fslib

README

fslib

A collection of tools and libraries to parse filesystems, archives and other data types.

Installation

go get dfir.software/fslib

Libraries

Package	Description	GoDoc
aferotools/copy	Copy functions for afero
aferotools/zip	Write only zip file systems for afero
cmd/fs	High level functions and commandline tools
content	Extract plain text from different file formats
filesystem	Tests for filesystems
filetype	Detect filetype of files
forensicfs	Interface for forensic filesystems
forensicfs/copy	Copy files from forensic filesystems

Forensic Filesystems

Package	Description	GoDoc
fat16	FAT16 filesystem
gpt	GPT filesystem
mbr	MBR filesystem
ntfs	NTFS filesystem
osfs	Live OS filesystem
registryfs	Registry filesystem
zip	ZIP filesystem
fallbackfs	Meta filesystem to use another filesystem in case of errors
recursivefs	Meta filesystem to recursively parse filesystems
testfs	Test filesystem

Path

• all paths are sparated by forward slashes '/' (yes, even the windows registry)
• forward slashes are escaped as '//' TODO
• all paths need to start with forward slashes '/' (exception: the OSFS accepts relative paths)

Future Work

• Create more commands
  • carve for files
• Support more formats
  • EXT2, EXT3, EXT4: https://github.com/sleuthkit/sleuthkit/wiki/ExtX, https://digital-forensics.sans.org/blog/2017/06/07/understanding-ext4-part-6-directories
  • FAT, exFAT: https://github.com/sleuthkit/sleuthkit/wiki/FAT, https://commons.erau.edu/adfsl/2018/presentations/4/
  • HFS: https://github.com/sleuthkit/sleuthkit/wiki/HFS
  • ISO 9660: https://github.com/sleuthkit/sleuthkit/wiki/ISO9660
  • UFS 1, UFS 2: https://github.com/sleuthkit/sleuthkit/wiki/UFS
  • YAFFS2: https://github.com/sleuthkit/sleuthkit/wiki/YAFFS2
  • ReFS: (https://github.com/movitto/resilience)
  • AFF: https://github.com/aff4/Standard/blob/master/AFF4StandardSpecification-v1.0.pdf
  • EWF: https://github.com/libyal/libewf/blob/master/documentation/Expert%20Witness%20Compression%20Format%20(EWF).asciidoc
  • Windows Registry: https://github.com/log2timeline/plaso/tree/master/plaso/parsers/winreg_plugins
  • vmdk
  • E01; https://github.com/sydp/goewF
  • aff: https://github.com/Velocidex/c-aff4
  • OCR: https://github.com/otiai10/gosseract
  • zip, tar, rar: https://github.com/mholt/archiver
  • zip, tar, rar, 7z: https://github.com/gen2brain/go-unarr
  • Format Collections
    • https://github.com/sleuthkit/sleuthkit/tree/develop/tsk/fs
      • C -> kaitai: https://gist.github.com/GreyCat/9dba530b0d2cb8ccec4e1d6e90a0b565
      • C -> go: https://github.com/elliotchance/c2go/blob/master/README.md
    • https://github.com/cgsecurity/testdisk/tree/master/src
    • https://github.com/libyal/dtformats

Documentation

Index

• func GetSize(seeker io.Seeker) (int64, error)
• type DecoderAtWrapper
  • func (da *DecoderAtWrapper) ReadAt(p []byte, off int64) (n int, err error)
• type ReadSeekerAt

Functions

func GetSize

func GetSize(seeker io.Seeker) (int64, error)

Types

type DecoderAtWrapper

type DecoderAtWrapper struct {
	io.ReadSeeker
}

func (*DecoderAtWrapper) ReadAt

func (da *DecoderAtWrapper) ReadAt(p []byte, off int64) (n int, err error)

type ReadSeekerAt

type ReadSeekerAt interface {
	io.Reader
	io.Seeker
	io.ReaderAt
}