artifactsrc package

Submodules

artifactsrc.resource_file module

Windows Message Resource file.

class artifactsrc.resource_file.MessageResourceFile(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)

Bases: object

Windows Message Resource file.

windows_path

Windows path of the message resource file.

Type:

str

Close()

Closes the Windows Message Resource file.

Raises:

• IOError – if not open.

• OSError – if not open.

GetMUILanguage()

Retrieves the MUI language.

Returns:

MUI language or None if not available.

Return type:

str

GetMUIResource()

Retrieves the MUI resource.

Returns:

MUI resource or None if not available.

Return type:

pywrc.mui_resource

GetMessageTableResource()

Retrieves the message table resource.

Returns:

resource containing the message table resource or None

if not available.

Return type:

pywrc.resource

HasMessageTableResource()

Determines if the resource file as a message table resource.

Returns:

True if the resource file as a message table resource.

Return type:

bool

OpenFileObject(file_object)

Opens the Windows Message Resource file using a file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

• IOError – if already open.

• OSError – if already open.

__init__(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)

Initializes the Windows Message Resource file.

Parameters:

• windows_path (str) – normalized version of the Windows path.

• ascii_codepage (Optional[str]) – ASCII string codepage.

• preferred_language_identifier (Optional[int]) – preferred language identifier (LCID).

property file_version

the file version.

Type:

str

property product_version

the product version.

Type:

str

artifactsrc.volume_scanner module

Volume scanner for artifact definitions.

class artifactsrc.volume_scanner.ArtifactDefinitionsVolumeScanner(*args: Any, **kwargs: Any)

Bases: VolumeScanner

Artifact definitions volume scanner.

CheckArtifactDefinition(artifact_definition)

Checks if an artifact definition on a storage media image.

Parameters:

artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

Returns:

check results.

Return type:

CheckResults

GetWindowsVersion()

Determines the Windows version from kernel executable file.

Returns:

Windows version or None otherwise.

Return type:

str

ScanForOperatingSystemVolumes(source_path, options=None)

Scans for volumes containing an operating system.

Parameters:

• source_path (str) – source path.

• options (Optional[dfvfs.VolumeScannerOptions]) – volume scanner options. If None the default volume scanner options are used, which are defined in the VolumeScannerOptions class.

Returns:

True if a volume with an operating system was found.

Return type:

bool

Raises:

ScannerError – if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported.

__init__(artifacts_registry, mediator=None)

Initializes an artifact definitions volume scanner.

Parameters:

• artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.

• mediator (Optional[dfvfs.VolumeScannerMediator]) – a volume scanner mediator.

class artifactsrc.volume_scanner.CheckResults

Bases: object

Check results.

data_formats

data formats that were found.

Type:

set[str]

number_of_file_entries

number of file entries that were found.

Type:

int

__init__()

Initializes check results.

Module contents

ForensicArtifacts.com Artifact Repository resources.