Difference between pages "Raw Image Format" and "Dfvfs"

From ForensicsWiki
(Difference between pages)
 
 
Line 1: Line 1:
The RAW Image Format is used to store a disk or volume image.
+
{{Infobox_Software |
 +
  name = dfvfs |
 +
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
 +
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
 +
  genre = {{Analysis}} |
 +
  license = {{APL}} |
 +
  website = [https://code.google.com/p/dfvfs/ code.google.com/p/dfvfs/] |
 +
}}
  
== File types ==
+
dfVFS, or Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
Some variants of the RAW Image Format split the data among multiple segment files, which is also known as split RAW.
+
  
There are various naming schemes for RAW Image Format files, some of the more common used for disk or volume images are:
+
dfVFS is currently implemented as a Python module.
* PREFIX.dd
+
* PREFIX.dmg
+
* PREFIX.img
+
* PREFIX.raw
+
* PREFIX.0 - PREFIX.#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX.000
+
* PREFIX0 - PREFIX#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX000
+
* PREFIXaa - PREFIXzz; variations: consisting of more letters e.g. PREFIX.aaa
+
* PREFIX.1of5 - PREFIX.5of5; variations: consisting of multiple segment files
+
* PREFIX001.asb - PREFIX###.asb
+
* PREFIX-f001.vmdk - PREFIX-f###.vmdk; variations: starting with 001
+
  
 +
== Supported Formats ==
 +
The information below is based of version 20140621.
  
Note that there are also RAW Image Formats specific to the storage media, e.g. RAW optical disc image.
+
=== Storage media types ===
 +
* [[Encase image file format]] or EWF (EWF-E01, EWF-Ex01, EWF-S01) using [[libewf]]
 +
* [[QCOW Image Format]] or QCOW using [[libqcow]]
 +
* [[Raw Image Format]] or (split) RAW using [[libsmraw]]
 +
* Storage media devices using [[libsmdev]]
 +
* [[Virtual Disk Image (VDI)]] or VHD using [[libvhdi]]
 +
* [[VMWare Virtual Disk Format (VMDK)]] using [[libvmdk]]
  
These often are accompanied by a table of contents file often in the [[CUE Sheet format]], e.g.
+
=== Volume systems ===
* BIN/CUE
+
* using [[sleuthkit]] and [[pytsk]]
* ISO/CUE
+
** [[APM]]
 +
** [[GPT]]
 +
** [[MBR]]
 +
* [[BitLocker Disk Encryption]] or BDE using [[libbde]]
 +
* [[Windows Shadow Volumes]] or VSS using [[libvshadow]]
  
== Contents ==
+
=== File systems ===
The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.
+
* using [[sleuthkit]] and [[pytsk]]
 +
** [[Extended File System (Ext)]] version 2, 3, 4
 +
** [[FAT]]
 +
** [[HFS+|HFS, HFS+, HFSX]]
 +
** [[New Technology File System (NTFS)]] version 3
 +
** [[Unix File System (UFS)]] version 1, 2
  
There is no [[metadata]] stored in RAW Image Format files. However sometimes the metadata is stored in additional files.
+
== History ==
 
+
dfVFS originates from the [[plaso|Plaso project]]. It was largely rewritten and made into a stand-alone project to provide more flexibility and allow other projects to make use of the VFS functionality. dfVFS originally was named PyVFS, but that name conflicted with another project.
The RAW Image Format was original used by [[dd]], but is supported by most of the computer forensics applications.
+
  
 
== See Also ==
 
== See Also ==
* [[Disk Images]]
+
* [[plaso]]
 
+
== Tools ==
+
* [[Dd|dd]]
+
* [[dc3dd]]
+
* [[dcfldd]]
+
* [[dd_rescue]]
+
* [[ddrescue]]
+
  
[[Category:Forensics File Formats]]
+
== External Links ==
 +
* [https://code.google.com/p/dfvfs/ Project site]
 +
* [https://code.google.com/p/dfvfs/wiki/dfvfs Developing Python code using dfvfs]
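
Review bot: In the "Storage media types" list, the entry "[[Virtual Disk Image (VDI)]] or VHD using [[libvhdi]]" links to the VDI page while its label and library both say VHD; point the link at the VHD format page or correct the label so the two agree. Under "Supported Formats", "based of version 20140621" should read "based on version 20140621".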

Latest revision as of 08:41, 21 June 2014

dfvfs
Maintainer: Kristinn Gudjonsson, Joachim Metz
OS: Linux, Mac OS X, Windows
Genre: Analysis
License: APL
Website: code.google.com/p/dfvfs/

dfVFS, or Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.

dfVFS is currently implemented as a Python module.

Supported Formats

The information below is based on version 20140621.

Storage media types

Volume systems

File systems

History

dfVFS originates from the Plaso project. It was largely rewritten and made into a stand-alone project to provide more flexibility and allow other projects to make use of the VFS functionality. dfVFS originally was named PyVFS, but that name conflicted with another project.

See Also

External Links