dfvfs.analyzer package

Submodules

dfvfs.analyzer.analyzer module

The format analyzer.

class dfvfs.analyzer.analyzer.Analyzer[source]

Bases: object

Format analyzer.

classmethod DeregisterHelper(analyzer_helper)[source]

Deregisters a format analyzer helper.

Parameters:: analyzer_helper (AnalyzerHelper) – analyzer helper.
Raises:: KeyError – if analyzer helper object is not set for the corresponding type indicator.

classmethod GetArchiveTypeIndicators(path_spec, resolver_context=None)[source]

Determines if a file contains a supported archive types.

Parameters:

path_spec (PathSpec) – path specification.
resolver_context (Optional[Context]) – resolver context, where None represents the built-in context which is not multi process safe.

Returns:

supported format type indicators.

Return type:

list[str]

classmethod GetCompressedStreamTypeIndicators(path_spec, resolver_context=None)[source]

Determines if a file contains a supported compressed stream types.

Parameters:

path_spec (PathSpec) – path specification.
resolver_context (Optional[Context]) – resolver context, where None represents the built-in context which is not multi process safe.

Returns:

supported format type indicators.

Return type:

list[str]

classmethod GetFileSystemTypeIndicators(path_spec, resolver_context=None)[source]

Determines if a file contains a supported file system types.

Parameters:

path_spec (PathSpec) – path specification.
resolver_context (Optional[Context]) – resolver context, where None represents the built-in context which is not multi process safe.

Returns:

supported format type indicators.

Return type:

list[str]

classmethod GetStorageMediaImageTypeIndicators(path_spec, resolver_context=None)[source]

Determines if a file contains a supported storage media image types.

Parameters:

path_spec (PathSpec) – path specification.
resolver_context (Optional[Context]) – resolver context, where None represents the built-in context which is not multi process safe.

Returns:

supported format type indicators.

Return type:

list[str]

classmethod GetVolumeSystemTypeIndicators(path_spec, resolver_context=None)[source]

Determines if a file contains a supported volume system types.

Parameters:

path_spec (PathSpec) – path specification.
resolver_context (Optional[Context]) – resolver context, where None represents the built-in context which is not multi process safe.

Returns:

supported format type indicators.

Return type:

list[str]

classmethod RegisterHelper(analyzer_helper)[source]

Registers a format analyzer helper.

Parameters:: analyzer_helper (AnalyzerHelper) – analyzer helper.
Raises:: KeyError – if analyzer helper object is already set for the corresponding type indicator.

dfvfs.analyzer.analyzer_helper module

The analyzer helper interface.

class dfvfs.analyzer.analyzer_helper.AnalyzerHelper[source]

Bases: object

Analyzer helper interface.

AnalyzeFileObject(file_object)[source]

Retrieves the format specification.

This is the fall through implementation that raises a RuntimeError.

Parameters:

file_object (FileIO) – file-like object.

Returns:

type indicator if the file-like object contains a supported format: or None otherwise.

Return type:

str

Raises:

NotSupported – since this is the fall through implementation.

GetFormatSpecification()[source]

Retrieves the format specification.

This is the fall through implementation that returns None.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

IsEnabled()[source]

Determines if the analyzer helper is enabled.

Returns:: True if the analyzer helper is enabled.
Return type:: bool

__init__()[source]

Initializes an analyzer helper.

Raises:: ValueError – if a derived analyzer helper class does not define format categories or a type indicator.

property format_categories

Retrieves the format categories.

The format categories are defined in definitions.FORMAT_CATEGORIES.

Returns:: format categories, such as archive file or file system.
Return type:: set[str]

property type_indicator

Retrieves the type indicator.

Returns:: type indicator or None if not available.
Return type:: str

dfvfs.analyzer.apfs_analyzer_helper module

The APFS format analyzer helper implementation.

class dfvfs.analyzer.apfs_analyzer_helper.APFSAnalyzerHelper[source]

Bases: AnalyzerHelper

APFS analyzer helper.

FORMAT_CATEGORIES = frozenset({4})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'APFS'

dfvfs.analyzer.apfs_container_analyzer_helper module

The APFS container format analyzer helper implementation.

class dfvfs.analyzer.apfs_container_analyzer_helper.APFSContainerAnalyzerHelper[source]

Bases: AnalyzerHelper

APFS container analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'APFS_CONTAINER'

dfvfs.analyzer.apm_analyzer_helper module

The Apple Partition Map (APM) format analyzer helper implementation.

class dfvfs.analyzer.apm_analyzer_helper.APMAnalyzerHelper[source]

Bases: AnalyzerHelper

APM analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

IsEnabled()[source]

Determines if the analyzer helper is enabled.

Returns:: True if the analyzer helper is enabled.
Return type:: bool

TYPE_INDICATOR = 'APM'

dfvfs.analyzer.bde_analyzer_helper module

The BDE format analyzer helper implementation.

class dfvfs.analyzer.bde_analyzer_helper.BDEAnalyzerHelper[source]

Bases: AnalyzerHelper

BDE analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'BDE'

dfvfs.analyzer.bzip2_analyzer_helper module

The BZIP2 format analyzer helper implementation.

class dfvfs.analyzer.bzip2_analyzer_helper.BZIP2AnalyzerHelper[source]

Bases: AnalyzerHelper

BZIP2 analyzer helper.

FORMAT_CATEGORIES = frozenset({2})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'BZIP2'

dfvfs.analyzer.cpio_analyzer_helper module

The CPIO format analyzer helper implementation.

class dfvfs.analyzer.cpio_analyzer_helper.CPIOAnalyzerHelper[source]

Bases: AnalyzerHelper

CPIO analyzer helper.

FORMAT_CATEGORIES = frozenset({1})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'CPIO'

dfvfs.analyzer.cs_analyzer_helper module

The Core Storage (CS) format analyzer helper implementation.

class dfvfs.analyzer.cs_analyzer_helper.CSAnalyzerHelper[source]

Bases: AnalyzerHelper

Core Storage (CS) analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'CS'

dfvfs.analyzer.ewf_analyzer_helper module

The EWF format analyzer helper implementation.

class dfvfs.analyzer.ewf_analyzer_helper.EWFAnalyzerHelper[source]

Bases: AnalyzerHelper

EWF analyzer helper.

FORMAT_CATEGORIES = frozenset({1, 5})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'EWF'

dfvfs.analyzer.ext_analyzer_helper module

The EXT format analyzer helper implementation.

class dfvfs.analyzer.ext_analyzer_helper.EXTAnalyzerHelper[source]

Bases: AnalyzerHelper

EXT analyzer helper.

FORMAT_CATEGORIES = frozenset({4})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

IsEnabled()[source]

Determines if the analyzer helper is enabled.

Returns:: True if the analyzer helper is enabled.
Return type:: bool

TYPE_INDICATOR = 'EXT'

dfvfs.analyzer.fat_analyzer_helper module

The FAT format analyzer helper implementation.

class dfvfs.analyzer.fat_analyzer_helper.FATAnalyzerHelper[source]

Bases: AnalyzerHelper

FAT analyzer helper.

FORMAT_CATEGORIES = frozenset({4})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

IsEnabled()[source]

Determines if the analyzer helper is enabled.

Returns:: True if the analyzer helper is enabled.
Return type:: bool

TYPE_INDICATOR = 'FAT'

dfvfs.analyzer.gpt_analyzer_helper module

The GUID Partition Table (GPT) format analyzer helper implementation.

class dfvfs.analyzer.gpt_analyzer_helper.GPTAnalyzerHelper[source]

Bases: AnalyzerHelper

GPT analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

IsEnabled()[source]

Determines if the analyzer helper is enabled.

Returns:: True if the analyzer helper is enabled.
Return type:: bool

TYPE_INDICATOR = 'GPT'

dfvfs.analyzer.gzip_analyzer_helper module

The GZIP format analyzer helper implementation.

class dfvfs.analyzer.gzip_analyzer_helper.GzipAnalyzerHelper[source]

Bases: AnalyzerHelper

GZIP analyzer helper.

FORMAT_CATEGORIES = frozenset({2})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'GZIP'

dfvfs.analyzer.hfs_analyzer_helper module

The HFS format analyzer helper implementation.

class dfvfs.analyzer.hfs_analyzer_helper.HFSAnalyzerHelper[source]

Bases: AnalyzerHelper

HFS analyzer helper.

FORMAT_CATEGORIES = frozenset({4})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

IsEnabled()[source]

Determines if the analyzer helper is enabled.

Returns:: True if the analyzer helper is enabled.
Return type:: bool

TYPE_INDICATOR = 'HFS'

dfvfs.analyzer.luksde_analyzer_helper module

The LUKSDE format analyzer helper implementation.

class dfvfs.analyzer.luksde_analyzer_helper.LUKSDEAnalyzerHelper[source]

Bases: AnalyzerHelper

LUKSDE analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'LUKSDE'

dfvfs.analyzer.lvm_analyzer_helper module

The Logical Volume Manager (LVM) format analyzer helper implementation.

class dfvfs.analyzer.lvm_analyzer_helper.LVMAnalyzerHelper[source]

Bases: AnalyzerHelper

LVM analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'LVM'

dfvfs.analyzer.modi_analyzer_helper module

The Mac OS disk image (MODI) format analyzer helper implementation.

class dfvfs.analyzer.modi_analyzer_helper.MODIAnalyzerHelper[source]

Bases: AnalyzerHelper

Mac OS disk image (MODI) analyzer helper.

FORMAT_CATEGORIES = frozenset({5})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'MODI'

dfvfs.analyzer.ntfs_analyzer_helper module

The NTFS format analyzer helper implementation.

class dfvfs.analyzer.ntfs_analyzer_helper.NTFSAnalyzerHelper[source]

Bases: AnalyzerHelper

NTFS analyzer helper.

FORMAT_CATEGORIES = frozenset({4})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

IsEnabled()[source]

Determines if the analyzer helper is enabled.

Returns:: True if the analyzer helper is enabled.
Return type:: bool

TYPE_INDICATOR = 'NTFS'

dfvfs.analyzer.phdi_analyzer_helper module

The PHDI format analyzer helper implementation.

class dfvfs.analyzer.phdi_analyzer_helper.PHDIAnalyzerHelper[source]

Bases: AnalyzerHelper

PHDI analyzer helper.

FORMAT_CATEGORIES = frozenset({5})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'PHDI'

dfvfs.analyzer.qcow_analyzer_helper module

The QCOW format analyzer helper implementation.

class dfvfs.analyzer.qcow_analyzer_helper.QCOWAnalyzerHelper[source]

Bases: AnalyzerHelper

QCOW analyzer helper.

FORMAT_CATEGORIES = frozenset({5})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'QCOW'

dfvfs.analyzer.specification module

The format specification classes.

class dfvfs.analyzer.specification.FormatSpecification(identifier)[source]

Bases: object

Format specification.

AddNewSignature(pattern, offset=None)[source]

Adds a signature.

Parameters:

pattern (bytes) – pattern of the signature. Wildcards or regular pattern (regexp) are not supported.
offset (Optional[int]) – offset of the signature, where None indicates the signature has no offset. A positive offset or 0 is relative from the start of the data a negative offset is relative to the end of the data.

__init__(identifier)[source]

Initializes a specification.

Parameters:: identifier (str) – unique name for the format.

class dfvfs.analyzer.specification.FormatSpecificationStore[source]

Bases: object

Store for format specifications.

AddNewSpecification(identifier)[source]

Adds a new format specification.

Parameters:: identifier (str) – unique signature identifier for a specification store.
Returns:: format specification.
Return type:: FormatSpecification
Raises:: KeyError – if the store already contains a specification with the same identifier.

AddSpecification(specification)[source]

Adds a specification.

Parameters:: specification (FormatSpecification) – format specification.
Raises:: KeyError – if the store already contains a specification with the same identifier.

GetSpecificationBySignature(signature_identifier)[source]

Retrieves a specification mapped to a signature identifier.

Parameters:

signature_identifier (str) – unique signature identifier for a specification store.

Returns:

A format specification or None if the signature: identifier does not exist within the specification store.

Return type:

FormatSpecification

__init__()[source]: Initializes a format specification store.

property specifications

Retrieves the format specifications.

Returns:: format specifications.
Return type:: generator[FormatSpecification]

class dfvfs.analyzer.specification.Signature(pattern, offset=None)[source]

Bases: object

Signature of a format specification.

The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.

identifier

unique signature identifier for a specification store.

Type:: str

offset

offset of the signature, where None indicates the signature has no offset. A positive offset or 0 is relative to the start of the data a negative offset is relative to the end of the data.

Type:: int

pattern

pattern of the signature.

Type:: bytes

SetIdentifier(identifier)[source]

Sets the identifier of the signature in the specification store.

Parameters:: identifier (str) – unique signature identifier for a specification store.

__init__(pattern, offset=None)[source]

Initializes a signature.

Parameters:

pattern (bytes) – pattern of the signature. Wildcards or regular pattern (regexp) are not supported.
offset (Optional[int]) – offset of the signature, where None indicates the signature has no offset. A positive offset or 0 is relative from the start of the data a negative offset is relative to the end of the data.

dfvfs.analyzer.tar_analyzer_helper module

The TAR format analyzer helper implementation.

class dfvfs.analyzer.tar_analyzer_helper.TARAnalyzerHelper[source]

Bases: AnalyzerHelper

TAR analyzer helper.

FORMAT_CATEGORIES = frozenset({1})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'TAR'

dfvfs.analyzer.tsk_analyzer_helper module

The SleuthKit (TSK) format analyzer helper implementation.

class dfvfs.analyzer.tsk_analyzer_helper.TSKAnalyzerHelper[source]

Bases: AnalyzerHelper

TSK analyzer helper.

FORMAT_CATEGORIES = frozenset({4})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'TSK'

dfvfs.analyzer.tsk_partition_analyzer_helper module

The SleuthKit (TSK) partition format analyzer helper implementation.

class dfvfs.analyzer.tsk_partition_analyzer_helper.TSKPartitionAnalyzerHelper[source]

Bases: AnalyzerHelper

TSK partition analyzer helper.

AnalyzeFileObject(file_object)[source]

Retrieves the format specification.

Parameters:

file_object (FileIO) – file-like object.

Returns:

type indicator if the file-like object contains a supported format: or None otherwise.

Return type:

str

FORMAT_CATEGORIES = frozenset({6})

TYPE_INDICATOR = 'TSK_PARTITION'

dfvfs.analyzer.vhdi_analyzer_helper module

The Virtual Hard Disk image (VHDI) format analyzer helper implementation.

class dfvfs.analyzer.vhdi_analyzer_helper.VHDIAnalyzerHelper[source]

Bases: AnalyzerHelper

Virtual Hard Disk image (VHDI) analyzer helper.

FORMAT_CATEGORIES = frozenset({5})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'VHDI'

dfvfs.analyzer.vmdk_analyzer_helper module

The VMDK format analyzer helper implementation.

class dfvfs.analyzer.vmdk_analyzer_helper.VMDKAnalyzerHelper[source]

Bases: AnalyzerHelper

VMDK analyzer helper.

FORMAT_CATEGORIES = frozenset({5})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'VMDK'

dfvfs.analyzer.vshadow_analyzer_helper module

The Volume Shadow Snapshots (VSS) format analyzer helper implementation.

class dfvfs.analyzer.vshadow_analyzer_helper.VShadowAnalyzerHelper[source]

Bases: AnalyzerHelper

VSS analyzer helper.

FORMAT_CATEGORIES = frozenset({6})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'VSHADOW'

dfvfs.analyzer.xfs_analyzer_helper module

The XFS format analyzer helper implementation.

class dfvfs.analyzer.xfs_analyzer_helper.XFSAnalyzerHelper[source]

Bases: AnalyzerHelper

XFS analyzer helper.

FORMAT_CATEGORIES = frozenset({4})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'XFS'

dfvfs.analyzer.xz_analyzer_helper module

The XZ format analyzer helper implementation.

class dfvfs.analyzer.xz_analyzer_helper.XZAnalyzerHelper[source]

Bases: AnalyzerHelper

XZ analyzer helper.

FORMAT_CATEGORIES = frozenset({2})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'XZ'

dfvfs.analyzer.zip_analyzer_helper module

The ZIP format analyzer helper implementation.

class dfvfs.analyzer.zip_analyzer_helper.ZipAnalyzerHelper[source]

Bases: AnalyzerHelper

ZIP analyzer helper.

FORMAT_CATEGORIES = frozenset({1})

GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification or None if the format cannot: be defined by a specification object.

Return type:

FormatSpecification

TYPE_INDICATOR = 'ZIP'

Module contents

Imports for the format analyzer.