# Path specifications
## Terminology
In dfVFS a path specification defines the location of a file system entry or
data stream. It is comparable to a path on an operating system, with the
difference that a dfVFS path specification also includes information about its
parents, such as the volume system that contains the file system.
### System-level path specification
A "system-level path specification" is a path specification that can be
resolved by the operating system; typically TYPE_INDICATOR_OS or equivalent.
## Type indicators
The dfVFS path specification type indicators are defined in:
```
dfvfs/lib/definitions.py
```
In your code, use the type indicator constant as defined by dfVFS rather than
its literal value, since the value may change between versions. The following is
the list of type indicators available in version 20200625.
| **Type indicator** | **Description** |
| --- | --- |
| TYPE_INDICATOR_APFS | The Apple File System (APFS) type |
| TYPE_INDICATOR_APFS_CONTAINER | The Apple File System (APFS) container volume system type |
| TYPE_INDICATOR_BDE | The BitLocker Drive Encryption (BDE) volume system type |
| TYPE_INDICATOR_COMPRESSED_STREAM | The compressed stream type |
| TYPE_INDICATOR_CPIO | The cpio archive file type |
| TYPE_INDICATOR_DATA_RANGE | The data range type |
| TYPE_INDICATOR_ENCODED_STREAM | The encoded stream type |
| TYPE_INDICATOR_ENCRYPTED_STREAM | The encrypted stream type |
| TYPE_INDICATOR_EWF | The EWF storage media image type |
| TYPE_INDICATOR_EXT | The Extended file system (ext) type |
| TYPE_INDICATOR_FAKE | The fake file system type |
| TYPE_INDICATOR_FVDE | The FileVault Drive Encryption (FVDE) volume system type |
| TYPE_INDICATOR_GZIP | The gzip compressed file type |
| TYPE_INDICATOR_LUKSDE | The LUKS drive encryption volume system type |
| TYPE_INDICATOR_LVM | The Logical Volume Manager (LVM) volume system type |
| TYPE_INDICATOR_MOUNT | Type to represent a mount point |
| TYPE_INDICATOR_NTFS | The Windows NT file system (NTFS) type |
| TYPE_INDICATOR_OS | The operating system type |
| TYPE_INDICATOR_QCOW | The QCOW storage media image type |
| TYPE_INDICATOR_RAW | The RAW storage media image type |
| TYPE_INDICATOR_SQLITE_BLOB | The SQLite binary large objects (BLOB) type |
| TYPE_INDICATOR_TAR | The tar archive file type |
| TYPE_INDICATOR_TSK | The SleuthKit file system type |
| TYPE_INDICATOR_TSK_PARTITION | The SleuthKit partition volume system type |
| TYPE_INDICATOR_VHDI | The VHD storage media image type |
| TYPE_INDICATOR_VMDK | The VMDK storage media image type |
| TYPE_INDICATOR_VSHADOW | The VSS volume system type |
| TYPE_INDICATOR_ZIP | The zip archive file type |
## Addressing attributes
All types, with the exception of the operating system, fake and mount types
(whose parent must be None), require a parent path specification addressing
attribute.
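The stacking rules above (every level names its parent, and only the types that the operating system can resolve on their own stand without one), as an added example that is not dfVFS's own code: a small Python model that builds a chain level by level and rejects a level that breaks the rules from the tables on this page. In dfVFS itself the equivalent call is `dfvfs.path.factory.Factory.NewPathSpec(type_indicator, **kwargs)` and the result is opened with `dfvfs.resolver.resolver.Resolver.OpenFileEntry()`; the `PathSpec` class, `new_path_spec()`, `validation_error()`, the attribute table and the layout of the `comparable` string here are assumptions made for this example, and the evidence paths are made up. It also covers the .tar.gz case from the tar section further down, where TAR is stacked on top of GZIP.

```python
# Added example, not dfVFS code: a model of stacked path specifications.
# Keys are the indicator names without the TYPE_INDICATOR_ prefix; the
# attribute sets are copied from the tables on this page (internal stream
# types and the SQLite blob type are left out for brevity).

# Types whose parent must be None: the operating system resolves them directly.
ROOT_TYPES = frozenset({'OS', 'FAKE', 'MOUNT'})

# Addressing attributes, besides "parent", that each type accepts.
ATTRIBUTES = {
    'OS': {'location'}, 'FAKE': {'location'}, 'MOUNT': {'identifier'},
    'EWF': set(), 'QCOW': set(), 'RAW': set(), 'VHDI': set(), 'VMDK': set(),
    'GZIP': set(), 'TAR': {'location'}, 'ZIP': {'location'},
    'TSK_PARTITION': {'location', 'part_index', 'start_offset'},
    'VSHADOW': {'location', 'store_index'},
    'BDE': {'password', 'recovery_password', 'startup_key'},
    'FVDE': {'encrypted_root_plist', 'password', 'recovery_password'},
    'LUKSDE': {'password'},
    'TSK': {'location', 'inode'}, 'EXT': {'location', 'inode'},
    'NTFS': {'data_stream', 'location', 'mft_attribute', 'mft_entry'},
    'APFS': {'identifier', 'location'},
}

# Types whose attributes are all optional: credentials are expected to come
# from the credential manager rather than from the path specification.
CREDENTIAL_TYPES = frozenset({'BDE', 'FVDE', 'LUKSDE'})


class PathSpec:
    """One level of a path specification: its type, attributes and parent."""

    def __init__(self, type_indicator, parent=None, **attributes):
        self.type_indicator = type_indicator
        self.parent = parent
        self.attributes = attributes

    @property
    def comparable(self):
        """Text form of the whole chain, root first, one level per line
        (modelled on dfVFS's comparable property; the layout is an assumption)."""
        parts = [self.parent.comparable if self.parent else '']
        parts.append('type: {0:s}'.format(self.type_indicator))
        for name in sorted(self.attributes):
            parts.append(', {0:s}: {1!s}'.format(name, self.attributes[name]))
        parts.append('\n')
        return ''.join(parts)


def validation_error(type_indicator, parent=None, **attributes):
    """Return why the level would be invalid, or None if it is acceptable."""
    allowed = ATTRIBUTES.get(type_indicator)
    if allowed is None:
        return 'unsupported type indicator: {0:s}'.format(type_indicator)
    if type_indicator in ROOT_TYPES and parent is not None:
        return '{0:s} must not have a parent'.format(type_indicator)
    if type_indicator not in ROOT_TYPES and parent is None:
        return '{0:s} requires a parent path specification'.format(type_indicator)
    unknown = sorted(set(attributes) - allowed)
    if unknown:
        return '{0:s} does not accept: {1:s}'.format(type_indicator, ', '.join(unknown))
    if allowed and not attributes and type_indicator not in CREDENTIAL_TYPES:
        return '{0:s} needs at least one addressing attribute'.format(type_indicator)
    return None


def new_path_spec(type_indicator, parent=None, **attributes):
    """Build one level, raising ValueError when a stacking rule is broken."""
    error = validation_error(type_indicator, parent=parent, **attributes)
    if error:
        raise ValueError(error)
    return PathSpec(type_indicator, parent=parent, **attributes)


def image_file_path_spec(image_path, partition_location, file_location):
    """OS -> RAW -> TSK_PARTITION -> TSK: a file in a partition of a raw image."""
    os_spec = new_path_spec('OS', location=image_path)
    raw_spec = new_path_spec('RAW', parent=os_spec)
    partition_spec = new_path_spec(
        'TSK_PARTITION', parent=raw_spec, location=partition_location)
    return new_path_spec('TSK', parent=partition_spec, location=file_location)


def targz_member_path_spec(archive_path, member_location):
    """OS -> GZIP -> TAR: the TAR level is stacked on top of the GZIP level."""
    os_spec = new_path_spec('OS', location=archive_path)
    gzip_spec = new_path_spec('GZIP', parent=os_spec)
    return new_path_spec('TAR', parent=gzip_spec, location=member_location)


if __name__ == '__main__':
    # Constructed evidence paths; nothing is opened on disk.
    print(image_file_path_spec('/cases/evidence.raw', '/p1', '/etc/passwd').comparable)
    print(targz_member_path_spec('/cases/logs.tar.gz', '/var/log/auth.log').comparable)
```

Running the block prints both chains in their text form; the raw-image chain comes out as four `type:` lines from `OS` down to `TSK`, which is the order in which the levels are resolved. `validation_error()` is the check worth keeping when path specifications arrive from configuration or user input: a `RAW` level without a parent, an `OS` level with one, or a misspelled attribute name is reported before anything is resolved.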
### The APFS file system type
The APFS type (TYPE_INDICATOR_APFS) is a type that addresses files stored within
an Apple file system (APFS).
| **Attribute name** | **Description** |
| --- | --- |
| identifier | The identifier of the file entry within the file system. Comparable to the catalog node identifier (CNID) on HFS. |
| location | The location of the file entry |
| parent | The parent path specification |
### The APFS container volume system type
The APFS container type (TYPE_INDICATOR_APFS_CONTAINER) is a type that addresses
volumes stored within an Apple file system (APFS) container.
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the volume within the container |
| parent | The parent path specification |
| volume_index | The index of the volume within the container |
### The BDE volume system type
The BDE type (TYPE_INDICATOR_BDE) is a type that addresses volumes stored
within a BitLocker encrypted volume.
| **Attribute name** | **Description** |
| --- | --- |
| password | The password to unlock the BitLocker volume |
| parent | The parent path specification |
| recovery_password | The recovery password to unlock the BitLocker volume |
| startup_key | The name of the startup key file to unlock the BitLocker volume |
**Note that it is recommended to use the credential manager instead of providing
decryption keys (credentials) in a path specification.**
### The compressed stream type
The compressed stream type (TYPE_INDICATOR_COMPRESSED_STREAM) is an internal
type that defines the following addressing attributes:
| **Attribute name** | **Description** |
| --- | --- |
| compression_method | The method used to compress the stream |
| parent | The parent path specification |
### The cpio archive file type
The cpio type (TYPE_INDICATOR_CPIO) is a type that addresses files stored within
the cpio archive file format.
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the file entry within the cpio archive |
| parent | The parent path specification |
### The data range type
The data range type (TYPE_INDICATOR_DATA_RANGE) is an internal type that
defines the following addressing attributes:
| **Attribute name** | **Description** |
| --- | --- |
| range_offset | The offset, in bytes, relative to the start of the parent file entry, where the data range starts |
| range_size | The size, in bytes, of the data range |
| parent | The parent path specification |
### The encoded stream type
The encoded stream type (TYPE_INDICATOR_ENCODED_STREAM) is an internal type
that defines the following addressing attributes:
| **Attribute name** | **Description** |
| --- | --- |
| encoding_method | The method used to encode the stream |
| parent | The parent path specification |
### The encrypted stream type
The encrypted stream type (TYPE_INDICATOR_ENCRYPTED_STREAM) is an internal type
that defines the following addressing attributes:
| **Attribute name** | **Description** |
| --- | --- |
| cipher_mode | The cipher mode used by the encryption method, for example XTS |
| encryption_method | The method used to encrypt the stream, for example AES |
| initialization_vector | The initialization vector used to encrypt the stream |
| key | The key used to encrypt the stream |
| parent | The parent path specification |
**Note that it is recommended to use the credential manager instead of providing
decryption keys (credentials) in a path specification.**
### The EWF storage media image type
The EWF type (TYPE_INDICATOR_EWF) is a type that addresses storage media images
stored within the [Expert Witness (Compression) Format](https://forensicswiki.xyz/wiki/index.php?title=Encase_image_file_format).
| **Attribute name** | **Description** |
| --- | --- |
| parent | The parent path specification |
**Note that at the moment this type is not addressable as a file system.**
**Note that at the moment L01 or Lx01 files are not supported.**
### The EXT file system type
The EXT type (TYPE_INDICATOR_EXT) is a type that addresses files stored within
an Extended file system (ext).
| **Attribute name** | **Description** |
| --- | --- |
| inode | The inode number of the file entry |
| location | The location of the file entry |
| parent | The parent path specification |
### The fake file system type
The FAKE type (TYPE_INDICATOR_FAKE) is a virtual file system intended for
testing purposes.
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the file entry |
| parent | The parent path specification, must be None |
### The FVDE volume system type
The FVDE type (TYPE_INDICATOR_FVDE) is a type that addresses volumes stored
within a FileVault encrypted CoreStorage volume.
| **Attribute name** | **Description** |
| --- | --- |
| encrypted_root_plist | The path of the EncryptedRoot.plist.wipekey file to unlock the FileVault volume |
| password | The password to unlock the FileVault volume |
| parent | The parent path specification |
| recovery_password | The recovery password to unlock the FileVault volume |
**Note that it is recommended to use the credential manager instead of providing
decryption keys (credentials) in a path specification.**
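The three notes above recommending the credential manager, as an added example that is not dfVFS's own code: what it looks like when credentials do end up inside a path specification, and a check that finds and redacts them before the chain is written to a log or a storage file. The text format parsed here (one `type: ...` line per level, attributes as `name: value` pairs) is modelled on the string dfVFS builds for its `comparable` property and is an assumption for this example; the sample chain, its image path and its passwords are constructed.

```python
# Added example, not dfVFS code: find and redact inline credentials in the
# text form of a path specification chain.
import re

# Attribute names from the BDE, FVDE, LUKSDE and encrypted stream tables that
# hold secret material. startup_key and encrypted_root_plist are file paths,
# not secrets themselves, so they are left in place.
CREDENTIAL_ATTRIBUTES = frozenset({'password', 'recovery_password', 'key'})

# Constructed sample: a BitLocker volume in the second partition of an EWF
# image, unlocked with a password and a recovery password given inline.
SAMPLE = (
    'type: OS, location: /cases/laptop.E01\n'
    'type: EWF\n'
    'type: TSK_PARTITION, location: /p2\n'
    'type: BDE, password: hunter2, recovery_password: 123456-789012-345678\n'
    'type: NTFS, location: \\Windows\\System32\\config\\SAM\n'
)

# Attributes are separated by ", " followed by "<name>: ". A location that
# itself contains such a sequence would be split wrongly; that ambiguity is
# inherent to the text form, which is meant for comparison, not as an input
# format to trust.
_ATTRIBUTE_SPLIT = re.compile(r', (?=[a-z_]+: )')


def parse_comparable(text):
    """Return [(type_indicator, [(name, value), ...]), ...], root first."""
    levels = []
    for line in text.splitlines():
        if not line.startswith('type: '):
            raise ValueError('malformed level: {0:s}'.format(line))
        parts = _ATTRIBUTE_SPLIT.split(line[len('type: '):])
        attributes = [tuple(part.split(': ', 1)) for part in parts[1:]]
        levels.append((parts[0], attributes))
    return levels


def serialize(levels):
    """Inverse of parse_comparable; attribute order is preserved."""
    lines = []
    for type_indicator, attributes in levels:
        line = 'type: {0:s}'.format(type_indicator)
        line += ''.join(', {0:s}: {1:s}'.format(n, v) for n, v in attributes)
        lines.append(line + '\n')
    return ''.join(lines)


def find_credentials(levels):
    """(type_indicator, attribute name) pairs that carry an inline credential."""
    return [(type_indicator, name)
            for type_indicator, attributes in levels
            for name, _ in attributes if name in CREDENTIAL_ATTRIBUTES]


def redact_comparable(text):
    """Replace credential values so the chain can be logged safely."""
    redacted = []
    for type_indicator, attributes in parse_comparable(text):
        redacted.append((type_indicator, [
            (name, '<redacted>' if name in CREDENTIAL_ATTRIBUTES else value)
            for name, value in attributes]))
    return serialize(redacted)


if __name__ == '__main__':
    for type_indicator, name in find_credentials(parse_comparable(SAMPLE)):
        print('inline credential: {0:s}.{1:s}'.format(type_indicator, name))
    print(redact_comparable(SAMPLE))
```

The point of `find_credentials()` is as a pre-flight check: a tool that accepts path specifications from a configuration file or a command line can refuse, or at least warn, when a chain carries a password that will otherwise be copied into every log line and storage record that includes the chain. Using the credential manager keeps the secret out of the chain entirely, which is why the page recommends it.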
### The gzip file type
The GZIP type (TYPE_INDICATOR_GZIP) is a type that addresses data stored within
the [gzip compressed stream file format](https://forensicswiki.xyz/wiki/index.php?title=Gzip).
| **Attribute name** | **Description** |
| --- | --- |
| parent | The parent path specification |
### The LUKSDE volume system type
The LUKSDE type (TYPE_INDICATOR_LUKSDE) is a type that addresses volumes stored
within a LUKS encrypted volume.
| **Attribute name** | **Description** |
| --- | --- |
| password | The password to unlock the LUKS volume |
| parent | The parent path specification |
### The LVM volume system type
The LVM type (TYPE_INDICATOR_LVM) is a type that addresses volumes stored
within a Logical Volume Manager (LVM) volume system.
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the volume within the LVM volume system |
| parent | The parent path specification |
| volume_index | The index of the volume within the LVM volume system |
### The mount type
The MOUNT type (TYPE_INDICATOR_MOUNT) is a type that defines a mount point
within dfVFS. Also see [the mount point manager](https://github.com/log2timeline/dfvfs/wiki/Internals).
| **Attribute name** | **Description** |
| --- | --- |
| identifier | The identifier of the mount point |
| parent | The parent path specification, must be None |
### The NTFS file system type
The NTFS type (TYPE_INDICATOR_NTFS) is a type that addresses files stored within
a Windows NT file system (NTFS).
| **Attribute name** | **Description** |
| --- | --- |
| data_stream | The name of the data stream in the file entry |
| location | The location of the file entry |
| mft_attribute | The index of the $FILE_NAME attribute, within the MFT entry, that contains the name of the file entry |
| mft_entry | The identifier of the MFT entry within the file system |
| parent | The parent path specification |
### The operating system type
The OS type (TYPE_INDICATOR_OS) is a type that addresses files stored within an
operating system.
| **Attribute name** | **Description** |
| --- | --- |
| location | The operating system specific location of the file entry which corresponds to the path. <br> E.g. C:\Windows\System32\config\SAM or /etc/passwd |
| parent | The parent path specification, must be None |
### The QCOW storage media image type
The QCOW type (TYPE_INDICATOR_QCOW) is a type that addresses storage media
images stored within the [QCOW image format](https://forensicswiki.xyz/wiki/index.php?title=QCOW_Image_Format),
versions 1, 2 and 3.
| **Attribute name** | **Description** |
| --- | --- |
| parent | The parent path specification |
**Note that at the moment this type is not addressable as a file system.**
### The RAW storage media image type
The RAW storage media image type (TYPE_INDICATOR_RAW) is a type that addresses
storage media images stored within the [RAW image format](https://forensicswiki.xyz/wiki/index.php?title=Raw_Image_Format).
| **Attribute name** | **Description** |
| --- | --- |
| parent | The parent path specification |
**Note that at the moment this type is not addressable as a file system.**
### The SQLite blob file type
The SQLite blob type (TYPE_INDICATOR_SQLITE_BLOB) is a type that addresses files
stored within a blob within a SQLite file.
| **Attribute name** | **Description** |
| --- | --- |
| column_name | The name of the column in which the blob is stored |
| parent | The parent path specification |
| row_condition | A condition that matches the row in which the blob is stored |
| row_index | The index of the row in which the blob is stored |
| table_name | The name of the table in which the blob is stored |
### The tar archive file type
The TAR type (TYPE_INDICATOR_TAR) is a type that addresses files stored within
the [tar archive file format](https://forensicswiki.xyz/wiki/index.php?title=Tar).
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the file entry within the tar archive |
| parent | The parent path specification |
**Note that to access e.g. a .tar.gz file, a path specification of type TAR should be stacked on top of one of type GZIP.**
### The SleuthKit file system type
The TSK type (TYPE_INDICATOR_TSK) is a type that addresses files stored within
a SleuthKit supported file system.
| **Attribute name** | **Description** |
| --- | --- |
| inode | The inode number of the file entry |
| location | The location of the file entry |
| parent | The parent path specification |
### The SleuthKit volume system type
The TSK_PARTITION type (TYPE_INDICATOR_TSK_PARTITION) is a type that addresses
volumes stored within a SleuthKit supported volume system, which largely
consists of support for the [APM](https://forensicswiki.xyz/wiki/index.php?title=APM),
[GPT](https://forensicswiki.xyz/wiki/index.php?title=GPT) and
[MBR](https://forensicswiki.xyz/wiki/index.php?title=Master_boot_record) partitioning
systems.
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the volume within the volume system |
| parent | The parent path specification |
| part_index | The SleuthKit part index that indicates the volume within the volume system |
| start_offset | The start offset, in bytes, of the volume within the volume system |
### The VHD storage media image type
The VHDI type (TYPE_INDICATOR_VHDI) is a type that addresses storage media
images stored within the [Virtual Hard Disk Image format](https://forensicswiki.xyz/wiki/index.php?title=Virtual_Hard_Disk_(VHD)).
| **Attribute name** | **Description** |
| --- | --- |
| parent | The parent path specification |
**Note that at the moment this type is not addressable as a file system.**
### The VMDK storage media image type
The VMDK type (TYPE_INDICATOR_VMDK) is a type that addresses storage media
images stored within the [VMWare Virtual Disk Format](https://forensicswiki.xyz/wiki/index.php?title=VMWare_Virtual_Disk_Format_(VMDK)).
| **Attribute name** | **Description** |
| --- | --- |
| parent | The parent path specification |
**Note that at the moment this type is not addressable as a file system.**
### The VSS volume system type
The VSHADOW type (TYPE_INDICATOR_VSHADOW) is a type that addresses volumes
stored within the [Volume Shadow Snapshots (VSS)](https://forensicswiki.xyz/wiki/index.php?title=Windows_Shadow_Volumes).
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the volume within the volume system |
| parent | The parent path specification |
| store_index | The store index of the volume within the volume system |
### The zip archive file type
The ZIP type (TYPE_INDICATOR_ZIP) is a type that addresses files stored within
the [zip archive file format](https://forensicswiki.xyz/wiki/index.php?title=Zip).
| **Attribute name** | **Description** |
| --- | --- |
| location | The location of the file entry within the zip archive |
| parent | The parent path specification |