dissect.target.loaders.velociraptor

Module Contents

Classes

VelociraptorLoader	Load Rapid7 Velociraptor forensic image files.
VelociraptorDirectoryFilesystem	Base class for filesystems.
VelociraptorZipFilesystem	Filesystem implementation for zip files.

Functions

find_fs_directories
extract_drive_letter

Attributes

log
FILESYSTEMS_ROOT
UNIX_ACCESSORS
WINDOWS_ACCESSORS

dissect.target.loaders.velociraptor.log

dissect.target.loaders.velociraptor.FILESYSTEMS_ROOT = 'uploads'

dissect.target.loaders.velociraptor.UNIX_ACCESSORS = ['file', 'auto']

dissect.target.loaders.velociraptor.WINDOWS_ACCESSORS = ['mft', 'ntfs', 'lazy_ntfs', 'ntfs_vss', 'auto']

dissect.target.loaders.velociraptor.find_fs_directories(path: pathlib.Path) → tuple[dissect.target.plugin.OperatingSystem | None, list[pathlib.Path] | None]

dissect.target.loaders.velociraptor.extract_drive_letter(name: str) → str | None

class dissect.target.loaders.velociraptor.VelociraptorLoader(path: pathlib.Path, **kwargs)

Bases: dissect.target.loaders.dir.DirLoader

Load Rapid7 Velociraptor forensic image files.

As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system. Generic.Collectors.File (Unix) uses the accessors file and auto. The loader supports the following configuration:

{"Generic.Collectors.File":{"Root":"/","collectionSpec":"Glob\netc/**\nvar/log/**"}}

Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors mft, ntfs, lazy_ntfs, ntfs_vss and auto. The loader supports a collection where multiple accessors were used.

References

• https://www.rapid7.com/products/velociraptor/

• https://docs.velociraptor.app/

• https://github.com/Velocidex/velociraptor

static detect(path: pathlib.Path) → bool

Detects wether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target: dissect.target.Target) → None

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.

class dissect.target.loaders.velociraptor.VelociraptorDirectoryFilesystem(path: pathlib.Path, *args, **kwargs)

Bases: dissect.target.filesystems.dir.DirectoryFilesystem

Base class for filesystems.

class dissect.target.loaders.velociraptor.VelociraptorZipFilesystem(fh: BinaryIO, base: str | None = None, *args, **kwargs)

Bases: dissect.target.filesystems.zip.ZipFilesystem

Filesystem implementation for zip files.

Python does not have symlink support in the zipfile module, so that’s not currently supported. See https://github.com/python/cpython/issues/82102 for more information.