Dfvfs

dfVFS, or Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.

dfVFS is currently implemented as a Python module.

Supported Formats

The information below is based of version 20230503.

Storage media types

• Encase image file format or EWF (EWF-E01, EWF-Ex01, EWF-S01) using libewf
• Mac OS disk image using libmod
• Sparse bundle disk image
• Sparse disk image
• Universal Disk Image Format (UDIF) image
• Parallels Hard Disk image format version 2 using libphdi
• QCOW Image Format or QCOW using libqcow
• currently no differential image support
• Raw Image Format RAW using libsmraw
• Storage media devices using libsmdev
• Virtual Disk Image (vdi) or VHD(X) using libvhdi
• VMWare Virtual Disk Format (vmdk) using libvmdk
• currently no differential image support

Volume systems

• Apple Partition Map or APM using The Sleuth Kit and pytsk
• Apple File System or APFS container version 2 using libfsapfs
• BitLocker Disk Encryption or BDE using libbde
• BSD disklabel APM using The Sleuth Kit and pytsk
• Core Storage (CS) including FileVault Disk Encryption or FVDE, or FileVault 2 using libfvde
• GPT using libvsgpt with fallback to The Sleuth Kit and pytsk
• Linux Logical Volume Manager or Linux LVM using libvslvm
• At the moment only single physical volume LVM support
• Linux Unified Key Setup or LUKS using libluksde
• MBR using The Sleuth Kit and pytsk
• Windows Shadow Volumes or VSS using libvshadow

File systems

• Apple File System or APFS version 2 using libfsapfs
• Extended File System (ext) version 2, 3, 4 using libfsext with fallback to The Sleuth Kit and pytsk
• FAT-12, FAT-16, FAT-32 and exFAT using The Sleuth Kit and pytsk with fallback to libfsfat
• HFS+, HFSX using libfshfs with fallback to The Sleuth Kit and pytsk
• ISO-9660 version 1 using The Sleuth Kit and pytsk
• New Technology File System or NTFS version 3 using libfsntfs with fallback to The Sleuth Kit and pytsk
• Unix File System or UFS version 1, 2 using The Sleuth Kit and pytsk
• XFS version 4, 5 using libfsxfs

History

dfVFS originates from Plaso. It was largely rewritten and made into a stand-alone project to provide more flexibility and allow other projects to make use of the VFS functionality. dfVFS originally was named PyVFS, but that name conflicted with another project.

See Also

• dfWinReg
• Plaso

External Links

• Project site
• Project documentation
• Developing Python code using dfVFS