dfvfs.lib package

Submodules

dfvfs.lib.apfs_helper module

Helper functions for Apple File System (APFS) support.

dfvfs.lib.apfs_helper.APFSUnlockVolume(fsapfs_volume, path_spec, key_chain)[source]

Unlocks an APFS volume using the path specification.

Parameters

  • fsapfs_volume (pyapfs.volume) – APFS volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns

True if the volume is unlocked, False otherwise.

Return type

bool

dfvfs.lib.apm_helper module

Helper functions for Apple Partition Map (APM) support.

dfvfs.lib.apm_helper.APMPathSpecGetEntryIndex(path_spec)[source]

Retrieves the entry index from the path specification.

Parameters

path_spec (PathSpec) – path specification.

Returns

entry index or None if not available.

Return type

int

dfvfs.lib.bde_helper module

Helper function for BitLocker Drive Encryption (BDE) support.

dfvfs.lib.bde_helper.BDEOpenVolume(bde_volume, path_spec, file_object, key_chain)[source]

Opens the BDE volume using the path specification.

Parameters

  • bde_volume (pybde.volume) – BDE volume.

  • path_spec (PathSpec) – path specification.

  • file_object (FileIO) – file-like object.

  • key_chain (KeyChain) – key chain.

dfvfs.lib.bde_helper.BDEUnlockVolume(bde_volume, path_spec, key_chain)[source]

Unlocks a BDE volume using the path specification.

Parameters

  • bde_volume (pybde.volume) – BDE volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns

True if the volume is unlocked, False otherwise.

Return type

bool

dfvfs.lib.cpio module

Copy in and out (CPIO) archive file.

class dfvfs.lib.cpio.CPIOArchiveFile(encoding='utf-8')[source]

Bases: DataFormat

CPIO archive file.

file_format

CPIO file format.

Type

str

Close()[source]

Closes the CPIO archive file.

FileEntryExistsByPath(path)[source]

Determines if file entry for a specific path exists.

Returns

True if the file entry exists.

Return type

bool

GetFileEntries(path_prefix='')[source]

Retrieves the file entries.

Parameters

path_prefix (str) – path prefix.

Yields

CPIOArchiveFileEntry – a CPIO archive file entry.

GetFileEntryByPath(path)[source]

Retrieves a file entry for a specific path.

Returns

a CPIO archive file entry or None if not available.

Return type

CPIOArchiveFileEntry

Open(file_object)[source]

Opens the CPIO archive file.

Parameters

file_object (FileIO) – a file-like object.

Raises

  • IOError – if the file format signature is not supported.

  • OSError – if the file format signature is not supported.

ReadDataAtOffset(file_offset, size)[source]

Reads a byte string from the file-like object at a specific offset.

Parameters

  • file_offset (int) – file offset.

  • size (int) – number of bytes to read.

Returns

data read.

Return type

bytes

Raises

  • IOError – if the read failed.

  • OSError – if the read failed.

property encoding

encoding of paths within the archive file.

Type

str

file_object = <_io.BufferedReader name='/home/docs/checkouts/readthedocs.org/user_builds/dfvfs/checkouts/latest/dfvfs/lib/cpio.yaml'>
class dfvfs.lib.cpio.CPIOArchiveFileEntry[source]

Bases: object

CPIO archive file entry.

data_offset

data start offset.

Type

int

data_size

data size.

Type

int

group_identifier

group identifier (gid).

Type

int

inode_number

inode number.

Type

int

mode

mode.

Type

int

modification_time

modification POSIX timestamp.

Type

int

number of hard links.

Type

int

path

path.

Type

str

size

archive file entry record size.

Type

int

user_identifier

user identifier (uid).

Type

int

dfvfs.lib.cs_helper module

Helper function for Core Storage (CS) support.

dfvfs.lib.cs_helper.CSPathSpecGetVolumeIndex(path_spec)[source]

Retrieves the volume index from the path specification.

Parameters

path_spec (PathSpec) – path specification.

Returns

volume index or None if not available.

Return type

int

dfvfs.lib.cs_helper.CSUnlockLogicalVolume(fvde_logical_volume, path_spec, key_chain)[source]

Unlocks a Core Storage logical volume using the path specification.

Parameters

  • fvde_logical_volume (pyfvde.logical_volume) – Core Storage logical volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns

True if the volume is unlocked, False otherwise.

Return type

bool

dfvfs.lib.data_format module

dtFabric data format helpers.

class dfvfs.lib.data_format.DataFormat[source]

Bases: object

Data format.

dfvfs.lib.decorators module

Function decorators.

dfvfs.lib.decorators.deprecated(function)[source]

Decorator to mark functions or methods as deprecated.

dfvfs.lib.definitions module

The Virtual File System (VFS) definitions.

dfvfs.lib.errors module

The Virtual File System (VFS) error classes.

exception dfvfs.lib.errors.AccessError[source]

Bases: Error

Error indicating that a resource could not be accessed.

exception dfvfs.lib.errors.BackEndError[source]

Bases: Error

Error indicating that a dependency has encountered a problem.

exception dfvfs.lib.errors.CacheFullError[source]

Bases: Error

Error indicating a cache is full.

exception dfvfs.lib.errors.Error[source]

Bases: Exception

Parent class for dfVFS specific errors.

exception dfvfs.lib.errors.FileFormatError[source]

Bases: Error

Error indicating a problem in the format of a file.

exception dfvfs.lib.errors.MountPointError[source]

Bases: Error

Error indicating a mount point does not exist.

exception dfvfs.lib.errors.NotSupported[source]

Bases: Error

Error indicating that unsupported functionality was requested.

exception dfvfs.lib.errors.PathSpecError[source]

Bases: Error

Error indicating a problem with a path specification.

exception dfvfs.lib.errors.ScannerError[source]

Bases: Error

Error indicating that an item could not be scanned.

exception dfvfs.lib.errors.UserAbort[source]

Bases: Error

Exception indicating that the user initiated an abort.

exception dfvfs.lib.errors.VolumeSystemError[source]

Bases: Error

Error indicating a problem with a volume system.

dfvfs.lib.ewf_helper module

Helper functions for EWF image support.

dfvfs.lib.ewf_helper.EWFGlobPathSpec(file_system, path_spec)[source]

Globs for path specifications according to the EWF naming schema.

Parameters
Returns

path specifications that match the glob.

Return type

list[PathSpec]

Raises

  • PathSpecError – if the path specification is invalid.

  • RuntimeError – if the maximum number of supported segment files is reached.

dfvfs.lib.glob2regex module

Glob to regular expression conversion.

Also see: https://en.wikipedia.org/wiki/Glob_(programming)

dfvfs.lib.glob2regex.Glob2Regex(glob_pattern)[source]

Converts a glob pattern to a regular expression.

This function supports basic glob patterns that consist of: * matches everything ? matches any single character [seq] matches any character in sequence [!seq] matches any character not in sequence

Parameters

glob_pattern (str) – glob pattern.

Returns

regular expression pattern.

Return type

str

Raises

ValueError – if the glob pattern cannot be converted.

dfvfs.lib.gzipfile module

Gzip compressed stream file.

class dfvfs.lib.gzipfile.GzipCompressedStream[source]

Bases: object

File-like object of a gzip compressed stream (file).

The gzip file format is defined in RFC1952: http://www.zlib.org/rfc-gzip.html

uncompressed_data_size

total size of the decompressed data stored in the gzip file.

Type

int

Open(file_object)[source]

Opens the file-like object defined by path specification.

Parameters

file_object (FileIO) – file-like object that contains the gzip compressed stream.

Raises

  • IOError – if the file-like object could not be opened.

  • OSError – if the file-like object could not be opened.

close()[source]

Closes the file-like object.

get_offset()[source]

Retrieves the current offset into the file-like object.

Returns

current offset into the file-like object.

Return type

int

Raises

  • IOError – if the file-like object has not been opened.

  • OSError – if the file-like object has not been opened.

get_size()[source]

Retrieves the size of the file-like object.

Returns

size of the file-like object data.

Return type

int

Raises

  • IOError – if the file-like object has not been opened.

  • OSError – if the file-like object has not been opened.

property members

members in the gzip file.

Type

list(GzipMember)

read(size=None)[source]

Reads a byte string from the gzip file at the current offset.

The function will read a byte string up to the specified size or all of the remaining data if no size was specified.

Parameters

size (Optional[int]) – number of bytes to read, where None is all remaining data.

Returns

data read.

Return type

bytes

Raises

  • IOError – if the read failed.

  • OSError – if the read failed.

seek(offset, whence=0)[source]

Seeks to an offset within the file-like object.

Parameters

  • offset (int) – offset to seek to.

  • whence (Optional(int)) – value that indicates whether offset is an absolute or relative position within the file.

Raises

  • IOError – if the seek failed or the file has not been opened.

  • OSError – if the seek failed or the file has not been opened.

class dfvfs.lib.gzipfile.GzipMember(file_object, member_start_offset, uncompressed_data_offset)[source]

Bases: DataFormat

Gzip member.

Gzip files have no index of members, so each member must be read sequentially before metadata and random seeks are possible. This class provides caching of gzip member data during the initial read of each member.

comment

comment stored in the member.

Type

str

member_end_offset

offset to the end of the member in the parent file object.

Type

int

member_start_offset

offset to the start of the member in the parent file object.

Type

int

operating_system

type of file system on which the compression took place.

Type

int

original_filename

original filename of the uncompressed file.

Type

str

uncompressed_data_offset

offset of the start of the uncompressed data in this member relative to the whole gzip file’s uncompressed data.

Type

int

uncompressed_data_size

total size of the data in this gzip member after decompression.

Type

int

FlushCache()[source]

Empties the cache that holds cached decompressed data.

ReadAtOffset(offset, size=None)[source]

Reads a byte string from the gzip member at the specified offset.

The function will read a byte string of the specified size or all of the remaining data if no size was specified.

Parameters

  • offset (int) – offset within the uncompressed data in this member to read from.

  • size (Optional[int]) – maximum number of bytes to read, where None represents all remaining data, to a maximum of the uncompressed cache size.

Returns

data read.

Return type

bytes

Raises

  • IOError – if the read failed.

  • ValueError – if a negative read size or offset is specified.

file_object = <_io.BufferedReader name='/home/docs/checkouts/readthedocs.org/user_builds/dfvfs/checkouts/latest/dfvfs/lib/gzipfile.yaml'>

dfvfs.lib.luksde_helper module

Helper function for LUKS Drive Encryption support.

dfvfs.lib.luksde_helper.LUKSDEOpenVolume(luksde_volume, path_spec, file_object, key_chain)[source]

Opens the LUKSDE volume using the path specification.

Parameters

  • luksde_volume (pyluksde.volume) – LUKSDE volume.

  • path_spec (PathSpec) – path specification.

  • file_object (FileIO) – file-like object.

  • key_chain (KeyChain) – key chain.

dfvfs.lib.luksde_helper.LUKSDEUnlockVolume(luksde_volume, path_spec, key_chain)[source]

Unlocks a LUKSDE volume using the path specification.

Parameters

  • luksde_volume (pyluksde.volume) – LUKSDE volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns

True if the volume is unlocked, False otherwise.

Return type

bool

dfvfs.lib.lvm_helper module

Helper functions for Logical Volume Manager (LVM) support.

dfvfs.lib.lvm_helper.LVMPathSpecGetVolumeIndex(path_spec)[source]

Retrieves the volume index from the path specification.

Parameters

path_spec (PathSpec) – path specification.

Returns

volume index or None if not available.

Return type

int

dfvfs.lib.raw_helper module

Helper functions for RAW storage media image support.

dfvfs.lib.raw_helper.RawGlobPathSpec(file_system, path_spec)[source]

Globs for path specifications according to the split RAW naming schema.

Parameters
Returns

path specifications that match the glob.

Return type

list[PathSpec]

Raises

  • PathSpecError – if the path specification is invalid.

  • RuntimeError – if the maximum number of supported segment files is reached.

dfvfs.lib.sqlite_database module

Helper functions for SQLite database support.

class dfvfs.lib.sqlite_database.SQLiteDatabaseFile[source]

Bases: object

SQLite database file using a file-like object.

Close()[source]

Closes the database file object.

Raises

  • IOError – if the close failed.

  • OSError – if the close failed.

GetNumberOfRows(table_name)[source]

Retrieves the number of rows in the table.

Parameters

table_name (str) – name of the table.

Returns

number of rows.

Return type

int

Raises

  • IOError – if the file-like object has not been opened.

  • OSError – if the file-like object has not been opened.

HasColumn(table_name, column_name)[source]

Determines if a specific column exists.

Parameters

  • table_name (str) – name of the table.

  • column_name (str) – name of the column.

Returns

True if the column exists.

Return type

bool

Raises

  • IOError – if the database file is not opened.

  • OSError – if the database file is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters

table_name (str) – name of the table.

Returns

True if the column exists.

Return type

bool

Raises

  • IOError – if the database file is not opened.

  • OSError – if the database file is not opened.

Open(file_object)[source]

Opens the database file object.

Parameters

file_object (FileIO) – file-like object.

Raises

  • IOError – if the SQLite database signature does not match.

  • OSError – if the SQLite database signature does not match.

  • ValueError – if the file-like object is invalid.

Query(query, parameters=None)[source]

Queries the database file.

Parameters

  • query (str) – SQL query.

  • parameters (Optional[dict|tuple]) – query parameters.

Returns

rows resulting from the query.

Return type

list[sqlite3.Row]

dfvfs.lib.tsk_image module

Helper functions for SleuthKit (TSK) image support.

class dfvfs.lib.tsk_image.TSKFileSystemImage(*args: Any, **kwargs: Any)[source]

Bases: Img_Info

Pytsk3 image object using a file-like object.

close()[source]

Closes the volume IO object.

get_size()[source]

Retrieves the size.

read(offset, size)[source]

Reads a byte string from the image object at the specified offset.

Parameters

  • offset (int) – offset where to start reading.

  • size (int) – number of bytes to read.

Returns

data read.

Return type

bytes

dfvfs.lib.tsk_partition module

Helper functions for SleuthKit (TSK) partition support.

dfvfs.lib.tsk_partition.GetTSKVsPartByPathSpec(tsk_volume, path_spec)[source]

Retrieves the TSK volume system part object from the TSK volume object.

Parameters

  • tsk_volume (pytsk3.Volume_Info) – TSK volume information.

  • path_spec (PathSpec) – path specification.

Returns

containing:

pytsk3.TSK_VS_PART_INFO: TSK volume system part information or

None on error.

int: partition index or None if not available.

Return type

tuple

dfvfs.lib.tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)[source]

Retrieves the number of bytes per sector from a TSK volume object.

Parameters

tsk_volume (pytsk3.Volume_Info) – TSK volume information.

Returns

number of bytes per sector or 512 by default.

Return type

int

dfvfs.lib.tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs_part)[source]

Retrieves the number of sectors of a TSK volume system part object.

Parameters

tsk_vs_part (pytsk3.TSK_VS_PART_INFO) – TSK volume system part information.

Returns

number of sectors or None.

Return type

int

dfvfs.lib.tsk_partition.TSKVsPartGetStartSector(tsk_vs_part)[source]

Retrieves the start sector of a TSK volume system part object.

Parameters

tsk_vs_part (pytsk3.TSK_VS_PART_INFO) – TSK volume system part information.

Returns

start sector or None.

Return type

int

dfvfs.lib.tsk_partition.TSKVsPartIsAllocated(tsk_vs_part)[source]

Determines if the TSK volume system part object is allocated.

Parameters

tsk_vs_part (pytsk3.TSK_VS_PART_INFO) – TSK volume system part information.

Returns

True if the volume system part is allocated, False otherwise.

Return type

bool

dfvfs.lib.vshadow_helper module

Helper functions for Volume Shadow Snapshots (VSS) support.

dfvfs.lib.vshadow_helper.VShadowPathSpecGetStoreIndex(path_spec)[source]

Retrieves the store index from the path specification.

Parameters

path_spec (PathSpec) – path specification.

Returns

store index or None if not available.

Return type

int

Module contents