-
Notifications
You must be signed in to change notification settings - Fork 45
Home
dfVFS, or Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
dfVFS originates from the Plaso project and is also based on ideas from the GRR project. It was largely rewritten and made into a stand-alone project to provide more flexibility and allow other projects to make use of the VFS functionality. dfVFS originally was named PyVFS, but that name conflicted with another project.
dfVFS is currently implemented as a Python module. A packaged version can be found on the Downloads page.
Note that is project is a continuous work in progress.
For more information see:
Travis-CI | AppVeyor | Coveralls |
---|---|---|
- EWF (EWF-E01, EWF-Ex01, EWF-S01) (Requires: libewf/pyewf)
- QCOW version 1, 2, 3 (Requires: libqcow/pyqcow)
- Storage Media device (Requires: libsmdev/pysmdev)
- (split) Storage Media RAW (Requires: libsmraw/pysmraw)
- VHD (Requires: libvhdi/pyvhdi)
- VMDK (Requires: libvmdk/pyvmdk)
Note that at the moment differential images are not supported.
- APM (Requires: libtsk/pytsk)
- BitLocker (BDE) (Requires: libbde/pybde)
- AES-XTS variant not supported yet
- GPT (Requires: libtsk/pytsk)
- LVM (Requires: libvslvm/pyvslvm)
- Pending changes for single physical volume LVM support
- MBR (Requires: libtsk/pytsk)
- VSS (Requires: libvshadow/pyvshadow)
- ext version 2, 3, 4 (Requires: libtsk/pytsk)
- FAT (Requires: libtsk/pytsk)
- HFS, HFS+, HFSX (Requires: libtsk/pytsk)
- NTFS version 3 (Requires: libtsk/pytsk)
- UFS version 1, 2 (Requires: libtsk/pytsk)
TODO add more detail here regarding FAT and other supported FS
- bzip2
- gzip
- zlib (both zlib-DEFLATE and raw-DEFLATE)
- base16
- base32
- base64
- RC4 (Requires: pycrypto)
- cpio
- Pending changes
- tar
- zip
- blob stored in SQlite