volatility3.plugins.linux.pagecache module

class Files(context, config_path, progress_callback=None)[source]

Bases: PluginInterface, TimeLinerInterface

Lists files from memory

Parameters:

context (ContextInterface) – The context that the plugin will operate within
config_path (str) – The path to configuration data within the context configuration data
progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:: HierarchicalDict

property config: HierarchicalDict: The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str: The configuration path on which this configurable lives.

property context: ContextInterface: The context object that this configurable belongs to/configuration is stored in.

classmethod format_fields_with_headers(headers, generator)[source]: Uses the headers type to cast the fields obtained from the generator

generate_timeline()[source]

Generates tuples of (description, timestamp_type, timestamp)

These need not be generated in any particular order, sorting will be done later

classmethod get_inodes(context, vmlinux_module_name, follow_symlinks=True)[source]

Retrieves the inodes from the superblocks

Parameters:

context (ContextInterface) – The context that the plugin will operate within
vmlinux_module_name (str) – The name of the kernel module on which to operate
follow_symlinks (bool) – Whether to follow symlinks or not

Yields:

An InodeInternal object

Return type:

Iterable[InodeInternal]

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:: List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open: Returns a context manager and thus can be called like open

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Returns:: A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type:: None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type:: Dict[str, RequirementInterface]

version = (1, 1, 0)

class InodeInternal(superblock, mountpoint, inode, path)[source]

Bases: object

Inode internal representation containing only the core objects

Fields:: superblock: ‘super_block’ struct mountpoint: Superblock mountpoint path inode: ‘inode’ struct path: Dentry full path

inode: ObjectInterface

mountpoint: str

path: str

superblock: ObjectInterface

to_user(kernel_layer)[source]

Augment the inode information to be presented to the user

Parameters:: kernel_layer (TranslationLayerInterface) – The kernel layer to obtain the page size
Return type:: InodeUser
Returns:: An InodeUser dataclass

class InodePages(context, config_path, progress_callback=None)[source]

Bases: PluginInterface

Lists and recovers cached inode pages

Parameters:

context (ContextInterface) – The context that the plugin will operate within
config_path (str) – The path to configuration data within the context configuration data
progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:: HierarchicalDict

property config: HierarchicalDict: The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str: The configuration path on which this configurable lives.

property context: ContextInterface: The context object that this configurable belongs to/configuration is stored in.

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:: List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open: Returns a context manager and thus can be called like open

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Returns:: A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type:: None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type:: Dict[str, RequirementInterface]

version = (3, 0, 0)

classmethod write_inode_content_to_file(context, layer_name, inode, filename, open_method)[source]

Extracts the inode’s contents from the page cache and saves them to a file

Parameters:

context (ContextInterface) – The context on which to operate
layer_name (str) – The name of the layer on which to operate
inode (ObjectInterface) – The inode to dump
filename (str) – Filename for writing the inode content
open_method (Type[FileHandlerInterface]) – class for constructing output files

Return type:

None

classmethod write_inode_content_to_stream(context, layer_name, inode, stream)[source]

Extracts the inode’s contents from the page cache and saves them to a stream

Parameters:

context (ContextInterface) – The context on which to operate
layer_name (str) – The name of the layer on which to operate
inode (ObjectInterface) – The inode to dump
stream (IO) – An IO stream to write to, typically FileHandlerInterface or BytesIO

Return type:

None

class InodeUser(superblock_addr, mountpoint, device, inode_num, inode_addr, type, inode_pages, cached_pages, file_mode, access_time, modification_time, change_time, path, inode_size)[source]

Bases: object

Inode user representation, featuring augmented information and formatted fields. This is the data the plugin will eventually display.

access_time: str

cached_pages: int

change_time: str

device: str

file_mode: str

classmethod format_symlink(symlink_source, symlink_dest)[source]

Return type:: str

inode_addr: int

inode_num: int

inode_pages: int

inode_size: int

modification_time: str

mountpoint: str

path: str

superblock_addr: int

type: str

class RecoverFs(context, config_path, progress_callback=None)[source]

Bases: PluginInterface

Recovers the cached filesystem (directories, files, symlinks) into a compressed tarball.

Details: level 0 directories are named after the UUID of the parent superblock; metadata aren’t replicated to extracted objects; objects modification time is set to the plugin run time; absolute symlinks are converted to relative symlinks to prevent referencing the analyst’s filesystem. Troubleshooting: to fix extraction errors related to long paths, please consider using https://github.com/mxmlnkn/ratarmount.

Parameters:

context (ContextInterface) – The context that the plugin will operate within
config_path (str) – The path to configuration data within the context configuration data
progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:: HierarchicalDict

property config: HierarchicalDict: The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str: The configuration path on which this configurable lives.

property context: ContextInterface: The context object that this configurable belongs to/configuration is stored in.

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:: List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open: Returns a context manager and thus can be called like open

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Returns:: A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type:: None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type:: Dict[str, RequirementInterface]

version = (1, 0, 0)