fslib

package module
v0.15.1
Warning

This package is not in the latest version of its module.

Published: Aug 2, 2021 License: MIT Imports: 6 Imported by: 5

README

fslib

file system processing for forensics


The fslib project contains a collection of packages to parse file systems, archives and similar data. The included packages can be used to access disk images with different partitioning schemes and file systems. Additionally, file systems for live access to the currently mounted file system and the registry (on Windows) are implemented.

All filesystems implement io/fs.

Included File systems

  • Native OS file system (directory listing for Windows root provides list of drives)
  • Windows Registry (live, not from files)
  • NTFS
  • FAT16
  • MBR
  • GPT

Meta file systems

  • Buffer FS: Buffer accessed files of an underlying file system
  • System FS: Similar to the native OS file system, but falls back to NTFS on failing access on Windows

See also

  • zipfs: A zip file system
  • Recursive FS: Access container files on file systems recursively, e.g. "ntfs.dd/forensic.zip/Computer forensics - Wikipedia.pdf"

Installation

go get -u github.com/forensicanalysis/fslib

Example

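package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"

	"github.com/forensicanalysis/fslib/ntfs"
)

func main() {
	// Read the root directory on an NTFS disk image.
	// open the disk image (os.Open is read-only, so the image is not modified)
	image, err := os.Open("filesystem/ntfs.dd")
	if err != nil {
		log.Fatal(err)
	}
	defer image.Close()

	// parse the file system
	fsys, err := ntfs.New(image)
	if err != nil {
		log.Fatal(err)
	}

	// get filenames
	entries, err := fs.ReadDir(fsys, ".")
	if err != nil {
		log.Fatal(err)
	}

	var filenames []string
	for _, entry := range entries {
		filenames = append(filenames, entry.Name())
	}

	// print filenames
	fmt.Println(filenames)
}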
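
Because every file system in fslib implements io/fs, analysis code can be written once against fs.FS and run unchanged on a parsed image. The following is an added example, not code from the fslib project: HashManifest and sampleFS are hypothetical names, and a constructed in-memory fstest.MapFS stands in for the value returned by ntfs.New so that the block runs without a disk image.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"testing/fstest"
)

// HashManifest (hypothetical helper, not part of fslib) maps every regular file in fsys to its SHA-256.
func HashManifest(fsys fs.FS) (map[string]string, error) {
	manifest := make(map[string]string)
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return fmt.Errorf("walk %s: %w", p, err) // report unreadable entries, do not skip them silently
		}
		if !d.Type().IsRegular() {
			return nil // directories and special entries carry no content to hash
		}
		f, err := fsys.Open(p)
		if err != nil {
			return fmt.Errorf("open %s: %w", p, err)
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return fmt.Errorf("read %s: %w", p, err)
		}
		manifest[p] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return manifest, err
}

// sampleFS returns constructed sample data; with fslib, pass the fs.FS from ntfs.New(image) instead.
func sampleFS() fs.FS {
	return fstest.MapFS{
		"README.md":            {Data: []byte("abc")},
		"folder/evidence.json": {Data: []byte{}},
	}
}

func main() {
	m, err := HashManifest(sampleFS())
	fmt.Println(m, err)
}
```

The walk stops at the first entry that cannot be read and returns the partial manifest together with the error, so an incomplete hash list is never mistaken for a complete one.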

Contact

For feedback, questions and discussions you can use the Open Source DFIR Slack.

Documentation

Overview

Package fslib contains a collection of packages to parse file systems, archives and similar data. The included packages can be used to access disk images with different partitioning schemes and file systems. Additionally, file systems for live access to the currently mounted file system and the registry (on Windows) are implemented.

Example
package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"

	"github.com/forensicanalysis/fslib/ntfs"
)

func main() {
	// Read the root directory on an NTFS disk image.

	// open the disk image (os.Open is read-only, so the image is not modified)
	image, err := os.Open("testdata/filesystem/ntfs.dd")
	if err != nil {
		log.Fatal(err)
	}
	defer image.Close()

	// parse the file system
	fsys, err := ntfs.New(image)
	if err != nil {
		log.Fatal(err)
	}

	// get filenames
	entries, err := fs.ReadDir(fsys, ".")
	if err != nil {
		log.Fatal(err)
	}

	var filenames []string
	for _, entry := range entries {
		filenames = append(filenames, entry.Name())
	}

	// print filenames
	fmt.Println(filenames)
}
Output:

[$AttrDef $BadClus $Bitmap $Boot $Extend $LogFile $MFT $MFTMirr $Secure $UpCase $Volume README.md container document evidence.json folder image]

Functions

func DirEntries added in v0.15.0

func DirEntries(n int, items []fs.DirEntry, dirOffset int) ([]fs.DirEntry, int, error)

func ReadDir added in v0.15.0

func ReadDir(file fs.File, n int) (items []fs.DirEntry, err error)

func ToFSPath added in v0.15.0

func ToFSPath(systemPath string) (name string, err error)

ToFSPath converts a normal path (e.g. 'C:\Windows') to a fs path ('C/Windows').

Types

type ByName added in v0.15.0

type ByName []fs.DirEntry

func (ByName) Len added in v0.15.0

func (a ByName) Len() int

func (ByName) Less added in v0.15.0

func (a ByName) Less(i, j int) bool

func (ByName) Swap added in v0.15.0

func (a ByName) Swap(i, j int)

Directories

  • bufferfs: Package bufferfs provides a fs.FS wrapper for other fs.FS with a fs.File that implements io.Seeker and io.ReaderAt.
  • fallbackfs: Package fallbackfs implements a meta filesystem that wraps a sequence of file systems.
  • fat16: Package fat16 provides an io/fs implementation of the FAT16 file systems.
  • fsio: Package fsio provides IO interfaces and functions similar for file system operations.
  • fstest: Package fstest provides functions for testing implementations of the io/fs.
  • gpt: Package gpt provides an io/fs implementation of the GUID partition table (GPT).
  • mbr: Package mbr provides an io/fs implementation of the Master Boot Record (MBR) partition table.
  • ntfs: Package ntfs provides an io/fs implementation of the New Technology File System (NTFS).
  • osfs: Package osfs provides an io/fs implementation of the native OS file system.
  • registryfs: Package registryfs provides an io/fs implementation to access the Windows Registry.
  • replace/context: Package context provides a simple replacement for the standard library context for older Go versions.
  • systemfs: Package systemfs provides an io/fs implementation that uses osfs by default and, on Windows, falls back to NTFS for every partition; on UNIX the behavior is the same as osfs.
