dfVFS, or Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
dfVFS originates from the Plaso project and is also based on ideas from the GRR project. It was largely rewritten and made into a stand-alone project to provide more flexibility and allow other projects to make use of the VFS functionality. dfVFS originally was named PyVFS, but that name conflicted with another project.
Supported Formats
Storage media types
- EWF (EWF-E01, EWF-Ex01, EWF-S01) (Requires: libewf/pyewf)
- QCOW version 1, 2, 3 (Requires: libqcow/pyqcow)
- currently no differential image support
- Storage Media device (Requires: libsmdev/pysmdev)
- (split) Storage Media RAW (Requires: libsmraw/pysmraw)
- VHD (Requires: libvhdi/pyvhdi)
- differential image support as of version 20160428
- VMDK (Requires: libvmdk/pyvmdk)
- currently no differential image support
Volume systems
- Apple Partition Map (APM) (Requires: libtsk/pytsk)
- BitLocker Disk Encryption (BDE) (Requires: libbde/pybde)
- AES-XTS variant not supported yet
- FileVault Disk Encryption (FVDE) (or FileVault 2) (Requires: libfvde/pyfvde)
- GPT (Requires: libtsk/pytsk)
- LVM (Requires: libvslvm/pyvslvm)
- At the moment only single physical volume LVM support
- MBR (Requires: libtsk/pytsk)
- Volume Shadow Snapshots (VSS) (Requires: libvshadow/pyvshadow)
File systems
- ext version 2, 3, 4 (Requires: libtsk/pytsk)
- FAT (Requires: libtsk/pytsk)
- HFS, HFS+, HFSX (Requires: libtsk/pytsk)
- NTFS version 3 (Requires: libtsk/pytsk or libfsntfs/pyfsntfs)
- UFS version 1, 2 (Requires: libtsk/pytsk)
Compressed stream file types
- bzip2
- gzip
- lzma
- xz
- zlib (both zlib-DEFLATE and raw-DEFLATE)
Encoded stream file types
- base16
- base32
- base64
Encrypted stream file types
- AES-CBC, AES-CFB, AES-ECB, AES-OFB (Requires: pycrypto)
- Blowfish (Requires: pycrypto)
- DES3 (Requires: pycrypto)
- RC4 (Requires: pycrypto)
Archive file types
- cpio
- tar
- zip
Other file types
- blob stored in SQlite
Download & Tutorial
Copyright (C) 2016 log2timeline