dfimagetools package

Subpackages

• dfimagetools.helpers package
  • Submodules
  • dfimagetools.helpers.backend module
    • SetDFVFSBackEnd()
  • dfimagetools.helpers.command_line module
    • AddStorageMediaImageCLIArguments()
    • ParseStorageMediaImageCLIArguments()
  • Module contents
• dfimagetools.scripts package
  • Submodules
  • dfimagetools.scripts.extract_data_streams module
    • Main()
  • dfimagetools.scripts.list_file_entries module
    • Main()
  • dfimagetools.scripts.map_extents module
    • Main()
  • dfimagetools.scripts.recursive_hasher module
    • Main()
  • dfimagetools.scripts.source_analyzer module
    • Main()
  • Module contents

Submodules

dfimagetools.artifact_filters module

Helper for filtering based on artifact definitions.

class dfimagetools.artifact_filters.ArtifactDefinitionFiltersGenerator(artifacts_registry, environment_variables=None, user_accounts=None)

Bases: object

Generator of filters based on artifact definitions.

GetFindSpecs(names=None, environment_variables=None, user_accounts=None)

Retrieves find specifications for one or more artifact definitions.

Parameters:

• names (Optional[list[str]]) – names of the artifact definitions to filter on.

• environment_variables (Optional[list[EnvironmentVariable]]) – environment variables.

• user_accounts (Optional[list[UserAccount]]) – user accounts.

Yields:

dfvfs.FindSpec – file system (dfVFS) find specification.

__init__(artifacts_registry, environment_variables=None, user_accounts=None)

Initializes an artifact definition filters generator.

Parameters:

• artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.

• environment_variables (Optional[list[EnvironmentVariable]]) – environment variables.

• user_accounts (Optional[list[UserAccount]]]) – user accounts.

dfimagetools.bodyfile module

Helper for generating bodyfile entries.

class dfimagetools.bodyfile.BodyfileGenerator

Bases: object

Bodyfile generator.

GetEntries(file_entry, path_segments)

Retrieves bodyfile entry representations of a file entry.

Parameters:

• file_entry (dfvfs.FileEntry) – file entry.

• path_segments (str) – path segments of the full path of the file entry.

Yields:

str – bodyfile entry.

__init__()

Initializes a bodyfile generator.

dfimagetools.data_stream_writer module

Helper to write data streams.

class dfimagetools.data_stream_writer.DataStreamWriter

Bases: object

Data stream writer.

GetDisplayPath(source_path_segments, source_data_stream_name)

Retrieves a path to display.

Parameters:

• source_path_segments (list[str]) – path segment of the source file.

• source_data_stream_name (str) – name of the data stream of the source file.

Returns:

display path.

Return type:

str

GetSanitizedPath(source_path_segments, source_data_stream_name, target_path)

Retrieves santized a path.

This function replaces non-printable and other invalid path characters with an underscore “_”.

Parameters:

• source_path_segments (list[str]) – path segment of the source file.

• source_data_stream_name (str) – name of the data stream of the source file.

• target_path (str) – path of the target directory.

Returns:

sanitized path.

Return type:

str

WriteDataStream(file_entry, data_stream_name, destination_path)

Writes the contents of the source data stream to a destination file.

Note that this function will overwrite an existing file.

Parameters:

• file_entry (dfvfs.FileEntry) – file entry whose content is to be written.

• data_stream_name (str) – name of the data stream whose content is to be written.

• destination_path (str) – path of the destination file.

__init__()

Initializes a data stream writer.

dfimagetools.decorators module

Function decorators.

dfimagetools.decorators.deprecated(function)

Decorator to mark functions or methods as deprecated.

dfimagetools.definitions module

The dfImageTools definitions.

dfimagetools.environment_variables module

Windows environment variables collector.

class dfimagetools.environment_variables.WindowsEnvironmentVariablesCollector

Bases: object

Windows environment variables collector.

Collect(registry)

Collects environment variables.

Parameters:

registry (dfwinreg.WinRegistry) – Windows Registry.

Yields:

EnvironmentVariable – an environment variable.

dfimagetools.file_entry_lister module

Helper to list file entries.

class dfimagetools.file_entry_lister.FileEntryLister(*args: Any, **kwargs: Any)

Bases: VolumeScanner

File entry lister.

GetWindowsDirectory(base_path_spec)

Retrieves the Windows directory from the base path specification.

Parameters:

base_path_spec (dfvfs.PathSpec) – source path specification.

Returns:

path of the Windows directory or None if not available.

Return type:

str

ListFileEntries(base_path_specs)

Lists file entries in the base path specifications.

Parameters:

base_path_specs (list[dfvfs.PathSpec]) – source path specifications.

Yields:

tuple[dfvfs.FileEntry, list[str]] – file entry and path segments.

ListFileEntriesWithFindSpecs(base_path_specs, find_specs)

Lists file entries in the base path specifications.

This method filters file entries based on the find specifications.

Parameters:

• base_path_specs (list[dfvfs.PathSpec]) – source path specification.

• find_specs (list[dfvfs.FindSpec]) – find specifications.

Yields:

tuple[dfvfs.FileEntry, list[str]] – file entry and path segments.

__init__(mediator=None, use_aliases=True)

Initializes a file entry lister.

Parameters:

• mediator (Optional[dfvfs.VolumeScannerMediator]) – a volume scanner mediator.

• use_aliases (Optional[bool]) – True if partition and/or volume aliases should be used.

dfimagetools.path_filters module

Helper for filtering based on a path.

class dfimagetools.path_filters.PathFiltersGenerator(path)

Bases: object

Generator of filters based on a path.

GetFindSpecs()

Retrieves find specifications.

Yields:

dfvfs.FindSpec – file system (dfVFS) find specification.

__init__(path)

Initializes a path filters generator.

Parameters:

path (str) – path.

Raises:

ValueError – if the path is missing.

property partition

Retrieves the partition.

Returns:

partition defined by the path filter or None if not available.

Return type:

str

dfimagetools.path_resolver module

Helper for resolving paths.

class dfimagetools.path_resolver.PathResolver

Bases: object

Path resolver.

ExpandEnvironmentVariables(path, path_separator, environment_variables)

Expands environment variables.

Parameters:

• path (str) – path with environment variables.

• path_separator (str) – path segment separator.

• environment_variables (list[EnvironmentVariable]) – environment variables.

Returns:

path with environment variables expanded.

Return type:

str

ExpandGlobStars(path, path_separator)

Expands globstars “**”.

A globstar “**” will recursively match all files and zero or more directories and subdirectories.

By default the maximum recursion depth is 10 subdirectories, a numeric values after the globstar, such as “**5”, can be used to define the maximum recursion depth.

Parameters:

• path (str) – path with globstars.

• path_separator (str) – path segment separator.

Returns:

path with seperate globs for every globstar.

Return type:

str

ExpandUsersVariable(path, path_separator, user_accounts)

Expands a users variable, such as %%users.appdata%%.

Parameters:

• path (str) – path with users variable.

• path_separator (str) – path segment separator.

• user_accounts (list[UserAccount]) – user accounts.

Returns:

paths for which the users variables have been expanded.

Return type:

list[str]

dfimagetools.recursive_hasher module

Helper to recursively calculate a message digest hash of data streams.

class dfimagetools.recursive_hasher.RecursiveHasher

Bases: object

Recursively calculates message digest hashes of data streams.

CalculateHashesFileEntry(file_entry, path_segments)

Recursive calculates hashes starting with the file entry.

Parameters:

• file_entry (dfvfs.FileEntry) – file entry.

• path_segments (str) – path segments of the full path of file entry.

Yields:

tuple[str, str] – display path and hash value.

dfimagetools.resources module

Various resource classes.

class dfimagetools.resources.EnvironmentVariable(case_sensitive=True, name=None, value=None)

Bases: object

Environment variable.

case_sensitive

True if environment variable name is case sensitive.

Type:

bool

name

environment variable name such as “SystemRoot” as in “%SystemRoot%” or “HOME” as in “$HOME”.

Type:

str

value

environment variable value such as “C:Windows” or “/home/user”.

Type:

str

__init__(case_sensitive=True, name=None, value=None)

Initializes an environment variable.

Parameters:

• case_sensitive (Optional[bool]) – True if environment variable name is case sensitive.

• name (Optional[str]) – environment variable name.

• value (Optional[str]) – environment variable value.

class dfimagetools.resources.UserAccount(full_name=None, group_identifier=None, identifier=None, user_directory=None, user_directory_path_separator='/', username=None)

Bases: object

User account.

full_name

name describing the user.

Type:

str

group_identifier

identifier of the primary group the user is part of.

Type:

str

identifier

user identifier.

Type:

str

user_directory

path of the user (or home or profile) directory.

Type:

str

user_directory_path_separator

path segment separator of the user directory.

Type:

str

username

name uniquely identifying the user.

Type:

str

__init__(full_name=None, group_identifier=None, identifier=None, user_directory=None, user_directory_path_separator='/', username=None)

Initializes a user account.

Parameters:

• full_name (Optional[str]) – name describing the user.

• group_identifier (Optional[str]) – identifier of the primary group the user is part of.

• identifier (Optional[str]) – user identifier.

• user_directory (Optional[str]) – path of the user (or home or profile) directory.

• user_directory_path_separator (Optional[str]) – path segment separator of the user directory.

• username (Optional[str]) – name uniquely identifying the user.

dfimagetools.source_analyzer module

Helper to recursively check for volumes and file systems.

class dfimagetools.source_analyzer.SourceAnalyzer(auto_recurse=True, mediator=None)

Bases: object

Analyzer to recursively check for volumes and file systems.

Analyze(source_path)

Analyzes the source.

Parameters:

source_path (str) – the source path.

Yields:

dfvfs.SourceScannerContext – the source scanner context.

Raises:

RuntimeError – if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported.

WriteScanNode(scan_context, scan_node, indentation='')

Writes the source scanner node to stdout.

Parameters:

• scan_context (dfvfs.SourceScannerContext) – the source scanner context.

• scan_node (dfvfs.SourceScanNode) – the scan node.

• indentation (Optional[str]) – indentation.

__init__(auto_recurse=True, mediator=None)

Initializes a source analyzer.

Parameters:

• auto_recurse (Optional[bool]) – True if the scan should automatically recurse as far as possible.

• mediator (Optional[VolumeScannerMediator]) – a volume scanner mediator.

dfimagetools.windows_registry module

Helpers to collect information from the Windows Registry.

class dfimagetools.windows_registry.CREGWindowsRegistryFile(*args: Any, **kwargs: Any)

Bases: CREGWinRegistryFile

Windows 9x/Me Registry file (CREG).

Close()

Closes the Windows Registry file.

class dfimagetools.windows_registry.REGFWindowsRegistryFile(*args: Any, **kwargs: Any)

Bases: REGFWinRegistryFile

Windows NT Registry file (REGF).

Close()

Closes the Windows Registry file.

class dfimagetools.windows_registry.StorageMediaImageWindowsRegistryFileReader(*args: Any, **kwargs: Any)

Bases: WinRegistryFileReader

Storage media image Windows Registry file reader.

Open(path, ascii_codepage='cp1252')

Opens the Windows Registry file specified by the path.

Parameters:

• path (str) – path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file. E.g. C:WindowsSystem32configSYSTEM

• ascii_codepage (Optional[str]) – ASCII string codepage.

Returns:

Windows Registry file or None if the file cannot

be opened.

Return type:

dfwinreg.WinRegistryFile

__init__(file_system, path_resolver)

Initializes a storage media Windows Registry file reader.

Parameters:

• file_system (dfvfs.FileSystem) – file system that contains the Windows directory.

• path_resolver (dfvfs.WindowsPathResolver) – Windows path resolver.

class dfimagetools.windows_registry.WindowsRegistryCollector(path_spec, windows_directory)

Bases: object

Windows Registry collector.

CollectSystemEnvironmentVariables()

Collects the system environment variables.

Returns:

environment variables.

Return type:

list[EnvironmentVariable]

__init__(path_spec, windows_directory)

Initializes a Windows Registry collector.

Parameters:

• path_spec (PathSpec) – path specification of the file system that contains the Windows Registry files.

• windows_directory (str) – path of the Windows directory.

Module contents

Collection of tools to process storage media images.