From 9329fa56eb6dfa76ddbdcfa5b3621583fbd96b59 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Tue, 29 Jul 2025 14:41:45 +0000 Subject: [PATCH 01/25] Add supported targets page with an extension The contents get generated from the files inside of defaults_/*.csv --- .gitignore | 2 + docs/source/_ext/supported_targets.py | 289 ++++++++++++++++++++++++++ docs/source/conf.py | 1 + docs/source/index.rst | 1 + docs/source/supported-targets.rst | 73 +++++++ 5 files changed, 366 insertions(+) create mode 100644 docs/source/_ext/supported_targets.py create mode 100644 docs/source/supported-targets.rst diff --git a/.gitignore b/.gitignore index d18c6d2..727d561 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,5 @@ _build/ __pycache__ docs/source/api/*/ +# The csv files inside this folder get automatically generated +docs/source/supported_targets/ diff --git a/docs/source/_ext/supported_targets.py b/docs/source/_ext/supported_targets.py new file mode 100644 index 0000000..7410591 --- /dev/null +++ b/docs/source/_ext/supported_targets.py @@ -0,0 +1,289 @@ +""" +This extension generates csv files for our supported targets. +""" + +from __future__ import annotations + +import csv +import importlib +import inspect +from dataclasses import dataclass, field +from functools import partial +from pathlib import Path +from typing import TYPE_CHECKING, Any, Callable, TextIO +from unittest.mock import Mock, patch + +from dissect.target.container import Container +from dissect.target.filesystem import Filesystem +from dissect.target.loader import LOADERS_BY_SCHEME, Loader +from dissect.target.plugin import PLUGINS, ChildTargetPlugin, OSPlugin +from dissect.target.volume import EncryptedVolumeSystem, LogicalVolumeSystem, VolumeSystem +from sphinx.util.logging import getLogger +from typing_extensions import Self + +if TYPE_CHECKING: + from collections.abc import Iterator + from types import ModuleType + + from sphinx.application import Sphinx + +LOGGER = getLogger(__name__) +ORIG_IMPORT = __import__ + + +@dataclass(eq=True, frozen=True) +class CSVItemBase: + module: str + type_: str + name: str + description: str + + @classmethod + def from_class(cls, klass: type, spec: LookupSpec, info: dict[str, str], **kwargs) -> Self: + _type = getattr(klass, "__type__", klass.__name__.removesuffix(spec.remove_suffix).lower()) + description = info.get(_type, "") + + if not description: + LOGGER.warning( + ("There was no description defined for %s. Please add a description for %r inside '_defaults/%s.csv'"), + klass.__name__, + _type, + spec.name, + ) + return cls( + module=klass.__module__, + type_=_type, + name=klass.__name__, + description=description, + **kwargs, + ) + + @property + def sphinx_class_string(self) -> str: + return f":class:`~{self.module}.{self.name}`" + + def as_dict(self) -> dict[str, str]: + return { + "Class": self.sphinx_class_string, + "Description": self.description, + } + + +class CSVItem(CSVItemBase): + def as_dict(self) -> dict[str, str]: + return { + "Class": self.sphinx_class_string, + "Type": f"``{self.type_}``", + "Description": self.description, + } + + +@dataclass(eq=True, frozen=True) +class LoaderCSVItem(CSVItemBase): + shorthand: str = "" + + def as_dict(self) -> dict[str, str]: + shorthand = self.shorthand + if self.type_ == "direct": + shorthand = "--direct" + + return { + "Class": self.sphinx_class_string, + "CMD Option": f"``{shorthand}``" if shorthand else "", + "Description": self.description, + } + + +def parse_descriptions(csv_file: Path) -> dict[str, str]: + target_dict: dict[str, str] = {} + try: + with csv_file.open("rt") as defaults: + file = csv.DictReader(defaults) + for line in file: + target_dict.update({line["name"]: line["description"]}) + except FileNotFoundError: + LOGGER.warning("missing defaults file at '_defaults/%s'", csv_file.name) + return {} + + return target_dict + + +def _create_loader_items(spec: LookupSpec, info: dict[str, str]) -> set[CSVItemBase]: + loader_items: set[LoaderCSVItem] = set() + + with patch("builtins.__import__", side_effect=mocked_import): + loader_items.update( + LoaderCSVItem.from_class(klass.realattr, spec=spec, info=info, shorthand=f"-L {shorthand}") + for (shorthand, klass) in LOADERS_BY_SCHEME.items() + ) + loaders = importlib.import_module(spec.subclass_location) + + loader_items.update( + LoaderCSVItem.from_class(klass, spec=spec, info=info) for klass in _find_subclasses(loaders, spec) + ) + + return loader_items + + +def _create_os_items(spec: LookupSpec, info: dict[str, str]) -> set[CSVItemBase]: + operating_systems: set[CSVItemBase] = set() + + for plugin_desc in PLUGINS.__plugins__.__os__.values(): + module = importlib.import_module(plugin_desc.module) + klass: type = getattr(module, plugin_desc.qualname) + operating_systems.add(CSVItemBase.from_class(klass, spec=spec, info=info)) + + return operating_systems + + +def _create_items(spec: LookupSpec, info: dict[str, str], item_class: type[CSVItemBase] = CSVItem) -> set[CSVItemBase]: + base_module = importlib.import_module(spec.subclass_location) + csv_items: set[CSVItemBase] = set() + csv_items.update( + item_class.from_class(class_, spec=spec, info=info) for class_ in _find_subclasses(base_module, spec) + ) + + return csv_items + + +def _create_partition_items(spec: LookupSpec, info: dict[str, str]) -> set[CSVItemBase]: + partition_schemes: set[CSVItemBase] = set() + + module = importlib.import_module(spec.subclass_location) + partition_schemes.update( + CSVItemBase.from_class(getattr(module, name), spec=spec, info=info) for name in module.__all__ + ) + + return partition_schemes + + +def mocked_import(name: str, *args) -> ModuleType: + """Mock all the unknown imports""" + try: + return ORIG_IMPORT(name, *args) + except ImportError: + return Mock() + + +def _find_subclasses(module: ModuleType, spec: LookupSpec) -> Iterator[type]: + for path in Path(module.__spec__.origin).parent.iterdir(): + if not path.is_file(): + continue + if path.stem == "__init__": + continue + + component = importlib.import_module(".".join([module.__name__, path.stem])) + yield from _filter_subclasses(spec, component) + + +def _filter_subclasses(spec: LookupSpec, module: ModuleType) -> Iterator[type]: + exclusions: list[type] = spec.exclusions + + if callable(exclusions): + exclusions = exclusions() + + for _, _class in inspect.getmembers(module): + if not inspect.isclass(_class): + continue + + if _class is spec.base_class: + continue + + if _class in exclusions: + continue + + if issubclass(_class, spec.base_class): + yield _class + + +def write_to_csv(output_file: TextIO, items: list[CSVItemBase]) -> None: + first_item = items[0].as_dict() + + writer = csv.DictWriter(output_file, fieldnames=first_item.keys()) + writer.writeheader() + writer.writerow(first_item) + writer.writerows(item.as_dict() for item in items[1:]) + + +@dataclass +class LookupSpec: + name: str + base_class: type | None + remove_suffix: str = "" + subclass_location: str = "" + exclusions: list[type] | Callable[[], list[type]] = field(default_factory=list) + item_function: Callable[[LookupSpec, dict[str, str]], set[CSVItemBase]] = _create_items + + +def _loader_exclusions() -> list[type[Loader]]: + return [loader.realattr for loader in LOADERS_BY_SCHEME.values()] + + +SUPPORTED_SYSTEMS = [ + LookupSpec( + name="loaders", + base_class=Loader, + remove_suffix="Loader", + subclass_location="dissect.target.loaders", + exclusions=_loader_exclusions, + item_function=_create_loader_items, + ), + LookupSpec( + name="volumes", + base_class=VolumeSystem, + remove_suffix="VolumeSystem", + subclass_location="dissect.target.volumes", + exclusions=[EncryptedVolumeSystem, LogicalVolumeSystem], + ), + LookupSpec( + name="containers", + base_class=Container, + remove_suffix="Container", + subclass_location="dissect.target.containers", + ), + LookupSpec( + name="filesystems", + base_class=Filesystem, + remove_suffix="Filesystem", + subclass_location="dissect.target.filesystems", + ), + LookupSpec( + name="child_targets", + base_class=ChildTargetPlugin, + remove_suffix="ChildTargetPlugin", + subclass_location="dissect.target.plugins.child", + item_function=partial(_create_items, item_class=CSVItemBase), + ), + LookupSpec(name="operating_systems", base_class=OSPlugin, remove_suffix="Plugin", item_function=_create_os_items), + LookupSpec( + name="partition_schemes", + base_class=None, + subclass_location="dissect.volume.disk.schemes", + item_function=_create_partition_items, + ), +] + + +def builder_inited(app: Sphinx) -> None: + dst = Path(app.srcdir).joinpath("supported_targets") + dst.mkdir(exist_ok=True) + + csv_default_dir = Path(app.srcdir).joinpath("_defaults") + + for spec in SUPPORTED_SYSTEMS: + info_dict = parse_descriptions(csv_default_dir.joinpath(f"{spec.name}.csv")) + csv_items = list(spec.item_function(spec, info_dict)) + csv_items.sort(key=lambda x: x.name) + with dst.joinpath(f"{spec.name}.csv").open("wt") as fh: + write_to_csv(fh, csv_items) + + +def setup(app: Sphinx) -> dict[str, Any]: + app.connect("builder-inited", builder_inited) + app.add_config_value("dissect_table_keep_files", False, "html") + + return { + "version": "0.1", + "parallel_read_safe": True, + "parallel_write_safe": True, + } diff --git a/docs/source/conf.py b/docs/source/conf.py index f562ada..0941b1e 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -51,6 +51,7 @@ "sphinx_copybutton", "sphinx_design", "dissect_plugins", + "supported_targets", ] # Define the canonical URL if you are using a custom domain on Read the Docs diff --git a/docs/source/index.rst b/docs/source/index.rst index 0a8ae28..ad62162 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -98,6 +98,7 @@ Get in touch, join us on `github `_! Shell Mount Acquire + Supported Targets RDump diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst new file mode 100644 index 0000000..768c184 --- /dev/null +++ b/docs/source/supported-targets.rst @@ -0,0 +1,73 @@ +Supported targets +----------------- + +This page contains a list of the systems that ``dissect`` supports. + +Loaders +~~~~~~~ + +.. Descriptions can be reworded by changing _defaults/loaders.csv +.. csv-table:: Supported Loaders + :header-rows: 1 + :file: /supported_targets/loaders.csv + :widths: 15 10 25 + + +Containers +~~~~~~~~~~ + +.. Descriptions can be reworded by changing _defaults/containers.csv +.. csv-table:: Supported Containers + :header-rows: 1 + :file: /supported_targets/containers.csv + :widths: 15 10 25 + + +Partition Schemes +~~~~~~~~~~~~~~~~~ + +.. Descriptions can be reworded by changing _defaults/containers.csv +.. csv-table:: Supported Partition Schemes + :header-rows: 1 + :file: /supported_targets/partition_schemes.csv + :widths: 15 35 + + +Volume Systems +~~~~~~~~~~~~~~ + +.. Descriptions can be reworded by changing _defaults/volumes.csv +.. csv-table:: Supported Volume Systems + :header-rows: 1 + :file: /supported_targets/volumes.csv + :widths: 15 10 25 + + +Filesystems +~~~~~~~~~~~ + +.. Descriptions can be reworded by changing _defaults/filesystems.csv +.. csv-table:: Supported Filesystems + :header-rows: 1 + :file: /supported_targets/filesystems.csv + :widths: 15 10 25 + + +Operating Systems +~~~~~~~~~~~~~~~~~ + +.. Descriptions can be reworded by changing _defaults/operating_systems.csv +.. csv-table:: Supported Operating Systems + :header-rows: 1 + :file: /supported_targets/operating_systems.csv + :widths: 15 35 + +Child Targets +~~~~~~~~~~~~~ + +.. Descriptions can be reworded by changing _defaults/operating_systems.csv +.. csv-table:: Supported Child Targets + :header-rows: 1 + :file: /supported_targets/child_targets.csv + :widths: 15 35 + From a78a215c4e89490812496105431840e26b6eccbc Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Tue, 29 Jul 2025 14:42:30 +0000 Subject: [PATCH 02/25] Add the defaults for every type These were generated by taking the first line from the class its docstring --- docs/source/_defaults/child_targets.csv | 12 +++++++ docs/source/_defaults/containers.csv | 13 +++++++ docs/source/_defaults/filesystems.csv | 28 +++++++++++++++ docs/source/_defaults/loaders.csv | 40 +++++++++++++++++++++ docs/source/_defaults/operating_systems.csv | 22 ++++++++++++ docs/source/_defaults/partition_schemes.csv | 5 +++ docs/source/_defaults/volumes.csv | 8 +++++ 7 files changed, 128 insertions(+) create mode 100644 docs/source/_defaults/child_targets.csv create mode 100644 docs/source/_defaults/containers.csv create mode 100644 docs/source/_defaults/filesystems.csv create mode 100644 docs/source/_defaults/loaders.csv create mode 100644 docs/source/_defaults/operating_systems.csv create mode 100644 docs/source/_defaults/partition_schemes.csv create mode 100644 docs/source/_defaults/volumes.csv diff --git a/docs/source/_defaults/child_targets.csv b/docs/source/_defaults/child_targets.csv new file mode 100644 index 0000000..8f3589a --- /dev/null +++ b/docs/source/_defaults/child_targets.csv @@ -0,0 +1,12 @@ +name,description +colima,Child target plugin that yields Colima containers. +docker,Child target plugin that yields from Docker overlay2fs containers. +esxi,Child target plugin that yields from ESXi VM inventory. +hyper-v,Child target plugin that yields from Hyper-V VM inventory. +parallels,Child target plugin that yields Parallels Desktop VM files. +proxmox,Child target plugin that yields from the VM listing. +qemu,Child target plugin that yields all QEMU domains from a KVM libvirt deamon. +virtualbox,Child target plugin that yields from Oracle VirtualBox VMs. +virtuozzo,Child target plugin that yields from Virtuozzo container's root. +vmware_workstation,Child target plugin that yields from VMware Workstation VM inventory. +wsl,Child target plugin that yields WSL VHDX file locations. diff --git a/docs/source/_defaults/containers.csv b/docs/source/_defaults/containers.csv new file mode 100644 index 0000000..ac1986b --- /dev/null +++ b/docs/source/_defaults/containers.csv @@ -0,0 +1,13 @@ +name,description +asdf,No documentation +ewf,Expert Witness Disk Image Format. +fortifw,No documentation +hdd,No documentation +hds,No documentation +qcow2,No documentation +raw,No documentation +split,No documentation +vdi,VirtualBox hard disks. +vhd,No documentation +vhdx,No documentation +vmdk,VMware virtual hard disks. diff --git a/docs/source/_defaults/filesystems.csv b/docs/source/_defaults/filesystems.csv new file mode 100644 index 0000000..341c513 --- /dev/null +++ b/docs/source/_defaults/filesystems.csv @@ -0,0 +1,28 @@ +name,description +ad1,No documentation +btrfs,No documentation +btrfs,No documentation +cb,No documentation +META:configuration,A special :class:`.Filesystem` class that allows you to browse and interact with configuration files +cpio,No documentation +dir,No documentation +exfat,No documentation +ext,No documentation +fat,No documentation +ffs,No documentation +itunes,Filesystem implementation for iTunes backups. +jffs,No documentation +layer,No documentation +nfs,Filesystem implementation of a NFS share +ntfs,No documentation +overlay2,Overlay 2 filesystem implementation. +qnxfs,No documentation +smb,Filesystem implementation for SMB. +squashfs,No documentation +tar,Filesystem implementation for tar files. +vbk,Filesystem implementation for VBK files. +virtual,No documentation +vmfs,No documentation +vmtar,No documentation +xfs,No documentation +zip,Filesystem implementation for zip files. diff --git a/docs/source/_defaults/loaders.csv b/docs/source/_defaults/loaders.csv new file mode 100644 index 0000000..8661ae6 --- /dev/null +++ b/docs/source/_defaults/loaders.csv @@ -0,0 +1,40 @@ +name,description +androidbackup,Load Android backup files. +asdf,Load an ASDF target. +cb,Use Carbon Black endpoints as targets using Live Response. +cellebrite,Load Cellebrite UFED exports (``.ufdx`` and ``.ufd``). +cyber,No documentation +dir,Load a directory as a filesystem. +direct,No documentation +hyperv,Load Microsoft Hyper-V hypervisor files. +itunes,Load iTunes backup files. +kape,Load KAPE forensic image format files. +libvirt,Load libvirt xml configuration files. +local,Load local filesystem. +log,Load separate log files without a target. +mqtt,Load remote targets through a broker. +multiraw,Load multiple raw containers as a single target (i.e. a multi-disk system). +ova,Load Open Virtual Appliance (OVA) files. +overlay2,Load overlay2 filesystems. +ovf,Load Open Virtualization Format (OVF) files. +phobos,Load Phobos Ransomware files. +profile,Load NTUSER.DAT files. +proxmox,Loader for Proxmox VM configuration files. +pvm,Parallels VM directory (.pvm). +pvs,Parallels VM configuration file (config.pvs). +raw,Load raw container files such as disk images. +remote,Load a remote target that runs a compatible Dissect agent. +res,No documentation +smb,Use remote SMB servers as targets. +tanium,Load Tanium forensic image format files. +tar,Load tar files. +target,Load target files. +utm,Load UTM virtual machine files. +vb,No documentation +vbox,Load Oracle VirtualBox files. +vbk,Load Veaam Backup (VBK) files. +velociraptor,Load Rapid7 Velociraptor forensic image files. +vma,Load Proxmox Virtual Machine Archive (VMA) files. +vmwarevm,Load ``*.vmwarevm`` folders from VMware Fusion. +vmx,Load VMware virtual machine configuration (VMX) files. +xva,Load Citrix Hypervisor XVA format files. diff --git a/docs/source/_defaults/operating_systems.csv b/docs/source/_defaults/operating_systems.csv new file mode 100644 index 0000000..f68d3d7 --- /dev/null +++ b/docs/source/_defaults/operating_systems.csv @@ -0,0 +1,22 @@ +name,description +android,No documentation +bsd,No documentation +citrix,No documentation +darwin,Darwin plugin. +debian,No documentation +defaultos,No documentation +esxi,ESXi OS plugin +fortios,FortiOS plugin for various Fortinet appliances. +freebsd,No documentation +ios,Apple iOS plugin. +linux,Linux plugin. +macos,No documentation +openbsd,No documentation +profileos,No documentation +proxmox,No documentation +redhat,"RedHat, CentOS and Fedora Plugin." +resos,No documentation +suse,No documentation +unix,UNIX plugin. +vyos,No documentation +windows,No documentation diff --git a/docs/source/_defaults/partition_schemes.csv b/docs/source/_defaults/partition_schemes.csv new file mode 100644 index 0000000..1c594d2 --- /dev/null +++ b/docs/source/_defaults/partition_schemes.csv @@ -0,0 +1,5 @@ +name,description +apm,Apple Partition Map. +bsd,BSD disklabel. +gpt,GUID Partition Table. +mbr,Master Boot Record. diff --git a/docs/source/_defaults/volumes.csv b/docs/source/_defaults/volumes.csv new file mode 100644 index 0000000..1fb9ee1 --- /dev/null +++ b/docs/source/_defaults/volumes.csv @@ -0,0 +1,8 @@ +name,description +bitlocker,No documentation +ddf,No documentation +disk,No documentation +luks,No documentation +lvm,No documentation +md,No documentation +vmfs,No documentation From fe39c05c016d1d94ee767c67c2469f47a2f55f4f Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 8 Oct 2025 17:33:44 +0200 Subject: [PATCH 03/25] Remove supported_targets plugin in favor of a manual table --- .gitignore | 2 - docs/source/_defaults/child_targets.csv | 12 - docs/source/_defaults/containers.csv | 13 - docs/source/_defaults/filesystems.csv | 28 -- docs/source/_defaults/loaders.csv | 40 --- docs/source/_defaults/operating_systems.csv | 22 -- docs/source/_defaults/partition_schemes.csv | 5 - docs/source/_defaults/volumes.csv | 8 - docs/source/_ext/supported_targets.py | 289 -------------------- docs/source/conf.py | 1 - 10 files changed, 420 deletions(-) delete mode 100644 docs/source/_defaults/child_targets.csv delete mode 100644 docs/source/_defaults/containers.csv delete mode 100644 docs/source/_defaults/filesystems.csv delete mode 100644 docs/source/_defaults/loaders.csv delete mode 100644 docs/source/_defaults/operating_systems.csv delete mode 100644 docs/source/_defaults/partition_schemes.csv delete mode 100644 docs/source/_defaults/volumes.csv delete mode 100644 docs/source/_ext/supported_targets.py diff --git a/.gitignore b/.gitignore index 727d561..d18c6d2 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,3 @@ _build/ __pycache__ docs/source/api/*/ -# The csv files inside this folder get automatically generated -docs/source/supported_targets/ diff --git a/docs/source/_defaults/child_targets.csv b/docs/source/_defaults/child_targets.csv deleted file mode 100644 index 8f3589a..0000000 --- a/docs/source/_defaults/child_targets.csv +++ /dev/null @@ -1,12 +0,0 @@ -name,description -colima,Child target plugin that yields Colima containers. -docker,Child target plugin that yields from Docker overlay2fs containers. -esxi,Child target plugin that yields from ESXi VM inventory. -hyper-v,Child target plugin that yields from Hyper-V VM inventory. -parallels,Child target plugin that yields Parallels Desktop VM files. -proxmox,Child target plugin that yields from the VM listing. -qemu,Child target plugin that yields all QEMU domains from a KVM libvirt deamon. -virtualbox,Child target plugin that yields from Oracle VirtualBox VMs. -virtuozzo,Child target plugin that yields from Virtuozzo container's root. -vmware_workstation,Child target plugin that yields from VMware Workstation VM inventory. -wsl,Child target plugin that yields WSL VHDX file locations. diff --git a/docs/source/_defaults/containers.csv b/docs/source/_defaults/containers.csv deleted file mode 100644 index ac1986b..0000000 --- a/docs/source/_defaults/containers.csv +++ /dev/null @@ -1,13 +0,0 @@ -name,description -asdf,No documentation -ewf,Expert Witness Disk Image Format. -fortifw,No documentation -hdd,No documentation -hds,No documentation -qcow2,No documentation -raw,No documentation -split,No documentation -vdi,VirtualBox hard disks. -vhd,No documentation -vhdx,No documentation -vmdk,VMware virtual hard disks. diff --git a/docs/source/_defaults/filesystems.csv b/docs/source/_defaults/filesystems.csv deleted file mode 100644 index 341c513..0000000 --- a/docs/source/_defaults/filesystems.csv +++ /dev/null @@ -1,28 +0,0 @@ -name,description -ad1,No documentation -btrfs,No documentation -btrfs,No documentation -cb,No documentation -META:configuration,A special :class:`.Filesystem` class that allows you to browse and interact with configuration files -cpio,No documentation -dir,No documentation -exfat,No documentation -ext,No documentation -fat,No documentation -ffs,No documentation -itunes,Filesystem implementation for iTunes backups. -jffs,No documentation -layer,No documentation -nfs,Filesystem implementation of a NFS share -ntfs,No documentation -overlay2,Overlay 2 filesystem implementation. -qnxfs,No documentation -smb,Filesystem implementation for SMB. -squashfs,No documentation -tar,Filesystem implementation for tar files. -vbk,Filesystem implementation for VBK files. -virtual,No documentation -vmfs,No documentation -vmtar,No documentation -xfs,No documentation -zip,Filesystem implementation for zip files. diff --git a/docs/source/_defaults/loaders.csv b/docs/source/_defaults/loaders.csv deleted file mode 100644 index 8661ae6..0000000 --- a/docs/source/_defaults/loaders.csv +++ /dev/null @@ -1,40 +0,0 @@ -name,description -androidbackup,Load Android backup files. -asdf,Load an ASDF target. -cb,Use Carbon Black endpoints as targets using Live Response. -cellebrite,Load Cellebrite UFED exports (``.ufdx`` and ``.ufd``). -cyber,No documentation -dir,Load a directory as a filesystem. -direct,No documentation -hyperv,Load Microsoft Hyper-V hypervisor files. -itunes,Load iTunes backup files. -kape,Load KAPE forensic image format files. -libvirt,Load libvirt xml configuration files. -local,Load local filesystem. -log,Load separate log files without a target. -mqtt,Load remote targets through a broker. -multiraw,Load multiple raw containers as a single target (i.e. a multi-disk system). -ova,Load Open Virtual Appliance (OVA) files. -overlay2,Load overlay2 filesystems. -ovf,Load Open Virtualization Format (OVF) files. -phobos,Load Phobos Ransomware files. -profile,Load NTUSER.DAT files. -proxmox,Loader for Proxmox VM configuration files. -pvm,Parallels VM directory (.pvm). -pvs,Parallels VM configuration file (config.pvs). -raw,Load raw container files such as disk images. -remote,Load a remote target that runs a compatible Dissect agent. -res,No documentation -smb,Use remote SMB servers as targets. -tanium,Load Tanium forensic image format files. -tar,Load tar files. -target,Load target files. -utm,Load UTM virtual machine files. -vb,No documentation -vbox,Load Oracle VirtualBox files. -vbk,Load Veaam Backup (VBK) files. -velociraptor,Load Rapid7 Velociraptor forensic image files. -vma,Load Proxmox Virtual Machine Archive (VMA) files. -vmwarevm,Load ``*.vmwarevm`` folders from VMware Fusion. -vmx,Load VMware virtual machine configuration (VMX) files. -xva,Load Citrix Hypervisor XVA format files. diff --git a/docs/source/_defaults/operating_systems.csv b/docs/source/_defaults/operating_systems.csv deleted file mode 100644 index f68d3d7..0000000 --- a/docs/source/_defaults/operating_systems.csv +++ /dev/null @@ -1,22 +0,0 @@ -name,description -android,No documentation -bsd,No documentation -citrix,No documentation -darwin,Darwin plugin. -debian,No documentation -defaultos,No documentation -esxi,ESXi OS plugin -fortios,FortiOS plugin for various Fortinet appliances. -freebsd,No documentation -ios,Apple iOS plugin. -linux,Linux plugin. -macos,No documentation -openbsd,No documentation -profileos,No documentation -proxmox,No documentation -redhat,"RedHat, CentOS and Fedora Plugin." -resos,No documentation -suse,No documentation -unix,UNIX plugin. -vyos,No documentation -windows,No documentation diff --git a/docs/source/_defaults/partition_schemes.csv b/docs/source/_defaults/partition_schemes.csv deleted file mode 100644 index 1c594d2..0000000 --- a/docs/source/_defaults/partition_schemes.csv +++ /dev/null @@ -1,5 +0,0 @@ -name,description -apm,Apple Partition Map. -bsd,BSD disklabel. -gpt,GUID Partition Table. -mbr,Master Boot Record. diff --git a/docs/source/_defaults/volumes.csv b/docs/source/_defaults/volumes.csv deleted file mode 100644 index 1fb9ee1..0000000 --- a/docs/source/_defaults/volumes.csv +++ /dev/null @@ -1,8 +0,0 @@ -name,description -bitlocker,No documentation -ddf,No documentation -disk,No documentation -luks,No documentation -lvm,No documentation -md,No documentation -vmfs,No documentation diff --git a/docs/source/_ext/supported_targets.py b/docs/source/_ext/supported_targets.py deleted file mode 100644 index 7410591..0000000 --- a/docs/source/_ext/supported_targets.py +++ /dev/null @@ -1,289 +0,0 @@ -""" -This extension generates csv files for our supported targets. -""" - -from __future__ import annotations - -import csv -import importlib -import inspect -from dataclasses import dataclass, field -from functools import partial -from pathlib import Path -from typing import TYPE_CHECKING, Any, Callable, TextIO -from unittest.mock import Mock, patch - -from dissect.target.container import Container -from dissect.target.filesystem import Filesystem -from dissect.target.loader import LOADERS_BY_SCHEME, Loader -from dissect.target.plugin import PLUGINS, ChildTargetPlugin, OSPlugin -from dissect.target.volume import EncryptedVolumeSystem, LogicalVolumeSystem, VolumeSystem -from sphinx.util.logging import getLogger -from typing_extensions import Self - -if TYPE_CHECKING: - from collections.abc import Iterator - from types import ModuleType - - from sphinx.application import Sphinx - -LOGGER = getLogger(__name__) -ORIG_IMPORT = __import__ - - -@dataclass(eq=True, frozen=True) -class CSVItemBase: - module: str - type_: str - name: str - description: str - - @classmethod - def from_class(cls, klass: type, spec: LookupSpec, info: dict[str, str], **kwargs) -> Self: - _type = getattr(klass, "__type__", klass.__name__.removesuffix(spec.remove_suffix).lower()) - description = info.get(_type, "") - - if not description: - LOGGER.warning( - ("There was no description defined for %s. Please add a description for %r inside '_defaults/%s.csv'"), - klass.__name__, - _type, - spec.name, - ) - return cls( - module=klass.__module__, - type_=_type, - name=klass.__name__, - description=description, - **kwargs, - ) - - @property - def sphinx_class_string(self) -> str: - return f":class:`~{self.module}.{self.name}`" - - def as_dict(self) -> dict[str, str]: - return { - "Class": self.sphinx_class_string, - "Description": self.description, - } - - -class CSVItem(CSVItemBase): - def as_dict(self) -> dict[str, str]: - return { - "Class": self.sphinx_class_string, - "Type": f"``{self.type_}``", - "Description": self.description, - } - - -@dataclass(eq=True, frozen=True) -class LoaderCSVItem(CSVItemBase): - shorthand: str = "" - - def as_dict(self) -> dict[str, str]: - shorthand = self.shorthand - if self.type_ == "direct": - shorthand = "--direct" - - return { - "Class": self.sphinx_class_string, - "CMD Option": f"``{shorthand}``" if shorthand else "", - "Description": self.description, - } - - -def parse_descriptions(csv_file: Path) -> dict[str, str]: - target_dict: dict[str, str] = {} - try: - with csv_file.open("rt") as defaults: - file = csv.DictReader(defaults) - for line in file: - target_dict.update({line["name"]: line["description"]}) - except FileNotFoundError: - LOGGER.warning("missing defaults file at '_defaults/%s'", csv_file.name) - return {} - - return target_dict - - -def _create_loader_items(spec: LookupSpec, info: dict[str, str]) -> set[CSVItemBase]: - loader_items: set[LoaderCSVItem] = set() - - with patch("builtins.__import__", side_effect=mocked_import): - loader_items.update( - LoaderCSVItem.from_class(klass.realattr, spec=spec, info=info, shorthand=f"-L {shorthand}") - for (shorthand, klass) in LOADERS_BY_SCHEME.items() - ) - loaders = importlib.import_module(spec.subclass_location) - - loader_items.update( - LoaderCSVItem.from_class(klass, spec=spec, info=info) for klass in _find_subclasses(loaders, spec) - ) - - return loader_items - - -def _create_os_items(spec: LookupSpec, info: dict[str, str]) -> set[CSVItemBase]: - operating_systems: set[CSVItemBase] = set() - - for plugin_desc in PLUGINS.__plugins__.__os__.values(): - module = importlib.import_module(plugin_desc.module) - klass: type = getattr(module, plugin_desc.qualname) - operating_systems.add(CSVItemBase.from_class(klass, spec=spec, info=info)) - - return operating_systems - - -def _create_items(spec: LookupSpec, info: dict[str, str], item_class: type[CSVItemBase] = CSVItem) -> set[CSVItemBase]: - base_module = importlib.import_module(spec.subclass_location) - csv_items: set[CSVItemBase] = set() - csv_items.update( - item_class.from_class(class_, spec=spec, info=info) for class_ in _find_subclasses(base_module, spec) - ) - - return csv_items - - -def _create_partition_items(spec: LookupSpec, info: dict[str, str]) -> set[CSVItemBase]: - partition_schemes: set[CSVItemBase] = set() - - module = importlib.import_module(spec.subclass_location) - partition_schemes.update( - CSVItemBase.from_class(getattr(module, name), spec=spec, info=info) for name in module.__all__ - ) - - return partition_schemes - - -def mocked_import(name: str, *args) -> ModuleType: - """Mock all the unknown imports""" - try: - return ORIG_IMPORT(name, *args) - except ImportError: - return Mock() - - -def _find_subclasses(module: ModuleType, spec: LookupSpec) -> Iterator[type]: - for path in Path(module.__spec__.origin).parent.iterdir(): - if not path.is_file(): - continue - if path.stem == "__init__": - continue - - component = importlib.import_module(".".join([module.__name__, path.stem])) - yield from _filter_subclasses(spec, component) - - -def _filter_subclasses(spec: LookupSpec, module: ModuleType) -> Iterator[type]: - exclusions: list[type] = spec.exclusions - - if callable(exclusions): - exclusions = exclusions() - - for _, _class in inspect.getmembers(module): - if not inspect.isclass(_class): - continue - - if _class is spec.base_class: - continue - - if _class in exclusions: - continue - - if issubclass(_class, spec.base_class): - yield _class - - -def write_to_csv(output_file: TextIO, items: list[CSVItemBase]) -> None: - first_item = items[0].as_dict() - - writer = csv.DictWriter(output_file, fieldnames=first_item.keys()) - writer.writeheader() - writer.writerow(first_item) - writer.writerows(item.as_dict() for item in items[1:]) - - -@dataclass -class LookupSpec: - name: str - base_class: type | None - remove_suffix: str = "" - subclass_location: str = "" - exclusions: list[type] | Callable[[], list[type]] = field(default_factory=list) - item_function: Callable[[LookupSpec, dict[str, str]], set[CSVItemBase]] = _create_items - - -def _loader_exclusions() -> list[type[Loader]]: - return [loader.realattr for loader in LOADERS_BY_SCHEME.values()] - - -SUPPORTED_SYSTEMS = [ - LookupSpec( - name="loaders", - base_class=Loader, - remove_suffix="Loader", - subclass_location="dissect.target.loaders", - exclusions=_loader_exclusions, - item_function=_create_loader_items, - ), - LookupSpec( - name="volumes", - base_class=VolumeSystem, - remove_suffix="VolumeSystem", - subclass_location="dissect.target.volumes", - exclusions=[EncryptedVolumeSystem, LogicalVolumeSystem], - ), - LookupSpec( - name="containers", - base_class=Container, - remove_suffix="Container", - subclass_location="dissect.target.containers", - ), - LookupSpec( - name="filesystems", - base_class=Filesystem, - remove_suffix="Filesystem", - subclass_location="dissect.target.filesystems", - ), - LookupSpec( - name="child_targets", - base_class=ChildTargetPlugin, - remove_suffix="ChildTargetPlugin", - subclass_location="dissect.target.plugins.child", - item_function=partial(_create_items, item_class=CSVItemBase), - ), - LookupSpec(name="operating_systems", base_class=OSPlugin, remove_suffix="Plugin", item_function=_create_os_items), - LookupSpec( - name="partition_schemes", - base_class=None, - subclass_location="dissect.volume.disk.schemes", - item_function=_create_partition_items, - ), -] - - -def builder_inited(app: Sphinx) -> None: - dst = Path(app.srcdir).joinpath("supported_targets") - dst.mkdir(exist_ok=True) - - csv_default_dir = Path(app.srcdir).joinpath("_defaults") - - for spec in SUPPORTED_SYSTEMS: - info_dict = parse_descriptions(csv_default_dir.joinpath(f"{spec.name}.csv")) - csv_items = list(spec.item_function(spec, info_dict)) - csv_items.sort(key=lambda x: x.name) - with dst.joinpath(f"{spec.name}.csv").open("wt") as fh: - write_to_csv(fh, csv_items) - - -def setup(app: Sphinx) -> dict[str, Any]: - app.connect("builder-inited", builder_inited) - app.add_config_value("dissect_table_keep_files", False, "html") - - return { - "version": "0.1", - "parallel_read_safe": True, - "parallel_write_safe": True, - } diff --git a/docs/source/conf.py b/docs/source/conf.py index 0941b1e..f562ada 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -51,7 +51,6 @@ "sphinx_copybutton", "sphinx_design", "dissect_plugins", - "supported_targets", ] # Define the canonical URL if you are using a custom domain on Read the Docs From 2c5ce6341a362a8ae216012c0dbc9811c4c33b76 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 8 Oct 2025 17:34:14 +0200 Subject: [PATCH 04/25] Add manual list of supported targets --- docs/source/supported-targets.rst | 380 +++++++++++++++++++++++++++--- 1 file changed, 351 insertions(+), 29 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 768c184..d52b5a1 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -6,68 +6,390 @@ This page contains a list of the systems that ``dissect`` supports. Loaders ~~~~~~~ -.. Descriptions can be reworded by changing _defaults/loaders.csv -.. csv-table:: Supported Loaders +Loaders are a method to interact with a . +They are responsible for mapping any kind of source data into something ``dissect.target`` understands. +They do this by stitching together different files to construct a virtual representation of the system. + +.. seealso:: + + See :doc:`loaders ` for more information about how they work. + +The table below shows the different kind of loaders we have. +Most of these loaders are selected automatically based on the type of targets. +However you can access most of them using directly using ``-L `` or use URI notation ``://``. +E.g. for the ``Android Backup`` loader you use either + +.. code-block:: bash + + target-query -f func -L ab /path/to/target + target-query -f func ab:///path/to/target + +.. list-table:: Supported Loaders :header-rows: 1 - :file: /supported_targets/loaders.csv :widths: 15 10 25 + * - Name + - Loader type + - Description + * - :class:`Android Backup ` + - ``ab`` + - Load Android backup files. + * - :class:`Carbon Black ` + - ``cb`` + - Use Carbon Black endpoints as targets using Live Response. + * - :class:`Cellebrite ` + - ``cellebrite`` + - Load Cellebrite UFED exports (``.ufdx`` and ``.ufd``). + * - :class:`Directory ` + - ``dir`` + - Load a local directory as a filesystem. + * - :class:`Direct ` + - ``--direct`` + - Load an evidence file directly instead of an image format. + The plugins that can be used with this loader are: + + - apache + - evt + - evtx + - iis + - syslog + * - :class:`Hyper-V ` + - ``hyperv`` + - Load Microsoft Hyper-V hypervisor files. + * - :class:`Itunes Backup ` + - ``itunes`` + - Load iTunes backup files. + * - :class:`Kape ` + - ``kape`` + - Load KAPE forensic image format files. + * - :class:`Libvirt ` + - ``libvirt`` + - Load libvirt xml configuration files. + * - :class:`Local ` + - ``local``. + - Load local filesystem. + * - :class:`Log ` + - ``log`` + - Load separate log files without a target. + * - :class:`MQTT ` + - ``mqtt`` + - Load remote targets through a mqtt broker. + * - :class:`OVA ` + - ``ova`` + - Load Open Virtual Appliance (OVA) files. + * - :class:`Overlay2 ` + + :class:`Overlay ` + - ``overlay2``, ``overlay`` + - Load the different layers of a docker container image. + * - :class:`Open Virtualization Format ` + - ``ovf`` + - Load Open Virtualization Format (OVF) files. + * - :class:`Phobos ` + - ``phobos`` + - Load Phobos Ransomware files. + * - :class:`Proxmox ` + - ``proxmox`` + - Loader for Proxmox VM configuration files. + * - :class:`Parallels VM ` + + :class:`Parallels VM Configuration ` + - ``pvm``, ``pvs`` + - Parallels VM directory (.pvm). + Parallels VM configuration file (config.pvs). + * - :class:`Raw ` + + :class:`MultiRaw ` + - ``raw``, ``multiraw`` + - Load raw container files such as disk images. + To load multiple raw containers in a single target, use ``MultiRaw``. + To use this loader automatically use ``+`` to chain disks. E.g. ``/dev/vda+/dev/vdb`` + * - :class:`Remote ` + - ``remote`` + - Load a remote target that runs a compatible Dissect agent. + * - :class:`SMB ` + - ``smb`` + - Use an SMB connection to user remote SMB servers as a target. + This particular loader requires ``impacket`` to be installed. + * - :class:`Tanium ` + - ``tanium`` + - Load Tanium forensic image format files. + * - :class:`Tar ` + - ``tar`` + - Load tar output files from a variety of tools. These can be the outputs of files. + - Acquire + - Docker + - UAC + * - :class:`Target ` + - ``target`` + - Load target system using a target file. + * - :class:`Unix-like Artifacts Collector ` .. todo + - ``uac`` + - Load the output of the UAC tool + * - :class:`UTM ` .. todo + - ``utm`` + - Load UTM virtual machine files. + * - :class:`VB ` + - ``vb`` + - No documentation + * - :class:`Virtual Box ` + - ``vbox`` + - Load Oracle VirtualBox files. + * - :class:`Veaam Backup ` + - ``vbk`` + - Load Veaam Backup (VBK) files. + * - :class:`Velociraptor ` + - ``velociraptor`` + - Load Rapid7 Velociraptor forensic image files. + * - :class:`Virtual Machine Archive ` + - ``vma`` + - Load Proxmox Virtual Machine Archive (VMA) files. + * - :class:`VMware Fusion ` + - ``vmwarevm`` + - Load ``*.vmwarevm`` folders from VMware Fusion. + * - :class:`VMware VM configuration ` + - ``vmx`` + - Load VMware virtual machine configuration (VMX) files. + * - :class:`XVA ` + - ``xva`` + - Load Citrix Hypervisor XVA format files. + * - :class:`Zip ` + - ``zip`` + - Load zip output files from a variety of tools. These can be the outputs of files. + - Acquire + - UAC + Containers ~~~~~~~~~~ -.. Descriptions can be reworded by changing _defaults/containers.csv -.. csv-table:: Supported Containers +Containers are the abstraction layer for anything that looks (or should look) like a raw disk. Look at ``containers`` for more information about them. + + +.. list-table:: Supported Containers :header-rows: 1 - :file: /supported_targets/containers.csv - :widths: 15 10 25 + :widths: 15 35 + * - Container + - Description + * - :class:`Apple Sparse Image Format ` + - No Documentation + * - :class:`Expert Witness Disk Image Format ` + - Expert Witness Disk Image Format. + * - :class:`Fortinet Firmware ` + - No documentation + * - :class:`HDD` -Partition Schemes -~~~~~~~~~~~~~~~~~ + :class:`HDS ` + - Parallels Desktop hard disk format + * - :class:`Qcow2 ` + - Hard disk used for QEMU. + * - :class:`VDI ` + - The virtualbox harddisk format. + * - :class:`Virtual Hard Disk ` + + :class:`Virtual Hard Disk X ` + - The virtual hard disk formats used for the Hyper-V hypervisor. + VHD is a precursor to VHDX + * - :class:`VMware disk format ` + - VMware virtual hard disks. + +Partition Schemes and Volume Systems +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Partitions organize a disk into multiple logical disks. The volume system abstraction inside `dissect.target` takes care of these partition schemes with the :class:`~dissect.target.volumes.disk.DissectVolumeSystem`. -.. Descriptions can be reworded by changing _defaults/containers.csv -.. csv-table:: Supported Partition Schemes +.. seealso:: + + See :doc:`volumes ` for more information about volume systems inside dissect. + +.. list-table:: Supported Partition Schemes :header-rows: 1 - :file: /supported_targets/partition_schemes.csv :widths: 15 35 + * - Partition Scheme + - Description + * - :class:`Apple Partition Map ` + - Apple Partition Map. + * - :class:`BSD Disklabel ` + - BSD disklabel. + * - :class:`GUID Partition Table ` + - GUID Partition Table. + * - :class:`Master Boot Record ` + - Master Boot Record. -Volume Systems -~~~~~~~~~~~~~~ - -.. Descriptions can be reworded by changing _defaults/volumes.csv -.. csv-table:: Supported Volume Systems +.. list-table:: Supported Volume Systems :header-rows: 1 - :file: /supported_targets/volumes.csv - :widths: 15 10 25 + :widths: 15 35 + * - Volume System + - Description + * - :class:`Bitlocker ` + - The bitlocker encrypted volume system. + * - :class:`DDF ` + - No documentation + * - :class:`LUKS ` + - No documentation + * - :class:`Logical Volume Manager ` + - No documentation + * - :class:`MD ` + - A raid volume system + * - :class:`VMFS ` + - No documentation Filesystems ~~~~~~~~~~~ -.. Descriptions can be reworded by changing _defaults/filesystems.csv -.. csv-table:: Supported Filesystems +In Dissect, filesystems are a lot more than *actual* filesystems on a disk. +Because if you squint hard enough, almost anything can be a filesystem! +Dissect has various *real* filesystem implementations, such as :doc:`/projects/dissect.ntfs/index` or :doc:`/projects/dissect.vmfs/index`, but Dissect also supports a lot of other things that *resemble* a filesystem. + +.. seealso:: + + See :doc:`filesystems ` for more information. + +.. list-table:: Supported Filesystems :header-rows: 1 - :file: /supported_targets/filesystems.csv - :widths: 15 10 25 + :widths: 15 30 + + * - Filesystem + - Description + * - :class:`AD1 ` + - A filesystem representation of the AD1 forensic format. + * - :class:`BTRFS ` + - An implementation for the BTRFS, this also includes any subvolumes on a BTRFS system. + * - :class:`CpIO ` + - No documentation + * - :class:`EXFAT ` + - No documentation + * - :class:`Ext2, Ext3, Ext4 ` + - No documentation + * - :class:`Fat ` + - No documentation + * - :class:`FFS ` + - No documentation + * - :class:`JFFS ` + - No documentation + * - :class:`Network File Share ` + - Filesystem implementation of a NFS share + * - :class:`NTFS ` + - No documentation + * - :class:`Overlay2 ` + :class:`Overlay ` + - A virtualOverlay 2 filesystem implementation. + * - :class:`QnxFs ` + - No documentation + * - :class:`SMB ` + - Filesystem implementation for SMB. + * - :class:`SquashFS ` + - No documentation + * - :class:`Virtual Backup Files ` + - Filesystem implementation for VBK files. + * - :class:`VMFS ` + - No documentation + * - :class:`XFS ` + - No documentation Operating Systems ~~~~~~~~~~~~~~~~~ -.. Descriptions can be reworded by changing _defaults/operating_systems.csv -.. csv-table:: Supported Operating Systems +Inside Dissect we have a variety of ``OSPlugins`` that it can infer from the data available on a target. Dissect detects these on the disks so it knows what kind of system it is trying to talk to. This way it can more accuratly query the users on a windows system for example. + +The variety of the Operating Systems it can detect are as follows + +.. list-table:: Supported Operating Systems :header-rows: 1 - :file: /supported_targets/operating_systems.csv :widths: 15 35 + * - Operating System + - Description + * - :class:`Android ` + - No documentation + * - :class:`Bsd ` + - No documentation + * - :class:`Citrix ` + - No documentation + * - :class:`Darwin ` + - Darwin plugin. + * - :class:`Debian ` + - No documentation + * - :class:`ESXi ` + - ESXi OS plugin + * - :class:`Fortinet ` + - FortiOS plugin for various Fortinet appliances. + * - :class:`FreeBSD ` + - No documentation + * - :class:`iOS ` + - Apple iOS plugin. + * - :class:`Generic Linux ` + - Linux plugin. + * - :class:`MacOS ` + - No documentation + * - :class:`OpenBSD ` + - No documentation + * - :class:`dissect.target.loaders.profile.ProfileOSPlugin` + - No documentation + * - :class:`Proxmox ` + - No documentation + * - :class:`RedHat ` + - "RedHat, CentOS and Fedora Plugin." + * - :class:`dissect.target.loaders.res.ResOSPlugin` + - No documentation + * - :class:`OpenSusSE ` + - No documentation + * - :class:`Unix ` + - UNIX plugin. + * - :class:`Vyos ` + - No documentation + * - :class:`Windows ` + - No documentation + Child Targets ~~~~~~~~~~~~~ -.. Descriptions can be reworded by changing _defaults/operating_systems.csv -.. csv-table:: Supported Child Targets +Also known as targets within targets. These are, for example, virtual machines inside another virtual machine. +Dissect has the ability to find these Child targets using configuration files on the host itself. + +These can be queried recursively, so Dissect can automatically find all targets within targets. +This holds true even if there is a target within those targets. + +.. seealso:: + + See :ref:`Child targets ` for more thorough explenation. + +The Child targets we support and thus are able to automatically find are: + +.. list-table:: Supported Child Targets :header-rows: 1 - :file: /supported_targets/child_targets.csv :widths: 15 35 + * - Child Target + - Description + * - :class:`Colima ` + - Child target plugin that yields Colima containers. + * - :class:`Docker ` + - Child target plugin that yields from Docker overlay2fs containers. + * - :class:`ESXi ` + - Child target plugin that yields from ESXi VM inventory. + * - :class:`Hyper-v ` + - Child target plugin that yields from Hyper-V VM inventory. + * - :class:`Lima ` + - + * - :class:`Parallels ` + - Child target plugin that yields Parallels Desktop VM files. + * - :class:`Podman ` + - + * - :class:`Proxmox ` + - Child target plugin that yields from the VM listing. + * - :class:`Qemu ` + - Child target plugin that yields all QEMU domains from a KVM libvirt deamon. + * - :class:`VirtualBox ` + - Child target plugin that yields from Oracle VirtualBox VMs. + * - :class:`Virtuozzo ` + - Child target plugin that yields from Virtuozzo container's root. + * - :class:`Vmware Workstation ` + - Child target plugin that yields from VMware Workstation VM inventory. + * - :class:`WSL ` + - Child target plugin that yields Windos Subsystem Linux VHDX file locations. + From 3e06b9be8cd285c91e22b45fe527f0faa08fa173 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 8 Oct 2025 17:34:36 +0200 Subject: [PATCH 05/25] Ignore generated plugins --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index d18c6d2..7d60321 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ _build/ __pycache__ docs/source/api/*/ +docs/source/plugins/ From b1095bd007cd162c72f6a6763d8a2785a2c99700 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Thu, 9 Oct 2025 12:01:12 +0200 Subject: [PATCH 06/25] Cleanup document --- docs/source/supported-targets.rst | 190 +++++++++++++----------------- 1 file changed, 82 insertions(+), 108 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index d52b5a1..f2afc62 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -6,18 +6,16 @@ This page contains a list of the systems that ``dissect`` supports. Loaders ~~~~~~~ -Loaders are a method to interact with a . -They are responsible for mapping any kind of source data into something ``dissect.target`` understands. -They do this by stitching together different files to construct a virtual representation of the system. +Loaders provide a way to interact with a "target" by translating source data into a format understood by ``dissect.target``. +They achieve this by combining multiple files to build a virtual representation of the system. .. seealso:: - See :doc:`loaders ` for more information about how they work. + For a deeper dive into how loaders work, see :doc:`loaders `. -The table below shows the different kind of loaders we have. -Most of these loaders are selected automatically based on the type of targets. -However you can access most of them using directly using ``-L `` or use URI notation ``://``. -E.g. for the ``Android Backup`` loader you use either +The table below lists the available loader types. +In most cases, the appropriate loader is selected automatically based on the target. +However, you can also specify a loader manually using the ``-L `` flag or URI-style notation ``://`` with the exception for ``Direct``. .. code-block:: bash @@ -47,7 +45,6 @@ E.g. for the ``Android Backup`` loader you use either - ``--direct`` - Load an evidence file directly instead of an image format. The plugins that can be used with this loader are: - - apache - evt - evtx @@ -95,8 +92,7 @@ E.g. for the ``Android Backup`` loader you use either :class:`Parallels VM Configuration ` - ``pvm``, ``pvs`` - - Parallels VM directory (.pvm). - Parallels VM configuration file (config.pvs). + - Parallels VM directory (.pvm) and the conviguration file (config.pvs) * - :class:`Raw ` :class:`MultiRaw ` @@ -116,17 +112,14 @@ E.g. for the ``Android Backup`` loader you use either - Load Tanium forensic image format files. * - :class:`Tar ` - ``tar`` - - Load tar output files from a variety of tools. These can be the outputs of files. - - Acquire - - Docker - - UAC + - Load tar files, docker container images and output files from Acquire or UAC. * - :class:`Target ` - ``target`` - Load target system using a target file. - * - :class:`Unix-like Artifacts Collector ` .. todo + * - :class:`Unix-like Artifacts Collector ` - ``uac`` - Load the output of the UAC tool - * - :class:`UTM ` .. todo + * - :class:`UTM ` - ``utm`` - Load UTM virtual machine files. * - :class:`VB ` @@ -155,20 +148,23 @@ E.g. for the ``Android Backup`` loader you use either - Load Citrix Hypervisor XVA format files. * - :class:`Zip ` - ``zip`` - - Load zip output files from a variety of tools. These can be the outputs of files. - - Acquire - - UAC - + - Load zip files themselves or interpret the output of tools like Acquire or UAC. Containers ~~~~~~~~~~ -Containers are the abstraction layer for anything that looks (or should look) like a raw disk. Look at ``containers`` for more information about them. +Containers are the abstraction layer for anything that looks (or should look) like a raw disk. +They allow Dissect to interpret and interact with disk-like data structures in a consistent way. + +.. seealso:: + For a deeper understanding on how containers work, see :doc:`containers `. + +The table below lists the supported container formats. .. list-table:: Supported Containers :header-rows: 1 - :widths: 15 35 + :widths: 20 30 * - Container - Description @@ -197,168 +193,146 @@ Containers are the abstraction layer for anything that looks (or should look) li Partition Schemes and Volume Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Partitions organize a disk into multiple logical disks. The volume system abstraction inside `dissect.target` takes care of these partition schemes with the :class:`~dissect.target.volumes.disk.DissectVolumeSystem`. - -.. seealso:: - - See :doc:`volumes ` for more information about volume systems inside dissect. +Partitions organize a disk into multiple logical volumes. +Within `dissect.target` :class:`~dissect.target.volumes.disk.DissectVolumeSystem` handles the partition schemes that are listed below. .. list-table:: Supported Partition Schemes :header-rows: 1 - :widths: 15 35 + :widths: 20 * - Partition Scheme - - Description * - :class:`Apple Partition Map ` - - Apple Partition Map. * - :class:`BSD Disklabel ` - - BSD disklabel. * - :class:`GUID Partition Table ` - - GUID Partition Table. * - :class:`Master Boot Record ` - - Master Boot Record. + +In addition to standard partition tables, Dissect supports various volume systems. +These are used for RAID configurations or encrypted volumes such as ``LUKS`` and ``Bitlocker``. + +.. seealso:: + + For more details, see :doc:`volumes `. + +The table below lists the different supported volume systems. .. list-table:: Supported Volume Systems :header-rows: 1 - :widths: 15 35 + :widths: 20 30 * - Volume System - Description * - :class:`Bitlocker ` - - The bitlocker encrypted volume system. - * - :class:`DDF ` - - No documentation - * - :class:`LUKS ` - - No documentation + - Bitlocker encrypted volume system. Used by windows systems + * - :class:`Disk Data Format ` + - DDF is a RAID data format that describes how data is formatted across raid groups. + * - :class:`Linux Unified Key Setup ` + - LUKS encrypted volume system. These are a standard specification for disk encryption on linux systems. * - :class:`Logical Volume Manager ` - - No documentation - * - :class:`MD ` - - A raid volume system - * - :class:`VMFS ` - - No documentation + - LVM is a device mapper framework that can make multiple volumes on a single disk. + * - :class:`Multiple Device driver ` + - Linux MD RAID volume system. A software based RAID system. + * - :class:`Virtual Machine Filesystem ` + - VMFS is a clustered filesystem developed by VMWare on an ESXi type hosts. Filesystems ~~~~~~~~~~~ -In Dissect, filesystems are a lot more than *actual* filesystems on a disk. -Because if you squint hard enough, almost anything can be a filesystem! -Dissect has various *real* filesystem implementations, such as :doc:`/projects/dissect.ntfs/index` or :doc:`/projects/dissect.vmfs/index`, but Dissect also supports a lot of other things that *resemble* a filesystem. +In Dissect, filesystems go beyond traditional disk-based structures. +If it behaves like a filesystem, Dissect can likely treat it as one. +This includes both standard filesystems and formats that resemble filesystem behavior. + +Dissect provides implementations for common filesystems such as :doc:`NTFS ` and :doc:`VMFS `, as well as support for forensic formats, network shares, and virtual overlays. .. seealso:: - See :doc:`filesystems ` for more information. + For more details, see :doc:`Filesystems `. .. list-table:: Supported Filesystems :header-rows: 1 - :widths: 15 30 + :widths: 20 30 * - Filesystem - Description + * - :class:`AD1 ` - - A filesystem representation of the AD1 forensic format. + - Forensic container format (AccessData AD1). * - :class:`BTRFS ` - - An implementation for the BTRFS, this also includes any subvolumes on a BTRFS system. + - BTRFS filesystem with support for subvolumes. * - :class:`CpIO ` - - No documentation + - CPIO archive format. * - :class:`EXFAT ` - - No documentation + - Microsoft EXFAT filesystem. * - :class:`Ext2, Ext3, Ext4 ` - - No documentation - * - :class:`Fat ` - - No documentation + - Linux EXT family filesystems. + * - :class:`FAT ` + - FAT12/16/32 filesystem. * - :class:`FFS ` - - No documentation + - Fast File System (BSD). * - :class:`JFFS ` - - No documentation + - Journaling Flash File System. * - :class:`Network File Share ` - - Filesystem implementation of a NFS share + - NFS share filesystem. * - :class:`NTFS ` - - No documentation - * - :class:`Overlay2 ` - - :class:`Overlay ` - - A virtualOverlay 2 filesystem implementation. + - Microsoft NTFS filesystem. + * - :class:`Overlay2 `, :class:`Overlay ` + - Overlay filesystem used in container environments. * - :class:`QnxFs ` - - No documentation - * - :class:`SMB ` - - Filesystem implementation for SMB. + - QNX filesystem. * - :class:`SquashFS ` - - No documentation + - Compressed read-only filesystem. * - :class:`Virtual Backup Files ` - - Filesystem implementation for VBK files. + - Filesystem representation of VBK backup files. * - :class:`VMFS ` - - No documentation + - VMware VMFS filesystem. * - :class:`XFS ` - - No documentation + - High-performance journaling filesystem Operating Systems ~~~~~~~~~~~~~~~~~ -Inside Dissect we have a variety of ``OSPlugins`` that it can infer from the data available on a target. Dissect detects these on the disks so it knows what kind of system it is trying to talk to. This way it can more accuratly query the users on a windows system for example. -The variety of the Operating Systems it can detect are as follows +Dissect includes a range of ``OSPlugins`` that help identify the operating system present on a target. +These plugins analyze disk data to determine the system type, enabling more accurate queries such as retrieving user or network information. + +Below is a list of supported operating systems that Dissect can detect. .. list-table:: Supported Operating Systems :header-rows: 1 - :widths: 15 35 + :widths: 20 * - Operating System - - Description * - :class:`Android ` - - No documentation * - :class:`Bsd ` - - No documentation * - :class:`Citrix ` - - No documentation * - :class:`Darwin ` - - Darwin plugin. * - :class:`Debian ` - - No documentation * - :class:`ESXi ` - - ESXi OS plugin * - :class:`Fortinet ` - - FortiOS plugin for various Fortinet appliances. * - :class:`FreeBSD ` - - No documentation * - :class:`iOS ` - - Apple iOS plugin. * - :class:`Generic Linux ` - - Linux plugin. * - :class:`MacOS ` - - No documentation * - :class:`OpenBSD ` - - No documentation - * - :class:`dissect.target.loaders.profile.ProfileOSPlugin` - - No documentation * - :class:`Proxmox ` - - No documentation * - :class:`RedHat ` - - "RedHat, CentOS and Fedora Plugin." - * - :class:`dissect.target.loaders.res.ResOSPlugin` - - No documentation + * - :class:`RES ` * - :class:`OpenSusSE ` - - No documentation * - :class:`Unix ` - - UNIX plugin. * - :class:`Vyos ` - - No documentation * - :class:`Windows ` - - No documentation Child Targets ~~~~~~~~~~~~~ -Also known as targets within targets. These are, for example, virtual machines inside another virtual machine. -Dissect has the ability to find these Child targets using configuration files on the host itself. - -These can be queried recursively, so Dissect can automatically find all targets within targets. -This holds true even if there is a target within those targets. +Dissect supports identifying, listing and querying *child targets*. +These are targets within other targets. +These can include virtual machines, containers, or other environments nested inside a target. +Child targets are discovered using configuration files or metadata present on the host or target. +Dissect can recursively query these targets, allowing it to detect deeply nested environments automatically. .. seealso:: - See :ref:`Child targets ` for more thorough explenation. - -The Child targets we support and thus are able to automatically find are: + For more details, see :ref:`Child targets `. .. list-table:: Supported Child Targets :header-rows: 1 @@ -375,11 +349,11 @@ The Child targets we support and thus are able to automatically find are: * - :class:`Hyper-v ` - Child target plugin that yields from Hyper-V VM inventory. * - :class:`Lima ` - - + - Child target plugin that yields Lima VMs. * - :class:`Parallels ` - Child target plugin that yields Parallels Desktop VM files. * - :class:`Podman ` - - + - Child target plugin that yields from Podman overlayfs containers * - :class:`Proxmox ` - Child target plugin that yields from the VM listing. * - :class:`Qemu ` From 1ab7432a7d07b619a0b9d998ff43c3d3f247c926 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Thu, 9 Oct 2025 15:04:17 +0200 Subject: [PATCH 07/25] Apply suggestions from code review Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com> --- .gitignore | 1 - docs/source/supported-targets.rst | 23 ++++++----------------- 2 files changed, 6 insertions(+), 18 deletions(-) diff --git a/.gitignore b/.gitignore index 7d60321..d18c6d2 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,3 @@ _build/ __pycache__ docs/source/api/*/ -docs/source/plugins/ diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index f2afc62..fc9e341 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -1,21 +1,20 @@ Supported targets ----------------- -This page contains a list of the systems that ``dissect`` supports. +Dissect supports a large range of formats. From various disk images, volume systems, file systems and operating systems, to tarballs and proprietary backup formats, and everything combined! This page aims to provide you with an overview of what you can expect Dissect to be able to handle! Loaders ~~~~~~~ -Loaders provide a way to interact with a "target" by translating source data into a format understood by ``dissect.target``. -They achieve this by combining multiple files to build a virtual representation of the system. +Loaders provide a way to interact with a "target" by combining and accessing source data into usable components for ``dissect.target``. +The goal is to build a virtual representation of the original system. .. seealso:: For a deeper dive into how loaders work, see :doc:`loaders `. -The table below lists the available loader types. In most cases, the appropriate loader is selected automatically based on the target. -However, you can also specify a loader manually using the ``-L `` flag or URI-style notation ``://`` with the exception for ``Direct``. +However, you can also specify a loader manually using the ``-L `` flag or URI-style notation ``://``. .. code-block:: bash @@ -34,22 +33,13 @@ However, you can also specify a loader manually using the ``-L `` f - Load Android backup files. * - :class:`Carbon Black ` - ``cb`` - - Use Carbon Black endpoints as targets using Live Response. + - Carbon Black Live Response endpoints. Can only be used directly with ``cb://`` or ``-L cb``. * - :class:`Cellebrite ` - ``cellebrite`` - Load Cellebrite UFED exports (``.ufdx`` and ``.ufd``). * - :class:`Directory ` - ``dir`` - Load a local directory as a filesystem. - * - :class:`Direct ` - - ``--direct`` - - Load an evidence file directly instead of an image format. - The plugins that can be used with this loader are: - - apache - - evt - - evtx - - iis - - syslog * - :class:`Hyper-V ` - ``hyperv`` - Load Microsoft Hyper-V hypervisor files. @@ -207,7 +197,7 @@ Within `dissect.target` :class:`~dissect.target.volumes.disk.DissectVolumeSystem * - :class:`Master Boot Record ` In addition to standard partition tables, Dissect supports various volume systems. -These are used for RAID configurations or encrypted volumes such as ``LUKS`` and ``Bitlocker``. +These are used for RAID configurations or encrypted volumes such as ``LUKS`` and ``BitLocker``. .. seealso:: @@ -290,7 +280,6 @@ Dissect provides implementations for common filesystems such as :doc:`NTFS Date: Wed, 3 Dec 2025 13:41:18 +0100 Subject: [PATCH 08/25] Changed the `join us on github` url to refer to the dissect metapackage --- docs/source/index.rst | 2 +- docs/source/supported-targets.rst | 465 +++++++++++++++++++----------- 2 files changed, 291 insertions(+), 176 deletions(-) diff --git a/docs/source/index.rst b/docs/source/index.rst index ad62162..2243f1e 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -80,7 +80,7 @@ Or you can start by taking a look at some community articles and videos: :doc:`/resources/dissect-in-action` or :doc:`/resources/talks-and-conferences` to begin with. -Get in touch, join us on `github `_! +Get in touch, join us on `Github `_! .. toctree:: diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index fc9e341..bdb1a01 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -27,118 +27,153 @@ However, you can also specify a loader manually using the ``-L `` f * - Name - Loader type + - File extensions - Description - * - :class:`Android Backup ` - - ``ab`` - - Load Android backup files. - * - :class:`Carbon Black ` - - ``cb`` + * - Android Backup + - :class:`ab ` + - ``.ab`` + - Android backup files. + * - Carbon Black + - :class:`cb ` + - - Carbon Black Live Response endpoints. Can only be used directly with ``cb://`` or ``-L cb``. - * - :class:`Cellebrite ` - - ``cellebrite`` - - Load Cellebrite UFED exports (``.ufdx`` and ``.ufd``). - * - :class:`Directory ` - - ``dir`` - - Load a local directory as a filesystem. - * - :class:`Hyper-V ` - - ``hyperv`` - - Load Microsoft Hyper-V hypervisor files. - * - :class:`Itunes Backup ` - - ``itunes`` - - Load iTunes backup files. - * - :class:`Kape ` - - ``kape`` - - Load KAPE forensic image format files. - * - :class:`Libvirt ` - - ``libvirt`` - - Load libvirt xml configuration files. - * - :class:`Local ` - - ``local``. - - Load local filesystem. - * - :class:`Log ` - - ``log`` - - Load separate log files without a target. - * - :class:`MQTT ` - - ``mqtt`` - - Load remote targets through a mqtt broker. - * - :class:`OVA ` - - ``ova`` - - Load Open Virtual Appliance (OVA) files. - * - :class:`Overlay2 ` - - :class:`Overlay ` - - ``overlay2``, ``overlay`` - - Load the different layers of a docker container image. - * - :class:`Open Virtualization Format ` - - ``ovf`` - - Load Open Virtualization Format (OVF) files. - * - :class:`Phobos ` - - ``phobos`` - - Load Phobos Ransomware files. - * - :class:`Proxmox ` - - ``proxmox`` - - Loader for Proxmox VM configuration files. - * - :class:`Parallels VM ` - - :class:`Parallels VM Configuration ` - - ``pvm``, ``pvs`` + * - Cellebrite + - :class:`cellebrite ` + - ``.ufdx``, ``.ufd`` + - Cellebrite UFED exports files. + * - Directory + - :class:`dir ` + - + - Use a local directory as the root of a virtual filesystem. + * - Hyper-V + - :class:`hyperv ` + - ``.vmcx``, ``.xml`` + - Microsoft Hyper-V configuration files. + * - Itunes Backup + - :class:`itunes ` + - + - iTunes backup files. Only from a directory that contains a ``Manifest.plist`` file. + * - Kape + - :class:`kape ` + - ``.vhdx`` or ``directory/`` + - KAPE forensic image format files. Only if the file or directory contains Kape specific directories. + * - Libvirt + - :class:`libvirt ` + - ``.xml`` + - Libvirt xml configuration files. + * - Local + - :class:`local ` + - Interpret the local system inside Dissect. + * - Log + - :class:`log ` + - + - Target specific log files. Can only be used directly with ``cb://`` or ``-L log``. + * - MQTT + - :class:`mqtt ` + - + - MQTT broker. Can only be used directly with ``mqtt://`` or ``-L mqtt``. + * - OVA + - :class:`ova ` + - ``.ova`` + - Virtual Appliance files. + * - Overlay + - :class:`overlay `, + - + - Construct a filesystem of the different layers of a ``podman`` container directory. + * - Overlay2 + - :class:`overlay2 ` + - + - Construct a filesystem of the different layers of a ``docker`` container directory. + * - Open Virtualization Format + - :class:`ovf ` + - ``.ovf`` + - Open Virtualization Format (OVF) files. + * - Phobos + - :class:`phobos ` + - ``.eight`` + - Phobos Ransomware files. + * - Proxmox + - :class:`proxmox ` + - ``.conf`` + - Proxmox VM configuration files. + * - Parallels VM + - :class:`pvm `, + :class:`pvs ` + - ``.pvm``, ``config.pvs`` - Parallels VM directory (.pvm) and the conviguration file (config.pvs) - * - :class:`Raw ` - - :class:`MultiRaw ` - - ``raw``, ``multiraw`` - - Load raw container files such as disk images. + * - Raw + - :class:`raw `, + :class:`multiraw ` + - + - Raw binary files such as disk images. To load multiple raw containers in a single target, use ``MultiRaw``. To use this loader automatically use ``+`` to chain disks. E.g. ``/dev/vda+/dev/vdb`` - * - :class:`Remote ` - - ``remote`` - - Load a remote target that runs a compatible Dissect agent. - * - :class:`SMB ` - - ``smb`` + * - Remote + - :class:`remote ` + - + - Connect to a remote target that runs a compatible Dissect agent. Can only be used directly with ``remote://`` or ``-L remote``. + * - SMB + - :class:`smb ` + - - Use an SMB connection to user remote SMB servers as a target. This particular loader requires ``impacket`` to be installed. - * - :class:`Tanium ` - - ``tanium`` - - Load Tanium forensic image format files. - * - :class:`Tar ` - - ``tar`` - - Load tar files, docker container images and output files from Acquire or UAC. - * - :class:`Target ` - - ``target`` + Can only be used directly with ``smb://`` or ``-L smb``. + * - Tanium + - :class:`tanium ` + - + - Tanium forensic image format files. + * - Tar + - :class:`tar ` + - ``.tar``, ``.tar.``, ``.t`` + - (Compressed) Tar files, docker container images and output files from Acquire or UAC. + * - Target + - :class:`target ` + - ``.target`` - Load target system using a target file. - * - :class:`Unix-like Artifacts Collector ` - - ``uac`` - - Load the output of the UAC tool - * - :class:`UTM ` - - ``utm`` - - Load UTM virtual machine files. - * - :class:`VB ` - - ``vb`` - - No documentation - * - :class:`Virtual Box ` - - ``vbox`` - - Load Oracle VirtualBox files. - * - :class:`Veaam Backup ` - - ``vbk`` + * - Unix-like Artifacts Collector + - :class:`uac ` + - + - UAC tool output. Detects whether the directory contains ``uac.log`` and a ``[root]`` directory. + * - UTM + - :class:`utm ` + - ``*.utm/`` directory. + - UTM virtual machine files. + * - VB + - :class:`vb ` + - + - ..todo: + * - Virtual Box + - :class:`vbox ` + - ``.vbox`` + - Oracle VirtualBox files. + * - Veaam Backup + - :class:`vbk ` + - ``.vbk`` - Load Veaam Backup (VBK) files. - * - :class:`Velociraptor ` - - ``velociraptor`` - - Load Rapid7 Velociraptor forensic image files. - * - :class:`Virtual Machine Archive ` - - ``vma`` - - Load Proxmox Virtual Machine Archive (VMA) files. - * - :class:`VMware Fusion ` - - ``vmwarevm`` - - Load ``*.vmwarevm`` folders from VMware Fusion. - * - :class:`VMware VM configuration ` - - ``vmx`` - - Load VMware virtual machine configuration (VMX) files. - * - :class:`XVA ` - - ``xva`` - - Load Citrix Hypervisor XVA format files. - * - :class:`Zip ` - - ``zip`` - - Load zip files themselves or interpret the output of tools like Acquire or UAC. + * - Velociraptor + - :class:`velociraptor ` + - + - Rapid7 Velociraptor forensic image files. Either loads in the zip file or a directory containing the contents. + * - Virtual Machine Archive + - :class:`vma ` + - ``.vma`` + - Proxmox Virtual Machine Archive files. + * - VMware Fusion + - :class:`vmwarevm ` + - ``.vmwarevm`` + - VMware Fusion virtual machines. + * - VMware VM configuration + - :class:`vmx ` + - ``.vmx`` + - VMware virtual machine configuration files. + * - XVA + - :class:`xva ` + - ``.xva`` + - Citrix Hypervisor format files. + * - Zip + - :class:`zip ` + - ``.zip`` + - Zip files themselves or load the output of tools like Acquire or UAC. Containers ~~~~~~~~~~ @@ -154,31 +189,53 @@ The table below lists the supported container formats. .. list-table:: Supported Containers :header-rows: 1 - :widths: 20 30 + :widths: 20 5 20 5 * - Container + - Extension - Description - * - :class:`Apple Sparse Image Format ` + - API + * - Apple Sparse Image Format + - ``.asif`` - No Documentation - * - :class:`Expert Witness Disk Image Format ` - - Expert Witness Disk Image Format. - * - :class:`Fortinet Firmware ` + - :class:`here ` + * - Expert Witness Disk Image Format + - ``.E01``, ``.L01``, ``.Ex01``, ``.Lx01`` + - FTK Expert witness data format. + - :class:`here ` + * - Fortinet Firmware + - ``*-fortinet.out`` - No documentation - * - :class:`HDD` - - :class:`HDS ` + - :class:`here ` + * - HDD + - ``.hdd`` + - ... + - :class:`here ` + * - HDS + - ``.hds`` - Parallels Desktop hard disk format - * - :class:`Qcow2 ` + - :class:`here ` + * - Qcow2 + - ``.qcow2`` - Hard disk used for QEMU. - * - :class:`VDI ` + - :class:`here ` + * - VDI + - ``.vdi`` - The virtualbox harddisk format. - * - :class:`Virtual Hard Disk ` - - :class:`Virtual Hard Disk X ` + - :class:`here ` + * - Virtual Hard Disk + - ``.vhd`` + - ... + - :class:`here ` + * - Virtual Hard Disk X + - ``.vhdx`` - The virtual hard disk formats used for the Hyper-V hypervisor. VHD is a precursor to VHDX - * - :class:`VMware disk format ` + - :class:`here ` + * - VMware disk format + - ``.vmdk`` - VMware virtual hard disks. + - :class:`here ` Partition Schemes and Volume Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -191,10 +248,14 @@ Within `dissect.target` :class:`~dissect.target.volumes.disk.DissectVolumeSystem :widths: 20 * - Partition Scheme - * - :class:`Apple Partition Map ` - * - :class:`BSD Disklabel ` - * - :class:`GUID Partition Table ` - * - :class:`Master Boot Record ` + * - Apple Partition Map + - :class:`` + * - BSD Disklabel + - :class:`` + * - GUID Partition Table + - :class:`` + * - Master Boot Record + - :class:`` In addition to standard partition tables, Dissect supports various volume systems. These are used for RAID configurations or encrypted volumes such as ``LUKS`` and ``BitLocker``. @@ -211,17 +272,23 @@ The table below lists the different supported volume systems. * - Volume System - Description - * - :class:`Bitlocker ` + * - Bitlocker + - :class:`` - Bitlocker encrypted volume system. Used by windows systems - * - :class:`Disk Data Format ` + * - Disk Data Format + - :class:`` - DDF is a RAID data format that describes how data is formatted across raid groups. - * - :class:`Linux Unified Key Setup ` + * - Linux Unified Key Setup + - :class:`` - LUKS encrypted volume system. These are a standard specification for disk encryption on linux systems. - * - :class:`Logical Volume Manager ` + * - Logical Volume Manager + - :class:`` - LVM is a device mapper framework that can make multiple volumes on a single disk. - * - :class:`Multiple Device driver ` + * - Multiple Device driver + - :class:`` - Linux MD RAID volume system. A software based RAID system. - * - :class:`Virtual Machine Filesystem ` + * - Virtual Machine Filesystem + - :class:`` - VMFS is a clustered filesystem developed by VMWare on an ESXi type hosts. Filesystems @@ -244,37 +311,53 @@ Dissect provides implementations for common filesystems such as :doc:`NTFS ` + * - AD1 + - :class:`` - Forensic container format (AccessData AD1). - * - :class:`BTRFS ` + * - BTRFS + - :class:`` - BTRFS filesystem with support for subvolumes. - * - :class:`CpIO ` + * - CpIO + - :class:`` - CPIO archive format. - * - :class:`EXFAT ` + * - EXFAT + - :class:`` - Microsoft EXFAT filesystem. - * - :class:`Ext2, Ext3, Ext4 ` + * - Ext2, Ext3, Ext4 + - :class:`` - Linux EXT family filesystems. - * - :class:`FAT ` + * - FAT + - :class:`` - FAT12/16/32 filesystem. - * - :class:`FFS ` + * - FFS + - :class:`` - Fast File System (BSD). - * - :class:`JFFS ` + * - JFFS + - :class:`` - Journaling Flash File System. - * - :class:`Network File Share ` + * - Network File Share + - :class:`` - NFS share filesystem. - * - :class:`NTFS ` + * - NTFS + - :class:`` - Microsoft NTFS filesystem. - * - :class:`Overlay2 `, :class:`Overlay ` + * - Overlay2 `, :class:`Overlay + - :class:`` - Overlay filesystem used in container environments. - * - :class:`QnxFs ` + * - QnxFs + - :class:`` - QNX filesystem. - * - :class:`SquashFS ` + * - SquashFS + - :class:`` - Compressed read-only filesystem. - * - :class:`Virtual Backup Files ` + * - Virtual Backup Files + - :class:`` - Filesystem representation of VBK backup files. - * - :class:`VMFS ` + * - VMFS + - :class:`` - VMware VMFS filesystem. - * - :class:`XFS ` + * - XFS + - :class:`` - High-performance journaling filesystem Operating Systems @@ -290,25 +373,44 @@ Below is a list of supported operating systems that Dissect can detect. :widths: 20 * - Operating System - * - :class:`Android ` - * - :class:`Bsd ` - * - :class:`Citrix ` - * - :class:`Darwin ` - * - :class:`Debian ` - * - :class:`ESXi ` - * - :class:`Fortinet ` - * - :class:`FreeBSD ` - * - :class:`iOS ` - * - :class:`Generic Linux ` - * - :class:`MacOS ` - * - :class:`OpenBSD ` - * - :class:`Proxmox ` - * - :class:`RedHat ` - * - :class:`RES ` - * - :class:`OpenSusSE ` - * - :class:`Unix ` - * - :class:`Vyos ` - * - :class:`Windows ` + * - Android + - :class:`` + * - Bsd + - :class:`` + * - Citrix + - :class:`` + * - Darwin + - :class:`` + * - Debian + - :class:`` + * - ESXi + - :class:`` + * - Fortinet + - :class:`` + * - FreeBSD + - :class:`` + * - iOS + - :class:`` + * - Generic Linux + - :class:`` + * - MacOS + - :class:`` + * - OpenBSD + - :class:`` + * - Proxmox + - :class:`` + * - RedHat + - :class:`` + * - RES + - :class:`` + * - OpenSusSE + - :class:`` + * - Unix + - :class:`` + * - Vyos + - :class:`` + * - Windows + - :class:`` Child Targets ~~~~~~~~~~~~~ @@ -329,30 +431,43 @@ Dissect can recursively query these targets, allowing it to detect deeply nested * - Child Target - Description - * - :class:`Colima ` + * - Colima + - :class:`` - Child target plugin that yields Colima containers. - * - :class:`Docker ` + * - Docker + - :class:`` - Child target plugin that yields from Docker overlay2fs containers. - * - :class:`ESXi ` + * - ESXi + - :class:`` - Child target plugin that yields from ESXi VM inventory. - * - :class:`Hyper-v ` + * - Hyper-v + - :class:`` - Child target plugin that yields from Hyper-V VM inventory. - * - :class:`Lima ` + * - Lima + - :class:`` - Child target plugin that yields Lima VMs. - * - :class:`Parallels ` + * - Parallels + - :class:`` - Child target plugin that yields Parallels Desktop VM files. - * - :class:`Podman ` + * - Podman + - :class:`` - Child target plugin that yields from Podman overlayfs containers - * - :class:`Proxmox ` + * - Proxmox + - :class:`` - Child target plugin that yields from the VM listing. - * - :class:`Qemu ` + * - Qemu + - :class:`` - Child target plugin that yields all QEMU domains from a KVM libvirt deamon. - * - :class:`VirtualBox ` + * - VirtualBox + - :class:`` - Child target plugin that yields from Oracle VirtualBox VMs. - * - :class:`Virtuozzo ` + * - Virtuozzo + - :class:`` - Child target plugin that yields from Virtuozzo container's root. - * - :class:`Vmware Workstation ` + * - Vmware Workstation + - :class:`` - Child target plugin that yields from VMware Workstation VM inventory. - * - :class:`WSL ` + * - WSL + - :class:`` - Child target plugin that yields Windos Subsystem Linux VHDX file locations. From 6e8be2e284733522acbcb109a3d061657b0a12d4 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 3 Dec 2025 13:41:53 +0100 Subject: [PATCH 09/25] Move supported-targets before the tutorial --- docs/source/index.rst | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/source/index.rst b/docs/source/index.rst index 2243f1e..9e5fccc 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -85,7 +85,7 @@ Get in touch, join us on `Github `_! .. toctree:: :hidden: - + Home .. toctree:: @@ -93,19 +93,18 @@ Get in touch, join us on `Github `_! :hidden: Install + Supported Targets Tutorial Querying Shell Mount Acquire - Supported Targets RDump - - + .. toctree:: :caption: In-Depth :hidden: - + /tools/index /projects/index /usage/index From 8c23b4718103f997672d19d3cbdee01630e72bcc Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 3 Dec 2025 13:51:51 +0100 Subject: [PATCH 10/25] Make it clearer that dissect automatically selects the correct loader --- docs/source/supported-targets.rst | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index bdb1a01..e6dfc66 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -13,13 +13,15 @@ The goal is to build a virtual representation of the original system. For a deeper dive into how loaders work, see :doc:`loaders `. -In most cases, the appropriate loader is selected automatically based on the target. -However, you can also specify a loader manually using the ``-L `` flag or URI-style notation ``://``. +In most cases, the appropriate loader is selected automatically based on the the file it encounters. +This can be based on the file extension, a directory structure inside the file or a specific configuration inside the file. +However, a loader can be selected manually using ``-L `` flag or with URI-style notation ``://``. .. code-block:: bash target-query -f func -L ab /path/to/target target-query -f func ab:///path/to/target + target-query -f func /path/to/target.ab .. list-table:: Supported Loaders :header-rows: 1 @@ -140,8 +142,8 @@ However, you can also specify a loader manually using the ``-L `` f - UTM virtual machine files. * - VB - :class:`vb ` - - - - ..todo: + - .. TODO: + - .. TODO: looks like it supports rawcopy or something. * - Virtual Box - :class:`vbox ` - ``.vbox`` From 877ad6442536fca1df30e9612c309b48f7ebb811 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 10 Dec 2025 15:21:02 +0100 Subject: [PATCH 11/25] Update loaders table --- docs/source/supported-targets.rst | 153 +++++++++++++++--------------- 1 file changed, 77 insertions(+), 76 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index e6dfc66..47cb167 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -13,9 +13,9 @@ The goal is to build a virtual representation of the original system. For a deeper dive into how loaders work, see :doc:`loaders `. -In most cases, the appropriate loader is selected automatically based on the the file it encounters. -This can be based on the file extension, a directory structure inside the file or a specific configuration inside the file. -However, a loader can be selected manually using ``-L `` flag or with URI-style notation ``://``. +In most cases, Dissect selects the appropriate loader automatically based on the file you target. +This can be based on the file extension, a specific directory structure inside the file (e.g. inside a zip file) or a specific configuration inside the file. +However, there is an option to select a loader manually using ``-L `` flag or with URI-style notation ``://``. .. code-block:: bash @@ -25,157 +25,158 @@ However, a loader can be selected manually using ``-L `` flag or wi .. list-table:: Supported Loaders :header-rows: 1 - :widths: 15 10 25 + :widths: 15 20 10 5 * - Name - - Loader type - - File extensions - Description + - Extension + - Type * - Android Backup - - :class:`ab ` - - ``.ab`` - Android backup files. + - ``.ab`` + - :class:`ab ` * - Carbon Black - - :class:`cb ` - - - Carbon Black Live Response endpoints. Can only be used directly with ``cb://`` or ``-L cb``. + - + - :class:`cb ` * - Cellebrite - - :class:`cellebrite ` - - ``.ufdx``, ``.ufd`` - Cellebrite UFED exports files. + - ``.ufdx``, ``.ufd`` + - :class:`cellebrite ` * - Directory - - :class:`dir ` - - - Use a local directory as the root of a virtual filesystem. + - + - :class:`dir ` * - Hyper-V - - :class:`hyperv ` - - ``.vmcx``, ``.xml`` - Microsoft Hyper-V configuration files. + - ``.vmcx``, ``.xml`` + - :class:`hyperv ` * - Itunes Backup - - :class:`itunes ` - - - iTunes backup files. Only from a directory that contains a ``Manifest.plist`` file. + - + - :class:`itunes ` * - Kape - - :class:`kape ` - - ``.vhdx`` or ``directory/`` - KAPE forensic image format files. Only if the file or directory contains Kape specific directories. + - ``.vhdx`` or ``directory/`` + - :class:`kape ` * - Libvirt - - :class:`libvirt ` - - ``.xml`` - Libvirt xml configuration files. + - ``.xml`` + - :class:`libvirt ` * - Local - - :class:`local ` - Interpret the local system inside Dissect. + - + - :class:`local ` * - Log - - :class:`log ` - - - Target specific log files. Can only be used directly with ``cb://`` or ``-L log``. - * - MQTT - - :class:`mqtt ` - + - :class:`log ` + * - MQTT - MQTT broker. Can only be used directly with ``mqtt://`` or ``-L mqtt``. + - + - :class:`mqtt ` * - OVA - - :class:`ova ` - - ``.ova`` - Virtual Appliance files. + - ``.ova`` + - :class:`ova ` * - Overlay - - :class:`overlay `, - - - Construct a filesystem of the different layers of a ``podman`` container directory. - * - Overlay2 - - :class:`overlay2 ` - + - :class:`overlay `, + * - Overlay2 - Construct a filesystem of the different layers of a ``docker`` container directory. + - + - :class:`overlay2 ` * - Open Virtualization Format - - :class:`ovf ` - - ``.ovf`` - Open Virtualization Format (OVF) files. + - ``.ovf`` + - :class:`ovf ` * - Phobos - - :class:`phobos ` - - ``.eight`` - Phobos Ransomware files. + - ``.eight`` + - :class:`phobos ` * - Proxmox - - :class:`proxmox ` - - ``.conf`` - Proxmox VM configuration files. + - ``.conf`` + - :class:`proxmox ` * - Parallels VM + - Parallels VM directory (.pvm) and the conviguration file (config.pvs) + - ``.pvm``, ``config.pvs`` - :class:`pvm `, :class:`pvs ` - - ``.pvm``, ``config.pvs`` - - Parallels VM directory (.pvm) and the conviguration file (config.pvs) * - Raw - - :class:`raw `, - :class:`multiraw ` - - - Raw binary files such as disk images. To load multiple raw containers in a single target, use ``MultiRaw``. To use this loader automatically use ``+`` to chain disks. E.g. ``/dev/vda+/dev/vdb`` + - + - :class:`raw `, + :class:`multiraw ` * - Remote - - :class:`remote ` - - - Connect to a remote target that runs a compatible Dissect agent. Can only be used directly with ``remote://`` or ``-L remote``. - * - SMB - - :class:`smb ` - + - :class:`remote ` + * - SMB - Use an SMB connection to user remote SMB servers as a target. This particular loader requires ``impacket`` to be installed. Can only be used directly with ``smb://`` or ``-L smb``. - * - Tanium - - :class:`tanium ` - + - :class:`smb ` + * - Tanium - Tanium forensic image format files. + - + - :class:`tanium ` * - Tar - - :class:`tar ` - - ``.tar``, ``.tar.``, ``.t`` - (Compressed) Tar files, docker container images and output files from Acquire or UAC. + - ``.tar``, ``.tar.``, ``.t`` + - :class:`tar ` * - Target - - :class:`target ` - - ``.target`` - Load target system using a target file. + - ``.target`` + - :class:`target ` * - Unix-like Artifacts Collector - - :class:`uac ` - - - UAC tool output. Detects whether the directory contains ``uac.log`` and a ``[root]`` directory. + - + - :class:`uac ` * - UTM - - :class:`utm ` - - ``*.utm/`` directory. - UTM virtual machine files. + - ``*.utm/`` directory. + - :class:`utm ` * - VB - - :class:`vb ` - - .. TODO: - .. TODO: looks like it supports rawcopy or something. + - + - :class:`vb ` * - Virtual Box - - :class:`vbox ` - - ``.vbox`` - Oracle VirtualBox files. + - ``.vbox`` + - :class:`vbox ` * - Veaam Backup - - :class:`vbk ` - - ``.vbk`` - Load Veaam Backup (VBK) files. + - ``.vbk`` + - :class:`vbk ` * - Velociraptor - - :class:`velociraptor ` - - - Rapid7 Velociraptor forensic image files. Either loads in the zip file or a directory containing the contents. + - + - :class:`velociraptor ` * - Virtual Machine Archive - - :class:`vma ` - - ``.vma`` - Proxmox Virtual Machine Archive files. + - ``.vma`` + - :class:`vma ` * - VMware Fusion - - :class:`vmwarevm ` - - ``.vmwarevm`` - VMware Fusion virtual machines. + - ``.vmwarevm`` + - :class:`vmwarevm ` * - VMware VM configuration - - :class:`vmx ` - - ``.vmx`` - VMware virtual machine configuration files. + - ``.vmx`` + - :class:`vmx ` * - XVA - - :class:`xva ` - - ``.xva`` - Citrix Hypervisor format files. + - ``.xva`` + - :class:`xva ` * - Zip - - :class:`zip ` - - ``.zip`` - Zip files themselves or load the output of tools like Acquire or UAC. + - ``.zip`` + - :class:`zip ` Containers ~~~~~~~~~~ From 8caa7e57adaa80e2763f94f97239fce802474afa Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 3 Dec 2025 14:51:45 +0100 Subject: [PATCH 12/25] Update the documentation of the container formats --- docs/source/supported-targets.rst | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 47cb167..2f40b51 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -181,8 +181,8 @@ However, there is an option to select a loader manually using ``-L Containers ~~~~~~~~~~ -Containers are the abstraction layer for anything that looks (or should look) like a raw disk. -They allow Dissect to interpret and interact with disk-like data structures in a consistent way. +Containers provide an interface for Dissect to interact with a disk-like structure in a consistent way. +These can be files or a harddisk. .. seealso:: @@ -192,52 +192,51 @@ The table below lists the supported container formats. .. list-table:: Supported Containers :header-rows: 1 - :widths: 20 5 20 5 + :widths: 20 20 5 5 * - Container - - Extension - Description + - Extension - API * - Apple Sparse Image Format + - A sparse disk format introduced by Apple with near native SSD speeds. - ``.asif`` - - No Documentation - :class:`here ` * - Expert Witness Disk Image Format - - ``.E01``, ``.L01``, ``.Ex01``, ``.Lx01`` - FTK Expert witness data format. + - ``.E01``, ``.L01``, ``.Ex01``, ``.Lx01`` - :class:`here ` * - Fortinet Firmware + - Interprets and decompresses a Fortinet firmware file. - ``*-fortinet.out`` - - No documentation - :class:`here ` * - HDD + - Parallels HDD virtual disk implementation. - ``.hdd`` - - ... - :class:`here ` * - HDS + - Parallels sparse hard disk format - ``.hds`` - - Parallels Desktop hard disk format - :class:`here ` * - Qcow2 + - QEMU Copy On Write virtual disk format. - ``.qcow2`` - - Hard disk used for QEMU. - :class:`here ` * - VDI - - ``.vdi`` - The virtualbox harddisk format. + - ``.vdi`` - :class:`here ` * - Virtual Hard Disk + - The original virtual hard disk format developed by Microsoft. Mainly used by the Hyper-V hypervisor. - ``.vhd`` - - ... - :class:`here ` * - Virtual Hard Disk X + - Virtual Hard Disk v2, the successor of VHD, and the new default on Hyper-V. - ``.vhdx`` - - The virtual hard disk formats used for the Hyper-V hypervisor. - VHD is a precursor to VHDX - :class:`here ` * - VMware disk format - - ``.vmdk`` - VMware virtual hard disks. + - ``.vmdk`` - :class:`here ` Partition Schemes and Volume Systems From 0e6c1b9083db026516ad52c610f9535fecb8f797 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 3 Dec 2025 16:19:39 +0100 Subject: [PATCH 13/25] Apply changes to the volume systems Also split it between encrypted and unencrypted volume systems --- docs/source/supported-targets.rst | 58 +++++++++++++++++++------------ 1 file changed, 36 insertions(+), 22 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 2f40b51..a308891 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -242,56 +242,70 @@ The table below lists the supported container formats. Partition Schemes and Volume Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Partitions organize a disk into multiple logical volumes. -Within `dissect.target` :class:`~dissect.target.volumes.disk.DissectVolumeSystem` handles the partition schemes that are listed below. +Dissect supports the following partition schemes to divide a disk into multiple logical volumes. .. list-table:: Supported Partition Schemes :header-rows: 1 - :widths: 20 + :widths: 45 5 * - Partition Scheme + - API * - Apple Partition Map - - :class:`` + - :class:`here ` * - BSD Disklabel - - :class:`` + - :class:`here ` * - GUID Partition Table - - :class:`` + - :class:`here ` * - Master Boot Record - - :class:`` + - :class:`here ` -In addition to standard partition tables, Dissect supports various volume systems. -These are used for RAID configurations or encrypted volumes such as ``LUKS`` and ``BitLocker``. +Besides the standard partition tables used in most computer systems. +Dissect supports various other systems that do something similar. +These are volume systems used fo RAID configurations or logical volumes that span multiple disks. .. seealso:: For more details, see :doc:`volumes `. -The table below lists the different supported volume systems. +The table below showcases the different supported volume systems. .. list-table:: Supported Volume Systems :header-rows: 1 - :widths: 20 30 + :widths: 20 30 5 * - Volume System - Description - * - Bitlocker - - :class:`` - - Bitlocker encrypted volume system. Used by windows systems + - API * - Disk Data Format - - :class:`` - DDF is a RAID data format that describes how data is formatted across raid groups. - * - Linux Unified Key Setup - - :class:`` - - LUKS encrypted volume system. These are a standard specification for disk encryption on linux systems. + - :class:`here ` * - Logical Volume Manager - - :class:`` - - LVM is a device mapper framework that can make multiple volumes on a single disk. + - LVM is a device mapper framework that can make multiple volumes on a single disk. + - :class:`here ` * - Multiple Device driver - - :class:`` - Linux MD RAID volume system. A software based RAID system. + - :class:`here ` * - Virtual Machine Filesystem - - :class:`` - VMFS is a clustered filesystem developed by VMWare on an ESXi type hosts. + - :class:`here ` + +Dissect also supports decryption for some well known formats. +The decryption functionality can be accessed with the (``-K``) or a keychain value (``-Kv``) inside the Dissect tooling. +Dissect supports the following encrypted volume systems + +.. list-table:: Supported Encrypted Volume Systems + :header-rows: 1 + :widths: 20 30 5 + + * - Encrypted volume system + - Description + - API + * - Linux Unified Key Setup + - LUKS encrypted volume system. These are the standard specification for disk encryption on linux systems. + - :class:`here ` + * - Bitlocker + - BitLocker encrypted volume system. Used by Windows systems + - :class:`here ` Filesystems ~~~~~~~~~~~ From 5b17098639f938a98375ed34846aba82f48f42dd Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 10 Dec 2025 15:24:33 +0100 Subject: [PATCH 14/25] Add updates to filesystem table --- docs/source/supported-targets.rst | 77 ++++++++++++++++--------------- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index a308891..2934614 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -260,8 +260,7 @@ Dissect supports the following partition schemes to divide a disk into multiple - :class:`here ` Besides the standard partition tables used in most computer systems. -Dissect supports various other systems that do something similar. -These are volume systems used fo RAID configurations or logical volumes that span multiple disks. +Dissect supports volume systems used for RAID configurations or logical volumes that span multiple disks. .. seealso:: @@ -314,67 +313,71 @@ In Dissect, filesystems go beyond traditional disk-based structures. If it behaves like a filesystem, Dissect can likely treat it as one. This includes both standard filesystems and formats that resemble filesystem behavior. -Dissect provides implementations for common filesystems such as :doc:`NTFS ` and :doc:`VMFS `, as well as support for forensic formats, network shares, and virtual overlays. - .. seealso:: For more details, see :doc:`Filesystems `. .. list-table:: Supported Filesystems :header-rows: 1 - :widths: 20 30 + :widths: 20 30 5 * - Filesystem - Description - + - API * - AD1 - - :class:`` - Forensic container format (AccessData AD1). + - :class:`here ` + * - APFS + - Apple Filesystem. + - :class:`here ` * - BTRFS - - :class:`` - - BTRFS filesystem with support for subvolumes. - * - CpIO - - :class:`` + - Binary-tree file system with support for subvolumes. + - :class:`here ` + * - CPIO - CPIO archive format. - * - EXFAT - - :class:`` - - Microsoft EXFAT filesystem. + - :class:`here ` + * - exFAT + - Microsoft Extensible File Allocation Table filesystem. + - :class:`here ` * - Ext2, Ext3, Ext4 - - :class:`` - Linux EXT family filesystems. + - :class:`here ` * - FAT - - :class:`` - - FAT12/16/32 filesystem. + - File Allocation Table 12/16/32-bit filesystem. + - :class:`here ` * - FFS - - :class:`` - - Fast File System (BSD). + - Fast Filesystem (BSD). + - :class:`here ` * - JFFS - - :class:`` - - Journaling Flash File System. - * - Network File Share - - :class:`` - - NFS share filesystem. + - Journaling Flash Filesystem. + - :class:`here ` + * - NFS + - Network File Share filesystem. Gives the ability to connect to an NFS share + - :class:`here ` * - NTFS - - :class:`` - - Microsoft NTFS filesystem. - * - Overlay2 `, :class:`Overlay - - :class:`` - - Overlay filesystem used in container environments. - * - QnxFs - - :class:`` - - QNX filesystem. + - Microsoft NT Filesystem. + - :class:`here ` + * - Overlay + - Overlay filesystem combines multiple layers into one singular filesystem. This filesystem is used for container formats for Docker or Podman. + - :class:`here ` + * - Overlay2 + - Overlay2 Filesystem is a more efficient version of the Overlay filesystem. + - :class:`here ` + * - QNX4, QNX6 + - QNX filesystem, commonly used in the QNX RTOS. + - :class:`here ` * - SquashFS - - :class:`` - - Compressed read-only filesystem. + - Compressed read-only filesystem used by linux systems. + - :class:`here ` * - Virtual Backup Files - - :class:`` - Filesystem representation of VBK backup files. + - :class:`here ` * - VMFS - - :class:`` - VMware VMFS filesystem. + - :class:`here ` * - XFS - - :class:`` - High-performance journaling filesystem + - :class:`here ` Operating Systems ~~~~~~~~~~~~~~~~~ From 5e680ec846cc0263f891f2634ae6b65968e58666 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 10 Dec 2025 15:26:10 +0100 Subject: [PATCH 15/25] Order operating systems based on class hierarchy --- docs/source/supported-targets.rst | 73 ++++++++++++++++--------------- 1 file changed, 37 insertions(+), 36 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 2934614..e6ae897 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -382,54 +382,55 @@ This includes both standard filesystems and formats that resemble filesystem beh Operating Systems ~~~~~~~~~~~~~~~~~ -Dissect includes a range of ``OSPlugins`` that help identify the operating system present on a target. -These plugins analyze disk data to determine the system type, enabling more accurate queries such as retrieving user or network information. +Dissect supports various operating systems, where Dissect tries to automatically figure out what operating system is on the disk. +This kind of detection enables more accurate queries for retrieving user and network information. Below is a list of supported operating systems that Dissect can detect. .. list-table:: Supported Operating Systems :header-rows: 1 - :widths: 20 + :widths: 45 5 * - Operating System - * - Android - - :class:`` - * - Bsd - - :class:`` - * - Citrix - - :class:`` - * - Darwin - - :class:`` - * - Debian - - :class:`` + - API + * - RES + - :class:`here ` + * - Windows + - :class:`here ` + * - Unix + - :class:`here ` * - ESXi - - :class:`` - * - Fortinet - - :class:`` + - :class:`here ` + * - BSD + - :class:`here ` + * - Citrix + - :class:`here ` * - FreeBSD - - :class:`` + - :class:`here ` + * - OpenBSD + - :class:`here ` + * - Darwin + - :class:`here ` * - iOS - - :class:`` - * - Generic Linux - - :class:`` + - :class:`here ` * - MacOS - - :class:`` - * - OpenBSD - - :class:`` - * - Proxmox - - :class:`` + - :class:`here ` + * - Generic Linux + - :class:`here ` + * - Android + - :class:`here ` + * - Fortinet + - :class:`here ` + * - OpenSUSE + - :class:`here ` * - RedHat - - :class:`` - * - RES - - :class:`` - * - OpenSusSE - - :class:`` - * - Unix - - :class:`` - * - Vyos - - :class:`` - * - Windows - - :class:`` + - :class:`here ` + * - Debian + - :class:`here ` + * - Proxmox + - :class:`here ` + * - VyOS + - :class:`here ` Child Targets ~~~~~~~~~~~~~ From 0dc1b255544bd0802405d52b3378e426ad8bb35f Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 10 Dec 2025 16:43:10 +0100 Subject: [PATCH 16/25] Add changes to supported child targets --- docs/source/supported-targets.rst | 57 ++++++++++++++++--------------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index e6ae897..4d70fdb 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -437,7 +437,7 @@ Child Targets Dissect supports identifying, listing and querying *child targets*. These are targets within other targets. -These can include virtual machines, containers, or other environments nested inside a target. +This can include virtual machines, containers, or other environments nested inside a target. Child targets are discovered using configuration files or metadata present on the host or target. Dissect can recursively query these targets, allowing it to detect deeply nested environments automatically. @@ -447,47 +447,48 @@ Dissect can recursively query these targets, allowing it to detect deeply nested .. list-table:: Supported Child Targets :header-rows: 1 - :widths: 15 35 + :widths: 15 35 5 * - Child Target - Description + - API * - Colima - - :class:`` - - Child target plugin that yields Colima containers. + - Colima container format, which is a runtime for both linux and macOS. + - :class:`here ` * - Docker - - :class:`` - - Child target plugin that yields from Docker overlay2fs containers. + - The Docker overlay2fs containers that available on the system. + - :class:`here ` * - ESXi - - :class:`` - - Child target plugin that yields from ESXi VM inventory. + - The VM inventory on ESXi machines. + - :class:`here ` * - Hyper-v - - :class:`` - - Child target plugin that yields from Hyper-V VM inventory. + - The VM inventory on Hyper-V Windows hosts. + - :class:`here ` * - Lima - - :class:`` - - Child target plugin that yields Lima VMs. + - Lima, Linux Machines, is a container / VM runtime that supports different container engines such as docker, podman, and kubernetes. + - :class:`here ` * - Parallels - - :class:`` - - Child target plugin that yields Parallels Desktop VM files. + - The Parallels Desktop inventory, Parallels is a hypervisor for Mac computers. + - :class:`here ` * - Podman - - :class:`` - - Child target plugin that yields from Podman overlayfs containers + - Podman, a container runtime engine such as Docker. + - :class:`here ` * - Proxmox - - :class:`` - - Child target plugin that yields from the VM listing. + - Proxmox is a debian based virtualization platform. + - :class:`here ` * - Qemu - - :class:`` - - Child target plugin that yields all QEMU domains from a KVM libvirt deamon. + - All QEMU virtual machines created by the KVM libvirt deamon. + - :class:`here ` * - VirtualBox - - :class:`` - - Child target plugin that yields from Oracle VirtualBox VMs. + - Oracle VirtualBox VMs. + - :class:`here ` * - Virtuozzo - - :class:`` - - Child target plugin that yields from Virtuozzo container's root. + - All the vms from the Virtuozzo container's root directory ``vz/root/$VEID``. + - :class:`here ` * - Vmware Workstation - - :class:`` - - Child target plugin that yields from VMware Workstation VM inventory. + - All the VMs registerd within the VMWare workstation VM inventory. + - :class:`here ` * - WSL - - :class:`` - - Child target plugin that yields Windos Subsystem Linux VHDX file locations. + - All the Windows Subsystem Linux VHDX file locations. + - :class:`here ` From d624beb92a5e7c3876c81404d28229eec80ef41a Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Mon, 15 Dec 2025 14:06:47 +0100 Subject: [PATCH 17/25] Change the text to be more accessible --- docs/source/supported-targets.rst | 38 +++++++++++++++---------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 4d70fdb..e7ad425 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -1,21 +1,23 @@ Supported targets ----------------- -Dissect supports a large range of formats. From various disk images, volume systems, file systems and operating systems, to tarballs and proprietary backup formats, and everything combined! This page aims to provide you with an overview of what you can expect Dissect to be able to handle! +Dissect supports a large range of formats. +From various disk images, volume systems, file systems and operating systems, to tarballs and proprietary backup formats, and everything combined! +This page aims to provide you with an overview of what you can expect Dissect to be able to handle! Loaders ~~~~~~~ -Loaders provide a way to interact with a "target" by combining and accessing source data into usable components for ``dissect.target``. -The goal is to build a virtual representation of the original system. +Loaders provide a way to interact with a "target" by combining and accessing source data into usable parts. +This creates a virtual version of the original system. .. seealso:: For a deeper dive into how loaders work, see :doc:`loaders `. In most cases, Dissect selects the appropriate loader automatically based on the file you target. -This can be based on the file extension, a specific directory structure inside the file (e.g. inside a zip file) or a specific configuration inside the file. -However, there is an option to select a loader manually using ``-L `` flag or with URI-style notation ``://``. +It does this by looking at things like the file type, folder structure or special configurations files. +If needed, you can choose the loader yourself by using ``-L `` option or by using the URI-style notation ``://``. .. code-block:: bash @@ -142,7 +144,7 @@ However, there is an option to select a loader manually using ``-L - ``*.utm/`` directory. - :class:`utm ` * - VB - - .. TODO: looks like it supports rawcopy or something. + - Construct a target from files created by RawCopy - - :class:`vb ` * - Virtual Box @@ -181,8 +183,8 @@ However, there is an option to select a loader manually using ``-L Containers ~~~~~~~~~~ -Containers provide an interface for Dissect to interact with a disk-like structure in a consistent way. -These can be files or a harddisk. +Containers lets Dissect interact with a disk-like structure in a consistent way. +These can be virtual machine files, forensic containers or a harddisk itself. .. seealso:: @@ -259,8 +261,7 @@ Dissect supports the following partition schemes to divide a disk into multiple * - Master Boot Record - :class:`here ` -Besides the standard partition tables used in most computer systems. -Dissect supports volume systems used for RAID configurations or logical volumes that span multiple disks. +Besides these standard partition tables used in most computer systems, Dissect supports disks in RAID configurations or disks with logical volumes that span multiple disks. .. seealso:: @@ -288,9 +289,9 @@ The table below showcases the different supported volume systems. - VMFS is a clustered filesystem developed by VMWare on an ESXi type hosts. - :class:`here ` -Dissect also supports decryption for some well known formats. -The decryption functionality can be accessed with the (``-K``) or a keychain value (``-Kv``) inside the Dissect tooling. -Dissect supports the following encrypted volume systems +Dissect also has decryption capability for some well known systems. +This functionality can be accessed with a keychain file (specified with ``-K``) with multiple passphrases or a keychain value (``-Kv``) using Dissect. +Dissect supports the following encryption formats. .. list-table:: Supported Encrypted Volume Systems :header-rows: 1 @@ -382,8 +383,8 @@ This includes both standard filesystems and formats that resemble filesystem beh Operating Systems ~~~~~~~~~~~~~~~~~ -Dissect supports various operating systems, where Dissect tries to automatically figure out what operating system is on the disk. -This kind of detection enables more accurate queries for retrieving user and network information. +Dissect supports various operating systems, where Dissect tries to automatically figure out what operating system is available on the disk. +Once the operating system is known, it enables the user to get more accurate information from the system, for example, the user andretrieve user or network information. Below is a list of supported operating systems that Dissect can detect. @@ -436,10 +437,9 @@ Child Targets ~~~~~~~~~~~~~ Dissect supports identifying, listing and querying *child targets*. -These are targets within other targets. -This can include virtual machines, containers, or other environments nested inside a target. -Child targets are discovered using configuration files or metadata present on the host or target. -Dissect can recursively query these targets, allowing it to detect deeply nested environments automatically. +These are systems within other systems and can include virtual machines, containers or any other environment inside a "target". +Dissect finds these systems by looking inside configuration files on the systems. +It can even look deeper, and look inside those systems within systems for even more *child targets*. .. seealso:: From a00fc6dbe9b8e0e2f83506764ac473be3db79d23 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 14 Jan 2026 14:56:45 +0100 Subject: [PATCH 18/25] Apply suggestions from code review Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com> --- docs/source/index.rst | 2 +- docs/source/supported-targets.rst | 44 +++++++++++++++---------------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/source/index.rst b/docs/source/index.rst index 9e5fccc..17dbb64 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -80,7 +80,7 @@ Or you can start by taking a look at some community articles and videos: :doc:`/resources/dissect-in-action` or :doc:`/resources/talks-and-conferences` to begin with. -Get in touch, join us on `Github `_! +Get in touch, join us on `GitHub `_! .. toctree:: diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index e7ad425..9df456d 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -21,9 +21,9 @@ If needed, you can choose the loader yourself by using ``-L `` opti .. code-block:: bash + target-query -f func /path/to/target.ab target-query -f func -L ab /path/to/target target-query -f func ab:///path/to/target - target-query -f func /path/to/target.ab .. list-table:: Supported Loaders :header-rows: 1 @@ -53,12 +53,12 @@ If needed, you can choose the loader yourself by using ``-L `` opti - Microsoft Hyper-V configuration files. - ``.vmcx``, ``.xml`` - :class:`hyperv ` - * - Itunes Backup + * - iTunes Backup - iTunes backup files. Only from a directory that contains a ``Manifest.plist`` file. - - :class:`itunes ` - * - Kape - - KAPE forensic image format files. Only if the file or directory contains Kape specific directories. + * - KAPE + - KAPE forensic image format files. Only if the file or directory contains KAPE specific directories. - ``.vhdx`` or ``directory/`` - :class:`kape ` * - Libvirt @@ -183,8 +183,8 @@ If needed, you can choose the loader yourself by using ``-L `` opti Containers ~~~~~~~~~~ -Containers lets Dissect interact with a disk-like structure in a consistent way. -These can be virtual machine files, forensic containers or a harddisk itself. +Containers let Dissect interact with a disk-like structure in a consistent way. +These can be virtual machine files, forensic containers or a hard disk itself. .. seealso:: @@ -267,7 +267,7 @@ Besides these standard partition tables used in most computer systems, Dissect s For more details, see :doc:`volumes `. -The table below showcases the different supported volume systems. +The table below lists the different supported volume systems. .. list-table:: Supported Volume Systems :header-rows: 1 @@ -290,7 +290,7 @@ The table below showcases the different supported volume systems. - :class:`here ` Dissect also has decryption capability for some well known systems. -This functionality can be accessed with a keychain file (specified with ``-K``) with multiple passphrases or a keychain value (``-Kv``) using Dissect. +This functionality can be accessed with a keychain file (specified with ``-K``) with multiple passphrases or a keychain value (``-Kv``) in most Dissect tools. Dissect supports the following encryption formats. .. list-table:: Supported Encrypted Volume Systems @@ -303,7 +303,7 @@ Dissect supports the following encryption formats. * - Linux Unified Key Setup - LUKS encrypted volume system. These are the standard specification for disk encryption on linux systems. - :class:`here ` - * - Bitlocker + * - BitLocker - BitLocker encrypted volume system. Used by Windows systems - :class:`here ` @@ -384,7 +384,7 @@ Operating Systems ~~~~~~~~~~~~~~~~~ Dissect supports various operating systems, where Dissect tries to automatically figure out what operating system is available on the disk. -Once the operating system is known, it enables the user to get more accurate information from the system, for example, the user andretrieve user or network information. +Once the operating system is known, it enables the user to get more accurate information from the system, for example, the user or network configuration. Below is a list of supported operating systems that Dissect can detect. @@ -414,13 +414,13 @@ Below is a list of supported operating systems that Dissect can detect. - :class:`here ` * - iOS - :class:`here ` - * - MacOS + * - macOS - :class:`here ` * - Generic Linux - :class:`here ` * - Android - :class:`here ` - * - Fortinet + * - FortiOS - :class:`here ` * - OpenSUSE - :class:`here ` @@ -453,19 +453,19 @@ It can even look deeper, and look inside those systems within systems for even m - Description - API * - Colima - - Colima container format, which is a runtime for both linux and macOS. + - Colima container format, which is a runtime for both Linux and macOS. - :class:`here ` * - Docker - - The Docker overlay2fs containers that available on the system. + - The Docker overlay2fs containers that are available on the system. - :class:`here ` * - ESXi - The VM inventory on ESXi machines. - :class:`here ` - * - Hyper-v + * - Hyper-V - The VM inventory on Hyper-V Windows hosts. - :class:`here ` * - Lima - - Lima, Linux Machines, is a container / VM runtime that supports different container engines such as docker, podman, and kubernetes. + - Lima, Linux Machines, is a container / VM runtime that supports different container engines such as Docker, Podman, and Kubernetes. - :class:`here ` * - Parallels - The Parallels Desktop inventory, Parallels is a hypervisor for Mac computers. @@ -476,19 +476,19 @@ It can even look deeper, and look inside those systems within systems for even m * - Proxmox - Proxmox is a debian based virtualization platform. - :class:`here ` - * - Qemu + * - QEMU - All QEMU virtual machines created by the KVM libvirt deamon. - :class:`here ` * - VirtualBox - Oracle VirtualBox VMs. - :class:`here ` * - Virtuozzo - - All the vms from the Virtuozzo container's root directory ``vz/root/$VEID``. + - All the Virtuozzo containers. - :class:`here ` - * - Vmware Workstation - - All the VMs registerd within the VMWare workstation VM inventory. + * - VMware Workstation + - All the VMs registerd within the VMware Workstation VM inventory. - :class:`here ` - * - WSL - - All the Windows Subsystem Linux VHDX file locations. + * - WSL2 + - All the Windows Subsystem for Linux 2 instances. - :class:`here ` From 95b8d161446111722f8f8b5a288ce10ca3491c1e Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 14 Jan 2026 15:04:23 +0100 Subject: [PATCH 19/25] Remove too specific entries that are not relevant --- docs/source/supported-targets.rst | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 9df456d..b1df604 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -69,10 +69,6 @@ If needed, you can choose the loader yourself by using ``-L `` opti - Interpret the local system inside Dissect. - - :class:`local ` - * - Log - - Target specific log files. Can only be used directly with ``cb://`` or ``-L log``. - - - - :class:`log ` * - MQTT - MQTT broker. Can only be used directly with ``mqtt://`` or ``-L mqtt``. - @@ -93,10 +89,6 @@ If needed, you can choose the loader yourself by using ``-L `` opti - Open Virtualization Format (OVF) files. - ``.ovf`` - :class:`ovf ` - * - Phobos - - Phobos Ransomware files. - - ``.eight`` - - :class:`phobos ` * - Proxmox - Proxmox VM configuration files. - ``.conf`` @@ -143,10 +135,6 @@ If needed, you can choose the loader yourself by using ``-L `` opti - UTM virtual machine files. - ``*.utm/`` directory. - :class:`utm ` - * - VB - - Construct a target from files created by RawCopy - - - - :class:`vb ` * - Virtual Box - Oracle VirtualBox files. - ``.vbox`` @@ -394,8 +382,6 @@ Below is a list of supported operating systems that Dissect can detect. * - Operating System - API - * - RES - - :class:`here ` * - Windows - :class:`here ` * - Unix From 1eb9ff5c4e6b7ade2bd8d4d49c87d873c51cc31c Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 14 Jan 2026 15:05:28 +0100 Subject: [PATCH 20/25] Add suggestions --- docs/source/supported-targets.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index b1df604..307896b 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -9,7 +9,7 @@ Loaders ~~~~~~~ Loaders provide a way to interact with a "target" by combining and accessing source data into usable parts. -This creates a virtual version of the original system. +This creates a virtual representation of the original system. .. seealso:: @@ -111,7 +111,7 @@ If needed, you can choose the loader yourself by using ``-L `` opti - :class:`remote ` * - SMB - Use an SMB connection to user remote SMB servers as a target. - This particular loader requires ``impacket`` to be installed. + This loader requires ``impacket`` to be installed, which can be done by installing `dissect.target[smb]`. Can only be used directly with ``smb://`` or ``-L smb``. - - :class:`smb ` @@ -266,9 +266,10 @@ The table below lists the different supported volume systems. - API * - Disk Data Format - DDF is a RAID data format that describes how data is formatted across raid groups. + Commonly used by Dell RAID controllers. - :class:`here ` - * - Logical Volume Manager - - LVM is a device mapper framework that can make multiple volumes on a single disk. + * - Logical Volume Manager 2 + - LVM2 is a device mapper framework that can make multiple volumes on a single disk. - :class:`here ` * - Multiple Device driver - Linux MD RAID volume system. A software based RAID system. From 9822f6588a899fb70f60f640a6474c4a5f42ec3e Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 14 Jan 2026 15:21:31 +0100 Subject: [PATCH 21/25] Update all API `here` references to __type__ of their classes --- docs/source/supported-targets.rst | 138 +++++++++++++++--------------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 307896b..9d26773 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -191,43 +191,43 @@ The table below lists the supported container formats. * - Apple Sparse Image Format - A sparse disk format introduced by Apple with near native SSD speeds. - ``.asif`` - - :class:`here ` + - :class:`asif ` * - Expert Witness Disk Image Format - FTK Expert witness data format. - ``.E01``, ``.L01``, ``.Ex01``, ``.Lx01`` - - :class:`here ` + - :class:`ewf ` * - Fortinet Firmware - Interprets and decompresses a Fortinet firmware file. - ``*-fortinet.out`` - - :class:`here ` + - :class:`fortifw ` * - HDD - Parallels HDD virtual disk implementation. - ``.hdd`` - - :class:`here ` + - :class:`hdd ` * - HDS - Parallels sparse hard disk format - ``.hds`` - - :class:`here ` + - :class:`hds ` * - Qcow2 - QEMU Copy On Write virtual disk format. - ``.qcow2`` - - :class:`here ` + - :class:`qcow2 ` * - VDI - The virtualbox harddisk format. - ``.vdi`` - - :class:`here ` + - :class:`vdi ` * - Virtual Hard Disk - The original virtual hard disk format developed by Microsoft. Mainly used by the Hyper-V hypervisor. - ``.vhd`` - - :class:`here ` + - :class:`vhd ` * - Virtual Hard Disk X - Virtual Hard Disk v2, the successor of VHD, and the new default on Hyper-V. - ``.vhdx`` - - :class:`here ` + - :class:`vhdx ` * - VMware disk format - VMware virtual hard disks. - ``.vmdk`` - - :class:`here ` + - :class:`vmdk ` Partition Schemes and Volume Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -241,13 +241,13 @@ Dissect supports the following partition schemes to divide a disk into multiple * - Partition Scheme - API * - Apple Partition Map - - :class:`here ` + - :class:`apm ` * - BSD Disklabel - - :class:`here ` + - :class:`bsd ` * - GUID Partition Table - - :class:`here ` + - :class:`gpt ` * - Master Boot Record - - :class:`here ` + - :class:`mbr ` Besides these standard partition tables used in most computer systems, Dissect supports disks in RAID configurations or disks with logical volumes that span multiple disks. @@ -267,16 +267,16 @@ The table below lists the different supported volume systems. * - Disk Data Format - DDF is a RAID data format that describes how data is formatted across raid groups. Commonly used by Dell RAID controllers. - - :class:`here ` + - :class:`ddf ` * - Logical Volume Manager 2 - LVM2 is a device mapper framework that can make multiple volumes on a single disk. - - :class:`here ` + - :class:`lvm2 ` * - Multiple Device driver - Linux MD RAID volume system. A software based RAID system. - - :class:`here ` + - :class:`md ` * - Virtual Machine Filesystem - VMFS is a clustered filesystem developed by VMWare on an ESXi type hosts. - - :class:`here ` + - :class:`vmfs ` Dissect also has decryption capability for some well known systems. This functionality can be accessed with a keychain file (specified with ``-K``) with multiple passphrases or a keychain value (``-Kv``) in most Dissect tools. @@ -291,10 +291,10 @@ Dissect supports the following encryption formats. - API * - Linux Unified Key Setup - LUKS encrypted volume system. These are the standard specification for disk encryption on linux systems. - - :class:`here ` + - :class:`luks ` * - BitLocker - BitLocker encrypted volume system. Used by Windows systems - - :class:`here ` + - :class:`bde ` Filesystems ~~~~~~~~~~~ @@ -316,58 +316,58 @@ This includes both standard filesystems and formats that resemble filesystem beh - API * - AD1 - Forensic container format (AccessData AD1). - - :class:`here ` + - :class:`ad1 ` * - APFS - Apple Filesystem. - - :class:`here ` + - :class:`apfs-container ` * - BTRFS - Binary-tree file system with support for subvolumes. - - :class:`here ` + - :class:`btrfs ` * - CPIO - CPIO archive format. - - :class:`here ` + - :class:`cpio ` * - exFAT - Microsoft Extensible File Allocation Table filesystem. - - :class:`here ` + - :class:`exfat ` * - Ext2, Ext3, Ext4 - Linux EXT family filesystems. - - :class:`here ` + - :class:`ext ` * - FAT - File Allocation Table 12/16/32-bit filesystem. - - :class:`here ` + - :class:`fat ` * - FFS - Fast Filesystem (BSD). - - :class:`here ` + - :class:`ffs ` * - JFFS - Journaling Flash Filesystem. - - :class:`here ` + - :class:`jffs ` * - NFS - Network File Share filesystem. Gives the ability to connect to an NFS share - - :class:`here ` + - :class:`nfs ` * - NTFS - Microsoft NT Filesystem. - - :class:`here ` + - :class:`ntfs ` * - Overlay - Overlay filesystem combines multiple layers into one singular filesystem. This filesystem is used for container formats for Docker or Podman. - - :class:`here ` + - :class:`overlay ` * - Overlay2 - Overlay2 Filesystem is a more efficient version of the Overlay filesystem. - - :class:`here ` + - :class:`overlay2 ` * - QNX4, QNX6 - QNX filesystem, commonly used in the QNX RTOS. - - :class:`here ` + - :class:`qnxfs ` * - SquashFS - Compressed read-only filesystem used by linux systems. - - :class:`here ` + - :class:`squashfs ` * - Virtual Backup Files - Filesystem representation of VBK backup files. - - :class:`here ` + - :class:`vbk ` * - VMFS - VMware VMFS filesystem. - - :class:`here ` + - :class:`vmfs ` * - XFS - High-performance journaling filesystem - - :class:`here ` + - :class:`xfs ` Operating Systems ~~~~~~~~~~~~~~~~~ @@ -384,41 +384,41 @@ Below is a list of supported operating systems that Dissect can detect. * - Operating System - API * - Windows - - :class:`here ` + - :class:`windows ` * - Unix - - :class:`here ` + - :class:`unix ` * - ESXi - - :class:`here ` + - :class:`esxi ` * - BSD - - :class:`here ` + - :class:`bsd ` * - Citrix - - :class:`here ` + - :class:`citrix ` * - FreeBSD - - :class:`here ` + - :class:`freebsd ` * - OpenBSD - - :class:`here ` + - :class:`openbsd ` * - Darwin - - :class:`here ` + - :class:`darwin ` * - iOS - - :class:`here ` + - :class:`ios ` * - macOS - - :class:`here ` + - :class:`macos ` * - Generic Linux - - :class:`here ` + - :class:`linux ` * - Android - - :class:`here ` + - :class:`android ` * - FortiOS - - :class:`here ` + - :class:`fortios ` * - OpenSUSE - - :class:`here ` + - :class:`opensuse ` * - RedHat - - :class:`here ` + - :class:`redhat ` * - Debian - - :class:`here ` + - :class:`debian ` * - Proxmox - - :class:`here ` + - :class:`proxmox ` * - VyOS - - :class:`here ` + - :class:`vyos ` Child Targets ~~~~~~~~~~~~~ @@ -441,41 +441,41 @@ It can even look deeper, and look inside those systems within systems for even m - API * - Colima - Colima container format, which is a runtime for both Linux and macOS. - - :class:`here ` + - :class:`colima ` * - Docker - The Docker overlay2fs containers that are available on the system. - - :class:`here ` + - :class:`docker ` * - ESXi - The VM inventory on ESXi machines. - - :class:`here ` + - :class:`esxi ` * - Hyper-V - The VM inventory on Hyper-V Windows hosts. - - :class:`here ` + - :class:`hyper-v ` * - Lima - Lima, Linux Machines, is a container / VM runtime that supports different container engines such as Docker, Podman, and Kubernetes. - - :class:`here ` + - :class:`lima ` * - Parallels - The Parallels Desktop inventory, Parallels is a hypervisor for Mac computers. - - :class:`here ` + - :class:`parallels ` * - Podman - Podman, a container runtime engine such as Docker. - - :class:`here ` + - :class:`podman ` * - Proxmox - Proxmox is a debian based virtualization platform. - - :class:`here ` + - :class:`proxmox ` * - QEMU - All QEMU virtual machines created by the KVM libvirt deamon. - - :class:`here ` + - :class:`qemu ` * - VirtualBox - Oracle VirtualBox VMs. - - :class:`here ` + - :class:`virtualbox ` * - Virtuozzo - All the Virtuozzo containers. - - :class:`here ` + - :class:`virtuozzo ` * - VMware Workstation - All the VMs registerd within the VMware Workstation VM inventory. - - :class:`here ` + - :class:`vmware ` * - WSL2 - All the Windows Subsystem for Linux 2 instances. - - :class:`here ` + - :class:`wsl ` From 05564cb2b40ac49201f689a4b7fd417e94556f57 Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Wed, 14 Jan 2026 15:50:42 +0100 Subject: [PATCH 22/25] Add documentation that containers are automatically selected --- docs/source/supported-targets.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 9d26773..15e4177 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -178,6 +178,11 @@ These can be virtual machine files, forensic containers or a hard disk itself. For a deeper understanding on how containers work, see :doc:`containers `. +Dissect has two methods to find the appropriate container automatically. +The first one is based on the file extension, while the other is based on a magic value inside the file. + +As an example, the qcow2 container gets selected if the file extension is `.qcow2` or if the first bytes of the file are b"QFI\xfb". + The table below lists the supported container formats. .. list-table:: Supported Containers From 914cc47f03be6b903d1052e8ff62e65c0b1fa22c Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Thu, 15 Jan 2026 13:57:24 +0100 Subject: [PATCH 23/25] Add suggestion --- docs/source/supported-targets.rst | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index 15e4177..c635fc3 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -178,10 +178,8 @@ These can be virtual machine files, forensic containers or a hard disk itself. For a deeper understanding on how containers work, see :doc:`containers `. -Dissect has two methods to find the appropriate container automatically. -The first one is based on the file extension, while the other is based on a magic value inside the file. - -As an example, the qcow2 container gets selected if the file extension is `.qcow2` or if the first bytes of the file are b"QFI\xfb". +Dissect can select the appropriate container automatically based on either the file extension or file magic. +For example, the QCOW2 container gets selected if the file extension is ``.qcow2`` or if the first bytes of the file are ``b"QFI\xfb"``. The table below lists the supported container formats. From 8fa7a0ecbd934234ecd158bc3d8c63b18dd254f8 Mon Sep 17 00:00:00 2001 From: Schamper <1254028+Schamper@users.noreply.github.com> Date: Thu, 15 Jan 2026 18:22:34 +0100 Subject: [PATCH 24/25] Suggest changes --- docs/source/conf.py | 5 +- docs/source/index.rst | 12 +- docs/source/supported-targets.rst | 765 ++++++++++++++---------------- 3 files changed, 356 insertions(+), 426 deletions(-) diff --git a/docs/source/conf.py b/docs/source/conf.py index f562ada..4fdf8c9 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -73,8 +73,9 @@ api_dir = Path(__file__).parent / "api" for dir_name in ["acquire/nop", "dissect/nop", "flow/nop"]: - api_dir.joinpath(dir_name).mkdir(parents=True, exist_ok=True) - api_dir.joinpath(dir_name, "index.rst").write_text(":orphan:\n\nTITLE\n#####\n") + if not (nop_dir := api_dir.joinpath(dir_name)).exists(): + nop_dir.mkdir(parents=True, exist_ok=True) + nop_dir.joinpath("index.rst").write_text(":orphan:\n\nTITLE\n#####\n") else: extensions.append("autoapi.extension") diff --git a/docs/source/index.rst b/docs/source/index.rst index 17dbb64..eb09fe3 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -18,17 +18,17 @@ Usage Example ------------- One of the most prominent tools that Dissect offers is called *target-query*. -With this simple command you can, for example, extract all user accounts from a disk image: +With this simple command you can, for example, extract all user accounts from a disk image: .. code-block:: console $ target-query pc.img -f users - + - + To see what other useful artefacts you can query use ``-l``: .. code-block:: console @@ -92,9 +92,9 @@ Get in touch, join us on `GitHub `_! :caption: Basics :hidden: - Install - Supported Targets - Tutorial + /install + /supported-targets + /tutorial Querying Shell Mount diff --git a/docs/source/supported-targets.rst b/docs/source/supported-targets.rst index c635fc3..0c28bc5 100644 --- a/docs/source/supported-targets.rst +++ b/docs/source/supported-targets.rst @@ -1,4 +1,4 @@ -Supported targets +Supported Targets ----------------- Dissect supports a large range of formats. @@ -13,160 +13,147 @@ This creates a virtual representation of the original system. .. seealso:: - For a deeper dive into how loaders work, see :doc:`loaders `. + For a deeper dive into how loaders work, see :doc:`loaders `. In most cases, Dissect selects the appropriate loader automatically based on the file you target. It does this by looking at things like the file type, folder structure or special configurations files. If needed, you can choose the loader yourself by using ``-L `` option or by using the URI-style notation ``://``. -.. code-block:: bash - - target-query -f func /path/to/target.ab - target-query -f func -L ab /path/to/target - target-query -f func ab:///path/to/target - -.. list-table:: Supported Loaders - :header-rows: 1 - :widths: 15 20 10 5 - - * - Name - - Description - - Extension - - Type - * - Android Backup - - Android backup files. - - ``.ab`` - - :class:`ab ` - * - Carbon Black - - Carbon Black Live Response endpoints. Can only be used directly with ``cb://`` or ``-L cb``. - - - - :class:`cb ` - * - Cellebrite - - Cellebrite UFED exports files. - - ``.ufdx``, ``.ufd`` - - :class:`cellebrite ` - * - Directory - - Use a local directory as the root of a virtual filesystem. - - - - :class:`dir ` - * - Hyper-V - - Microsoft Hyper-V configuration files. - - ``.vmcx``, ``.xml`` - - :class:`hyperv ` - * - iTunes Backup - - iTunes backup files. Only from a directory that contains a ``Manifest.plist`` file. - - - - :class:`itunes ` - * - KAPE - - KAPE forensic image format files. Only if the file or directory contains KAPE specific directories. - - ``.vhdx`` or ``directory/`` - - :class:`kape ` - * - Libvirt - - Libvirt xml configuration files. - - ``.xml`` - - :class:`libvirt ` - * - Local - - Interpret the local system inside Dissect. - - - - :class:`local ` - * - MQTT - - MQTT broker. Can only be used directly with ``mqtt://`` or ``-L mqtt``. - - - - :class:`mqtt ` - * - OVA - - Virtual Appliance files. - - ``.ova`` - - :class:`ova ` - * - Overlay - - Construct a filesystem of the different layers of a ``podman`` container directory. - - - - :class:`overlay `, - * - Overlay2 - - Construct a filesystem of the different layers of a ``docker`` container directory. - - - - :class:`overlay2 ` - * - Open Virtualization Format - - Open Virtualization Format (OVF) files. - - ``.ovf`` - - :class:`ovf ` - * - Proxmox - - Proxmox VM configuration files. - - ``.conf`` - - :class:`proxmox ` - * - Parallels VM - - Parallels VM directory (.pvm) and the conviguration file (config.pvs) - - ``.pvm``, ``config.pvs`` - - :class:`pvm `, - :class:`pvs ` - * - Raw - - Raw binary files such as disk images. - To load multiple raw containers in a single target, use ``MultiRaw``. - To use this loader automatically use ``+`` to chain disks. E.g. ``/dev/vda+/dev/vdb`` - - - - :class:`raw `, - :class:`multiraw ` - * - Remote - - Connect to a remote target that runs a compatible Dissect agent. Can only be used directly with ``remote://`` or ``-L remote``. - - - - :class:`remote ` - * - SMB - - Use an SMB connection to user remote SMB servers as a target. - This loader requires ``impacket`` to be installed, which can be done by installing `dissect.target[smb]`. - Can only be used directly with ``smb://`` or ``-L smb``. - - - - :class:`smb ` - * - Tanium - - Tanium forensic image format files. - - - - :class:`tanium ` - * - Tar - - (Compressed) Tar files, docker container images and output files from Acquire or UAC. - - ``.tar``, ``.tar.``, ``.t`` - - :class:`tar ` - * - Target - - Load target system using a target file. - - ``.target`` - - :class:`target ` - * - Unix-like Artifacts Collector - - UAC tool output. Detects whether the directory contains ``uac.log`` and a ``[root]`` directory. - - - - :class:`uac ` - * - UTM - - UTM virtual machine files. - - ``*.utm/`` directory. - - :class:`utm ` - * - Virtual Box - - Oracle VirtualBox files. - - ``.vbox`` - - :class:`vbox ` - * - Veaam Backup - - Load Veaam Backup (VBK) files. - - ``.vbk`` - - :class:`vbk ` - * - Velociraptor - - Rapid7 Velociraptor forensic image files. Either loads in the zip file or a directory containing the contents. - - - - :class:`velociraptor ` - * - Virtual Machine Archive - - Proxmox Virtual Machine Archive files. - - ``.vma`` - - :class:`vma ` - * - VMware Fusion - - VMware Fusion virtual machines. - - ``.vmwarevm`` - - :class:`vmwarevm ` - * - VMware VM configuration - - VMware virtual machine configuration files. - - ``.vmx`` - - :class:`vmx ` - * - XVA - - Citrix Hypervisor format files. - - ``.xva`` - - :class:`xva ` - * - Zip - - Zip files themselves or load the output of tools like Acquire or UAC. - - ``.zip`` - - :class:`zip ` +.. code-block:: console + + target-query -f func /path/to/target.ab + target-query -f func -L ab /path/to/target + target-query -f func ab:///path/to/target + +.. important:: + + Just because it does not have a loader, does not mean Dissect cannot open it! In those cases, Dissect falls back to a "raw loader", + which allows it to be opened as any of the :ref:`supported containers ` or even + :ref:`supported filesystems `. Whether a target is supported + as a loader, a container or a filesystem depends on implementation details for that specific format. + +.. list-table:: Supported loaders + :header-rows: 1 + :widths: 20 15 5 + + * - Description + - Format + - API + * - Android backup + - ``.ab`` + - :mod:`ab ` + * - Acquire + - ZIP or tar with Acquire structure + - :mod:`acquire ` + * - AccessData AD1 + - ``.ad1`` + - :mod:`ad1 ` + * - Carbon Black Live Response endpoint + - ``cb://`` or ``-L cb`` [#f1]_ + - :mod:`cb ` + * - Cellebrite UFED export + - ``.ufdx``, ``.ufd`` + - :mod:`cellebrite ` + * - Docker and OCI container images + - tar file with Docker or OCI image structure + - :mod:`containerimage ` + * - Local directory + - Common OS structure (``path/Windows/System32`` or ``path/etc``) + - :mod:`dir ` + * - Microsoft Hyper-V virtual machine configuration + - ``.vmcx``, ``.xml`` + - :mod:`hyperv ` + * - iTunes backup + - Directory with iTunes backup structure + - :mod:`itunes ` + * - KAPE + - Directory or ``.vhdx`` with KAPE structure + - :mod:`kape ` + * - Libvirt XML configuration + - ``.xml`` + - :mod:`libvirt ` + * - Local system (automatically load all drives such as ``/dev/sda`` or ``\\.\PhysicalDrive0``) + - ``local`` + - :mod:`local ` + * - MQTT broker + - ``mqtt://`` or ``-L mqtt`` [#f2]_ + - :mod:`mqtt ` + * - Netscaler Techsupport Collector + - tar with Netscaler Techsupport structure + - :mod:`nscollector ` + * - Open Virtual Appliance (OVA) + - ``.ova`` + - :mod:`ova ` + * - Podman OCI overlay + - Directory with Podman overlay structure + - :mod:`overlay ` + * - Docker overlay2 + - Directory with Docker overlay2 structure + - :mod:`overlay2 ` + * - Open Virtualization Format (OVF) + - ``.ovf`` + - :mod:`ovf ` + * - Proxmox virtual machine configuration + - ``.conf`` + - :mod:`proxmox ` + * - Parallels virtual machine directory + - ``.pvm``, + - :mod:`pvm ` + * - Parallels virtual machine configuration + - ``config.pvs`` + - :mod:`pvs ` + * - Single raw binary file + - Default fallback for unknown files + - :mod:`raw ` + * - Multiple raw binary files + - Paths with ``+`` (``/dev/vda+/dev/vdb``) + - :mod:`multiraw ` + * - Remote Dissect agent + - ``remote://`` or ``-L remote`` + - :mod:`remote ` + * - Remote SMB server + - ``smb://`` or ``-L smb`` [#f3]_ + - :mod:`smb ` + * - Tanium + - Directory with Tanium structure + - :mod:`tanium ` + * - (Compressed) tar + - ``.tar``, ``.tar.``, ``.t`` + - :mod:`tar ` + * - Unix-like Artifacts Collector (UAC) + - Directory, ZIP or tar with UAC structure + - :mod:`uac ` + * - UTM virtual machine + - ``.utm`` + - :mod:`utm ` + * - Oracle VirtualBox virtual machine + - ``.vbox`` + - :mod:`vbox ` + * - Veeam Backup (VBK) + - ``.vbk`` + - :mod:`vbk ` + * - Rapid7 Velociraptor + - Directory or ZIP with Velociraptor structure + - :mod:`velociraptor ` + * - Proxmox Virtual Machine Archive (VMA) + - ``.vma`` + - :mod:`vma ` + * - VMware Fusion virtual machine + - ``.vmwarevm`` + - :mod:`vmwarevm ` + * - VMware virtual machine configuration + - ``.vmx`` + - :mod:`vmx ` + * - Citrix Hypervisor backup (XVA) + - ``.xva`` + - :mod:`xva ` + * - ZIP + - ``.zip`` + - :mod:`zip ` + +.. [#f1] Requires ``dissect.target[cb]`` +.. [#f2] Requires ``dissect.target[mqtt]`` +.. [#f3] Requires ``dissect.target[smb]`` Containers ~~~~~~~~~~ @@ -176,128 +163,103 @@ These can be virtual machine files, forensic containers or a hard disk itself. .. seealso:: - For a deeper understanding on how containers work, see :doc:`containers `. + For a deeper understanding on how containers work, see :doc:`containers `. Dissect can select the appropriate container automatically based on either the file extension or file magic. For example, the QCOW2 container gets selected if the file extension is ``.qcow2`` or if the first bytes of the file are ``b"QFI\xfb"``. -The table below lists the supported container formats. - -.. list-table:: Supported Containers - :header-rows: 1 - :widths: 20 20 5 5 - - * - Container - - Description - - Extension - - API - * - Apple Sparse Image Format - - A sparse disk format introduced by Apple with near native SSD speeds. - - ``.asif`` - - :class:`asif ` - * - Expert Witness Disk Image Format - - FTK Expert witness data format. - - ``.E01``, ``.L01``, ``.Ex01``, ``.Lx01`` - - :class:`ewf ` - * - Fortinet Firmware - - Interprets and decompresses a Fortinet firmware file. - - ``*-fortinet.out`` - - :class:`fortifw ` - * - HDD - - Parallels HDD virtual disk implementation. - - ``.hdd`` - - :class:`hdd ` - * - HDS - - Parallels sparse hard disk format - - ``.hds`` - - :class:`hds ` - * - Qcow2 - - QEMU Copy On Write virtual disk format. - - ``.qcow2`` - - :class:`qcow2 ` - * - VDI - - The virtualbox harddisk format. - - ``.vdi`` - - :class:`vdi ` - * - Virtual Hard Disk - - The original virtual hard disk format developed by Microsoft. Mainly used by the Hyper-V hypervisor. - - ``.vhd`` - - :class:`vhd ` - * - Virtual Hard Disk X - - Virtual Hard Disk v2, the successor of VHD, and the new default on Hyper-V. - - ``.vhdx`` - - :class:`vhdx ` - * - VMware disk format - - VMware virtual hard disks. - - ``.vmdk`` - - :class:`vmdk ` +.. list-table:: Supported containers + :header-rows: 1 + :widths: 15 5 5 + + * - Description + - Format + - API + * - Apple Sparse Image Format + - ``.asif`` + - :mod:`asif ` + * - FTK Expert Witness Disk Image Format (EWF) + - ``.E01``, ``.L01`` + - :mod:`ewf ` + * - Fortinet firmware + - ``*-fortinet.out`` + - :mod:`fortifw ` + * - Parallels HDD virtual disk + - ``.hdd`` + - :mod:`hdd ` + * - Parallels HDS sparse virtual disk + - ``.hds`` + - :mod:`hds ` + * - QEMU QCOW2 + - ``.qcow2`` + - :mod:`qcow2 ` + * - VirtualBox VDI virtual disk + - ``.vdi`` + - :mod:`vdi ` + * - Hyper-V VHD virtual disk + - ``.vhd`` + - :mod:`vhd ` + * - Hyper-V VHDX virtual disk + - ``.vhdx`` + - :mod:`vhdx ` + * - VMware virtual disk + - ``.vmdk`` + - :mod:`vmdk ` Partition Schemes and Volume Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Dissect supports the following partition schemes to divide a disk into multiple logical volumes. +Dissect supports most common partition schemes. Nested partitions are supported as well. .. list-table:: Supported Partition Schemes - :header-rows: 1 - :widths: 45 5 - - * - Partition Scheme - - API - * - Apple Partition Map - - :class:`apm ` - * - BSD Disklabel - - :class:`bsd ` - * - GUID Partition Table - - :class:`gpt ` - * - Master Boot Record - - :class:`mbr ` - -Besides these standard partition tables used in most computer systems, Dissect supports disks in RAID configurations or disks with logical volumes that span multiple disks. + :header-rows: 1 + :widths: 20 5 + + * - Description + - API + * - Apple Partition Map (APM) + - :mod:`apm ` + * - BSD Disklabel + - :mod:`bsd ` + * - GUID Partition Table (GPT) + - :mod:`gpt ` + * - Master Boot Record (MBR) + - :mod:`mbr ` + +Besides these standard partition schemes, Dissect supports disks in RAID configurations or disks with logical volumes that span multiple disks. .. seealso:: - For more details, see :doc:`volumes `. - -The table below lists the different supported volume systems. - -.. list-table:: Supported Volume Systems - :header-rows: 1 - :widths: 20 30 5 - - * - Volume System - - Description - - API - * - Disk Data Format - - DDF is a RAID data format that describes how data is formatted across raid groups. - Commonly used by Dell RAID controllers. - - :class:`ddf ` - * - Logical Volume Manager 2 - - LVM2 is a device mapper framework that can make multiple volumes on a single disk. - - :class:`lvm2 ` - * - Multiple Device driver - - Linux MD RAID volume system. A software based RAID system. - - :class:`md ` - * - Virtual Machine Filesystem - - VMFS is a clustered filesystem developed by VMWare on an ESXi type hosts. - - :class:`vmfs ` + For more details, see :doc:`volumes `. + +.. list-table:: Supported volume systems + :header-rows: 1 + :widths: 20 5 + + * - Description + - API + * - DDF (Disk Data Format) RAID, common in Dell RAID controllers + - :mod:`ddf ` + * - LVM2 + - :mod:`lvm2 ` + * - Linux MD RAID + - :mod:`md ` + * - VMFS LVM + - :mod:`vmfs ` Dissect also has decryption capability for some well known systems. This functionality can be accessed with a keychain file (specified with ``-K``) with multiple passphrases or a keychain value (``-Kv``) in most Dissect tools. -Dissect supports the following encryption formats. - -.. list-table:: Supported Encrypted Volume Systems - :header-rows: 1 - :widths: 20 30 5 - - * - Encrypted volume system - - Description - - API - * - Linux Unified Key Setup - - LUKS encrypted volume system. These are the standard specification for disk encryption on linux systems. - - :class:`luks ` - * - BitLocker - - BitLocker encrypted volume system. Used by Windows systems - - :class:`bde ` + +.. list-table:: Supported encrypted volume systems + :header-rows: 1 + :widths: 20 5 + + * - Description + - API + * - LUKS (version 1 and 2) + - :mod:`luks ` + * - BitLocker (all configurations and versions, including EOW) + - :mod:`bde ` Filesystems ~~~~~~~~~~~ @@ -306,179 +268,146 @@ In Dissect, filesystems go beyond traditional disk-based structures. If it behaves like a filesystem, Dissect can likely treat it as one. This includes both standard filesystems and formats that resemble filesystem behavior. +There might be some overlap with loaders and containers, as some formats can function in multiple roles, +or need implementation in different areas to work correctly. + .. seealso:: - For more details, see :doc:`Filesystems `. - -.. list-table:: Supported Filesystems - :header-rows: 1 - :widths: 20 30 5 - - * - Filesystem - - Description - - API - * - AD1 - - Forensic container format (AccessData AD1). - - :class:`ad1 ` - * - APFS - - Apple Filesystem. - - :class:`apfs-container ` - * - BTRFS - - Binary-tree file system with support for subvolumes. - - :class:`btrfs ` - * - CPIO - - CPIO archive format. - - :class:`cpio ` - * - exFAT - - Microsoft Extensible File Allocation Table filesystem. - - :class:`exfat ` - * - Ext2, Ext3, Ext4 - - Linux EXT family filesystems. - - :class:`ext ` - * - FAT - - File Allocation Table 12/16/32-bit filesystem. - - :class:`fat ` - * - FFS - - Fast Filesystem (BSD). - - :class:`ffs ` - * - JFFS - - Journaling Flash Filesystem. - - :class:`jffs ` - * - NFS - - Network File Share filesystem. Gives the ability to connect to an NFS share - - :class:`nfs ` - * - NTFS - - Microsoft NT Filesystem. - - :class:`ntfs ` - * - Overlay - - Overlay filesystem combines multiple layers into one singular filesystem. This filesystem is used for container formats for Docker or Podman. - - :class:`overlay ` - * - Overlay2 - - Overlay2 Filesystem is a more efficient version of the Overlay filesystem. - - :class:`overlay2 ` - * - QNX4, QNX6 - - QNX filesystem, commonly used in the QNX RTOS. - - :class:`qnxfs ` - * - SquashFS - - Compressed read-only filesystem used by linux systems. - - :class:`squashfs ` - * - Virtual Backup Files - - Filesystem representation of VBK backup files. - - :class:`vbk ` - * - VMFS - - VMware VMFS filesystem. - - :class:`vmfs ` - * - XFS - - High-performance journaling filesystem - - :class:`xfs ` + For more details, see :doc:`Filesystems `. + +.. list-table:: Supported filesystems + :header-rows: 1 + :widths: 20 5 + + * - Description + - API + * - AccessData AD1 + - :mod:`ad1 ` + * - Apple File System (APFS) + - :mod:`apfs ` + * - Linux Btrfs + - :mod:`btrfs ` + * - CPIO archive + - :mod:`cpio ` + * - Linux cramfs + - :mod:`cramfs ` + * - exFAT + - :mod:`exfat ` + * - Linux EXT2, EXT3, EXT4 + - :mod:`extfs ` + * - FAT12, FAT16, FAT32 + - :mod:`fat ` + * - BSD Fast Filesystem (FFS) + - :mod:`ffs ` + * - Linux Journaling Flash Filesystem (JFFS) + - :mod:`jffs ` + * - Network File Share (NFS) + - :mod:`nfs ` + * - Microsoft NTFS + - :mod:`ntfs ` + * - QNX4 and QNX6 + - :mod:`qnxfs ` + * - Linux SquashFS + - :mod:`squashfs ` + * - Veeam Backup (VBK) + - :mod:`vbk ` + * - VMware (VMFS) + - :mod:`vmfs ` + * - VMware vmtar + - :mod:`vmtar ` + * - Linux XFS + - :mod:`xfs ` Operating Systems ~~~~~~~~~~~~~~~~~ -Dissect supports various operating systems, where Dissect tries to automatically figure out what operating system is available on the disk. -Once the operating system is known, it enables the user to get more accurate information from the system, for example, the user or network configuration. - -Below is a list of supported operating systems that Dissect can detect. - -.. list-table:: Supported Operating Systems - :header-rows: 1 - :widths: 45 5 - - * - Operating System - - API - * - Windows - - :class:`windows ` - * - Unix - - :class:`unix ` - * - ESXi - - :class:`esxi ` - * - BSD - - :class:`bsd ` - * - Citrix - - :class:`citrix ` - * - FreeBSD - - :class:`freebsd ` - * - OpenBSD - - :class:`openbsd ` - * - Darwin - - :class:`darwin ` - * - iOS - - :class:`ios ` - * - macOS - - :class:`macos ` - * - Generic Linux - - :class:`linux ` - * - Android - - :class:`android ` - * - FortiOS - - :class:`fortios ` - * - OpenSUSE - - :class:`opensuse ` - * - RedHat - - :class:`redhat ` - * - Debian - - :class:`debian ` - * - Proxmox - - :class:`proxmox ` - * - VyOS - - :class:`vyos ` +Dissect tries to automatically figure out what operating system is available on the target, based on known file locations and structures. +Once the operating system is known, it enables you to get more accurate information from the system, for example, the user or network configuration. + +.. list-table:: Supported operating systems + :header-rows: 1 + :widths: 20 5 + + * - Description + - API + * - Windows + - :mod:`windows ` + * - Generic Unix + - :mod:`unix ` + * - BSD + - :mod:`unix.bsd ` + * - Citrix + - :mod:`unix.bsd.citrix ` + * - FreeBSD + - :mod:`unix.bsd.freebsd ` + * - OpenBSD + - :mod:`unix.bsd.openbsd ` + * - Generic Darwin + - :mod:`unix.bsd.darwin ` + * - iOS + - :mod:`unix.bsd.darwin.ios ` + * - macOS + - :mod:`unix.bsd.darwin.macos ` + * - ESXi + - :mod:`unix.esxi ` + * - Generic Linux + - :mod:`unix.linux ` + * - Android + - :mod:`unix.linux.android ` + * - FortiOS + - :mod:`unix.linux.fortios ` + * - OpenSUSE + - :mod:`unix.linux.suse ` + * - RedHat + - :mod:`unix.linux.redhat ` + * - Debian + - :mod:`unix.linux.debian ` + * - Proxmox + - :mod:`unix.linux.debian.proxmox ` + * - VyOS + - :mod:`unix.linux.debian.vyos ` Child Targets ~~~~~~~~~~~~~ Dissect supports identifying, listing and querying *child targets*. -These are systems within other systems and can include virtual machines, containers or any other environment inside a "target". -Dissect finds these systems by looking inside configuration files on the systems. -It can even look deeper, and look inside those systems within systems for even more *child targets*. +These are targets within other targets, such as virtual machines or containers. +Dissect finds these by looking inside configuration files on a target. +It can do this recursively, and look for *child targets* inside the *child targets* for even more *child targets*. .. seealso:: - For more details, see :ref:`Child targets `. - -.. list-table:: Supported Child Targets - :header-rows: 1 - :widths: 15 35 5 - - * - Child Target - - Description - - API - * - Colima - - Colima container format, which is a runtime for both Linux and macOS. - - :class:`colima ` - * - Docker - - The Docker overlay2fs containers that are available on the system. - - :class:`docker ` - * - ESXi - - The VM inventory on ESXi machines. - - :class:`esxi ` - * - Hyper-V - - The VM inventory on Hyper-V Windows hosts. - - :class:`hyper-v ` - * - Lima - - Lima, Linux Machines, is a container / VM runtime that supports different container engines such as Docker, Podman, and Kubernetes. - - :class:`lima ` - * - Parallels - - The Parallels Desktop inventory, Parallels is a hypervisor for Mac computers. - - :class:`parallels ` - * - Podman - - Podman, a container runtime engine such as Docker. - - :class:`podman ` - * - Proxmox - - Proxmox is a debian based virtualization platform. - - :class:`proxmox ` - * - QEMU - - All QEMU virtual machines created by the KVM libvirt deamon. - - :class:`qemu ` - * - VirtualBox - - Oracle VirtualBox VMs. - - :class:`virtualbox ` - * - Virtuozzo - - All the Virtuozzo containers. - - :class:`virtuozzo ` - * - VMware Workstation - - All the VMs registerd within the VMware Workstation VM inventory. - - :class:`vmware ` - * - WSL2 - - All the Windows Subsystem for Linux 2 instances. - - :class:`wsl ` - + For more details, see :ref:`Child targets `. + +.. list-table:: Supported child targets + :header-rows: 1 + :widths: 20 5 + + * - Description + - API + * - Colima containers + - :mod:`colima ` + * - Docker containers + - :mod:`docker ` + * - ESXi virtual machines + - :mod:`esxi ` + * - Hyper-V virtual machines + - :mod:`hyperv ` + * - Lima containers and virtual machines + - :mod:`lima ` + * - Parallels virtual machines + - :mod:`parallels ` + * - Podman containers + - :mod:`podman ` + * - Proxmox virtual machines + - :mod:`proxmox ` + * - QEMU virtual machines + - :mod:`qemu ` + * - Oracle VirtualBox virtual machines + - :mod:`virtualbox ` + * - Virtuozzo containers + - :mod:`virtuozzo ` + * - VMware Workstation virtual machines + - :mod:`vmware_workstation ` + * - Windows Subsystem for Linux 2 (WSL2) instances + - :mod:`wsl ` From 48eed93ceaab19ddce07f012ffc6d62b90aeda6e Mon Sep 17 00:00:00 2001 From: Miauwkeru Date: Fri, 16 Jan 2026 13:45:55 +0100 Subject: [PATCH 25/25] Update dissect.target project to main --- submodules/dissect.target | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/submodules/dissect.target b/submodules/dissect.target index 73dd16d..0041dd4 160000 --- a/submodules/dissect.target +++ b/submodules/dissect.target @@ -1 +1 @@ -Subproject commit 73dd16d197442368ad42e6e2117c047e6a946b4f +Subproject commit 0041dd4f5d2e9bcaa483f3540890eecf596d1f51