
The PyFlag Virtual File System

Filesystems are central to digital forensics, and therefore they are central to PyFlag. At the heart of PyFlag we find the Virtual File System (VFS). This section will cover the basic concepts behind the VFS and how they may be used.

Definitions

First we cover some working definitions of some basic concepts within PyFlag:

Data
Data is ultimately a stream of digital numbers. The interpretation of these numbers is what digital forensics is all about.
Files
Files are discrete pieces of data. A file has a finite amount of data within it. The most important operations on files are reading and seeking. We are able to seek to any point within the data contained inside the file, and read as much data as needed or until the end of file.
File Systems
Files are organised into filesystems. A File System is a structure that allows multiple files to be stored and accessed. PyFlag's filesystems allow access to files by name or by Inode.
Inode
An Inode is a unique address within the filesystem that lets us access a specific file (and hence its data). In PyFlag, Inodes are not represented as integers but as strings. Inodes are unique in the sense that the same Inode will always yield the same file (with the same data), but several different Inodes may also yield the very same file (and data). Note that the PyFlag VFS can have an unbounded number of Inodes.
Filename
Filesystems also store filenames for files. Filenames organise files into directories, and files within those directories. Note, however, that not all files within the filesystem need to have a filename: an Inode may be present in the filesystem without any filename (or path) at all.

The PyFlag Virtual File System

The PyFlag Virtual File System is an abstract file system. The File System itself merely stores the relationships between inodes and filenames.

The VFS provides three central facilities:

  1. Open files - returning the file data.
  2. Create new files within the VFS.
  3. Browse the file structure within the VFS. (File names and directories).

Opening VFS Files:

When we require a file to be read, the VFS looks up the inode, and then attempts to open the file associated with that Inode.

There are many types of Inodes stored within the VFS, each with its own driver. The VFS selects the driver for an Inode based on the Inode name, using the following rules:

  1. If an Inode contains pipe characters (|), the VFS uses these to split the Inode name into components.
  2. The VFS then uses the left-most component to open the file denoted by that Inode. To determine which driver is responsible for this component, the VFS consults the first character of the component name.
  3. Using that driver, the VFS opens the component and obtains a file.
  4. The VFS now moves to the next component, determines its driver, and provides it with the file opened in the previous step.
  5. The resulting file is used to open the next component, and so on.
  6. Once all components have been processed, the resulting file is provided to the user of the VFS.

Example

To illustrate this process, consider we asked the VFS to open the following Inode: D1285|P2097412:1|Z0

  1. First we open D1285 using the Sleuthkit driver (registered under 'D').
  2. We then pass this file to the Pst File driver (denoted by 'P'), which uses the string 2097412:1 to reference an internal file within the PST file provided by the previous step.
  3. Now we pass this file through the Zip File driver (denoted by 'Z'), which opens it as a zip archive and retrieves the file at index 0, i.e. the first file stored in the archive.
  4. We now return this file.

Note that the resultant file is actually a file within a zip archive, which was stored in a PST file on a filesystem accessed by the Sleuthkit. This gives the forensic investigator a great deal of reach, since they can now see well beyond the raw data written on the disk.

The full list of registered VFS_File drivers and their associated designators can be obtained from the variable Registry.VFS_FILES.vfslist. Here is a concise list:

Designator  Name
'C'         MSN.MSNFile
'D'         DiskForensics.DBFS_file
'G'         ZipFile.GZ_file
'M'         DiskForensics.MountedFS_file
'P'         PstFile.Pst_file
'S'         StreamReassembler.CachedStreamFile
'T'         ZipFile.Tar_file
'U'         Unallocated.Unallocated_File
'Z'         ZipFile.Zip_file
'c'         HTTP.Chunked
'm'         RFC2822.RFC2822CachedFile
'o'         StreamReassembler.OffsetFile
'p'         PCAPFS.PCAPFile
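The following is an added example that models the Inode resolution rules above (split on '|', dispatch on the first character of each component, chain the resulting files). It is not PyFlag's own code: the driver classes, the DISK_IMAGES table standing in for the Sleuthkit-backed 'D' driver, and the sample Inode values are all constructed here, and only the 'D', 'Z' and 'G' designators are modelled (the 'P' driver from the PST example is not). The sample "disk image" is a zip archive whose first member is a gzip-compressed text file, so the Inode D1285|Z0|G yields the decompressed text. An unregistered designator is rejected with an error rather than silently skipped, which is the check a practitioner would want in a dispatcher keyed on a single character.

```python
import gzip
import io
import zipfile

# Constructed sample data (not from a real image): a zip archive whose only
# member is a gzip-compressed text file.
_INNER_TEXT = b"hello from inside the archive\n"
_zip_buf = io.BytesIO()
with zipfile.ZipFile(_zip_buf, "w") as _zf:
    _zf.writestr("file.txt.gz", gzip.compress(_INNER_TEXT))

# Hypothetical stand-in for the Sleuthkit-backed 'D' driver: maps a disk
# inode string to the raw bytes of that file.
DISK_IMAGES = {"1285": _zip_buf.getvalue()}


class DiskFile:
    """Driver for designator 'D'. Must be the left-most component, so it
    refuses a parent file."""

    def __init__(self, parent, arg):
        if parent is not None:
            raise ValueError("'D' must be the left-most Inode component")
        self.data = DISK_IMAGES[arg]  # KeyError for an unknown disk inode

    def read(self):
        return self.data


class ZipMember:
    """Driver for designator 'Z': opens the parent file as a zip archive and
    returns the member at the given index (Z0 is the first member)."""

    def __init__(self, parent, arg):
        if parent is None:
            raise ValueError("'Z' needs a parent file to open as a zip")
        zf = zipfile.ZipFile(io.BytesIO(parent.read()))
        self.data = zf.read(zf.namelist()[int(arg)])

    def read(self):
        return self.data


class GzipStream:
    """Driver for designator 'G': decompresses the parent file as gzip."""

    def __init__(self, parent, arg):
        if parent is None:
            raise ValueError("'G' needs a parent file to decompress")
        self.data = gzip.decompress(parent.read())

    def read(self):
        return self.data


# Assumed registry: in PyFlag this role is played by Registry.VFS_FILES.vfslist.
VFSLIST = {"D": DiskFile, "Z": ZipMember, "G": GzipStream}


def open_inode(inode):
    """Resolve an Inode string by chaining one driver per '|'-separated
    component; each driver receives the file produced by the previous one."""
    fd = None
    for component in inode.split("|"):
        if not component:
            raise ValueError("empty Inode component in %r" % inode)
        designator, arg = component[0], component[1:]
        driver = VFSLIST.get(designator)
        if driver is None:
            raise ValueError("no VFS driver registered for %r" % designator)
        fd = driver(fd, arg)
    return fd


def read_inode(inode):
    """Convenience wrapper: resolve the Inode and return its bytes."""
    return open_inode(inode).read()


def inode_is_openable(inode):
    """True if every component resolves; False on an unknown designator,
    unknown disk inode, or a driver used in the wrong position."""
    try:
        open_inode(inode)
        return True
    except (ValueError, KeyError, IndexError):
        return False


if __name__ == "__main__":
    print(read_inode("D1285|Z0|G"))
```

Reading D1285|Z0 alone returns the still-compressed gzip member (it starts with the gzip magic bytes 1f 8b), while appending |G hands that member to the gzip driver and returns the plain text, exactly the left-to-right chaining the rules describe.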

Creating New Files within the VFS

There are two ways for files to be added to the VFS. The first way is to load a File System; the second is to run a Scanner on the VFS.

Both these methods are covered elsewhere.

Browsing the VFS

Browsing the VFS is a powerful analysis technique. The figure below shows an example of a filesystem being browsed:

[Figure: browse_fs.png, the VFS browser showing a PST file containing a zip attachment]

This figure examines a PST file which contains an email attachment that is a zip file. The zip file contains a single file called file.txt.

Clicking on this file, we can view its contents. Clicking on the different tabs gives different views, such as statistics, a hexdump, a text view, and the ability to save the file off.

[Figure: view_file.png, the file view with its statistics, hexdump and text tabs]

Each page has a toolbar at the top that is specific to that page. In the figure above, the toolbar allows the user to get help, page through the hexdump, skip to a given offset, and scan this single file.