dissect.target.loaders.velociraptor#

Module Contents#

Classes#

VelociraptorLoader

Load Rapid7 Velociraptor forensic image files.

Functions#

find_fs_directories

extract_drive_letter

Attributes#

log

FILESYSTEMS_ROOT

UNIX_ACCESSORS

WINDOWS_ACCESSORS

dissect.target.loaders.velociraptor.log#
dissect.target.loaders.velociraptor.FILESYSTEMS_ROOT = 'uploads'#
dissect.target.loaders.velociraptor.UNIX_ACCESSORS = ['file', 'auto']#
dissect.target.loaders.velociraptor.WINDOWS_ACCESSORS = ['mft', 'ntfs', 'lazy_ntfs', 'ntfs_vss', 'auto']#
dissect.target.loaders.velociraptor.find_fs_directories(path: pathlib.Path) tuple[dissect.target.plugin.OperatingSystem | None, list[pathlib.Path] | None]#
dissect.target.loaders.velociraptor.extract_drive_letter(name: str) str | None#
class dissect.target.loaders.velociraptor.VelociraptorLoader(path: pathlib.Path, **kwargs)#

Bases: dissect.target.loaders.dir.DirLoader

Load Rapid7 Velociraptor forensic image files.

As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system. Generic.Collectors.File (Unix) uses the accessors file and auto. The loader supports the following configuration:

{"Generic.Collectors.File":{"Root":"/","collectionSpec":"Glob\netc/**\nvar/log/**"}}

Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors mft, ntfs, lazy_ntfs, ntfs_vss and auto. The loader only supports a collection where a single accessor is used, which can be forced by using the following configuration:

{"Windows.KapeFiles.Targets":{"VSSAnalysisAge":"1000","_SANS_Triage":"Y"}}

References

static detect(path: pathlib.Path) bool#

Detects wether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target: dissect.target.Target) None#

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.