dissect.target.tools.fsutils
        • dissect.target.tools.info
        • dissect.target.tools.logging
        • dissect.target.tools.mount
        • dissect.target.tools.qfind
        • dissect.target.tools.query
        • dissect.target.tools.reg
        • dissect.target.tools.report
        • dissect.target.tools.shell
        • dissect.target.tools.utils
        • dissect.target.tools.yara
      • dissect.target.volumes
        • dissect.target.volumes.bde
        • dissect.target.volumes.ddf
        • dissect.target.volumes.disk
        • dissect.target.volumes.luks
        • dissect.target.volumes.lvm
        • dissect.target.volumes.md
        • dissect.target.volumes.vmfs
      • dissect.target.container
      • dissect.target.exceptions
      • dissect.target.filesystem
      • dissect.target.loader
      • dissect.target.plugin
      • dissect.target.target
      • dissect.target.volume
    • dissect.thumbcache
      • dissect.thumbcache.tools
        • dissect.thumbcache.tools.extract_images
        • dissect.thumbcache.tools.extract_with_index
        • dissect.thumbcache.tools.utils
      • dissect.thumbcache.c_thumbcache
      • dissect.thumbcache.exceptions
      • dissect.thumbcache.index
      • dissect.thumbcache.thumbcache
      • dissect.thumbcache.thumbcache_file
      • dissect.thumbcache.util
    • dissect.util
      • dissect.util.compression
        • dissect.util.compression.lz4
        • dissect.util.compression.lznt1
        • dissect.util.compression.lzo
        • dissect.util.compression.lzxpress
        • dissect.util.compression.lzxpress_huffman
        • dissect.util.compression.sevenbit
        • dissect.util.compression.xz
      • dissect.util.encoding
        • dissect.util.encoding.surrogateescape
      • dissect.util.tools
        • dissect.util.tools.dump_nskeyedarchiver
      • dissect.util.cpio
      • dissect.util.crc32c
      • dissect.util.exceptions
      • dissect.util.feature
      • dissect.util.plist
      • dissect.util.sid
      • dissect.util.stream
      • dissect.util.ts
      • dissect.util.xmemoryview
    • dissect.vmfs
      • dissect.vmfs.c_vmfs
      • dissect.vmfs.exceptions
      • dissect.vmfs.lvm
      • dissect.vmfs.resource
      • dissect.vmfs.vmfs
    • dissect.volume
      • dissect.volume.ddf
        • dissect.volume.ddf.c_ddf
        • dissect.volume.ddf.ddf
      • dissect.volume.disk
        • dissect.volume.disk.schemes
          • dissect.volume.disk.schemes.apm
          • dissect.volume.disk.schemes.bsd
          • dissect.volume.disk.schemes.gpt
          • dissect.volume.disk.schemes.mbr
        • dissect.volume.disk.disk
        • dissect.volume.disk.partition
      • dissect.volume.dm
        • dissect.volume.dm.btree
        • dissect.volume.dm.c_dm
        • dissect.volume.dm.thin
      • dissect.volume.lvm
        • dissect.volume.lvm.c_lvm2
        • dissect.volume.lvm.lvm2
        • dissect.volume.lvm.metadata
        • dissect.volume.lvm.physical
      • dissect.volume.md
        • dissect.volume.md.c_md
        • dissect.volume.md.md
      • dissect.volume.raid
        • dissect.volume.raid.raid
        • dissect.volume.raid.stream
      • dissect.volume.vinum
        • dissect.volume.vinum.c_vinum
        • dissect.volume.vinum.config
        • dissect.volume.vinum.vinum
      • dissect.volume.exceptions
      • dissect.volume.ldm
      • dissect.volume.vss
    • dissect.xfs
      • dissect.xfs.c_xfs
      • dissect.xfs.exceptions
      • dissect.xfs.xfs
    • flow.record
      • flow.record.adapter
        • flow.record.adapter.archive
        • flow.record.adapter.avro
        • flow.record.adapter.broker
        • flow.record.adapter.csvfile
        • flow.record.adapter.duckdb
        • flow.record.adapter.elastic
        • flow.record.adapter.jsonfile
        • flow.record.adapter.line
        • flow.record.adapter.mongo
        • flow.record.adapter.split
        • flow.record.adapter.splunk
        • flow.record.adapter.sqlite
        • flow.record.adapter.stream
        • flow.record.adapter.text
        • flow.record.adapter.xlsx
      • flow.record.fieldtypes
        • flow.record.fieldtypes.net
          • flow.record.fieldtypes.net.ip
          • flow.record.fieldtypes.net.ipv4
          • flow.record.fieldtypes.net.tcp
          • flow.record.fieldtypes.net.udp
        • flow.record.fieldtypes.credential
      • flow.record.tools
        • flow.record.tools.geoip
        • flow.record.tools.rdump
      • flow.record.base
      • flow.record.exceptions
      • flow.record.jsonpacker
      • flow.record.packer
      • flow.record.selector
      • flow.record.stream
      • flow.record.utils
      • flow.record.whitelist

Contributing

  • Developing for Dissect
  • Style guide
  • Tooling
  • License

Resources

  • Dissect in Action
  • Talks and Conferences
  • Try in your browser
  • GitHub
  • PyPI
Back to top
View this page

dissect.executable¶

Subpackages¶

  • dissect.executable.elf
    • dissect.executable.elf.c_elf
    • dissect.executable.elf.elf
  • dissect.executable.macho
  • dissect.executable.pe

Submodules¶

  • dissect.executable.exception

Package Contents¶

Classes¶

ELF

class dissect.executable.ELF(fh: BinaryIO)¶
fh¶
e_ident¶
c_elf¶
header¶
segments¶
section_table¶
symbol_tables: list[SymbolTable]¶
__repr__() → str¶
dump() → bytes¶
property dynamic: bool¶
Next
dissect.executable.elf
Previous
dissect.evidence.exceptions
Copyright © 2023, Fox-IT part of NCC Group
Made with Sphinx and @pradyunsg's Furo
On this page
  • dissect.executable
    • Subpackages
    • Submodules
    • Package Contents
      • Classes
        • ELF
          • ELF.fh
          • ELF.e_ident
          • ELF.c_elf
          • ELF.header
          • ELF.segments
          • ELF.section_table
          • ELF.symbol_tables
          • ELF.__repr__()
          • ELF.dump()
          • ELF.dynamic