Digital Evidence Containers (DECs) are files that contain one or more items of digital evidence. Common examples are DD, E01, and AFF files.
In the framework, DECs are represented by two types of classes, containers and streams. Containers represent the container file, while streams are the logical representation of the digital evidence.
To use a DEC, initialize the container, and then use the Container.list() and Container.open() to enumerate and open streams inside the container. For example:
>>> raw_file = Raw.open("/path/to/image.dd")
>>> raw_file.list()
[StreamInfo(id=0)]
>>> raw_stream = raw_file.open(0)
For container types that need to manage the stream position (i.e. aren’t just wrappers around an existing stream type) there exists the ManagedIStream class.
Base class for container files. Subclasses are required to implement the list() and open() methods.
Lists streams inside a container
| Return type: | list |
|---|---|
| Returns: | A list of StreamInfo objects, describing the streams inside the container. |
Opens a stream for use.
| Return type: | IStream |
|---|---|
| Returns: | The appropriate stream. |
A container for raw/dd files.
| Parameter: | name (str) – The name of the raw/dd file. |
|---|
A container file for a bytes or bytearray object.
| Parameter: | bytes (bytes or bytearray) – The bytes or bytearray object to wrap around. |
|---|
A container for a stream whose contents are a subset of another stream.
| Parameters: |
|
|---|
A container for a stream composed of subsets of other streams.
| Parameter: | segments (list of tuples) – A list of tuples, where the elements of each tuple are:
|
|---|
A container for a raw/dd file that has been split into pieces.
| Parameter: | names (list of strings) – A list of the names of the raw/dd files. |
|---|
StreamInfo objects are used to describe information (e.g. name of file) about a stream.
Base class for input streams. All input streams are required to be seekable (random access). Subclasses are required to implement the seek(), tell(), and readinto() methods.
Positions the stream at offset, relative to whence. Valid values for whence are the same as the Python io module. They are:
- SEEK_SET - The start of the stream.
- SEEK_CUR - Current stream position.
- SEEK_END - The end of the stream.
| Parameters: |
|
|---|
| Raises ValueError: | |||||
|---|---|---|---|---|---|
If the stream is closed, whence is not one of the SEEK_* constants, or whence is SEEK_SET and offset is negative.
|
|||||
Returns the absolute position of the stream.
| Raises ValueError: | |
|---|---|
| If the stream is closed. | |
| Return type: | int |
| Returns: | The position in the stream. |
Reads up to len(b) bytes into b.
| Parameter: | b (bytearray) – A bytearray to hold the bytes read from the stream. |
|---|---|
| Raises ValueError: | |
| If the stream is closed. | |
| Return type: | int |
| Returns: | The number of bytes read. |
An IStream that keeps track of stream position. This class is useful when implementing your own stream types. The seek(), and tell() methods are provided.
The seek() and tell() methods update the _position attribute.
Note
In order for this class to properly implement the seek() method, subclasses are required to set the size attribute.
An IStream that wraps around an existing Python io stream.
| Parameters: |
|
|---|
A stream for raw/dd files.
| Parameter: | name (str) – The name of the raw/dd image file. |
|---|
Note
This class raises IOError (instead of ValueError) in the seek() method if the offset parameter is negative, and whence is SEEK_SET.
A stream for a bytes or bytearray object.
| Parameter: | bytes (bytes or bytearray) – The bytes or bytearray object to read from. |
|---|
A stream that is a subset of another stream.
| Parameters: |
|
|---|
A stream composed of subsets of other streams.
| Parameter: | segments (list of tuples) – A list of tuples where the elements of each tuple are:
|
|---|