Path specifications
Terminology
In dfVFS a path specification is defines the location of a file system entry or data stream. It is comparable with the path on an operating system with the difference that the dfVFS path specification includes information about its parents, such a the volume system of the file system.
System-level path specification
A “system-level path specification” is a path specification that can be resolved by the operating system; typically TYPE_INDICATOR_OS or equivalent.
Type indicators
The dfVFS path specification type indicators are defined in:
dfvfs/lib/definitions.py
In your code use the type indicator as defined by dfVFS and not its value, in case it changes. The following is a list of type indicators as available in version 20220120.
Type indicator | Description |
---|---|
TYPE_INDICATOR_APFS | The Apple File System (APFS) type |
TYPE_INDICATOR_APFS_CONTAINER | The Apple File System (APFS) container volume system type |
TYPE_INDICATOR_BDE | The BitLocker Drive Entryption (BDE) volume system type |
TYPE_INDICATOR_COMPRESSED_STREAM | The compressed stream type |
TYPE_INDICATOR_CPIO | The cpio archive file type |
TYPE_INDICATOR_CS | The Core Storage (CS) volume system type, includes FileVault Disk Encryption (FVDE) |
TYPE_INDICATOR_DATA_RANGE | The data range type |
TYPE_INDICATOR_ENCODED_STREAM | The encoded stream type |
TYPE_INDICATOR_ENCRYPTED_STREAM | The encrypted stream type |
TYPE_INDICATOR_EWF | The EWF storage media image type |
TYPE_INDICATOR_EXT | The Extended file system (ext) type |
TYPE_INDICATOR_FAKE | The fake file system type |
TYPE_INDICATOR_GZIP | The gzip compressed file type |
TYPE_INDICATOR_LUKSDE | The LUKS drive encryption volume system type |
TYPE_INDICATOR_LVM | The Logical Volume Manager (LVM) volume system type |
TYPE_INDICATOR_MOUNT | Type to represent a mount point |
TYPE_INDICATOR_NTFS | The Windows NT file system (NTFS) type |
TYPE_INDICATOR_OS | The operating system type |
TYPE_INDICATOR_QCOW | The QCOW storage media image type |
TYPE_INDICATOR_RAW | The RAW storage media image type |
TYPE_INDICATOR_SQLITE_BLOB | The SQLite binary large objects (BLOB) type |
TYPE_INDICATOR_TAR | The tar archive file type |
TYPE_INDICATOR_TSK | The SleuthKit file system type |
TYPE_INDICATOR_TSK_PARTITION | The SleuthKit partition volume system type |
TYPE_INDICATOR_VHDI | The VHD storage media image type |
TYPE_INDICATOR_VMDK | The VMDK storage media image type |
TYPE_INDICATOR_VSHADOW | The VSS volume system type |
TYPE_INDICATOR_ZIP | The zip archive file type |
Addressing attributes
All types, with the exception of the operating system type, require a parent path specification addressing attribute.
The APFS file system type
The APFS type (TYPE_INDICATOR_APFS) is a type that addresses files stored within an Apple file system (APFS).
Attribute name | Description |
---|---|
identifier | The identifier of the file entry within the file system. Comparable to the catalog node identifier (CNID) on HFS. |
location | The location of the file entry |
parent | The parent path specification |
The APFS container volume system type
The APFS container type (TYPE_INDICATOR_APFS_CONTAINER) is a type that addresses volumes stored within a Apple file system (APFS) container.
Attribute name | Description |
---|---|
location | The location of the volume within the container |
parent | The parent path specification |
volume_index | The index of the volume within the container |
The BDE volume system type
The BDE type (TYPE_INDICATOR_BDE) is a type that addresses volumes stored within a BitLocker encrypted volume.
Attribute name | Description |
---|---|
password | The password to unlock the BitLocker volume |
parent | The parent path specification |
recovery_password | The recovery password to unlock the BitLocker volume |
startup_key | The name of the startup key file to unlock the BitLocker volume |
Note that it is recommended to use the credential manager instead of providing decryption keys (credentials) in a path specification.
The compressed stream type
The compressed stream type (TYPE_INDICATOR_COMPRESSED_STREAM) is an internal type that defines the following addressing attributes:
Attribute name | Description |
---|---|
compression_method | The method used to compress the stream |
parent | The parent path specification |
The cpio archive file type
The cpio type (TYPE_INDICATOR_CPIO) is a type that addresses files stored within the cpio archive file format.
Attribute name | Description |
---|---|
location | The location of the file entry within the cpio archive |
parent | The parent path specification |
The CS volume system type
The CS type (TYPE_INDICATOR_CS) is a type that addresses volumes stored within a Core Storage (CS) volume system.
Attribute name | Description |
---|---|
encrypted_root_plist | The path of the EncryptedRoot.plist.wipekey file to unlock a FileVault volume |
location | The location of the volume within the CS volume system |
password | The password to unlock an encrypted logical volume |
parent | The parent path specification |
recovery_password | The recovery password to unlock an encrypted logical volume |
volume_index | The index of the logical volume within the CS volume system |
Note that it is recommended to use the credential manager instead of providing decryption keys (credentials) in a path specification.
The data range type
The data range type (TYPE_INDICATOR_DATA_RANGE) is an internal type that defines the following addressing attributes:
Attribute name | Description |
---|---|
range_offset | The offset, in bytes, relative to the start of the parent file entry, where the data range starts |
range_size | The size, in bytes, of the data range |
parent | The parent path specification |
The encoded stream type
The encoded stream type (TYPE_INDICATOR_ENCODED_STREAM) is an internal type that defines the following addressing attributes:
Attribute name | Description |
---|---|
encoding_method | The method used to encode the stream |
parent | The parent path specification |
The encrypted stream type
The encrypted stream type (TYPE_INDICATOR_ENCRYPTED_STREAM) is an internal type that defines the following addressing attributes:
Attribute name | Description |
---|---|
cipher_mode | The cipher mode used by the encryption method, for example XTS |
encryption_method | The method used to encrypt the stream, for example AES |
initialization_vector | The initialization vector used to encrypt the stream |
key | The key used to encrypt the stream |
parent | The parent path specification |
Note that it is recommended to use the credential manager instead of providing decryption keys (credentials) in a path specification.
The EWF storage media image type
The EWF type (TYPE_INDICATOR_EWF) is a type that addresses storage media images stored within the Expert Witness (Compression) Format.
Attribute name | Description |
---|---|
parent | The parent path specification |
Note that at the moment this type is not addressable as a file system.
Note that at the moment L01 or Lx01 files are not supported.
The EXT file system type
The EXT type (TYPE_INDICATOR_EXT) is a type that addresses files stored within a Extended file system (ext).
Attribute name | Description |
---|---|
location | The location of the file entry |
inode | The inode number of the file entry |
The fake file system type
The FAKE type (TYPE_INDICATOR_FAKE) is a virtual file system intended for testing purposes.
Attribute name | Description |
---|---|
location | The location of the file entry |
parent | The parent path specification, must be None |
The gzip file type
The GZIP type (TYPE_INDICATOR_GZIP) is a type that addresses data stored within the gzip compressed stream file format.
Attribute name | Description |
---|---|
parent | The parent path specification |
The LUKSDE volume system type
The LUKSDE type (TYPE_INDICATOR_LUKSDE) is a type that addresses volumes stored within a LUKS encrypted volume.
Attribute name | Description |
---|---|
password | The password to unlock the FileVault volume |
parent | The parent path specification |
The LVM volume system type
The LVM type (TYPE_INDICATOR_LVM) is a type that addresses volumes stored within a Logical Volume Manager (LVM) volume system.
Attribute name | Description |
---|---|
location | The location of the volume within the LVM volume system |
parent | The parent path specification |
volume_index | The index of the logical volume within the LVM volume system |
The mount type
The MOUNT type (TYPE_INDICATOR_MOUNT) is a type that defines a mount point within dfVFS. Also see the mount point manager.
Attribute name | Description |
---|---|
identifier | The identifier of the mount point |
parent | The parent path specification, must be None |
The NTFS file system type
The NTFS type (TYPE_INDICATOR_NTFS) is a type that addresses files stored within a Windows NT file system (NTFS).
Attribute name | Description |
---|---|
data_stream | The name of the data stream in the file entry |
location | The location of the file entry |
mft_attribute | The index of the $FILE_NAME of the MFT attribute within the MFT entry that contains the name of the file entry |
mft_entry | The identifier of the MFT entry within the file system |
parent | The parent path specification |
The operating system type
The OS type (TYPE_INDICATOR_OS) is a type that addresses files stored within an operating system.
Attribute name | Description |
---|---|
location | The operating system specific location of the file entry which corresponds to the path. E.g. C:\Windows\System32\config\SAM or /etc/passwd |
parent | The parent path specification, must be None |
The QCOW storage media image type
The QCOW type (TYPE_INDICATOR_QCOW) is a type that addresses storage media images stored within the QCOW image format, version 1, 2 and 3.
Attribute name | Description |
---|---|
parent | The parent path specification |
Note that at the moment this type is not addressable as a file system.
The RAW storage media image type
The RAW storage media image type (TYPE_INDICATOR_RAW) is a type that addresses storage media images stored within the RAW image format.
Attribute name | Description |
---|---|
parent | The parent path specification |
Note that at the moment this type is not addressable as a file system.
The SQlite blob file type
The SQlite blob type (TYPE_INDICATOR_SQLITE_BLOB) is a type that addresses files stored within a blob within a SQLite file.
Attribute name | Description |
---|---|
column_name | The name of the column in which the blob is stored |
parent | The parent path specification |
row_condition | A condition that matches the row in which the blob is stored |
row_index | The index of the row in which the blob is stored |
table_name | The name of the table in which the blob is stored |
The tar archive file type
The TAR type (TYPE_INDICATOR_TAR) is a type that addresses files stored within the tar archive file format.
Attribute name | Description |
---|---|
location | The location of the file entry within the tar archive |
parent | The parent path specification |
Note that to access e.g. a .tar.gz the a path specification of type TAR should be stacked on top of one of type GZIP.
The SleuthKit file system type
The TSK type (TYPE_INDICATOR_TSK) is a type that addresses files stored within a SleuthKit supported file system.
Attribute name | Description |
---|---|
inode | The inode number of the file entry |
location | The location of the file entry |
parent | The parent path specification |
The SleuthKit volume system type
The TSK_PARTITION type (TYPE_INDICATOR_TSK_PARTITION) is a type that addresses volumes stored within a SleuthKit supported volume system, which largely consists of support for the APM, GPT and MBR partitioning systems.
Attribute name | Description |
---|---|
location | The location of the volume within the volume system |
parent | The parent path specification |
part_index | The SleuthKit part index that indicates the volume within the volume system |
start_offset | The start offset, in bytes, of the volume within the volume system |
The VHD storage media image type
The VHDI type (TYPE_INDICATOR_VHDI) is a type that addresses storage media images stored within the Virtual Hard Disk Image format.
Attribute name | Description |
---|---|
parent | The parent path specification |
Note that at the moment this type is not addressable as a file system.
The VMDK storage media image type
The VMDK type (TYPE_INDICATOR_VMDK) is a type that addresses storage media images stored within the VMWare Virtual Disk Format.
Attribute name | Description |
---|---|
parent | The parent path specification |
Note that at the moment this type is not addressable as a file system.
The VSS volume system type
The VSHADOW type (TYPE_INDICATOR_VSHADOW) is a type that addresses volumes stored within the Volume Shadow Snapshots (VSS).
Attribute name | Description |
---|---|
location | The location of the volume within the volume system |
parent | The parent path specification |
store_index | The store index of the volume within the volume system |
The zip archive file type
The ZIP type (TYPE_INDICATOR_ZIP) is a type that addresses files stored within the zip archive file format.
Attribute name | Description |
---|---|
location | The location of the file entry within the zip archive |
parent | The parent path specification |