dfvfs.lib package

Submodules

dfvfs.lib.apfs_helper module

Helper functions for Apple File System (APFS) support.

dfvfs.lib.apfs_helper.APFSUnlockVolume(fsapfs_volume, path_spec, key_chain)[source]

Unlocks an APFS volume using the path specification.

Parameters:

  • fsapfs_volume (pyapfs.volume) – APFS volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns:

True if the volume is unlocked, False otherwise.

Return type:

bool

dfvfs.lib.apm_helper module

Helper functions for Apple Partition Map (APM) support.

dfvfs.lib.apm_helper.APMPathSpecGetEntryIndex(path_spec)[source]

Retrieves the entry index from the path specification.

Parameters:

path_spec (PathSpec) – path specification.

Returns:

entry index or None if not available.

Return type:

int

dfvfs.lib.bde_helper module

Helper function for BitLocker Drive Encryption (BDE) support.

dfvfs.lib.bde_helper.BDEOpenVolume(bde_volume, path_spec, file_object, key_chain)[source]

Opens the BDE volume using the path specification.

Parameters:

  • bde_volume (pybde.volume) – BDE volume.

  • path_spec (PathSpec) – path specification.

  • file_object (FileIO) – file-like object.

  • key_chain (KeyChain) – key chain.

dfvfs.lib.bde_helper.BDEUnlockVolume(bde_volume, path_spec, key_chain)[source]

Unlocks a BDE volume using the path specification.

Parameters:

  • bde_volume (pybde.volume) – BDE volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns:

True if the volume is unlocked, False otherwise.

Return type:

bool

dfvfs.lib.cpio module

Copy in and out (CPIO) archive file.

class dfvfs.lib.cpio.CPIOArchiveFile(encoding='utf-8')[source]

Bases: DataFormat

CPIO archive file.

file_format

CPIO file format.

Type:

str

Close()[source]

Closes the CPIO archive file.

FileEntryExistsByPath(path)[source]

Determines if file entry for a specific path exists.

Returns:

True if the file entry exists.

Return type:

bool

GetFileEntries(path_prefix='')[source]

Retrieves the file entries.

Parameters:

path_prefix (str) – path prefix.

Yields:

CPIOArchiveFileEntry – a CPIO archive file entry.

GetFileEntryByPath(path)[source]

Retrieves a file entry for a specific path.

Returns:

a CPIO archive file entry or None if not available.

Return type:

CPIOArchiveFileEntry

Open(file_object)[source]

Opens the CPIO archive file.

Parameters:

file_object (FileIO) – a file-like object.

Raises:

  • IOError – if the file format signature is not supported.

  • OSError – if the file format signature is not supported.

ReadDataAtOffset(file_offset, size)[source]

Reads a byte string from the file-like object at a specific offset.

Parameters:

  • file_offset (int) – file offset.

  • size (int) – number of bytes to read.

Returns:

data read.

Return type:

bytes

Raises:

  • IOError – if the read failed.

  • OSError – if the read failed.

__init__(encoding='utf-8')[source]

Initializes a CPIO archive file.

Parameters:

encoding (str) – encoding of paths within the archive file.

property encoding

encoding of paths within the archive file.

Type:

str

file_object = <_io.BufferedReader name='/home/docs/checkouts/readthedocs.org/user_builds/dfvfs/checkouts/latest/dfvfs/lib/cpio.yaml'>
class dfvfs.lib.cpio.CPIOArchiveFileEntry[source]

Bases: object

CPIO archive file entry.

data_offset

data start offset.

Type:

int

data_size

data size.

Type:

int

group_identifier

group identifier (gid).

Type:

int

inode_number

inode number.

Type:

int

mode

mode.

Type:

int

modification_time

modification POSIX timestamp.

Type:

int

number of hard links.

Type:

int

path

path.

Type:

str

size

archive file entry record size.

Type:

int

user_identifier

user identifier (uid).

Type:

int

__init__()[source]

Initializes a CPIO archive file entry.

dfvfs.lib.cs_helper module

Helper function for Core Storage (CS) support.

dfvfs.lib.cs_helper.CSPathSpecGetVolumeIndex(path_spec)[source]

Retrieves the volume index from the path specification.

Parameters:

path_spec (PathSpec) – path specification.

Returns:

volume index or None if not available.

Return type:

int

dfvfs.lib.cs_helper.CSUnlockLogicalVolume(fvde_logical_volume, path_spec, key_chain)[source]

Unlocks a Core Storage logical volume using the path specification.

Parameters:

  • fvde_logical_volume (pyfvde.logical_volume) – Core Storage logical volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns:

True if the volume is unlocked, False otherwise.

Return type:

bool

dfvfs.lib.data_format module

dtFabric data format helpers.

class dfvfs.lib.data_format.DataFormat[source]

Bases: object

Data format.

dfvfs.lib.decorators module

Function decorators.

dfvfs.lib.decorators.deprecated(function)[source]

Decorator to mark functions or methods as deprecated.

dfvfs.lib.definitions module

The Virtual File System (VFS) definitions.

dfvfs.lib.errors module

The Virtual File System (VFS) error classes.

exception dfvfs.lib.errors.AccessError[source]

Bases: Error

Error indicating that a resource could not be accessed.

exception dfvfs.lib.errors.BackEndError[source]

Bases: Error

Error indicating that a dependency has encountered a problem.

exception dfvfs.lib.errors.CacheFullError[source]

Bases: Error

Error indicating a cache is full.

exception dfvfs.lib.errors.Error[source]

Bases: Exception

Parent class for dfVFS specific errors.

exception dfvfs.lib.errors.FileFormatError[source]

Bases: Error

Error indicating a problem in the format of a file.

exception dfvfs.lib.errors.MountPointError[source]

Bases: Error

Error indicating a mount point does not exist.

exception dfvfs.lib.errors.NotSupported[source]

Bases: Error

Error indicating that unsupported functionality was requested.

exception dfvfs.lib.errors.PathSpecError[source]

Bases: Error

Error indicating a problem with a path specification.

exception dfvfs.lib.errors.ScannerError[source]

Bases: Error

Error indicating that an item could not be scanned.

exception dfvfs.lib.errors.UserAbort[source]

Bases: Error

Exception indicating that the user initiated an abort.

exception dfvfs.lib.errors.VolumeSystemError[source]

Bases: Error

Error indicating a problem with a volume system.

dfvfs.lib.ewf_helper module

Helper functions for EWF image support.

dfvfs.lib.ewf_helper.EWFGlobPathSpec(file_system, path_spec)[source]

Globs for path specifications according to the EWF naming schema.

Parameters:
Returns:

path specifications that match the glob.

Return type:

list[PathSpec]

Raises:

  • PathSpecError – if the path specification is invalid.

  • RuntimeError – if the maximum number of supported segment files is reached.

dfvfs.lib.glob2regex module

Glob to regular expression conversion.

Also see: https://en.wikipedia.org/wiki/Glob_(programming)

dfvfs.lib.glob2regex.Glob2Regex(glob_pattern)[source]

Converts a glob pattern to a regular expression.

This function supports basic glob patterns that consist of: * matches everything ? matches any single character [seq] matches any character in sequence [!seq] matches any character not in sequence

Parameters:

glob_pattern (str) – glob pattern.

Returns:

regular expression pattern.

Return type:

str

Raises:

ValueError – if the glob pattern cannot be converted.

dfvfs.lib.gzipfile module

Gzip compressed stream file.

class dfvfs.lib.gzipfile.GzipCompressedStream[source]

Bases: object

File-like object of a gzip compressed stream (file).

The gzip file format is defined in RFC1952: http://www.zlib.org/rfc-gzip.html

uncompressed_data_size

total size of the decompressed data stored in the gzip file.

Type:

int

Open(file_object)[source]

Opens the file-like object defined by path specification.

Parameters:

file_object (FileIO) – file-like object that contains the gzip compressed stream.

Raises:

  • IOError – if the file-like object could not be opened.

  • OSError – if the file-like object could not be opened.

__init__()[source]

Initializes a file-like object.

close()[source]

Closes the file-like object.

get_offset()[source]

Retrieves the current offset into the file-like object.

Returns:

current offset into the file-like object.

Return type:

int

Raises:

  • IOError – if the file-like object has not been opened.

  • OSError – if the file-like object has not been opened.

get_size()[source]

Retrieves the size of the file-like object.

Returns:

size of the file-like object data.

Return type:

int

Raises:

  • IOError – if the file-like object has not been opened.

  • OSError – if the file-like object has not been opened.

property members

Retrieves the members in the file.

Returns:

members in the file.

Return type:

list[GzipMember]

read(size=None)[source]

Reads a byte string from the gzip file at the current offset.

The function will read a byte string up to the specified size or all of the remaining data if no size was specified.

Parameters:

size (Optional[int]) – number of bytes to read, where None is all remaining data.

Returns:

data read.

Return type:

bytes

Raises:

  • IOError – if the read failed.

  • OSError – if the read failed.

seek(offset, whence=0)[source]

Seeks to an offset within the file-like object.

Parameters:

  • offset (int) – offset to seek to.

  • whence (Optional(int)) – value that indicates whether offset is an absolute or relative position within the file.

Raises:

  • IOError – if the seek failed or the file has not been opened.

  • OSError – if the seek failed or the file has not been opened.

class dfvfs.lib.gzipfile.GzipMember(file_object, member_start_offset, uncompressed_data_offset)[source]

Bases: DataFormat

Gzip member.

Gzip files have no index of members, so each member must be read sequentially before metadata and random seeks are possible. This class provides caching of gzip member data during the initial read of each member.

comment

comment stored in the member.

Type:

str

member_end_offset

offset to the end of the member in the parent file object.

Type:

int

member_start_offset

offset to the start of the member in the parent file object.

Type:

int

operating_system

type of file system on which the compression took place.

Type:

int

original_filename

original filename of the uncompressed file.

Type:

str

uncompressed_data_offset

offset of the start of the uncompressed data in this member relative to the whole gzip file’s uncompressed data.

Type:

int

uncompressed_data_size

total size of the data in this gzip member after decompression.

Type:

int

FlushCache()[source]

Empties the cache that holds cached decompressed data.

ReadAtOffset(offset, size=None)[source]

Reads a byte string from the gzip member at the specified offset.

The function will read a byte string of the specified size or all of the remaining data if no size was specified.

Parameters:

  • offset (int) – offset within the uncompressed data in this member to read from.

  • size (Optional[int]) – maximum number of bytes to read, where None represents all remaining data, to a maximum of the uncompressed cache size.

Returns:

data read.

Return type:

bytes

Raises:

  • IOError – if the read failed.

  • ValueError – if a negative read size or offset is specified.

__init__(file_object, member_start_offset, uncompressed_data_offset)[source]

Initializes a gzip member.

Parameters:

  • file_object (FileIO) – file-like object, containing the gzip member.

  • member_start_offset (int) – offset to the beginning of the gzip member in the containing file.

  • uncompressed_data_offset (int) – offset of the start of the uncompressed data in this member relative to the whole gzip file’s uncompressed data.

file_object = <_io.BufferedReader name='/home/docs/checkouts/readthedocs.org/user_builds/dfvfs/checkouts/latest/dfvfs/lib/gzipfile.yaml'>

dfvfs.lib.luksde_helper module

Helper function for LUKS Drive Encryption support.

dfvfs.lib.luksde_helper.LUKSDEOpenVolume(luksde_volume, path_spec, file_object, key_chain)[source]

Opens the LUKSDE volume using the path specification.

Parameters:

  • luksde_volume (pyluksde.volume) – LUKSDE volume.

  • path_spec (PathSpec) – path specification.

  • file_object (FileIO) – file-like object.

  • key_chain (KeyChain) – key chain.

dfvfs.lib.luksde_helper.LUKSDEUnlockVolume(luksde_volume, path_spec, key_chain)[source]

Unlocks a LUKSDE volume using the path specification.

Parameters:

  • luksde_volume (pyluksde.volume) – LUKSDE volume.

  • path_spec (PathSpec) – path specification.

  • key_chain (KeyChain) – key chain.

Returns:

True if the volume is unlocked, False otherwise.

Return type:

bool

dfvfs.lib.lvm_helper module

Helper functions for Logical Volume Manager (LVM) support.

dfvfs.lib.lvm_helper.LVMPathSpecGetVolumeIndex(path_spec)[source]

Retrieves the volume index from the path specification.

Parameters:

path_spec (PathSpec) – path specification.

Returns:

volume index or None if not available.

Return type:

int

dfvfs.lib.raw_helper module

Helper functions for RAW storage media image support.

dfvfs.lib.raw_helper.RawGlobPathSpec(file_system, path_spec)[source]

Globs for path specifications according to the split RAW naming schema.

Parameters:
Returns:

path specifications that match the glob.

Return type:

list[PathSpec]

Raises:

  • PathSpecError – if the path specification is invalid.

  • RuntimeError – if the maximum number of supported segment files is reached.

dfvfs.lib.sqlite_database module

Helper functions for SQLite database support.

class dfvfs.lib.sqlite_database.SQLiteDatabaseFile[source]

Bases: object

SQLite database file using a file-like object.

Close()[source]

Closes the database file object.

Raises:

  • IOError – if the close failed.

  • OSError – if the close failed.

GetNumberOfRows(table_name)[source]

Retrieves the number of rows in the table.

Parameters:

table_name (str) – name of the table.

Returns:

number of rows.

Return type:

int

Raises:

  • IOError – if the file-like object has not been opened.

  • OSError – if the file-like object has not been opened.

HasColumn(table_name, column_name)[source]

Determines if a specific column exists.

Parameters:

  • table_name (str) – name of the table.

  • column_name (str) – name of the column.

Returns:

True if the column exists.

Return type:

bool

Raises:

  • IOError – if the database file is not opened.

  • OSError – if the database file is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters:

table_name (str) – name of the table.

Returns:

True if the column exists.

Return type:

bool

Raises:

  • IOError – if the database file is not opened.

  • OSError – if the database file is not opened.

Open(file_object)[source]

Opens the database file object.

Parameters:

file_object (FileIO) – file-like object.

Raises:

  • IOError – if the SQLite database signature does not match.

  • OSError – if the SQLite database signature does not match.

  • ValueError – if the file-like object is invalid.

Query(query, parameters=None)[source]

Queries the database file.

Parameters:

  • query (str) – SQL query.

  • parameters (Optional[dict|tuple]) – query parameters.

Returns:

rows resulting from the query.

Return type:

list[sqlite3.Row]

__init__()[source]

Initializes the database file object.

dfvfs.lib.tsk_image module

Helper functions for SleuthKit (TSK) image support.

class dfvfs.lib.tsk_image.TSKFileSystemImage(*args: Any, **kwargs: Any)[source]

Bases: Img_Info

Pytsk3 image object using a file-like object.

__init__(file_object)[source]

Initializes an image object.

Parameters:

file_object (FileIO) – file-like object.

Raises:

ValueError – if the file-like object is invalid.

close()[source]

Closes the volume IO object.

get_size()[source]

Retrieves the size.

read(offset, size)[source]

Reads a byte string from the image object at the specified offset.

Parameters:

  • offset (int) – offset where to start reading.

  • size (int) – number of bytes to read.

Returns:

data read.

Return type:

bytes

dfvfs.lib.tsk_partition module

Helper functions for SleuthKit (TSK) partition support.

dfvfs.lib.tsk_partition.GetTSKVsPartByPathSpec(tsk_volume, path_spec)[source]

Retrieves the TSK volume system part object from the TSK volume object.

Parameters:

  • tsk_volume (pytsk3.Volume_Info) – TSK volume information.

  • path_spec (PathSpec) – path specification.

Returns:

containing:

pytsk3.TSK_VS_PART_INFO: TSK volume system part information or

None on error.

int: partition index or None if not available.

Return type:

tuple

dfvfs.lib.tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)[source]

Retrieves the number of bytes per sector from a TSK volume object.

Parameters:

tsk_volume (pytsk3.Volume_Info) – TSK volume information.

Returns:

number of bytes per sector or 512 by default.

Return type:

int

dfvfs.lib.tsk_partition.TSKVsPartGetNumberOfSectors(tsk_vs_part)[source]

Retrieves the number of sectors of a TSK volume system part object.

Parameters:

tsk_vs_part (pytsk3.TSK_VS_PART_INFO) – TSK volume system part information.

Returns:

number of sectors or None.

Return type:

int

dfvfs.lib.tsk_partition.TSKVsPartGetStartSector(tsk_vs_part)[source]

Retrieves the start sector of a TSK volume system part object.

Parameters:

tsk_vs_part (pytsk3.TSK_VS_PART_INFO) – TSK volume system part information.

Returns:

start sector or None.

Return type:

int

dfvfs.lib.tsk_partition.TSKVsPartIsAllocated(tsk_vs_part)[source]

Determines if the TSK volume system part object is allocated.

Parameters:

tsk_vs_part (pytsk3.TSK_VS_PART_INFO) – TSK volume system part information.

Returns:

True if the volume system part is allocated, False otherwise.

Return type:

bool

dfvfs.lib.vshadow_helper module

Helper functions for Volume Shadow Snapshots (VSS) support.

dfvfs.lib.vshadow_helper.VShadowPathSpecGetStoreIndex(path_spec)[source]

Retrieves the store index from the path specification.

Parameters:

path_spec (PathSpec) – path specification.

Returns:

store index or None if not available.

Return type:

int

Module contents